X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/1ebcf81a3277b254d9392d04a070e72ab8ed976f..c5642119f7fafdafdaff05c0d37e787de221e9e2:/doc/todo/cas_authentication.mdwn?ds=inline diff --git a/doc/todo/cas_authentication.mdwn b/doc/todo/cas_authentication.mdwn index fbfb5f7b0..8bf7042df 100644 --- a/doc/todo/cas_authentication.mdwn +++ b/doc/todo/cas_authentication.mdwn @@ -1,4 +1,4 @@ -[[!tag patch]] +[[!tag patch wishlist]] ikiwiki should support [Central Authentication Service](http://www.ja-sig.org/products/cas/) authentication in order to use @@ -14,6 +14,13 @@ follows) ? --[[/users/bbb]] +> Inline here is ok; git-am by mail is ok; a git repo I can pull from also +> ok. +> +> This looks pretty acceptable as-is, but you need to put a copyright and +> license statement at the top. I have a few questions that I'll insert +> inline with the patch below. --[[Joey]] + ------------------------------------------------------------------------------ diff --git a/IkiWiki/Plugin/cas.pm b/IkiWiki/Plugin/cas.pm new file mode 100644 @@ -29,26 +36,40 @@ follows) ? +use strict; +use IkiWiki 2.00; +use AuthCAS; # http://search.cpan.org/~osalaun/AuthCAS-1.3.1/ + +> In ikiwiki we generally deman-load perl modules only when they're used. +> This avoids loading expensive modules when the CGI isn't doing +> authentication. Can you do that with AuthCAS? Something like this before +> the use of it: `eval q{use AuthCAS}; error $@ if $@` + + - +sub import { #{{{ + +sub import { + hook(type => "getopt", id => "cas", call => \&getopt); + hook(type => "auth", id => "cas", call => \&auth); + hook(type => "formbuilder_setup", id => "cas", call => \&formbuilder_setup); - +} # }}} - + + +} + +> Could you please use tabs for indentation of program flow? + +# FIXME: We should check_config to ensure that : +# * cas_url and ca_file are present + +> Please fix that.. + +# * no other auth plugin are present (at least passwordauth and openid) - + - +sub getopt () { #{{{ + +> Why would you want to make other auth plugins not work? Could a site not +> legitimatly chose to use this and another auth method? + + +sub getopt () { + eval q{use Getopt::Long}; + error($@) if $@; + Getopt::Long::Configure('pass_through'); + GetOptions("cas_url=s" => \$config{cas_url}); + GetOptions("ca_file=s" => \$config{ca_file}); - +} #}}} + +} + - +sub auth ($$) { #{{{ + +sub auth ($$) { + my $q=shift; + my $session=shift; + @@ -77,11 +98,11 @@ follows) ? + error("CAS failure: ".&AuthCAS::get_errors()); + } + } - +} #}}} + +} + +# I use formbuilder_setup and not formbuilder type in order to bypass the +# Logout processing done in IkiWiki::CGI::cgi_prefs() - +sub formbuilder_setup (@) { #{{{ + +sub formbuilder_setup (@) { + my %params=@_; + + my $form=$params{form}; @@ -130,13 +151,20 @@ follows) ? +into the wiki. + +The plugin needs the [[!cpan AuthCAS-1.3.1]] perl module. + +> Does it really need that specific version? I think you should lose the +> version part. + + +This plugin has two mandatory configuration option. You **must** set `--cas_url` +to the url of a server offering CAS 2.0 authentication. You must also set the +`--ca_file` to an absolute path to the file containing CA certificates used by +the server (generally, aka under Debian, fixing that value to +`/etc/ssl/certs/ca-certificates.crt` is sufficient). - + + +> It would be good to add commented-out examples of these to +> ikiwiki.setup as well. + +This plugin is not enabled by default. It can not be used with other +authentication plugin, such as [[passwordauth]] or [[openid]].