wikk_web_auth 0.1.5 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f11e7bb6190975e4175a2e0b67a4a01b157c3c4787538138099dda2a020ae07a
-  data.tar.gz: 622a9d3c4d29584a860b39f3a1e30b5462b765f02373dae5d8ab1139a9b5b441
+  metadata.gz: 671e30332d7611b59813c740329597c67743e6dfb1d14f5624b0d2f048f735ed
+  data.tar.gz: 370ae2207160bb1d6b7304c2451cdf9de71ea0f0da2e760e60642c9f3a8c822b
 SHA512:
-  metadata.gz: 83560ee013e45a01a0b8d7c62a4daef09d4c8e33501673d96b643a8ffb5675e136b3f4392b59041138d63abcc3e1584312bf027433ca941ef1da71c6f0fc22f7
-  data.tar.gz: 7fdd8602fa9427be49777ffa2b221f9718109c05c9c00b5a914b01a1af24fb242ef946c86f404efad63d818455c2626b7c8624cc31506f27c43f622ec663b249
+  metadata.gz: 80f9e4d1c65fdd6d96f35399ba86fa2a11ff09a505bfa8154fc6f0f3f464bb1ec9b4f5697655822439e7523cde7da2c4dddc210e78aeaeca690d499c04231cfa
+  data.tar.gz: 874afd4511eae12ece2931f7bce38bcb991ae6ae76660d30c53e3aa2254660fa778d3d31eed573e33b66d9dd23d3ed7cf19da263ea1f52c554ba4647c0b75cc8

data/History.txt

@@ -1,3 +1,23 @@
+robertburrowes	Sat Apr 15 16:18:34 2023 +1200
+	deleted an end in error
+robertburrowes	Sat Apr 15 16:05:26 2023 +1200
+	removed the syslogs. Getting odd errors, depending on the context.
+robertburrowes	Sat Apr 15 15:53:04 2023 +1200
+	factor out code into new_session() Clean up old cookie entries in cgi instance.
+robertburrowes	Sat Apr 15 15:49:37 2023 +1200
+	more output from the tests
+robertburrowes	Wed Apr 12 18:31:54 2023 +1200
+	Add test for authenticated on a reconnect Add test for trying to reauthenticate, by sending a previous response.
+robertburrowes	Wed Apr 12 18:30:25 2023 +1200
+	Initialize instance vars earlier @log.error now failing. Replaced with full call, using LOG_NOTICE session and @session mix up Explicitly set no_cookies and no_hidden to false (should be default)
+robertburrowes	Tue Apr 11 17:56:27 2023 +1200
+	bumped the version
+robertburrowes	Tue Apr 11 17:56:01 2023 +1200
+	Added test/direct_test.rb Cleaned up test, moving conf files into test/conf Created test/conf/pstore for the pstore temp files (which need cleaning out after the test)
+robertburrowes	Tue Apr 11 15:06:47 2023 +1200
+	refactor: Bump version Set return_url globally Initialize @session globally Separate generating challenge into its own method (for new rpc) Optionally call to authencate in initialize (for new rpc) Added check for the username changing during login. Fail authorized step, if challenge not set (i.e. we jumped straight to step 2. nil cgi params get converted to '' seed now reset, if authorization fails. Authorized? should have been private session_state_init should have been private
+robertburrowes	Sun Apr 9 17:57:33 2023 +1200
+	not used
 robertburrowes	Wed Mar 29 22:03:06 2023 +1300
 	Test against the new lib version, not the gem
 robertburrowes	Wed Mar 29 22:02:44 2023 +1300

data/lib/wikk_web_auth.rb

@@ -3,25 +3,30 @@ module WIKK
   require 'cgi/session'
   require 'cgi/session/pstore'     # provides CGI::Session::PStore
   require 'digest/sha2'
-  require 'syslog/logger'
-  require 'wikk_aes_256'
+  require 'securerandom'
   require 'wikk_password'
 
   # Provides common authentication mechanism for all our cgis.
+  # Uses standard cgi parameters, unless overridden e.g. cgi?user=x&response=y
+  # Returns values imbedded as hidden fields in the login form
   #  @attr_reader [String] user , the remote user's user name
   #  @attr_reader [String] session , the persistent Session record for this user
   class Web_Auth
-    VERSION = '0.1.5' # Gem version
+    VERSION = '0.1.6' # Gem version
 
-    attr_reader :user, :session
+    attr_reader :user, :challenge
+    attr_accessor :response
 
     # Create new Web_Auth instance, and proceed through authentication process by creating a login web form, if the user isn't authenticated.
     #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
     #  @param pwd_config [WIKK::Configuration|Hash] the location of the password file is embedded here.
+    #  @param user [String] overrides cgi['user']
+    #  @param response [String] overrides cgi['response']
+    #  @param user_logout [Boolean] overrides cgi['logout']
     #  @param pstore_config [Hash] overrides default pstore settings
     #  @param return_url [String] If we successfully authenticate, return here.
     #  @return [WIKK::Web_Auth]
-    def initialize(cgi, pwd_config = nil, return_url = nil, pstore_config: nil)
+    def initialize(cgi, pwd_config = nil, return_url = nil, user: nil, response: nil, user_logout: false, pstore_config: nil, run_auth: true)
       if pwd_config.instance_of?(Hash)
         sym = pwd_config.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
         @config = Struct.new(*(k = sym.keys)).new(*sym.values_at(*k))
@@ -31,14 +36,56 @@ module WIKK
 
       @cgi = cgi
       @pstore_config = pstore_config
-      @user = ''
-      @session = nil
+
+      # Set variables from the method's params, or alternately, from the CGI params
+      @user = user.nil? ? cgi_param('Username') : user
+      @response = response.nil? ? cgi_param('Response') : response
+      @return_url = return_url.nil? ? cgi_param('ReturnURL') : return_url
+
+      # Look for existing session, but don't start a new one.
       begin
-        @log = Syslog::Logger.syslog
-      rescue StandardError
-        @log = Syslog::Logger.new('wikk_web_auth')
+        @session = CGI::Session.new(@cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: @pstore_config ))
+      rescue ArgumentError => _e # if no old session
+        @session = nil
+      rescue Exception => e # rubocop:disable Lint/RescueException In CGI, we want to handle every exception
+        raise e.class, 'Authenticate, CGI::Session.new ' + e.message
+      end
+
+      if @session.nil?
+        @challenge = '' # there is no current challenge
+      elsif @session['session_expires'].nil? ||       # Shouldn't be the case
+            @session['session_expires'] < Time.now || # Session has expired
+            @session['ip'] != @cgi.remote_addr ||     # Not coming from same IP address
+            # @session['user'] != @user ||              # Not the same user
+            cgi_param('logout') != '' ||        # Requested a logout
+            user_logout                               # Alternate way to request a logout
+        logout
+      else
+        # We ignore the cgi['Challenge'] value, and always get this from the pstore
+        @challenge = @session['seed'] # Recover the challenge from the pstore entry. It may be ''
+      end
+
+      authenticate if run_auth # This generates html output, so it is now conditionally run.
+    end
+
+    # Debug dump of session keys
+    def session_to_s
+      return '' if @session.nil?
+
+      s = '{'
+      [ 'auth', 'seed', 'ip', 'user', 'session_expires' ].each do |k|
+        s += "'#{k}':'#{@session[k]}', "
       end
-      authenticate(return_url)
+      s += '}'
+      return s
+    end
+
+    # expose the session_id. This is also returned by modifying the cgi instance passed in to initialize
+    # * The cgi.output_cookies Array of Cookies gets modified if no_cookies is false (the default)
+    # * And cgi.output_hidden Hash get modified if no_hidden is false (the default)
+    # @return [String] random session id
+    def session_id
+      @session.nil? ? '' : @session.session_id
     end
 
     # way of checking without doing a full login sequence.
@@ -48,52 +95,39 @@ module WIKK
     def self.authenticated?(cgi, pstore_config: nil )
       begin
         session = CGI::Session.new(cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: pstore_config ) )
-        authenticated = (session != nil && session['session_expires'] > Time.now && session['auth'] == true && session['ip'] == cgi.remote_addr)
-        session.close # Writes back the session data
+        authenticated = (session != nil && !session['session_expires'].nil? && session['session_expires'] > Time.now && session['auth'] == true && session['ip'] == cgi.remote_addr)
+        session.close # Tidy up, so we don't leak file descriptors
         return authenticated
-      rescue ArgumentError => e # if no old session to find.
-        begin
-          @log = Syslog::Logger.syslog
-        rescue StandardError
-          @log = Syslog::Logger.new('wikk_web_auth')
-        end
-        @log.error(e.message)
+      rescue ArgumentError => _e # if no old session to find.
         return false
       end
     end
 
+    # Test to see if user authenticated.
+    # If this is the only call, then follow this with close_session()
+    #  @return [Boolean] True, if this session is authenticated
+    def authenticated?
+      @session != nil && !@session['session_expires'].nil? && @session['session_expires'] > Time.now && @session['auth'] == true && @session['ip'] == @cgi.remote_addr
+    end
+
     # get the session reference and delete the session.
     #  @param pstore_config [Hash] overrides default pstore settings
     #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
     def self.logout(cgi, pstore_config: nil)
       begin
         session = CGI::Session.new(cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: pstore_config ))
-        session.delete if session != nil
-      rescue ArgumentError => e # if no old session
-        begin
-          @log = Syslog::Logger.syslog
-        rescue StandardError
-          @log = Syslog::Logger.new('wikk_web_auth')
-        end
-        @log.error(e.message)
+        session.delete unless session.nil? # Also closes the session
+      rescue ArgumentError => _e # if no old session
+        # Not an error.
       end
     end
 
-    # Checks password file to see if the response from the user matches generating a hash from the password locally.
-    #  @param user [String] Who the remote user claims to be
-    #  @param challenge [String] Random string we sent to this user, and they used in hashing their password.
-    #  @param received_hash [String] The hex_SHA256(password + challenge) string that the user sent back.
-    #  @return [Boolean] True for authorization test suceeded.
-    def authorized?(user, challenge, received_hash)
-      begin
-        return WIKK::Password.valid_sha256_response?(user, @pwd_config, challenge, received_hash)
-      rescue IndexError => e # User didn't exist
-        @log.error("authorized?(#{user}) User not found: " + e.message)
-        return false
-      rescue Exception => e # rubocop:disable Lint/RescueException  # In a cgi, we want to log all errors.
-        @log.error("authorized?(#{user}): " + e.message)
-        return false
-      end
+    # clean up the session, deleting the session state.
+    def logout
+      @session.delete unless @session.nil? # Will close the existing session
+      @session = nil
+      @challenge = '' # no current session, so no challenge string
+      clear_cgi_cookies
     end
 
     # Generate the new Session's config parameters, mixing in and/or overriding the preset values.
@@ -104,100 +138,105 @@ module WIKK
       instance_of?(Hash)
       session_conf = {
         'database_manager' => CGI::Session::PStore,  # use PStore
-        'session_key' => '_wikk_rb_sess_id',                # custom session key
-        'session_expires' => (Time.now + 86400),   # 1 day timeout
-        'prefix' => 'pstore_sid_',                          # Prefix for pstore file
+        'session_key' => '_wikk_rb_sess_id',         # custom session key
+        'session_expires' => (Time.now + 86400),     # 1 day timeout
+        'prefix' => 'pstore_sid_',                   # Prefix for pstore file
+        # 'suffix' => ?
         'tmpdir' => '/tmp',                          # PStore option. Under Apache2, this is a private namespace /tmp
-        'session_path' => '/'               # The cookie gets returned for URLs starting with this path
-        # 'session_id' => ?,                         # Created for new sessions. Merged in for existing sessions
+        'session_path' => '/',                       # The cookie gets returned for URLs starting with this path
         # 'new_session' => true,                     # Default, is to create a new session if it doesn't already exist
-        # 'no_hidden' => ?,
         # 'session_domain' => ?,
         # 'session_secure' => ?,
-        # 'no_cookies' => ?, #boolean
-        # 'suffix' => ?
+        # 'session_id' => ?,                         # Created for new sessions. Merged in for existing sessions
+        'no_cookies' => false,                       # boolean. Do fill in cgi output_cookies array of Cookies
+        'no_hidden' => false                         # boolean fill in the cgi output_hidden Hash key=cookie, value=session_id
       }
       session_conf.merge!(pstore_config) if pstore_config.instance_of?(Hash)
       session_conf.merge!(extra_arguments) if extra_arguments.instance_of?(Hash)
       return session_conf
     end
 
-    def session_state_init(session_options = {})
-      session_options.each { |k, v| @session[k] = v }
+    # Generate a challenge, as step 1 of a login
+    # If this is the only call, then follow this with close_session()
+    def gen_challenge
+      # Short session, which gets replaced if we successfully authenticate
+      new_session( { 'session_expires' => Time.now + 120 } )
+      raise 'gen_challenge: @session == nil' if @session.nil?
+
+      @challenge = SecureRandom.base64(32)
+      # Store the challenge in the pstore, ready for the 2nd login step, along with browser details
+      session_state_init('auth' => false, 'seed' => @challenge, 'ip' => @cgi.remote_addr, 'user' => @user, 'session_expires' => @session_options['session_expires'])
+      @session.update
+      return @challenge
+    end
+
+    # Test the response against the password file
+    # If this is the only call, then follow this with close_session()
+    # @return [Boolean] We got authorized
+    def valid_response?
+      if authorized?
+        # We got a challenge string, so we are on step 2 of the authentication
+        # And have passed the password check ( authorized?() )
+        new_session # regenerate the cookie with a longer lifetime.
+        raise 'valid_response?: @session == nil' if @session.nil?
+
+        session_state_init('auth' => true, 'seed' => '', 'ip' => @cgi.remote_addr, 'user' => @user, 'session_expires' => @session_options['session_expires'])
+        @session.update       # Should also update on close, which we probably do next
+        return true
+      else # Failed to authorize. The temporary challenge session cookie is no longer valid.
+        logout
+        return false
+      end
     end
 
     # Test to see if we are already authenticated, and if not, generate an HTML login page.
-    #  @param return_url [String] We return here if we sucessfully login
+    #  @param return_url [String] We return here if we sucessfully login. Overrides initialize value
     def authenticate(return_url = nil)
-      begin
-        @session = CGI::Session.new(@cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: @pstore_config )) # Look for existing session.
-        return gen_html_login_page(return_url) if @session.nil?
-      rescue ArgumentError => _e # if no old session
-        return gen_html_login_page(return_url)
-      rescue Exception => e # rubocop:disable Lint/RescueException In CGI, we want to handle every exception
-        @log.error("authenticate(#{@session}):  #{e.message}")
-        raise e.class, 'Authenticate, CGI::Session.new ' + e.message
+      @return_url = return_url unless return_url.nil? # Update the return url (Backward compatibility)
+
+      # We have no session setup, or haven't sent the challenge yet.
+      # So we are at step 1 of the authentication
+      if @session.nil? || @challenge == ''
+        gen_html_login_page(message: 'no current challenge')
+        return
       end
 
+      # We are now at step 2, expecting a response to the challenge
       begin
-        @session['auth'] = false if @session['session_expires'].nil? ||
+        # Might be a while since we initialized the class, so repeat this test
+        @session['auth'] = false if @session['session_expires'].nil? ||       # Shouldn't ever happen, but has
                                     @session['session_expires'] < Time.now || # Session has expired
-                                    @session['ip'] != @cgi.remote_addr || # Not coming from same IP address
-                                    CGI.escapeHTML(@cgi['logout']) != '' # Are trying to logout
+                                    @session['ip'] != @cgi.remote_addr # ||     # Not coming from same IP address
+        #                           @session['user'] != @user                 # Username not the same as the session
 
         return if @session['auth'] == true # if this is true, then we have already authenticated this session.
 
-        if (challenge = @session['seed']) != '' # see if we are looking at a login response.
-          @user = CGI.escapeHTML(@cgi['Username'])
-          response = CGI.escapeHTML(@cgi['Response'])
-          if @user != '' && response != '' && authorized?(@user, challenge, response)
-            @session['auth'] = true # Response valid.
-            @session['user'] = @user
-            @session['ip'] = @cgi.remote_addr
-            @session['seed'] = '' # Don't use the same one twice.
-            @session.close
-            return
-          end
+        unless valid_response?
+          gen_html_login_page(message: 'invalid response:')
         end
-
-        @session.delete # Start a new session.
-        gen_html_login_page(return_url)
-        @session.close if @session != nil # Saves the session state.
+        @session.close unless @session.nil? # Saves the session state.
       rescue Exception => e # rubocop:disable Lint/RescueException
-        @log.error("authenticate(#{@session}):  #{e.message}")
         raise e.class, 'Authenticate, CGI::Session.new ' + e.message
       end
     end
 
-    # clean up the session, setting @authenticated to false and deleting the session state.
-    def logout
-      @session.delete if @session != nil
-    end
-
-    # Test to see if user authenticated,
-    #  @return [Boolean] i.e @authenticated's value.
-    def authenticated?
-      @session != nil && @session['session_expires'] > Time.now && @session['auth'] == true && session['ip'] == @cgi.remote_addr
+    # Ensure we don't consume all file descriptors
+    # Call after last call (though most calls do close the session)
+    def close_session
+      @session.close unless @session.nil?
+      @session = nil
     end
 
     # Used by calling cgi to generate a standard login page
-    #  @param return_url [String] We return here if we sucessfully login
-    def gen_html_login_page(return_url = nil)
-      session_options = Web_Auth.session_config( pstore_config: @pstore_config )
-      @session = CGI::Session.new(@cgi, session_options ) # Start a new session for future authentications.
-
-      raise 'gen_html_login_page: @session == nil' if @session.nil?
-
-      challenge = WIKK::AES_256.gen_key_to_s
-      session_state_init('auth' => false, 'seed' => challenge, 'ip' => @cgi.remote_addr, 'session_expires' => session_options['session_expires'])
+    def gen_html_login_page(message: '')
+      gen_challenge
       @cgi.header('type' => 'text/html')
       @cgi.out do
         @cgi.html do
           @cgi.head { @cgi.title { 'login' } + html_nocache + html_script } +
-            @cgi.body { html_login_form(user, challenge, return_url) + "\n" }
+            @cgi.body { html_login_form(message: message) + "\n" }
         end
       end
-      @session.update
     end
 
     # Used by calling cgi to inject a return URL into the html response.
@@ -223,6 +262,59 @@ module WIKK
       HTML
     end
 
+    # Get a CGI param
+    # @param key [String] name of the CGI param
+    # @return [String] Either the value, or ''
+    private def cgi_param(key)
+      value = @cgi[key]
+      return value.nil? ? '' : CGI.escapeHTML(value)
+    end
+
+    # Short hand for set up of the pstore session entry
+    # @param session_options [Hash] key pairs for the pstore session
+    private def session_state_init(session_options = {})
+      session_options.each { |k, v| @session[k] = v }
+    end
+
+    # Blat the session cookies, that would have been sent back to the server
+    private def clear_cgi_cookies
+      # Update the cgi record, removing the cookies
+      @cgi.instance_eval do
+        @output_hidden = {}
+        @output_cookies = []
+      end
+    end
+
+    # Create a new session in the pstore, having deleted any existing session.
+    # @param session_params [Hash] Optionally alter the session params
+    private def new_session(session_params = nil)
+      @session.delete unless @session.nil? # Closes and Deletes the existing session
+      clear_cgi_cookies
+      # Start a new session for future authentications.
+      # This resets the expiry timestamp
+      @session_options = Web_Auth.session_config( session_params, pstore_config: @pstore_config )
+      @session = CGI::Session.new(@cgi, @session_options )
+    end
+
+    # Checks password file to see if the response from the user matches generating a hash from the password locally.
+    #  @param user [String] Who the remote user claims to be
+    #  @param challenge [String] Random string we sent to this user, and they used in hashing their password.
+    #  @param response [String] The hex_SHA256(password + challenge) string that the user sent back.
+    #  @return [Boolean] True for authorization test suceeded.
+    private def authorized?
+      begin
+        unless @session.nil? ||
+               @challenge.nil? || @challenge == '' ||
+               @user.nil? || @user.empty? ||
+               @response.nil? || @response.empty?
+          return WIKK::Password.valid_sha256_response?(@user, @pwd_config, @challenge, @response)
+        end
+      rescue IndexError => _e # User didn't exist
+        # Not an error.
+      end
+      return false
+    end
+
     # Login form javascript helper to SHA256 Hash a password and the challenge string sent by the server.
     #  @return [String] Javascript to embed in html response.
     private def html_script
@@ -246,16 +338,17 @@ module WIKK
     # Generate html login form.
     #  @param user [String] user's login name.
     #  @param challenge [String] Random bytes to add to password, before sending back to server.
-    #  @param return_url [String] Pass the url we want to return to if the login succeeds.
+    #  @param return_url [String] We return here if we sucessfully login. Overrides initialize value
     #  @return [String] Login form to embed in html response to user.
-    private def html_login_form(user, challenge, return_url = '')
+    private def html_login_form(message: '')
       <<~HTML
         <form NAME="login" ACTION="/ruby/login.rbx" METHOD="post">
-        <input TYPE="hidden" NAME="Challenge" VALUE="#{challenge}">
+        <input TYPE="hidden" NAME="Challenge" VALUE="#{@challenge}">
         <input TYPE="hidden" NAME="Response" VALUE="">
-        <input TYPE="hidden" NAME="ReturnURL" VALUE="#{return_url}">
+        <input TYPE="hidden" NAME="ReturnURL" VALUE="#{@return_url}">
+        <span hidden>#{message}</span>
         <table>
-        <tr><th>User name</th><td><input TYPE="text" NAME="Username" VALUE="#{user}" SIZE="32" MAXLENGTH="32"></td></tr>
+        <tr><th>User name</th><td><input TYPE="text" NAME="Username" VALUE="#{@user}" SIZE="32" MAXLENGTH="32"></td></tr>
         <tr><th>Password</th><td><input TYPE="password" NAME="Password" VALUE="" SIZE="32" MAXLENGTH="32"></td></tr>
         <tr><td>&nbsp;</td><td>
           <input ONCLICK="sendhash(); return false;" TYPE="submit" NAME="login" VALUE="Login">

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wikk_web_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.6
 platform: ruby
 authors:
 - Rob Burrowes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2023-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: wikk_password