Sometimes you come across things that just make you wonder what is going on in peoples minds.

For years everyone who wrote applications compatible with the standard HTTP Authentication method has used the REMOTE_USER server variable as set by Apache to check the username that was logged in by the webserver, this has worked well for everyone, CGI’s and all would just grab it there and everyone would be happy.

Along comes PHP and they make great big mess of it, PHP suggests that we use $_SERVER[’PHP_AUTH_USER’] instead, and they give some good reasons for this too, except they have severely crippled this for all but Basic and Digest authentication, the following code from main/main.c


if (auth && auth[0] != ‘\0′ && strncmp(auth, “Basic “, 6) == 0) {
char *pass;
char *user;

user = php_base64_decode(auth + 6, strlen(auth) - 6, NULL);
if (user) {
pass = strchr(user, ‘:’);
if (pass) {
*pass++ = ‘\0′;
SG(request_info).auth_user = user;
SG(request_info).auth_password = estrdup(pass);
ret = 0;
} else {
efree(user);
}
}
}

As you can see above, they only import the user and pass from Apache if the AuthType is Basic, this makes no sense at all. Why not just check with Apache, if it set the username then import it? Surely Apache know if a user has authenticated? Ditto for password. It is so broken in fact that PHP in CGI mode also doesn’t work since those headers don’t get set for that either, countless comments and nasty hacks can be found in the PHP user contributed notes about this, but it is all just sillyness.

The reason this is annoying me is that I have written a Single Singon system in PHP, you can host a identity server on any domain and hook any site in any other domain into the SSO system, its a bit like TypeKey

Of course it’s nice to have a easy to use SSO system in PHP but what is the point if you can’t make legacy apps like Nagios, Cacti, RT etc play along with the SSO? So to solve this I extended Apache::AuthCookie with a new mod_perl module that plugs into Apache and does authentication using my SSO and a small bit of glue that you put on your RT/Cacti/Nagios box.

All’s great, I have SSO to Nagios, RT and countless other things working flawlessly, except of course Cacti because it’s written along the lines of the PHP manual, uses PHP_AUTH_USER instead of REMOTE_USER and so my new fancy AuthType in Apache does not work with Cacti. As it turns out its a quick 2 liner fix in the Cacti code but you would think PHP would be a bit more generic in this regard since as it stands now I think a lot of people who want to do SSO using hardware tokens and such have issues with PHP being silly.

Online Regex Testing
Back in 2004 I posted about The Regex Coach, its a great app that I still use today, however it only really works on Windows so I have been looking for some alternatives.

There is a really great resources called Regular-Expressions.info it even has a cheap tool that you can use to do something similar to The Regex Coach. Today Lifehacker mentioned RegExr, its a great web app but also has standalone versions for Windows, Linux and OS X, full of sample regular expressions, good explanations of what a regular expression parses as etc, it is a perfect replacement for The Regex Coach, worth checking it out!

Easy transparent PHP input filtering
I have been working on a site that will have potentially quite a few random third parties accessing it and inserting data into a MySQL database. I am thus quite keen on a good solid input filtering method for PHP to prevent things like XSS and SQL Injection.

There are several options out there, of the ones I found Inspekt is about the closest match to my way of working, it essentially imports $_GET, $_POST etc and wraps them in an object which you then use to access variables in a filtered method. It by default then NULLs the original variables so you cannot access them anymore, if backward compatibility is desired it can leave the originals untouched. Not optimal as this gives an unsafe by default result if you want to maintain backwards compatibility.

Another problem with this approach is that it is a lot of work to change existing code, which you might thing is just par for the course but I was convinced I need to find a way to do so more transparently.

I could for example at program start just walk through the $_GET etc arrays and apply some filtering to them using addslashes() and such but this is very restrictive, what if you need to get it unfiltered, especially if you perform destructive filtering? How would you go about filtering some variables for phone numbers, some for email addresses etc?

The answer lies in PHP’s new Standard Programming Library, specifically in its ArrayAccess interface, which if you don’t care for older versions of PHP is the way to go.

The basic advantage of this is that you can expose properties of your objects by using array notation rather than object notation:

$result = $foo->getBar();

compared to:

$result = $foo[’bar’];

Both statements give access to the private variable $bar just using different syntax. So using this technique we can write a transparent filter for input variables, the basic usage of the final library would be something along these lines:

$_GET = new ArrayArmor($_GET);

print (”Filtered Variable:$_GET[test]
\n”);
print (”Unfiltered Variable: ” . $_GET->getRaw(”test”));

A possible output from this script can be seen below:

Filtered Variable: 1234\’;delete from accounts;–
Unfiltered Variable: 1234′;delete from accounts;–

You can see that the default behavior is to protect the input but even for destructive filtering methods the raw unfiltered data would be available if the programmer needed it. You can provide all sorts of extra methods to validate emails, post codes and such.

A quick and dirty example of a class that provides this kind of filtering can be seen below:

class ArrayArmor Implements ArrayAccess {
private $original;

function __construct (&$variable) {
$this->original = $variable;
}

function offsetExists($offset) {
return isset($this->original[$offset]);
}

function offsetGet($offset) {
return addslashes($this->original[$offset]);
}

function offsetSet($offset, $value) {
}

function offsetUnset($offset) {
}

function getRaw($offset) {
return($this->original[$offset]);
}
}
?>
So that’s it, a simple method that is very easy to put into existing code. This is clearly not a full example as addslashes() is hardly the be-all and end-all of input protection, but if you build on this you can get a very easy to use and flexible input filter that is safe by default.

Macs and MS Keyboards
Previously I posted about my iMac 17″ that I got, that was January 2006 well I have now upgraded to a bigger mac, this time a 24″ iMac Core 2 Duo Extreme with 2GB RAM.


I still have the 17″ and will keep it, it’s replacing my really old AMD Linux Desktop on my desk but the 17″ has been getting a bit long in the tooth with Parallels, MS Office, and all sorts of other stuff that I have been doing on it as I am now working full time from home.

Previously I bought at the bottom of the spectrum and the machine lasted well, but I was hoping to keep it as my primary machine for at least 3 years. I guess my needs have increased though so this time I bought at the top end of the range and will upgrade it to 4GB RAM soon, just not from Apple as buying direct from Crucial will save me about 200 pounds.

What immediately annoyed me - to the point of cramps in my hands and general unhappyness - were this amazingly crap thinline keyboard that comes with the machines. I soon started looking at other options and found no 3rd party Mac keyboards but did notice that Microsoft keyboards have a utility to configure the various additional keys etc so I took the plunge and got a MS Natural Ergonomic 400 keyboard to replace my very old MS Office keyboard.


I am extremely pleased with this keyboard, everything works as it should. The configuration utility lets you configure every key on the keyboard and everything is mapped correctly as expected. Even the function keys like ‘new’ works by sending ‘apple key-n’ etc right out of the box, this is the case with all the MS keyboards on the market today so I can happily recommend any MS keyboard to mac users.

The iMac itself is lovely, I am really happy with it. Speed wise the Core 2 Duo Extreme chip has made a huge improvement, with Parallels running Windows the machine idles at about 2% while I have Firefox, Netnewswire, iTerm, several Terminal.app, Adium, Skype and all sorts of background stuff going, really cannot have asked for more from a desktop machine.

Easy per-machine custom facts for Puppet
As this is the first time I am posting about Puppet, maybe a few words about it first. Puppet is a configuration management system that helps you manage large infrastructures. There are ofcourse many similar things, cfengine and lcfg to name just two. I like Puppet as it has a big and active community but it is also a modern approach to the problem being that it has some properties of Object Orientation and so forth.

I’ve used cfengine - actually chose it over Puppet when it was still young - but that is over a year ago now and I if you have many or even 2 of the same nodes to maintain I urge you to check out Puppet.

So the rest is only really useful if you already know Puppet, sorry if this will bore many people :)

On a site I worked we used to have a file on each machine that defines a few Facter facts, this was very handy and I wanted to do something similar because I define variables like $country=”uk” and so forth in my nodes which then helps my manifests builds correct ntp configs for example. Now doing it with a global variable in the node is ok and all, but not nearly as sexy as letting each node know where they are in via facts.

In the old days hacking in new facts was a right pain and you possibly even needed to maintain your own package of facter, not so anymore, it’s in fact really nice now.

Puppet now lets you drop bits of ruby code into a directory and then sends the code off to clients on demand for integration into Facter, I won’t go into setting it up the Puppet Wiki goes into it at length. Instead I’ll show a simple bit of code to read in /etc/facts.txt on a node and present the values in it as facts.

var = nil
value = nil
facts = {}

if File.exists?(”/etc/facts.txt”)
File.open(”/etc/facts.txt”).each do |line|
var = $1 and value = $2 if line =~ /^(.+)=(.+)$/
if var != nil && value != nil
facts[var] = value
var = nil
value = nil
end
end

facts.each{|var,val|
Facter.add(var) do
setcode do
val
end
end
}
end

This code essentially just reads stuff out of key=val pairs in /etc/facts.txt and adds them to facter. Drop that into your facts directory on the master in a file ending in .rb and that should be it, with facts files on your nodes the values will now be available for use in your manifests.

Maybe not the best Ruby code as it’s my first ever Ruby code and mostly based on a sample I found in the Puppet book, I would have liked to do the Facter.add() call right in the loop that parses the file instead of using a array, but I couldn’t get that going.

Anyway, now I just distribute /etc/facts.txt to all my machines, and they know where they are and I have a simple no-hassle method for teaching machines about new things.

British Citizenship
I just received the following in the post:

Thanks you for submitting your application for British citizenship. I am pleased to say that the application has been succesful and you will shortly receive a letter inviting you to attend a citizenship ceremony.

Hooray.

Share This

Related Posts