-[[!tag type/patch]]
+[[!tag patch wishlist]]
ikiwiki should support [Central Authentication
Service](http://www.ja-sig.org/products/cas/) authentication in order to use
--[[/users/bbb]]
+> Inline here is ok; git-am by mail is ok; a git repo I can pull from also
+> ok.
+>
+> This looks pretty acceptable as-is, but you need to put a copyright and
+> license statement at the top. I have a few questions that I'll insert
+> inline with the patch below. --[[Joey]]
+
------------------------------------------------------------------------------
diff --git a/IkiWiki/Plugin/cas.pm b/IkiWiki/Plugin/cas.pm
new file mode 100644
+use strict;
+use IkiWiki 2.00;
+use AuthCAS; # http://search.cpan.org/~osalaun/AuthCAS-1.3.1/
+
+> In ikiwiki we generally deman-load perl modules only when they're used.
+> This avoids loading expensive modules when the CGI isn't doing
+> authentication. Can you do that with AuthCAS? Something like this before
+> the use of it: `eval q{use AuthCAS}; error $@ if $@`
+
+
- +sub import { #{{{
+ +sub import {
+ hook(type => "getopt", id => "cas", call => \&getopt);
+ hook(type => "auth", id => "cas", call => \&auth);
+ hook(type => "formbuilder_setup", id => "cas", call => \&formbuilder_setup);
- +} # }}}
- +
+ +}
+
+> Could you please use tabs for indentation of program flow?
+
+# FIXME: We should check_config to ensure that :
+# * cas_url and ca_file are present
+
+> Please fix that..
+
+# * no other auth plugin are present (at least passwordauth and openid)
- +
- +sub getopt () { #{{{
+
+> Why would you want to make other auth plugins not work? Could a site not
+> legitimatly chose to use this and another auth method?
+
+ +sub getopt () {
+ eval q{use Getopt::Long};
+ error($@) if $@;
+ Getopt::Long::Configure('pass_through');
+ GetOptions("cas_url=s" => \$config{cas_url});
+ GetOptions("ca_file=s" => \$config{ca_file});
- +} #}}}
+ +}
+
- +sub auth ($$) { #{{{
+ +sub auth ($$) {
+ my $q=shift;
+ my $session=shift;
+
+ error("CAS failure: ".&AuthCAS::get_errors());
+ }
+ }
- +} #}}}
+ +}
+
+# I use formbuilder_setup and not formbuilder type in order to bypass the
+# Logout processing done in IkiWiki::CGI::cgi_prefs()
- +sub formbuilder_setup (@) { #{{{
+ +sub formbuilder_setup (@) {
+ my %params=@_;
+
+ my $form=$params{form};
--- /dev/null
+++ b/doc/plugins/cas.mdwn
@@ -0,0 +1,18 @@
- +[[!template id=plugin name=cas core=0 author="[[bbb]]"]]
- +[[!tag type/auth]]
+ +[[ template id=plugin name=cas core=0 author="[[bbb]]"]]
+ +[[ tag type/auth]]
+
+This plugin allows users to use authentication offered by a
+[JaSIG](http://www.ja-sig.org) [<acronym title='Central Authentication
+into the wiki.
+
+The plugin needs the [[!cpan AuthCAS-1.3.1]] perl module.
+
+> Does it really need that specific version? I think you should lose the
+> version part.
+
+
+This plugin has two mandatory configuration option. You **must** set `--cas_url`
+to the url of a server offering CAS 2.0 authentication. You must also set the
+`--ca_file` to an absolute path to the file containing CA certificates used by
+the server (generally, aka under Debian, fixing that value to
+`/etc/ssl/certs/ca-certificates.crt` is sufficient).
- +
+
+> It would be good to add commented-out examples of these to
+> ikiwiki.setup as well.
+
+This plugin is not enabled by default. It can not be used with other
+authentication plugin, such as [[passwordauth]] or [[openid]].