annotate lib/IMPL/Web/Security.pm @ 416:cc2cf8c0edc2 ref20150831

sync
author cin
date Thu, 29 Oct 2015 03:50:25 +0300
parents c6e90e02dd17
children
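package IMPL::Web::Security;
use strict;
use warnings;

use IMPL::Security::Auth qw(:Const);
use IMPL::declare {
    require => {
        Exception               => 'IMPL::Exception',
        NotImplementedException => '-IMPL::NotImplementedException',
        ArgException            => '-IMPL::InvalidArgumentException',
        SecurityContext         => 'IMPL::Security::AbstractContext'
    },
};

# Failure codes placed in the C<code> slot of the AuthUser() result.
# They explain *why* authentication failed and are meant for the
# application and its logs; echoing them to the client would reveal
# whether a given account exists.
use constant {
    ERR_NO_SUCH_USER   => -1,    # users->GetById() found nothing
    ERR_NO_SEC_DATA    => -2,    # user has no security data for the package
    ERR_NO_AUTHORITY   => -3,    # current security context has no authority
    ERR_NO_SEC_CONTEXT => -4,    # no current security context at all
    ERR_AUTH_FAIL      => -5     # the authority rejected the credentials
};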
# Abstract hook: the concrete security module returns the class name of
# the authentication package used when AuthUser() gets no C<$package>.
# Always dies here.
sub interactiveAuthPackage {
    my ($this) = @_;
    die NotImplementedException->new;
}
# Abstract accessor for the user storage; AuthUser() calls GetById() on
# the object it returns. The concrete module must override it.
sub users {
    my ($this) = @_;
    die NotImplementedException->new;
}
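# Abstract accessor for the role storage, to be overridden by the concrete
# module. None of the methods in this file call it themselves.
# The duplicated `die die` of the original is reduced to a single `die`.
sub roles {
    my ($this) = @_;
    die NotImplementedException->new;
}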
# Abstract accessor for the session storage; Logout() calls Delete() on
# the object it returns. The concrete module must override it.
sub sessions {
    my ($this) = @_;
    die NotImplementedException->new;
}
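# Authenticate a user and initiate a session through the authority of the
# current security context.
#
# Arguments (positional; note the order differs from the POD below, which
# lists C<$name,$package,$challenge>):
#   $name      - user id passed to $this->users->GetById
#   $challenge - client-supplied data handed to the authority's InitSession
#   $roles     - optional array ref of requested roles, defaults to []
#   $package   - optional authentication package class name, defaults to
#                $this->interactiveAuthPackage. It is used as a class
#                (->new), so it must come from configuration, not from
#                request data.
#
# Returns a hash ref { status => AUTH_*, code => ERR_* or 0, user => ... }.
# The 'user' slot is present only once the user was found. The distinct
# failure codes (unknown user / missing security data / rejected
# credentials) are for the application's own use; exposing them to the
# client would allow account enumeration.
sub AuthUser {
    my ( $this, $name, $challenge, $roles, $package ) = @_;

    $package ||= $this->interactiveAuthPackage;
    $roles   ||= [];

    my $user = $this->users->GetById($name)
      or return { status => AUTH_FAIL, code => ERR_NO_SUCH_USER };

    # The stored security data is specific to the authentication package
    # and is what the package's constructor consumes.
    my $secData = $user->GetSecData($package)
      or return {
        status => AUTH_FAIL,
        code   => ERR_NO_SEC_DATA,
        user   => $user
      };
    my $auth = $package->new($secData);

    # Look the context up once rather than three times; a session can only
    # be initiated through the context's authority.
    my $context = SecurityContext->current
      or return { status => AUTH_FAIL, code => ERR_NO_SEC_CONTEXT };
    my $authority = $context->authority
      or return { status => AUTH_FAIL, code => ERR_NO_AUTHORITY };

    my $status = $authority->InitSession( $user, $roles, $auth, $challenge );

    # NOTE(review): InitSession is assumed to return a numeric AUTH_*
    # status; an undef return would trigger a warning here - confirm.
    return {
        status => $status,
        code   => ( $status == AUTH_FAIL ? ERR_AUTH_FAIL : 0 ),
        user   => $user
    };
}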
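# Close the current session, if there is one, and remove it from session
# storage. Does nothing when there is no current security context or the
# context has no authority. Returns nothing; the storage layer's Delete()
# result is deliberately not passed through to callers.
sub Logout {
    my ($this) = @_;

    my $session   = SecurityContext->current;
    my $authority = $session && $session->authority;
    return unless $authority;

    # The authority is told first, then the record is dropped. If
    # CloseSession dies the session stays in storage - confirm that is the
    # intended failure mode rather than deleting regardless.
    $authority->CloseSession($session);
    $this->sessions->Delete($session);

    return;
}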
# Build security data for authentication package C<$package> from a hash
# ref of parameters by delegating to the package's own CreateSecData class
# method. Dies with ArgException unless C<$params> is a plain hash ref
# (a blessed hash is rejected too, as in the original check).
sub CreateSecData {
    my ( $this, $package, $params ) = @_;

    my $is_plain_hashref = ref($params) eq 'HASH';
    die ArgException->new( params => 'A hash reference is required' )
      if !$is_plain_hashref;

    # Flatten the hash into a key/value list for the class-method call.
    return $package->CreateSecData( %{$params} );
}
105 1;
107 __END__
109 =pod
111 =head1 NAME
113 C<IMPL::Web::Security> Модуль для аутентификации и авторизации веб запроса.
115 =head1 DESCRIPTION
117 Текущий модуль обеспечивает функции верхнего уровня для работы с системой
118 безопасности. Поскольку модуль является абстрактным, конкретные функции
119 хранения и реализацию объектов модели безопасности должно обеспечить само
120 приложение.
122 Сама система безопасности в веб приложении состоит из двух частей
124 =over
126 =item Модель системы безопасности
128 Предоставляет такие объекты безопасности, как пользователь, сессия, роль,
129 определяет правила проверки прав доступа субъекта к объекту.
131 =item Модуль безопасности
133 Контекст безопасности создается именно этим модулем.
135 Как правило, встраивается в транспортный уровень в виде обработчика
136 C<IMPL::Web::Handler> и реализует непосредственно протокол аутентификации и
137 обмена с пользователем.
139 Также модуль безопасности использует модель для хранения сессий и данных
140 аутентификации.
142 =back
144 =head1 MEMBERS
146 =head2 C<AuthUser($name,$package,$challenge)>
148 Инициирует создание новой сессии используя провайдера безопасности текущего
149 контекста безопасности.
151 =over
153 =item C<$name>
155 Имя пользователя, которое будет использоваться при поиске его в БД.
157 =item C<$package>
159 Имя модуля аутентификации, например, C<IMPL::Security::Auth::Simple>.
161 =item C<$challenge>
163 Данные, полученные от клиента, которые будут переданы модулю аутентификации для
164 начала процесса аутентификации и создания сессии.
166 =back
168 Функция возвращает хеш с элементами
170 =over
172 =item C<status>
174 Статус аутентификации - отражает общее состояние процесса аутентификации,
176 =over
178 =item C<AUTH_FAIL>
180 Аутентификация неудачная, сессия не создана.
182 =item C<AUTH_INCOMPLETE>
184 Аутентификация требует дополнительных шагов, сессия создана, но еще не доверена.
186 =item C<AUTH_SUCCESS>
188 Аутентификация успешно проведена, сессия создана.
190 =back
192 =item C<code>
194 =back
196 =cut