File Coverage

blib/lib/Apache2/AuthAny/AuthzHandler.pm

Criterion	Covered	Total	%
statement	4	6	66.6
branch			n/a
condition			n/a
subroutine	2	2	100.0
pod			n/a
total	6	8	75.0

line	stmt	sub	time	code
1				package Apache2::AuthAny::AuthzHandler;
2
3	1	1	1429	use strict;
	1		2
	1		41
4	1	1	350	use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
	0
	0
5				use Data::Dumper qw(Dumper);
6
7				use Apache2::AuthAny::DB qw();
8				our $VERSION = '0.201';
9
10				sub handler {
11				my $r = shift;
12
13				my $cf = Apache2::Module::get_config('Apache2::AuthAny',
14				$r->server,
15				$r->per_dir_config) \|\| {};
16
17				my %require;
18				foreach my $req (@{ $r->requires }) {
19				my ($k, @v) = split /\s+/, $req->{requirement};
20				# warn "\$k => $k, \@v => @v";
21				unless ($k) {
22				my $msg = "Configuration error. Lone Require";
23				$r->log->error("Apache2::AuthAny::AuthzHandler: $msg");
24				die $msg;
25				}
26				$k = lc($k);
27
28				if ($k eq 'valid-user') {
29				$require{'valid-user'} = 1;
30
31				} elsif ($k eq 'identified-user') {
32				$require{'identified-user'} = 1;
33
34				} elsif ($k eq 'authenticated') {
35				$require{'authenticated'} = 1;
36
37				} elsif ($k eq 'session') {
38				$require{'session'} = 1;
39
40				} elsif ($k eq 'user') {
41				foreach my $user (@v) {
42				$require{user}{$user} = 1;
43				}
44
45				} elsif ($k eq 'role') {
46				foreach my $role (@v) {
47				push @{ $require{role} }, $role;
48				}
49
50				} else {
51				my $msg = "invalid Require statement 'Require $req->{requirement}'";
52				die "$msg";
53				}
54				}
55
56				# warn Dumper(\%require);
57				unless (%require) {
58				my $msg = "Apache2::AuthAny::AuthzHandler: No 'Require'. WTF";
59				$r->log->error($msg);
60				die $msg;
61				#return Apache2::Const::DECLINED;
62				}
63
64				my $user_permitted = 0;
65				$r->log->info("Authz: %require: '" . Dumper(\%require) . "'");
66
67				if ($require{'valid-user'} \|\|
68				($require{user} && $require{user}{$r->user}) \|\|
69				($require{'identified-user'} && $ENV{AA_IDENT_UID})
70				) {
71				$user_permitted = 1;
72				} elsif (! $ENV{AA_IDENT_UID}) {
73				return Apache2::AuthAny::AuthUtil::goToGATE($r, 'unknown');
74				}
75
76				if (! $user_permitted && $require{role} ) {
77				my %user_role = map { $_ => 1 } split(",", $ENV{AA_ROLES});
78				foreach my $required_role (@{ $require{role} }) {
79				if ($user_role{$required_role}) {
80				$user_permitted = 1;
81				last;
82				}
83				}
84				}
85
86				# If user would otherwise be permitted, but has timed out, go
87				# to gate with timeout message.
88				if ($user_permitted && $require{'authenticated'} && $ENV{AA_STATE} ne 'authenticated') {
89				return Apache2::AuthAny::AuthUtil::goToGATE($r, 'timeout');
90				}
91
92				# Do not allow otherwise permitted identified users who are flagged in-active
93				if ($user_permitted && exists($ENV{AA_IDENT_active}) && ! $ENV{AA_IDENT_active}) {
94				my $msg = "Not activated";
95				$r->log->warn("Apache2::AuthAny::AuthzHandler: $msg");
96				return Apache2::AuthAny::AuthUtil::goToGATE($r, 'authz', {msg => $msg});
97				}
98
99				# Do not allow otherwise permitted users with no session cookie
100				if ($user_permitted && $require{'session'} && ! $ENV{AA_SESSION}) {
101				return Apache2::AuthAny::AuthUtil::goToGATE($r, 'session');
102				}
103
104				return Apache2::Const::OK if $user_permitted;
105
106				# Determine which error message to use on the GATE page
107				if ($require{role}) {
108				return Apache2::AuthAny::AuthUtil::goToGATE
109				($r, 'authz', { req_roles => join(",", @{ $require{role} }),
110				user_roles => $ENV{AA_ROLES},
111				});
112				} else {
113				my $msg = "Only certain users are permitted";
114				return Apache2::AuthAny::AuthUtil::goToGATE($r, 'authz', {msg => $msg});
115				}
116				}
117
118				1;
119