# frozen_string_literal: false
#
# httpauth/htpasswd -- Apache compatible htpasswd file
#
# Author: IPR -- Internet Programming with Ruby -- writers
# Copyright (c) 2003 Internet Programming with Ruby writers. All rights
# reserved.
#
# $IPR: htpasswd.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
require_relative 'userdb'
require_relative 'basicauth'
require 'tempfile'
module WEBrick
module HTTPAuth
##
# Htpasswd accesses apache-compatible password files. Passwords are
# matched to a realm where they are valid. For security, the path for a
# password database should be stored outside of the paths available to the
# HTTP server.
#
# Htpasswd is intended for use with WEBrick::HTTPAuth::BasicAuth.
#
# To create an Htpasswd database with a single user:
#
# htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
# htpasswd.set_passwd 'my realm', 'username', 'password'
# htpasswd.flush
class Htpasswd
include UserDB
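##
# Open a password database at +path+.
#
# +password_hash+ selects the on-disk hash format: +nil+ (the default) or
# +:crypt+ for traditional 13-character crypt entries, +:bcrypt+ for
# bcrypt entries (the +bcrypt+ gem is required on demand). Any other
# value raises ArgumentError.
#
# A missing file is created empty before the first load. Because it will
# hold password hashes it is created readable and writable by the owner
# only instead of inheriting whatever the process umask allows; an
# existing file is left untouched.
def initialize(path, password_hash: nil)
  @path = path
  @mtime = Time.at(0)   # older than any real file, so the first reload always reads
  @passwd = {}
  @auth_type = BasicAuth
  @password_hash = password_hash

  case @password_hash
  when nil
    # begin
    #   require "string/crypt"
    # rescue LoadError
    #   warn("Unable to load string/crypt, proceeding with deprecated use of String#crypt, consider using password_hash: :bcrypt")
    # end
    @password_hash = :crypt
  when :crypt
    # require "string/crypt"
  when :bcrypt
    require "bcrypt"
  else
    raise ArgumentError, "only :crypt and :bcrypt are supported for password_hash keyword argument"
  end

  # Owner-only mode at creation time; umask can only remove bits from it.
  File.open(@path, "a", 0600) {} unless File.exist?(@path)
  reload
end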
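##
# Reload passwords from the database.
#
# The file is re-read only when its mtime is newer than the one recorded
# by the previous load (an older mtime, e.g. a restored backup, is not
# picked up). The in-memory table is cleared before parsing; if a line is
# rejected part-way through, only the entries before it remain and @mtime
# is left unchanged, so the next call re-reads the file.
#
# Each line must be <tt>user:hash</tt>. Raises StandardError when an entry
# is in the other supported format (crypt vs. bcrypt) or in no recognised
# format, and NotImplementedError for MD5 / SHA1 entries.
def reload
  mtime = File.mtime(@path)
  return unless mtime > @mtime

  @passwd.clear
  File.open(@path) do |io|
    io.each_line do |line|
      line.chomp!
      case line
      when %r!\A[^:]+:[a-zA-Z0-9./]{13}\z!
        if @password_hash == :bcrypt
          raise StandardError, ".htpasswd file contains crypt password, only bcrypt passwords supported"
        end
      when %r!\A[^:]+:\$2[aby]\$\d{2}\$.{53}\z!
        if @password_hash == :crypt
          raise StandardError, ".htpasswd file contains bcrypt password, only crypt passwords supported"
        end
      when /:\$/, /:{SHA}/
        raise NotImplementedError,
              'MD5, SHA1 .htpasswd file not supported'
      else
        raise StandardError, 'bad .htpasswd file'
      end
      # Split on the first colon only: the user part cannot contain one,
      # and a hash that does must be stored intact, not truncated.
      user, pass = line.split(":", 2)
      @passwd[user] = pass
    end
  end
  @mtime = mtime
end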
##
# Flush the password database. If +output+ is given the database will
# be written there instead of to the original path.
#
# Entries are written to a temporary file in the destination directory
# (Tempfile.create opens it with owner-only permissions) and moved into
# place with one rename, so a reader never sees a half-written file. The
# rename also replaces whatever mode an existing +output+ had. If anything
# fails before the rename the temporary file is removed.
def flush(output=nil)
  target = output || @path
  tmp = Tempfile.create("htpasswd", File.dirname(target))
  moved = false
  begin
    each { |user, pass| tmp.puts("#{user}:#{pass}") }
    tmp.close
    File.rename(tmp.path, target)
    moved = true
  ensure
    tmp.close unless tmp.closed?
    File.unlink(tmp.path) unless moved
  end
end
##
# Retrieves a password from the database for +user+ in +realm+. If
# +reload_db+ is true the database will be reloaded first.
#
# +realm+ is ignored: the file keeps a single entry per user. Returns
# +nil+ for an unknown user.
def get_passwd(realm, user, reload_db)
  reload if reload_db
  @passwd.fetch(user, nil)
end
##
# Sets a password in the database for +user+ in +realm+ to +pass+.
#
# With +password_hash: :bcrypt+ the stored value is a BCrypt::Password;
# otherwise it is whatever +make_passwd+ (not defined in this file)
# returns. The change is in-memory only until #flush is called.
def set_passwd(realm, user, pass)
  @passwd[user] =
    if @password_hash == :bcrypt
      # Cost of 5 to match Apache default, and because the
      # bcrypt default of 10 will introduce significant delays
      # for every request.
      BCrypt::Password.create(pass, cost: 5)
    else
      make_passwd(realm, user, pass)
    end
end
##
# Removes a password from the database for +user+ in +realm+.
#
# +realm+ is ignored. Returns the removed hash, or +nil+ when +user+ had
# no entry. The change is in-memory only until #flush is called.
def delete_passwd(realm, user)
  @passwd.delete(user) { |_missing| nil }
end
##
# Iterate passwords in the database.
#
# Yields one <tt>[user, password]</tt> pair per entry, ordered by user
# name, which keeps the output of #flush deterministic.
def each # :yields: [user, password]
  @passwd.sort_by { |user, _hash| user }.each { |entry| yield(entry) }
end
end
end
end