forks
/
arsd
mirror of https://github.com/adamdruppe/arsd.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

authentication

This commit is contained in:
Adam D. Ruppe 2011-12-03 22:30:55 -05:00
parent afa953838c
commit 4890825620
2 changed files with 473 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
web.d
View File

@ -2169,6 +2169,10 @@ version(Windows) {
alias GetTempPathW GetTempPath;
}
version(Posix) {
static import linux = std.c.linux.linux;
}
/// Provides some persistent storage, kinda like PHP
/// But, you have to manually commit() the data back to a file.
/// You might want to put this in a scope(exit) block or something like that.
@ -2176,6 +2180,7 @@ class Session {
/// Loads the session if available, and creates one if not.
/// May write a session id cookie to the passed cgi object.
this(Cgi cgi, string cookieName = "_sess_id", bool useFile = true) {
// assert(cgi.https); // you want this for best security, but I won't be an ass and require it.
this._cookieName = cookieName;
this.cgi = cgi;
bool isNew = false;
@ -2183,16 +2188,78 @@ class Session {
if(cookieName in cgi.cookies && cgi.cookies[cookieName].length)
token = cgi.cookies[cookieName];
else {
if("x-arsd-session-override" in cgi.requestHeaders) {
loadSpecialSession(cgi);
return;
} else {
// there is no session; make a new one.
token = makeNewCookie();
isNew = true;
}
}
makeSessionId(token);
if(useFile)
reload();
if(isNew)
addDefaults();
}
/// This loads a session that the user requests, without the normal
/// checks. The idea is to allow debugging or local request sharing.
///
/// It is private because you never have to call it yourself, but read on
/// to understand how it works and some potential security concerns.
///
/// It loads the requested session read-only (it does not commit),
/// if and only if the request asked for the correct hash and id.
///
/// If they have enough info to build the correct hash, they must
/// already know the contents of the file, so there should be no
/// risk of data contamination here. (A traditional session hijack
/// is surely much easier.)
///
/// It is possible for them to forge a request as a particular user
/// if they can read the file, but otherwise not write. For that reason,
/// especially with this functionality here, it is very important for you
/// to lock down your session files. If on a shared host, be sure each user's
/// processes run as separate operating system users, so the file permissions
/// set in commit() actually help you.
///
/// If you can't reasonably protect the session file, compile this out with
/// -version=no_session_override and only access unauthenticated functions
/// from other languages. They can still read your sessions, and potentially
/// hijack it, but it will at least be a little harder.
///
/// Also, don't use this over the open internet at all. It's supposed
/// to be local only. If someone sniffs the request, hijacking it
/// becomes very easy; even easier than a normal session id since they just reply it.
/// (you should really ssl encrypt all sessions for any real protection btw)
private void loadSpecialSession(Cgi cgi) {
version(no_session_override)
throw new Exception("You cannot access sessions this way.");
else {
// the header goes full-session-id;file-contents-hash
auto info = split(cgi.requestHeaders["x-arsd-session-override"], ";");
_sessionId = info[0];
auto hash = info[1];
// FIXME: race condition if the session changes?
enforce(hashToString(SHA256(readText(getFilePath()))) == hash);
_readOnly = true;
reload();
}
}
private void addDefaults() {
set("csrfToken", generateCsrfToken());
// this is there to help control access to someone requesting a specific session id (helpful for debugging or local access from other languages)
// the idea is if there's some random stuff in there that you can only know if you have access to the file, it doesn't hurt to load that
// session, since they have to be able to read it to know this value anyway, so you aren't giving them anything they don't already have.
set("randomRandomness", to!string(uniform(0, ulong.max)));
}
private string makeSessionId(string cookieToken) {
@ -2241,7 +2308,7 @@ class Session {
// and new cookie -> new session id -> new csrf token
makeSessionId(makeNewCookie());
set("csrfToken", generateCsrfToken());
addDefaults();
if(hasData)
changed = true;
@ -2307,6 +2374,7 @@ class Session {
return value;
}
// FIXME: doesn't seem to work
string* opBinary(string op)(string key) if(op == "in") {
return key in fields;
}
@ -2394,13 +2462,26 @@ class Session {
/// Commits your changes back to disk.
void commit(bool force = false) {
if(force || changed)
if(_readOnly)
return;
if(force || changed) {
std.file.write(getFilePath(), toJson(data));
// We have to make sure that only we can read this file,
// since otherwise, on shared hosts, our session data might be
// easily stolen. Note: if your shared host doesn't have different
// users on the operating system for each user, it's still possible
// for them to access this file and hijack your session!
version(Posix)
enforce(linux.chmod(toStringz(getFilePath()), octal!600) == 0, "chmod failed");
// FIXME: ensure the file's read permissions are locked down
// on Windows too.
}
}
private string[string] data;
private bool _hasData;
private bool changed;
private bool _readOnly;
private string _sessionId;
private string _cookieName;
private Cgi cgi; // used to regenerate cookies, etc.

428
web.d.php
View File

@ -1,12 +1,10 @@
<?php
// FIXME: this doesn't work on Windows
// FIXME: doesn't handle arrays
// FIXME: doesn't handle nested function calls
// FIXME: no authentication for ApiProvider access is implemented
// FIXME: doesn't do ApiObjects nor nested ApiProviders right
// FIXME: doesn't do server side ApiObjects nor nested ApiProviders right
/**************************************
* This file is meant to help integrate web.d apps
* with PHP apps that live on the same domain.
* with PHP apps that live on the same domain, or remotely
* if you've implemented OAuth authentication on the server.
*
* It's useful for things like single sign on with a web.d core.
**************************************/
@ -34,13 +32,16 @@ class WebDotDSession {
$token);
$path = "/tmp/arsd_session_file_" . $this->sessionId;
if(file_exists($path))
$this->data =
json_decode(file_get_contents($path));
if(file_exists($path)) {
$filecontents = file_get_contents($path);
$this->data = json_decode($filecontents);
$this->fileHash = hash("sha256", $filecontents);
}
}
}
public $sessionId = "";
public $fileHash = "";
/// The data in the session, as a PHP object. Note that any writes
/// to it will be discarded.
@ -50,6 +51,13 @@ class WebDotDSession {
/// This provides a base for exceptions thrown by D
class WebDotDException extends Exception {}
// internal helper function; assoc arrays should be encoded differently than
// linear arrays
function arsd_helper_is_assoc_array($v) {
if(!is_array($v)) return false;
return array_diff_assoc(array_keys($v), range(0, count($v)));
}
/**
If you've used the Javascript generated by web.d, you'll
find this very familiar; this is a port of that for the
@ -104,14 +112,15 @@ class WebDotDException extends Exception {}
anonymous one-liner.
*/
class WebDotDMethodCall {
public function __construct($apiProvider, $method, $url, $params) {
public function __construct($apiProvider, $httpMethod, $functionName, $url, $params) {
$this->apiProvider = $apiProvider;
$this->method = $method;
$this->method = $httpMethod;
$this->url = $url;
$this->requestedDataFormat = "json";
$this->functionName = $functionName;
$num = 0;
foreach($params as $arg) {
$this->urlargs["positional-arg-" . $num] = $arg;
$this->urlArgs["positional-arg-" . $num] = $arg;
$num++;
}
}
@ -127,61 +136,56 @@ class WebDotDMethodCall {
}
public function setValue($name, $value) {
$this->urlargs[$name] = $value;
$this->urlArgs[$name] = $value;
return $this;
}
private $apiProvider;
private $url;
private $urlargs;
private $urlArgs = array();
private $method;
private $requestedDataFormat;
private $functionName;
public function getSync() {
$args = "";
$num = 0;
$params = $this->urlargs;
$params = $this->urlArgs;
$params["envelopeFormat"] = "json";
$params["format"] = $this->requestedDataFormat;
$outputted = false;
foreach($params as $k => $arg) {
if($outputted) {
$args .= "&";
} else {
$outputted = true;
}
$this->apiProvider->addCustomRequestData($this, $params);
$args .= urlencode($k);
$args .= "=";
$args .= urlencode($arg);
}
$args = $this->getArgString($params);
$url = $this->url;
$postData = "";
if($this->method == "GET")
$url .= "?" . $args;
else
$postData = $args;
$ch = curl_init($url);
if($this->method == "POST") {
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $args);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
}
curl_setopt($ch, CURLOPT_HEADER,0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$this->apiProvider->addCustomCurlCode($ch, $this, $url, $postData);
$data = curl_exec($ch);
$resultObj = json_decode($data);
if($resultObj == null) {
echo $data;
throw new WebDotDException("Got null JSON");
throw new WebDotDException("Got null JSON. Instead, got: " . $data);
}
if($resultObj->success) {
return $resultObj->result;
return $this->formatResult($resultObj->result);
} else {
// FIXME: maybe we can use type for better info?
$msg = $resultObj->type;
@ -193,6 +197,109 @@ class WebDotDMethodCall {
// assert(0); // not reached
}
// Why do I bother with this? It converts any generic object returned
// in the json to a custom class that, for now, only overrides toString,
// to make accessing the secondary format easier, but might offer more
// stuff in the future too, like better integration with the returned D types.
protected function formatResult($arg) {
if(is_object($arg)) {
$vars = get_object_vars($arg);
$obj = new WebDotDResultObject();
foreach($vars as $k => $v)
$obj->_fields[$k] = $this->formatResult($v);
return $obj;
} else if(is_array($arg)) {
$arr = Array();
foreach($arg as $k => $v)
$arr[$k] = $this->formatResult($v);
return $arr;
} else
return $arg;
}
private function argToUrlParam($k, $arg) {
if(is_object($arg) && get_class($arg) == "WebDotDMethodCall") {
$args = urlencode($k) . "=" . urlencode($arg->getRelativeUrlForNesting());
$args .= "&".$k."-type=ServerResult";
return $args;
} else if(is_object($arg) || arsd_helper_is_assoc_array($arg)) {
$aa = Array();
if(get_class($arg) == "WebDotDResultObject")
$aa = $arg->_fields;
else if(is_object($arg))
$aa = get_object_vars($arg);
else
$aa = $arg;
// FIXME - needs to actually send it. web.d doesn't define how it
// actually receives associative arrays yet.
throw new Exception("not yet able to do object params");
} else if(is_array($arg)) {
$args = "";
$outputtedHere = false;
foreach($arg as $a) {
if($outputtedHere) {
$args .= "&";
} else
$outputtedHere = true;
$args .= argToUrlParam($k, $arg);
}
return $args;
} else {
$args = "";
$args .= urlencode($k);
$args .= "=";
$args .= urlencode($arg);
return $args;
}
}
private function getArgString($params = null) {
if($params === null)
$params = $this->urlArgs;
$outputted = false;
$args = "";
foreach($params as $k => $arg) {
if($outputted) {
$args .= "&";
} else {
$outputted = true;
}
$args .= $this->argToUrlParam($k, $arg);
}
return $args;
}
private function getRelativeUrlForNesting() {
return $this->functionName . "?" . $this->getArgString();
}
}
/// A simple class to represent objects returned by calling D functions
class WebDotDResultObject {
public $_fields = Array();
public function __get($name) {
return $this->_fields[$name];
}
public function __set($name, $value) {
$this->_fields[$name] = $value;
}
public function __toString() {
if(isset($this->_fields["formattedSecondarily"]))
return $this->_fields["formattedSecondarily"];
return json_encode($this->_fields);
}
}
/// Base class for accessing web.d ApiProviders.
@ -205,27 +312,266 @@ class WebDotDMethodCall {
/// if you are making a web service, adding some authentication or
/// custom branding. See the protected functions for available hooks.
class WebDotDApiProvider {
private $endpoint;
// The endpoint is a full URL to the base of your web.d program, with trailing slash.
// for example: http://mywebsite.com/myapp/
public function __construct($endpoint) {
$this->endpoint = $endpoint;
protected $endPoint;
/// The endpoint is a full URL to the base of your web.d program, with trailing slash.
/// for example: http://mywebsite.com/myapp/
public function __construct($endPoint) {
$this->endPoint = $endPoint;
}
/// this can be used to add additional data to a request being prepared by mutating args
protected function addCustomRequestData($apiRequest, &$args) { }
/// use this to manipulate the http request a little before it is sent (custom headers, etc.)
protected function addCustomCurlCode($ch, $apiRequest, $url, $postData) { }
/// Returns a lazy method call object. The arguments and name are dynamic, so
/// you can do $api->anyFunction($any, $args)->getSync();
/// The getSync() command should be run at the last possible moment, when you
/// need to convert the call into a PHP variable result.
///
/// Note: you can pass those objects directly as arguments to other functions
/// to combine calls into one request! (Much of the time. It's not perfect server side,
/// but it works on primitives at least. This will eventually change.)
///
/// See WebDotDMethodCall's documentation for more information.
public function __call($name, $params = null) {
$url = $this->endpoint . $name;
$url = $this->endPoint . $name;
return new WebDotDMethodCall($this,
// the naming convention currently used by Javascript in web.d too
// is if a function name starts with get, use GET, otherwise, use POST.
// This is imperfect, but it's not awful (to me anyway).
// If you get the method wrong, the request will probably still work.
strpos($name, "get") === 0 ? "GET" : "POST",
$name,
$url,
$params);
}
}
/// Provides access to a *local* D ApiProvider.
class LocalWebDotDProvider extends WebDotDApiProvider {
/// Provides access to a *local* D ApiProvider, authenticating via a session.
/// This just works on most web.d code.
class LocalWebDotApiDProvider extends WebDotDApiProvider {
/// Takes a WebDotDSession
public function __construct($session) {
public function __construct($endPoint, $session) {
parent::__construct($endPoint);
$this->session = $session;
}
protected $session;
protected function addCustomRequestData($apiRequest, &$args) {
// we have to add the CSRF token or web.d will likely reject our command
if($apiRequest->method != "POST")
return; // no need for csrf token
if(!isset($session->data["csrfToken"]))
return; // we don't have one
$decoded = array();
$csrfData = explode("&", $session->data["csrfToken"]);
foreach($csrfToken as $item) {
$info = split("=", $item);
$decoded[urldecode($info[0])] = urldecode($info[1]);
}
// add the token to the arguments
$args[$decoded["key"]] = $decoded["token"];
}
protected function addCustomCurlCode($ch, $apiRequest, $url, $postData) {
// we want to ask D to also use the same session we're looking at
// The full session ID tells it what to use, and the file hash proves
// to D that we already have access to it.
$magic = $this->session->sessionId . ";" . $this->session->fileHash;
if(strlen($magic) > 0)
curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Arsd-Session-Override: $magic"));
}
}
/// Provides access to a remote D ApiProvider, using OAuth authentication.
///
/// You'll almost certainly want to provide a subclass of this for actual use.
///
/// You'll also have to implement OAuth in your D code too (I'll post my library
/// to help with that to github once I clean it up for public use, and then
/// I'll see how much I can reasonably automate in web.d.)
class RemoteWebDotDApiProvider extends WebDotDApiProvider {
/// The first three of these are specific to the system you are accessing.
/// The apiKey and apiSecret are how you identify as a specific user.
public function __construct($endPoint, $accessToken, $tokenSecret, $apiKey, $apiSecret) {
parent::__construct($endPoint);
$this->accessToken = $accessToken;
$this->tokenSecret = $tokenSecret;
$this->apiKey = $apiKey;
$this->apiSecret = $apiSecret;
}
private $accessToken;
private $tokenSecret;
private $apiKey;
private $apiSecret;
protected function addCustomCurlCode($ch, $apiRequest, $url, $postData) {
$oauth = new ARSDOAuth;
$oauthHeader = $oauth->getRequestHeader(
$this->apiKey, $this->apiSecret,
$url,
$this->accessToken, $this->tokenSecret,
$postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, array($oauthHeader));
}
}
/* My implementation of OAuth 1 client requests, used for the remote authentication. A port from D. */
// Does custom sorting..
class ARSDPair {
public $name;
public $value;
public function __construct($k, $v) {
$this->name = $k;
$this->value = $v;
}
public function __toString() {
return urlencode($this->name) ."=" . urlencode($this->value);
}
static function opCmp($lhs, $rhs) {
$val = strcmp($lhs->name, $rhs->name);
if($val == 0)
$val = strcmp($lhs->value, $rhs->value);
return $val;
}
}
// Actually does the signing
class ARSDOAuth {
public function getRequestHeader($apiKey, $apiSecret, $url, $oauthToken, $oauthTokenSecret, $data) {
$oauthValues = Array();
$oauthValues["oauth_token"] = $oauthToken;
$oauthValues["token_secret"] = $oauthTokenSecret;
$oauthValues["oauth_consumer_key"] = $apiKey;
$oauthValues["oauth_nonce"] = rand() . time();
$oauthValues["oauth_signature_method"] = "HMAC-SHA1";
$oauthValues["oauth_timestamp"] = time();
$oauthValues["oauth_version"] = "1.0";
$signWith = urlencode($apiSecret) . "&" . $oauthTokenSecret;
$protocolHostAndPath = "";
$queryStringContents = "";
$questionMark = strpos($url, "?");
if($questionMark === FALSE)
$protocolHostAndPath = $url;
else {
$protocolHostAndPath = substr($url, 0, $questionMark);
$queryStringContents = substr($url, $questionMark + 1, strlen($url));
}
$sig = $this->getSignature(
strlen($data) > 0 ? "POST" : "GET",
$protocolHostAndPath,
$queryStringContents,
$oauthValues,
$data,
$signWith);
$oauthValues["oauth_signature"] = $sig;
$oauthHeader = "";
$outputted = false;
foreach($oauthValues as $k => $v) {
if($outputted)
$oauthHeader .= ",";
else
$outputted = true;
$oauthHeader .= $k . "=" . "\"" . $v . "\"";
}
return "Authorization: OAuth " . $oauthHeader;
}
// A port from D
public function getSignature (
$method,
$protocolHostAndPath,
$queryStringContents,
$authorizationHeaderContents,
$postBodyIfWwwEncoded,
$signWith)
{
$baseString = "";
$baseString .= $method;
$baseString .= "&";
$baseString .= urlencode($protocolHostAndPath);
$baseString .= "&";
$getArray = $this->decodeVariables($queryStringContents);
$postArray = $this->decodeVariables($postBodyIfWwwEncoded);
$pairs = Array(); // should hold Pairs
foreach($getArray as $k => $vals)
foreach($vals as $v)
$pairs[]= new ARSDPair($k, $v);
foreach($postArray as $k => $vals)
foreach($vals as $v)
$pairs[] = new ARSDPair($k, $v);
foreach($authorizationHeaderContents as $k => $v)
$pairs[] = new ARSDPair($k, $v);
$outputted = false;
$params = "";
usort($pairs, "ARSDPair::opCmp");
foreach($pairs as $pair) {
if($outputted)
$params.= "&";
else
$outputted = true;
$params .= $pair;
}
$baseString .= urlencode($params);
return urlencode(base64_encode(hash_hmac('sha1', $baseString, $signWith, TRUE)));
}
private function decodeVariables($str) {
if(strlen($str) == 0)
return array();
$ret = array();
$parts = explode("&", $str);
foreach($parts as $part) {
$kv = explode("=", $part);
$k = urldecode($kv[0]);
$v = "";
if(count($kv) > 1)
$v = urldecode($kv[1]);
if(!isset($ret[$k]))
$ret[$k] = array();
$ret[$k][] = $v;
}
return $ret;
}
}