chaltron 1.0.10 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72571e485760e7bf439a08e096643fb70f0ded45ac64095534fb9b2ae5f3efb5
-  data.tar.gz: 5e00168651cb647adada5c19187a71364344e0ad609f2a186d3efe9169701fbc
+  metadata.gz: c977d4e104c86ab2f4fd73705bff5c85fc86fb47090e10cab3d0b9ad8ed16b7c
+  data.tar.gz: ea483a22e0bc4a3d917072fef88c35cc6312c3aefdefc32757efddb04675d45c
 SHA512:
-  metadata.gz: 18005274020f0076645423b10692f9b189da42f3efbe3234e376b1f0ba9fafd97c787a4f9ba477fe467d33fc260a568647af3bf7dc77aa17c1f259b9b0bbf4cb
-  data.tar.gz: c5b3e8b1670d2eea5db6e551d0950781e5d942f16616a28777ab1b687064f73b694303b2dbe9b28f6dc0d3d92096d528696e7626acf14eb92ed1f8f6195c083b
+  metadata.gz: f723fdbd928eb379f9d289543b708d4de2dfb6581b57140e47ebc9e2b69121261ecf90f75812038ae8b3ef83c0cd1ef1499c6d9264e3638ab57162584c1db84f
+  data.tar.gz: 037d308844d5a4cf8c30ce9be50ca1ebb0ad294ba81bfecb6fa3bf2433c4d4fcf58c194e7630acb9e3f276847a4d017af9f7071bea9a394f3430bf59e71d0794

data/app/controllers/chaltron/ldap_controller.rb

@@ -15,11 +15,11 @@ class Chaltron::LdapController < ApplicationController
     userid = params[:userid]
     if userid.present?
       entry = Chaltron::LDAP::Person.find_by_uid(userid)
-      @entries << entry unless entry.nil?
+      @entries << entry
     else
-      res = Chaltron::LDAP::Person.find_by_fields(find_options)
-      @entries = res
+      @entries = Chaltron::LDAP::Person.find_by_fields(find_options)
     end
+    @entries.compact!
   end
 
   def multi_create
@@ -41,12 +41,12 @@ class Chaltron::LdapController < ApplicationController
   private
   def find_options
     department = params[:department]
-    name       = params[:fullname]
+    name       = params[:lastname]
     limit      = params[:limit].to_i
 
     ret = {}
     ret[:department] = "*#{department}*" unless department.blank?
-    ret[:cn]         = "*#{name}*"       unless name.blank?
+    ret[:last_name]  = "*#{name}*"       unless name.blank?
     ret[:limit]      = limit.zero? ? default_limit : limit
     ret
   end

data/app/controllers/chaltron/omniauth_callbacks_controller.rb

@@ -12,6 +12,7 @@ module Chaltron
       # We only find ourselves here
       # if the authentication to LDAP was successful.
       user = Chaltron::LDAP::User.find_or_create(oauth, Chaltron.ldap_allow_all)
+      user = Chaltron.ldap_after_authenticate.call(user, Chaltron::LDAP::Connection.new)
       if user.nil?
         redirect_to root_url, alert: I18n.t('chaltron.not_allowed_to_sign_in')
       else

data/app/controllers/chaltron/sessions_controller.rb

@@ -1,3 +1,5 @@
+require 'chaltron/ldap/connection'
+
 class Chaltron::SessionsController  < Devise::SessionsController
   after_action :after_login, only: :create
   before_action :before_logout, only: :destroy
@@ -9,6 +11,7 @@ class Chaltron::SessionsController  < Devise::SessionsController
   end
 
   def before_logout
+    Chaltron.ldap_before_logout.call(current_user, Chaltron::LDAP::Connection.new) if current_user.ldap_user?
     info I18n.t('chaltron.logs.logout', user: current_user.display_name)
   end
 end

data/app/models/log.rb

@@ -1,4 +1,4 @@
-class Log < ActiveRecord::Base
+class Log < ApplicationRecord
   Severities = %w( emerg alert crit err warning notice info debug )
 
   validates_presence_of :severity, :message

data/app/models/user.rb

@@ -1,4 +1,4 @@
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   include Authorizable
   # Include default devise modules. Others available are:
   # :registerable, :confirmable, :lockable and :omniauthable
@@ -26,4 +26,8 @@ class User < ActiveRecord::Base
     end
   end
 
+  def ldap_user?
+    provider == 'ldap'
+  end
+
 end

data/app/views/chaltron/ldap/search.html.erb

@@ -5,7 +5,7 @@
     label_col: 'col-sm-2', control_col: 'col-sm-10') do |f| %>
 
     <%= f.text_field :userid, label: t('.name_label'), help: t('.name_help') %>
-    <%= f.text_field :fullname, label: t('.fullname_label'), help: t('.fullname_help') %>
+    <%= f.text_field :lastname, label: t('.lastname_label'), help: t('.lastname_help') %>
     <%= f.text_field :department, label: t('.department_label'), help: t('.department_help') %>
     <%= f.text_field :limit, label: t('.limit_label'), help: t('.limit_help'), value: @limit %>
 

data/app/views/chaltron/users/index.html.erb

@@ -5,7 +5,7 @@
       <%= render partial: 'side_filters', locals: { filters: @filters } %>
       <hr>
 
-      <% if ldap_enabled? %>
+      <% if ldap_enabled? and !Chaltron.ldap_allow_all %>
         <div class='dropdown pull-right'>
           <%= content_tag :button, type: 'button', class: 'btn btn-primary dropdown-toggle',
             data: {toggle: 'dropdown'}, aria: {expanded: false, haspopup: true}, id: 'new_user_button' do %>

data/app/views/chaltron/users/show.html.erb

@@ -66,11 +66,11 @@
   <div class='float-right'>
     <%= link_to edit_user_path(@user), class: 'btn btn-primary' do %>
       <%= icon :fas, :edit, t('.edit') %>
-    <% end %>
+    <% end if can? :edit, @user %>
     <%= link_to @user, method: :delete, class: 'btn btn-danger',
       disabled: current_user == @user,
       data: { confirm: t('.destroy_confirm', user: @user.username) } do %>
       <%= icon :fas, :trash, t('.destroy') %>
-    <% end %>
+    <% end if can? :destroy, @user%>
   </div>
 </div>

data/app/views/locales/en.yml

@@ -70,11 +70,11 @@ en:
         title: Search for LDAP sers
         submit_text: Search
         name_label: User
-        name_help: Search for user-id (exact match)
+        name_help: Search by user-id (exact match)
         fullname_label: Fullname
-        fullname_help: Search for first name or surname (also partial match)
+        fullname_help: Search by last name (also partial match)
         department_label: Department
-        department_help: Search for department (also partial match)
+        department_help: Search by department (also partial match)
         limit_label: Limit
         limit_help: Max shown results
       multi_new:

data/app/views/locales/it.yml

@@ -71,8 +71,8 @@ it:
         submit_text: Cerca
         name_label: Utente
         name_help: Ricerca per user-id (match esatto)
-        fullname_label: Nome
-        fullname_help: Ricerca per nome o cognome (anche match parziale)
+        lastname_label: Nome
+        lastname_help: Ricerca per cognome (anche match parziale)
         department_label: Funzione
         department_help: Ricerca per sigla di funzione (anche match parziale)
         limit_label: Limite

data/config/chaltron_navigation.rb

@@ -6,10 +6,10 @@ SimpleNavigation::Configuration.run do |navigation|
     if signed_in?
       primary.item :admin, I18n.t('chaltron.menu.admin'), '#', link_html: { icon: 'cogs' } do |admin|
         admin.item :users, I18n.t('chaltron.menu.users'), users_path, link_html: { icon: 'users' },
-           highlights_on: /\/(users|ldap)(?!\/self_(show|edit|update))/ if can?(:manage, User)
+           highlights_on: /\/(users|ldap)(?!\/self_(show|edit|update))/ if can?(:read, User)
         admin.item :logs, I18n.t('chaltron.menu.logs'), logs_path, link_html: { icon: 'book' },
            highlights_on: /\/logs/ if can?(:read, Log)
-      end if can?(:manage, User) or can?(:read, Log)
+      end if can?(:read, User) or can?(:read, Log)
       primary.item :logged, current_user.display_name.html_safe, '#',
         html: { class: 'dropdown-menu-right' } do |user|
         user.item :self_edit, I18n.t('chaltron.menu.self_show'), self_show_users_path,

data/config/routes.rb

@@ -15,8 +15,9 @@ Rails.application.routes.draw do
   resources :logs, controller: 'chaltron/logs', only: [:index, :show]
 
   # search and create LDAP users
-  get   'ldap/search'       => 'chaltron/ldap#search'
-  post  'ldap/multi_new'    => 'chaltron/ldap#multi_new'
-  post  'ldap/multi_create' => 'chaltron/ldap#multi_create'
-
+  if Devise.omniauth_providers.include?(:ldap) and !Chaltron.ldap_allow_all
+    get   'ldap/search'       => 'chaltron/ldap#search'
+    post  'ldap/multi_new'    => 'chaltron/ldap#multi_new'
+    post  'ldap/multi_create' => 'chaltron/ldap#multi_create'
+  end
 end

data/lib/chaltron.rb

@@ -14,7 +14,7 @@ module Chaltron
   @@default_roles = []
 
   mattr_accessor :ldap_allow_all
-  @@ldap_allow_all = false
+  @@ldap_allow_all = true
 
   mattr_accessor :enable_syslog
   @@enable_syslog = false
@@ -22,6 +22,29 @@ module Chaltron
   mattr_accessor :syslog_facility
   @@syslog_facility = Syslog::LOG_SYSLOG
 
+  mattr_accessor :ldap_field_mappings
+  @@ldap_field_mappings = {
+    first_name: 'givenname',
+    last_name: 'cn',
+    department: 'department',
+    email: 'mail'
+  }
+
+  mattr_accessor :ldap_group_base
+  @@ldap_group_base = nil
+
+  mattr_accessor :ldap_group_member_filter
+  @@ldap_group_member_filter = -> (entry) { "uniquemember=#{entry.dn}" }
+
+  mattr_accessor :ldap_role_mappings
+  @@ldap_role_mappings = {}
+
+  mattr_accessor :ldap_after_authenticate
+  @@ldap_after_authenticate = -> (user, ldap) { user }
+
+  mattr_accessor :ldap_before_logout
+  @@ldap_before_logout = -> (user, ldap) { }
+
   def self.setup
     yield self
   end

data/lib/chaltron/ldap/connection.rb

@@ -4,6 +4,12 @@ require 'chaltron/ldap/person'
 module Chaltron
   module LDAP
     class Connection
+      NET_LDAP_ENCRYPTION_METHOD = {
+        simple_tls: :simple_tls,
+        start_tls:  :start_tls,
+        plain:      nil
+      }.freeze
+
       attr_reader :ldap
 
       def initialize(params = {})
@@ -16,7 +22,9 @@ module Chaltron
       end
 
       def find_by_uid(id)
-        find_user(uid: id)
+        opts = {}
+        opts[uid.to_sym] = id
+        ret = find_user(opts)
       end
 
       def find_user(*args)
@@ -47,35 +55,31 @@ module Chaltron
             scope: Net::LDAP::SearchScope_BaseObject
           }
         else
-          filters = []
-          fields.each do |field|
-            filters << Net::LDAP::Filter.eq(field, args[field])
+          filters = fields.map do |field|
+            f = translate_field(field)
+            Net::LDAP::Filter.eq(f, args[field]) if f
           end
           options = {
             base: base,
             filter: filters.inject { |sum, n| Net::LDAP::Filter.join(sum, n) }
           }
         end
+        options.merge!(size: limit) unless limit.nil?
+        ldap_search(options).map do |entry|
+          Chaltron::LDAP::Person.new(entry, uid) if entry.respond_to? uid
+        end.compact
+      end
 
-#        if config.user_filter.present?
-#          user_filter = Net::LDAP::Filter.construct(config.user_filter)
-
-#          options[:filter] = if options[:filter]
-#                               Net::LDAP::Filter.join(options[:filter], user_filter)
-#                             else
-#                               user_filter
-#                             end
-#        end
-
-        options.merge!(size: limit) if limit.present?
-
-        entries = ldap_search(options).select do |entry|
-          entry.respond_to? uid
-        end
+      def find_groups_by_member(entry)
+        options = {
+          base: Chaltron.ldap_group_base || base,
+          filter: Chaltron.ldap_group_member_filter.call(entry)
+        }
+        ldap_search(options)
+      end
 
-        entries.map do |entry|
-          Chaltron::LDAP::Person.new(entry, uid)
-        end
+      def update_attributes(dn, args)
+        ldap.modify dn: dn, operations: args.map { |k,v| [:replace, k, v] }
       end
 
       private
@@ -84,15 +88,21 @@ module Chaltron
         Devise.omniauth_configs[:ldap].options
       end
 
+      def translate_field field
+        return uid if field.to_sym == :uid
+        return Chaltron.ldap_field_mappings[field.to_sym] unless Chaltron.ldap_field_mappings[field.to_sym].nil?
+        field
+      end
+
       def adapter_options
-        {
+        opts = {
           host: options[:host],
           port: options[:port],
-          encryption: encryption,
+          encryption: encryption_options,
           verbose: true
-        }.tap do |options|
-          options.merge!(auth_options) if has_auth?
-        end
+        }
+        opts.merge!(auth_options) if has_auth?
+        opts
       end
 
       def base
@@ -103,15 +113,64 @@ module Chaltron
         options[:uid]
       end
 
-      def encryption
-        case options[:method].to_s
-        when 'ssl'
-          :simple_tls
-        when 'tls'
-          :start_tls
-        else
-          nil
+      def encryption_options
+        method = translate_method
+        return unless method
+        {
+          method: method,
+          tls_options: tls_options
+        }
+      end
+
+      def translate_method
+        NET_LDAP_ENCRYPTION_METHOD[options[:encryption]&.to_sym]
+      end
+
+      def tls_options
+        return @tls_options if defined?(@tls_options)
+
+        method = translate_method
+        return unless method
+
+        opts = if options[:verify_certificates] && method != 'plain'
+                 # Dup so we don't accidentally overwrite the constant
+                 OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
+               else
+                 # It is important to explicitly set verify_mode for two reasons:
+                 # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+                 # 2. The net-ldap gem implementation verifies the certificate hostname
+                 #    unless verify_mode is set to VERIFY_NONE.
+                 { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+               end
+
+        opts.merge!(custom_tls_options)
+
+        @tls_options = opts
+      end
+
+      def custom_tls_options
+        return {} unless options['tls_options']
+
+        # Dup so we don't overwrite the original value
+        custom_options = options['tls_options'].dup.delete_if { |_, value| value.nil? || value.blank? }
+        custom_options.symbolize_keys!
+
+        if custom_options[:cert]
+          begin
+            custom_options[:cert] = OpenSSL::X509::Certificate.new(custom_options[:cert])
+          rescue OpenSSL::X509::CertificateError => e
+            Rails.logger.error "LDAP TLS Options 'cert' is invalid for provider #{provider}: #{e.message}"
+          end
+        end
+
+        if custom_options[:key]
+          begin
+            custom_options[:key] = OpenSSL::PKey.read(custom_options[:key])
+          rescue OpenSSL::PKey::PKeyError => e
+            Rails.logger.error "LDAP TLS Options 'key' is invalid for provider #{provider}: #{e.message}"
+          end
         end
+        custom_options
       end
 
       def auth_options

data/lib/chaltron/ldap/person.rb

@@ -44,11 +44,17 @@ module Chaltron
       end
 
       def department
-        entry.department.first rescue nil
+        entry.send(Chaltron.ldap_field_mappings[:department]).first rescue nil
       end
 
       def name
-        entry.cn.first
+        if Chaltron.ldap_field_mappings[:full_name].nil?
+          first_name = entry.send(Chaltron.ldap_field_mappings[:first_name]).first
+          last_name = entry.send(Chaltron.ldap_field_mappings[:last_name]).first
+          "#{first_name} #{last_name}"
+        else
+          entry.send(Chaltron.ldap_field_mappings[:full_name]).first
+        end
       end
 
       def uid
@@ -60,7 +66,7 @@ module Chaltron
       end
 
       def email
-        entry.mail.first rescue nil
+        entry.send(Chaltron.ldap_field_mappings[:email]).first rescue nil
       end
 
       def dn
@@ -71,6 +77,10 @@ module Chaltron
         'ldap'
       end
 
+      def ldap_groups
+        self.class.ldap.find_groups_by_member(self)
+      end
+
       private
 
       def self.ldap

data/lib/chaltron/ldap/user.rb

@@ -20,7 +20,11 @@ module Chaltron
           entry = Chaltron::LDAP::Person.find_by_uid(username)
           if user.nil? and create
             # create user
-            user = entry.create_user Chaltron.default_roles
+            roles = Chaltron.default_roles
+            roles = entry.ldap_groups.map do |e|
+              Chaltron.ldap_role_mappings[e.dn]
+            end.compact if !Chaltron.ldap_role_mappings.blank?
+            user = entry.create_user(roles)
           end
           update_ldap_attributes(user, entry) unless user.nil?
           user

data/lib/chaltron/version.rb

@@ -1,3 +1,3 @@
 module Chaltron
-  VERSION = '1.0.10'.freeze
+  VERSION = '1.1.0'.freeze
 end

data/lib/generators/chaltron/templates/app/models/ability.rb

@@ -31,6 +31,10 @@ class Ability
     user ||= User.new
     if user.is?(:user_admin)
       can :manage, User
+      if Chaltron.ldap_allow_all
+        cannot :edit, User, { provider: 'ldap' }
+        cannot :destroy, User, { provider: 'ldap' }
+      end
       can :read, Log, category: 'user_admin'
     end
     if user.is?(:admin)

data/lib/generators/chaltron/templates/config/initializers/chaltron.rb

@@ -2,13 +2,66 @@ Chaltron.setup do |config|
   # Add new roles to the right and NEVER change role order, or you'll break every role bitmask
   # config.roles = %w( admin user_admin )
 
-  # If ldap enabled (see config/initializers/devise.rb), set this to true to
-  # allow every ldap authenitcated users to access you application
-  # config.ldap_allow_all = false
+  # If LDAP enabled (see config/initializers/devise.rb), chaltron must use
+  # email field and may use first_name, last_name, full_name, department.
+  # Here is the field mapping on you own LDAP server.
+  # Default values are the following:
+  # config.ldap_field_mappings = {
+  #   first_name: 'givenname',
+  #   last_name: 'cn',
+  #   department: 'department',
+  #   email: 'mail'
+  # }
 
-  # Default roles granted to new users (if automatically created)
+  # If LDAP enabled, set this to true to allow every ldap authenitcated
+  # users to access you application
+  # config.ldap_allow_all = true
+
+  # You may set here default roles granted to new users (if automatically created)
   # config.default_roles = []
 
+  # Here you may specify a different base for your LDAP groups
+  # If not specified the :base parameter defined in Devise.omniauth_configs[:ldap] will be used
+  # config.ldap_group_base = 'ou=groups,dc=example,dc=com'
+
+  # Here you may specify a filter to retrieve LDAP group membership
+  # Accept entry (an instance of Chaltron::LDAP::Person) as parameter
+  # Default is
+  # config.ldap_group_member_filter = -> (entry) { "uniquemember=#{entry.dn}" }
+
+  # Roles granted to new users may be retrieved by LDAP group membership.
+  # config.ldap_role_mappings = {
+  #   'DN_of_LDAP_group1' => 'role1',
+  #   'DN_of_LDAP_group2' => 'role2'
+  # }
+
+  # The following callback is called after a successful LDAP authentication
+  # The callback may manipulate the user instance and
+  # must return user if ok, nil if not allowed do login
+  # Takes two parameters:
+  #  - user, current instance of User
+  #  - ldap, a new instance of Chaltron::LDAP::Connection
+  # Default is the following (it does nothing and return user)
+  # config.ldap_after_authenticate =  -> (user, ldap) { user }
+  #
+  # Example:
+  # config.ldap_after_authenticate = -> (user, ldap) {
+  #   ldap.find_by_uid(user.username).entry.enabled == ['true'] ? user : nil
+  # }
+
+  # The following callback is called before logout of an LDAP user
+  # Takes two parameters:
+  #  - user, current instance of User
+  #  - ldap, a new instance of Chaltron::LDAP::Connection
+  # Default is the following (does nothing)
+  # config.ldap_before_logout =  -> (user, ldap) { }
+  #
+  # Example:
+  # config.ldap_before_logout = -> (user, ldap) {
+  #   ldap.update_attributes(user.extern_uid, { lastLogout: Time.now.strftime('%Y%m%d%H%M%S%z') })
+  # }
+  #
+
   # If syslog enabled, all Log records will be available also in syslog flow
   # config.enable_syslog = false
   # config.syslog_facility = Syslog::LOG_SYSLOG

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chaltron
 version: !ruby/object:Gem::Version
-  version: 1.0.10
+  version: 1.1.0
 platform: ruby
 authors:
 - vicvega
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-15 00:00:00.000000000 Z
+date: 2019-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails