[Jifty-commit] r2192 - in jifty/trunk/plugins/AuthzLDAP: . doc
lib/Jifty lib/Jifty/Plugin lib/Jifty/Plugin/AuthzLDAP
lib/Jifty/Plugin/AuthzLDAP/Action
lib/Jifty/Plugin/AuthzLDAP/Model share share/po share/web
share/web/static share/web/templates t
jifty-commit at lists.jifty.org
jifty-commit at lists.jifty.org
Wed Nov 22 14:53:33 EST 2006
Author: yves
Date: Wed Nov 22 14:53:32 2006
New Revision: 2192
Added:
jifty/trunk/plugins/AuthzLDAP/
jifty/trunk/plugins/AuthzLDAP/Makefile.PL
jifty/trunk/plugins/AuthzLDAP/doc/
jifty/trunk/plugins/AuthzLDAP/lib/
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP.pm
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/LDAPValidate.pm
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Dispatcher.pm
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/
jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/LDAPFilter.pm
jifty/trunk/plugins/AuthzLDAP/share/
jifty/trunk/plugins/AuthzLDAP/share/po/
jifty/trunk/plugins/AuthzLDAP/share/web/
jifty/trunk/plugins/AuthzLDAP/share/web/static/
jifty/trunk/plugins/AuthzLDAP/share/web/templates/
jifty/trunk/plugins/AuthzLDAP/t/
Log:
* First release for ldap authorization plugin
* use action LDAPValidate for testing
Added: jifty/trunk/plugins/AuthzLDAP/Makefile.PL
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/Makefile.PL Wed Nov 22 14:53:32 2006
@@ -0,0 +1,10 @@
+use inc::Module::Install;
+name('Jifty-Plugin-AuthzLDAP');
+license('Perl');
+version('0.01');
+requires('Jifty' => '0.60912');
+requires('Net::LDAP');
+
+install_share;
+
+WriteAll;
Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP.pm Wed Nov 22 14:53:32 2006
@@ -0,0 +1,160 @@
+use strict;
+use warnings;
+
+=head1 NAME
+
+Jifty::Plugin::AuthzLDAP
+
+=head1 DESCRIPTION
+
+Jifty plugin.
+Provide ldap authorization with filters table and cache.
+
+NOW FOR TESTING AND COMMENTS
+
+
+=head1 CONFIGURATION NOTES
+
+in etc/config.yml
+ Plugins:
+ - AuthzLDAP:
+ LDAPbind: cn=testldap,ou=admins,dc=myorg,dc=org #
+ LDAPpass: test # password
+ LDAPhost: ldap.myorg.org # ldap host
+ LDAPbase: ou=people,dc=myorg.. # ldap base
+ LDAPuid: uid # optional
+ CacheTimout: 20 # minutes, optional, default 20 minutes
+
+in application create a LDAPFilter model
+ use base qw/Jifty::Plugin::AuthzLDAP::Model::LDAPFilter/;
+
+=head1 SEE ALSO
+
+L<Net::LDAP>
+
+=cut
+
+
+package Jifty::Plugin::AuthzLDAP;
+use base qw/Jifty::Plugin/;
+use Net::LDAP;
+use Cache::MemoryCache;
+
+{
+ my ($LDAPFilterClass, $LDAP, $cache, %params);
+
+ sub init {
+ my $self = shift;
+ my %args = @_;
+
+ my $appname = Jifty->config->framework('ApplicationName');
+ $LDAPFilterClass = "${appname}::Model::LDAPFilter";
+
+ $params{'Hostname'} = $args{LDAPhost};
+ $params{'base'} = $args{LDAPbase};
+ $params{'uid'} = $args{LDAPuid} || "uid";
+ $params{'dn'} = $args{LDAPbind};
+ $params{'pass'} = $args{LDAPpass};
+ $params{'timeout'} = $args{CacheTimout} || "20 minutes";
+
+ $LDAP = Net::LDAP->new($params{Hostname},async=>1,onerror => 'undef', debug => 0);
+
+ $cache = new Cache::MemoryCache( { 'namespace' => $appname.'AuthzLDAP',
+ 'default_expires_in' => $params{'timeout'} } );
+ }
+
+ sub LDAPFilterClass {
+ return $LDAPFilterClass;
+ }
+
+ sub LDAP {
+ return $LDAP;
+ }
+
+ sub DN {
+ return $params{'dn'};
+ }
+
+ sub PASS {
+ return $params{'pass'};
+ }
+
+ sub UID {
+ return $params{'uid'};
+ }
+
+ sub BASE {
+ return $params{'base'};
+ }
+
+ sub CACHE {
+ return $cache;
+ }
+
+}
+
+=head2 bind
+
+Bind to ldap
+
+=cut
+
+sub bind {
+ my $self = shift;
+ my $msg = $self->LDAP()->bind($self->DN() ,'password' =>$self->PASS());
+ unless (not $msg->code) {
+ Jifty->log->error("Bind to ldap server failed");
+ return;
+ }
+}
+
+=head2 validate NAME FILTERNAME
+
+return 1 if NAME validate FILTER or NAME-FILTERNAME in cache
+else return 0
+
+If FILTERNAME is flagged as is_group, search if user is uniquemember of this group
+as supported by the Netscape Directory Server
+
+=cut
+
+sub ldapvalidate {
+ my ($self, $user, $filtername) = @_;
+ my $response = 'nok';
+
+ my $cachekey = $user.'-'.$filtername;
+ my $cache = $self->CACHE->get($cachekey);
+ return ($cache eq 'ok')?1:0 if (defined $cache);
+
+ my $record = $self->LDAPFilterClass()->new();
+ $record->load_by_cols( name => $filtername);
+
+ # (?) allow use of writing filter in filtername
+ # TODO: filtername must be cleanned
+ my $filter = ($record->filter)?$record->filter:$filtername;
+
+ $user = $self->UID().'='.$user.','.$self->BASE();
+
+ # (??) how to catch AuthLDAP bind if it's used?
+ $self->bind();
+
+ my $msg;
+ # manage group as supported by the Netscape Directory Server
+ if ($record->is_group) {
+ $msg = $self->LDAP()->compare( $filter, attr=>"uniquemember", value=>$user );
+ Jifty->log->debug("search grp: ".$msg->code);
+ $response = 'ok' if ( $msg->code == 6 );
+ } else {
+ $filter = '('. $filter .')' if ( $filter !~ /^\(/ );
+ $msg = $self->LDAP()->search( base => $user, filter => $filter );
+ Jifty->log->debug("search: ".$msg->count);
+ $response = 'ok' if (! $msg->code && $msg->count );
+ }
+
+ $self->CACHE->set($cachekey,$response);
+
+ return ( $response eq 'ok' )?1:0;
+}
+
+
+1;
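Review bot: In ldapvalidate the line `my $filter = ($record->filter)?$record->filter:$filtername;` uses the caller-supplied filtername verbatim as the LDAP filter whenever no LDAPFilter row matches, and `$user` is concatenated into a DN (`$self->UID().'='.$user.','.$self->BASE()`) and into the compare value without any escaping; the TODO on the preceding line acknowledges the cleaning is missing. Since LDAPValidate.pm passes both action arguments straight through, I would drop the fallback and escape the DN component: `return 0 unless $record->id;` right after the `load_by_cols` call, and `$user = $self->UID().'='.escape_dn_value($user).','.$self->BASE();` with `use Net::LDAP::Util qw(escape_dn_value);` at the top of the package. Separately, `bind` returns early on failure but its result is ignored at `$self->bind();`, so the search or compare still runs on a connection that never bound; making bind end with `return 1;` and checking `return 0 unless $self->bind();` would close that. Also note that init never checks that `Net::LDAP->new` returned a handle, and with `onerror => 'undef'` a failed bind/search/compare returns undef, so `$msg->code` dies instead of producing a 'nok' result.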
Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/LDAPValidate.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/LDAPValidate.pm Wed Nov 22 14:53:32 2006
@@ -0,0 +1,68 @@
+use warnings;
+use strict;
+
+=head1 NAME
+
+Jifty::Plugin::AuthzLDAP::Action::LDAPValidate
+
+=cut
+
+package Jifty::Plugin::AuthzLDAP::Action::LDAPValidate;
+use base qw/Jifty::Action Jifty::Plugin::AuthzLDAP/;
+
+
+=head2 arguments
+
+Return the ticket form field
+
+=cut
+
+sub arguments {
+ return (
+ {
+ name => {
+ mandatory => 1
+ },
+
+ filter => {
+ mandatory => 1
+ },
+
+ }
+ );
+
+}
+
+=head2 take_action
+
+Bind on ldap to check the user's password. If it's right, log them in.
+Otherwise, throw an error.
+
+
+=cut
+
+sub take_action {
+ my $self = shift;
+ my $user = $self->argument_value('name');
+ my $filter = $self->argument_value('filter');
+
+ Jifty->log->debug("action: $user $filter");
+
+ # Bind on ldap
+ #my $msg = $self->bind();
+
+ my $msg = $self->ldapvalidate($user,$filter);
+
+ Jifty->log->debug("validate: $msg");
+
+ if (not $msg) {
+ $self->result->error(
+ _('Access not allowed') );
+ return;}
+
+ return 1;
+}
+
+1;
+
+
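Review bot: The POD for take_action ("Bind on ldap to check the user's password. If it's right, log them in.") and for arguments ("Return the ticket form field") describe a different action; the code here only calls `ldapvalidate($user,$filter)`, sets an error when it returns false, and logs nobody in. I would replace the take_action POD with `Check NAME against the LDAP filter named FILTER via ldapvalidate; on failure set an 'Access not allowed' result error and return undef, otherwise return 1.` and the arguments POD with `Return the name and filter form fields (both mandatory).` The `filter` argument is the same value ldapvalidate may use verbatim as a filter when no LDAPFilter row matches, which is raised in the AuthzLDAP.pm note. The commented-out `#my $msg = $self->bind();` can be removed, since ldapvalidate binds itself.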
Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Dispatcher.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Dispatcher.pm Wed Nov 22 14:53:32 2006
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+package Jifty::Plugin::AuthzLDAP::Dispatcher;
+use Jifty::Dispatcher -base;
+
+# Put any plugin-specific dispatcher rules here.
+
+1;
Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/LDAPFilter.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/LDAPFilter.pm Wed Nov 22 14:53:32 2006
@@ -0,0 +1,63 @@
+package Jifty::Plugin::AuthzLDAP::Model::LDAPFilter::Schema;
+use Jifty::DBI::Schema;
+use Scalar::Defer;
+
+column
+ name => type is 'text',
+ label is 'Name',
+ is mandatory,
+ is distinct;
+
+column
+ filter => type is 'text',
+ label is 'Filter',
+ is mandatory;
+
+column
+ is_group => type is 'boolean',
+ label is 'Group';
+
+column 'created_on' =>
+ type is 'datetime',
+ is immutable,
+ default is defer { DateTime->now },
+ filters are 'Jifty::DBI::Filter::DateTime';
+
+
+package Jifty::Plugin::AuthzLDAP::Model::LDAPFilter;
+use base qw/Jifty::Record/;
+
+sub create {
+ my $self = shift;
+ my %args = (@_);
+ my (@ret) = $self->SUPER::create(%args);
+
+ return (@ret);
+}
+
+
+=head2 current_user_can ACTION
+
+Only superuser can create or edit filters.
+Logged-in users can read.
+
+=cut
+
+sub current_user_can {
+ my $self = shift;
+ my $type = shift;
+
+ if ($type eq 'create' || $type eq 'update') {
+ return 0 if
+ !$self->current_user->is_superuser;
+ return 1;
+ } elsif($type eq 'read') {
+ return 1 if
+ $self->current_user->id || $self->current_user->is_superuser;
+ return 0;
+ }
+
+ return $self->SUPER::current_user_can($type, @_);
+}
+
+1;
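Review bot: current_user_can only handles 'create', 'update' and 'read'; 'delete' falls through to `$self->SUPER::current_user_can($type, @_)`, so whether a non-superuser can delete a filter depends on the Jifty::Record default, which the POD ("Only superuser can create or edit filters") does not cover. Because these rows define the authorization filters themselves, I would put delete in the superuser branch, `if ($type eq 'create' || $type eq 'update' || $type eq 'delete') {`, and update the POD to "Only superuser can create, edit or delete filters." The `create` override just forwards to SUPER::create and returns its result unchanged; either drop it or add a comment saying why the hook is kept.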