summaryrefslogtreecommitdiffstats
path: root/Bugzilla/DuoWeb.pm
diff options
context:
space:
mode:
Diffstat (limited to 'Bugzilla/DuoWeb.pm')
-rw-r--r--Bugzilla/DuoWeb.pm146
1 files changed, 74 insertions, 72 deletions
diff --git a/Bugzilla/DuoWeb.pm b/Bugzilla/DuoWeb.pm
index 722c032e3..9dbfc46ad 100644
--- a/Bugzilla/DuoWeb.pm
+++ b/Bugzilla/DuoWeb.pm
@@ -47,67 +47,69 @@ my $SKEY_LEN = 40;
my $AKEY_LEN = 40;
our $ERR_USER = 'ERR|The username passed to sign_request() is invalid.';
-our $ERR_IKEY = 'ERR|The Duo integration key passed to sign_request() is invalid.';
+our $ERR_IKEY
+ = 'ERR|The Duo integration key passed to sign_request() is invalid.';
our $ERR_SKEY = 'ERR|The Duo secret key passed to sign_request() is invalid.';
-our $ERR_AKEY = "ERR|The application secret key passed to sign_request() must be at least $AKEY_LEN characters.";
+our $ERR_AKEY
+ = "ERR|The application secret key passed to sign_request() must be at least $AKEY_LEN characters.";
our $ERR_UNKNOWN = 'ERR|An unknown error has occurred.';
sub _sign_vals {
- my ($key, $vals, $prefix, $expire) = @_;
+ my ($key, $vals, $prefix, $expire) = @_;
- my $exp = time + $expire;
+ my $exp = time + $expire;
- my $val = join '|', @{$vals}, $exp;
- my $b64 = encode_base64($val, '');
- my $cookie = "$prefix|$b64";
+ my $val = join '|', @{$vals}, $exp;
+ my $b64 = encode_base64($val, '');
+ my $cookie = "$prefix|$b64";
- my $sig = hmac_sha1_hex($cookie, $key);
+ my $sig = hmac_sha1_hex($cookie, $key);
- return "$cookie|$sig";
+ return "$cookie|$sig";
}
sub _parse_vals {
- my ($key, $val, $prefix, $ikey) = @_;
+ my ($key, $val, $prefix, $ikey) = @_;
- my $ts = time;
+ my $ts = time;
- if (not defined $val) {
- return '';
- }
+ if (not defined $val) {
+ return '';
+ }
- my @parts = split /\|/, $val;
- if (scalar(@parts) != 3) {
- return '';
- }
- my ($u_prefix, $u_b64, $u_sig) = @parts;
+ my @parts = split /\|/, $val;
+ if (scalar(@parts) != 3) {
+ return '';
+ }
+ my ($u_prefix, $u_b64, $u_sig) = @parts;
- my $sig = hmac_sha1_hex("$u_prefix|$u_b64", $key);
+ my $sig = hmac_sha1_hex("$u_prefix|$u_b64", $key);
- if (hmac_sha1_hex($sig, $key) ne hmac_sha1_hex($u_sig, $key)) {
- return '';
- }
+ if (hmac_sha1_hex($sig, $key) ne hmac_sha1_hex($u_sig, $key)) {
+ return '';
+ }
- if ($u_prefix ne $prefix) {
- return '';
- }
+ if ($u_prefix ne $prefix) {
+ return '';
+ }
- my @cookie_parts = split /\|/, decode_base64($u_b64);
- if (scalar(@cookie_parts) != 3) {
- return '';
- }
- my ($user, $u_ikey, $exp) = @cookie_parts;
+ my @cookie_parts = split /\|/, decode_base64($u_b64);
+ if (scalar(@cookie_parts) != 3) {
+ return '';
+ }
+ my ($user, $u_ikey, $exp) = @cookie_parts;
- if ($u_ikey ne $ikey) {
- return '';
- }
+ if ($u_ikey ne $ikey) {
+ return '';
+ }
- if ($ts >= $exp) {
- return '';
- }
+ if ($ts >= $exp) {
+ return '';
+ }
- return $user;
+ return $user;
}
=pod
@@ -124,38 +126,38 @@ sub _parse_vals {
=cut
sub sign_request {
- my ($ikey, $skey, $akey, $username) = @_;
+ my ($ikey, $skey, $akey, $username) = @_;
- if (not $username) {
- return $ERR_USER;
- }
+ if (not $username) {
+ return $ERR_USER;
+ }
- if (index($username, '|') != -1) {
- return $ERR_USER;
- }
+ if (index($username, '|') != -1) {
+ return $ERR_USER;
+ }
- if (not $ikey or length $ikey != $IKEY_LEN) {
- return $ERR_IKEY;
- }
+ if (not $ikey or length $ikey != $IKEY_LEN) {
+ return $ERR_IKEY;
+ }
- if (not $skey or length $skey != $SKEY_LEN) {
- return $ERR_SKEY;
- }
+ if (not $skey or length $skey != $SKEY_LEN) {
+ return $ERR_SKEY;
+ }
- if (not $akey or length $akey < $AKEY_LEN) {
- return $ERR_AKEY;
- }
+ if (not $akey or length $akey < $AKEY_LEN) {
+ return $ERR_AKEY;
+ }
- my $vals = [ $username, $ikey ];
+ my $vals = [$username, $ikey];
- my $duo_sig = _sign_vals($skey, $vals, $DUO_PREFIX, $DUO_EXPIRE);
- my $app_sig = _sign_vals($akey, $vals, $APP_PREFIX, $APP_EXPIRE);
+ my $duo_sig = _sign_vals($skey, $vals, $DUO_PREFIX, $DUO_EXPIRE);
+ my $app_sig = _sign_vals($akey, $vals, $APP_PREFIX, $APP_EXPIRE);
- if (not $duo_sig or not $app_sig) {
- return $ERR_UNKNOWN;
- }
+ if (not $duo_sig or not $app_sig) {
+ return $ERR_UNKNOWN;
+ }
- return "$duo_sig:$app_sig";
+ return "$duo_sig:$app_sig";
}
=pod
@@ -175,20 +177,20 @@ sub sign_request {
=cut
sub verify_response {
- my ($ikey, $skey, $akey, $sig_response) = @_;
+ my ($ikey, $skey, $akey, $sig_response) = @_;
- if (not defined $sig_response) {
- return '';
- }
+ if (not defined $sig_response) {
+ return '';
+ }
- my ($auth_sig, $app_sig) = split /:/, $sig_response;
- my $auth_user = _parse_vals($skey, $auth_sig, $AUTH_PREFIX, $ikey);
- my $app_user = _parse_vals($akey, $app_sig, $APP_PREFIX, $ikey);
+ my ($auth_sig, $app_sig) = split /:/, $sig_response;
+ my $auth_user = _parse_vals($skey, $auth_sig, $AUTH_PREFIX, $ikey);
+ my $app_user = _parse_vals($akey, $app_sig, $APP_PREFIX, $ikey);
- if ($auth_user ne $app_user) {
- return '';
- }
+ if ($auth_user ne $app_user) {
+ return '';
+ }
- return $auth_user;
+ return $auth_user;
}
1;
generated by cgit v1.2.3-24-g4f1b (git 2.32.0) at 2024-05-03 14:30:43 +0200