This file is indexed.

/usr/share/perl5/User/Simple/Admin.pm is in libuser-simple-perl 1.45-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
use warnings;
use strict;

package User::Simple::Admin;

=encoding UTF-8

=head1 NAME

User::Simple::Admin - User::Simple user administration

=head1 SYNOPSIS

  $ua = User::Simple::Admin->new($db, $user_table);

  $ua = User::Simple::Admin->create_rdbms_db_structure($db, $user_table,
      [$extra_sql]);
  $ua = User::Simple::Admin->create_plain_db_structure($db, $user_table,
      [$extra_sql]);
  $ok = User::Simple::Admin->has_db_structure($db, $user_table);

  %users = $ua->dump_users;

  $id = $ua->id($login);
  $login = $ua->login($id);

  $otherattrib = $user->otherattrib($id);

  $ok = $usr->set_login($id, $login);
  $ok = $usr->set_passwd($id, $passwd);
  $ok = $usr->set_otherattrib($id, $value);
  $ok = $usr->clear_session($id);

  $id = $ua->new_user(login => $login, passwd => $passwd, 
        [otherattribute => $otherattribute]);

  $ok = $ua->remove_user($id);

=head1 DESCRIPTION

User::Simple::Admin manages the administrative part of the User::Simple
modules - Please check L<User::Simple> for a general overview of these modules
and an explanation on what-goes-where.

User::Simple::Admin works as a regular administrator would: The module should
be instantiated only once for all of your users' administration, if possible,
and not instantiated once for each user (in contraposition to L<User::Simple>,
as it works from each of the users' perspective in independent instantiations).

Note also that User::Simple::Admin does b<not> perform the administrative user
checks - It is meant to be integrated to your system, and it is your system 
which should carry out all of the needed authentication checks.

=head2 CONSTRUCTOR

Administrative actions for User::Simple modules are handled through this
Admin object. To instantiate it:

  $ua = User::Simple::Admin->new($db, $user_table);

$db is an open connection to the database where the user data is stored.

$user_table is the name of the table that holds the users' data.

If we do not yet have the needed DB structure to store the user information,
we can use this class method as a constructor as well:

  $ua = User::Simple::Admin->create_rdbms_db_structure($db, $user_table,
      [$extra_sql]);

  $ua = User::Simple::Admin->create_plain_db_structure($db, $user_table,
      [$extra_sql]);

The first one should be used if your DBI handle ($db) points to a real RDBMS,
such as PostgreSQL or MySQL. In case you are using a file-based DBD (such as
DBD::XBase, DBD::DBM, DBD::CVS or any other which does not use a real RDBMS
for storage), use C<User::Simple::Admin-E<gt>create_plain_db_structure>
instead. What is the difference? In the first case, we will create a table
that has internal consistency checks - Some fields are declared NOT NULL, some
fields are declared UNIQUE, and the user ID is used as a PRIMARY KEY. This 
cannot, of course, be achieved using file-based structures, so the integrity
can only be maintained from within our scripts.

This module does not provide the functionality to modify the created tables
by adding columns to it, although methods do exist to access and modify the
values stored in those columns (see the L<CREATING, QUERYING AND MODIFYING
USERS> section below), as many DBDs do not implement the ALTER TABLE SQL 
commands. It does, however, allow you to specify extra fields in the tables at
creation time - If you specify a third extra parameter, it will be included as 
part of the table creation - i.e., you can create a User::Simple table with
fields for the user's first and family names and a UNIQUE constraint over
them this way:

  $ua = User::Simple::Admin->create_rdbms_db_structure($db, $user_table,
      'firstname varchar(30) NOT NULL, famname varchar(30) NOT NULL,
       UNIQUE (firstname,famname)');

Keep in mind that the internal fields are C<id>, C<login>, C<passwd>, 
C<session> and C<session_exp>. Don't mess with them ;-) Avoid adding any fields
starting with C<set_> or called as any method defined here, as they will 
become unreachable. And, of course, keep in mind what SQL construct does your 
DBD support.

If you add any fields with names starting with C<adm_>, they will be visible 
but not modifiable from within L<User::Simple> - You will only be able to
modify them from L<User::Simple::Admin>.

=head2 QUERYING FOR DATABASE READINESS

In order to check if the database is ready to be used by this module with the
specified table name, use the C<has_db_structure> class method:

  $ok = User::Simple::Admin->has_db_structure($db, $user_table);  

=head2 RETRIEVING THE SET OF USERS

  %users = $ua->dump_users;

Will return a hash with the data regarding the registered users with all of the
existing DB fields, in the following form:

  ( $id1 => { login=>$login1, firstname=>$firstname1, famname=>$famname1 },
    $id2 => { login=>$login2, firstname=>$firstname2, famname=>$famname2 },
    (...) )

Of course, with the appropriate attributes. The internal attributes C<id>, 
C<session> and C<session_exp> will not be included in the resulting hashes (you
have the C<id> as the hash keys).

=head2 CREATING, QUERYING AND MODIFYING USERS

  $id = $ua->new_user(login => $login, passwd => $passwd, 
        [otherattribute => $otherattribute]);

Creates a new user with the specified data. Returns the new user's ID. Only
the login is mandatory (as it uniquely identifies the user), unless you have
specified extra NOT NULL fields or constraints in the DB. If no password is 
supplied, the account will be created, but no login will be allowed until one 
is supplied.

  $ok = $ua->remove_user($id);

Removes the user specified by the ID.

  $id = $ua->id($login);
  $login = $ua->login($id);

  $otherattrib = $user->otherattrib($id);

Get the value of each of the mentioned attributes. Note that in order to get
the ID you can supply the login, every other method answers only to the ID. In
case you have the login and want to get the firstname, you can use 
C<$ua->firstname($ua->id($login));>

Of course, beware: if you request for a field which does not exist in your
table, User::Simple will raise an  error and die just as if an unknown method 
had been called.

  $ok = $usr->set_login($id, $login);
  $ok = $usr->set_passwd($id, $passwd);

Modifies the requested attribute of the specified user, setting it to the new 
value. Except for the login, they can all be set to null values - If the 
password is set to a null or empty value, the account will be locked (that is, 
no password will be accepted). The internal attributes C<id>, C<session> and 
C<session_exp> cannot be directly modified (you have the C<id> as the hash 
keys).

Just as with the accessors, if you have extra columns, you can modify them the
same way:

  $ok = $usr->set_otherattrib($id, $value);

i.e.

  $ok = $usr->set_name($id, $name);

=head2 SESSIONS

  $ok = $usr->clear_session($id);

Removes the session which the current user had open, if any.

Note that you cannot create a new session through this module - The only way of
creating a session is through the C<ck_login> method of L<User::Simple>.

=head1 DEPENDS ON

L<Digest::MD5>

=head1 SEE ALSO

L<User::Simple> for the regular user authentication routines (that is, to
use the functionality this module adimisters)

=head1 AUTHOR

Gunnar Wolf <gwolf@gwolf.org>

=head1 COPYRIGHT

Copyright 2005-2009 Gunnar Wolf / Instituto de Investigaciones
Económicas UNAM 

This module is Free Software; it can be redistributed under the same
terms as Perl.

=cut

use Carp;
use Digest::MD5 qw(md5_hex);
use UNIVERSAL qw(isa);
our $AUTOLOAD;

######################################################################
# Constructor/destructor

sub new {
    my ($self, $class, $db, $table);
    $class = shift;
    $db = shift;
    $table = shift;

    # Verify we got the right arguments
    unless (isa($db, 'DBI::db')) {
	carp "First argument must be a DBI connection";
	return undef;
    }

    # In order to check if the table exists, check if it consists only of
    # valid characters and query for a random user
    unless ($table =~ /^[\w\_]+$/) {
	carp "Invalid table name $table";
	return undef;
    }
    unless ($class->has_db_structure($db, $table)) {
	carp "Table $table does not exist or has wrong structure";
	carp "Use $class->create_db_structure first.";
	return undef;
    }

    $self = { db => $db, tbl => $table };

    bless $self, $class;
    return $self;
}

# As we are using autoload, better explicitly leave this as an empty sub
sub DESTROY {}

######################################################################
# Creating the needed structure

sub create_rdbms_db_structure {
    my ($class, $db, $table, $extra_sql, $sql, $sth);
    $class = shift;
    $db = shift;
    $table = shift;
    $extra_sql = shift || ''; # Avoid warnings on undef

    # Remember some DBD backends don't implement 'serial' - Use 'integer' and
    # some logic on our side instead
    $sql = sprintf('CREATE TABLE %s (
            id serial PRIMARY KEY, 
            login varchar(100) NOT NULL UNIQUE,
            passwd char(32),
            session char(32) UNIQUE,
            session_exp varchar(20)
            %s)', $table, $extra_sql ? ", $extra_sql" : '');

    unless ($sth = $db->prepare($sql) and $sth->execute) {
	carp "Could not create database structure using table $table";
	return undef;
    }

    return $class->new($db, $table);
}

sub create_plain_db_structure {
    my ($class, $db, $table, $extra_sql, $sql, $sth);
    $class = shift;
    $db = shift;
    $table = shift;
    $extra_sql = shift || ''; # Avoid warnings on undef

    # Remember some DBD backends don't implement 'serial' - Use 'integer' and
    # some logic on our side instead
    $sql = sprintf('CREATE TABLE %s (
            id integer, 
            login varchar(100),
            passwd char(32),
            session char(32),
            session_exp varchar(20)
            %s)', $table, $extra_sql  ? ", $extra_sql" : '');

    unless ($sth = $db->prepare($sql) and $sth->execute) {
	carp "Could not create database structure using table $table";
	return undef;
    }

    return $class->new($db, $table);
}

sub has_db_structure {
    my ($class, $db, $table, $sth);
    $class = shift;
    $db = shift;
    $table = shift;

    # We check for the DB structure by querying for any given row. 
    # Yes, this method can fail if the needed fields exist but have the wrong
    # data, if the ID is not linked to a trigger and a sequence, and so on...
    # But usually, this check will be enough just to determine if we have the
    # structure ready.
    return 1 if ($sth=$db->prepare("SELECT id, login, passwd, session, 
        session_exp FROM $table") and $sth->execute);
    return 0;
}

######################################################################
# Retrieving information

sub dump_users { 
    my ($self, $order, $sth, %users);
    $self = shift;

    unless ($sth = $self->{db}->prepare("SELECT * FROM $self->{tbl}") 
	    and $sth->execute) {
	carp 'Could not query for the user list';
	return undef;
    }
    $sth->execute;


    # Keep to myself the internal fields, translate the fieldnames to lowercase
    while (my $row = $sth->fetchrow_hashref) {
	for my $in_field (keys %$row) {
	    my ($id);
	    # Some DBDs are case-insensitive towards Perl (we can query/modify 
	    # the columns case-insensitively), but internally are case
	    # sensitive. Gah, we work around that to provide the much more 
	    # common lowercase fields... This might still have some problems
	    # attached, please tell me if it breaks for you.
	    for my $case (qw(id ID Id iD)) {
		if (exists $row->{$case}) {
		    $id = $row->{$case};
		    last;
		}
	    }
	    carp "Did not find an ID field - Cannot continue" unless $id;
	    my $out_field = lc($in_field);
	    next if $out_field =~ /^(?:id|session|session_exp)$/;

	    $users{$id}{$out_field} = $row->{$in_field};
	}
    }
    return %users;
}

sub id { 
    my ($self, $login, $sth, $id);
    $self = shift;
    $login = shift;

    $sth = $self->{db}->prepare("SELECT id FROM $self->{tbl} WHERE login = ?");
    $sth->execute($login);

    ($id) = $sth->fetchrow_array;

    return $id;
}

sub login {
    my ($self, $id);
    $self = shift;
    $id = shift;
    return undef unless $id;
    return $self->_get_field($id, 'login'); 
}

######################################################################
# Modifying information

# We need only the mutators for the special case fields - Handle everything
# else via AUTOLOAD
sub set_login { 
    my ($self, $id, $new, $sth, $ret, $used);
    $self = shift;
    $id = shift;
    $new = shift;

    return undef unless $id;

    # Setting the login to the current login? Noop doomed to fail, make it look
    # as a success
    $used = $self->id($new);
    return 1 if $used and $used == $self->id($self->login($id));

    if ($used) {
	carp "The requested login is already used (ID $used).";
	return undef;
    }

    return $self->_set_field($id, 'login', $new);
}

sub set_passwd { 
    my ($self, $id, $new, $crypted, $sth);
    $self = shift;
    $id = shift;
    $new = shift;
    return undef unless $id;

    # No password was supplied? Prevent anybody from logging in with a blank
    # password (nothing will get a MD5 equal to this string).
    if ($new) {
	$crypted = md5_hex($new, $id);
    } else {
	$crypted = '-!- Disabled -!-';
    }

    return $self->_set_field($id, 'passwd', $crypted);
}

sub clear_session {
    my ($self, $id);
    $self = shift;
    $id = shift;
    return undef unless $id;
    return ($self->_set_field($id,'session','') && 
	    $self->_set_field($id, 'sesson_exp', ''));
}

# Other attributes will be retreived via AUTOLOAD
sub AUTOLOAD {
    my ($self, $id, $new, $name, $myclass, $set, $field);
    $self = shift;
    $id = shift;
    $new = shift;

    # Autoload gives us the fully qualified method name being called - Get our
    # class name and strip it off $name. And why the negated index? Just to be
    # sure we don't discard what we don't want to - Either it is at the
    # beginning, or we don't discard a thing
    $name = $AUTOLOAD;
    $myclass = ref($self);
    if (!index($name, $myclass)) {
	# Substitute in $name from the beginning (0) to the length of the class
	# name plus two (that is, strip the '::') with nothing.
	substr($name,0,length($myclass)+2,'');
    }

    return undef unless $id;

    # Do we know how to handle the request?
    if ($name =~ /^set_(.+)$/) {
	$set = 1;
	$field = $1;
    } else {
	$field = $name;
    }

    if ($set) {
	if ($field =~ /^(id|session|sesion_exp)$/) {
	    die "Attempt to modify internal field $field";
	}

	return $self->_set_field($id, $field, $new);

    } 
    return $self->_get_field($id, $field);
}

######################################################################
# User creation and removal

sub new_user { 
    my ($self, %param, $id, $db, $orig_state, $has_transact);
    $self = shift;
    %param = @_;

    # We will use the database handler over and over - Get a shortcut.
    $db = $self->{db};

    # If available, we will do all this work inside a transaction. Sadly, not
    # every DBD provides such a facility - By trying to begin_work and
    # then commit on an empty transaction, we can check if this DBD does 
    # provide it. 
    eval { 
	$db->begin_work; 
	$db->commit;
    };
    $has_transact = $@ ? 0 : 1;

    # We require a login - Check if we got one.
    unless ($param{login}) {
	carp 'A login is required for user creation';
	return undef;
    }

    # Check first if we have a registered user with this same login
    if (my $id = $self->id($param{login})) {
	carp "There is already a user registered with desired login (ID $id)";
	return undef;
    }

    $orig_state = $db->{RaiseError};
    eval {
	my ($sth);
	$db->begin_work if $has_transact;
	$db->{RaiseError} = 1;

	# Not all DBD backends implement the 'serial' datatype - We use a
	# simple integer, and we just move the 'serial' logic to this point,
	# the only new user creation area. 
	# Yes, this could lead to a race condition and to the attempt to insert
	# two users with the same ID - We have, however, the column as a 
	# 'primary key'. Any DBD implementing unicity will correctly fail. 
	# And... Well, nobody expects too high trust from a DBD backend which
	# does not implement unicity, right? :)
	$sth = $db->prepare("SELECT id FROM $self->{tbl} ORDER BY
            id desc");
	$sth->execute;
	($id) = $sth->fetchrow_array;
	$id++;

	$sth = $db->prepare("INSERT INTO $self->{tbl} (id, login) 
            VALUES (?, ?)");
	$sth->execute($id, $param{login});

	# But just to be sure, lets retreive the ID from the login.
	$id = $self->id($param{login});

	$self->set_passwd($id, $param{passwd});

	# Set all the other fields we got as parameters
	for my $field (keys %param) {
	    next if $field =~ /^(login|passwd)$/; # Already handled.
	    $self->_set_field($id, $field, $param{$field});
	}

	$db->commit if $has_transact;
	$db->{RaiseError} = $orig_state;
    };
    if ($@) {
	if ($has_transact) {
	    $db->rollback;
	} else {
	    carp 'User creation was not successful. This DBD does not support'.
		' transactions - You might have a half-created user!';
	}
	$db->{RaiseError} = $orig_state;
	carp "Could not create specified user";
	return undef;
    }
    return $id;
}

sub remove_user { 
    my ($self, $id, $sth);
    $self = shift;
    $id = shift;

    unless ($sth = $self->{db}->prepare("DELETE FROM $self->{tbl} WHERE id=?")
	    and $sth->execute($id)) {
	carp "Could not remove user $id";
	return undef;
    }

    return 1;
}

######################################################################
# Private methods and functions

sub _get_field {
    my ($self, $id, $field, $sth);
    $self = shift;
    $id = shift;
    $field = shift;

    unless ($self->_is_valid_field($field)) {
	carp "Invalid field: $field";
	return undef;
    }

    $sth=$self->{db}->prepare("SELECT $field FROM $self->{tbl} WHERE id = ?");
    $sth->execute($id);

    return $sth->fetchrow_array;
}

sub _set_field { 
    my ($self, $id, $field, $val, $sth);
    $self = shift;
    $id = shift;
    $field = shift;
    $val = shift;

    unless ($self->_is_valid_field($field) or $field eq 'passwd') {
	carp "Invalid field: $field";
	return undef;
    }

    unless ($sth = $self->{db}->prepare("UPDATE $self->{tbl} SET $field = ? 
            WHERE id = ?") and $sth->execute($val, $id)) {
	carp "Could not set $field to $val for user $id";
	return undef;
    }

    return 1;
}

sub _is_valid_field {
    my ($self, $field, $raise_error);
    $self = shift;
    $field = shift;

    # If it is one of our internal fields, return successfully right away
    return 1 if $field =~ /^(login)$/;

    # Explicitly disallow direct passwd handling
    return 0 if $field eq 'passwd';

    # Allow only valid fields - alphanumeric characters or underscores
    $field =~ /^[\w\d\_]+$/ or return 0;

    $raise_error = $self->{db}{RaiseError};

    eval {
	my $sth;
	$self->{db}{RaiseError} = 1;
	$sth = $self->{db}->prepare("SELECT $field FROM $self->{tbl}");
	$sth->execute;
    };
    if ($@) {
	# If an error was raised, the field does not exist - Return 0
	# Restore the RaiseError

	$self->{db}{RaiseError} = $raise_error;
	return 0;
    }

    # The field is valid! Return 1.
    # Restore the RaiseError
    $self->{db}{RaiseError} = $raise_error;

    return 1;
}

1;