casino-ldap_authenticator 2.0.2 → 2.0.3
@@ -10,16 +10,12 @@ class CASino::LDAPAuthenticator
|
|
10
10
|
end
|
11
11
|
|
12
12
|
def validate(username, password)
|
13
|
-
@username = username
|
14
|
-
@password = password
|
15
13
|
begin
|
16
|
-
|
17
|
-
|
18
|
-
if !@user_plain
|
14
|
+
user_plain = authenticate(username, password)
|
15
|
+
if !user_plain
|
19
16
|
false
|
20
17
|
else
|
21
|
-
generate_user
|
22
|
-
@user
|
18
|
+
generate_user(user_plain)
|
23
19
|
end
|
24
20
|
rescue Net::LDAP::LdapError => e
|
25
21
|
raise CASino::Authenticator::AuthenticatorError,
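Review bot: `validate` now returns `false` both for wrong credentials and for an empty password (refused inside `authenticate` before any bind), and nothing in the method states that contract; a comment above `def validate(username, password)` such as `# Returns { username:, extra_attributes: } for a successful simple bind; false on bad credentials or an empty password (no bind is attempted); raises AuthenticatorError on LDAP errors.` would help callers that treat `false` as "try the next authenticator". The `rescue` only maps `Net::LDAP::LdapError`, so any other exception raised while resolving the entry (e.g. a `NoMethodError` from a missing option) propagates unmapped — worth stating, or widening deliberately if the caller expects only `AuthenticatorError`. The `rescue` body continues outside the hunk.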
|
@@ -28,53 +24,60 @@ class CASino::LDAPAuthenticator
|
|
28
24
|
end
|
29
25
|
|
30
26
|
private
|
31
|
-
def
|
27
|
+
def ldap
|
28
|
+
return @ldap if @ldap
|
32
29
|
@ldap = Net::LDAP.new
|
33
30
|
@ldap.host = @options[:host]
|
34
31
|
@ldap.port = @options[:port]
|
35
32
|
if @options[:encryption]
|
36
33
|
@ldap.encryption(@options[:encryption].to_sym)
|
37
34
|
end
|
35
|
+
return @ldap
|
38
36
|
end
|
39
37
|
|
40
|
-
def authenticate
|
38
|
+
def authenticate(username, password)
|
39
|
+
# Don't allow "Unauthenticated bind" (http://www.openldap.org/doc/admin24/security.html#Authentication%20Methods)
|
40
|
+
return false unless password && !password.empty?
|
41
|
+
|
41
42
|
unless @options[:admin_user].nil?
|
42
|
-
|
43
|
+
ldap.auth(@options[:admin_user], @options[:admin_password])
|
43
44
|
end
|
44
|
-
|
45
|
-
|
45
|
+
|
46
|
+
user_plain = ldap.bind_as(:base => @options[:base], :size => 1, :password => password, :filter => user_filter(username))
|
47
|
+
if user_plain
|
46
48
|
include_attributes = @options[:extra_attributes].values + [username_attribute]
|
47
|
-
|
48
|
-
if
|
49
|
-
|
49
|
+
user_plain = ldap.search(:base => @options[:base], :filter => user_filter(username), :attributes => include_attributes)
|
50
|
+
if user_plain.is_a?(Array)
|
51
|
+
user_plain = user_plain.first
|
50
52
|
end
|
51
53
|
end
|
54
|
+
return user_plain
|
52
55
|
end
|
53
56
|
|
54
57
|
def username_attribute
|
55
58
|
@options[:username_attribute] || DEFAULT_USERNAME_ATTRIBUTE
|
56
59
|
end
|
57
60
|
|
58
|
-
def user_filter
|
59
|
-
filter = Net::LDAP::Filter.eq(username_attribute,
|
61
|
+
def user_filter(username)
|
62
|
+
filter = Net::LDAP::Filter.eq(username_attribute, username)
|
60
63
|
unless @options[:filter].nil?
|
61
64
|
filter &= Net::LDAP::Filter.construct(@options[:filter])
|
62
65
|
end
|
63
66
|
filter
|
64
67
|
end
|
65
68
|
|
66
|
-
def generate_user
|
67
|
-
|
68
|
-
username:
|
69
|
-
extra_attributes: extra_attributes
|
69
|
+
def generate_user(user_plain)
|
70
|
+
{
|
71
|
+
username: user_plain[username_attribute].first,
|
72
|
+
extra_attributes: extra_attributes(user_plain)
|
70
73
|
}
|
71
74
|
end
|
72
75
|
|
73
|
-
def extra_attributes
|
76
|
+
def extra_attributes(user_plain)
|
74
77
|
if @options[:extra_attributes]
|
75
78
|
result = {}
|
76
79
|
@options[:extra_attributes].each do |index_result, index_ldap|
|
77
|
-
value =
|
80
|
+
value = user_plain[index_ldap]
|
78
81
|
if value
|
79
82
|
result[index_result] = "#{value.first}"
|
80
83
|
end
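Review bot: `include_attributes = @options[:extra_attributes].values + [username_attribute]` raises `NoMethodError` on every successful bind when `extra_attributes` is not configured, even though `extra_attributes(user_plain)` later in the hunk explicitly guards that option against `nil`; use `(@options[:extra_attributes] || {}).values + [username_attribute]`. `user_filter(username)` also passes the submitted login straight into `Net::LDAP::Filter.eq(username_attribute, username)`, and as far as I can tell net-ldap turns a `*` in that value into a substring match, so a name like `adm*` is matched by wildcard rather than literally — pass `Net::LDAP::Filter.escape(username)` and reject a blank username next to the new password guard. The follow-up `ldap.search` re-runs the username filter without the `:size => 1` limit, so the entry whose attributes are returned is only presumably the one `bind_as` authenticated; searching with `:base => user_plain.first.dn` and base-object scope would tie the returned attributes to the bound entry.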
|
@@ -65,6 +65,15 @@ describe CASino::LDAPAuthenticator do
|
|
65
65
|
end
|
66
66
|
end
|
67
67
|
|
68
|
+
context 'with an empty password' do
|
69
|
+
let(:password) { '' }
|
70
|
+
|
71
|
+
it 'does not call the #bind_as method on the LDAP connection' do
|
72
|
+
connection.should_not_receive(:bind_as)
|
73
|
+
subject.validate(username, password)
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
68
77
|
context 'when validation succeeds for user with missing data' do
|
69
78
|
let(:fullname) { 'Example User' }
|
70
79
|
let(:email) { "#{username}@example.org" }
|