wikk_web_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ecd4829760efaf1668d18a19881a30066d68a6c0
+  data.tar.gz: a9c80865749876369330677d7fdad881ac8376eb
+SHA512:
+  metadata.gz: 6bcb14d568d41c9467dc5a844469f31115b28c09d9743ced5d9c856f61a0976e82f2b5dc07fc5cf4c36812f7a002450158068ca27b8ce7b88cec611b6fb3ec02
+  data.tar.gz: 726c057193a25b2cebc441853fd833ed2ef9be6c7075577c56110c9cd48cf46bc25437932487e60fcdb53da880c4989a042b2d3a5cdfef2441fd7bc6ca7870b7

data/History.txt

@@ -0,0 +1,6 @@
+=== 1.0.0 / 2016-06-19
+
+* 1 major enhancement
+
+  * Birthday!
+

data/Manifest.txt

@@ -0,0 +1,5 @@
+History.txt
+Manifest.txt
+README.md
+Rakefile
+lib/wikk_web_auth.rb

data/README.md

@@ -0,0 +1,85 @@
+# wikk_web_auth
+
+* http://wikarekare.github.com/wikk_web_auth/
+* Source https://github.com/wikarekare/wikk_web_auth
+* Gem https://rubygems.org/gems/wikk_web_auth
+
+## DESCRIPTION:
+
+Gem provides common authentication framework for Wikarekare's Ruby CGIs. 
+
+## FEATURES/PROBLEMS:
+
+* In process of conversion from a library to a gem, and refactored to be more generic. Needs some real world testing. 
+
+## SYNOPSIS:
+
+### Redirect to login scenario
+* Logic flows from clients to the cgi; 
+* generating a login html page; 
+* client logs in, sending the form to the login.rbx Ruby cgi;
+* If successful, the login.rbx cgi sends back a redirect to the original cgi.
+
+### Javascript Scenario, with separation of function.
+* A separate login button is included on the HTML page, which uses the wikk_auth_js library
+```
+  <html>
+  <head>
+    <script src="wikk_web_auth.js"></script>
+    ...
+    <script>
+      init() {
+        //Check if we are authenticated, and fill in login span appropriately. 
+        logged_in(true, '/admin/sites.html'); //(display lock/unlock image, return url after login page)
+        ...
+      }
+      ...
+    </script>
+  </head>
+  <body onload="init();">
+    ...
+    <span id="login_span"></span>
+    ...
+```
+* The cgi simple calls the class level WIKK::Web_Auth.authenticate? call, for a true/false response.
+```
+  require 'wikk_web_auth'
+  @authenticated = Authenticated.authenticated?(@cgi)
+```
+
+## REQUIREMENTS:
+
+* Used in conjunction with Ruby cgi login.rbx 
+* relies on gems wikk_password
+* Could make use of wikk_configuration and wikk_aes_256
+
+## INSTALL:
+
+* sudo gem install wikk_web_auth
+
+## LICENSE:
+
+(The MIT License)
+
+Derived from Wikarekare authentication.rb library.
+
+Copyright (c) 2004-2016
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,27 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+Hoe.plugin :yard
+
+Hoe.spec 'wikk_web_auth' do 
+  self.readme_file = "README.md"
+  self.developer( "Rob Burrowes","r.burrowes@auckland.ac.nz")
+  remote_rdoc_dir = '' # Release to root
+  
+  self.yard_title = 'wikk_web_auth'
+  self.yard_options = ['--markup', 'markdown', '--protected']
+end
+
+
+#Validate manfest.txt
+#rake check_manifest
+
+#Local checking. Creates pkg/
+#rake gem
+
+#create doc/
+#rake docs  
+
+#Copy up to rubygem.org
+#rake release VERSION=1.0.1

data/lib/wikk_web_auth.rb

@@ -0,0 +1,263 @@
+module WIKK 
+  require 'cgi' 
+  require 'cgi/session' 
+  require 'cgi/session/pstore'     # provides CGI::Session::PStore
+  require 'digest/sha2'
+  require 'syslog/logger'
+  require "wikk_aes_256"
+  require 'wikk_password'
+
+  #Provides common authentication mechanism for all our cgis.
+  #  @attr_reader [String] user , the remote user's user name 
+  #  @attr_reader [String] session , the persistent Session record for this user
+  class Web_Auth
+    VERSION = "0.1.0" #Gem version
+    
+    attr_reader :user, :session
+    
+    #Create new Web_Auth instance, and proceed through authentication process by creating a login web form, if the user isn't authenticated.
+    #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
+    #  @param config [WIKK::Configuration|Hash] the location of the password file is embedded here.
+    #  @param return_url [String] If we successfully authenticate, return here.
+    #  @return [WIKK::Web_Auth]
+  	def initialize(cgi, config, return_url = nil)
+      if config.class == Hash
+        sym = config.each_with_object({}) { |(k,v),h| h[k.to_sym] = v }
+        @config = Struct.new(*(k = sym.keys)).new(*sym.values_at(*k))
+      else
+    	  @config = config
+    	end
+  	  @cgi = cgi
+      @user = ''
+      @session = nil
+  	  begin
+        @log = Syslog::Logger.syslog
+      rescue
+        @log = Syslog::Logger.new("authlib.rbx")
+      end
+      authenticate(return_url) 
+    end
+
+    #way of checking without doing a full login sequence.
+    #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
+    #  @return [Boolean] authenticated == true.
+  	def self.authenticated?(cgi)
+      begin
+          session = CGI::Session.new(cgi, Web_Auth.session_config({'new_session' => false}) )
+          authenticated = (session != nil && session['session_expires'] > Time.now && session['auth'] == true && session['ip'] == cgi.remote_addr)
+          session.close #Writes back the session data
+          return authenticated
+      rescue ArgumentError => error # if no old session to find.
+    	  begin
+          @log = Syslog::Logger.syslog
+        rescue
+          @log = Syslog::Logger.new("authlib.rbx")
+        end
+        @log.error(error.message)
+        return false
+      end
+    end
+
+    #get the session reference and delete the session.
+    #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
+    def self.logout(cgi)
+      begin
+          session = CGI::Session.new(cgi, Web_Auth.session_config({'new_session' => false}))
+          session.delete if session != nil
+      rescue ArgumentError => error # if no old session
+    	  begin
+          @log = Syslog::Logger.syslog
+        rescue
+          @log = Syslog::Logger.new("authlib.rbx")
+        end
+        @log.error(error.message)
+      end
+    end
+    
+    #Checks password file to see if the response from the user matches generating a hash from the password locally.
+    #  @param user [String] Who the remote user claims to be
+    #  @param challenge [String] Random string we sent to this user, and they used in hashing their password.
+    #  @param received_hash [String] The hex_SHA256(password + challenge) string that the user sent back.
+    #  @return [Boolean] True for authorization test suceeded.
+    def authorized?(user, challenge, received_hash)
+     begin
+       return WIKK::Password.valid_sha256_response?(user, @config, challenge, received_hash)
+     rescue IndexError => error #User didn't exist
+       @log.err("authorized?(#{user}): " + error.message)
+       return false
+     rescue Exception => error #Something else
+       @log.err("authorized?(#{user}): " + error.message)
+       return false
+     end
+    end
+
+    #Generate the new Session's config parameters, mixing in and/or overriding the preset values.
+    #  @param extra_arguments [Hash] Extra arguments that get added to the hash, or override values with the same key.
+    #  @return [Hash] The configuration hash.
+    def self.session_config(extra_arguments = {})
+      return {
+        'database_manager' => CGI::Session::PStore,  # use PStore
+        'session_key' => '_wikk_rb_sess_id',              # custom session key
+        #'session_id' => ?,
+        'session_expires' => (Time.now + 86400),     # 1 day timeout
+        'prefix' => 'pstore_sid_',  # PStore option
+        'tmpdir' => '/tmp',  # PStore option
+        #new_session => ?,#boolean
+        #no_hidden => ?,
+        #session_domain => ?,
+        #session_secure => ?,
+        #session_path => ?,
+        #no_cookies => ?, #boolean
+        #suffix => ?
+      }.merge(extra_arguments)
+    end
+    
+    def session_state_init(session_options = {})
+      session_options.each { |k,v| @session[k] = v }
+    end
+
+    #Test to see if we are already authenticated, and if not, generate an HTML login page.
+    #  @param return_url [String] We return here if we sucessfully login
+    def authenticate(return_url = nil)
+      begin
+        @session = CGI::Session.new(@cgi, Web_Auth.session_config({'new_session' => false})) #Look for existing session.
+        return gen_html_login_page(return_url) if @session == nil
+      rescue ArgumentError => error # if no old session
+        return gen_html_login_page(return_url)
+      rescue Exception => error
+        raise Exception, "Authenticate, CGI::Session.new " + error.message
+      end
+      
+      @session['auth'] = false if @session['session_expires'] < Time.now || #Session has expired
+                                  @session['ip'] != @cgi.remote_addr || #Not coming from same IP address
+                                  CGI::escapeHTML(@cgi['logout']) != '' #Are trying to logout
+                                  
+      return if(@session['auth'] == true) #if this is true, then we have already authenticated this session.       
+
+      if (challenge = @session['seed']) != '' #see if we are looking at a login response.
+        @user = CGI::escapeHTML(@cgi['Username'])
+        response = CGI::escapeHTML(@cgi['Response'])
+        if  @user != '' && response != '' && authorized?(@user, challenge, response)
+          @session['auth'] = true #Response valid.
+          @session['user'] = @user
+          @session['ip'] = @cgi.remote_addr
+          @session['seed'] = '' #Don't use the same one twice.
+          @session.close 
+          return
+        end
+      end
+
+      @session.delete #Start a new session.
+      gen_html_login_page(return_url)
+      @session.close if @session != nil #Saves the session state.
+    end
+
+    #clean up the session, setting @authenticated to false and deleting the session state.
+    def logout 
+      @session.delete if @session != nil
+    end
+
+    #Test to see if user authenticated, 
+    #  @return [Boolean] i.e @authenticated's value.
+    def authenticated?
+      @session != nil && @session['session_expires'] > Time.now && @session['auth'] == true && session['ip'] == @cgi.remote_addr
+    end
+      
+
+    #Used by calling cgi to generate a standard login page
+    #  @param return_url [String] We return here if we sucessfully login
+    def gen_html_login_page(return_url = nil)
+      session_options = Web_Auth.session_config()
+      @session = CGI::Session.new(@cgi, session_options) #Start a new session for future authentications.
+      raise "gen_html_login_page: @session == nil" if @session == nil
+      challenge = WIKK::AES_256.gen_key_to_s
+      session_state_init('auth' => false, 'seed' => challenge, 'ip' => "10.2.2.193", 'session_expires' => session_options['session_expires'])
+      @cgi.header("type"=>"text/html")
+      @cgi.out do
+        @cgi.html do
+          @cgi.head{ @cgi.title{"login"} + html_nocache + html_script() } +
+          @cgi.body {  html_login_form(user, challenge, return_url) + "\n" }
+        end
+      end
+      @session.update
+    end
+
+    #Used by calling cgi to inject a return URL into the html response. 
+    #Called by calling cgi, when constructing their html headers.
+    #  @param url [String] URL to redirect to.
+    #  @return [String] The HTML meta header, or "", if url is empty.
+    def html_reload(url = nil)
+      if url != nil && url != ''
+        "<meta http-equiv=\"Refresh\" content=\"0; URL=#{url}\">\n"
+      else
+        ""
+      end
+    end
+
+    #Used by calling cgi to generate logout with this form.
+    #  @param cgi_dir [String] directory holding the login.rbx cgi.
+    #  @return [String] Html logout form.
+    def html_logout_form(cgi_dir)
+      <<-EOHTMLF2
+      <form NAME="login" ACTION="#{cgi_dir}/login.rbx" METHOD="post">
+      <input TYPE="submit" NAME="logout" VALUE="logout" >
+      </form>
+      EOHTMLF2
+    end
+    
+    private 
+    #Login form javascript helper to SHA256 Hash a password and the challenge string sent by the server.
+    #  @return [String] Javascript to embed in html response.
+    def html_script
+      <<-EOHTML
+      <script type="text/javascript" src="/js/sha256.js"></script>
+
+      <script language="JavaScript">
+      function sendhash() {
+          str = document.login.Password.value +
+              document.login.Challenge.value;
+
+          document.login.Response.value = hex_sha256(str);
+          document.login.Password.value = "";
+          document.login.Challenge.value = "";
+          document.login.submit();
+      }
+      </script>
+      EOHTML
+    end
+
+    #Generate html login form.
+    #  @param user [String] user's login name.
+    #  @param challenge [String] Random bytes to add to password, before sending back to server.
+    #  @param return_url [String] Pass the url we want to return to if the login succeeds.
+    #  @return [String] Login form to embed in html response to user.
+    def html_login_form(user, challenge, return_url='')
+    <<-EOHTMLF
+    <form NAME="login" ACTION="/ruby/login.rbx" METHOD="post">
+    <input TYPE="hidden" NAME="Challenge" VALUE="#{challenge}"> 
+    <input TYPE="hidden" NAME="Response" VALUE="">
+    <input TYPE="hidden" NAME="ReturnURL" VALUE="#{return_url}">
+    <table>
+    <tr><th>User name</th><td><input TYPE="text" NAME="Username" VALUE="#{user}" SIZE="32" MAXLENGTH="32"></td></tr>
+    <tr><th>Password</th><td><input TYPE="password" NAME="Password" VALUE="" SIZE="32" MAXLENGTH="32"></td></tr>
+    <tr><td>&nbsp;</td><td>
+      <input ONCLICK="sendhash(); return false;" TYPE="Submit" NAME="submit" VALUE="Submit">
+      <input TYPE="button" NAME="Cancel" VALUE="   Cancel   " 
+      ONCLICK="document.login.Username.value='';document.login.Password.value=''">
+    </td></tr>
+    </table>
+    </form>
+    <script LANGUAGE="javascript" TYPE="text/javascript">
+          document.login.Username.focus();
+    </script>
+    EOHTMLF
+    end
+
+    #Generate no cache metadata header record.
+    #  @return [String] Html no-cache meta tag
+    def html_nocache
+      "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
+    end
+  end
+end
+

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: wikk_web_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Rob Burrowes
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-06-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hoe-yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.15'
+description: Gem provides common authentication framework for Wikarekare's Ruby CGIs.
+email:
+- r.burrowes@auckland.ac.nz
+executables: []
+extensions: []
+extra_rdoc_files:
+- History.txt
+- Manifest.txt
+- README.md
+files:
+- History.txt
+- Manifest.txt
+- README.md
+- Rakefile
+- lib/wikk_web_auth.rb
+homepage: http://wikarekare.github.com/wikk_web_auth/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--markup"
+- markdown
+- "--protected"
+- "--title"
+- wikk_web_auth
+- "--quiet"
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Gem provides common authentication framework for Wikarekare's Ruby CGIs.
+test_files: []