snaury-thin-auth-ntlm 0.0.2

data/LICENSE.txt

@@ -0,0 +1,18 @@
+Copyright (c) 2009 Alexey Borzenkov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.txt

@@ -0,0 +1,11 @@
+= NTLM Authentication for Thin
+
+Allows you to force NTLM authentication on Thin TCP servers.
+
+= Using thin-auth-ntlm
+
+Just start your thin server using NTLMTcpServer backend:
+
+  thin -r thin-auth-ntlm -b Thin::Backends::NTLMTcpServer start
+
+Remote username will be available as request.remote_user.

data/Rakefile

@@ -0,0 +1,14 @@
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "thin-auth-ntlm"
+    gemspec.summary = "Allows you to force NTLM authentication on Thin TCP servers."
+    gemspec.author = "Alexey Borzenkov"
+    gemspec.email = "snaury@gmail.com"
+
+    gemspec.add_dependency('thin', '>= 1.0.0')
+    gemspec.add_dependency('rubysspi-server', '>= 0.0.1')
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end

data/lib/thin/ntlm/backends/tcp_server.rb

@@ -0,0 +1,13 @@
+module Thin
+  module Backends
+    class NTLMTcpServer < TcpServer
+      def initialize(host, port, options)
+        super(host, port)
+      end
+
+      def connect
+        @signature = EventMachine.start_server(@host, @port, NTLMConnection, &method(:initialize_connection))
+      end
+    end
+  end
+end

data/lib/thin/ntlm/connection.rb

@@ -0,0 +1,128 @@
+require 'win32/sspi/server'
+
+module Thin
+  class NTLMConnection < Connection
+    AUTHORIZATION_MESSAGE = <<END
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>401 NTLM Authorization Required</title>
+</head><body>
+<h1>NTLM Authorization Required</h1>
+<p>This server could not verify that you
+are authorized to access the document
+requested.  Either you supplied the wrong
+credentials (e.g., bad password), or your
+browser doesn't understand how to supply
+the credentials required.</p>
+</body></html>
+END
+    REMOTE_USER = 'REMOTE_USER'.freeze
+    HTTP_AUTHORIZATION = 'HTTP_AUTHORIZATION'.freeze
+    WWW_AUTHENTICATE = 'WWW-Authenticate'.freeze
+    CONTENT_TYPE = 'Content-Type'.freeze
+    CONTENT_TYPE_AUTH = 'text/html; charset=iso-8859-1'.freeze
+    NTLM_REQUEST_PACKAGE = 'NTLM'.freeze
+    NTLM_ALLOWED_PACKAGE = 'NTLM|Negotiate'.freeze
+
+    def unbind
+      ntlm_cleanup
+    ensure
+      super
+    end
+
+    def process
+      # check if browser wants to reauthenticate
+      if @authenticated_as && http_authorization
+        @authenticated_as = nil
+      end
+      # require authentication
+      unless @authenticated_as
+        unless @authentication_stage
+          @post_ntlm_can_persist = @can_persist
+          @authentication_stage = 1
+        end
+        result = ntlm_process
+        return post_process(result) unless @authenticated_as
+      end
+
+      @request.env[REMOTE_USER] = @authenticated_as
+      @can_persist = @post_ntlm_can_persist
+      return super
+    end
+
+    def http_authorization
+      auth = @request.env[HTTP_AUTHORIZATION]
+      if auth
+        auth = auth.strip
+        auth = nil if auth.empty?
+      end
+      auth
+    end
+
+    def ntlm_acquire(package = 'NTLM')
+      ntlm_cleanup
+      @ntlm = Win32::SSPI::NegotiateServer.new(package)
+      @ntlm.acquire_credentials_handle
+      @ntlm
+    end
+
+    def ntlm_cleanup
+      if @ntlm
+        @ntlm.cleanup rescue nil
+        @ntlm = nil
+      end
+      nil
+    end
+
+    def ntlm_token
+      auth = http_authorization
+      return [nil, nil] unless auth && auth.match(/\A(#{NTLM_ALLOWED_PACKAGE}) (.*)\Z/)
+      [$1, Base64.decode64($2.strip)]
+    end
+
+    def ntlm_process
+      case @authentication_stage
+      when 1 # we are waiting for type1 message
+        package, t1 = ntlm_token
+        return ntlm_request_auth(NTLM_REQUEST_PACKAGE, false) if t1.nil?
+        return ntlm_request_auth unless request.persistent?
+        begin
+          ntlm_acquire(package)
+          t2 = @ntlm.accept_security_context(t1)
+        rescue
+          return ntlm_request_auth
+        end
+        ntlm_request_auth("#{package} #{t2}", false, 2)
+      when 2 # we are waiting for type3 message
+        package, t3 = ntlm_token
+        return ntlm_request_auth(NTLM_REQUEST_PACKAGE, false) if t3.nil?
+        return ntlm_request_auth unless package == @ntlm.package
+        return ntlm_request_auth unless request.persistent?
+        begin
+          t2 = @ntlm.accept_security_context(t3)
+          @authenticated_as = @ntlm.get_username_from_context
+          @authentication_stage = 1 # in case IE8 wants to reauthenticate
+        rescue
+          return ntlm_request_auth
+        end
+        return ntlm_request_auth unless @authenticated_as
+        ntlm_cleanup
+      else
+        raise "Invalid value for @authentication_stage=#{@authentication_stage} detected"
+      end
+    rescue Exception
+      handle_error
+      terminate_request
+      nil
+    end
+
+    def ntlm_request_auth(auth = nil, finished = true, next_stage = 1)
+      @authentication_stage = next_stage
+      @can_persist = !finished
+      head = {}
+      head[WWW_AUTHENTICATE] = auth if auth
+      head[CONTENT_TYPE] = CONTENT_TYPE_AUTH
+      return [401, head, [AUTHORIZATION_MESSAGE]]
+    end
+  end
+end

data/lib/thin-auth-ntlm.rb

@@ -0,0 +1,9 @@
+require 'thin'
+
+module Thin
+  autoload :NTLMConnection, 'thin/ntlm/connection'
+
+  module Backends
+    autoload :NTLMTcpServer, 'thin/ntlm/backends/tcp_server'
+  end
+end

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification 
+name: snaury-thin-auth-ntlm
+version: !ruby/object:Gem::Version 
+  version: 0.0.2
+platform: ruby
+authors: 
+- Alexey Borzenkov
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-05-18 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: thin
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.0.0
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: rubysspi-server
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.0.1
+    version: 
+description: 
+email: snaury@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.txt
+files: 
+- LICENSE.txt
+- README.txt
+- Rakefile
+- lib/thin-auth-ntlm.rb
+- lib/thin/ntlm/backends/tcp_server.rb
+- lib/thin/ntlm/connection.rb
+has_rdoc: true
+homepage: 
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Allows you to force NTLM authentication on Thin TCP servers.
+test_files: []
+