charanya-devise_ldap_authenticatable 0.4.6

data/lib/devise_ldap_authenticatable/exception.rb

@@ -0,0 +1,6 @@
+module DeviseLdapAuthenticatable
+
+  class LdapException < Exception
+  end
+
+end

data/lib/devise_ldap_authenticatable/ldap_adapter.rb

@@ -0,0 +1,237 @@
+require "net/ldap"
+
+module Devise
+
+  module LdapAdapter
+    
+    def self.valid_credentials?(login, password_plaintext)
+      options = {:login => login, 
+                 :password => password_plaintext, 
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+                 
+      resource = LdapConnect.new(options)
+      resource.authorized?
+    end
+    
+    def self.update_password(login, new_password)
+      options = {:login => login,
+                 :new_password => new_password,
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+                 
+      resource = LdapConnect.new(options)
+      resource.change_password! if new_password.present? 
+    end
+    
+    def self.get_groups(login)
+      options = {:login => login, 
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+
+      ldap = LdapConnect.new(options)
+      ldap.user_groups
+    end
+    
+    def self.get_dn(login)
+      options = {:login => login, 
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+      resource = LdapConnect.new(options)
+      resource.dn
+    end
+    
+    # Get the values of the attributes to be synched on to the Applications db.
+    # Application Specific Change
+      
+    def self.get_persistant_attributes(login)
+      options = {:login => login, 
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+      resource = LdapConnect.new(options)
+      resource.persistant_attributes
+    end
+    
+    # Get the value to be compared with the db field for authenticating.
+    # Application Specific Change
+    
+    def self.get_attribute_to_compare(login)
+      options = {:login => login, 
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+      resource = LdapConnect.new(options)
+      resource.attribute_to_compare
+    end
+
+    class LdapConnect
+
+      attr_reader :ldap, :login
+
+      def initialize(params = {})
+        
+        ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        ldap_options = params
+        ldap_options[:encryption] = :simple_tls if ldap_config["ssl"]
+
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config["host"]
+        @ldap.port = ldap_config["port"]
+        @ldap.base = ldap_config["base"]
+        @attribute = ldap_config["attribute"]
+        # Application Specific Change
+        @attribute_to_be_compared = ldap_config["attribute_to_compare"]
+        @attributes_to_persist = ldap_config["attributes_to_persist"]
+        
+        @ldap_auth_username_builder = params[:ldap_auth_username_builder]
+        @group_base = ldap_config["group_base"]
+        @required_groups = ldap_config["required_groups"]        
+        @required_attributes = ldap_config["require_attribute"]
+        
+        @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin] 
+                
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+      end
+      
+      # Application Specific Change
+      def persistant_attributes
+        
+        user_entry = find_ldap_user(ldap)
+        attribute_hash = {}
+       
+        @attributes_to_persist.each do |attr|
+          attribute_hash[attr[1]] = user_entry[attr[0]] 
+        end
+        attribute_hash
+      end
+      
+      # Application Specific Change
+      def attribute_to_compare
+        user_entry = find_ldap_user(ldap)
+        user_entry[@attribute_to_be_compared]
+      end
+
+      def dn
+        DeviseLdapAuthenticatable::Logger.send("LDAP search: #{@attribute}=#{@login}")
+        filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+        ldap_entry = nil
+        @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
+        if ldap_entry.nil?
+          @ldap_auth_username_builder.call(@attribute,@login,@ldap)
+        else
+          ldap_entry.dn
+        end
+      end
+
+      def authenticate!
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+
+      def authenticated?
+        authenticate!
+      end
+      
+      def authorized?
+        DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
+        authenticated? && in_required_groups? && has_required_attribute?
+      end
+      
+      def change_password!
+        update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password))
+      end
+
+      def in_required_groups?     
+        return true unless ::Devise.ldap_check_group_membership
+        
+        ## FIXME set errors here, the ldap.yml isn't set properly.
+        DeviseLdapAuthenticatable::Logger.send("Required Groups are #{@required_groups}")
+        return false if @required_groups.nil?   
+           
+        # admin_ldap = LdapConnect.admin 
+        # Admin bind is not really needed, but might depend on sepecific LDAP configuration.Knome Specific
+        admin_ldap = @ldap
+        
+        for group in @required_groups
+          if group.is_a?(Array)
+            group_attribute, group_name = group
+          else
+            group_attribute = "uniqueMember"
+            group_name = group
+          end
+          admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            unless entry[group_attribute].include? dn
+              DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
+              return false
+            end
+          end
+        end
+        
+        return true
+      end
+      
+      def has_required_attribute?
+        return true unless ::Devise.ldap_check_attributes
+        
+        admin_ldap = LdapConnect.admin
+        
+        user = find_ldap_user(admin_ldap)
+                
+        @required_attributes.each do |key,val|
+          unless user[key].include? val
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}")
+            return false 
+          end
+        end
+        
+        return true
+      end
+      
+      def user_groups
+        admin_ldap = LdapConnect.admin
+
+        DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
+        filter = Net::LDAP::Filter.eq("uniqueMember", dn)
+        admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
+      end
+      
+      private
+      
+      def self.admin
+        ldap = LdapConnect.new(:admin => true).ldap
+        
+        unless ldap.bind
+          DeviseLdapAuthenticatable::Logger.send("Cannot bind to admin LDAP user")
+          raise DeviseLdapAuthenticatable::LdapException, "Cannot connect to admin LDAP user"
+        end
+        
+        return ldap
+      end
+      
+      def find_ldap_user(ldap)
+        DeviseLdapAuthenticatable::Logger.send("Finding user: #{dn}")
+        ldap.search(:base => dn, :scope => Net::LDAP::SearchScope_BaseObject).try(:first)
+      end
+      
+      def update_ldap(ops)
+        operations = []
+        if ops.is_a? Hash
+          ops.each do |key,value|
+            operations << [:replace,key,value]
+          end
+        elsif ops.is_a? Array
+          operations = ops
+        end
+
+        admin_ldap = LdapConnect.admin
+        
+        DeviseLdapAuthenticatable::Logger.send("Modifying user #{dn}")
+        admin_ldap.modify(:dn => dn, :operations => operations)
+      end
+
+    end
+
+  end
+
+end

data/lib/devise_ldap_authenticatable/logger.rb

@@ -0,0 +1,11 @@
+module DeviseLdapAuthenticatable
+
+  class Logger    
+    def self.send(message, logger = Rails.logger)
+      if ::Devise.ldap_logger
+        logger.add 0, "  \e[36mLDAP:\e[0m #{message}"
+      end
+    end
+  end
+
+end

data/lib/devise_ldap_authenticatable/model.rb

@@ -0,0 +1,118 @@
+require 'devise_ldap_authenticatable/strategy'
+
+module Devise
+	module Models
+		# LDAP Module, responsible for validating the user credentials via LDAP.
+		#
+		# Examples:
+		#
+		#		 User.authenticate('email@test.com', 'password123')	 # returns authenticated user or nil
+		#		 User.find(1).valid_password?('password123')				 # returns true/false
+		#
+		module LdapAuthenticatable
+			extend ActiveSupport::Concern
+
+			included do
+				attr_reader :current_password, :password
+				attr_accessor :password_confirmation
+			end
+
+			def login_with
+				self[::Devise.authentication_keys.first]
+			end
+			
+			def reset_password!(new_password, new_password_confirmation)
+				if new_password == new_password_confirmation && ::Devise.ldap_update_password
+					Devise::LdapAdapter.update_password(login_with, new_password)
+				end
+				clear_reset_password_token if valid?
+				save
+			end
+
+			def password=(new_password)
+				@password = new_password
+			end
+
+			# Checks if a resource is valid upon authentication.
+			def valid_ldap_authentication?(password)
+				if Devise::LdapAdapter.valid_credentials?(login_with, password)
+					return true
+				else
+					return false
+				end
+			end
+			
+			def ldap_groups
+				Devise::LdapAdapter.get_groups(login_with)
+			end
+			
+			def ldap_dn
+				Devise::LdapAdapter.get_dn(login_with)
+			end
+			
+			#Adding functions for synchronizing the values(user specified) between LDAP Metadata and Application database entry.
+			# Application Specific Change
+			def ldap_persistant_attributes
+				Devise::LdapAdapter.get_persistant_attributes(login_with) 
+			end
+			
+			def update_persistant_attributes
+				ldap_persistant_attributes.each do |key,value|
+					self[key.to_sym] = value.to_s 
+				end 
+			end
+			
+			# Adding this to get the field in db table with which the provided login detail should be compared to authenticate.
+			# Application Specific Change
+			def attribute_to_compare
+				Devise::LdapAdapter.get_attribute_to_compare(login_with)
+			end
+	 
+
+			module ClassMethods
+				# Authenticate a user based on configured attribute keys. Returns the
+				# authenticated user if it's valid or nil.
+				def authenticate_with_ldap(attributes={}) 
+					
+					@login_with = ::Devise.authentication_keys.first
+					return nil unless attributes[@login_with].present? 
+					
+					# Get the value to be compared within the database against the @login_with field 
+					# According to User Specified details
+					# Application Specific Change
+					 
+					attribute_to_login_with = attributes[@login_with]
+					resource = new
+					resource[@login_with] = attributes[@login_with]
+					resource.password = attributes[:password]
+										
+					if resource.try(:valid_ldap_authentication?, attributes[:password])
+						attribute_to_login_with = resource.attribute_to_compare
+						resource = where(@login_with => attribute_to_login_with).first
+						
+						if (resource.blank? and ::Devise.ldap_create_user)
+							resource = new
+							resource[@login_with] = attributes[@login_with]
+							resource.password = attributes[:password]
+						end
+						unless resource.blank?
+                                                  resource[@login_with] = attributes[@login_with]						
+                                                  resource.update_persistant_attributes
+                                                  DeviseLdapAuthenticatable::Logger.send("Updating persistant attributes") unless resource.new_record?
+                                                  resource.save
+                                                end
+						return resource
+					else
+						return nil
+					end
+				
+				end
+				
+				def update_with_password(resource)
+					puts "UPDATE_WITH_PASSWORD: #{resource.inspect}"
+				end
+				
+			end
+		end
+	end
+end

data/lib/devise_ldap_authenticatable/routes.rb

@@ -0,0 +1,8 @@
+## No routes needed anymore since Devise.add_module with the :route parameter will take care of it.
+
+# ActionController::Routing::RouteSet::Mapper.class_eval do
+# 
+#   protected
+#     # reuse the session routes and controller
+#     alias :ldap_authenticatable :database_authenticatable
+# end

data/lib/devise_ldap_authenticatable/schema.rb

@@ -0,0 +1,14 @@
+## Using email now instead of login. Will add an option later on.
+
+# Devise::Schema.class_eval do
+#     # Creates login
+#     #
+#     # == Options
+#     # * :null - When true, allow columns to be null.
+#     def ldap_authenticatable(options={})
+#       null = options[:null] || false
+# 
+#       apply_schema :login, String, :null => null
+#     end
+# 
+# end

data/lib/devise_ldap_authenticatable/strategy.rb

@@ -0,0 +1,36 @@
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    # Strategy for signing in a user based on his login and password using LDAP.
+    # Redirects to sign_in page if it's not authenticated
+    class LdapAuthenticatable < Authenticatable
+      def valid?
+        valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate_with_ldap)
+      end
+
+      # Authenticate a user based on login and password params, returning to warden
+      # success and the authenticated user if everything is okay. Otherwise redirect
+      # to sign in page.
+      def authenticate!
+        if resource = mapping.to.authenticate_with_ldap(params[scope])
+          success!(resource)
+        else
+          fail(:invalid)
+        end
+      end
+
+      protected
+
+        def valid_controller?
+          params[:controller] == mapping.controllers[:sessions]
+        end
+
+        def valid_params?
+          params[scope] && params[scope][:password].present?
+        end
+    end
+  end
+end
+
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_authenticatable/version.rb

@@ -0,0 +1,4 @@
+module DeviseLdapAuthenticatable
+  VERSION = "0.4.6"
+end
+

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -0,0 +1,61 @@
+module DeviseLdapAuthenticatable
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+    
+    class_option :user_model, :type => :string, :default => "user", :desc => "Model to update"
+    class_option :update_model, :type => :boolean, :default => true, :desc => "Update model to change from database_authenticatable to ldap_authenticatable"
+    class_option :add_rescue, :type => :boolean, :default => true, :desc => "Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException"
+    class_option :advanced, :type => :boolean, :desc => "Add advanced config options to the devise initializer"
+    
+    
+    def create_ldap_config
+      copy_file "ldap.yml", "config/ldap.yml"
+    end
+    
+    def create_default_devise_settings
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"   
+    end
+    
+    def update_user_model
+      gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
+    end
+    
+    def update_application_controller
+      inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
+    end
+    
+    private
+    
+    def default_devise_settings
+      settings = <<-eof
+  # ==> LDAP Configuration 
+  # config.ldap_logger = true
+  # config.ldap_create_user = false
+  # config.ldap_update_password = true
+  # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
+  # config.ldap_check_group_membership = false
+  # config.ldap_check_attributes = false
+  # config.ldap_use_admin_to_bind = false
+  
+      eof
+      if options.advanced?  
+        settings << <<-eof  
+  # ==> Advanced LDAP Configuration
+  # config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "\#{attribute}=\#{login},\#{ldap.base}" }
+  
+        eof
+      end
+      
+      settings
+    end
+    
+    def rescue_from_exception
+      <<-eof
+  rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
+    render :text => exception, :status => 500
+  end
+      eof
+    end
+    
+  end
+end