1 package Koha::AuthUtils;
3 # Copyright 2013 Catalyst IT
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
21 use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
22 use Encode qw( encode is_utf8 );
23 use Fcntl qw/O_RDONLY/; # O_RDONLY is used in generate_salt
24 use List::MoreUtils qw/ any /;
25 use String::Random qw( random_string );
26 use Koha::Exceptions::Password;
32 our @EXPORT_OK = qw(hash_password get_script_name);
36 Koha::AuthUtils - utility routines for authentication
40 use Koha::AuthUtils qw/hash_password/;
41 my $hash = hash_password($password);
45 This module provides utility functions related to managing
52 my $hash = Koha::AuthUtils::hash_password($password, $settings);
54 Hash I<$password> using Bcrypt. Accepts an extra I<$settings> parameter for salt.
55 If I<$settings> is not passed, a new salt is generated.
57 WARNING: If this method implementation is changed in the future, as of
58 bug 28772 there's at least one DBRev that uses this code and should
65 $password = Encode::encode( 'UTF-8', $password )
66 if Encode::is_utf8($password);
68 # Generate a salt if one is not passed
70 unless( defined $settings ){ # if there are no settings, we need to create a salt and append settings
71 # Set the cost to 8 and append a NULL
72 $settings = '$2a$08$'.en_base64(generate_salt('weak', 16));
75 return bcrypt($password, $settings);
80 my $salt = Koha::Auth::generate_salt($strength, $length);
86 For general password salting a C<$strength> of C<weak> is recommend,
87 For generating a server-salt a C<$strength> of C<strong> is recommended
89 'strong' uses /dev/random which may block until sufficient entropy is achieved.
90 'weak' uses /dev/urandom and is non-blocking.
94 C<$length> is a positive integer which specifies the desired length of the returned string
101 # the implementation of generate_salt is loosely based on Crypt::Random::Provider::File
103 # strength is 'strong' or 'weak'
104 # length is number of bytes to read, positive integer
105 my ($strength, $length) = @_;
110 die "non-positive strength of '$strength' passed to Koha::AuthUtils::generate_salt\n";
113 if( $strength eq "strong" ){
114 $source = '/dev/random'; # blocking
116 unless( $strength eq 'weak' ){
117 warn "unsuppored strength of '$strength' passed to Koha::AuthUtils::generate_salt, defaulting to 'weak'\n";
119 $source = '/dev/urandom'; # non-blocking
122 sysopen SOURCE, $source, O_RDONLY
123 or die "failed to open source '$source' in Koha::AuthUtils::generate_salt\n";
125 # $bytes is the bytes just read
126 # $string is the concatenation of all the bytes read so far
127 my( $bytes, $string ) = ("", "");
129 # keep reading until we have $length bytes in $strength
130 while( length($string) < $length ){
131 # return the number of bytes read, 0 (EOF), or -1 (ERROR)
132 my $return = sysread SOURCE, $bytes, $length - length($string);
134 # if no bytes were read, keep reading (if using /dev/random it is possible there was insufficient entropy so this may block)
137 die "error while reading from $source in Koha::AuthUtils::generate_salt\n";
147 =head2 is_password_valid
149 my ( $is_valid, $error ) = is_password_valid( $password, $category );
151 return $is_valid == 1 if the password match category's minimum password length and strength if provided, or general minPasswordLength and RequireStrongPassword conditions
152 otherwise return $is_valid == 0 and $error will contain the error ('too_short' or 'too_weak')
156 sub is_password_valid {
157 my ($password, $category) = @_;
159 Koha::Exceptions::Password::NoCategoryProvided->throw();
161 my $minPasswordLength = $category->effective_min_password_length;
162 $minPasswordLength = 3 if not $minPasswordLength or $minPasswordLength < 3;
163 if ( length($password) < $minPasswordLength ) {
164 return ( 0, 'too_short' );
166 elsif ( $category->effective_require_strong_password ) {
167 return ( 0, 'too_weak' )
168 if $password !~ m|(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{$minPasswordLength,}|;
170 return ( 0, 'has_whitespaces' ) if $password =~ m[^\s|\s$];
174 =head2 generate_password
176 my password = generate_password($category);
178 Generate a password according to category's minimum password length and strength if provided, or to the minPasswordLength and RequireStrongPassword system preferences.
182 sub generate_password {
185 Koha::Exceptions::Password::NoCategoryProvided->throw();
187 my $minPasswordLength = $category->effective_min_password_length;
188 $minPasswordLength = 8 if not $minPasswordLength or $minPasswordLength < 8;
190 my ( $password, $is_valid );
192 $password = random_string('.' x $minPasswordLength );
193 ( $is_valid, undef ) = is_password_valid( $password, $category );
194 } while not $is_valid;
199 =head2 get_script_name
201 This returns the correct script name, for use in redirecting back to the correct page after showing
202 the login screen. It depends on details of the package Plack configuration, and should not be used
203 outside this context.
207 sub get_script_name {
208 # This is the method about.pl uses to detect Plack; now that two places use it, it MUST be
210 if ( ( any { /(^psgi\.|^plack\.)/i } keys %ENV ) && $ENV{SCRIPT_NAME} =~ m,^/(intranet|opac)(.*), ) {
211 return '/cgi-bin/koha' . $2;
213 return $ENV{SCRIPT_NAME};
223 Crypt::Eksblowfish::Bcrypt(3)