1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

* lib/webrick: Add documentation for WEBrick::HTTPAuth

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31505 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
drbrain 2011-05-10 23:37:43 +00:00
parent 6626b0a2c5
commit 8c2a52937f
10 changed files with 285 additions and 17 deletions

View file

@ -1,3 +1,7 @@
Wed May 11 08:36:38 2011 Eric Hodel <drbrain@segment7.net>
* lib/webrick: Add documentation for WEBrick::HTTPAuth
Wed May 11 03:06:35 2011 Eric Hodel <drbrain@segment7.net>
* lib/rss.rb: Add documentation for RSS. Patch by Steve Klabnik.

View file

@ -133,6 +133,12 @@
# +:ProxyContentHandler+ callback which will be invoked with the request and
# respone after the remote content has been fetched.
#
# == Basic and Digest authentication
#
# WEBrick provides both Basic and Digest authentication for regular and proxy
# servers. See WEBrick::HTTPAuth, WEBrick::HTTPAuth::BasicAuth and
# WEBrick::HTTPAuth::DigestAuth.
#
# == WEBrick as a Production Web Server
#
# WEBrick can be run as a production server for small loads.

View file

@ -15,10 +15,46 @@ require 'webrick/httpauth/htdigest'
require 'webrick/httpauth/htgroup'
module WEBrick
##
# HTTPAuth provides both basic and digest authentication.
#
# To enable authentication for requests in WEBrick you will need a user
# database and an authenticator. To start, here's an Htpasswd database for
# use with a DigestAuth authenticator:
#
# config = { :Realm => 'DigestAuth example realm' }
#
# htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
# htpasswd.auth_type = WEBrick::HTTPAuth::DigestAuth
# htpasswd.set_passwd config[:Realm], 'username', 'password'
# htpasswd.flush
#
# The +:Realm+ is used to provide different access to different groups
# across several resources on a server. Typically you'll need only one
# realm for a server.
#
# This database can be used to create an authenticator:
#
# config[:UserDB] = htpasswd
#
# digest_auth = WEBrick::HTTPAuth::DigestAuth.new config
#
# To authenticate a request call #authenticate with a request and response
# object in a servlet:
#
# def do_GET req, res
# @authenticator.authenticate req, res
# end
#
# For digest authentication the authenticator must not be created every
# request, it must be passed in as an option via WEBrick::HTTPServer#mount.
module HTTPAuth
module_function
def _basic_auth(req, res, realm, req_field, res_field, err_type, block)
def _basic_auth(req, res, realm, req_field, res_field, err_type,
block) # :nodoc:
user = pass = nil
if /^Basic\s+(.*)/o =~ req[req_field]
userpass = $1
@ -32,12 +68,26 @@ module WEBrick
raise err_type
end
def basic_auth(req, res, realm, &block)
##
# Simple wrapper for providing basic authentication for a request. When
# called with a request +req+, response +res+, authentication +realm+ and
# +block+ the block will be called with a +username+ and +password+. If
# the block returns true the request is allowed to continue, otherwise an
# HTTPStatus::Unauthorized error is raised.
def basic_auth(req, res, realm, &block) # :yield: username, password
_basic_auth(req, res, realm, "Authorization", "WWW-Authenticate",
HTTPStatus::Unauthorized, block)
end
def proxy_basic_auth(req, res, realm, &block)
##
# Simple wrapper for providing basic authentication for a proxied request.
# When called with a request +req+, response +res+, authentication +realm+
# and +block+ the block will be called with a +username+ and +password+.
# If the block returns true the request is allowed to continue, otherwise
# an HTTPStatus::ProxyAuthenticationRequired error is raised.
def proxy_basic_auth(req, res, realm, &block) # :yield: username, password
_basic_auth(req, res, realm, "Proxy-Authorization", "Proxy-Authenticate",
HTTPStatus::ProxyAuthenticationRequired, block)
end

View file

@ -9,17 +9,43 @@
module WEBrick
module HTTPAuth
##
# Module providing generic support for both Digest and Basic
# authentication schemes.
module Authenticator
RequestField = "Authorization"
ResponseField = "WWW-Authenticate"
ResponseInfoField = "Authentication-Info"
AuthException = HTTPStatus::Unauthorized
AuthScheme = nil # must override by the derived class
attr_reader :realm, :userdb, :logger
##
# Method of authentication, must be overriden by the including class
AuthScheme = nil
##
# The realm this authenticator covers
attr_reader :realm
##
# The user database for this authenticator
attr_reader :userdb
##
# The logger for this authenticator
attr_reader :logger
private
##
# Initializes the authenticator from +config+
def check_init(config)
[:UserDB, :Realm].each{|sym|
unless config[sym]
@ -37,6 +63,9 @@ module WEBrick
@auth_scheme = self::class::AuthScheme
end
##
# Ensures +req+ has credentials that can be authenticated.
def check_scheme(req)
unless credentials = req[@request_field]
error("no credentials in the request.")
@ -69,6 +98,10 @@ module WEBrick
end
end
##
# Module providing generic support for both Digest and Basic
# authentication schemes for proxies.
module ProxyAuthenticator
RequestField = "Proxy-Authorization"
ResponseField = "Proxy-Authenticate"

View file

@ -13,11 +13,32 @@ require 'webrick/httpauth/authenticator'
module WEBrick
module HTTPAuth
##
# Basic Authentication for WEBrick
#
# Use this class to add basic authentication to a WEBrick servlet.
#
# Here is an example of how to set up a BasicAuth:
#
# config = { :Realm => 'BasicAuth example realm' }
#
# htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
# htpasswd.set_passwd config[:Realm], 'username', 'password'
# htpasswd.flush
#
# config[:UserDB] = htpasswd
#
# basic_auth = WEBrick::HTTPAuth::BasicAuth.new config
class BasicAuth
include Authenticator
AuthScheme = "Basic"
##
# Used by UserDB to create a basic password entry
def self.make_passwd(realm, user, pass)
pass ||= ""
pass.crypt(Utils::random_string(2))
@ -25,11 +46,26 @@ module WEBrick
attr_reader :realm, :userdb, :logger
##
# Creates a new BasicAuth instance.
#
# See WEBrick::Config::BasicAuth for default configuration entries
#
# You must supply the following configuration entries:
#
# :Realm:: The name of the realm being protected.
# :UserDB:: A database of usernames and passwords.
# A WEBrick::HTTPAuth::Htpasswd instance should be used.
def initialize(config, default=Config::BasicAuth)
check_init(config)
@config = default.dup.update(config)
end
##
# Authenticates a +req+ and returns a 401 Unauthorized using +res+ if
# the authentication was not correct.
def authenticate(req, res)
unless basic_credentials = check_scheme(req)
challenge(req, res)
@ -52,12 +88,19 @@ module WEBrick
req.user = userid
end
##
# Returns a challenge response which asks for for authentication
# information
def challenge(req, res)
res[@response_field] = "#{@auth_scheme} realm=\"#{@realm}\""
raise @auth_exception
end
end
##
# Basic authentication for proxy servers. See BasicAuth for details.
class ProxyBasicAuth < BasicAuth
include ProxyAuthenticator
end

View file

@ -29,12 +29,11 @@ module WEBrick
#
# config = { :Realm => 'DigestAuth example realm' }
#
# htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
# htpasswd.auth_type = WEBrick::HTTPAuth::DigestAuth
# htpasswd.set_passwd config[:Realm], 'username', 'password'
# htpasswd.flush
# htdigest = WEBrick::HTTPAuth::Htdigest.new 'my_password_file'
# htdigest.set_passwd config[:Realm], 'username', 'password'
# htdigest.flush
#
# config[:UserDB] = htpasswd
# config[:UserDB] = htdigest
#
# digest_auth = WEBrick::HTTPAuth::DigestAuth.new config
#
@ -51,7 +50,7 @@ module WEBrick
attr_reader :algorithm, :qop
##
# Used by UserDB to create a password entry
# Used by UserDB to create a digest password entry
def self.make_passwd(realm, user, pass)
pass ||= ""
@ -68,8 +67,8 @@ module WEBrick
# You must supply the following configuration entries:
#
# :Realm:: The name of the realm being protected.
# :UserDB:: A database of usernames and passwords. See Htpasswd,
# Htdigest, Htgroup
# :UserDB:: A database of usernames and passwords.
# A WEBrick::HTTPAuth::Htdigest instance should be used.
def initialize(config, default=Config::DigestAuth)
check_init(config)
@ -381,6 +380,9 @@ module WEBrick
end
##
# Digest authentication for proxy servers. See DigestAuth for details.
class ProxyDigestAuth < DigestAuth
include ProxyAuthenticator

View file

@ -13,9 +13,26 @@ require 'tempfile'
module WEBrick
module HTTPAuth
##
# Htdigest accesses apache-compatible digest password files. Passwords are
# matched to a realm where they are valid. For security, the path for a
# digest password database should be stored outside of the paths available
# to the HTTP server.
#
# Htdigest is intended for use with WEBrick::HTTPAuth::DigestAuth and
# stores passwords using cryptographic hashes.
#
# htpasswd = WEBrick::HTTPAuth::Htdigest.new 'my_password_file'
# htpasswd.set_passwd 'my realm', 'username', 'password'
# htpasswd.flush
class Htdigest
include UserDB
##
# Open a digest password database at +path+
def initialize(path)
@path = path
@mtime = Time.at(0)
@ -26,6 +43,9 @@ module WEBrick
reload
end
##
# Reloads passwords from the database
def reload
mtime = File::mtime(@path)
if mtime > @mtime
@ -44,6 +64,10 @@ module WEBrick
end
end
##
# Flush the password database. If +output+ is given the database will
# be written there instead of to the original path.
def flush(output=nil)
output ||= @path
tmp = Tempfile.new("htpasswd", File::dirname(output))
@ -56,6 +80,10 @@ module WEBrick
end
end
##
# Retrieves a password from the database for +user+ in +realm+. If
# +reload_db+ is true the database will be reloaded first.
def get_passwd(realm, user, reload_db)
reload() if reload_db
if hash = @digest[realm]
@ -63,6 +91,9 @@ module WEBrick
end
end
##
# Sets a password in the database for +user+ in +realm+ to +pass+.
def set_passwd(realm, user, pass)
@mutex.synchronize{
unless @digest[realm]
@ -72,13 +103,19 @@ module WEBrick
}
end
##
# Removes a password from the database for +user+ in +realm+.
def delete_passwd(realm, user)
if hash = @digest[realm]
hash.delete(user)
end
end
def each
##
# Iterate passwords in the database.
def each # :yields: [user, realm, password_hash]
@digest.keys.sort.each{|realm|
hash = @digest[realm]
hash.keys.sort.each{|user|

View file

@ -11,7 +11,26 @@ require 'tempfile'
module WEBrick
module HTTPAuth
##
# Htgroup accesses apache-compatible group files. Htgroup can be used to
# provide group-based authentication for users. Currently Htgroup is not
# directly integrated with any authenticators in WEBrick. For security,
# the path for a digest password database should be stored outside of the
# paths available to the HTTP server.
#
# Example:
#
# htgroup = WEBrick::HTTPAuth::Htgroup.new 'my_group_file'
# htgroup.add 'superheroes', %w[spiderman batman]
#
# htgroup.members('superheroes').include? 'magneto' # => false
class Htgroup
##
# Open a group database at +path+
def initialize(path)
@path = path
@mtime = Time.at(0)
@ -20,6 +39,9 @@ module WEBrick
reload
end
##
# Reload groups from the database
def reload
if (mtime = File::mtime(@path)) > @mtime
@group.clear
@ -34,6 +56,10 @@ module WEBrick
end
end
##
# Flush the group database. If +output+ is given the database will be
# written there instead of to the original path.
def flush(output=nil)
output ||= @path
tmp = Tempfile.new("htgroup", File::dirname(output))
@ -48,11 +74,17 @@ module WEBrick
end
end
##
# Retrieve the list of members from +group+
def members(group)
reload
@group[group] || []
end
##
# Add an Array of +members+ to +group+
def add(group, members)
@group[group] = members(group) | members
end

View file

@ -13,9 +13,27 @@ require 'tempfile'
module WEBrick
module HTTPAuth
##
# Htpasswd accesses apache-compatible password files. Passwords are
# matched to a realm where they are valid. For security, the path for a
# password database should be stored outside of the paths available to the
# HTTP server.
#
# Htpasswd is intended for use with WEBrick::HTTPAuth::BasicAuth.
#
# To create an Htpasswd database with a single user:
#
# htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
# htpasswd.set_passwd 'my realm', 'username', 'password'
# htpasswd.flush
class Htpasswd
include UserDB
##
# Open a password database at +path+
def initialize(path)
@path = path
@mtime = Time.at(0)
@ -25,6 +43,9 @@ module WEBrick
reload
end
##
# Reload passwords from the database
def reload
mtime = File::mtime(@path)
if mtime > @mtime
@ -48,6 +69,10 @@ module WEBrick
end
end
##
# Flush the password database. If +output+ is given the database will
# be written there instead of to the original path.
def flush(output=nil)
output ||= @path
tmp = Tempfile.new("htpasswd", File::dirname(output))
@ -60,20 +85,33 @@ module WEBrick
end
end
##
# Retrieves a password from the database for +user+ in +realm+. If
# +reload_db+ is true the database will be reloaded first.
def get_passwd(realm, user, reload_db)
reload() if reload_db
@passwd[user]
end
##
# Sets a password in the database for +user+ in +realm+ to +pass+.
def set_passwd(realm, user, pass)
@passwd[user] = make_passwd(realm, user, pass)
end
##
# Removes a password from the database for +user+ in +realm+.
def delete_passwd(realm, user)
@passwd.delete(user)
end
def each
##
# Iterate passwords in the database.
def each # :yields: [user, password]
@passwd.keys.sort.each{|user|
yield([user, @passwd[user]])
}

View file

@ -9,19 +9,42 @@
module WEBrick
module HTTPAuth
##
# User database mixin for HTTPAuth. This mixin dispatches user record
# access to the underlying auth_type for this database.
module UserDB
attr_accessor :auth_type # BasicAuth or DigestAuth
##
# The authentication type.
#
# WEBrick::HTTPAuth::BasicAuth or WEBrick::HTTPAuth::DigestAuth are
# built-in.
attr_accessor :auth_type
##
# Creates an obscured password in +realm+ with +user+ and +password+
# using the auth_type of this database.
def make_passwd(realm, user, pass)
@auth_type::make_passwd(realm, user, pass)
end
##
# Sets a password in +realm+ with +user+ and +password+ for the
# auth_type of this database.
def set_passwd(realm, user, pass)
self[user] = pass
end
##
# Retrieves a password in +realm+ for +user+ for the auth_type of this
# database. +reload_db+ is a dummy value.
def get_passwd(realm, user, reload_db=false)
# reload_db is dummy
make_passwd(realm, user, self[user])
end
end