adauth 2.0.0pre2 → 2.0.0

data/.gitignore

@@ -5,8 +5,9 @@ tmp/*
 spec/test_data.yml
 doc/*
 .yardoc/*
-
+.idea/
 .rvmrc
+log/*
 
 spec/test.sqlite3
 

data/Readme.md

@@ -13,13 +13,15 @@ and run a bundle install
 
 ## Usage
 
+### In Rails
+
 First off create a new config file by running the config generator
 
     rails g adauth:config
 
 Fill out the config values in _config/initializers/adauth.rb_
 
-### Joining a model to Adauth
+#### Joining a model to Adauth
 
 If you want to link your user model to Adauth you can use this simple code:
 
@@ -43,6 +45,28 @@ This gives you a bridge between Adauth and your model. When you call `User.creat
 	
 This can be used for any model and anything that you pull over through adauth.
 
-### SessionsController
+#### SessionsController
+
+You can use a premade sessions controller by running
+
+    rails g adauth:sessions
+	
+Which adds a couple of routes, a sessions controller and a login form. To login go to _/sessions/new_ and fill out the form, you will then POST to _/adauth_ and if succesful you will be sent back to _root_path_
+
+### In Scripts
+
+To use Adauth in a script or other program just call `Adauth.configure` somewhere at the begining of the script, once configured Adauth can be used anywhere in your program the same as rails.
+
+## Configuring
+
+Adauth has a few configuration options which are described in detail on the [wiki](https://github.com/Arcath/Adauth/wiki/Configuring).
+
+## Logs
+
+Adauth logs to weekly logs in logs/adauth.log(.DATE)
+
+You can interact with the logger through `Adauth.logger` and set a new one using `Adauth.logger=`
+
+## Developing
 
-TODO
+Before you can run the tests you will need to write a yml file with your domain settings in and place it at _spec/test_data.yml_, there is an example of this file in the spec folder.

data/adauth.gemspec

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
     s.email = ["gems@arcath.net"]
     s.homepage = "http://adauth.arcath.net"
     s.summary = "Provides Active Directory authentication for Rails"
+    s.description = "A full featured library for working with Microsofts Active Directory in Ruby."
     
     s.add_development_dependency "rake"
     s.add_development_dependency "rspec"

data/lib/adauth.rb

@@ -1,6 +1,7 @@
 # Requires
 require 'net/ldap'
 require 'timeout'
+require 'logger'
 # Version
 require 'adauth/version'
 # Classes
@@ -10,6 +11,7 @@ require 'adauth/config'
 require 'adauth/connection'
 # AdObjects
 require 'adauth/ad_objects/computer'
+require 'adauth/ad_objects/folder'
 require 'adauth/ad_objects/group'
 require 'adauth/ad_objects/ou'
 require 'adauth/ad_objects/user'
@@ -18,23 +20,29 @@ require 'adauth/rails'
 require 'adauth/rails/helpers'
 require 'adauth/rails/model_bridge'
 
+require 'adauth/net-ldap/string.rb' # Hot fix for issue
+
 # Adauth Container Module
-module Adauth
+module Adauth  
     # Yields a new config object and then sets it as the Adauth Config
     def self.configure
+        @logger ||= Logger.new('log/adauth.log', 'weekly')
+        @logger.info('load') { "Loading new config" }
         @config = Config.new
         yield(@config)
     end
     
     # Returns Adauths current connection to ActiveDirectory
     def self.connection
-        raise "Adauth needs configuring before use" if @config == nil
+        @logger.fatal('connection') { "Attempted to create connection without configuring" } if @config == nil
+        raise 'Adauth needs configuring before use' if @config == nil # Still raise an error here even after logging it so that adauth stops dead and doesn't error on the next line
         connect unless @connection
         @connection
     end
     
     # Connects to ActiveDirectory using the query user details
     def self.connect
+        @logger.info('connection') { "Connecting to AD as \"#{@config.query_user}\"" }
         @connection = Adauth::Connection.new(connection_hash(@config.query_user, @config.query_password)).bind
     end
     
@@ -50,4 +58,12 @@ module Adauth
             :password => password 
         }
     end
+    
+    def self.logger
+      @logger
+    end
+    
+    def self.logger=(inputs)
+      @logger = inputs
+    end
 end

data/lib/adauth/ad_object.rb

@@ -1,5 +1,11 @@
 module Adauth
+    # Container for Objects which inherit from Adauth::AdObject
+    module AdObjects
+    end
+  
+    # Add a field to the specified model
     def self.add_field(object, adauth_method, ldap_method)
+        Adauth.logger.info(object.inspect) { "Adding field \"#{ldap_method}\"" }
         object::Fields[adauth_method] = ldap_method
     end
     
@@ -8,27 +14,42 @@ module Adauth
     # Objects inherit from this class.
     #
     # Provides all the common functions for Active Directory.
-    class AdObject
+    class AdObject      
         # Returns all objects which have the ObjectClass of the inherited class
         def self.all
-            results = []
-            Adauth.connection.search(:filter => self::ObjectFilter).each do |result|
-                results.push self.new(result)
-            end
-            results
+            Adauth.logger.info(self.inspect) { "Searching for all objects matching filter \"#{self::ObjectFilter}\"" }
+            self.filter(self::ObjectFilter)
         end
         
         # Returns all the objects which match the supplied query
         #
         # Uses ObjectFilter to restrict to the current object
         def self.where(field, value)
-            results = []
             search_filter = Net::LDAP::Filter.eq(field, value)
-            joined_filter = search_filter & self::ObjectFilter
-            Adauth.connection.search(:filter => joined_filter).each do |result|
-                results.push self.new(result)
-            end
-            results
+            Adauth.logger.info(self.inspect) { "Searching for all \"#{self::ObjectFilter}\" where #{field} = #{value}" }
+            filter(add_object_filter(search_filter))
+        end
+        
+        # Returns all LDAP objects that match the given filter
+        #
+        # Use with add_object_filter to make sure that you only get objects that match the object you are querying though
+        def self.filter(filter)
+          results = []
+
+          result = Adauth.connection.search(:filter => filter)
+
+          raise 'Search returned NIL' if result == nil
+
+          result.each do |entry|
+            results << self.new(entry)
+          end
+
+          results
+        end
+        
+        # Adds the object filter to the passed filter
+        def self.add_object_filter(filter)
+          filter & self::ObjectFilter
         end
         
         # Creates a new instance of the object and sets @ldap_object to the passed Net::LDAP entity        
@@ -85,8 +106,32 @@ module Adauth
             @dn_ous
         end
         
+        # Runs a modify action on the current object, takes an aray of operations
         def modify(operations)
-            raise "Modify Operation Failed" unless Adauth.connection.modify :dn => @ldap_object.dn, :operations => operations
+            raise 'Modify Operation Failed' unless Adauth.connection.modify :dn => @ldap_object.dn, :operations => operations
+        end
+        
+        # Returns an array of member objects for this object
+        def members
+            unless @members
+                @members = []
+                [Adauth::AdObjects::Computer, Adauth::AdObjects::OU, Adauth::AdObjects::User, Adauth::AdObjects::Group].each do |object|
+                    object.all.each do |entity|
+                        @members.push entity if entity.is_a_member?(self)
+                    end
+                end
+            end
+            @members
+        end
+        
+        # Checks to see if the object is a member of a given parent (though DN)
+        def is_a_member?(parent)
+          my_split_dn = @ldap_object.dn.split(",")
+          parent_split_dn = parent.ldap_object.dn.split(",")
+          if (my_split_dn.count - 1) == parent_split_dn.count
+            return true if my_split_dn[1] == parent_split_dn[0]
+          end
+          return false
         end
         
         private
@@ -105,8 +150,4 @@ module Adauth
             (user || group)
         end
     end
-    
-    # Container for Objects which inherit from Adauth::AdObject
-    module AdObjects
-    end
 end

data/lib/adauth/ad_objects/folder.rb

@@ -0,0 +1,33 @@
+module Adauth
+    module AdObjects
+        # Active Directory OU Object
+        #
+        # Inherits from Adauth::AdObject
+        class Folder < Adauth::AdObject
+            # Field mapping
+            #
+            # Maps methods to LDAP fields e.g.
+            #
+            # :foo => :bar
+            #
+            # Becomes
+            # 
+            # Computer.name
+            #
+            # Which calls .name on the LDAP object
+            Fields = {
+                    :name => :name
+                }
+            
+            # Object Net::LDAP filter
+            #
+            # Used to restrict searches to just this object
+            ObjectFilter = Net::LDAP::Filter.eq("objectClass", "top")
+            
+            # Returns the Domain Object which is useful for building domain maps.
+            def self.root
+              self.new(Adauth.connection.search(:filter => Net::LDAP::Filter.eq("objectClass", "Domain")).first)
+            end
+        end
+    end
+end

data/lib/adauth/ad_objects/group.rb

@@ -25,11 +25,12 @@ module Adauth
             
             # Object Net::LDAP filter
             #
-            # Used to restrict searches to just this object
+            # Used to restrict searches' to just this object
             ObjectFilter = Net::LDAP::Filter.eq("objectClass", "group")
                 
             # Returns all the objects which are members of this group
             def members
+                Adauth.logger.info(self.inspect) { "Getting group members for #{self.name}" }
                 unless @members
                     @members = convert_to_objects(cn_members)
                 end

data/lib/adauth/ad_objects/ou.rb

@@ -23,19 +23,6 @@ module Adauth
             #
             # Used to restrict searches to just this object
             ObjectFilter = Net::LDAP::Filter.eq("objectClass", "organizationalUnit")
-            
-            # Returns all objects contained with in this OU
-            def members
-                unless @members
-                    @members = []
-                    [Adauth::AdObjects::Computer, Adauth::AdObjects::Group, Adauth::AdObjects::User].each do |object|
-                        object.all.each do |entity|
-                            @members.push entity if entity.ldap_object.dn =~ /#{@ldap_object.dn}/
-                        end
-                    end
-                end
-                @members
-            end
         end
     end
 end

data/lib/adauth/ad_objects/user.rb

@@ -27,7 +27,7 @@ module Adauth
             # Object Net::LDAP filter
             #
             # Used to restrict searches to just this object      
-            ObjectFilter = Net::LDAP::Filter.eq("objectClass", "user")
+            ObjectFilter = Net::LDAP::Filter.eq('objectClass', 'user')
           
             # Returns a connection to AD within the users context, used to check a user credentails
             #
@@ -36,10 +36,26 @@ module Adauth
                 user_connection = Adauth::Connection.new(Adauth.connection_hash(user, password)).bind
             end
             
-            # Returns True/False if the user is member of the cupplied group
+            # Returns True/False if the user is member of the supplied group
             def member_of?(group)
                 cn_groups.include?(group)
             end
+            
+            # Changes the password to the supplied value
+            #def set_password(new_password)
+            #  Adauth.logger.info("password management") { "Attempting password reset for #{self.login}" }
+            #  password = microsoft_encode_password(new_password)
+            #  modify([[:replace, 'unicodePwd', password]])
+            #end
+            
+            private
+            
+            def microsoft_encode_password(password)
+              out = ""
+              password = "\"" + password + "\""
+              password.length.times{|i| out+= "#{password[i..i]}\000" }
+              return out
+            end
         end
     end
 end

data/lib/adauth/authenticate.rb

@@ -4,17 +4,22 @@ module Adauth
     # Checks the groups & ous are in the allow/deny lists
     def self.authenticate(username, password)
         begin
+            Adauth.logger.info("authentication") { "Attempting to authenticate as #{username}" }
             if Adauth::AdObjects::User.authenticate(username, password)
                 user = Adauth::AdObjects::User.where('sAMAccountName', username).first
                 if allowed_group_login(user) && allowed_ou_login(user)
+                    Adauth.logger.info("authentication") { "Authentication succesful" }
                     return user
                 else
+                    Adauth.logger.info("authentication") { "Authentication failed (not in allowed group)" }
                     return false
                 end
             else
+                Adauth.logger.info("authentication") { "Authentication failed (bad username/password)" }
                 return false
             end
         rescue RuntimeError
+            Adauth.logger.info("authentication") { "Authentication failed (RuntimeError)" }
             return false
         end
     end
@@ -23,6 +28,10 @@ module Adauth
     def self.allowed_group_login(user)
         if @config.allowed_groups != []
             allowed = (user && @config.allowed_groups != (@config.allowed_groups - user.cn_groups)) ? user : nil
+
+            if allowed == nil
+              allowed = is_group_in_group(user) != nil ? user : nil
+            end
         else
             allowed = user
         end
@@ -32,6 +41,7 @@ module Adauth
         else
             denied = user
         end
+
         allowed == denied
     end
     
@@ -48,6 +58,29 @@ module Adauth
         else
             denied = user
         end
+
         allowed == denied
     end
+
+  def self.is_group_in_group(adobject)
+    # Loop through each users group and see if it's a member of an allowed group
+    begin
+      adobject.cn_groups.each do |group|
+
+        if @config.allowed_groups.include?(group)
+          return group
+        end
+
+        adGroup = Adauth::AdObjects::Group.where('name', group).first
+
+        unless self.is_group_in_group(adGroup) == nil
+          return true
+        end
+      end
+    rescue
+      return nil
+    end
+
+    nil
+  end
 end

data/lib/adauth/config.rb

@@ -4,7 +4,7 @@ module Adauth
     # Sets the defaults an create and generates guess values.
     class Config
         attr_accessor   :domain, :port, :base, :server, :encryption, :query_user, :query_password,
-                        :allowed_groups, :denied_groups, :allowed_ous, :denied_ous
+                        :allowed_groups, :denied_groups, :allowed_ous, :denied_ous, :contains_nested_groups
         
         def initialize
             @port = 389
@@ -12,13 +12,14 @@ module Adauth
             @allowed_ous = []
             @denied_groups =[]
             @denied_ous = []
+            @contains_nested_groups = false
         end
         
         # Guesses the Server and Base string
         def domain=(s)
             @domain = s
             @server ||= s
-            @base ||= s.gsub(/\./,', dc=').gsub(/^/,"dc=")
+            @base ||= s.gsub(/\./,', dc=').insert(0, 'dc=')
         end
     end
 end

data/lib/adauth/connection.rb

@@ -17,7 +17,7 @@ module Adauth
                                  :port => @config[:port],
                                  :base => @config[:base]
             if @config[:encryption]
-               conn.encryption = @config[:encryption]
+               conn.encryption @config[:encryption]
             end
 
             conn.auth "#{@config[:username]}@#{@config[:domain]}", @config[:password]
@@ -27,11 +27,11 @@ module Adauth
                     if conn.bind
                         return conn
                     else
-                        raise "Query User Rejected"
+                        raise 'Query User Rejected'
                     end
                 }
             rescue Timeout::Error
-                raise "Unable to connect to LDAP Server"
+                raise 'Unable to connect to LDAP Server'
             end
         end
     end

data/lib/adauth/net-ldap/string.rb

@@ -0,0 +1,70 @@
+# -*- ruby encoding: utf-8 -*-
+require 'stringio'
+
+# THIS FILE OVERRIDES SOME OF THE CONFIG IN NET::LDAP
+#
+# It exists because adauth needs this pull request
+
+##
+# BER extensions to the String class.
+module Net::BER::Extensions::String
+  ##
+  # Converts a string to a BER string. Universal octet-strings are tagged
+  # with 0x04, but other values are possible depending on the context, so we
+  # let the caller give us one.
+  #
+  # User code should call either #to_ber_application_string or
+  # #to_ber_contextspecific.
+  def to_ber(code = 0x04)
+    raw_string = raw_utf8_encoded
+    [code].pack('C') + raw_string.length.to_ber_length_encoding + raw_string
+  end
+  
+  # The patched method we need
+  def raw_utf8_encoded
+    if self.respond_to?(:encode)
+      # Strings should be UTF-8 encoded according to LDAP.
+      # However, the BER code is not necessarily valid UTF-8
+      #self.encode('UTF-8').force_encoding('ASCII-8BIT')
+			self.encode('UTF-8', invalid: :replace, undef: :replace, replace: '' ).force_encoding('ASCII-8BIT')
+    else
+      self
+    end
+  end
+  private :raw_utf8_encoded
+
+  ##
+  # Creates an application-specific BER string encoded value with the
+  # provided syntax code value.
+  def to_ber_application_string(code)
+    to_ber(0x40 + code)
+  end
+
+  ##
+  # Creates a context-specific BER string encoded value with the provided
+  # syntax code value.
+  def to_ber_contextspecific(code)
+    to_ber(0x80 + code)
+  end
+
+  ##
+  # Nondestructively reads a BER object from this string.
+  def read_ber(syntax = nil)
+    StringIO.new(self).read_ber(syntax)
+  end
+
+  ##
+  # Destructively reads a BER object from the string.
+  def read_ber!(syntax = nil)
+    io = StringIO.new(self)
+
+    result = io.read_ber(syntax)
+    self.slice!(0...io.pos)
+
+    return result
+  end
+
+  def reject_empty_ber_arrays
+    self.gsub(/0\000/n,'')
+  end
+end

data/lib/adauth/rails/model_bridge.rb

@@ -28,17 +28,18 @@ module Adauth
             def self.included(base)
                 base.extend ClassMethods
             end
-            
+
             # Uses AdauthMappings to update the values on the model using the ones from Adauth
             def update_from_adauth(adauth_model)
                 self.class::AdauthMappings.each do |k, v|
                     setter = "#{k.to_s}=".to_sym
-                    value = v.is_a?(Array) ? v.join(", ") : v 
+                    value = v.is_a?(Array) ? v.join(", ") : v
                     self.send(setter, adauth_model.send(value))
                 end
                 self.save
+                self
             end
-            
+
             # Class Methods for ModelBridge
             module ClassMethods
                 # Creates a new RailsModel from the adauth_model
@@ -46,7 +47,7 @@ module Adauth
                     rails_model = self.new
                     rails_model.update_from_adauth(adauth_model)
                 end
-                
+
                 # Used to create the RailsModel if it doesn't exist and update it if it does
                 def return_and_create_from_adauth(adauth_model)
                     find_method = "find_by_#{self::AdauthSearchField.last}".to_sym

data/lib/adauth/version.rb

@@ -1,4 +1,4 @@
 module Adauth
     # Adauths Version Number
-    Version = "2.0.0pre2"
+    Version = '2.0.0'
 end

data/spec/adauth_ad_object_computer_spec.rb

@@ -6,6 +6,13 @@ describe Adauth::AdObjects::Computer do
         pdc.should be_a Adauth::AdObjects::Computer
     end
     
+    it "should only find computers" do
+      default_config
+      Adauth::AdObjects::Computer.all.each do |computer|
+        computer.should be_a Adauth::AdObjects::Computer
+      end
+    end
+    
     it "should be in an ou" do
         default_config
         pdc.ous.should be_a Array

data/spec/adauth_ad_object_folder_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe Adauth::AdObjects::Folder do
+    it "should find Domain Controllers" do
+        default_config
+        Adauth::AdObjects::Folder.root.should be_a Adauth::AdObjects::Folder
+    end
+    
+    it "should have members" do
+        default_config
+        Adauth::AdObjects::Folder.root.members.should be_a Array
+    end
+end

data/spec/adauth_ad_object_user_spec.rb

@@ -39,4 +39,15 @@ describe Adauth::AdObjects::User do
         Adauth.add_field(Adauth::AdObjects::User, :description, :description)
         administrator.description.should be_a String
     end
+    
+    #it "should allow you to reset the password" do
+    #  default_config
+    #  Adauth::AdObjects::User.authenticate(test_data("domain", "breakable_user"), test_data("domain", "breakable_password")).should be_true
+    #  user = Adauth::AdObjects::User.where('sAMAccountName', test_data("domain", "breakable_user")).first
+    #  user.login.should eq test_data("domain", "breakable_user")
+    #  user.set_password("adauth_test")
+    #  Adauth::AdObjects::User.authenticate(test_data("domain", "breakable_user"), "adauth_test").should be_true
+    #  user.set_password(test_data("domain", "breakable_password"))
+    #  Adauth::AdObjects::User.authenticate(test_data("domain", "breakable_user"), test_data("domain", "breakable_password")).should be_true
+    #end
 end

data/spec/adauth_spec.rb

@@ -5,4 +5,8 @@ describe Adauth, :no_ad => true do
         Adauth.configure do |c|
         end
     end
+  
+    it "should be able to have a new logged defined" do
+      Adauth.logger= Logger.new('log/newlogger.log', 'daily')
+    end
 end

data/spec/test_data.example.yml

@@ -0,0 +1,7 @@
+domain:
+  domain: example.com
+  port: 389
+  base: "dc=example, dc=com"
+  server: dc1.example.com
+  query_user: User.Name
+  query_password: Password

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: adauth
 version: !ruby/object:Gem::Version
-  version: 2.0.0pre2
-  prerelease: 5
+  version: 2.0.0
+  prerelease: 
 platform: ruby
 authors:
 - Adam "Arcath" Laycock
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-09-11 00:00:00.000000000 Z
+date: 2013-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -59,7 +59,8 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description: A full featured library for working with Microsofts Active Directory
+  in Ruby.
 email:
 - gems@arcath.net
 executables: []
@@ -76,12 +77,14 @@ files:
 - lib/adauth.rb
 - lib/adauth/ad_object.rb
 - lib/adauth/ad_objects/computer.rb
+- lib/adauth/ad_objects/folder.rb
 - lib/adauth/ad_objects/group.rb
 - lib/adauth/ad_objects/ou.rb
 - lib/adauth/ad_objects/user.rb
 - lib/adauth/authenticate.rb
 - lib/adauth/config.rb
 - lib/adauth/connection.rb
+- lib/adauth/net-ldap/string.rb
 - lib/adauth/rails.rb
 - lib/adauth/rails/helpers.rb
 - lib/adauth/rails/model_bridge.rb
@@ -94,6 +97,7 @@ files:
 - lib/generators/adauth/sessions/templates/new.html.erb
 - lib/generators/adauth/sessions/templates/sessions_controller.rb.erb
 - spec/adauth_ad_object_computer_spec.rb
+- spec/adauth_ad_object_folder_spec.rb
 - spec/adauth_ad_object_group_spec.rb
 - spec/adauth_ad_object_ou_spec.rb
 - spec/adauth_ad_object_user_spec.rb
@@ -102,6 +106,7 @@ files:
 - spec/adauth_rails_model_bridge_spec.rb
 - spec/adauth_spec.rb
 - spec/spec_helper.rb
+- spec/test_data.example.yml
 homepage: http://adauth.arcath.net
 licenses: []
 post_install_message: 
@@ -117,9 +122,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>'
+  - - ! '>='
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23
@@ -128,6 +133,7 @@ specification_version: 3
 summary: Provides Active Directory authentication for Rails
 test_files:
 - spec/adauth_ad_object_computer_spec.rb
+- spec/adauth_ad_object_folder_spec.rb
 - spec/adauth_ad_object_group_spec.rb
 - spec/adauth_ad_object_ou_spec.rb
 - spec/adauth_ad_object_user_spec.rb
@@ -136,4 +142,5 @@ test_files:
 - spec/adauth_rails_model_bridge_spec.rb
 - spec/adauth_spec.rb
 - spec/spec_helper.rb
+- spec/test_data.example.yml
 has_rdoc: