httpauth 0.1

Sign up to get free protection for your applications and to get access to all the features.
data/LICENSE ADDED
@@ -0,0 +1,16 @@
1
+ HTTPauth is an HTTP Authentication library for Ruby
2
+ Copyright (C) 2006 Fingertips, Manfred Stienstra <m.stienstra@fngtps.com>
3
+
4
+ This program is free software; you can redistribute it and/or modify
5
+ it under the terms of the GNU General Public License as published by
6
+ the Free Software Foundation; either version 2 of the License, or
7
+ (at your option) any later version.
8
+
9
+ This program is distributed in the hope that it will be useful,
10
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
+ GNU General Public License for more details.
13
+
14
+ You should have received a copy of the GNU General Public License along
15
+ with this program; if not, write to the Free Software Foundation, Inc.,
16
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
data/README ADDED
@@ -0,0 +1,39 @@
1
+ = README
2
+
3
+ HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication. We aim to make HTTPAuth as compliant as possible.
4
+
5
+ HTTPAuth is built to be completely agnostic of the HTTP implementation. If you have access to your webserver's headers you can use this library to implement authentication.
6
+
7
+ This project is currently under development, don't use it in mission critical applications.
8
+
9
+ == Getting started
10
+
11
+ If you want to implement authentication for your application you should probably start by looking at the various examples. In the examples directory is an implementation of an HTTP client and server, you can use these to test your implementation. The examples are basic implementations of the protocol.
12
+
13
+ == Limitations
14
+
15
+ Currently the library doesn't check for consistency of the directives in the various headers, this means that implementations using this library can be vulnerable to request replay attacks. This will obviously be addressed before the final release.
16
+
17
+ == Plugins
18
+
19
+ === Ruby on Rails
20
+
21
+ A plugin for Ruby on Rails can be found here:
22
+
23
+ https://fngtps.com/svn/rails-plugins/trunk/digest_authentication
24
+
25
+ == Known client implementation issues
26
+
27
+ === Safari
28
+
29
+ Safari doesn't understand and parse the algorithm and qop directives correctly. For instance: it sends qop=auth as qop="auth" and when multiple qop values are suggested by the server, no authentication is triggered. See http://bugzilla.opendarwin.org/show_bug.cgi?id=10727.
30
+
31
+ == Internet Explorer
32
+
33
+ The qop and algorithm bug quoting bugs are also present in IE.
34
+
35
+ IE doesn't use the full URI for digest calculation, it chops off the query parameters. So a request on /script?q=a will response with uri='/script'.
36
+
37
+ == Known server implementation issues
38
+
39
+ Apache 2.0 sends Authorization-Info headers without a nextnonce directive.
@@ -0,0 +1,76 @@
1
+ require 'rake'
2
+ require 'rake/clean'
3
+ require 'rake/testtask'
4
+ require 'rake/gempackagetask'
5
+ require 'rake/rdoctask'
6
+
7
+ NAME = 'httpauth'
8
+ VERSIE = '0.1'
9
+ RDOC_OPTS = ['--quiet', '--title', "HTTPAuth - A Ruby library for creating, parsing and validating HTTP authentication headers",
10
+ "--opname", "index.html",
11
+ "--line-numbers",
12
+ "--main", "README",
13
+ "--charset", "utf-8",
14
+ "--inline-source"]
15
+ CLEAN.include ['pkg', 'doc', '*.gem']
16
+
17
+ desc 'Default: run tests'
18
+ task :default => [:test]
19
+ task :package => [:clean]
20
+
21
+ desc 'Run tests'
22
+ Rake::TestTask.new(:test) do |t|
23
+ t.pattern = 'test/**/*_test.rb'
24
+ t.verbose = true
25
+ t.warning = true
26
+ end
27
+
28
+ desc 'Create documentation'
29
+ Rake::RDocTask.new("doc") do |rdoc|
30
+ rdoc.rdoc_dir = 'doc'
31
+ rdoc.options += RDOC_OPTS
32
+ rdoc.main = "README"
33
+ rdoc.rdoc_files.include('README')
34
+ rdoc.rdoc_files.include('lib/**/*.rb')
35
+ end
36
+
37
+ desc 'Upload rdoc documentation to Rubyforge'
38
+ task :upload_doc => :doc do
39
+ `scp -r #{File.dirname(__FILE__)}/doc/* mst@rubyforge.org:/var/www/gforge-projects/httpauth/`
40
+ end
41
+
42
+ spec =
43
+ Gem::Specification.new do |s|
44
+ s.name = NAME
45
+ s.version = VERSIE
46
+ s.platform = Gem::Platform::RUBY
47
+ s.has_rdoc = true
48
+ s.extra_rdoc_files = ["README", "LICENSE"]
49
+ s.rdoc_options += RDOC_OPTS + ['--exclude', '^(examples|test)\/']
50
+ s.summary = "Library for the HTTP Authentication protocol (RFC 2617)"
51
+ s.description = "HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication."
52
+ s.author = "Manfred Stienstra"
53
+ s.email = 'manfred@fngtps.com'
54
+ s.homepage = 'http://httpauth.rubyforge.org'
55
+ s.required_ruby_version = '>= 1.8.0'
56
+
57
+ s.files = %w(README LICENSE Rakefile) +
58
+ Dir.glob("lib/**/*") +
59
+ Dir.glob("examples/**/*")
60
+
61
+ s.require_path = "lib"
62
+ end
63
+
64
+ Rake::GemPackageTask.new(spec) do |p|
65
+ p.need_tar = true
66
+ p.gem_spec = spec
67
+ end
68
+
69
+ task :install do
70
+ sh %{rake package}
71
+ sh %{sudo gem install pkg/#{NAME}-#{VERSIE}}
72
+ end
73
+
74
+ task :uninstall => [:clean] do
75
+ sh %{sudo gem uninstall #{NAME}}
76
+ end
@@ -0,0 +1,132 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ $:.unshift File.expand_path(File.dirname(__FILE__) + '/../lib')
4
+
5
+ require 'rubygems' rescue LoadError
6
+ require 'uri'
7
+ require 'rfuzz/client'
8
+ require 'httpauth/digest'
9
+
10
+ SALT = 'My very very secret salt'
11
+
12
+ class AuthenticationCache
13
+
14
+ def initialize
15
+ @uri = nil
16
+ @credentials = nil
17
+ end
18
+
19
+ def set_credentials_for(uri, credentials)
20
+ @uri = get_new_uri(@uri, uri)
21
+ @credentials = credentials
22
+ end
23
+
24
+ def get_credentials
25
+ @credentials
26
+ end
27
+
28
+ def update_usage_for(uri, nextnonce=nil)
29
+ if nextnonce
30
+ @credentials.nc = nextnonce
31
+ else
32
+ @credentials.nc += 1
33
+ end
34
+ end
35
+
36
+ protected
37
+
38
+ # Is uri1 more general than uri2
39
+ def more_general_uri?(uri1, uri2)
40
+ ua1 = uri1.nil? ? [] : uri1.split('/')
41
+ ua2 = uri2.nil? ? [] : uri2.split('/')
42
+ ua1.each_with_index do |p, i|
43
+ return false unless ua2[i] == p
44
+ end
45
+ true
46
+ end
47
+
48
+ def get_new_uri(uri1, uri2)
49
+ if more_general_uri?(uri1, uri2)
50
+ uri1
51
+ else
52
+ uri2
53
+ end
54
+ end
55
+ end
56
+
57
+ class AuthenticatedClient
58
+ include HTTPAuth::Digest
59
+
60
+ def initialize(host, port)
61
+ @client = RFuzz::HttpClient.new host, port
62
+ @cache = AuthenticationCache.new
63
+ @username = nil
64
+ @password = nil
65
+ end
66
+
67
+ def get_credentials_from_user
68
+ if @username.nil?
69
+ print 'Username: '
70
+ @username = $stdin.gets.strip
71
+ end
72
+ if @password.nil?
73
+ print 'Password: '
74
+ @password = $stdin.gets.strip
75
+ end
76
+ [@username, @password]
77
+ end
78
+
79
+ # Get a resource from the server
80
+ def get(resource)
81
+ uri = URI.parse resource
82
+
83
+ # If credentials were stored, use them. Otherwise do a normal get
84
+ credentials = @cache.get_credentials
85
+ unless credentials.nil?
86
+ puts "sending credentials: #{credentials.to_header}"
87
+ response = @client.get resource, :head => {"Authorization" => credentials.to_header}
88
+ else
89
+ response = @client.get resource
90
+ end
91
+ # If response was 401, retry with authentication
92
+ if response.http_status == '401' and !response['WWW_AUTHENTICATE'].nil?
93
+ puts "got challenge: #{response['WWW_AUTHENTICATE']}"
94
+ challenge = Challenge.from_header(response['WWW_AUTHENTICATE'])
95
+ (stale = challenge.stale) rescue NoMethodError
96
+ unless stale
97
+ username, password = get_credentials_from_user
98
+ else
99
+ username = credentials.username
100
+ password = credentials.password
101
+ end
102
+ credentials = Credentials.from_challenge(challenge,
103
+ {:uri => resource, :username => username, :password => password, :method => 'GET'}
104
+ )
105
+ puts "sending credentials: #{credentials.to_header}"
106
+ @cache.set_credentials_for uri.path, credentials
107
+ response = @client.get resource, :head => {"Authorization" => credentials.to_header}
108
+ end
109
+ # If the server sends authentication info use the information for the next request
110
+ if response['AUTHENTICATION_INFO']
111
+ puts "got authentication-info: #{response['AUTHENTICATION_INFO']}"
112
+ auth_info = AuthenticationInfo.from_header(response['AUTHENTICATION_INFO'])
113
+ @cache.update_usage_for uri.path, auth_info.h[:nextnonce]
114
+ else
115
+ @cache.update_usage_for uri.path
116
+ end
117
+ response
118
+ end
119
+ end
120
+
121
+ if $0 == __FILE__
122
+ unless ARGV.length == 2
123
+ puts <<-EOT
124
+ Usage: client_digest_secure get <url>
125
+ EOT
126
+ exit 0
127
+ end
128
+ uri = URI.parse ARGV[1]
129
+ client = AuthenticatedClient.new uri.host, uri.port
130
+ response = client.send ARGV[0].intern, uri.query ? "#{uri.path}&#{uri.query}" : uri.path
131
+ puts response.http_body
132
+ end
@@ -0,0 +1,47 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ $:.unshift File.expand_path(File.dirname(__FILE__) + '/../lib')
4
+
5
+ require 'webrick'
6
+ require 'httpauth/digest'
7
+ require 'yaml'
8
+
9
+ include WEBrick
10
+
11
+ s = HTTPServer.new :Port => 2000, :AccessLog => [[File.open('/dev/null', 'w'), AccessLog::COMMON_LOG_FORMAT],
12
+ [File.open('/dev/null', 'w'), AccessLog::REFERER_LOG_FORMAT]]
13
+
14
+ class AuthenticationServlet < HTTPServlet::AbstractServlet
15
+ include HTTPAuth::Digest
16
+ def do_GET(request, response)
17
+ puts '-'*79
18
+ puts "request: Authorization: " + (request['Authorization'] || '')
19
+
20
+ credentials = Credentials.from_header(request['Authorization']) unless request['Authorization'].nil?
21
+ if !credentials.nil? and credentials.validate :password => 'secret', :method => 'GET'
22
+ response.status = 200
23
+ auth_info = AuthenticationInfo.from_credentials credentials
24
+ response['Authentication-Info'] = auth_info.to_header
25
+ response['Content-Type'] = 'text/plain; charset=utf-8'
26
+ response.body = 'You are authorized'
27
+ puts "response: Authentication-Info: " + response['Authentication-Info']
28
+ else
29
+ if credentials
30
+ puts '[!] FAILED: ' + credentials.reason
31
+ else
32
+ puts '[!] FAILED: No credentials specified'
33
+ end
34
+ response.status = 401
35
+ challenge = Challenge.new :realm => 'admin@httpauth.example.com', :qop => ['auth']
36
+ response['WWW-Authenticate'] = challenge.to_header
37
+ response['Content-Type'] = 'text/plain; charset=utf-8'
38
+ response.body = 'You are not authorized'
39
+ puts "response: WWW-Authenticate: " + response['WWW-Authenticate']
40
+ end
41
+ end
42
+ end
43
+
44
+ puts "\n>>> Open http://localhost:2000/ and login with password 'secret', any username should work\n\n"
45
+ s.mount '/', AuthenticationServlet
46
+ trap('INT') { s.shutdown }
47
+ s.start
@@ -0,0 +1,4 @@
1
+ require 'httpauth/constants'
2
+ require 'httpauth/exceptions'
3
+ require 'httpauth/basic'
4
+ require 'httpauth/digest'
@@ -0,0 +1,114 @@
1
+ %w(base64 httpauth/exceptions httpauth/constants).each { |l| require l }
2
+
3
+ module HTTPAuth
4
+ # = Basic
5
+ #
6
+ # The Basic class provides a number of methods to handle HTTP Basic Authentication. In Basic Authentication
7
+ # the server sends a challenge and the client has to respond to that with the correct credentials. These
8
+ # credentials will have to be sent with every request from that point on.
9
+ #
10
+ # == On the server
11
+ #
12
+ # On the server you will have to check the headers for the 'Authorization' header. When you find one unpack
13
+ # it and check it against your database of credentials. If the credentials are wrong you have to return a
14
+ # 401 status message and a challenge, otherwise proceed as normal. The code is meant as an example, not as
15
+ # runnable code.
16
+ #
17
+ # def check_authentication(request, response)
18
+ # credentials = HTTPAuth::Basic.unpack_authorization(request['Authorization'])
19
+ # if ['admin', 'secret'] == credentials
20
+ # response.status = 200
21
+ # return true
22
+ # else
23
+ # response.status = 401
24
+ # response['WWW-Authenticate'] = HTTPAuth::Basic.pack_challenge('Admin Pages')
25
+ # return false
26
+ # end
27
+ # end
28
+ #
29
+ # == On the client
30
+ #
31
+ # On the client you have to detect the WWW-Authenticate header sent from the server. Once you find one you _should_
32
+ # send credentials for that resource any resource 'deeper in the URL space'. You _may_ send the credentials for
33
+ # every request without a WWW-Authenticate challenge. Note that credentials are valid for a realm, a server can
34
+ # use multiple realms for different resources. The code is meant as an example, not as runnable code.
35
+ #
36
+ # def get_credentials_from_user_for(realm)
37
+ # if realm == 'Admin Pages'
38
+ # return ['admin', 'secret']
39
+ # else
40
+ # return [nil, nil]
41
+ # end
42
+ # end
43
+ #
44
+ # def handle_authentication(response, request)
45
+ # unless response['WWW-Authenticate'].nil?
46
+ # realm = HTTPAuth::Basic.unpack_challenge(response['WWW-Authenticate])
47
+ # @credentials[realm] ||= get_credentials_from_user_for(realm)
48
+ # @last_realm = realm
49
+ # end
50
+ # unless @last_realm.nil?
51
+ # request['Authorization'] = HTTPAuth::Basic.pack_authorization(*@credentials[@last_realm])
52
+ # end
53
+ # end
54
+ class Basic
55
+ class << self
56
+
57
+ # Unpacks the HTTP Basic 'Authorization' credential header
58
+ #
59
+ # * <tt>authorization</tt>: The contents of the Authorization header
60
+ # * Returns a list with two items: the username and password
61
+ def unpack_authorization(authorization)
62
+ d = authorization.split ' '
63
+ raise ArgumentError.new("HTTPAuth::Basic can only unpack Basic Authentication headers") unless d[0] == 'Basic'
64
+ Base64.decode64(d[1]).split(':')[0..1]
65
+ end
66
+
67
+ # Packs HTTP Basic credentials to an 'Authorization' header
68
+ #
69
+ # * <tt>username</tt>: A string with the username
70
+ # * <tt>password</tt>: A string with the password
71
+ def pack_authorization(username, password)
72
+ "Basic %s" % Base64.encode64("#{username}:#{password}").gsub("\n", '')
73
+ end
74
+
75
+ # Returns contents for the WWW-authenticate header
76
+ #
77
+ # * <tt>realm</tt>: A string with a recognizable title for the restricted resource
78
+ def pack_challenge(realm)
79
+ "Basic realm=\"%s\"" % realm.gsub('"', '')
80
+ end
81
+
82
+ # Returns the name of the realm in a WWW-Authenticate header
83
+ #
84
+ # * <tt>authenticate</tt>: The contents of the WWW-Authenticate header
85
+ def unpack_challenge(authenticate)
86
+ if authenticate =~ /Basic\srealm=\"([^\"]*)\"/
87
+ return $1
88
+ else
89
+ if authenticate =~ /^Basic/
90
+ raise UnwellformedHeader.new("Can't parse the WWW-Authenticate header, it's probably not well formed")
91
+ else
92
+ raise ArgumentError.new("HTTPAuth::Basic can only unpack Basic Authentication headers")
93
+ end
94
+ end
95
+ end
96
+
97
+ # Finds and unpacks the authorization credentials in a hash with the CGI enviroment. Returns [nil,nil] if no
98
+ # credentials were found. See HTTPAuth::CREDENTIAL_HEADERS for supported variable names.
99
+ #
100
+ # _Note for Apache_: normally the Authorization header can be found in the HTTP_AUTHORIZATION env variable,
101
+ # but Apache's mod_auth removes the variable from the enviroment. You can work around this by renaming
102
+ # the variable in your apache configuration (or .htaccess if allowed). For example: rewrite the variable
103
+ # for every request on /admin/*.
104
+ #
105
+ # RewriteEngine on
106
+ # RewriteRule ^admin/ - [E=X-HTTP-AUTHORIZATION:%{HTTP:Authorization}]
107
+ def get_credentials(env)
108
+ d = HTTPAuth::CREDENTIAL_HEADERS.inject(false) { |d,h| env[h] || d }
109
+ return unpack_authorization(d) if d
110
+ [nil, nil]
111
+ end
112
+ end
113
+ end
114
+ end
@@ -0,0 +1,14 @@
1
+ # HTTPAuth holds a number of classes and constants to implement HTTP Authentication with. See Basic or Digest for
2
+ # details on how to implement authentication using this library.
3
+ #
4
+ # For more information see RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt)
5
+ module HTTPAuth
6
+ VERSION = '0.1'
7
+
8
+ CREDENTIAL_HEADERS = %w{REDIRECT_X_HTTP_AUTHORIZATION X-HTTP-AUTHORIZATION X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION}
9
+ SUPPORTED_SCHEMES = { :basic => 'Basic', :digest => 'Digest' }
10
+ SUPPORTED_QOPS = ['auth', 'auth-int']
11
+ SUPPORTED_ALGORITHMS = ['MD5', 'MD5-sess']
12
+ PREFERRED_QOP = 'auth'
13
+ PREFERRED_ALGORITHM = 'MD5'
14
+ end
@@ -0,0 +1,583 @@
1
+ %w(tmpdir digest/md5 base64 httpauth/exceptions httpauth/constants).each { |l| require l }
2
+
3
+ module HTTPAuth
4
+ # = Digest
5
+ #
6
+ # The Digest class provides a number of methods to handle HTTP Digest Authentication. Generally the server
7
+ # sends a challenge to the client a resource that needs authorization and the client tries to respond with
8
+ # the correct credentials. Digest authentication rapidly becomes more complicated after that, if you want to
9
+ # build an implementation I suggest you at least skim RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt).
10
+ #
11
+ # == Examples
12
+ #
13
+ # Digest authentication examples are too large to include in source documentation. Please consult the examples
14
+ # directory for client and server implementations.
15
+ #
16
+ # The classes and code of the library are set up to be as transparent as possible so integrating the library
17
+ # with any implementation talking HTTP, either trough CGI or directly should be possible.
18
+ #
19
+ # == The 'Digest'
20
+ #
21
+ # In Digest authentication the client's credentials are never sent in plain text over HTTP. You don't even have
22
+ # to store the passwords in plain text on the server to authenticate clients. The library doesn't force you to
23
+ # use the digest mechanism, it also works by specifying the username, password and realm. If you do decided to
24
+ # use digests you can generate them in the following way:
25
+ #
26
+ # H(username + ':' + realm + ':' + password)
27
+ #
28
+ # Where H returns the MD5 hexdigest of the string. The Utils class defines a method to calculate the digest.
29
+ #
30
+ # HTTPAuth::Digest::Utils.htdigest(username, realm, password)
31
+ #
32
+ # The format of this digest is the same in most implementations. Apache's <tt>htdigest</tt> tool for instance
33
+ # stores the digests in a textfile like this:
34
+ #
35
+ # username:realm:digest
36
+ #
37
+ # == Security
38
+ #
39
+ # Digest authentication is quite a bit more secure than Basic authentication, but it isn't as secure as SSL.
40
+ # The biggest difference between Basic and Digest authentication is that Digest authentication doesn't send
41
+ # clear text passwords, but only an MD5 digest. Recent developments in password cracking and mathematics have
42
+ # found several ways to create collisions with MD5 hashes and it's not infinitely secure. However, it currently
43
+ # still takes a lot of computing power to crack MD5 digests. Checking for brute force attacks in your applications
44
+ # and routinely changing the user credentials and maybe even the realm makes it a lot harder for a cracker to
45
+ # abuse your application.
46
+ module Digest
47
+ # Utils contains all sort of conveniance methods for the header container classes. Implementations shouldn't have
48
+ # to call any methods on Utils.
49
+ class Utils
50
+ class << self
51
+ # Encodes a hash with digest directives to send in a header.
52
+ #
53
+ # * <tt>h</tt>: The directives specified in a hash
54
+ # * <tt>variant</tt>: Specifies whether the directives are for an Authorize header (:credentials),
55
+ # for a WWW-Authenticate header (:challenge) or for a Authentication-Info header (:auth_info).
56
+ def encode_directives(h, variant)
57
+ encode = {:domain => :join, :algorithm => false, :stale => :str_to_bool, :nc => :int_to_hex,
58
+ :nextnonce => :int_to_hex}
59
+ if [:credentials, :auth].include? variant
60
+ encode.merge! :qop => false
61
+ elsif variant == :challenge
62
+ encode.merge! :qop => :list_to_quoted_string
63
+ else
64
+ raise ArgumentError.new("#{variant} is not a valid value for `variant' use :auth, :credentials or :challenge")
65
+ end
66
+ (variant == :auth ? '' : 'Digest ') + h.collect do |directive, value|
67
+ '' << directive.to_s << '=' << if encode[directive]
68
+ begin
69
+ Conversions.send encode[directive], value
70
+ rescue NoMethodError, ArgumentError
71
+ raise ArgumentError.new("Can't encode #{directive}(#{value.inspect}) with #{encode[directive]}")
72
+ end
73
+ elsif encode[directive].nil?
74
+ begin
75
+ Conversions.quote_string value
76
+ rescue NoMethodError, ArgumentError
77
+ raise ArgumentError.new("Can't encode #{directive}(#{value.inspect}) with quote_string")
78
+ end
79
+ else
80
+ value
81
+ end
82
+ end.join(", ")
83
+ end
84
+
85
+ # Decodes digest directives from a header. Returns a hash with directives.
86
+ #
87
+ # * <tt>directives</tt>: The directives
88
+ # * <tt>variant</tt>: Specifies whether the directives are for an Authorize header (:credentials),
89
+ # for a WWW-Authenticate header (:challenge) or for a Authentication-Info header (:auth_info).
90
+ def decode_directives(directives, variant)
91
+ raise HTTPAuth::UnwellformedHeader.new("Can't decode directives which are nil") if directives.nil?
92
+ decode = {:domain => :split, :algorithm => false, :stale => :bool_to_str, :nc => :hex_to_int,
93
+ :nextnonce => :hex_to_int}
94
+ if [:credentials, :auth].include? variant
95
+ decode.merge! :qop => false
96
+ elsif variant == :challenge
97
+ decode.merge! :qop => :quoted_string_to_list
98
+ else
99
+ raise ArgumentError.new("#{variant} is not a valid value for `variant' use :auth, :credentials or :challenge")
100
+ end
101
+
102
+ start = 0
103
+ unless variant == :auth
104
+ # The first six characters are 'Digest '
105
+ start = 6
106
+ scheme = directives[0..6].strip
107
+ raise HTTPAuth::UnwellformedHeader.new("Scheme should be Digest, server responded with `#{directives}'") unless scheme == 'Digest'
108
+ end
109
+
110
+ # The rest are the directives
111
+ # TODO: split is ugly, I want a real parser (:
112
+ directives[start..-1].split(',').inject({}) do |h,part|
113
+ parts = part.split('=')
114
+ name = parts[0].strip.intern
115
+ value = parts[1..-1].join('=').strip
116
+
117
+ # --- HACK
118
+ # IE and Safari qoute qop values
119
+ # IE also quotes algorithm values
120
+ if variant != :challenge and [:qop, :algorithm].include?(name) and value =~ /^\"[^\"]+\"$/
121
+ value = Conversions.unquote_string(value)
122
+ end
123
+ # --- END HACK
124
+
125
+ if decode[name]
126
+ h[name] = Conversions.send decode[name], value
127
+ elsif decode[name].nil?
128
+ h[name] = Conversions.unquote_string value
129
+ else
130
+ h[name] = value
131
+ end
132
+ h
133
+ end
134
+ end
135
+
136
+ # Concat arguments the way it's done frequently in the Digest spec.
137
+ #
138
+ # digest_concat('a', 'b') #=> "a:b"
139
+ # digest_concat('a', 'b', c') #=> "a:b:c"
140
+ def digest_concat(*args); args.join ':'; end
141
+
142
+ # Calculate the MD5 hexdigest for the string data
143
+ def digest_h(data); ::Digest::MD5.hexdigest data; end
144
+
145
+ # Calculate the KD value of a secret and data as explained in the RFC.
146
+ def digest_kd(secret, data); digest_h digest_concat(secret, data); end
147
+
148
+ # Calculate the Digest for the credentials
149
+ def htdigest(username, realm, password)
150
+ digest_h digest_concat(username, realm, password)
151
+ end
152
+
153
+ # Calculate the H(A1) as explain in the RFC. If h[:digest] is set, it's used instead
154
+ # of calculating H(username ":" realm ":" password).
155
+ def digest_a1(h, s)
156
+ # TODO: check for known algorithm values (look out for the IE algorithm quote bug)
157
+ if h[:algorithm] == 'MD5-sess'
158
+ digest_h digest_concat(
159
+ h[:digest] || htdigest(h[:username], h[:realm], h[:password]),
160
+ h[:nonce],
161
+ h[:cnonce]
162
+ )
163
+ else
164
+ h[:digest] || htdigest(h[:username], h[:realm], h[:password])
165
+ end
166
+ end
167
+
168
+ # Calculate the H(A2) for the Authorize header as explained in the RFC.
169
+ def request_digest_a2(h)
170
+ # TODO: check for known qop values (look out for the safari qop quote bug)
171
+ if h[:qop] == 'auth-int'
172
+ digest_h digest_concat(h[:method], h[:uri], digest_h(h[:request_body]))
173
+ else
174
+ digest_h digest_concat(h[:method], h[:uri])
175
+ end
176
+ end
177
+
178
+ # Calculate the H(A2) for the Authentication-Info header as explained in the RFC.
179
+ def response_digest_a2(h)
180
+ if h[:qop] == 'auth-int'
181
+ digest_h ':' + digest_concat(h[:uri], digest_h(h[:response_body]))
182
+ else
183
+ digest_h ':' + h[:uri]
184
+ end
185
+ end
186
+
187
+ # Calculate the digest value for the directives as explained in the RFC.
188
+ #
189
+ # * <tt>variant</tt>: Either <tt>:request</tt> or <tt>:response</tt>, as seen from the server.
190
+ def calculate_digest(h, s, variant)
191
+ raise ArgumentError.new("Variant should be either :request or :response, not #{variant}") unless [:request, :response].include?(variant)
192
+ # Compatability with RFC 2069
193
+ if h[:qop].nil?
194
+ digest_kd digest_a1(h, s), digest_concat(
195
+ h[:nonce],
196
+ send("#{variant}_digest_a2".intern, h)
197
+ )
198
+ else
199
+ digest_kd digest_a1(h, s), digest_concat(
200
+ h[:nonce],
201
+ Conversions.int_to_hex(h[:nc]),
202
+ h[:cnonce],
203
+ h[:qop],
204
+ send("#{variant}_digest_a2".intern, h)
205
+ )
206
+ end
207
+ end
208
+
209
+ # Return a hash with the keys in <tt>keys</tt> found in <tt>h</tt>.
210
+ #
211
+ # Example
212
+ #
213
+ # filter_h_on({1=>1,2=>2}, [1]) #=> {1=>1}
214
+ # filter_h_on({1=>1,2=>2}, [1, 2]) #=> {1=>1,2=>2}
215
+ def filter_h_on(h, keys)
216
+ h.inject({}) { |r,l| keys.include?(l[0]) ? r.merge({l[0]=>l[1]}) : r }
217
+ end
218
+
219
+ # Create a nonce value of the time and a salt. The nonce is created in such a
220
+ # way that the issuer can check the age of the nonce.
221
+ #
222
+ # * <tt>salt</tt>: A reasonably long passphrase known only to the issuer.
223
+ def create_nonce(salt)
224
+ now = Time.now
225
+ time = now.strftime("%Y-%m-%d %H:%M:%S").to_s + ':' + now.usec.to_s
226
+ Base64.encode64(
227
+ digest_concat(
228
+ time,
229
+ digest_h(digest_concat(time, salt))
230
+ )
231
+ ).gsub("\n", '')[0..-3]
232
+ end
233
+
234
+ # Create a 32 character long opaque string with a 'random' value
235
+ def create_opaque
236
+ s = []; 16.times { s << rand(127).chr }
237
+ digest_h s.join
238
+ end
239
+ end
240
+ end
241
+
242
+ # Superclass for all the header container classes
243
+ class AbstractHeader
244
+ # holds directives and values for digest calculation
245
+ attr_reader :h
246
+
247
+ # Redirects attribute messages to the internal directives
248
+ #
249
+ # Example:
250
+ #
251
+ # class Credentials < AbstractHeader
252
+ # def initialize
253
+ # @h = { :username => 'Ben' }
254
+ # end
255
+ # end
256
+ #
257
+ # c = Credentials.new
258
+ # c.username #=> 'Ben'
259
+ # c.username = 'Mary'
260
+ # c.username #=> 'Mary'
261
+ def method_missing(m, *a)
262
+ if ((m.to_s =~ /^(.*)=$/) == 0) and @h.keys.include?($1.intern)
263
+ @h[$1.intern] = a[0]
264
+ elsif @h.keys.include? m
265
+ @h[m]
266
+ else
267
+ raise NameError.new("undefined method `#{m}' for #{self}")
268
+ end
269
+ end
270
+ end
271
+
272
+
273
+ # The Credentials class handlers the Authorize header. The Authorize header is sent by a client who wants to
274
+ # let the server know he has the credentials needed to access a resource.
275
+ #
276
+ # See the Digest module for examples
277
+ class Credentials < AbstractHeader
278
+
279
+ # Parses the information from a Authorize header and create a new Credentials instance with the information.
280
+ # The options hash allows you to specify additional information.
281
+ #
282
+ # * <tt>authorization</tt>: The contents of the Authorize header
283
+ # See <tt>initialize</tt> for valid options.
284
+ def self.from_header(authorization, options={})
285
+ new Utils.decode_directives(authorization, :credentials), options
286
+ end
287
+
288
+ # Creates a new Credential instance based on a Challenge instance.
289
+ #
290
+ # * <tt>challenge</tt>: A Challenge instance
291
+ # See <tt>initialize</tt> for valid options.
292
+ def self.from_challenge(challenge, options={})
293
+ credentials = new challenge.h
294
+ credentials.update_from_challenge! options
295
+ credentials
296
+ end
297
+
298
+ # Create a new instance.
299
+ #
300
+ # * <tt>h</tt>: A Hash with directives, normally this is filled with the directives coming from a Challenge instance.
301
+ # * <tt>options</tt>: Used to set or override data from the Authorize header and add additional parameters.
302
+ # * <tt>:username</tt>: Mostly set by a client to send the username
303
+ # * <tt>:password</tt>: Mostly set by a client to send the password, set either this or the digest
304
+ # * <tt>:digest</tt>: Mostly set by a client to send a digest, set either this or the digest. For more
305
+ # information about digests see Digest.
306
+ # * <tt>:uri</tt>: Mostly set by the client to send the uri
307
+ # * <tt>:method</tt>: The HTTP Method used by the client to send the request, this should be an uppercase string
308
+ # with the name of the verb.
309
+ def initialize(h, options={})
310
+ @h = h
311
+ @h.merge! options
312
+ session = Session.new h[:opaque], :tmpdir => options[:tmpdir]
313
+ @s = session.load
314
+ @reason = 'There has been no validation yet'
315
+ end
316
+
317
+ # Convenience method, basically an alias for <code>validate(options.merge(:password => password))</code>
318
+ def validate_password(password, options={})
319
+ options[:password] = password
320
+ validate(options)
321
+ end
322
+
323
+ # Convenience method, basically an alias for <code>validate(options.merge(:digest => digest))</code>
324
+ def validate_digest(digest, options={})
325
+ options[:digest] = digest
326
+ validate(options)
327
+ end
328
+
329
+ # Validates the credential information stored in the Credentials instance. Returns <tt>true</tt> or
330
+ # <tt>false</tt>. You can read the ue
331
+ #
332
+ # * <tt>options</tt>: The extra options needed to validate the credentials. A server implementation should
333
+ # provide the <tt>:method</tt> and a <tt>:password</tt> or <tt>:digest</tt>.
334
+ # * <tt>:method</tt>: The HTTP Verb in uppercase, ie. GET or POST.
335
+ # * <tt>:password</tt>: The password for the sent username and realm, either a password or digest should be
336
+ # provided.
337
+ # * <tt>:digest</tt>: The digest for the specified username and realm, either a digest or password should ne
338
+ # provided.
339
+ def validate(options)
340
+ ho = @h.merge(options)
341
+ raise ArgumentError.new("You have to set the :request_body value if you want to use :qop => 'auth-int'") if @h[:qop] == 'auth-int' and ho[:request_body].nil?
342
+ raise ArgumentError.new("Please specify the request method :method (ie. GET)") if ho[:method].nil?
343
+
344
+ calculated_response = Utils.calculate_digest(ho, @s, :request)
345
+ if ho[:response] == calculated_response
346
+ @reason = ''
347
+ return true
348
+ else
349
+ @reason = "Response isn't the same as computed response #{ho[:response]} != #{calculated_response} for #{ho.inspect}"
350
+ end
351
+ false
352
+ end
353
+
354
+ # Returns a string with the reason <tt>validate</tt> returned false.
355
+ def reason
356
+ @reason
357
+ end
358
+
359
+ # Encodeds directives and returns a string that can be used in the Authorize header
360
+ def to_header
361
+ Utils.encode_directives Utils.filter_h_on(@h,
362
+ [:username, :realm, :nonce, :uri, :response, :algorithm, :cnonce, :opaque, :qop, :nc]), :credentials
363
+ end
364
+
365
+ # Updates @h from options, generally called after an instance was created with <tt>from_challenge</tt>.
366
+ def update_from_challenge!(options)
367
+ # TODO: integrity checks
368
+ @h[:username] = options[:username]
369
+ @h[:password] = options[:password]
370
+ @h[:digest] = options[:digest]
371
+ @h[:uri] = options[:uri]
372
+ @h[:method] = options[:method]
373
+ @h[:request_body] = options[:request_body]
374
+ unless @h[:qop].nil?
375
+ # Determine the QOP
376
+ if !options[:qop].nil? and @h[:qop].include?(options[:qop])
377
+ @h[:qop] = options[:qop]
378
+ elsif @h[:qop].include?(HTTPAuth::PREFERRED_QOP)
379
+ @h[:qop] = HTTPAuth::PREFERRED_QOP
380
+ else
381
+ qop = @h[:qop].detect { |qop| HTTPAuth::SUPPORTED_QOPS.include? qop }
382
+ unless qop.nil?
383
+ @h[:qop] = qop
384
+ else
385
+ raise UnsupportedError.new("HTTPAuth doesn't support any of the proposed qop values: #{@h[:qop].inspect}")
386
+ end
387
+ end
388
+ @h[:cnonce] ||= Utils.create_nonce options[:salt]
389
+ @h[:nc] ||= 1 unless @h[:qop].nil?
390
+ end
391
+ @h[:response] = Utils.calculate_digest(@h, @s, :request)
392
+ end
393
+ end
394
+
395
+ # The Challenge class handlers the WWW-Authenticate header. The WWW-Authenticate header is sent by a server when
396
+ # accessing a resource without credentials is prohibided. The header should always be sent together with a 401
397
+ # status.
398
+ #
399
+ # See the Digest module for examples
400
+ class Challenge < AbstractHeader
401
+
402
+ # Parses the information from a WWW-Authenticate header and creates a new WWW-Authenticate instance with this
403
+ # data.
404
+ #
405
+ # * <tt>challenge</tt>: The contents of a WWW-Authenticate header
406
+ # See <tt>initialize</tt> for valid options.
407
+ def self.from_header(challenge, options={})
408
+ new Utils.decode_directives(challenge, :challenge), options
409
+ end
410
+
411
+ # Create a new instance.
412
+ #
413
+ # * <tt>h</tt>: A Hash with directives, normally this is filled with directives coming from a Challenge instance.
414
+ # * <tt>options</tt>: Use to set of override data from the WWW-Authenticate header
415
+ # * <tt>:realm</tt>: The name of the realm the client should authenticate for. The RFC suggests to use a string
416
+ # like 'admin@yourhost.domain.com'. Be sure to use a reasonably long string to avoid brute force attacks.
417
+ # * <tt>:qop</tt>: A list with supported qop values. For example: <code>['auth-int']</code>. This will default
418
+ # to <code>['auth']</code>. Although this implementation supports both auth and auth-int, most
419
+ # implementations don't. Some implementations get confused when they receive anything but 'auth'. For
420
+ # maximum compatibility you should leave this setting alone.
421
+ # * <tt>:algorithm</tt>: The preferred algorithm for calculating the digest. For
422
+ # example: <code>'MD5-sess'</code>. This will default to <code>'MD5'</code>. For
423
+ # maximum compatibility you should leave this setting alone.
424
+ #
425
+ def initialize(h, options={})
426
+ @h = h
427
+ @h.merge! options
428
+ end
429
+
430
+ # Encodes directives and returns a string that can be used as the WWW-Authenticate header
431
+ def to_header
432
+ @h[:nonce] ||= Utils.create_nonce @h[:salt]
433
+ @h[:opaque] ||= Utils.create_opaque
434
+ @h[:algorithm] ||= HTTPAuth::PREFERRED_ALGORITHM
435
+ @h[:qop] ||= [HTTPAuth::PREFERRED_QOP]
436
+ Utils.encode_directives Utils.filter_h_on(@h,
437
+ [:realm, :domain, :nonce, :opaque, :stale, :algorithm, :qop]), :challenge
438
+ end
439
+ end
440
+
441
+ # The AuthenticationInfo class handles the Authentication-Info header. Sending Authentication-Info headers will
442
+ # allow the client to check the integrity of the response, but it isn't compulsory and will get in the way of
443
+ # pipelined retrieval of resources.
444
+ #
445
+ # See the Digest module for examples
446
+ class AuthenticationInfo < AbstractHeader
447
+
448
+ # Parses the information from a Authentication-Info header and creates a new AuthenticationInfo instance with
449
+ # this data.
450
+ #
451
+ # * <tt>auth_info</tt>: The contents of the Authentication-Info header
452
+ # See <tt>initialize</tt> for valid options.
453
+ def self.from_header(auth_info, options={})
454
+ new Utils.decode_directives(auth_info, :auth), options
455
+ end
456
+
457
+ # Creates a new AuthenticationInfo instance based on the information from Credentials instance.
458
+ #
459
+ # * <tt>credentials</tt>: A Credentials instance
460
+ # See <tt>initialize</tt> for valid options.
461
+ def self.from_credentials(credentials, options={})
462
+ auth_info = new credentials.h
463
+ auth_info.update_from_credentials! options
464
+ auth_info
465
+ end
466
+
467
+ # Create a new instance.
468
+ #
469
+ # * <tt>h</tt>: A Hash with directives, normally this is filled with the directives coming from a
470
+ # Credentials instance.
471
+ # * <tt>options</tt>: Used to set or override data from the Authentication-Info header
472
+ # * <tt>:response_body</tt> The body of the response that's going to be sent to the client. This is a
473
+ # compulsory option if the qop directive is 'auth-int'.
474
+ def initialize(h, options={})
475
+ @h = h
476
+ @h.merge! options
477
+ end
478
+
479
+ # Encodes directives and returns a string that can be used as the AuthorizationInfo header
480
+ def to_header
481
+ Utils.encode_directives Utils.filter_h_on(@h,
482
+ [:nextnonce, :qop, :rspauth, :cnonce, :nc]), :auth
483
+ end
484
+
485
+ # Updates @h from options, generally called after an instance was created with <tt>from_credentials</tt>.
486
+ def update_from_credentials!(options)
487
+ # TODO: update @h after nonce invalidation
488
+ @h[:response_body] = options[:response_body]
489
+ @h[:nextnonce] = @h[:nc] + 1
490
+ end
491
+ end
492
+
493
+ # Conversion for a number of internal data structures to and from directives in the headers. Implementations
494
+ # shouldn't have to call any methods on Conversions.
495
+ class Conversions
496
+ class << self
497
+
498
+ # Adds quotes around the string
499
+ def quote_string(str)
500
+ "\"#{str.gsub('"', '')}\""
501
+ end
502
+
503
+ # Removes quotes from around a string
504
+ def unquote_string(str)
505
+ str =~ /^\"([^\"]*)\"$/ ? $1 : str
506
+ end
507
+
508
+ # Creates an int value from hex values
509
+ def hex_to_int(str)
510
+ "0x#{str}".hex
511
+ end
512
+
513
+ # Creates a hex value in a string from an integer
514
+ def int_to_hex(i)
515
+ i.to_s(16).rjust 8, '0'
516
+ end
517
+
518
+ # Creates a boolean value from a string => true or false
519
+ def str_to_bool(str)
520
+ str == 'true'
521
+ end
522
+
523
+ # Creates a string value from a boolean => 'true' or 'false'
524
+ def bool_to_str(bool)
525
+ bool ? 'true' : 'false'
526
+ end
527
+
528
+ # Creates a quoted string with space separated items from a list
529
+ def list_to_quoted_string(list)
530
+ quote_string list.join(' ')
531
+ end
532
+
533
+ # Creates a list from a quoted space separated string of items
534
+ def quoted_string_to_list(string)
535
+ unquote_string(string).split ' '
536
+ end
537
+ end
538
+ end
539
+
540
+ # Session is a file-based session implementation for storing details about the Digest authentication session
541
+ # between requests.
542
+ class Session
543
+ attr_accessor :opaque
544
+ attr_accessor :options
545
+
546
+ # Initializes the new Session object.
547
+ #
548
+ # * <tt>opaque</tt> - A string to identify the session. This would normally be the <tt>opaque</tt> sent by the
549
+ # client, but it could also be an identifier sent through a different mechanism.
550
+ # * <tt>options</tt> - Additional options
551
+ # * <tt>:tmpdir</tt> A tempory directory for storing the session data. Dir::tmpdir is the default.
552
+ def initialize(opaque, options={})
553
+ self.opaque = opaque
554
+ self.options = options
555
+ end
556
+
557
+ # Associates the new data to the session and removes the old
558
+ def save(data)
559
+ File.open(filename, 'w') do |f|
560
+ f.write Marshal.dump(data)
561
+ end
562
+ end
563
+
564
+ # Returns the data from this session
565
+ def load
566
+ begin
567
+ File.open(filename, 'r') do |f|
568
+ Marshal.load f.read
569
+ end
570
+ rescue Errno::ENOENT
571
+ {}
572
+ end
573
+ end
574
+
575
+ protected
576
+
577
+ # The filename from which the session will be saved and read from
578
+ def filename
579
+ "#{options[:tmpdir] || Dir::tmpdir}/ruby_digest_cache.#{self.opaque}"
580
+ end
581
+ end
582
+ end
583
+ end
@@ -0,0 +1,6 @@
1
+ module HTTPAuth
2
+ # Raised when the library finds data that doesn't conform to the standard
3
+ class UnwellformedHeader < ArgumentError; end
4
+ # Raised when the library finds data that is not strictly forbidden but doesn't know how to handle.
5
+ class UnsupportedError < ArgumentError; end
6
+ end
metadata ADDED
@@ -0,0 +1,66 @@
1
+ --- !ruby/object:Gem::Specification
2
+ rubygems_version: 0.8.10
3
+ specification_version: 1
4
+ name: httpauth
5
+ version: !ruby/object:Gem::Version
6
+ version: "0.1"
7
+ date: 2006-09-04
8
+ summary: Library for the HTTP Authentication protocol (RFC 2617)
9
+ require_paths:
10
+ - lib
11
+ email: manfred@fngtps.com
12
+ homepage: http://httpauth.rubyforge.org
13
+ rubyforge_project:
14
+ description: HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication.
15
+ autorequire:
16
+ default_executable:
17
+ bindir: bin
18
+ has_rdoc: true
19
+ required_ruby_version: !ruby/object:Gem::Version::Requirement
20
+ requirements:
21
+ - - ">="
22
+ - !ruby/object:Gem::Version
23
+ version: 1.8.0
24
+ version:
25
+ platform: ruby
26
+ authors:
27
+ - Manfred Stienstra
28
+ files:
29
+ - README
30
+ - LICENSE
31
+ - Rakefile
32
+ - lib/httpauth
33
+ - lib/httpauth.rb
34
+ - lib/httpauth/basic.rb
35
+ - lib/httpauth/constants.rb
36
+ - lib/httpauth/digest.rb
37
+ - lib/httpauth/exceptions.rb
38
+ - examples/client_digest_secure
39
+ - examples/server_digest_secure
40
+ test_files: []
41
+
42
+ rdoc_options:
43
+ - --quiet
44
+ - --title
45
+ - HTTPAuth - A Ruby library for creating, parsing and validating HTTP authentication headers
46
+ - --opname
47
+ - index.html
48
+ - --line-numbers
49
+ - --main
50
+ - README
51
+ - --charset
52
+ - utf-8
53
+ - --inline-source
54
+ - --exclude
55
+ - ^(examples|test)\/
56
+ extra_rdoc_files:
57
+ - README
58
+ - LICENSE
59
+ executables: []
60
+
61
+ extensions: []
62
+
63
+ requirements: []
64
+
65
+ dependencies: []
66
+