devise-multi-radius-authenticatable 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 33be02fd9225ced103b86617484e87c2008602a3
+  data.tar.gz: 52486855979a8293a3dc4b4cdde25cd7899273cc
+SHA512:
+  metadata.gz: fddfcf4842b11236fc1e261191fcbdbe354cf8208c151f1a226136b49384c664607a5f4ed4da1706e24ef9b9ff0b22b4b3588840253b056c84554cc28d6dbd2b
+  data.tar.gz: 30f6afd9306663d2167a809654f50d38d4d983b50955833dd4736f7fed8e208d1f7dc3df9e3838771cf9a7e63405a58320372ade242ad50cd754cee86cb84055

data/.gitignore

@@ -0,0 +1,7 @@
+Gemfile.lock
+log
+*~
+*.gem
+tmp
+rdoc
+

data/.rspec

@@ -0,0 +1,2 @@
+--color
+

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+bundler_args: --binstubs
+script: bundle exec rspec spec

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gemspec

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2012 Calvin Bascom
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,85 @@
+Devise Radius Authenticatable
+=============================
+
+[![Gem Version](https://badge.fury.io/rb/devise-radius-authenticatable.png)](http://badge.fury.io/rb/devise-radius-authenticatable)
+[![Build Status](https://travis-ci.org/mzaccari/devise-radius-authenticatable.png)](https://travis-ci.org/mzaccari/devise-radius-authenticatable)
+[![Code Climate](https://codeclimate.com/github/cbascom/devise-radius-authenticatable.png)](https://codeclimate.com/github/cbascom/devise-radius-authenticatable)
+
+Devise Radius Authenticatable is a Radius authentication strategy for [Devise](http://github.com/plataformatec/devise).
+
+Dependencies
+------------
+
+- Rails ~> 3.x or 4.x
+- Devise ~> 3.x
+- radiustar ~> 0.0.8
+
+Installation
+------------
+
+In the Gemfile for your application:
+
+    gem "devise", "~> 3.2"
+    gem "devise-radius-authenticatable"
+
+Setup
+-----
+
+Run the rails generators for devise (please check the [devise](http://github.com/plataformatec/devise) documents for further instructions)
+
+    rails generate devise:install
+    rails generate devise MODEL_NAME
+
+Run the rails generator for devise-radius-authenticatable.  Note that the generator is named with underscores instead of hyphens due to rails restrictions.
+
+    rails generate devise_radius_authenticatable:install <IP> <SECRET> [options]
+
+This will update the devise.rb initializer. The IP and SECRET parameters specify the IP address and shared secret for the radius server.  There are also some options you can pass to the generator to customize some default settings:
+
+Options:
+
+    [--uid-field=UID_FIELD]                                  # What database column to use for the UID
+                                                             # Default: uid
+    [--port=PORT]                                            # The port to connect to the radius server on
+                                                             # Default: 1812
+    [--timeout=TIMEOUT]                                      # How long to wait for a response from the radius server
+                                                             # Default: 60
+    [--retries=RETRIES]                                      # How many times to retry a radius request
+                                                             # Default: 0
+    [--dictionary-path=DICTIONARY_PATH]                      # The path to load radius dictionary files from
+    [--handle-timeout-as-failure=HANDLE_TIMEOUT_AS_FAILURE]  # Option to handle radius timeout as authentication failure
+                                                             # Default: false
+
+Documentation
+-------------
+
+The rdocs for the gem are available here: http://rubydoc.info/github/cbascom/devise-radius-authenticatable/master/frames
+
+Usage
+-----
+
+In order to use the radius_authenticatable strategy, you must modify your user model to use the :radius_authenticatable module.  The radius_authenticatable strategy can be used standalone or along with database_authenticatable and any other strategies you wish to include. If you use radius_authenticatable alongside other authentication strategies, the default order for the strategies is determined by the order they are loaded in.  The last loaded strategy will be the first strategy executed. The order of these strategies can be configured in the devise.rb initializer as follows:
+
+    config.warden do |warden_config|
+      warden_config.default_strategies(:database_authenticatable,
+                                       :radius_authenticatable,
+                                       {:scope => :admin})
+    end
+
+The radius_authenticatable strategy will stop warden from continuing to the next strategy if authentication to the radius server is successful, but will have warden continue to the next stratgey if authentication to the radius server fails.
+
+The field that is used for logins is the first key that's configured in the Devise `config.authentication_keys` settings, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise.
+
+Configuration
+-------------
+
+The radius_authenticatable module is configured through the normal devise initializer `config/initializers/devise.rb`.  The initial values are added to the file when you run the devise_radius_authenticatable:install generator as described previously.
+
+References
+----------
+
+* [FreeRadius](http://www.freeradius.org/)
+* [Devise](http://github.com/plataformatec/devise)
+* [Warden](http://github.com/hassox/warden)
+
+Copyright (c) 2012-2013 Calvin Bascom Released under the MIT license

data/Rakefile

@@ -0,0 +1,16 @@
+require File.expand_path('spec/rails_app/config/environment', File.dirname(__FILE__))
+require 'rdoc/task'
+
+desc 'Default: run test suite.'
+task :default => :spec
+
+desc 'Generate documentation for the devise-radius-authenticatable gem.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Devise Radius Authenticatable'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+RailsApp::Application.load_tasks

data/devise-multi-radius-authenticatable.gemspec

@@ -0,0 +1,32 @@
+# -*- encoding: utf-8 -*-
+
+require File.expand_path("../lib/devise/radius_authenticatable/version", __FILE__)
+
+Gem::Specification.new do |s|
+  s.name        = "devise-multi-radius-authenticatable"
+  s.version     = Devise::RadiusAuthenticatable::VERSION.dup
+  s.platform    = Gem::Platform::RUBY
+  s.summary     = "Devise extension to allow authentication via one or more RADIUS servers"
+  s.email       = "michael.zaccari@gmail.com"
+  s.homepage    = "http://github.com/mzaccari/devise-radius-authenticatable"
+  s.description = "A new authentication strategy named radius_authenticatable is added to the list of warden strategies when the model requests it.  The radius server information is configured through the devise initializer. One or more servers may be configured.  When a user attempts to authenticate via radius, the radiustar gem is used to perform the authentication with each server until a response is received.  This authentication strategy can be used in place of the database_authenticatable or alongside it depending on the needs of the application."
+  s.authors     = ['Michael Zaccari']
+  s.license     = 'MIT'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- spec/*`.split("\n")
+  s.require_paths = ["lib"]
+
+  s.add_dependency('devise', '~> 3')
+  s.add_dependency('radiustar', '~> 0.0.8')
+
+  s.add_development_dependency('rake', '~> 10.2.2')
+  s.add_development_dependency('rails', '~> 4')
+  s.add_development_dependency('sqlite3', '~> 1.3')
+  s.add_development_dependency('rspec', '~> 2.14')
+  s.add_development_dependency('rspec-rails', '~> 2.14')
+  s.add_development_dependency('factory_girl', '~> 4.4')
+  s.add_development_dependency('capybara', '~> 2.2.1')
+  s.add_development_dependency('launchy')
+  s.add_development_dependency('ammeter', '~> 0.2')
+end

data/lib/devise-radius-authenticatable.rb

@@ -0,0 +1,8 @@
+require 'devise/radius_authenticatable'
+
+module Devise
+  module RadiusAuthenticatable
+    autoload :TestHelpers, 'devise/radius_authenticatable/test_helpers'
+  end
+end
+

data/lib/devise/models/radius_authenticatable.rb

@@ -0,0 +1,187 @@
+require 'radiustar'
+require 'devise/strategies/radius_authenticatable'
+
+module Devise
+  module Models
+    # The RadiusAuthenticatable module is responsible for validating a user's credentials
+    # against the configured radius server.  When authentication is successful, the
+    # attributes returned by the radius server are made available via the
+    # +radius_attributes+ accessor in the user model.
+    #
+    # The RadiusAuthenticatable module works by using the configured
+    # +radius_uid_generator+ to generate a UID based on the username and the radius server
+    # hostname or IP address.  This UID is used to see if an existing record representing
+    # the user already exists.  If it does, radius authentication proceeds through that
+    # user record.  Otherwise, a new user record is built and authentication proceeds.
+    # If authentication is successful, the +after_radius_authentication+ callback is
+    # invoked, the default implementation of which simply saves the user record with
+    # validations disabled.
+    #
+    # The radius username is extracted from the parameters hash by using the first
+    # configured value in the +Devise.authentication_keys+ array.  If the authentication
+    # key is in the list of case insensitive keys, the username will be converted to
+    # lowercase prior to authentication.
+    #
+    # == Options
+    #
+    # RadiusAuthenticable adds the following options to devise_for:
+    # * +radius_server+: The hostname or IP address of the radius server.
+    # * +radius_servers+: An array of hostnames or IP addresses for radius servers,
+    #    with optional port.
+    # * +radius_server_port+: The port the radius server is listening on.
+    # * +radius_server_secret+: The shared secret configured on the radius server.
+    # * +radius_server_timeout+: The number of seconds to wait for a response from the
+    #   radius server.
+    # * +radius_server_retries+: The number of times to retry a request to the radius
+    #   server.
+    # * +radius_uid_field+: The database column to store the UID in
+    # * +radius_uid_generator+: A proc that takes the username and server as parameters
+    #   and returns a string representing the UID
+    # * +radius_dictionary_path+: The path containing the radius dictionary files to load
+    # * +handle_radius_timeout_as_failure+: Option to handle radius timeout as authentication failure
+    #
+    # == Callbacks
+    #
+    # The +after_radius_authentication+ callback is invoked on the user record when
+    # radius authentication succeeds for that user but prior to Devise checking if the
+    # user is active for authentication.  Its default implementation simply saves the
+    # user record with validations disabled.  This method should be overriden if further
+    # actions should be taken to make the user valid or active for authentication.  If
+    # you override it, be sure to either call super to save the record or to save the
+    # record yourself.
+    #
+    # Authorization callbacks are triggered when +after_radius_authentication is
+    # called:
+    # * +before_radius_authorization :method_name
+    # * +around_radius_authorization :method_name
+    # * +after_radius_authorization :method_name
+    module RadiusAuthenticatable
+      extend ActiveSupport::Concern
+
+      ACCESS_ACCEPT = 'Access-Accept'
+
+      included do
+        attr_accessor :radius_attributes
+        define_model_callbacks :radius_authorization
+      end
+
+      # Use the currently configured radius server to attempt to authenticate the
+      # supplied username and password.  If authentication succeeds, make the radius
+      # attributes returned by the server available via the radius_attributes accessor.
+      # Returns true if authentication was successful and false otherwise.
+      #
+      # Parameters::
+      # * +username+: The username to send to the radius server
+      # * +password+: The password to send to the radius server
+      def valid_radius_password?(username, password)
+        reply   = nil
+        secret  = self.class.radius_server_secret
+        options = {
+          reply_timeout:  self.class.radius_server_timeout,
+          retries_number: self.class.radius_server_retries
+        }
+
+        if self.class.radius_dictionary_path
+          options[:dict] = Radiustar::Dictionary.new(self.class.radius_dictionary_path)
+        end
+
+        self.class.radius_servers_with_ports.each do |server, port|
+          req = Radiustar::Request.new("#{server}:#{port}", options)
+
+          # The authenticate method will raise a RuntimeError if we time
+          # out waiting for a response from the server. If the server responds,
+          # break and process the radius response. If not, try the next server.
+          begin
+            reply = req.authenticate(username, password, secret)
+            break
+          rescue
+            next
+          end
+        end
+
+        # Handle the error if no servers respond.
+        unless reply
+          return false if self.class.handle_radius_timeout_as_failure
+          raise
+        end
+
+        if reply[:code] == ACCESS_ACCEPT
+          reply.extract!(:code)
+          self.radius_attributes = reply
+          true
+        else
+          false
+        end
+      end
+
+      # Callback invoked by the RadiusAuthenticatable strategy after
+      # authentication with the radius server has succeeded and devise has
+      # indicated the model is valid. This callback is invoked prior to devise
+      # checking if the model is active for authentication.
+      def after_radius_authentication
+        run_callbacks :radius_authorization do
+          self.save(validate: false)
+        end
+      end
+
+      module ClassMethods
+
+        Devise::Models.config(self, :radius_server, :radius_servers, :radius_server_port,
+                              :radius_server_secret, :radius_server_timeout,
+                              :radius_server_retries, :radius_uid_field,
+                              :radius_uid_generator, :radius_dictionary_path,
+                              :handle_radius_timeout_as_failure)
+
+        # Invoked by the RadiusAuthenticatable stratgey to perform the authentication
+        # against the radius server.  The username is extracted from the authentication
+        # hash and a UID is generated from the username and server IP.  We then search
+        # for an existing resource using the UID and configured UID field.  If no resource
+        # is found, a new resource is built (not created).  If authentication is
+        # successful the callback is responsible for saving the resource.  Returns the
+        # resource if authentication succeeds and nil if it does not.
+        def find_for_radius_authentication(authentication_hash)
+          uid_field = self.radius_uid_field.to_sym
+          username, password = radius_credentials(authentication_hash)
+          uid = self.radius_uid_generator.call(username, self.radius_server)
+
+          resource = find_for_authentication({ uid_field => uid }) ||
+            new(uid_field => uid)
+
+          resource.valid_radius_password?(username, password) ? resource : nil
+        end
+
+        # Extract the username and password from the supplied authentication hash.  The
+        # username is extracted using the first value from +Devise.authentication_keys+.
+        # The username is converted to lowercase if the authentication key is in the list
+        # of case insensitive keys configured for Devise.
+        def radius_credentials(authentication_hash)
+          key = self.authentication_keys.first
+          value = authentication_hash[key]
+          value.downcase! if (self.case_insensitive_keys || []).include?(key)
+
+          [value, authentication_hash[:password]]
+        end
+
+        # Returns an enumerable that provides each server with it's configured
+        # port. If no port is given with the server config, the default
+        # +radius_server_port is used.
+        def radius_servers_with_ports
+          @radius_servers_with_ports ||= begin
+            retval   = []
+            servers  = self.radius_servers
+            servers += [self.radius_server] if self.radius_server
+
+            servers.each do |server|
+              server, port = server.split(':')
+              port ||= self.radius_server_port
+
+              retval << [server, port]
+            end
+
+            retval
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise/radius_authenticatable.rb

@@ -0,0 +1,45 @@
+require 'devise'
+
+module Devise
+  # The hostname or IP address of the radius server
+  mattr_accessor :radius_server
+
+  # A list of radius servers with optional port.
+  # Example: ['127.0.0.1:11812', '10.20.30.40']
+  mattr_accessor :radius_servers
+  @@radius_servers = []
+
+  # The port for the radius server
+  mattr_accessor :radius_server_port
+  @@radius_server_port = 1812
+
+  # The secret for the radius server
+  mattr_accessor :radius_server_secret
+
+  # The timeout in seconds for radius requests
+  mattr_accessor :radius_server_timeout
+  @@radius_server_timeout = 60
+
+  # The number of times to retry radius requests
+  mattr_accessor :radius_server_retries
+  @@radius_server_retries = 0
+
+  # The database column that holds the unique identifier for the radius user
+  mattr_accessor :radius_uid_field
+  @@radius_uid_field = :radius_uid
+
+  # The procedure to use to build the unique identifier for the radius user
+  mattr_accessor :radius_uid_generator
+  @@radius_uid_generator = Proc.new { |username, server| "#{username}@#{server}" }
+
+  # The path to load radius dictionary files from
+  mattr_accessor :radius_dictionary_path
+
+  # Option to handle radius timeout as authentication failure
+  mattr_accessor :handle_radius_timeout_as_failure
+  @@handle_radius_timeout_as_failure = false
+
+end
+
+Devise.add_module(:radius_authenticatable, :route => :session, :strategy => true,
+                  :controller => :sessions, :model  => true)

data/lib/devise/radius_authenticatable/test_helpers.rb

@@ -0,0 +1,126 @@
+require 'singleton'
+
+module Devise
+  module RadiusAuthenticatable
+    # The Devise::RadiusAuthenticatable::TestHelpers module provides a very simple stub
+    # server through the RadiusServer class.  It modifies the Radiustar::Request.new
+    # method to create a request in the stub server that can be used to check that the
+    # proper information is passed to the radius server.  It also modifies the
+    # Radiustar::Request#authenticate method to perform authentication against the stub
+    # server.
+    #
+    # The RadiusServer class offers a simple interface for creating users prior to your
+    # tests.  The create_radius_user method allows for the creation of a radius user
+    # within the stub server.  The radius_server method provides the RadiusServer instance
+    # that test assertions can be performed against.
+    #
+    # The stub server is a singleton class to provide easy access.  This means that it
+    # needs to have all state cleared out between tests.  The clear_radius_users and
+    # clear_radius_request methods offer an easy way to clear the user and request info
+    # out of the server between tests.
+    module TestHelpers
+      def radius_server
+        RadiusServer.instance
+      end
+
+      def create_radius_user(username, password, attributes = {})
+        RadiusServer.instance.add_user(username, password, attributes)
+      end
+
+      def clear_radius_users
+        RadiusServer.instance.clear_users
+      end
+
+      def clear_radius_request
+        RadiusServer.instance.clear_request
+      end
+
+      # Stub RadiusServer that allows testing of radius authentication without a real
+      # server.
+      class RadiusServer
+        include Singleton
+
+        attr_reader :url, :options
+
+        def initialize
+          clear_users
+          clear_request
+        end
+
+        # Stores the information about the radius request that would have been sent to
+        # the radius server.  This information can be queried to determine that the
+        # proper information is being sent.
+        def create_request(url, options)
+          @url = url
+          @options = options
+        end
+
+        # Clear the request information that is stored.
+        def clear_request
+          @url = nil
+          @options = nil
+        end
+
+        # Add a user to the radius server to use for authentication purposes.  A couple
+        # of default attributes will be returned in the auth response if no attributes
+        # are supplied when creating the user.
+        def add_user(username, password, attributes = {})
+          @users[username] = {}
+          @users[username][:password] = password
+          if attributes.empty?
+            @users[username][:attributes] = {
+              'User-Name' => username,
+              'Filter-Id' => 60
+            }
+          else
+            @users[username][:attributes] = attributes
+          end
+        end
+
+        # Clear the users that have been configured for the radius server.
+        def clear_users
+          @users = {}
+        end
+
+        # Accessor to retrieve the attributes configured for the specified user.
+        def attributes(username)
+          @users[username][:attributes]
+        end
+
+        # Called to perform authentication using the specified username and password.  If
+        # the authentication is successful, an Access-Accept is returned along with the
+        # radius attributes configured for the user.  If authentication fails, an
+        # Access-Reject is returned.
+        def authenticate(username, password)
+          if @users[username] && @users[username][:password] == password
+            { :code => 'Access-Accept' }.merge(@users[username][:attributes])
+          else
+            { :code => 'Access-Reject' }
+          end
+        end
+      end
+
+      def self.included(mod)
+        Radiustar::Request.class_eval do
+          def initialize(url, options = {})
+            Devise::RadiusAuthenticatable::TestHelpers::RadiusServer.instance.
+              create_request(url, options)
+          end
+
+          def authenticate(username, password, secret)
+            Devise::RadiusAuthenticatable::TestHelpers::RadiusServer.instance.
+              authenticate(username, password)
+          end
+        end
+
+        if mod.respond_to?(:after)
+          mod.after(:each) do
+            Devise::RadiusAuthenticatable::TestHelpers::RadiusServer.instance.
+              clear_request
+            Devise::RadiusAuthenticatable::TestHelpers::RadiusServer.instance.clear_users
+          end
+        end
+      end
+    end
+  end
+end