Module: Ramaze::Helper::HttpDigest

Defined in:

lib/ramaze/helper/httpdigest.rb

Overview

Authorization using HTTP Digest.

For custom authorization failure handling add an #httpdigest_failure method in your controller.

Constant Summary

SESSION_NONCE =

'httpdigest_authentication_nonce'

SESSION_OPAQUE =

'httpdigest_authentication_opaque'

DIGEST_HEADER =

%|Digest realm="%s", qop="auth,auth-int", nonce="%s", opaque="%s"|

Instance Method Summary

• #httpdigest(uid, realm, &block) ⇒ Object
• #httpdigest_failure ⇒ Object
• #httpdigest_headers(uid, realm) ⇒ Object

  Set the WWW-Authenticate header and store relevant data in the session.

• #httpdigest_http_authorization(uid, realm) ⇒ Object
• #httpdigest_logout ⇒ Object

  Delete the nonce and opaque from session to log out.

• #httpdigest_lookup(username, realm) ⇒ Object
• #httpdigest_uuid ⇒ Object

Instance Method Details

#httpdigest(uid, realm, &block) ⇒ Object

# File 'lib/ramaze/helper/httpdigest.rb', line 66

def httpdigest(uid, realm, &block)
  session[SESSION_OPAQUE] ||= {}
  session[SESSION_OPAQUE][realm] ||= {}

  http_authorization = httpdigest_http_authorization(uid, realm)

  httpdigest_failure unless session_nonce = session[SESSION_NONCE]
  httpdigest_failure unless session_opaque = session[SESSION_OPAQUE][realm][uid]

  auth_type, auth_raw = http_authorization.split(' ', 2)
  httpdigest_failure unless auth_type == 'Digest'

  authorization = Rack::Auth::Digest::Params.parse(auth_raw)

  digest_response, username, nonce, nc, cnonce, qop, opaque =
    authorization.values_at(*%w[response username nonce nc cnonce qop opaque])

  httpdigest_failure unless nonce == session_nonce and opaque == session_opaque

  ha1 = httpdigest_lookup(username, realm, &block)
  a2 = [request.request_method,request.request_uri]
  a2 << Digest::MD5.hexdigest(request.body.read) if qop == "auth-int"
  ha2 = Digest::MD5.hexdigest( a2.join(':') )
  md5 = Digest::MD5.hexdigest([ha1, nonce, nc, cnonce, qop, ha2].join(':'))

  httpdigest_failure unless digest_response == md5

  return username
end

#httpdigest_failure ⇒ Object

# File 'lib/ramaze/helper/httpdigest.rb', line 41

def httpdigest_failure
  respond 'Unauthorized', 401
end

#httpdigest_headers(uid, realm) ⇒ Object

Set the WWW-Authenticate header and store relevant data in the session.

Parameters:

• uid (String)
• realm (String)

# File 'lib/ramaze/helper/httpdigest.rb', line 35

def httpdigest_headers(uid, realm)
  nonce = session[SESSION_NONCE] = httpdigest_uuid
  opaque = session[SESSION_OPAQUE][realm][uid] = httpdigest_uuid
  response['WWW-Authenticate'] = DIGEST_HEADER % [realm, nonce, opaque]
end

#httpdigest_http_authorization(uid, realm) ⇒ Object

# File 'lib/ramaze/helper/httpdigest.rb', line 45

def httpdigest_http_authorization(uid, realm)
  http_authorization = request.env['HTTP_AUTHORIZATION']
  return http_authorization if http_authorization

  httpdigest_headers(uid, realm)
  httpdigest_failure
end

#httpdigest_logout ⇒ Object

Delete the nonce and opaque from session to log out.

# File 'lib/ramaze/helper/httpdigest.rb', line 22

def httpdigest_logout
  session.delete(SESSION_NONCE)
  session.delete(SESSION_OPAQUE)
end

#httpdigest_lookup(username, realm) ⇒ Object

# File 'lib/ramaze/helper/httpdigest.rb', line 53

def httpdigest_lookup(username, realm)
  if block_given?
    yield(username)
  elsif respond_to?(:httpdigest_lookup_password)
    httpdigest_lookup_password(username)
  elsif respond_to?(:httpdigest_lookup_plaintext_password)
    plain = httpdigest_lookup_plaintext_password(username)
    Digest::MD5.hexdigest([username, realm, plain].join(':'))
  else
    raise "No password lookup handler found"
  end
end

#httpdigest_uuid ⇒ Object

# File 'lib/ramaze/helper/httpdigest.rb', line 27

def httpdigest_uuid
  ::SecureRandom.hex(32)
end