Changeset 217

Timestamp:

09/29/06 21:14:53 (2 years ago)

Author:

jwalt

Message:

• improve Digest auth, add secure PRNG, better validity tests, cleanup code
  
• document and improve message passing mechanism
  

Files:

• trunk/lib/AxKit2/Plugin.pm (modified) (4 diffs)
• trunk/plugins/authenticate (modified) (7 diffs)

trunk/lib/AxKit2/Plugin.pm

@@ -121 +121 @@
-}
-
+
+my %_HANDLER_ATTRIB;
+
+sub Stacked : ATTR(CODE) {
+    my ($package, $symbol, $referent) = @_;
+    $_HANDLER_ATTRIB{$referent} = 1;
+}
+
-sub dispatch_message {
-    my $self = shift;
-    my $message = shift;
-    if (my $sub = $self->can("message_$message")) {
+        $sub->($self,@_), return DECLINED if ($_HANDLER_ATTRIB{$sub});
-        return OK, $sub->($self,@_);
-    }
@@ -295 +304 @@
-Retrieve the name of the currently executing hook
-
+=head2 C<< $plugin->notes >>
+
+If you need to store plugin-private data associated with a request, you can store
+them with C<< $plugin->notes($key,$value) >> and retrieve them via C<< $plugin->notes($key) >>.
+It works exactly like C<< $client->notes(...) >>, except that the key is made unique for
+each plugin.
+
+=head2 C<< $plugin->send >>
+
+This is the interface to user-defined callbacks and message passing. Plugins can define
+messages they handle like this:
+
+  sub message_login { # sent by plugins/authenticate
+    my ($self, $user) = @_;
+    # let an imaginary database setting do something on login
+    $self->config->database->login($user);
+  }
+
+Other plugins can then send a message using C<< $plugin->send('login',$user) >>. This is
+intended for typical callback situations, but it also allows plugins to offer services
+to other plugins, like this:
+
+  my $cached_object = $plugin->send('cache',$key);
+
+Since all plugins are searched for a corresponding message handler, plugins are independent
+of the actual implementation of such services.
+
+By default, the first message handler that is found is run and it's return value returned.
+If you want your handler to stack, i.e., that other handlers are run after it, specify the
+attribute C<Stacked> on the sub:
+
+  sub message_login : Stacked {
+    my ($self, $user) = @_;
+    # log it somewhere special, but do not interfere with regular login processing.
+    open(my $fh, '>>', 'userlog'); print $fh time()." ".$user."\n"; close($fh);
+  }
+
+Of course, the return value of stacked handlers is ignored.
+
+If you need even more complex processing, see C<< hook_handler >> below.
+
-=head1 CONFIGURATION DIRECTIVES
-
@@ -351 +401 @@
-For full details and more ways of designing configuration directives, see L<AxKit2::Config>.
-
+=head1 OTHER FACILITIES
+
+Since AxKit2 is based on L<Danga::Socket>, those facilities are also available to plugins.
+You should read it's documentation for details, but two use cases are rather common:
+
+=head2 Timers
+
+Have a custom callback at (roughly) a certain time from now:
+
+  # add a timed callback
+  my $timer = Danga::Socket->AddTimer($seconds, $subref);
+  # later, if you decide the timer is no longer needed
+  $timer->cancel;
+
+Pass a closure if you need values from C<$plugin>, as the callback is called
+without arguments or C<$self> reference.
+
+=head2 Watching additional FDs
+
+If you want to watch other file descriptors for IO, for example a permanent
+network connection to some other host, or a subprocess that you spawned for
+some asynchronous processing, add a new package at the end of your plugin,
+like this:
+
+  # ... your regular plugin code ...
+  
+  package My::Plugin::SubprocessEvent
+  use base 'Danga::Socket';
+  # ... and so on, copy the example code from Danga::Socket docs
+
+Since watching a FD happens in parallel to other requests, you will have to
+use global variables or similar to communicate with your plugin.
+
-=head1 AVAILABLE HOOKS
-
@@ -612 +695 @@
-
-=back
+
+
+=head2 message
+
+Params: MESSAGE_NAME, ARGUMENTS
+
+Called whenever a plugin C<send>'s a message.
+
+Return Value:
+
+=over 4
+
+=item * C<DECLINED> - go on dispatching the message
+
+=item * C<OK>, I<RETVAL> - Finish this message dispatch, return I<RETVAL> to caller.
+
+=back
+
-
-

trunk/plugins/authenticate

@@ -138 +138 @@
-
-Digest is recommended, since it is the best you can get short of going
-
-
+
+
+
+
+
-
-Basic provides practically no security, since anyone snooping on your connection can
-read the password in (superficially obfuscated) plain text. It is widely
-supported. This is relevant if you expect media players and other embedded HTTP
-
+
+
+
+
+
+
+
-
-=head2 C<AuthRealm> I<realm>
@@ -217 +226 @@
-}
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-=head2 C<< logout >>
@@ -236 +283 @@
-might want to lock out users after a certain number of failed attempts.
-
-=head2 C<< login_timeout >>
-
-This message is sent whenever a login session times out. This can happen I<after> the user
-has logged in with another session, but it will sooner or later be sent for every session
-not logged out via message C<logout>.
-
-=cut
-
-sub message_logout {
-
-my $session = $self->client->headers_in->header('Digest-Session')
+, $session
+$session = $self->client->headers_in->header('Digest-Session') unless defined $session
-    return unless defined $session;
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-    }
-
-
-
-
-
-
-
-
+
+
+
-    my $header = "Digest realm=" . quoted_string($self->config->auth_realm) . ", " .
-        "domain=".quoted_string($self->config->auth_domain).", " .
@@ -336 +384 @@
-        }
-
+        # Cheap tests first, save processing time on mismatch.
+
-        # This could be a hacking attempt, a config change, or an ambiguous config.
-        return $self->send_digest_challenge if ($param{realm} ne $self->config->auth_realm);
-
+        # Unknown username/realm combination
-        my $hash = $self->config->auth_file->{$param{username}.':'.$param{realm}};
-        # Unknown username/realm combination
-        return $self->send_digest_challenge if (!$hash);
-
+        # Validate nonce.
-        $param{nonce} = decode_base64($param{nonce});
-
+
+
-        # This can't possibly be one of our nonces, so there is probably something fishy going on.
-        return $self->send_digest_forbidden("impossible nonce") if (int($timestamp) ne $timestamp || !defined $nonce || int($timestamp) > time());
-
+        my $s = $_SESSIONS{$session};
+        if ($s) {
+            # Validate nc if present.
+            return $self->send_digest_forbidden("replay attack") if $param{qop} && $param{nc} ne sprintf("%08x",$$s[0]);
+            # Timestamp invalid: replay attack.
+            return $self->send_digest_forbidden("invalid timestamp") if $timestamp != $$s[1];
+            # Username mismatch: attempt to take over different user's session
+            return $self->send_digest_forbidden("user mismatch in server nonce") if $param{username} ne $user;
+        } else {
+            # Replay attack, expired or logged out session. Force relogin.
+            return $self->send_digest_challenge if $param{qop} && $param{nc} ne '00000001';
+            # Username mismatch: attempt to take over different user's session, or ancient session with old client.
+            return $self->send_digest_challenge if length($user);
+        }
+
+        # More expensive checks.
+
+        # If the nonce doesn't match what it should be, something fishy is going on: A user tries to act as a different user, 
+        # take over another user's session id, or it could be a replay attack.
+        # Unfortunately, this can also happen after a server restart. Force a relogin, however.
+        my $secret = ( $s? $$s[2] : $_SERVER_SECRET );
+        $nonce = "$timestamp:$session:$user:" . md5("$timestamp:$session:$user:$secret");
+        return $self->send_digest_challenge if ($param{nonce} ne $nonce);
+
+        # The heart of Digest auth: check the response hash.
-        my $bodyhash = ($self->notes('bodyhash')? $self->notes('bodyhash')->hexdigest : '0' x 32);
-        my $A2 = md5_hex( $hd->request_method . ':' . $param{uri} . ($param{qop} eq 'auth-int'? ':' . $bodyhash : '') );
@@ -353 +430 @@
-                                ($param{qop}? $param{nc} . ':' . $param{cnonce} . ':' . $param{qop} . ':' : '') .
-                                $A2 );
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        $A2 = md5_hex( ':' . $param{uri} ); # TODO: provide auth-int? . ($param{qop} eq 'auth-int'? ':' . $bodyhash : '')
-        $response = md5_hex( $hash->[0] . ':' . encode_base64($param{nonce},"") . ':' .
@@ -362 +451 @@
-        $self->client->headers_out->header('Authentication-Info',"qop=auth, cnonce=".quoted_string($param{cnonce}).", nc=$param{nc}, rspauth=".quoted_string($response));
-
-        $nonce = $timestamp.':'.$session.':'.md5($timestamp.':'.$session.':'.$_SERVER_SECRET);
-        # This could be a hacking attempt, or a server restart.
-        return $self->send_digest_challenge($param{nonce},$session) if ($param{nonce} ne $nonce);
-
-        $hd->header('Digest-Session',$session);
-
-
-
-
+
+
+
-            $self->send('login',$param{username});
+            # need another round-trip, since we want to tie the session id to the user name
+            # but avoid as much server-side state as possible without compromising security.
+            return $self->send_digest_challenge($session,$param{username});
-        }
-
@@ -377 +464 @@
-        if (!$param{qop} || $param{qop} eq 'auth,auth-int') {
-            # Change nonce once per minute to reduce replay attack time window.
-param{nonce},$session
+session,$param{username}
-            return OK;
-        }
-
-
-
-
-
+
+
-
-        # All checks passed.