Bio::Das::ProServer::Authenticator::ip - authenticates DAS requests by IP address

Bio-Das-ProServer documentation Contained in the Bio-Das-ProServer distribution.

Index

Code Index:

NAME

Top

Bio::Das::ProServer::Authenticator::ip - authenticates DAS requests by IP address

VERSION

Top

$LastChangedRevision: 453 $

SYNOPSIS

Top

To authenticate a request:

  my $auth = Bio::Das::ProServer::Authenticator::ip->new({
    'config' => {
                 'authallow' => $, # IP whitelist
                },
  });

  my $allow = $auth->authenticate({
    'peer_addr' => $, # packed
    'request'   => $, # HTTP::Request object
    ...
  });

Once authenticated the IP address is stored:

  if ($allow) {
    my $ip    = $auth->ip();
  }

To simply perform IP address authentication but not deny requests, configure the source with a lax IP range (e.g. "0/0"). This allows the source to alter its behaviour in a more subtle fashion (e.g provide different data for different sites).

DESCRIPTION

Top

Authenticates requests according to a 'whitelist' of IP address ranges. Requests from clients not within one of these ranges are denied.

The IP addresses that are checked against the whitelist are: 1) that of the socket connection 2) those listed in the X-Forwarded-For HTTP header

The latter is necessary for clients and servers operating behind proxies.

IMPORTANT NOTE: Because IP addresses can be spoofed by clients, this is NOT a robust method of securing data.

CONFIGURATION AND ENVIRONMENT

Top

The whitelist for IP addresses is configured in the source INI section, using any combination of specific, additive, range or CIDR format IPs. Valid separators are comma and semicolon.

  [mysource]
  authenticator = ip
  authallow     = 1.2.3.4,193.62.196.0 + 255 , 123.123.123.1 - 123.123.123.10 ; 192.168/16

SUBROUTINES/METHODS

Top

authenticate : Applies authentication to a request.

  Requires: a hash reference containing details of the DAS request
  Returns:  either nothing (allow) or a HTTP::Response (deny)

  my $allow = $oAuth->authenticate({
    'peer_addr' => $, # packed (socket IP address)
    'request'   => $, # HTTP::Request object (for X-Forwarded-For header)
    ...
  });

ip : Gets the authenticated IP address

  my $sIp = $oAuth->ip();

init : Initialises the IP whitelist

DIAGNOSTICS

Top

  my $auth = Bio::Das::ProServer::Authenticator::ip->new({
    ...
    'debug'  => 1,
  });

DEPENDENCIES

Top

Carp
Net::IP
Socket
Bio::Das::ProServer::Authenticator

BUGS AND LIMITATIONS

Top

Clients that are separated from the server by an anonymising HTTP proxy (i.e. one that does not reveal the client's IP address in the X-Forwarded-For HTTP header) will always fail this method of authentication.

Note that clients may spoof an IP address in the X-Forwarded-For header. Therefore this method of authentication is not a robust security precaution.

INCOMPATIBILITIES

Top

None reported.

AUTHOR

Top

Andy Jenkinson <andy.jenkinson@ebi.ac.uk>

LICENSE AND COPYRIGHT

Top

Copyright (c) 2008 EMBL-EBI

Bio-Das-ProServer documentation Contained in the Bio-Das-ProServer distribution. 
#########
# Author:        Andy Jenkinson
# Created:       2008-02-20
# Last Modified: $Date: 2008-03-12 14:50:11 +0000 (Wed, 12 Mar 2008) $ $Author: andyjenkinson $
# Id:            $Id: ip.pm 453 2008-03-12 14:50:11Z andyjenkinson $
# Source:        $Source$
# $HeadURL: https://proserver.svn.sf.net/svnroot/proserver/trunk/lib/Bio/Das/ProServer/Authenticator/ip.pm $
#
# Authenticator implementation using IP information to control access.
#
package Bio::Das::ProServer::Authenticator::ip;

use strict;
use warnings;
use Net::IP;
use Socket;
use Carp;
use base qw(Bio::Das::ProServer::Authenticator);

our $VERSION = do { my ($v) = (q$LastChangedRevision: 453 $ =~ /\d+/mxg); $v; };

sub authenticate {
  my ($self, $params) = @_;

  # Reset stored IP
  delete $self->{'ip'};
  # IP addresses checked:
  # 1. All IPs from the X-Forwarded-For header
  # 2. The socket address
  my @query_ips = $params->{'request'} ? split /\s*,\s*/mx, $params->{'request'}->header('X-Forwarded-For') : ();
  if ($params->{'peer_addr'}) {
    push @query_ips, inet_ntoa( $params->{'peer_addr'} );
  }
  @query_ips = map {
    Net::IP->new($_) || croak 'Unable to determine client IP: '.Net::IP::Error
  } @query_ips;

  # Check each client IP against each whitelist IP range
  for my $query (@query_ips) {
    for my $whitelist (@{$self->{'allow_ip'}}) {
      $self->{'debug'} && carp 'Checking '.$query->ip.' against IP range '.$whitelist->print;
      my $match = $query->overlaps($whitelist);
      if (defined $match && ($match == $IP_A_IN_B_OVERLAP || $match == $IP_IDENTICAL)) {
        $self->{'ip'} = $query->ip;
        return $self->allow($params);
      }
    }
  }

  return $self->deny($params);
}

sub init {
  my $self = shift;
  $self->{'allow_ip'} = [ map {
    Net::IP->new($_) || croak 'Unable to parse whitelist IP range: '.Net::IP::Error
  } split /\s*[,;]+\s*/mx, $self->{'config'}->{'authallow'}||q() ];
  return;
}

sub ip {
  my $self = shift;
  return $self->{'ip'};
}

1;
__END__