Debug Apache 2.4 PerlAuthenHandler - apache

I am trying to debug a problem that occurred after an Apache upgrade. I want to integrate Redmine into my Apache authentication/access control.
Here is my apache config:
<Location "/git/">
AuthType Basic
AuthName "Git Access"
Require valid-user
Order deny,allow
Allow from all
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
...
And this is the access/authen handler:
# Excerpt from the Redmine.pm mod_perl module; request_is_read_only, get_project_identifier,
# is_public_project, anonymous_role_allows_browse_repository and is_member are helpers from that module.
package Apache::Authn::Redmine;

use Apache2::Access ();
use Apache2::Log ();
use Apache2::RequestRec ();
use Apache2::RequestUtil ();
use Apache2::Const qw(OK DECLINED FORBIDDEN);

sub access_handler {
    my $r = shift;

    unless ($r->some_auth_required) {
        $r->log_reason("No authentication has been configured");
        return FORBIDDEN;
    }

    # Writes always go through the real authentication handler.
    return OK unless request_is_read_only($r);

    my $project_id = get_project_identifier($r);

    $r->log_error("Setting Auth to OK")
        if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
    $r->log_error("Content: " . $r->get_handlers("PerlAuthenHandler"));

    # Public project and anonymous browsing allowed: swap in a dummy authen handler.
    $r->set_handlers(PerlAuthenHandler => [\&ok_authen_handler])
        if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);

    return OK;
}

sub ok_authen_handler {
    my $r = shift;
    $r->log_error("ok_authen_handler()...");
    my ($res, $redmine_pass) = $r->get_basic_auth_pw();
    return OK;
}

sub authen_handler {
    my $r = shift;
    $r->log_error("authen_handler() ...");
    my ($res, $redmine_pass) = $r->get_basic_auth_pw();
    return $res unless $res == OK;

    if (is_member($r->user, $redmine_pass, $r)) {
        $r->log_error("Auth succeeded");
        return OK;
    } else {
        $r->log_error("Auth failed...");
        $r->note_auth_failure();
        return DECLINED;
    }
}
As you can see, the access handler resets the auth handler to some dummy method in case the authentication is not needed. In theory, this allows for selective anonymous access.
In practice, though, Apache 2.4 yields an error:
AH00027: No authentication done but request not allowed without authentication for $PATH. Authentication not configured?
I have already narrowed the problem down to the hack in the access handler: if I uncomment the set_handlers statement, I can authenticate against Redmine. So I guess there is something wrong in this "hack". Unfortunately I am not really a Perl guy, so I have no idea how to investigate the issue any further.
Is there any way to figure out what the important difference is between the "hacked" control flow (i.e. setting the auth handler programmatically) and the normal one?

A slightly dirty workaround is to always set the "user" (REMOTE_USER) variable, even in anonymous mode, so that "Require valid-user" seems happy:
$r->user("");
return Apache2::Const::OK;
We had this problem to implement lazy authentication (Shibboleth style).

I recently upgraded from 2.3 to 2.5.1. Now I get the same strange behavior as long as the project is public. I have some projects where others need access without registering on the Redmine site, so I need a quick solution. But I also have no idea how to solve it. Therefore I created a bug report on the Redmine project side:
http://www.redmine.org/issues/16948


Apache gives HTTP 404 error for all requests when using custom Perl module

I have to create a Go remote-import server for my project using Apache, and I am trying to create a Perl module to handle the "go get" request from the user.
The Perl module (RemoteImport.pm) is shown below:
package Gerrit::Go::RemoteImport;
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(OK DECLINED);

sub handler {
    my $r = shift;
    # check if the request comes from "go get" (it carries ?go-get=1)
    return Apache2::Const::DECLINED if (($r->args() // '') !~ /go\-get=1$/);
    # Code that provides the HTTP body data needed by "go get" goes here, then returns OK.
    return Apache2::Const::OK;
}
1;
Apache config:
PerlModule Gerrit::Go::RemoteImport
<Location />
SetHandler perl-script
PerlResponseHandler Gerrit::Go::RemoteImport
</Location>
The "go get" request works normally, but I found a problem with other HTTP requests whose path begins with "/": Apache does not continue to serve the request as it normally would and gives a not-found page.
Please help me to solve this problem.
I got the solution from my team, as below:
package Gerrit::Go::RemoteImport;
use Apache2::RequestRec ();
use Apache2::RequestUtil ();
use Apache2::Const -compile => qw(OK);

sub go_remote_import_response {
    my $r = shift;
    # Code that provides the HTTP body data needed by "go get" goes here, then returns OK.
    return Apache2::Const::OK;
}

sub handler {
    my $r = shift;
    # check if the request is from "go"; if not, return OK without touching the handlers
    return Apache2::Const::OK if (($r->args() // '') !~ /go\-get=1$/);
    # the request is from "go": switch the response handler to ours
    $r->handler('perl-script');
    $r->set_handlers(PerlResponseHandler => \&go_remote_import_response);
    return Apache2::Const::OK;
}
1;

Apache Directory Studio LDAP bind from PHP

I am new to Apache Directory Studio and LDAP. I am running an LDAP server from Apache Directory Studio. I have a user in LDAP and I am trying to bind to the uid from a PHP script. Not sure where I am going wrong.
I am using the username "uid=admin,ou=user"
and the password "secret".
I also tried the username "uid=arone_a,ou=users,dc=example,dc=com"
and the password "password".
The password attribute was set manually, and arone_a is the user's uid.
I am trying to write a PHP script which can pull all users from the LDAP server.
Thanks in advance.
My PHP script is:
<?php
$ldaphost = "localhost";
$ldapport = 10389;                  // Apache Directory Studio's default LDAP port
$ldaprdn  = 'uid=admin,ou=system';  // bind DN of the built-in admin account
$ldappass = 'secret';

// ldap_connect() only prepares the handle; the server is not contacted until the bind,
// which is why "connecting" always succeeds here
$ldapconn = ldap_connect($ldaphost, $ldapport)
    or die("Could not connect to $ldaphost");

if ($ldapconn) {
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "success";
    } else {
        echo "not success";
    }
}
Connection goes through but bind is not going through.
I was having a similar issue, and the problem was that I had added an additional parameter to the userPassword attribute specifying the language, resulting in userPassword;lang-ca-ES (the wizard shows a form to add it).
That caused the "Verify" check in Apache Directory Studio to work fine while the "Bind" check failed (you can do both in the password editor by double-clicking the userPassword attribute).
I finally left userPassword without additional attributes and it bound perfectly :)
Just add the LDAP set option; it worked for me:
<?php
$ldaphost = "localhost";
$ldapport = 10389;
$ldaprdn  = 'uid=admin,ou=system';
$ldappass = 'secret';

$ldapconn = ldap_connect($ldaphost, $ldapport)
    or die("Could not connect to $ldaphost");

if ($ldapconn) {
    // request LDAPv3 explicitly; an LDAPv2 bind is rejected by ApacheDS
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "success";
    } else {
        echo "not success";
    }
}
?>
The simple BIND request requires the DN, not the RDN. Should your BIND DN be something like uid=admin,ou=system,dc=example,dc=com?
see also
LDAP: Authentication best practices
LDAP: Programming practices

CodeIgniter API error returning

Hi, has anyone any experience using Phil Sturgeon's RESTful library for CodeIgniter? I've decided to create a web service for our database in order to supply access to the database from multiple applications. The website is currently developed in CodeIgniter, therefore it was a simple solution to use the REST API library.
The problem I have is that I am trying to return specific errors in the event of a problem.
At the moment I am purposely returning an error like so:
require(APPPATH . 'libraries/REST_Controller.php');

class Settings_api extends REST_Controller {
    // GET /api/settings_api/settings: deliberately answers 404 with no body
    function settings_get()
    {
        $this->response(NULL, 404);
    }
}
If I access the URL directly then I just receive a blank page. I can return a message if I replace the NULL with a message, but there is nothing to say it's a 404 error. Whereas if I call the page via PHP using the following
$user = json_decode(file_get_contents('http://www.example.co.uk/api/settings_api/settings/'));
echo $user;
then it shows the following line
Message: file_get_contents(http://www.example.co.uk/api/settings_api/settings/) [function.file-get-contents]: failed to open stream: HTTP request failed! HTTP/1.1 404
In both instances I would like to return a 404 error along with a message I provide. Is this possible, and if so could you point me in the right direction?
Thanks
The error message is being generated by PHP; as far as I know, there's nothing you can do about this (other than using the # operator, which I do NOT recommend). So, your only option is to manually check file_get_contents()'s return value:
$response = file_get_contents('http://...');
if ($response === false) {
    // return whatever you feel is appropriate
} else {
    $user = json_decode($response);
    echo $user;
}
EDIT
Found this answer here on Stack Overflow, which is what you are looking for.

Error while using REST API in Magento

I have set up Magento locally on my system using XAMPP.
I have created a file in the root directory named dm.php with the following contents:
<?php
/**
 * Example of retrieving the product list via the Magento REST API using a
 * Customer account. OAuth authorization is used.
 */
$callbackUrl = "http://localhost/dm.php";
$temporaryCredentialsRequestUrl = "http://localhost/mage2/oauth/initiate?oauth_callback=" . urlencode($callbackUrl);
$adminAuthorizationUrl = 'http://localhost/mage2/oauth/authorize';
$accessTokenRequestUrl = 'http://localhost/mage2/oauth/token';
$apiUrl = 'http://localhost/mage2/api/rest';
$consumerKey = 'enhksf7u33p3snubewb6zcq0z9c63bvv';
$consumerSecret = 'p7e835cdcxofokeep749jgzz4l1e306p';

session_start();
if (!isset($_SESSION['state'])) {
    $_SESSION['state'] = 0;   // first visit: no request token yet
}
// Coming back without a token while a request token was pending: start over.
if (!isset($_GET['oauth_token']) && $_SESSION['state'] == 1) {
    $_SESSION['state'] = 0;
}
try {
    // state 2 = access token obtained: sign API calls via the Authorization header
    $authType = ($_SESSION['state'] == 2) ? OAUTH_AUTH_TYPE_AUTHORIZATION : OAUTH_AUTH_TYPE_URI;
    $oauthClient = new OAuth($consumerKey, $consumerSecret, OAUTH_SIG_METHOD_HMACSHA1, $authType);
    $oauthClient->enableDebug();

    if (!isset($_GET['oauth_token']) && !$_SESSION['state']) {
        // Step 1: fetch a request token and send the user to the authorization page.
        $requestToken = $oauthClient->getRequestToken($temporaryCredentialsRequestUrl);
        $_SESSION['secret'] = $requestToken['oauth_token_secret'];
        $_SESSION['state'] = 1;
        header('Location: ' . $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token']);
        exit;
    } else if ($_SESSION['state'] == 1) {
        // Step 2: exchange the authorized request token for an access token.
        $oauthClient->setToken($_GET['oauth_token'], $_SESSION['secret']);
        $accessToken = $oauthClient->getAccessToken($accessTokenRequestUrl);
        $_SESSION['state'] = 2;
        $_SESSION['token'] = $accessToken['oauth_token'];
        $_SESSION['secret'] = $accessToken['oauth_token_secret'];
        header('Location: ' . $callbackUrl);
        exit;
    } else {
        // Step 3: call the API with the access token.
        $oauthClient->setToken($_SESSION['token'], $_SESSION['secret']);
        $resourceUrl = "$apiUrl/products";
        $oauthClient->fetch($resourceUrl);
        $productsList = json_decode($oauthClient->getLastResponse());
        print_r($productsList);
    }
} catch (OAuthException $e) {
    print_r($e);
}
But this is giving me the following error:
Fatal error: Class 'OAuth' not found in D:\Webserver\xampp\htdocs\dm.php on line 19
Can anybody shed some light on this?
Thanks
Since OAuth is not possible to install in XAMPP on Windows, I changed the contents of my dm.php file to this:
<?php
$ch = curl_init('http://localhost/mage2/api/rest/customers');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$customers = curl_exec($ch);
echo $customers;
?>
Now I am getting an error like this:
{"messages":{"error":[{"code":403,"message":"Access denied"}]}}
What am I doing wrong?
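The OAuth 1.0a HMAC-SHA1 signing that the PECL OAuth class in the question performs (request-token call with oauth_callback, then signed API calls), as an added example in Python that is not the question's or Magento's code; the consumer key/secret, nonce and timestamps are placeholders, and the server-side verify function is an addition showing how the signature is checked on receipt.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    # RFC 5849 section 3.6: percent-encode everything except the unreserved characters
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    # scheme and host lowercased, default port dropped, query string removed
    u = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(u.scheme.lower())
    host = u.hostname.lower() if u.port in (None, default_port) else f"{u.hostname.lower()}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    # query-string, form-body and oauth_* parameters (minus oauth_signature) are
    # percent-encoded, sorted by key then value, joined, and encoded once more
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # key is "consumer_secret&token_secret" (token secret is empty before a token exists)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, nonce, timestamp,
                 token="", token_secret="", extra=None, body="") -> dict:
    # returns the oauth_* parameters, including the computed oauth_signature
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
              "oauth_version": "1.0", **(extra or {})}
    if token:
        params["oauth_token"] = token
    base = signature_base_string(method, url, params, body)
    params["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return params


def authorization_header(params: dict) -> str:
    # the "Authorization: OAuth ..." value the PECL client sends in AUTHORIZATION mode
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def verify_signature(method, url, params, consumer_secret, token_secret="", body="") -> bool:
    # server side: recompute from the received parameters and compare in constant time
    expected = hmac_sha1(signature_base_string(method, url, params, body), consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode())
```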
First of all:
Go to the Magento admin panel, System -> Web Services -> REST Roles -> Guest -> Resources Access -> set ALL.
Similarly go to System -> Web Services -> REST Attributes -> Guest -> Resources Access -> set ALL.
Then hit this URL http://****/chanchal/magento/api/rest/products in a web browser and check what error it shows....
According to me it should show the products on your website in XML format.
Please let me know..
EDIT:
I configured a localhost just now and got this output; refer to the screenshot. Be sure there are products in your Magento.
Similarly, follow the above steps for admin and customer, then create an OAuth consumer from the admin panel, install RESTClient for Mozilla Firefox and follow here.
These four steps are necessary for the setup; the link might help you.
Authentication Endpoints
1. /oauth/initiate - this endpoint is used for retrieving the Request Token.
2. /oauth/authorize - this endpoint is used for user authorization (Customer).
3. /admin/oauth_authorize - this endpoint is used for user authorization (Admin).
4. /oauth/token - this endpoint is used for retrieving the Access Token.
Let me know if you have any issues.
Best of luck
A bit of code modification will easily solve this 403 Forbidden error.
What the Magento engine does is use the default guest user to provide access to the REST API methods. The guest user does not have many permissions, so it is better to change this functionality of Magento. There are 2 ways of doing this:
1) Quick and dirty fix: in the file /app/code/core/Mage/Api2/Model/Auth.php, change the value of DEFAULT_USER_TYPE = 'guest' to DEFAULT_USER_TYPE = 'admin'. In the file /app/code/core/Mage/Api2/Model/Auth/Adapter.php, change this line from return (object) array('type' => Mage_Api2_Model_Auth::DEFAULT_USER_TYPE, 'id' => null); to this:
return (object) array('type' => Mage_Api2_Model_Auth::DEFAULT_USER_TYPE, 'id' => '1');
This way the authentication system will not be broken.
2) Proper long-run fix: override the two functionalities using the Magento overriding mechanism to have a better solution in accordance with Magento standards. This way the core files stay intact.
We used this link to install OAuth for PHP. It's good and easy to add the extension for PHP.
install oauth php
I hope it helps everyone and solves the 'OAuth' not found fatal error.
I had the same issue and was struggling for a week, but just try installing a new version of XAMPP or WAMP which supports OAuth. The better solution was: I installed AMPPS 1.9 and in PHP 5.4 I resolved the OAuth extension, but still make sure that you select the proper PHP version for which the OAuth extension is supported (PHP 5.4).
For installing OAuth: http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html
Installing the PHP extension for OAuth:
1. Download the php_oauth.dll file and add it under C:\xampp\php\ext\
2. Add [PHP_OAUTH] extension=php_oauth.dll in php.ini

Symfony REST API authentication without sfGuardPlugin

I'm trying to find information on securing an HTTP REST API in a Symfony project, but all I can find is information about using sfGuardPlugin. From what I can see, this plugin isn't very useful for web services. It tries to have user profile models (which aren't always that simple) and has "sign in" and "sign out" pages, which obviously are pointless for a stateless REST API. It does a lot more than I'll ever have need for and I want to keep it simple.
I want to know where to implement my own authorisation method (loosely based on Amazon S3's approach). I know how I want the authorisation method to actually work, I just don't know where I can put code in my Symfony app so that it runs before every request is processed, and lets approved requests continue but unsuccessful requests return a 403.
Any ideas? I can't imagine this is hard, I just don't know where to start looking.
There is a plugin for RESTful authentication -> http://www.symfony-project.org/plugins/sfRestfulAuthenticationPlugin
Not used it though ....
How were you planning to authenticate users?
The Jobeet tutorial uses tokens ... http://www.symfony-project.org/jobeet/1_4/Doctrine/en/15
I ended up finding what I was looking for by digging into the code for sfHttpAuthPlugin. What I was looking for was a "Filter". Some details and an example are described in the Askeet sample project.
Stick an HTTP basicAuth script in your <appname>_dev.php (Symfony <= 1.4) between the project configuration "require" and the configuration instance creation.
Test it on your dev. If it works, put the code in your index.php (the live equivalent of <appname>_dev.php) and push it live.
Quick and dirty, but it works. You may want to protect that username/password in the script though.
e.g.
$realm = 'Restricted area';
// user => password
$users = array('username' => 'password');

// No credentials yet: challenge the client.
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    die('Text to send if user hits Cancel button');
}

// Analyze the PHP_AUTH_DIGEST variable; reject it if it is incomplete or names an unknown user.
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    die('Wrong Credentials!');
}

// Generate the valid response (RFC 2617, qop=auth).
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

// Compare in constant time: a loose != on two hex strings leaks timing and is subject to
// PHP's numeric-string coercion (hash_equals needs PHP 5.6+; use !== on older versions).
if (!hash_equals($valid_response, (string) $data['response'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    die('Wrong Credentials!');
}

// Function to parse the HTTP auth header.
function http_digest_parse($txt)
{
    // protect against missing data
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();
    $keys = implode('|', array_keys($needed_parts));

    preg_match_all('#(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))#', $txt, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
        unset($needed_parts[$m[1]]);
    }

    // false if any required field is missing
    return $needed_parts ? false : $data;
}

// ****************************************************************************
// ok, valid username & password.. continue...
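The digest check performed by the script in the answer above, reimplemented in Python as an added example (not the answer's or Symfony's code) that also rejects nonces the server never issued or that have expired, checks the signed URI against the request, and compares the response in constant time; the realm, user table, nonce secret and header values are constructed for the demo.

```python
import hashlib
import hmac
import re

REALM = "Restricted area"
USERS = {"username": "password"}          # constructed demo credential, as in the answer
NONCE_KEY = b"change-me-per-deployment"   # assumption: server-side secret for issuing nonces
NONCE_TTL = 300                           # seconds a nonce stays valid
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')
NEEDED = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now: int) -> str:
    # "timestamp:HMAC(timestamp)": verifiable later without storing server state
    ts = str(now)
    return ts + ":" + hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()

def nonce_is_valid(nonce: str, now: int) -> bool:
    # rejects nonces the server never issued and nonces older than NONCE_TTL
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit() or now - int(ts) > NONCE_TTL:
        return False
    expected = hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())

def parse_digest(header: str):
    # fields of "Authorization: Digest ..." as a dict, or None if a required field is missing
    if not header.startswith("Digest "):
        return None
    data = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(header[7:])}
    return data if NEEDED.issubset(data) else None

def verify_digest(header: str, method: str, request_uri: str, now: int) -> bool:
    d = parse_digest(header)
    if d is None or d["realm"] != REALM or d["qop"] != "auth" or d["uri"] != request_uri:
        return False
    if d["username"] not in USERS or not nonce_is_valid(d["nonce"], now):
        return False
    a1 = md5hex(f'{d["username"]}:{REALM}:{USERS[d["username"]]}')
    a2 = md5hex(f'{method}:{d["uri"]}')
    expected = md5hex(f'{a1}:{d["nonce"]}:{d["nc"]}:{d["cnonce"]}:{d["qop"]}:{a2}')
    # constant-time compare; a plain != leaks timing and, in PHP, coerces numeric-looking strings
    return hmac.compare_digest(expected.encode(), d["response"].encode())

def client_response(username, password, method, uri, nonce, nc="00000001", cnonce="0a4f113b"):
    # the header a browser would send back; used here to build the constructed test input
    a1 = md5hex(f"{username}:{REALM}:{password}")
    a2 = md5hex(f"{method}:{uri}")
    resp = md5hex(f"{a1}:{nonce}:{nc}:{cnonce}:auth:{a2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```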