[Jifty-commit] r2192 - in jifty/trunk/plugins/AuthzLDAP: . doc lib/Jifty lib/Jifty/Plugin lib/Jifty/Plugin/AuthzLDAP lib/Jifty/Plugin/AuthzLDAP/Action lib/Jifty/Plugin/AuthzLDAP/Model share share/po share/web share/web/static share/web/templates t

jifty-commit at lists.jifty.org jifty-commit at lists.jifty.org
Wed Nov 22 14:53:33 EST 2006


Author: yves
Date: Wed Nov 22 14:53:32 2006
New Revision: 2192

Added:
   jifty/trunk/plugins/AuthzLDAP/
   jifty/trunk/plugins/AuthzLDAP/Makefile.PL
   jifty/trunk/plugins/AuthzLDAP/doc/
   jifty/trunk/plugins/AuthzLDAP/lib/
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP.pm
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/LDAPValidate.pm
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Dispatcher.pm
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/
   jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/LDAPFilter.pm
   jifty/trunk/plugins/AuthzLDAP/share/
   jifty/trunk/plugins/AuthzLDAP/share/po/
   jifty/trunk/plugins/AuthzLDAP/share/web/
   jifty/trunk/plugins/AuthzLDAP/share/web/static/
   jifty/trunk/plugins/AuthzLDAP/share/web/templates/
   jifty/trunk/plugins/AuthzLDAP/t/

Log:
* First release for ldap authorization plugin
* use action LDAPValidate for testing


Added: jifty/trunk/plugins/AuthzLDAP/Makefile.PL
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/Makefile.PL	Wed Nov 22 14:53:32 2006
@@ -0,0 +1,10 @@
+use inc::Module::Install;
+name('Jifty-Plugin-AuthzLDAP');
+license('Perl');
+version('0.01');
+requires('Jifty' => '0.60912');
+requires('Net::LDAP');
+
+install_share;
+
+WriteAll;

Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP.pm	Wed Nov 22 14:53:32 2006
@@ -0,0 +1,160 @@
+use strict;
+use warnings;
+
+=head1 NAME
+
+Jifty::Plugin::AuthzLDAP
+
+=head1 DESCRIPTION
+
+Jifty plugin.
+Provide ldap authorization with filters table and cache.
+
+NOW FOR TESTING AND COMMENTS
+
+
+=head1 CONFIGURATION NOTES
+
+in etc/config.yml
+  Plugins: 
+    - AuthzLDAP: 
+       LDAPbind: cn=testldap,ou=admins,dc=myorg,dc=org #
+       LDAPpass: test                   # password
+       LDAPhost: ldap.myorg.org         # ldap host
+       LDAPbase: ou=people,dc=myorg..   # ldap base
+       LDAPuid: uid                     # optional
+       CacheTimout: 20                  # minutes, optional, default 20 minutes
+
+in application create a LDAPFilter model
+        use base qw/Jifty::Plugin::AuthzLDAP::Model::LDAPFilter/;
+
+=head1 SEE ALSO
+
+L<Net::LDAP>
+
+=cut
+
+
+package Jifty::Plugin::AuthzLDAP;
+use base qw/Jifty::Plugin/;
+use Net::LDAP;
+use Cache::MemoryCache;
+
+{
+    my ($LDAPFilterClass, $LDAP, $cache, %params);
+
+    sub init {
+        my $self = shift;
+        my %args = @_;
+
+        my $appname = Jifty->config->framework('ApplicationName');
+        $LDAPFilterClass = "${appname}::Model::LDAPFilter";
+
+        $params{'Hostname'} = $args{LDAPhost};
+        $params{'base'} = $args{LDAPbase};
+        $params{'uid'} = $args{LDAPuid} || "uid";
+        $params{'dn'} = $args{LDAPbind};
+        $params{'pass'} = $args{LDAPpass};
+        $params{'timeout'} = $args{CacheTimout} || "20 minutes";
+
+        $LDAP = Net::LDAP->new($params{Hostname},async=>1,onerror => 'undef', debug => 0);
+
+        $cache = new Cache::MemoryCache( { 'namespace' => $appname.'AuthzLDAP',
+                                            'default_expires_in' => $params{'timeout'} } );
+    }
+
+    sub LDAPFilterClass {
+        return $LDAPFilterClass;
+    }
+
+    sub LDAP {
+        return $LDAP;
+    }
+
+    sub DN {
+        return $params{'dn'};
+    }
+
+    sub PASS {
+        return $params{'pass'};
+    }
+
+    sub UID {
+        return $params{'uid'};
+    }
+
+    sub BASE {
+        return $params{'base'};
+    }
+    
+    sub CACHE {
+        return $cache;
+    }
+
+}
+
+=head2 bind
+
+Bind to ldap
+
+=cut
+
+sub bind {
+    my $self = shift;
+    my $msg = $self->LDAP()->bind($self->DN() ,'password' =>$self->PASS());
+    unless (not $msg->code) {
+        Jifty->log->error("Bind to ldap server failed"); 
+        return;
+    }
+}
+
+=head2 validate NAME FILTERNAME
+
+return 1 if NAME validate FILTER or NAME-FILTERNAME in cache
+else return 0
+
+If FILTERNAME is flagged as is_group, search if user is uniquemember of this group
+as supported by the Netscape Directory Server
+
+=cut
+
+sub ldapvalidate {
+    my ($self, $user, $filtername) = @_;
+    my $response  = 'nok';
+    
+    my $cachekey = $user.'-'.$filtername;
+    my $cache = $self->CACHE->get($cachekey);
+    return ($cache eq 'ok')?1:0 if (defined $cache);
+   
+    my $record = $self->LDAPFilterClass()->new();
+    $record->load_by_cols( name => $filtername);
+
+    # (?) allow use of writing filter in filtername
+    # TODO: filtername must be cleanned
+    my $filter = ($record->filter)?$record->filter:$filtername;
+
+    $user = $self->UID().'='.$user.','.$self->BASE();
+    
+    # (??) how to catch AuthLDAP bind if it's used?
+    $self->bind();
+
+    my $msg;
+    # manage group as supported by the Netscape Directory Server 
+    if ($record->is_group) {
+        $msg = $self->LDAP()->compare( $filter, attr=>"uniquemember", value=>$user );
+        Jifty->log->debug("search grp: ".$msg->code); 
+        $response = 'ok' if ( $msg->code == 6 );
+    } else {
+            $filter = '('. $filter .')' if ( $filter !~ /^\(/ );
+            $msg = $self->LDAP()->search( base => $user, filter => $filter );
+            Jifty->log->debug("search: ".$msg->count); 
+            $response = 'ok' if (! $msg->code &&  $msg->count );
+    }
+
+    $self->CACHE->set($cachekey,$response);
+
+    return ( $response eq 'ok' )?1:0; 
+}
+
+
+1;
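Review bot: `ldapvalidate` places the caller-supplied `$user` directly into a DN at L193 and, when no LDAPFilter row matches the name, uses the raw `$filtername` as the search filter (L191, L205), so characters with DN or filter meaning alter the query rather than being matched literally; the TODO at L190 already notes the filter side. A minimal hardening is `use Net::LDAP::Util qw(escape_dn_value);` together with `$user = $self->UID().'='.escape_dn_value($user).','.$self->BASE();` and `return 0 unless $record->id;` placed before the filter is chosen, so unknown filter names fail closed instead of becoming ad-hoc filters. The `bind` result is ignored at L196, and since the handle is created with `onerror => 'undef'` (L117) a failed `compare`/`search` returns undef and the following `->code`/`->count` calls die, so a `return 0 unless $msg;` after each call keeps failures as a clean deny. In `bind`, `unless (not $msg->code)` is a double negative that reads more plainly as `if ($msg->code)`, and the method should also `return 1;` on success so callers can test it.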

Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/LDAPValidate.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Action/LDAPValidate.pm	Wed Nov 22 14:53:32 2006
@@ -0,0 +1,68 @@
+use warnings;
+use strict;
+
+=head1 NAME
+
+Jifty::Plugin::AuthzLDAP::Action::LDAPValidate
+
+=cut
+
+package Jifty::Plugin::AuthzLDAP::Action::LDAPValidate;
+use base qw/Jifty::Action Jifty::Plugin::AuthzLDAP/;
+
+
+=head2 arguments
+
+Return the ticket form field
+
+=cut
+
+sub arguments {
+    return (
+        {
+            name => {
+                mandatory      => 1
+            },
+
+            filter => {
+                mandatory => 1
+            },
+
+        }
+    );
+
+}
+
+=head2 take_action
+
+Bind on ldap to check the user's password. If it's right, log them in.
+Otherwise, throw an error.
+
+
+=cut
+
+sub take_action {
+    my $self = shift;
+    my $user = $self->argument_value('name');
+    my $filter = $self->argument_value('filter');
+
+    Jifty->log->debug("action: $user $filter");
+
+    # Bind on ldap
+    #my $msg = $self->bind();
+    
+    my $msg = $self->ldapvalidate($user,$filter);
+
+    Jifty->log->debug("validate: $msg");
+
+    if (not $msg) {
+        $self->result->error(
+            _('Access not allowed') );
+        return;}
+
+    return 1;
+}
+
+1;
+
+
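Review bot: The POD for `take_action` (L261-L262) and `arguments` (L239) describes a login action checking a password and a ticket form field, which this action does not do; it calls `ldapvalidate` with the `name` and `filter` arguments and sets an error when the result is false. Replace them with `Check, via ldapvalidate, whether NAME matches FILTER; set an error on the result if access is not allowed.` and `Return the name and filter form fields.`. The class inherits from both `Jifty::Action` and `Jifty::Plugin::AuthzLDAP` (L234), so plugin methods run on an action object and only work because the plugin keeps its state in package-level closure lexicals filled by `init`; a comment on that line saying so would spare the next maintainer a surprise. The `return;}` at L284 hides the closing brace and is better written on its own line.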

Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Dispatcher.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Dispatcher.pm	Wed Nov 22 14:53:32 2006
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+package Jifty::Plugin::AuthzLDAP::Dispatcher;
+use Jifty::Dispatcher -base;
+
+# Put any plugin-specific dispatcher rules here.
+
+1;

Added: jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/LDAPFilter.pm
==============================================================================
--- (empty file)
+++ jifty/trunk/plugins/AuthzLDAP/lib/Jifty/Plugin/AuthzLDAP/Model/LDAPFilter.pm	Wed Nov 22 14:53:32 2006
@@ -0,0 +1,63 @@
+package Jifty::Plugin::AuthzLDAP::Model::LDAPFilter::Schema;
+use Jifty::DBI::Schema;
+use Scalar::Defer;
+
+column
+  name => type is 'text',
+  label is 'Name',
+  is mandatory,
+  is distinct;
+
+column
+  filter => type is 'text',
+  label is 'Filter',
+  is mandatory;
+
+column
+   is_group => type is 'boolean',
+   label is 'Group';
+
+column 'created_on' =>
+  type is 'datetime',
+  is immutable,
+  default is defer { DateTime->now },
+  filters are 'Jifty::DBI::Filter::DateTime';
+
+
+package Jifty::Plugin::AuthzLDAP::Model::LDAPFilter;
+use base qw/Jifty::Record/;
+
+sub create {
+    my $self  = shift;
+    my %args  = (@_);
+    my (@ret) = $self->SUPER::create(%args);
+
+    return (@ret);
+}
+
+
+=head2 current_user_can ACTION
+
+Only superuser can create or edit filters.
+Logged-in users can read. 
+
+=cut
+
+sub current_user_can {
+    my $self = shift;
+    my $type = shift;
+
+    if ($type eq 'create' || $type eq 'update') {
+        return 0 if
+           !$self->current_user->is_superuser;
+        return 1;
+    } elsif($type eq 'read') {
+        return 1 if 
+            $self->current_user->id || $self->current_user->is_superuser;
+        return 0;
+    }
+
+    return $self->SUPER::current_user_can($type, @_);
+}
+
+1;
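Review bot: The `create` override at L342-L348 only forwards its arguments to `SUPER::create` and returns the result unchanged, so it can be dropped or, if it is a placeholder for later checks, given a comment such as `# Placeholder: no extra validation yet; superuser check lives in current_user_can.`. Unlike the other files in this commit, this one has no `use strict; use warnings;` at the top of either package. The deferred default at L335 calls `DateTime->now` without a `use DateTime;` in this file; that presumably relies on Jifty loading it earlier, which is worth stating in a comment or making explicit with the import.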

