/usr/share/perl5/WebKDC/WebResponse.pm is in libwebkdc-perl 4.7.0-3build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 | # An object encapsulating a response from a WebKDC.
#
# Written by Roland Schemers
# Copyright 2002, 2003, 2009, 2012, 2013, 2014
# The Board of Trustees of the Leland Stanford Junior University
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
package WebKDC::WebResponse;
use strict;
use warnings;
our $VERSION;
# This version matches the version of WebAuth with which this module was
# released, but with two digits for the minor and patch versions.
BEGIN {
$VERSION = '4.0700';
}
# Create a new, empty request.
sub new {
my ($type) = @_;
my $self = {};
bless ($self, $type);
return $self;
}
# Shared code for all simple accessor methods. Takes the object, the
# attribute name, and the value. Sets the value if one was given, and returns
# the current value of that attribute.
sub _attr {
my ($self, $attr, $value) = @_;
$self->{$attr} = $value if defined ($value);
return $self->{$attr};
}
# Simple accessor methods.
sub app_state { my $r = shift; $r->_attr ('app_state', @_) }
sub default_device { my $r = shift; $r->_attr ('default_device', @_) }
sub default_factor { my $r = shift; $r->_attr ('default_factor', @_) }
sub login_canceled_token { my $r = shift; $r->_attr ('lc_token', @_) }
sub return_url { my $r = shift; $r->_attr ('return_url', @_) }
sub subject { my $r = shift; $r->_attr ('subject', @_) }
sub authz_subject { my $r = shift; $r->_attr ('authz_subject', @_) }
sub requester_subject { my $r = shift; $r->_attr ('requester_subject', @_) }
sub password_expiration { my $r = shift; $r->_attr ('pwd_expiration', @_) }
sub response_token { my $r = shift; $r->_attr ('response_token', @_) }
sub user_message { my $r = shift; $r->_attr ('user_message', @_) }
sub login_state { my $r = shift; $r->_attr ('login_state', @_) }
sub response_token_type {
my $r = shift;
$r->_attr ('response_token_type', @_);
}
# Set or return the list of permitted authorization identities.
sub permitted_authz {
my ($self, @values) = @_;
if (@values) {
$self->{permitted_authz} = [ @values ];
} else {
$self->{permitted_authz} ||= [];
}
return @{ $self->{permitted_authz} };
}
# Cookies are stored by type in a hash with value and (optional) expiration.
# Use cookies to retrieve the complete hash of cookies.
sub cookie {
my ($self, $type, $value, $expiration) = @_;
if (defined $value) {
if (!defined $expiration) {
$expiration = 0;
}
$self->{cookies}{$type}{value} = $value;
$self->{cookies}{$type}{expiration} = $expiration;
}
if (exists $self->{cookies}{$type}) {
return $self->{cookies}{$type}{value};
} else {
return undef;
}
}
# Return the cookies as a hash.
sub cookies {
my ($self) = @_;
return $self->{cookies};
}
# Login history, needed and configured factors, and devices are stored in
# arrays. Note that there is no way of clearing the array once a value has
# been set, only adding new values.
sub devices {
my ($self, @values) = @_;
push (@{ $self->{devices} }, @values) if @values;
return $self->{devices};
}
sub factor_configured {
my ($self, @values) = @_;
push (@{ $self->{'factor_configured'} }, @values) if @values;
return $self->{'factor_configured'};
}
sub factor_needed {
my ($self, @values) = @_;
push (@{ $self->{'factor_needed'} }, @values) if @values;
return $self->{'factor_needed'};
}
sub login_history {
my ($self, @values) = @_;
push (@{ $self->{'login_history'} }, @values) if @values;
return $self->{'login_history'};
}
1;
__END__
=for stopwords
WebAuth WebKDC login WEBAUTHS multifactor WEBAUTHR IP hostname webkdc-proxy
WebLogin Allbery
=head1 NAME
WebKDC::WebResponse - Encapsulates a response from a WebAuth WebKDC
=head1 SYNOPSIS
use WebKDC::WebResponse
my $resp = WebKDC::WebResponse->new;
$resp->subject ($user);
$resp->requester_subject ($req_subject);
$resp->response_token_type ('id');
$resp->response_token ($id);
$resp->return_url ($url);
=head1 DESCRIPTION
A WebKDC::WebResponse object encapsulates a response from a WebAuth
WebKDC, representing the result of a login attempt for a particular
WebAuth Application Server. It is filled in by the WebKDC module as the
result of a make_request_token_request call. The object has very little
inherent functionality. It's mostly a carrier for data.
=head1 CLASS METHODS
=over 4
=item new ()
Create a new, empty WebKDC::WebResponse object. At least some parameters
must be set using accessor functions as described below to do anything
useful with the object.
=back
=head1 INSTANCE METHODS
=over 4
=item app_state ([STATE])
Returns or sets the application state token. If this is set in the
response, the WebLogin server should return it to the WebAuth application
server as the WEBAUTHS parameter in the URL.
=item authz_subject ([SUBJECT])
Retrieve or set the asserted authorization identity. This is an identity
separate from the authentication identity that is vetted by the WebKDC and
asserted for authorization purposes to the remote site. It is included in
the id or proxy token, but is also included directly in the response for
display reasons in the WebLogin code.
=item default_device ([ID])
Returns or sets the default device to use for obtaining a second factor.
This may be set when the user's authentication was rejected because
multifactor authentication was required, and is used by WebLogin as part
of the prompting for the second factor authentication.
=item default_factor ([FACTOR])
Returns or sets the default authentication factor to use when a second
authentication factor besides password is required. This may be set when
the user's authentication was rejected because multifactor authentication
was required, and is used by WebLogin as part of the prompting for the
second factor authentication.
=item devices ([RECORD, ...])
Returns the list of devices for second authentication factors that the
user has available, or adds a new one. If any parameters are given, they
are device records that will be added to the list. Note that there is no
way to remove an entry from the list once it has been added.
Each RECORD should be an anonymous hash with a C<name> key indicating the
human-readable name of the device, a C<id> key indicating the opaque
identifier for the device, and a C<factors> key, whose value is a
reference to an array of factor codes that device supports. The
default_device() attribute should match the C<id> key of one of the device
records, and the default_factor() attribute should match one of the factors
listed for that device.
=item factor_configured ([FACTOR, ...])
=item factor_needed ([FACTOR, ...])
Returns or sets the authentication factors this user has configured or
that the WebAuth application server requires. These are set when the
user's authentication was rejected because multifactor authentication was
required and are used by the WebLogin server to determine what factor to
prompt for or to customize an error message explaining to the user what
factors they need to configure.
=item login_canceled_token ([LC])
Returns or sets a login cancellation token. If the user decides to cancel
this authentication, this token should be returned to the WebAuth
application server as the WEBAUTHR parameter in the URL.
=item login_history ([RECORD, ...])
Returns the list of login history records or adds new login history
records. If any parameters are given, they are history records that will
be added to the list. Note that there is no way to remove an entry from
the list once it has been added.
Each RECORD should be an anonymous hash with an C<ip> key whose value is
the IP address from which the user logged in and a C<timestamp> key whose
value is the time of that login in seconds since epoch. There may
optionally be a C<hostname> key that, if present, gives the hostname from
which the user logged in.
=item permitted_authz ([SUBJECT, ...])
Returns the list of permitted authorization identities or sets them. If
any parameters are given, the list of acceptable authorization identities
is replaced with the list of subjects given. The permitted authorization
identities are unique to this authenticated user and destination site.
=item cookie (TYPE[, VALUE][, EXPIRATION])
Returns or sets a cookie of the specified type. The TYPE parameter should
be the type of the cookie. The VALUE, if present, is the corresponding
token, suitable for being set as a browser cookie. The EXPIRATION, if
present, is the value the cookie expiration should be set for. Returns
the token of the given type, if any is set.
=item cookies ()
Returns all cookies as a hash, whose keys are the types and whose values
are the tokens. The returned hash is a reference to the hash inside the
WebKDC::WebResponse object and therefore should not be modified by the
caller.
=item return_url ([URL])
Returns or sets the return URL to which the user should be directed after
authentication.
=item requester_subject ([SUBJECT])
Returns or sets the identity of the WebAuth application server that
prompted this authentication attempt.
=item response_token ([TOKEN])
=item response_token_type ([TYPE])
Returns or sets the token that is the result of the authentication
attempt, or the type of that token. This will be either an id token or a
proxy token, depending on what the WebAuth application server requested.
=item subject ([SUBJECT])
Returns or sets the authenticated user identity.
=item password_expiration ([EXPIRATION])
Returns or sets the password expiration time for the authenticating user,
in seconds since UNIX epoch.
=item user_message ([TEXT])
Text passed back from the user information service as a message to
display to the user as explanatory text.
=back
=head1 AUTHOR
Roland Schemers and Russ Allbery <eagle@eyrie.org>
=head1 SEE ALSO
WebKDC(3)
This module is part of WebAuth. The current version is available from
L<http://webauth.stanford.edu/>.
=cut
|