2012-04-29 10:35:59 +02:00
|
|
|
#!perl -w
|
2005-03-30 22:50:34 +02:00
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
auth_flat_file - simple CRAM MD5 auth plugin using a flat password file
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
in config/plugins:
|
|
|
|
|
|
|
|
|
|
auth/auth_flat_file
|
|
|
|
|
|
|
|
|
|
in config/flat_auth_pw
|
|
|
|
|
|
|
|
|
|
username1:password1
|
|
|
|
|
username2:password2
|
|
|
|
|
...
|
|
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
This plugin implements a very simple authentication plugin using a flat password
|
|
|
|
|
file containing username and password separated by colons.
|
|
|
|
|
|
|
|
|
|
Note that this plugin enforces the use of a full email address (including
|
|
|
|
|
@domain) as the username. There's no particular reason for this so feel free
|
|
|
|
|
to modify the code to suit your setup.
|
|
|
|
|
|
|
|
|
|
The password is stored on disk unencrypted, however authentication uses a HMAC
|
|
|
|
|
algorithm so no password is transfered in the clear.
|
|
|
|
|
|
|
|
|
|
=cut
|
|
|
|
|
|
|
|
|
|
use Digest::HMAC_MD5 qw(hmac_md5_hex);
|
|
|
|
|
|
|
|
|
|
sub register {
|
|
|
|
|
my ( $self, $qp ) = @_;
|
|
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
$self->register_hook('auth-plain', 'auth_flat_file');
|
|
|
|
|
$self->register_hook('auth-login', 'auth_flat_file');
|
|
|
|
|
$self->register_hook('auth-cram-md5', 'auth_flat_file');
|
2005-03-30 22:50:34 +02:00
|
|
|
}
|
|
|
|
|
|
2010-05-11 07:16:54 +02:00
|
|
|
sub auth_flat_file {
|
2005-03-30 22:50:34 +02:00
|
|
|
my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) =
|
|
|
|
|
@_;
|
|
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
if ( ! defined $passClear && ! defined $passHash ) {
|
|
|
|
|
return ( DENY, "authflat - missing password" );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my ( $pw_name, $pw_domain ) = split '@', lc($user);
|
2005-03-30 22:50:34 +02:00
|
|
|
|
|
|
|
|
unless ( defined $pw_domain ) {
|
|
|
|
|
return DECLINED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my ($auth_line) = grep {/^$pw_name\@$pw_domain:/} $self->qp->config('flat_auth_pw');
|
|
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
if ( ! defined $auth_line) {
|
|
|
|
|
$self->log(LOGINFO, "User not found: $pw_name\@$pw_domain");
|
2005-03-30 22:50:34 +02:00
|
|
|
return DECLINED;
|
|
|
|
|
}
|
|
|
|
|
|
2012-05-04 21:20:48 +02:00
|
|
|
$self->log(LOGINFO, "Authentication for: $pw_name\@$pw_domain");
|
|
|
|
|
|
2005-03-30 22:50:34 +02:00
|
|
|
my ($auth_user, $auth_pass) = split(/:/, $auth_line, 2);
|
|
|
|
|
|
|
|
|
|
# at this point we can assume the user name matched
|
2012-05-04 21:20:48 +02:00
|
|
|
if ( defined $passClear && $auth_pass eq $passClear ) {
|
|
|
|
|
return ( OK, "authflat" );
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if ( defined $passHash && $passHash eq hmac_md5_hex($ticket, $auth_pass) ) {
|
|
|
|
|
return ( OK, "authflat" );
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
return ( DENY, "authflat - wrong password" );
|
2005-03-30 22:50:34 +02:00
|
|
|
}
|
|
|
|
|
|
