File Coverage

blib/lib/Connector/Builtin/Authentication/PasswordScheme.pm

Criterion	Covered	Total	%
statement	92	108	85.1
branch	25	34	73.5
condition	2	6	33.3
subroutine	12	13	92.3
pod	3	3	100.0
total	134	164	81.7

line	stmt	bran	cond	sub	pod	time	code
1							# Connector::Builtin::Authentication::PasswordScheme
2							#
3							# Check passwords against a file with salted hashes and scheme prefix
4							#
5							package Connector::Builtin::Authentication::PasswordScheme;
6
7	1			1		144042	use strict;
	1					11
	1					28
8	1			1		4	use warnings;
	1					2
	1					23
9	1			1		4	use English;
	1					2
	1					6
10	1			1		984	use Data::Dumper;
	1					6711
	1					98
11
12	1			1		506	use MIME::Base64;
	1					1764
	1					78
13	1			1		1006	use Digest::SHA;
	1					3647
	1					69
14	1			1		10	use Digest::MD5;
	1					2
	1					32
15
16	1			1		539	use Moose;
	1					428993
	1					7
17							extends 'Connector::Builtin';
18
19							sub _build_config {
20	0			0		0	my $self = shift;
21
22	0	0				0	if (! -r $self->{LOCATION}) {
23	0					0	confess("Cannot open input file " . $self->{LOCATION} . " for reading.");
24							}
25
26	0					0	return 1;
27							}
28
29							sub get {
30	10			10	1	27	my $self = shift;
31	10					17	my $arg = shift;
32	10					13	my $params = shift;
33
34	10					59	my @path = $self->_build_path( $arg );
35	10					16	my $user = shift @path;
36
37	10					19	my $password = $params->{password};
38
39
40	10	50				31	if (!$user) {
41	0					0	$self->log()->error('No username');
42	0					0	die "no username given";
43							}
44
45	10	100				22	if (!$password) {
46	1					21	$self->log()->error('No password');
47	1					20	die "no password given";
48							}
49
50
51	9					191	$self->log()->debug('verify password for ' . $user );
52
53	9	100				82	if ($user =~ /[^a-zA-Z0-9_\-\.\@]/) {
54	1					19	$self->log()->error('Invalid chars in username ('.$user.')');
55	1					8	return $self->_node_not_exists( $user );
56							}
57
58	8					17	my $filename = $self->{LOCATION};
59
60	8	50	33			488	if (! -r $filename \|\| ! open FILE, "$filename") {
61	0					0	$self->log()->error('Can\'t open/read from file ' . $filename);
62	0					0	die 'Can\'t open/read from file ' . $filename;
63							}
64
65	8					910	while (<FILE>) {
66	23	100				176	if (/^$user:/) {
67	6					15	chomp;
68	6					20	my @t = split(/:/, $_, 3);
69	6					165	$self->log()->trace('found line ' . Dumper @t);
70
71							# This code is mainly a copy of OpenXPKI::Server::Authentication::Password
72							# but we do not support unsalted passwords
73							# digest specified in RFC 2307 userPassword notation?
74	6					328	my $encrypted;
75							my $scheme;
76	6	50				30	if ($t[1] =~ m{ \{ (\w+) \} (.+) }xms) {
77	6					20	$scheme = lc($1);
78	6					12	$encrypted = $2;
79							} else {
80	0					0	$self->log()->error('unparsable entry ' . $t[1]);
81	0					0	return 0;
82							}
83
84	6					8	my ($computed_secret, $salt);
85	6					13	eval {
86	6	100				15	if ($scheme eq 'ssha') {
		100
		50
87	2					62	$salt = substr(decode_base64($encrypted), 20);
88	2					19	my $ctx = Digest::SHA->new();
89	2					44	$ctx->add($password);
90	2					7	$ctx->add($salt);
91	2					39	$computed_secret = encode_base64($ctx->digest() . $salt, '');
92							} elsif ($scheme eq 'smd5') {
93	1					4	$salt = substr(decode_base64($encrypted), 16);
94	1					8	my $ctx = Digest::MD5->new();
95	1					6	$ctx->add($password);
96	1					7	$ctx->add($salt);
97	1					10	$computed_secret = encode_base64($ctx->digest() . $salt, '');
98							} elsif ($scheme eq 'crypt') {
99	3					544	$computed_secret = crypt($password, $encrypted);
100							} else {
101	0					0	$self->log()->error('unsupported scheme' . $scheme);
102	0					0	return 0;
103							}
104							};
105
106	6	50				19	$self->log()->debug('eval failed ' . $EVAL_ERROR->message()) if ($EVAL_ERROR);
107
108	6	50				13	if (! defined $computed_secret) {
109	0					0	$self->log()->error('unable to compute secret using scheme ' . $scheme);
110	0					0	return 0;
111							}
112
113							##! 2: "ident user ::= $account and digest ::= $computed_secret"
114	6					16	$computed_secret =~ s{ =+ \z }{}xms;
115	6					11	$encrypted =~ s{ =+ \z }{}xms;
116
117							## compare passphrases
118	6	100				12	if ($computed_secret eq $encrypted) {
119	4					109	$self->log()->info('Password accepted for ' . $user);
120	4					55	return 1;
121							} else {
122	2					47	$self->log()->info('Password mismatch for ' . $user);
123	2					21	return 0;
124							}
125							}
126							}
127	2					31	return $self->_node_not_exists( $user );
128							}
129
130							sub get_meta {
131	2			2	1	281	my $self = shift;
132
133							# If we have no path, we tell the caller that we are a connector
134	2					9	my @path = $self->_build_path( shift );
135	2	100				7	if (scalar @path == 0) {
136	1					7	return { TYPE => "connector" };
137							}
138
139	1					6	return {TYPE => "scalar" };
140							}
141
142							sub exists {
143
144	4			4	1	8	my $self = shift;
145
146							# No path = connector root which always exists
147	4					10	my @path = $self->_build_path( shift );
148	4	100				13	if (scalar @path == 0) {
149	1					5	return 1;
150							}
151
152	3					5	my $user = shift @path;
153
154	3					6	my $filename = $self->{LOCATION};
155	3	50	33			252	if (! -r $filename \|\| ! open FILE, "$filename") {
156	0					0	$self->log()->error('Can\'t open/read from file ' . $filename);
157	0					0	return 0;
158							}
159
160	3					59	while (<FILE>) {
161	7	100				59	if (/^$user:/) {
162	2					22	return 1;
163							}
164							}
165	1					9	return 0;
166							}
167
168	1			1		7413	no Moose;
	1					2
	1					6
169							__PACKAGE__->meta->make_immutable;
170
171							1;
172							__END__
173
174							=head1 Name
175
176							Connector::Builtin::Authentication::PasswordScheme
177
178							=head1 Description
179
180							Lightweight connector to check passwords against a password file holding
181							username/password pairs where the password is encrypted using a salted hash.
182							Password notation follows RFC2307 ({scheme}saltedpassword) but we support
183							only salted schemes: smd5, ssha and crypt.
184
185							=head2 Usage
186
187							The username is the first component of the path, the password needs to be
188							passed in the extended parameters using the key password.
189
190							Example:
191
192							$connector->get('username', { password => 'mySecret' } );
193
194							=head2 Return values
195
196							1 if the password matches, 0 if the user is found but the password does not
197							match and undef if the user is not found.
198
199							The connector will die if the password file is not readable or if one of
200							the parameters is missing.
201
202							=head2 Limitations
203
204							Usernames are limited to [a-zA-Z0-9_\-\.], invalid names are treated as not
205							found.
206