June 20, 2008

New UMN central auth perl module

I've started working on a set of new perl modules to replace UMNCookieAuth. I've broken the backend and cacheing section of the module away from the mod_perl section, so the backend should be usable from any perl application and does not have to be embedded in apache.

I'm also trying to be more proactive about writing tests for my code so you should be able to run "make test" and have it tell you something meaningful.

So far I've completed what I think should be a functional backend. The primary module is UMN::CAH::Client::Store.pm. Store uses Cache::FastMmap to cache authentication lookups and refers to UMN::CAH::Client::Store::AuthHub.pm to handle the actual connection to the central auth hub. Cache::FastMmap is supposed to be cross-platform compatible now, so in theory this module will run on Windows in addition to the various *nix (it was developed on Debian) without any modifications. Please let me know if this is not the case.

This is ALPHA software.

You can find downloads of UMN::CAH::Client::Store here: UMN-CAH-Client-Store. You should be able to run "perl Makefile.PL; make; make test; make install". Read on for the perldocs:

NAME

UMN::CAH::Client::Store - A cacheing proxy object for the U of MN's
Central Authentication service.

VERSION

This document describes UMN::CAH::Client::Store version 0.0.3

SYNOPSIS

 use UMN::CAH::Client::Store;

 my $authhub = UMN::CAH::Client::Store::AuthHub->new();
 my $cookie_ref = $authhub->get_and_verify( 'EncodedCookieToken',
                                            {
                                              ip => '127.0.0.1',
                                            } );

 if ( $cookie_ref->{status} eq 'OK' ) {
   print( "Authenticated as user $cookie_ref->{euid}");
 }
 else {
   my $redirect_url = $authhub->redir_url( 'https://some.host.umn.edu/', $cookie_ref );
 }

DESCRIPTION

UMN::CAH::Client::Store creates a cacheing proxy object to handle the
interface to the University of Minnesota's Central Authentication Hub.
This module uses Cache::FastMmap and Store::AuthHub to handle the
cacheing and the connection to the authentication server.

INTERFACE

new

$object = Store->new( %options )

Returns a new Store object. You may specify the following named options:

 server => x500 server DNS name or IP address (x500.umn.edu by default),
 port => the port number on which to contact the server (87 by default),
 modulename => x500 module name to use (WEBCOOKIE by default),

 login_url    => url to redirect users to for login (default: https://www.umn.edu/login),
 min_level    => minimum authentication level accepted (default: 30),
 timeout_len  => authentication timeout in seconds (default: 10800),
 rolling_timeout_len => timeout since last activity in seconds (default: 0),

 share_file     => this and the following are passed through to Cache::FastMmap,
 enable_stats   =>
 expire_time    =>
 cache_size     =>
 page_size      =>
 num_pages      =>
 unlink_on_exit =>

authhub

$object = $store->authhub()

Accessor for the underlying Store::Authhub object created by new().

cache

$object = $store->cache()

Accessor for the underlying Cache::FastMmap object created by new().

get

$hash_ref = $store->get( 'token' )

Searches for the encoded cookie token in the cache or from the x500
server and returns a reference to a hash of the parsed response along
with a couple of extensions.

The resulting hash will have the following values: 

status => "OK|NO", # from x500 
level => "5|10|20|30|40|50", # from x500 
timestamp => time, #from x500 
ip => "xx.xx.xx.xx", # from x500 
id => "userid", # from x500
token => "encrypted string" # set by Store::AuthHub 
lastactive => time, # set by Store::AuthHub, updated by Store 
euid => "userid", # set by Store::AuthHub, updated by Store

The values for status, level, timestamp, ip, and id will come directly
from the server response. Other values are extensions of this module:
  token: the original encoded token,
  lastactive: the current timestamp updated for every get(),
  euid: a duplicate of the id field (the effective id)

If the status field is "NO" then the other fields will be blank or
undefined.

The "lastactive" field is ONLY updated if the "rolling_timeout_len"
option was specified when the store was created.

getandverify

$hash_ref = $store->get_and_verify( 'token', {requirements} )

Used to get and decode the token as the get() method and to confirm that
the IP address, authentication level, timeout, and rolling timeout are
all valid.

The requirements argument is a hash reference with optional arguments as
follows: 

ip => 'xx.xx.xx.xx'
ids => [ array of acceptable user ids ]

The hash returned by get_and_verify() will be the same as returned by
get() except that the status field may have the alternate values below:
IP: an IP mismatch LV: the authentication level is below minimum level
(min_level) EX: timeout or rolling timeout has expired ID: the cookie
euid was not in the ids list (if ids list provided)

Empty or undefined requirements are ignored.

redir_url

$url_string = $store->redir_url( 'callback url', $hash_ref )

A convenience method to get the appropriate url redirection given a
hashed cookie from get_and_verify().

A blank or undef hash_ref or one with "OK" or "NO" status will result in
a simple url redirection, other status codes will result in the
appropriate params added to the url.

set_euid

$hash_ref = $store->set_euid( 'token', 'id' )

Used for setting the euid in the cache, a blank or undef id resets it to
the real user. The first argument can be either the token or the cookie
hash itself. On success returns the new cookie, on failure returns
undef.

DIAGNOSTICS

"Error: minimum authentication level must be at least 10"

    According to the CAH documentation, sites should not accept level 5
    authentication so trying to do so will throw an error.

"Error: No token."

    Calling get or get_and_verify without a token throws an error.

"Error: invalid id list"

    Results from attempting to pass something other than an array ref to
    the "ids" requirement in get_and_verify.

"Error: SSL communication failure: %s"

    An error occurred when trying to contact the designated x500 server
    via SSL.

"Error: invalid response from x500 server: %s"

    The response from the server did not fit the pattern expected.

CONFIGURATION AND ENVIRONMENT

UMN::CAH::Client::Store requires no configuration files or environment
variables.

The cache file will by default be stored in UMN_CAH_Client_Store in the
temporary directory. The module uses File::Spec to attempt to be
OS-neutral, but I've only tested it on Debian so far.

DEPENDENCIES

 UMN::CAH::Client::Store::AuthHub
 Cache::FastMmap
 File::Spec;
 Net::SSLeay
 URI::Escape;

INCOMPATIBILITIES

None reported.

BUGS AND LIMITATIONS

No bugs have been reported.

Please report any bugs or feature requests to the author.

AUTHOR

Steven Cayford "<cayfo001@umn.edu>"

LICENCE AND COPYRIGHT

Copyright (c) 2008, Steven Cayford "<cayfo001@umn.edu>". All rights
reserved.

This module is free software; you can redistribute it and/or modify it
under the same terms as Perl itself. See perlartistic.

DISCLAIMER OF WARRANTY

BECAUSE THIS SOFTWARE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH
YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
NECESSARY SERVICING, REPAIR, OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE SOFTWARE AS PERMITTED BY THE ABOVE LICENCE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Posted by cayfo001 at 4:43 PM

June 4, 2008

Obama rally lines

Emily and I spent an hour or so waiting in line to get into the Xcel center last night to see Barack Obama speak. Unfortunately we didn't get in. We heard there had been 40 - 50,000 people waiting and capacity was 18,500. Instead we went to Pazzaluna and watched the speech on live TV at the bar.

The number of people waiting to get in was really impressive. Here's a map of the line as of when we joined it. Google says this is about 1.3 miles long, but it seemed longer and had already been moving for a while before we got there.


View Larger Map

For comparison, here's the line we waited in for Obama's February 2 rally at the Target Center. I think the line last night was thicker, probably about 4 people wide as opposed to 2 people wide in February.


View Larger Map

Posted by cayfo001 at 1:30 PM