Shibboleth at NC State » Moving from WRAP to Shibboleth » Script to Help Find WRAP Entries

Perl Script to Help Find WRAP Entries

Overview

We've written a perl script that will look down a directory tree to try to find .htaccess files containing AuthType WRAP configuration entries. The script can do three things:

WARNING: This script will only look for and correct .htaccess entries. It will not find or modify any PHP code. You are still responsible for reviewing any code located in the protected directories.

Requirements and Usage

The script is written to run on a Linux machine with perl installed. It should not require any non-standard libraries. It will not run on Windows, as it relies heavily on Linux-like front-slash '/' characters in paths. It might work under CygWin.

You will need read permissions on the directory that you are scanning, and all subdirectories. You may need write permissions as well if you use either of the options to write updated .htaccess files.

Usage, per the internal help option:

Usage: ./find_htaccess_entries.pl [options] /path/to/doc/root
-d dir      where to write reports (default /tmp)
-f          fix htaccess files separately - as .htaccess.shib
-F          fix htaccess files in place - keeps backup as .htaccess.wrap
-h          show this help
-r filename write report to this filename (default last part of docroot)
-v          verbose messages

Example 1: Reporting Only

This is an example run where we are looking for WRAP entries in an AFS web locker. Using '-v' so we can see the progress, which can take a little time in AFS.

./find_htaccess_entries.pl -v /afs/unity.ncsu.edu/web/w/weblocker

Spidering /afs/unity.ncsu.edu/web/w/weblocker ..........
... (many more dots, its a deep dir) ...
......done
Found htaccess files under /afs/unity.ncsu.edu/web/w/weblocker:
htdocs/project1/.htaccess
htdocs/project1/app/.htaccess
htdocs/prj2/.htaccess
... (-v reports all .htaccess files found) ...
Found WRAP in htdocs/project1/.htaccess
Found WRAP in htdocs/project1/app/.htaccess
Found WRAP in htdocs/prj2/.htaccess
... (-v reports when an .htaccess file contained WRAP code) ...
Found 95 files with WRAP rules
Wrote report to /tmp/weblocker.txt

Next, we can look at the report that it generated. It will show the full path to each .htaccess file that it found, along with a copy of the actualy WRAP code that it identified.

less /tmp/weblocker.txt

/afs/unity.ncsu.edu/web/w/weblocker/htdocs/project1/.htaccess
AuthType WRAP
require affiliation ncsu.edu
require user userid1 userid2 

/afs/unity.ncsu.edu/web/w/weblocker/htdocs/project1/app/.htaccess
AuthType WRAP
require valid-user

/afs/unity.ncsu.edu/web/w/weblocker/htdocs/prj2/.htaccess
AuthType WRAP
require user userid1 userid3 userid4

Example 2: Suggest Fixes

This example uses a temporary document root that we've setup to use with this script.

cd /tmp/weblocker
./find_htaccess_entries.pl -vf /tmp/weblocker
Spidering /tmp/weblocker .....done
Found htaccess files under /tmp/weblocker:
  docroot/anyusers/.htaccess
  docroot/optional/.htaccess
  docroot/someusers/.htaccess
Found WRAP in docroot/anyusers/.htaccess
    ... fixed.
Found WRAP in docroot/optional/.htaccess
    ... fixed.
Found WRAP in docroot/someusers/.htaccess
    ... fixed.
Found 3 files with WRAP rules
Wrote report to /tmp/weblocker.txt

In this case, we've used lowercase -f to fix .htaccess files by writing a new .htaccess.shib file in the same directory. We can review the changes that were suggested by viewing those files.

ls -1 docroot/*/.htaccess*
docroot/anyusers/.htaccess
docroot/anyusers/.htaccess.shib
docroot/optional/.htaccess
docroot/optional/.htaccess.shib
docroot/someusers/.htaccess
docroot/someusers/.htaccess.shib

cat docroot/anyusers/.htaccess.shib 
AuthType shibboleth
<IfVersion < 2.3>
  ShibCompatWith24 On
</IfVersion>
ShibRequestSetting requireSession true
require shib-session

cat docroot/someusers/.htaccess.shib 
AuthType shibboleth
<IfVersion < 2.3>
  ShibCompatWith24 On
</IfVersion>

ShibRequestSetting requireSession true
require shib-user userid1@ncsu.edu userid2@ncsu.edu

cat docroot/optional/.htaccess.shib 
AuthType shibboleth
<IfVersion < 2.3>
  ShibCompatWith24 On
</IfVersion>
ShibRequestSetting requireSession false
require shibboleth

Example 3: Fix Everything

This example uses the same temporary document root as above.

cd /tmp/weblocker
./find_htaccess_entries.pl -vF /tmp/weblocker
Spidering /tmp/weblocker .....done
Found htaccess files under /tmp/weblocker:
  docroot/anyusers/.htaccess
  docroot/optional/.htaccess
  docroot/someusers/.htaccess
Found WRAP in docroot/anyusers/.htaccess
    ... fixed.
Found WRAP in docroot/optional/.htaccess
    ... fixed.
Found WRAP in docroot/someusers/.htaccess
    ... fixed.
Found 3 files with WRAP rules
Wrote report to /tmp/weblocker.txt

In this case, we've used the uppercase -F to force the fixes to replace the existing .htaccess files. These changes are immediately live. The original .htaccess files are saved as .htaccess.wrap.

ls -1 docroot/*/.htaccess*
docroot/anyusers/.htaccess
docroot/anyusers/.htaccess.wrap
docroot/optional/.htaccess
docroot/optional/.htaccess.wrap
docroot/someusers/.htaccess
docroot/someusers/.htaccess.wrap

Possible Problems