230
|
1 package IMPL::Web::Handler::SecureCookie;
|
196
|
2 use strict;
|
|
3
|
230
|
4
|
196
|
5 use Digest::MD5 qw(md5_hex);
|
230
|
6 use IMPL::Const qw(:prop);
|
|
7 use IMPL::Security::Auth qw(:Const GenSSID);
|
|
8 use IMPL::declare {
|
|
9 require => {
|
|
10 SecurityContext => 'IMPL::Security::Context',
|
238
|
11 User => 'IMPL::Security::Principal',
|
230
|
12 AuthSimple => 'IMPL::Security::Auth::Simple',
|
231
|
13 Exception => 'IMPL::Exception',
|
|
14 OperationException => '-IMPL::InvalidOperationException',
|
|
15 HttpResponse => '-IMPL::Web::HttpResponse'
|
230
|
16 },
|
|
17 base => {
|
|
18 'IMPL::Object' => undef,
|
|
19 'IMPL::Object::Autofill' => '@_',
|
|
20 'IMPL::Object::Serializable' => undef
|
|
21 },
|
|
22 props => [
|
|
23 salt => PROP_RO,
|
238
|
24 _manager => PROP_RO,
|
230
|
25 _cookies => PROP_RW
|
|
26 ]
|
|
27 };
|
196
|
28
|
|
29 sub CTOR {
|
|
30 my ($this) = @_;
|
|
31
|
|
32 $this->salt('DeadBeef') unless $this->salt;
|
|
33 }
|
|
34
|
262
|
35 sub ValidateCookie {
|
|
36 my ($this,$sid,$cookie,$sign) = @_;
|
|
37
|
|
38 return 1 if $sid and $cookie and $sign and $sign eq md5_hex($this->salt,$sid,$cookie,$this->salt);
|
|
39
|
|
40 return 0;
|
|
41 }
|
|
42
|
230
|
43 sub Invoke {
|
196
|
44 my ($this,$action,$nextHandler) = @_;
|
|
45
|
230
|
46 return unless $nextHandler;
|
|
47
|
|
48 my $context;
|
238
|
49 $this->_manager($action->application->security);
|
196
|
50
|
230
|
51
|
|
52 my $sid = $action->cookie('sid',qr/(\w+)/);
|
|
53 my $cookie = $action->cookie('sdata',qr/(\w+)/);
|
239
|
54 my $sign = $action->cookie('sign',qw/(\w+)/);
|
196
|
55
|
262
|
56 if ( $this->ValidateCookie($sid,$cookie,$sign) ) {
|
230
|
57 # TODO: add a DefferedProxy to deffer a request to a data source
|
238
|
58 if ( $context = $this->_manager->GetSession($sid) ) {
|
230
|
59 if ( eval { $context->auth->isa(AuthSimple) } ) {
|
|
60 my ($result,$challenge) = $context->auth->DoAuth($cookie);
|
239
|
61
|
|
62 $context->authority($this);
|
|
63
|
230
|
64 if ($result == AUTH_FAIL) {
|
|
65 $context = undef;
|
|
66 }
|
239
|
67 } else {
|
|
68 undef $context;
|
196
|
69 }
|
|
70 }
|
230
|
71
|
196
|
72 }
|
230
|
73
|
231
|
74 $context ||= SecurityContext->new(principal => User->nobody, authority => $this);
|
230
|
75
|
238
|
76 my $httpResponse = $context->Impersonate($nextHandler,$action);
|
230
|
77
|
231
|
78 die OperationException->new("A HttpResponse instance is expected")
|
|
79 unless ref $httpResponse && eval { $httpResponse->isa(HttpResponse) };
|
230
|
80
|
231
|
81 return $this->WriteResponse($httpResponse);
|
230
|
82 }
|
|
83
|
231
|
84 sub InitSession {
|
239
|
85 my ($this,$user,$roles,$auth,$challenge) = @_;
|
230
|
86
|
254
|
87 my ($status,$answer);
|
|
88
|
|
89 if ($auth) {
|
|
90 ($status,$answer) = $auth->DoAuth($challenge);
|
|
91 } else {
|
|
92 $status = AUTH_SUCCESS;
|
|
93 }
|
239
|
94
|
|
95 die OperationException->new("This provider doesn't support multiround auth")
|
|
96 if ($status == AUTH_INCOMPLETE || $answer);
|
230
|
97
|
239
|
98 if ($status == AUTH_SUCCESS) {
|
|
99 my $sid = GenSSID();
|
|
100 my $cookie = GenSSID();
|
|
101
|
|
102 $this->_cookies({
|
|
103 sid => $sid,
|
|
104 sdata => $cookie
|
|
105 });
|
|
106
|
|
107 my $context = $this->_manager->CreateSession(
|
|
108 sessionId => $sid,
|
|
109 principal => $user,
|
|
110 auth => AuthSimple->Create(password => $cookie),
|
|
111 authority => $this,
|
|
112 rolesAssigned => $roles
|
|
113 );
|
|
114
|
|
115 $context->Apply();
|
|
116
|
|
117 }
|
|
118
|
|
119 return $status;
|
|
120 }
|
230
|
121
|
239
|
122 sub CloseSession {
|
|
123 my ($this) = @_;
|
|
124 if(my $session = SecurityContext->current) {
|
|
125 $this->_cookies({
|
|
126 sid => undef,
|
|
127 sdata => undef
|
|
128 })
|
|
129 }
|
196
|
130 }
|
|
131
|
|
132 sub WriteResponse {
|
230
|
133 my ($this,$response) = @_;
|
|
134
|
238
|
135 if (my $data = $this->_cookies) {
|
196
|
136
|
239
|
137 my $sign = $data->{sid} && md5_hex(
|
230
|
138 $this->salt,
|
|
139 $data->{sid},
|
|
140 $data->{sdata},
|
|
141 $this->salt
|
|
142 );
|
|
143
|
|
144 $response->cookies->{sid} = $data->{sid};
|
|
145 $response->cookies->{sdata} = $data->{sdata};
|
|
146 $response->cookies->{sign} = $sign;
|
|
147 }
|
231
|
148
|
|
149 return $response;
|
196
|
150 }
|
|
151
|
|
152 1;
|
|
153
|
|
154 __END__
|
|
155
|
|
156 =pod
|
|
157
|
|
158 =head1 NAME
|
|
159
|
230
|
160 C<IMPL::Web::Handler::SecureCookie>
|
196
|
161
|
|
162 =head1 DESCRIPTION
|
|
163
|
|
164 Возобновляет сессию пользователя на основе информации переданной через Cookie.
|
|
165
|
|
166 Использует механизм подписи информации для проверки верности входных данных перед
|
|
167 началом каких-либо действий.
|
|
168
|
|
169 Данный обработчик возвращает результат выполнения следдующего обработчика.
|
|
170
|
230
|
171
|
|
172
|
196
|
173 =head1 MEMBERS
|
|
174
|
231
|
175 =head2 C<[get,set] salt>
|
196
|
176
|
|
177 Скаляр, использующийся для подписи данных.
|
|
178
|
233
|
179
|
254
|
180 =head2 C<InitSession($user,$roles,$auth,$challenge)>
|
|
181
|
|
182 Инициирует сессию, поскольку данный модуль отвечает за взаимодействие с клиентом
|
|
183 при проверки аутентификации, ему передаются данные аутентификации для
|
|
184 продолжения обмена данными с клиентом. Если создается новая сессия, по
|
|
185 инициативе веб-приложения, то C<$auth> должно быть пусто.
|
196
|
186
|
|
187 =cut
|