thin-auth-ntlm 0.0.4

data/LICENSE.txt

@@ -0,0 +1,18 @@
+Copyright (c) 2009 Alexey Borzenkov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.txt

@@ -0,0 +1,11 @@
+= NTLM Authentication for Thin
+
+Allows you to force NTLM authentication on Thin TCP servers.
+
+= Using thin-auth-ntlm
+
+Just start your thin server using NTLMTcpServer backend:
+
+  thin -r thin-auth-ntlm -b Thin::Backends::NTLMTcpServer start
+
+Remote username will be available as request.remote_user.

data/Rakefile

@@ -0,0 +1,14 @@
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "thin-auth-ntlm"
+    gemspec.summary = "Allows you to force NTLM authentication on Thin TCP servers."
+    gemspec.author = "Alexey Borzenkov"
+    gemspec.email = "snaury@gmail.com"
+
+    gemspec.add_dependency('thin', '>= 1.0.0')
+    gemspec.add_dependency('rubysspi-server', '>= 0.0.1')
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end

data/VERSION.yml

@@ -0,0 +1,4 @@
+---
+:major: 0
+:minor: 0
+:patch: 4

data/lib/thin-auth-ntlm.rb

@@ -0,0 +1,9 @@
+require 'thin'
+
+module Thin
+  autoload :NTLMConnection, 'thin/ntlm/connection'
+
+  module Backends
+    autoload :NTLMTcpServer, 'thin/ntlm/backends/tcp_server'
+  end
+end

data/lib/thin/ntlm/backends/tcp_server.rb

@@ -0,0 +1,13 @@
+module Thin
+  module Backends
+    class NTLMTcpServer < TcpServer
+      def initialize(host, port, options)
+        super(host, port)
+      end
+
+      def connect
+        @signature = EventMachine.start_server(@host, @port, NTLMConnection, &method(:initialize_connection))
+      end
+    end
+  end
+end

data/lib/thin/ntlm/connection.rb

@@ -0,0 +1,180 @@
+require 'weakref'
+require 'win32/sspi/server'
+
+module Thin
+  class NTLMWrapper
+    AUTHORIZATION_MESSAGE = <<END
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>401 NTLM Authorization Required</title>
+</head><body>
+<h1>NTLM Authorization Required</h1>
+<p>This server could not verify that you
+are authorized to access the document
+requested.  Either you supplied the wrong
+credentials (e.g., bad password), or your
+browser doesn't understand how to supply
+the credentials required.</p>
+</body></html>
+END
+    REMOTE_USER = 'REMOTE_USER'.freeze
+    HTTP_AUTHORIZATION = 'HTTP_AUTHORIZATION'.freeze
+    WWW_AUTHENTICATE = 'WWW-Authenticate'.freeze
+    CONTENT_TYPE = 'Content-Type'.freeze
+    CONTENT_TYPE_AUTH = 'text/html; charset=iso-8859-1'.freeze
+    NTLM_REQUEST_PACKAGE = 'NTLM'.freeze
+    NTLM_ALLOWED_PACKAGE = 'NTLM|Negotiate'.freeze
+
+    def initialize(app, connection)
+      @app = app
+      @connection = WeakRef.new(connection)
+    end
+
+    def deferred?(env)
+      @app.respond_to?(:deferred?) && @app.deferred?(env)
+    end
+
+    def persistent?
+      @connection.request.persistent?
+    end
+
+    def can_persist!
+      @connection.can_persist!
+    end
+
+    def ntlm_start
+      @connection.ntlm_start
+    end
+
+    def ntlm_stop
+      @connection.ntlm_stop
+    end
+
+    def call(env)
+      # check if browser wants to reauthenticate
+      if @authenticated_as && http_authorization(env)
+        @authenticated_as = nil
+      end
+
+      # require authentication
+      unless @authenticated_as
+        ntlm_start
+        @authentication_stage ||= 1
+        result = process(env)
+        return result unless @authenticated_as
+        ntlm_stop
+      end
+
+      # pass thru
+      env[REMOTE_USER] = @authenticated_as
+      @app.call(env)
+    end
+
+    # Returns stripped HTTP-Authorization header, nil if none or empty
+    def http_authorization(env)
+      auth = env[HTTP_AUTHORIZATION]
+      if auth
+        auth = auth.strip
+        auth = nil if auth.empty?
+      end
+      auth
+    end
+
+    # Returns token type and value from HTTP-Authorization header
+    def token(env)
+      auth = http_authorization(env)
+      return [nil, nil] unless auth && auth.match(/\A(#{NTLM_ALLOWED_PACKAGE}) (.*)\Z/)
+      [$1, Base64.decode64($2.strip)]
+    end
+
+    # Acquires new OS credentials handle
+    def acquire(package = 'NTLM')
+      cleanup
+      @ntlm = Win32::SSPI::NegotiateServer.new(package)
+      @ntlm.acquire_credentials_handle
+      @ntlm
+    end
+
+    # Frees credentials handle, if acquired
+    def cleanup
+      if @ntlm
+        @ntlm.cleanup rescue nil
+        @ntlm = nil
+      end
+      nil
+    end
+
+    # Processes current authentication stage
+    # Returns rack response if authentication is incomplete
+    # Sets @authenticated_as to username if authentication successful
+    def process(env)
+      case @authentication_stage
+      when 1 # we are waiting for type1 message
+        package, t1 = token(env)
+        return request_auth(NTLM_REQUEST_PACKAGE, false) if t1.nil?
+        return request_auth unless persistent?
+        begin
+          acquire(package)
+          t2 = @ntlm.accept_security_context(t1)
+        rescue
+          return request_auth
+        end
+        request_auth("#{package} #{t2}", false, 2)
+      when 2 # we are waiting for type3 message
+        package, t3 = token(env)
+        return request_auth(NTLM_REQUEST_PACKAGE, false) if t3.nil?
+        return request_auth unless package == @ntlm.package
+        return request_auth unless persistent?
+        begin
+          t2 = @ntlm.accept_security_context(t3)
+          @authenticated_as = @ntlm.get_username_from_context
+          @authentication_stage = nil # in case IE wants to reauthenticate
+        rescue
+          return request_auth
+        end
+        return request_auth unless @authenticated_as
+        cleanup
+      else
+        raise "Invalid value for @authentication_stage=#{@authentication_stage} detected"
+      end
+    end
+
+    # Returns response with authentication request to the client
+    def request_auth(auth = nil, finished = true, next_stage = 1)
+      @authentication_stage = next_stage
+      can_persist! unless finished
+      head = {}
+      head[WWW_AUTHENTICATE] = auth if auth
+      head[CONTENT_TYPE] = CONTENT_TYPE_AUTH
+      [401, head, [AUTHORIZATION_MESSAGE]]
+    end
+  end
+
+  class NTLMConnection < Connection
+    def app=(app)
+      super NTLMWrapper.new(app, self)
+    end
+
+    def unbind
+      @app.cleanup if @app && @app.respond_to?(:cleanup)
+    ensure
+      super
+    end
+
+    # Saves original can_persist? value (NTLM will force persistence)
+    def ntlm_start
+      unless @ntlm_in_progress
+        @ntlm_saved_can_persist = @can_persist
+        @ntlm_in_progress = true
+      end
+    end
+
+    # Restores previous can_persist? value
+    def ntlm_stop
+      if @ntlm_in_progress
+        @can_persist = @ntlm_saved_can_persist
+        @ntlm_in_progress = false
+      end
+    end
+  end
+end

data/thin-auth-ntlm.gemspec

@@ -0,0 +1,48 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE
+# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{thin-auth-ntlm}
+  s.version = "0.0.4"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Alexey Borzenkov"]
+  s.date = %q{2009-08-13}
+  s.email = %q{snaury@gmail.com}
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+     "README.txt"
+  ]
+  s.files = [
+    "LICENSE.txt",
+     "README.txt",
+     "Rakefile",
+     "VERSION.yml",
+     "lib/thin-auth-ntlm.rb",
+     "lib/thin/ntlm/backends/tcp_server.rb",
+     "lib/thin/ntlm/connection.rb",
+     "thin-auth-ntlm.gemspec"
+  ]
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.4}
+  s.summary = %q{Allows you to force NTLM authentication on Thin TCP servers.}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<thin>, [">= 1.0.0"])
+      s.add_runtime_dependency(%q<rubysspi-server>, [">= 0.0.1"])
+    else
+      s.add_dependency(%q<thin>, [">= 1.0.0"])
+      s.add_dependency(%q<rubysspi-server>, [">= 0.0.1"])
+    end
+  else
+    s.add_dependency(%q<thin>, [">= 1.0.0"])
+    s.add_dependency(%q<rubysspi-server>, [">= 0.0.1"])
+  end
+end

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification 
+name: thin-auth-ntlm
+version: !ruby/object:Gem::Version 
+  version: 0.0.4
+platform: ruby
+authors: 
+- Alexey Borzenkov
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-08-13 00:00:00 +04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: thin
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.0.0
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: rubysspi-server
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.0.1
+    version: 
+description: 
+email: snaury@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.txt
+files: 
+- LICENSE.txt
+- README.txt
+- Rakefile
+- VERSION.yml
+- lib/thin-auth-ntlm.rb
+- lib/thin/ntlm/backends/tcp_server.rb
+- lib/thin/ntlm/connection.rb
+- thin-auth-ntlm.gemspec
+has_rdoc: true
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Allows you to force NTLM authentication on Thin TCP servers.
+test_files: []
+