[catagits/Catalyst-Authentication-Store-LDAP.git] / lib / Catalyst / Authentication / Store / LDAP / User.pm


=pod

=head1 NAME

Catalyst::Authentication::Store::LDAP::User
 - A User object representing an LDAP object.

=head1 SYNOPSIS

You should be creating these objects through L<Catalyst::Authentication::Store::LDAP::Backend>'s "get_user" method, or just letting $c->authenticate do
it for you.

    sub action : Local {
        my ( $self, $c ) = @_;
        $c->authenticate({
            id => $c->req->param(username),
            password => $c->req->param(password)
        );
        $c->log->debug($c->user->username . "is really neat!");
    }

If you access just $c->user in a scalar context, it will return the current
username.

=head1 DESCRIPTION

This wraps up an LDAP object and presents a simplified interface to it's
contents.  It uses some AUTOLOAD magic to pass method calls it doesn't
understand through as simple read only accessors for the LDAP entries
various attributes.

It gets grumpy if you ask for an attribute via the AUTOLOAD mechanism
that it doesn't know about.  Avoid that with using "has_attribute",
discussed in more detail below.

You can skip all that and just go straight to the L<Net::LDAP::Entry>
object through the "ldap_entry" method:

    my $entry = $c->user->ldap_entry;

It also has support for Roles.

=cut

package Catalyst::Authentication::Store::LDAP::User;
use base qw( Catalyst::Authentication::User Class::Accessor::Fast );

use strict;
use warnings;
use Scalar::Util qw/refaddr/;
use Net::LDAP::Entry;

our $VERSION = '1.015';

BEGIN { __PACKAGE__->mk_accessors(qw/user store/) }

use overload '""' => sub { shift->stringify }, fallback => 1;

my %_ldap_connection_passwords; # Store inside-out so that they don't show up
                                # in dumps..

=head1 METHODS

=head2 new($store, $user, $c)

Takes a L<Catalyst::Authentication::Store::LDAP::Backend> object
as $store, and the data structure returned by that class's "get_user"
method as $user.  The final argument is an instance of your application,
which is passed along for those wanting to subclass User and perhaps use
models for fetching data.

Returns a L<Catalyst::Authentication::Store::LDAP::User> object.

=cut

sub new {
    my ( $class, $store, $user, $c, $roles ) = @_;

    return unless $user;

    bless { store => $store, user => $user, _roles => $roles }, $class;
}

=head2 id

Returns the results of the "stringify" method.

=cut

sub id {
    my $self = shift;
    return $self->stringify;
}

=head2 stringify

Uses the "user_field" configuration option to determine what the "username"
of this object is, and returns it.

If you use the special value "dn" for user_field, it will return the DN
of the L<Net::LDAP::Entry> object.

=cut

sub stringify {
    my ($self) = @_;
    my $userfield = $self->store->user_field;
    $userfield = $$userfield[0] if ref $userfield eq 'ARRAY';
    if ( $userfield eq "dn" ) {
        my ($string) = $self->user->ldap_entry->dn;
        return $string;
    }
    else {
        my $val = $self->$userfield;
        return ref($val) eq 'ARRAY' ? $val->[0] : $val;
    }
}

=head2 supported_features

Returns hashref of features that this Authentication::User subclass supports.

=cut

sub supported_features {
    return {
        password => { self_check => 1, },
        session  => 1,
        roles    => { self_check => 0, },
    };
}

=head2 check_password($password)

Bind's to the directory as the DN of the internal L<Net::LDAP::Entry> object,
using the bind password supplied in $password.  Returns 1 on a successful
bind, 0 on failure.

=cut

sub check_password {
    my ( $self, $password ) = @_;
    if ( $self->store->ldap_auth($self->ldap_entry->dn, $password) ) {
        # Stash a closure which can be used to retrieve the connection in the users context later.
        $_ldap_connection_passwords{refaddr($self)} = $password;
        return 1;
    }
    else {
        return 0;
    }
}

=head2 roles

Returns the results of L<Catalyst::Authentication::Store::LDAP::Backend>'s "lookup_roles" method, an array of roles that are valid for this user.

=cut

sub roles {
    my $self = shift;
    $self->{_roles} ||= [$self->store->lookup_roles($self)];
    return @{$self->{_roles}};
}

=head2 for_session

Returns the user for persistence in the session depending on the
persist_in_session config option.

=cut

sub for_session {
    my $self = shift;

    if ( $self->store->persist_in_session eq 'all' ) {
        # use the roles accessor to ensure the roles are fetched
        return { user => $self->user, _roles => [ $self->roles ] };
    }

    return $self->stringify;
}

=head2 ldap_entry

Returns the raw ldap_entry.

=cut

sub ldap_entry {
    my $self = shift;
    return $self->user->{'ldap_entry'};
}

=head2 attributes($type)

Returns an array of attributes present for this user.  If $type is "ashash",
it will return a hash with the attribute names as keys. (And the values of
those attributes as, well, the values of the hash)

=cut

sub attributes {
    my ( $self, $type ) = @_;
    if ( $type eq "ashash" ) {
        return $self->user->{'attributes'};
    }
    else {
        return keys( %{ $self->user->{'attributes'} } );
    }
}

=head2 has_attribute

Returns the values for an attribute, or undef if that attribute is not present.
The safest way to get at an attribute.

=cut

sub has_attribute {
    my ( $self, $attribute ) = @_;
    if ( !defined($attribute) ) {
        Catalyst::Exception->throw(
            "You must provide an attribute to has_attribute!");
    }
    if ( $attribute eq "dn" ) {
        return $self->ldap_entry->dn;
    }
    elsif ( $attribute eq "username" ) {
       return $self->user->{'attributes'}->{$self->store->user_field};
    }
    elsif ( exists( $self->user->{'attributes'}->{$attribute} ) ) {
        return $self->user->{'attributes'}->{$attribute};
    }
    else {
        return undef;
    }
}

=head2 get

A simple wrapper around has_attribute() to satisfy the Catalyst::Authentication::User API.

=cut

sub get { return shift->has_attribute(@_) }

=head2 get_object

Satisfies the Catalyst::Authentication::User API and returns the contents of the user()
attribute.

=cut

sub get_object { return shift->user }

=head2 ldap_connection

Re-binds to the auth store with the credentials of the user you logged in
as, and returns a L<Net::LDAP> object which you can use to do further queries.

=cut

sub ldap_connection {
    my $self = shift;
    $self->store->ldap_bind( undef, $self->ldap_entry->dn,
        $_ldap_connection_passwords{refaddr($self)} );
}

=head2 AUTOLOADed methods

We automatically map the attributes of the underlying L<Net::LDAP::Entry>
object to read-only accessor methods.  So, if you have an entry that looks
like this one:

    dn: cn=adam,ou=users,dc=yourcompany,dc=com
    cn: adam
    loginShell: /bin/zsh
    homeDirectory: /home/adam
    gecos: Adam Jacob
    gidNumber: 100
    uidNumber: 1053
    mail: adam@yourcompany.com
    uid: adam
    givenName: Adam
    sn: Jacob
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: Person
    objectClass: Top
    objectClass: posixAccount

You can call:

    $c->user->homedirectory

And you'll get the value of the "homeDirectory" attribute.  Note that
all the AUTOLOADed methods are automatically lower-cased.

=head2 Special Keywords

The highly useful and common method "username" will map to the configured
value of user_field (uid by default.)

    $c->user->username == $c->user->uid

=cut

sub DESTROY {
    my $self = shift;
    # Don't leak passwords..
    delete $_ldap_connection_passwords{refaddr($self)};
}

sub can {
    my ($self, $method) = @_;

    return $self->SUPER::can($method) || do {
        return unless $self->has_attribute($method);
        return sub { $_[0]->has_attribute($method) };
    };
}

sub AUTOLOAD {
    my $self = shift;

    ( my $method ) = ( our $AUTOLOAD =~ /([^:]+)$/ );

    if ( $method eq "DESTROY" ) {
        return;
    }

    if ( my $attribute = $self->has_attribute($method) ) {
        return $attribute;
    }
    else {
        Catalyst::Exception->throw(
            "No attribute $method for User " . $self->stringify );
    }
}

1;

__END__

=head1 AUTHORS

Adam Jacob <holoway@cpan.org>

Some parts stolen shamelessly and entirely from
L<Catalyst::Plugin::Authentication::Store::Htpasswd>.

Currently maintained by Peter Karman <karman@cpan.org>.

=head1 THANKS

To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :)

=head1 SEE ALSO

L<Catalyst::Authentication::Store::LDAP>, L<Catalyst::Authentication::Store::LDAP::Backend>, L<Catalyst::Plugin::Authentication>, L<Net::LDAP>

=head1 COPYRIGHT & LICENSE

Copyright (c) 2005 the aforementioned authors. All rights
reserved. This program is free software; you can redistribute
it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
f66d606b	1
	2	=pod
	3
	4	=head1 NAME
	5
	6	Catalyst::Authentication::Store::LDAP::User
9638f14b	7	- A User object representing an LDAP object.
f66d606b	8
	9	=head1 SYNOPSIS
	10
afb8e81c	11	You should be creating these objects through L<Catalyst::Authentication::Store::LDAP::Backend>'s "get_user" method, or just letting $c->authenticate do
f66d606b	12	it for you.
	13
	14	sub action : Local {
	15	my ( $self, $c ) = @_;
afb8e81c	16	$c->authenticate({
	17	id => $c->req->param(username),
	18	password => $c->req->param(password)
	19	);
f66d606b	20	$c->log->debug($c->user->username . "is really neat!");
	21	}
	22
	23	If you access just $c->user in a scalar context, it will return the current
	24	username.
	25
	26	=head1 DESCRIPTION
	27
	28	This wraps up an LDAP object and presents a simplified interface to it's
	29	contents. It uses some AUTOLOAD magic to pass method calls it doesn't
	30	understand through as simple read only accessors for the LDAP entries
9638f14b	31	various attributes.
f66d606b	32
f66d606b	33	It gets grumpy if you ask for an attribute via the AUTOLOAD mechanism
9638f14b	34	that it doesn't know about. Avoid that with using "has_attribute",
f66d606b	35	discussed in more detail below.
	36
	37	You can skip all that and just go straight to the L<Net::LDAP::Entry>
	38	object through the "ldap_entry" method:
	39
	40	my $entry = $c->user->ldap_entry;
	41
	42	It also has support for Roles.
	43
	44	=cut
	45
	46	package Catalyst::Authentication::Store::LDAP::User;
	47	use base qw( Catalyst::Authentication::User Class::Accessor::Fast );
	48
	49	use strict;
	50	use warnings;
8fe890e6	51	use Scalar::Util qw/refaddr/;
aa44391e	52	use Net::LDAP::Entry;
f66d606b	53
dfead577	54	our $VERSION = '1.015';
f66d606b	55
8fe890e6	56	BEGIN { __PACKAGE__->mk_accessors(qw/user store/) }
f66d606b	57
	58	use overload '""' => sub { shift->stringify }, fallback => 1;
	59
8fe890e6	60	my %_ldap_connection_passwords; # Store inside-out so that they don't show up
	61	# in dumps..
	62
f66d606b	63	=head1 METHODS
f66d606b	64
52a972a4	65	=head2 new($store, $user, $c)
f66d606b	66
	67	Takes a L<Catalyst::Authentication::Store::LDAP::Backend> object
	68	as $store, and the data structure returned by that class's "get_user"
52a972a4	69	method as $user. The final argument is an instance of your application,
	70	which is passed along for those wanting to subclass User and perhaps use
	71	models for fetching data.
f66d606b	72
	73	Returns a L<Catalyst::Authentication::Store::LDAP::User> object.
	74
	75	=cut
	76
	77	sub new {
439924cb	78	my ( $class, $store, $user, $c, $roles ) = @_;
f66d606b	79
	80	return unless $user;
	81
439924cb	82	bless { store => $store, user => $user, _roles => $roles }, $class;
f66d606b	83	}
	84
	85	=head2 id
	86
	87	Returns the results of the "stringify" method.
	88
	89	=cut
	90
	91	sub id {
	92	my $self = shift;
	93	return $self->stringify;
	94	}
	95
	96	=head2 stringify
	97
	98	Uses the "user_field" configuration option to determine what the "username"
	99	of this object is, and returns it.
	100
	101	If you use the special value "dn" for user_field, it will return the DN
	102	of the L<Net::LDAP::Entry> object.
	103
	104	=cut
	105
	106	sub stringify {
	107	my ($self) = @_;
	108	my $userfield = $self->store->user_field;
	109	$userfield = $$userfield[0] if ref $userfield eq 'ARRAY';
	110	if ( $userfield eq "dn" ) {
	111	my ($string) = $self->user->ldap_entry->dn;
	112	return $string;
	113	}
	114	else {
394e2cec	115	my $val = $self->$userfield;
394e2cec	116	return ref($val) eq 'ARRAY' ? $val->[0] : $val;
f66d606b	117	}
	118	}
	119
	120	=head2 supported_features
	121
	122	Returns hashref of features that this Authentication::User subclass supports.
	123
	124	=cut
	125
	126	sub supported_features {
	127	return {
	128	password => { self_check => 1, },
	129	session => 1,
	130	roles => { self_check => 0, },
	131	};
	132	}
	133
	134	=head2 check_password($password)
	135
	136	Bind's to the directory as the DN of the internal L<Net::LDAP::Entry> object,
	137	using the bind password supplied in $password. Returns 1 on a successful
	138	bind, 0 on failure.
	139
	140	=cut
	141
	142	sub check_password {
	143	my ( $self, $password ) = @_;
238a096f	144	if ( $self->store->ldap_auth($self->ldap_entry->dn, $password) ) {
57e643d2	145	# Stash a closure which can be used to retrieve the connection in the users context later.
8fe890e6	146	$_ldap_connection_passwords{refaddr($self)} = $password;
f66d606b	147	return 1;
	148	}
	149	else {
	150	return 0;
	151	}
	152	}
	153
	154	=head2 roles
	155
	156	Returns the results of L<Catalyst::Authentication::Store::LDAP::Backend>'s "lookup_roles" method, an array of roles that are valid for this user.
	157
	158	=cut
	159
	160	sub roles {
	161	my $self = shift;
5a9aba6e	162	$self->{_roles} \|\|= [$self->store->lookup_roles($self)];
405489b5	163	return @{$self->{_roles}};
f66d606b	164	}
	165
	166	=head2 for_session
	167
439924cb	168	Returns the user for persistence in the session depending on the
439924cb	169	persist_in_session config option.
f66d606b	170
	171	=cut
	172
	173	sub for_session {
	174	my $self = shift;
439924cb	175
	176	if ( $self->store->persist_in_session eq 'all' ) {
	177	# use the roles accessor to ensure the roles are fetched
	178	return { user => $self->user, _roles => [ $self->roles ] };
	179	}
	180
f66d606b	181	return $self->stringify;
	182	}
	183
	184	=head2 ldap_entry
	185
9638f14b	186	Returns the raw ldap_entry.
f66d606b	187
	188	=cut
	189
	190	sub ldap_entry {
	191	my $self = shift;
	192	return $self->user->{'ldap_entry'};
	193	}
	194
	195	=head2 attributes($type)
	196
	197	Returns an array of attributes present for this user. If $type is "ashash",
	198	it will return a hash with the attribute names as keys. (And the values of
	199	those attributes as, well, the values of the hash)
	200
	201	=cut
	202
	203	sub attributes {
	204	my ( $self, $type ) = @_;
	205	if ( $type eq "ashash" ) {
	206	return $self->user->{'attributes'};
	207	}
	208	else {
	209	return keys( %{ $self->user->{'attributes'} } );
	210	}
	211	}
	212
	213	=head2 has_attribute
	214
	215	Returns the values for an attribute, or undef if that attribute is not present.
9638f14b	216	The safest way to get at an attribute.
f66d606b	217
	218	=cut
	219
	220	sub has_attribute {
	221	my ( $self, $attribute ) = @_;
	222	if ( !defined($attribute) ) {
	223	Catalyst::Exception->throw(
	224	"You must provide an attribute to has_attribute!");
	225	}
	226	if ( $attribute eq "dn" ) {
	227	return $self->ldap_entry->dn;
	228	}
a4427384	229	elsif ( $attribute eq "username" ) {
	230	return $self->user->{'attributes'}->{$self->store->user_field};
	231	}
f66d606b	232	elsif ( exists( $self->user->{'attributes'}->{$attribute} ) ) {
	233	return $self->user->{'attributes'}->{$attribute};
	234	}
	235	else {
	236	return undef;
	237	}
	238	}
	239
57d476f1	240	=head2 get
	241
	242	A simple wrapper around has_attribute() to satisfy the Catalyst::Authentication::User API.
	243
	244	=cut
	245
	246	sub get { return shift->has_attribute(@_) }
	247
	248	=head2 get_object
	249
	250	Satisfies the Catalyst::Authentication::User API and returns the contents of the user()
	251	attribute.
	252
	253	=cut
	254
	255	sub get_object { return shift->user }
	256
da0d62e4	257	=head2 ldap_connection
	258
	259	Re-binds to the auth store with the credentials of the user you logged in
	260	as, and returns a L<Net::LDAP> object which you can use to do further queries.
	261
	262	=cut
	263
	264	sub ldap_connection {
	265	my $self = shift;
89ab2886	266	$self->store->ldap_bind( undef, $self->ldap_entry->dn,
8fe890e6	267	$_ldap_connection_passwords{refaddr($self)} );
da0d62e4	268	}
da0d62e4	269
f66d606b	270	=head2 AUTOLOADed methods
	271
	272	We automatically map the attributes of the underlying L<Net::LDAP::Entry>
	273	object to read-only accessor methods. So, if you have an entry that looks
	274	like this one:
	275
	276	dn: cn=adam,ou=users,dc=yourcompany,dc=com
	277	cn: adam
	278	loginShell: /bin/zsh
	279	homeDirectory: /home/adam
	280	gecos: Adam Jacob
	281	gidNumber: 100
	282	uidNumber: 1053
	283	mail: adam@yourcompany.com
	284	uid: adam
	285	givenName: Adam
	286	sn: Jacob
	287	objectClass: inetOrgPerson
	288	objectClass: organizationalPerson
	289	objectClass: Person
	290	objectClass: Top
	291	objectClass: posixAccount
	292
	293	You can call:
	294
	295	$c->user->homedirectory
	296
	297	And you'll get the value of the "homeDirectory" attribute. Note that
9638f14b	298	all the AUTOLOADed methods are automatically lower-cased.
f66d606b	299
	300	=head2 Special Keywords
	301
	302	The highly useful and common method "username" will map to the configured
9638f14b	303	value of user_field (uid by default.)
f66d606b	304
	305	$c->user->username == $c->user->uid
	306
	307	=cut
	308
8fe890e6	309	sub DESTROY {
	310	my $self = shift;
	311	# Don't leak passwords..
	312	delete $_ldap_connection_passwords{refaddr($self)};
	313	}
	314
ec21cfdc	315	sub can {
	316	my ($self, $method) = @_;
	317
	318	return $self->SUPER::can($method) \|\| do {
	319	return unless $self->has_attribute($method);
	320	return sub { $_[0]->has_attribute($method) };
	321	};
	322	}
	323
f66d606b	324	sub AUTOLOAD {
	325	my $self = shift;
	326
	327	( my $method ) = ( our $AUTOLOAD =~ /([^:]+)$/ );
	328
	329	if ( $method eq "DESTROY" ) {
	330	return;
	331	}
a4427384	332
	333	if ( my $attribute = $self->has_attribute($method) ) {
	334	return $attribute;
f66d606b	335	}
	336	else {
	337	Catalyst::Exception->throw(
	338	"No attribute $method for User " . $self->stringify );
	339	}
	340	}
	341
	342	1;
	343
	344	__END__
	345
	346	=head1 AUTHORS
	347
	348	Adam Jacob <holoway@cpan.org>
	349
	350	Some parts stolen shamelessly and entirely from
9638f14b	351	L<Catalyst::Plugin::Authentication::Store::Htpasswd>.
f66d606b	352
	353	Currently maintained by Peter Karman <karman@cpan.org>.
	354
	355	=head1 THANKS
	356
	357	To nothingmuch, ghenry, castaway and the rest of #catalyst for the help. :)
	358
	359	=head1 SEE ALSO
	360
	361	L<Catalyst::Authentication::Store::LDAP>, L<Catalyst::Authentication::Store::LDAP::Backend>, L<Catalyst::Plugin::Authentication>, L<Net::LDAP>
	362
	363	=head1 COPYRIGHT & LICENSE
	364
	365	Copyright (c) 2005 the aforementioned authors. All rights
	366	reserved. This program is free software; you can redistribute
	367	it and/or modify it under the same terms as Perl itself.
	368
	369	=cut
	370