-#!/usr/bin/perl
-
package Catalyst::Plugin::Authentication;
use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
BEGIN {
__PACKAGE__->mk_accessors(qw/_user/);
- __PACKAGE__->mk_classdata($_) for qw/_auth_realms/;
}
use strict;
use Tie::RefHash;
use Class::Inspector;
+use Catalyst::Plugin::Authentication::Realm;
# this optimization breaks under Template::Toolkit
# use user_exists instead
# constant->import(have_want => eval { require Want });
#}
-our $VERSION = "0.10";
+our $VERSION = "0.10003";
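Review bot: `use strict` on L9 comes after the `BEGIN` block on L5-L8 that calls `mk_accessors`, so that block still compiles without strictures, and no `use warnings` is visible anywhere in this hunk. Put the pragmas first, before `use base`: `use strict;` `use warnings;`. If `use warnings` lives further down the file, moving it up together with `use strict` is enough.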
sub set_authenticated {
my ( $c, $user, $realmname ) = @_;
if (!$realmname) {
$realmname = 'default';
}
+ my $realm = $c->get_auth_realm($realmname);
+
+ if (!$realm) {
+ Catalyst::Exception->throw(
+ "set_authenticated called with nonexistant realm: '$realmname'.");
+ }
if ( $c->isa("Catalyst::Plugin::Session")
and $c->config->{authentication}{use_session}
and $user->supports("session") )
{
- $c->save_user_in_session($user, $realmname);
+ $realm->save_user_in_session($c, $user);
}
- $user->_set_auth_realm($realmname);
+ $user->auth_realm($realm->name);
$c->NEXT::set_authenticated($user, $realmname);
}
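Review bot: The user is tagged with `$realm->name` on L38 while `NEXT::set_authenticated` on L39 still receives the caller's `$realmname`; if 'default' can be an alias for another realm object, as `_set_default_auth_realm` on L187 suggests, those two names differ and a later `user_in_realm('default')` would compare against the aliased realm's real name. If that aliasing exists, pass one consistent name, e.g. `$c->NEXT::set_authenticated($user, $realm->name);`, or state the intended behaviour in a comment above L38. This is inferred from the visible lines only.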
-sub _should_save_user_in_session {
- my ( $c, $user ) = @_;
-
- $c->_auth_sessions_supported
- and $c->config->{authentication}{use_session}
- and $user->supports("session");
-}
-
-sub _should_load_user_from_session {
- my ( $c, $user ) = @_;
-
- $c->_auth_sessions_supported
- and $c->config->{authentication}{use_session}
- and $c->session_is_valid;
-}
-
-sub _auth_sessions_supported {
- my $c = shift;
- $c->isa("Catalyst::Plugin::Session");
-}
-
sub user {
my $c = shift;
return $c->_user(@_);
}
- if ( defined(my $user = $c->_user) ) {
- return $user;
+ if ( defined($c->_user) ) {
+ return $c->_user;
} else {
return $c->auth_restore_user;
}
return defined($c->_user) || defined($c->_user_in_session);
}
+# works like user_exists - except only returns true if user
+# exists AND is in the realm requested.
+sub user_in_realm {
+ my ($c, $realmname) = @_;
+
+ if (defined($c->_user)) {
+ return ($c->_user->auth_realm eq $realmname);
+ } elsif (defined($c->_user_in_session)) {
+ return ($c->session->{__user_realm} eq $realmname);
+ } else {
+ return undef;
+ }
+}
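Review bot: `return undef;` on L85 yields a one-element list in list context, which is true; since this method is documented as an authorization check, use bare `return;` so a negative answer is false in both contexts. An undefined `$realmname` also reaches both `eq` comparisons (with warnings) and would match a user whose realm name is the empty string; add `return unless defined $realmname;` right after the argument unpacking.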
-sub save_user_in_session {
+sub __old_save_user_in_session {
my ( $c, $user, $realmname ) = @_;
$c->session->{__user_realm} = $realmname;
- # we want to ask the backend for a user prepared for the session.
+ # we want to ask the store for a user prepared for the session.
# but older modules split this functionality between the user and the
- # backend. We try the store first. If not, we use the old method.
+ # store. We try the store first. If not, we use the old method.
my $realm = $c->get_auth_realm($realmname);
if ($realm->{'store'}->can('for_session')) {
$c->session->{__user} = $realm->{'store'}->for_session($c, $user);
$realmname ||= 'default';
my $realm = $c->get_auth_realm($realmname);
- if ( $realm->{'store'} ) {
- return $realm->{'store'}->find_user($userinfo, $c);
- } else {
- $c->log->debug('find_user: unable to locate a store matching the requested realm');
+
+ if (!$realm) {
+ Catalyst::Exception->throw(
+ "find_user called with nonexistant realm: '$realmname'.");
}
+ return $realm->find_user($userinfo, $c);
}
sub _user_in_session {
my $c = shift;
- return unless $c->_should_load_user_from_session;
+ return unless
+ $c->isa("Catalyst::Plugin::Session")
+ and $c->config->{authentication}{use_session}
+ and $c->session_is_valid;
return $c->session->{__user};
}
-sub _store_in_session {
- my $c = shift;
-
- # we don't need verification, it's only called if _user_in_session returned something useful
-
- return $c->session->{__user_store};
-}
-
sub auth_restore_user {
my ( $c, $frozen_user, $realmname ) = @_;
return unless $realmname; # FIXME die unless? This is an internal inconsistency
my $realm = $c->get_auth_realm($realmname);
- $c->_user( my $user = $realm->{'store'}->from_session( $c, $frozen_user ) );
+ $c->_user( my $user = $realm->from_session( $c, $frozen_user ) );
# this sets the realm the user originated in.
- $user->_set_auth_realm($realmname);
+ $user->auth_realm($realmname);
+
return $user;
}
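Review bot: `$realm->from_session(...)` on L135 is called without checking that `get_auth_realm($realmname)` returned anything, and `$user->auth_realm(...)` on L138 is called without checking that the store thawed a user, so a session whose realm name is no longer configured, or whose frozen user can no longer be loaded, fails with a method call on undef instead of a clear outcome. This commit added exactly such guards to `set_authenticated` and `find_user` but not here. The rewrite below mirrors those guards; if a stale session should instead be treated as logged-out, replace the throw with a bare `return`.
```perl
sub auth_restore_user {
    my ( $c, $frozen_user, $realmname ) = @_;

    return unless $realmname; # FIXME die unless? This is an internal inconsistency

    my $realm = $c->get_auth_realm($realmname);
    if (!$realm) {
        # the realm name came from the stored session; a realm that is no
        # longer configured must not crash the request with a call on undef
        Catalyst::Exception->throw(
            "auth_restore_user called with nonexistant realm: '$realmname'.");
    }

    my $user = $realm->from_session( $c, $frozen_user );
    return unless defined $user;   # store could not thaw the user; leave _user unset

    $c->_user($user);
    # this sets the realm the user originated in.
    $user->auth_realm($realmname);

    return $user;
}
```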
# we can't actually do our setup in setup because the model has not yet been loaded.
# So we have to trigger off of setup_finished. :-(
sub setup {
- my $c = shift;
+ my $app = shift;
- $c->_authentication_initialize();
- $c->NEXT::setup(@_);
+ $app->_authentication_initialize();
+ $app->NEXT::setup(@_);
}
## the actual initialization routine. whee.
sub _authentication_initialize {
- my $c = shift;
+ my $app = shift;
- if ($c->_auth_realms) { return };
-
- my $cfg = $c->config->{'authentication'} || {};
+ ## let's avoid recreating / configuring everything if we have already done it, eh?
+ if ($app->can('_auth_realms')) { return };
- %$cfg = (
- use_session => 1,
- %$cfg,
- );
+ ## make classdata where it is used.
+ $app->mk_classdata( '_auth_realms' => {});
+
+ my $cfg = $app->config->{'authentication'} ||= {};
- my $realmhash = {};
- $c->_auth_realms($realmhash);
+ $cfg->{use_session} = 1;
- ## BACKWARDS COMPATIBILITY - if realm is not defined - then we are probably dealing
- ## with an old-school config. The only caveat here is that we must add a classname
if (exists($cfg->{'realms'})) {
-
foreach my $realm (keys %{$cfg->{'realms'}}) {
- $c->setup_auth_realm($realm, $cfg->{'realms'}{$realm});
+ $app->setup_auth_realm($realm, $cfg->{'realms'}{$realm});
}
-
- # if we have a 'default-realm' in the config hash and we don't already
+ # if we have a 'default_realm' in the config hash and we don't already
# have a realm called 'default', we point default at the realm specified
- if (exists($cfg->{'default_realm'}) && !$c->get_auth_realm('default')) {
- $c->_set_default_auth_realm($cfg->{'default_realm'});
+ if (exists($cfg->{'default_realm'}) && !$app->get_auth_realm('default')) {
+ $app->_set_default_auth_realm($cfg->{'default_realm'});
}
} else {
+
+ ## BACKWARDS COMPATIBILITY - if realms is not defined - then we are probably dealing
+ ## with an old-school config. The only caveat here is that we must add a classname
+
+ ## also - we have to treat {store} as {stores}{default} - because
+ ## while it is not a clear as a valid config in the docs, it
+ ## is functional with the old api. Whee!
+ if (exists($cfg->{'store'}) && !exists($cfg->{'stores'}{'default'})) {
+ $cfg->{'stores'}{'default'} = $cfg->{'store'};
+ }
+
foreach my $storename (keys %{$cfg->{'stores'}}) {
my $realmcfg = {
- store => $cfg->{'stores'}{$storename},
+ store => { class => $cfg->{'stores'}{$storename} },
};
- $c->setup_auth_realm($storename, $realmcfg);
+ $app->setup_auth_realm($storename, $realmcfg);
}
}
}
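Review bot: `$cfg->{use_session} = 1;` on L171 replaces `%$cfg = (use_session => 1, %$cfg)` from L161-L164, but the two are not equivalent: the old form was a default that a configured `use_session => 0` overrode, the new line unconditionally overwrites it, so an application that disabled sessions now silently gets them back. Restore the default semantics with `$cfg->{use_session} = 1 unless exists $cfg->{use_session};`. Separately, `exists($cfg->{'stores'}{'default'})` on L197 autovivifies `$cfg->{stores}` as a side effect, which is harmless for the following `keys` loop but worth a one-line comment.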
-
# set up realmname.
sub setup_auth_realm {
my ($app, $realmname, $config) = @_;
- $app->log->debug("Setting up $realmname");
- if (!exists($config->{'store'}{'class'})) {
- Carp::croak "Couldn't setup the authentication realm named '$realmname', no class defined";
- }
-
- # use the
- my $storeclass = $config->{'store'}{'class'};
-
- ## follow catalyst class naming - a + prefix means a fully qualified class, otherwise it's
- ## taken to mean C::P::A::Store::(specifiedclass)::Backend
- if ($storeclass !~ /^\+(.*)$/ ) {
- $storeclass = "Catalyst::Plugin::Authentication::Store::${storeclass}::Backend";
- } else {
- $storeclass = $1;
+ my $realmclass = 'Catalyst::Plugin::Authentication::Realm';
+ if (defined($config->{'class'})) {
+ $realmclass = $config->{'class'};
+ Catalyst::Utils::ensure_class_loaded( $realmclass );
}
-
-
- # a little niceness - since most systems seem to use the password credential class,
- # if no credential class is specified we use password.
- $config->{credential}{class} ||= "Catalyst::Plugin::Authentication::Credential::Password";
-
- my $credentialclass = $config->{'credential'}{'class'};
-
- ## follow catalyst class naming - a + prefix means a fully qualified class, otherwise it's
- ## taken to mean C::P::A::Credential::(specifiedclass)
- if ($credentialclass !~ /^\+(.*)$/ ) {
- $credentialclass = "Catalyst::Plugin::Authentication::Credential::${credentialclass}";
+ my $realm = $realmclass->new($realmname, $config, $app);
+ if ($realm) {
+ $app->auth_realms->{$realmname} = $realm;
} else {
- $credentialclass = $1;
- }
-
- # if we made it here - we have what we need to load the classes;
- Catalyst::Utils::ensure_class_loaded( $credentialclass );
- Catalyst::Utils::ensure_class_loaded( $storeclass );
-
- # BACKWARDS COMPATIBILITY - if the store class does not define find_user, we define it in terms
- # of get_user and add it to the class. this is because the auth routines use find_user,
- # and rely on it being present. (this avoids per-call checks)
- if (!$storeclass->can('find_user')) {
- no strict 'refs';
- *{"${storeclass}::find_user"} = sub {
- my ($self, $info) = @_;
- my @rest = @{$info->{rest}} if exists($info->{rest});
- $self->get_user($info->{id}, @rest);
- };
- }
-
- $app->auth_realms->{$realmname}{'store'} = $storeclass->new($config->{'store'}, $app);
- if ($credentialclass->can('new')) {
- $app->auth_realms->{$realmname}{'credential'} = $credentialclass->new($config->{'credential'}, $app);
- } else {
- # if the credential class is not actually a class - has no 'new' operator, we wrap it,
- # once again - to allow our code to be simple at runtime and allow non-OO packages to function.
- my $wrapperclass = 'Catalyst::Plugin::Authentication::Credential::Wrapper';
- Catalyst::Utils::ensure_class_loaded( $wrapperclass );
- $app->auth_realms->{$realmname}{'credential'} = $wrapperclass->new($config->{'credential'}, $app);
+ $app->log->debug("realm initialization for '$realmname' failed.");
}
+ return $realm;
}
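Review bot: When `$realmclass->new` on L246 returns false, the failure is only `debug`-logged on L278 and the sub returns undef, whereas the removed code croaked at startup on a missing store class; a misconfigured realm now shows up only at request time as the 'nonexistant realm' exception thrown by `authenticate`. If Realm->new signals failure by returning undef rather than dying (not visible here), raise the severity, e.g. `Carp::croak "Couldn't setup the authentication realm named '$realmname'";` or at least `$app->log->error(...)`, so the problem is caught during setup.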
sub auth_realms {
my $realm = $app->get_auth_realm($realmname);
- if ($realm && exists($realm->{'credential'})) {
- my $user = $realm->{'credential'}->authenticate($app, $realm->{store}, $userinfo);
- if ($user) {
- $app->set_authenticated($user, $realmname);
- return $user;
- }
+ ## note to self - make authenticate throw an exception if realm is invalid.
+
+ if ($realm) {
+ return $realm->authenticate($app, $userinfo);
} else {
- $app->log->debug("The realm requested, '$realmname' does not exist," .
- " or there is no credential associated with it.")
+ Catalyst::Exception->throw(
+ "authenticate called with nonexistant realm: '$realmname'.");
+
}
return undef;
}
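Review bot: The comment `## note to self - make authenticate throw an exception if realm is invalid.` on L290 is stale now that the else branch on L297-L298 throws exactly that; drop it. With both branches returning or throwing, `return undef;` on L301 is unreachable and can go as well. The sub's header is outside the hunk; note that the removed lines called `set_authenticated` explicitly, so the new code relies on `$realm->authenticate` doing that, which should be stated in a comment above L293.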
sub default_auth_store {
my $self = shift;
+ my $realm = $self->get_auth_realm('default');
+ if (!$realm) {
+ $realm = $self->setup_auth_realm('default', { class => "Catalyst::Plugin::Authentication::Realm::Compatibility" });
+ }
if ( my $new = shift ) {
- $self->auth_realms->{'default'}{'store'} = $new;
- my $storeclass = ref($new);
+ $realm->store($new);
+
+ my $storeclass;
+ if (ref($new)) {
+ $storeclass = ref($new);
+ } else {
+ $storeclass = $new;
+ }
# BACKWARDS COMPATIBILITY - if the store class does not define find_user, we define it in terms
# of get_user and add it to the class. this is because the auth routines use find_user,
}
}
- return $self->get_auth_realm('default')->{'store'};
+ return $self->get_auth_realm('default')->store;
}
## BACKWARDS COMPATIBILITY
sub auth_store_names {
my $self = shift;
- my %hash = ( $self->get_auth_realm('default')->{'store'} => 'default' );
+ my %hash = ( $self->get_auth_realm('default')->store => 'default' );
}
sub get_auth_store {
sub auth_stores {
my $self = shift;
- my %hash = ( 'default' => $self->get_auth_realm('default')->{'store'});
+ my %hash = ( 'default' => $self->get_auth_realm('default')->store);
}
__PACKAGE__;
/;
# later on ...
- $c->authenticate({ username => 'myusername', password => 'mypassword' });
+ $c->authenticate({ username => 'myusername',
+ password => 'mypassword' });
my $age = $c->user->get('age');
$c->logout;
Authentication data can also be stored in a session, if the application
is using the L<Catalyst::Plugin::Session> module.
-B<NOTE> in version 0.10 of this module, the api changed. Please see
-L</COMPATIBILITY ROUTINES> for more information.
+B<NOTE> in version 0.10 of this module, the interface to this module changed.
+Please see L</COMPATIBILITY ROUTINES> for more information.
=head1 INTRODUCTION
is (or isn't) allowed to do. For example, say your users are split into two
main groups - regular users and administrators. You want to verify that the
currently logged in user is indeed an administrator before performing the
-actions in an administrative part of your application. These decisionsmay be
+actions in an administrative part of your application. These decisions may be
made within your application code using just the information available after
authentication, or it may be facilitated by a number of plugins.
=head3 Storage Backends
-The authentication data also identifies a user, and the Storage Backend modules
+The authentication data also identifies a user, and the Storage backend modules
use this data to locate and return a standardized object-oriented
representation of a user.
/;
__PACKAGE__->config->{authentication} =
- {
- default_realm => 'members',
- realms => {
- members => {
- credential => {
- class => 'Password'
- },
- store => {
- class => 'Minimal',
- users = {
- bob => {
- password => "s00p3r",
- editor => 'yes',
- roles => [qw/edit delete/],
- },
- william => {
- password => "s3cr3t",
- roles => [qw/comment/],
- }
- }
- }
- }
- }
- };
+ {
+ default_realm => 'members',
+ realms => {
+ members => {
+ credential => {
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
+ },
+ store => {
+ class => 'Minimal',
+ users = {
+ bob => {
+ password => "s00p3r",
+ editor => 'yes',
+ roles => [qw/edit delete/],
+ },
+ william => {
+ password => "s3cr3t",
+ roles => [qw/comment/],
+ }
+ }
+ }
+ }
+ }
+ };
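Review bot: The example config on L403 reads `users = {`, which is an assignment rather than a fat comma and does not compile; it was carried over from the old text and should read `users => {`. Readers copy this block verbatim, so the example should be valid Perl.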
This tells the authentication plugin what realms are available, which
}
This code should be very readable. If all the necessary fields are supplied,
-call the L<Catalyst::Plugin::Authentication/authenticate> method in the
-controller. If it succeeds the user is logged in.
+call the "authenticate" method from the controller. If it succeeds the
+user is logged in.
The credential verifier will attempt to retrieve the user whose details match
the authentication information provided to $c->authenticate(). Once it fetches
} ...
-Now suppose we want to restrict the ability to edit to a user with 'edit'
-in it's roles list.
+Now suppose we want to restrict the ability to edit to a user with an
+'editor' value of yes.
The restricted action might look like this:
$c->detach("unauthorized")
unless $c->user_exists
- and $c->user->get('editor') == 'yes';
+ and $c->user->get('editor') eq 'yes';
# do something restricted here
}
-This is somewhat similar to role based access control.
+(Note that if you have multiple realms, you can use $c->user_in_realm('realmname')
+in place of $c->user_exists(); This will essentially perform the same
+verification as user_exists, with the added requirement that if there is a
+user, it must have come from the realm specified.)
+
+The above example is somewhat similar to role based access control.
L<Catalyst::Plugin::Authentication::Store::Minimal> treats the roles field as
an array of role names. Let's leverage this. Add the role authorization
plugin:
realms => {
members => {
credential => {
- class => 'Password'
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
},
store => {
class => 'DBIx::Class',
realms => {
members => {
credential => {
- class => 'Password'
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
},
store => {
class => 'DBIx::Class',
},
admins => {
credential => {
- class => 'Password'
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'clear'
},
store => {
class => '+MyApp::Authentication::Store::NetAuth',
credentials, the classname 'B<Password>', for example, is expanded to
Catalyst::Plugin::Authentication::Credential::B<Password>. For stores, the
classname 'B<storename>' is expanded to:
-Catalyst::Plugin::Authentication::Store::B<storename>::Backend.
+Catalyst::Plugin::Authentication::Store::B<storename>.
=back
Returns true if a user is logged in right now. The difference between
user_exists and user is that user_exists will return true if a user is logged
-in, even if it has not been retrieved from the storage backend. If you only
+in, even if it has not been yet retrieved from the storage backend. If you only
need to know if the user is logged in, depending on the storage mechanism this
can be much more efficient.
+=item user_in_realm ( $realm )
+
+Works like user_exists, except that it only returns true if a user is both
+logged in right now and was retrieved from the realm provided.
+
=item logout
Logs the user out, Deletes the currently logged in user from $c->user and the session.
=head1 SEE ALSO
-This list might not be up to date.
+This list might not be up to date. Below are modules known to work with the updated
+API of 0.10 and are therefore compatible with realms.
=head2 User Storage Backends
L<Catalyst::Plugin::Authentication::Store::Minimal>,
-L<Catalyst::Plugin::Authentication::Store::Htpasswd>,
-L<Catalyst::Plugin::Authentication::Store::DBIC> (also works with Class::DBI).
+L<Catalyst::Plugin::Authentication::Store::DBIx::Class>,
=head2 Credential verification
L<Catalyst::Plugin::Authentication::Credential::Password>,
-L<Catalyst::Plugin::Authentication::Credential::HTTP>,
-L<Catalyst::Plugin::Authentication::Credential::TypeKey>
=head2 Authorization
=head2 Internals Documentation
-L<Catalyst::Plugin::Authentication::Store>
+L<Catalyst::Plugin::Authentication::Internals>
=head2 Misc
L<Catalyst::Plugin::Authentication::CDBI::Basic>,
L<Catalyst::Plugin::Authentication::Basic::Remote>.
+=head1 INCOMPATABILITIES
-=head1 COMPATIBILITY ROUTINES
+The realms based configuration and functionality of the 0.10 update
+of L<Catalyst::Plugin::Authentication> required a change in the API used by
+credentials and stores. It has a compatibility mode which allows use of
+modules that have not yet been updated. This, however, completely mimics the
+older api and disables the new realm-based features. In other words you can
+not mix the older credential and store modules with realms, or realm-based
+configs. The changes required to update modules are relatively minor and are
+covered in L<Catalyst::Plugin::Authentication::Internals>. We hope that most
+modules will move to the compatible list above very quickly.
-=over 4
+=head1 COMPATIBILITY ROUTINES
In version 0.10 of L<Catalyst::Plugin::Authentication>, the API
changed. For app developers, this change is fairly minor, but for
Credential and Store authors, the changes are significant.
Please see the documentation in version 0.09 of
-Catalyst::Plugin::Authentication for a better understanding of how the old api
+Catalyst::Plugin::Authentication for a better understanding of how the old API
functioned.
The items below are still present in the plugin, though using them is
deprecated. They remain only as a transition tool, for those sites which can
-not be upgraded to use the new system due to local customizations, or use of
-Credential / store modules that have not yet been updated.
+not yet be upgraded to use the new system due to local customizations or use
+of Credential / Store modules that have not yet been updated to work with the
+new API.
These routines should not be used in any application using realms
functionality or any of the methods described above. These are for reference
=item login
This method is used to initiate authentication and user retrieval. Technically
-this is part of the old Password credential module, included here for
-completeness.
+this is part of the old Password credential module and it still resides in the
+L<Password|Catalyst::Plugin::Authentication::Credential::Password> class. It is
+included here for reference only.
=item default_auth_store
This is set to C<< $c->config->{authentication}{store} >> if that value exists,
or by using a Store plugin:
+ # load the Minimal authentication store.
use Catalyst qw/Authentication Authentication::Store::Minimal/;
Sets the default store to
-L<Catalyst::Plugin::Authentication::Store::Minimal::Backend>.
+L<Catalyst::Plugin::Authentication::Store::Minimal>.
=item get_auth_store $name
Yuval Kogman, C<nothingmuch@woobling.org>
+Jay Kuri, C<jayk@cpan.org>
+
Jess Robinson
David Kamholz
-Jay Kuri C<jayk@cpan.org>
=head1 COPYRIGHT & LICENSE