devise_ldap_authenticatable 0.8.1 → 0.8.7

data/lib/devise_ldap_authenticatable/model.rb

@@ -1,4 +1,4 @@
-require 'devise_ldap_authenticatable/strategy'
+require 'devise_ldap_authenticatable/strategy'
 
 module Devise
   module Models
@@ -18,7 +18,7 @@ module Devise
       end
 
       def login_with
-        @login_with ||= Devise.mappings[self.class.to_s.underscore.to_sym].to.authentication_keys.first
+        @login_with ||= Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.to.authentication_keys.first
         self[@login_with]
       end
 
@@ -45,15 +45,15 @@ module Devise
 
       # Checks if a resource is valid upon authentication.
       def valid_ldap_authentication?(password)
-        if Devise::LDAP::Adapter.valid_credentials?(login_with, password)
-          return true
-        else
-          return false
-        end
+        Devise::LDAP::Adapter.valid_credentials?(login_with, password)
+      end
+
+      def ldap_entry
+        @ldap_entry ||= Devise::LDAP::Adapter.get_ldap_entry(login_with)
       end
 
       def ldap_groups
-        Devise::LDAP::Adapter.get_groups(login_with)
+        @ldap_groups ||= Devise::LDAP::Adapter.get_groups(login_with)
       end
 
       def in_ldap_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
@@ -61,11 +61,15 @@ module Devise
       end
 
       def ldap_dn
-        Devise::LDAP::Adapter.get_dn(login_with)
+        ldap_entry ? ldap_entry.dn : nil
       end
 
-      def ldap_get_param(login_with, param)
-        Devise::LDAP::Adapter.get_ldap_param(login_with,param)
+      def ldap_get_param(param)
+        if ldap_entry && !ldap_entry[param].empty?
+          value = ldap_entry.send(param)
+        else
+          nil
+        end
       end
 
       #
@@ -76,34 +80,34 @@ module Devise
       # def ldap_before_save
       # end
 
+      # Called after a successful LDAP authentication
+      def after_ldap_authentication
+      end
+
 
       module ClassMethods
-        # Authenticate a user based on configured attribute keys. Returns the
-        # authenticated user if it's valid or nil.
-        def authenticate_with_ldap(attributes={})
+        # Find a user for ldap authentication.
+        def find_for_ldap_authentication(attributes={})
           auth_key = self.authentication_keys.first
           return nil unless attributes[auth_key].present?
 
           auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+      	  auth_key_value = (self.strip_whitespace_keys || []).include?(auth_key) ? auth_key_value.strip : auth_key_value
 
-          # resource = find_for_ldap_authentication(conditions)
           resource = where(auth_key => auth_key_value).first
 
-          if (resource.blank? and ::Devise.ldap_create_user)
+          if resource.blank?
             resource = new
             resource[auth_key] = auth_key_value
             resource.password = attributes[:password]
           end
 
-          if resource.try(:valid_ldap_authentication?, attributes[:password])
-            if resource.new_record?
-              resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
-              resource.save!
-            end
-            return resource
-          else
-            return nil
+          if ::Devise.ldap_create_user && resource.new_record? && resource.valid_ldap_authentication?(attributes[:password])
+            resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
+            resource.save!
           end
+
+          resource
         end
 
         def update_with_password(resource)

data/lib/devise_ldap_authenticatable/strategy.rb

@@ -3,16 +3,37 @@ require 'devise/strategies/authenticatable'
 module Devise
   module Strategies
     class LdapAuthenticatable < Authenticatable
+
+      # Tests whether the returned resource exists in the database and the
+      # credentials are valid.  If the resource is in the database and the credentials
+      # are valid, the user is authenticated.  Otherwise failure messages are returned
+      # indicating whether the resource is not found in the database or the credentials
+      # are invalid.
       def authenticate!
-        resource = valid_password? && mapping.to.authenticate_with_ldap(authentication_hash.merge(password: password))
+        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(:password => password))
+
         return fail(:invalid) unless resource
 
-        if validate(resource)
-          success!(resource)
+        if resource.persisted?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            remember_me(resource)
+            resource.after_ldap_authentication
+            success!(resource)
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+
+        if resource.new_record?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            return fail(:not_found_in_database) # Valid credentials
+          else
+            return fail(:invalid) # Invalid credentials
+          end
         end
       end
     end
   end
 end
 
-Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseLdapAuthenticatable
-  VERSION = "0.8.1".freeze
-end
+  VERSION = "0.8.7".freeze
+end

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -1,55 +1,57 @@
 module DeviseLdapAuthenticatable
   class InstallGenerator < Rails::Generators::Base
     source_root File.expand_path("../templates", __FILE__)
-    
+
     class_option :user_model, :type => :string, :default => "user", :desc => "Model to update"
     class_option :update_model, :type => :boolean, :default => true, :desc => "Update model to change from database_authenticatable to ldap_authenticatable"
     class_option :add_rescue, :type => :boolean, :default => true, :desc => "Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException"
     class_option :advanced, :type => :boolean, :desc => "Add advanced config options to the devise initializer"
-    
-    
+
+
     def create_ldap_config
       copy_file "ldap.yml", "config/ldap.yml"
     end
-    
+
     def create_default_devise_settings
-      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"   
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"
     end
-    
+
     def update_user_model
       gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
     end
-    
+
     def update_application_controller
       inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
     end
-    
+
     private
-    
+
     def default_devise_settings
       settings = <<-eof
-  # ==> LDAP Configuration 
+  # ==> LDAP Configuration
   # config.ldap_logger = true
   # config.ldap_create_user = false
   # config.ldap_update_password = true
   # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
   # config.ldap_check_group_membership = false
+  # config.ldap_check_group_membership_without_admin = false
   # config.ldap_check_attributes = false
+  # config.ldap_check_attributes_presence = false
   # config.ldap_use_admin_to_bind = false
   # config.ldap_ad_group_check = false
-  
+
       eof
-      if options.advanced?  
-        settings << <<-eof  
+      if options.advanced?
+        settings << <<-eof
   # ==> Advanced LDAP Configuration
   # config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "\#{attribute}=\#{login},\#{ldap.base}" }
-  
+
         eof
       end
-      
+
       settings
     end
-    
+
     def rescue_from_exception
       <<-eof
   rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
@@ -57,6 +59,6 @@ module DeviseLdapAuthenticatable
   end
       eof
     end
-    
+
   end
 end

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -1,8 +1,9 @@
 ## Authorizations
 # Uncomment out the merging for each environment that you'd like to include.
 # You can also just copy and paste the tree (do not include the "authorizations") to each
-# environment if you need something different per enviornment.
+# environment if you need something different per environment.
 authorizations: &AUTHORIZATIONS
+  allow_unauthenticated_bind: false
   group_base: ou=groups,dc=test,dc=com
   ## Requires config.ldap_check_group_membership in devise.rb be true
   # Can have multiple values, must match all to be authorized
@@ -17,6 +18,12 @@ authorizations: &AUTHORIZATIONS
   require_attribute:
     objectClass: inetOrgPerson
     authorizationRole: postsAdmin
+  ## Requires config.ldap_check_attributes_presence in devise.rb to be true
+  ## Can have multiple attributes set to true or false to check presence, all must match all to be authorized
+  require_attribute_presence:
+    mail: true
+    telephoneNumber: true
+    serviceAccount: false
 
 ## Environment
 

data/spec/rails_app/config/initializers/devise.rb

@@ -16,6 +16,11 @@ Devise.setup do |config|
   # note that it will be overwritten if you use your own mailer class with default "from" parameter.
   config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
+
+  if ::Devise.respond_to?(:secret_key)
+    ::Devise.secret_key = '012a16191a7f61e84e55704e34b73db991a23ba396b6b7760596a3e80073e4464c55421c42a1a34327dee44828bec6745c48eba10cc0866799ec95c09ea27ada'
+  end
+
   # Configure the class responsible to send e-mails.
   # config.mailer = "Devise::Mailer"
 

data/spec/rails_app/config/ldap.yml

@@ -7,7 +7,9 @@ authorizations: &AUTHORIZATIONS
   require_attribute:
     objectClass: inetOrgPerson
     authorizationRole: blogAdmin
-    
+  require_attribute_presence:
+    mail: true
+
 test: &TEST
   host: localhost
   port: 3389
@@ -17,6 +19,6 @@ test: &TEST
   admin_password: secret
   ssl: false
   <<: *AUTHORIZATIONS
-  
+
 development:
   <<: *TEST

data/spec/rails_app/config/ldap_with_erb.yml

@@ -6,9 +6,11 @@ authorizations: &AUTHORIZATIONS
   required_groups:
     - cn=admins,<%= "ou=groups,#{@base}" %>
   require_attribute:
-    objectClass: inetOrgPerson
+    objectClass:
+      - inetOrgPerson
+      - organizationalPerson
     authorizationRole: blogAdmin
-    
+
 test: &TEST
   host: <%= "localhost" %>
   port: 3389
@@ -18,6 +20,6 @@ test: &TEST
   admin_password: secret
   ssl: false
   <<: *AUTHORIZATIONS
-  
+
 development:
   <<: *TEST

data/spec/rails_app/config/locales/devise.en.yml

@@ -17,6 +17,7 @@ en:
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'
+      not_found_in_database: "Your account is not present in this application's database."
       invalid: 'Invalid email or password.'
       invalid_token: 'Invalid authentication token.'
       timeout: 'Your session expired, please sign in again to continue.'

data/spec/rails_app/db/migrate/20100708120448_devise_create_users.rb

@@ -1,4 +1,4 @@
-class DeviseCreateUsers < ActiveRecord::Migration
+class DeviseCreateUsers < ActiveRecord::Migration[5.1]
   def self.up
     create_table(:users) do |t|
       ## Database authenticatable

data/spec/rails_app/db/schema.rb

@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -13,23 +12,22 @@
 
 ActiveRecord::Schema.define(version: 20100708120448) do
 
-  create_table "users", force: true do |t|
-    t.string   "email",                  default: "", null: false
-    t.string   "encrypted_password",     default: "", null: false
-    t.string   "reset_password_token"
+  create_table "users", force: :cascade do |t|
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
     t.datetime "reset_password_sent_at"
     t.datetime "remember_created_at"
-    t.integer  "sign_in_count",          default: 0
+    t.integer "sign_in_count", default: 0
     t.datetime "current_sign_in_at"
     t.datetime "last_sign_in_at"
-    t.string   "current_sign_in_ip"
-    t.string   "last_sign_in_ip"
-    t.string   "uid"
-    t.datetime "created_at"
-    t.datetime "updated_at"
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.string "uid"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end
 
-  add_index "users", ["email"], name: "index_users_on_email", unique: true
-  add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
-
 end

data/spec/spec_helper.rb

@@ -2,9 +2,16 @@ ENV["RAILS_ENV"] = "test"
 
 require File.expand_path("rails_app/config/environment.rb",  File.dirname(__FILE__))
 require 'rspec/rails'
-require 'rspec/autorun'
 require 'factory_girl' # not sure why this is not already required
 
+# Rails 4.1 and RSpec are a bit on different pages on who should run migrations
+# on the test db and when.
+#
+# https://github.com/rspec/rspec-rails/issues/936
+if defined?(ActiveRecord::Migration) && ActiveRecord::Migration.respond_to?(:maintain_test_schema!)
+  ActiveRecord::Migration.maintain_test_schema!
+end
+
 Dir[File.expand_path("support/**/*.rb", File.dirname(__FILE__))].each {|f| require f}
 
 RSpec.configure do |config|
@@ -42,6 +49,7 @@ def default_devise_settings!
   ::Devise.ldap_config = "#{Rails.root}/config/#{"ssl_" if ENV["LDAP_SSL"]}ldap.yml"
   ::Devise.ldap_check_group_membership = false
   ::Devise.ldap_check_attributes = false
+  ::Devise.ldap_check_attributes_presence = false
   ::Devise.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
   ::Devise.authentication_keys = [:email]
 end

data/spec/unit/adapter_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe Devise::LDAP::Adapter do
+  describe '#expired_valid_credentials?' do
+    before do
+      ::Devise.ldap_use_admin_to_bind = true
+      expect_any_instance_of(Devise::LDAP::Connection).to receive(:expired_valid_credentials?)
+    end
+
+    it 'can bind as the admin user' do
+      expect(Devise::LDAP::Connection).to receive(:new)
+        .with(hash_including(
+                  :login => 'test.user@test.com',
+                  :password => 'pass',
+                  :ldap_auth_username_builder => kind_of(Proc),
+                  :admin => true)).and_call_original
+
+      Devise::LDAP::Adapter.expired_valid_credentials?('test.user@test.com', 'pass')
+    end
+  end
+end

data/spec/unit/connection_spec.rb

@@ -0,0 +1,121 @@
+require File.expand_path('../spec_helper', File.dirname(__FILE__))
+
+describe 'Connection' do
+  it 'accepts a proc for ldap_config' do
+    ::Devise.ldap_config = Proc.new() {{
+      'host' => 'localhost',
+      'port' => 3389,
+      'base' => 'ou=testbase,dc=test,dc=com',
+      'attribute' => 'cn',
+    }}
+    connection = Devise::LDAP::Connection.new()
+    expect(connection.ldap.base).to eq('ou=testbase,dc=test,dc=com')
+  end
+
+  it 'allows encryption options to be set in ldap_config' do
+    ::Devise.ldap_config = Proc.new() {{
+      'host' => 'localhost',
+      'port' => 3389,
+      'base' => 'ou=testbase,dc=test,dc=com',
+      'attribute' => 'cn',
+      'encryption' => {
+        :method => :simple_tls,
+        :tls_options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+      }
+    }}
+    connection = Devise::LDAP::Connection.new()
+    expect(connection.ldap.instance_variable_get(:@encryption)).to eq({
+      :method => :simple_tls,
+      :tls_options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+    })
+  end
+
+  class TestOpResult
+    attr_accessor :error_message
+  end
+
+  describe '#expired_valid_credentials?' do
+    let(:conn) { double(Net::LDAP).as_null_object }
+    let(:error) { }
+    let(:is_authed) { false }
+    before do
+      expect(Net::LDAP).to receive(:new).and_return(conn)
+      allow(conn).to receive(:get_operation_result).and_return(TestOpResult.new.tap{|r| r.error_message = error})
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:authenticated?).and_return(is_authed)
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:dn).and_return('any dn')
+      expect(DeviseLdapAuthenticatable::Logger).to receive(:send).with('Authorizing user any dn')
+    end
+    subject do
+      Devise::LDAP::Connection.new.expired_valid_credentials?
+    end
+
+    context do
+      let(:error) { 'THIS PART CAN BE ANYTHING AcceptSecurityContext error, data 773 SO CAN THIS' }
+      it 'is true when expired credential error is returned and not already authenticated' do
+        expect(subject).to be true
+      end
+    end
+
+    context do
+      it 'is false when expired credential error is not returned and not already authenticated' do
+        expect(subject).to be false
+      end
+    end
+
+    context do
+      let(:is_authed) { true }
+      it 'is false when expired credential error is not returned and already authenticated' do
+        expect(subject).to be false
+      end
+    end
+  end
+
+  describe '#authorized?' do
+    let(:conn) { double(Net::LDAP).as_null_object }
+    let(:error) { }
+    let(:log_message) { }
+    let(:is_authed) { false }
+    before do
+      expect(Net::LDAP).to receive(:new).and_return(conn)
+      allow(conn).to receive(:get_operation_result).and_return(TestOpResult.new.tap{|r| r.error_message = error})
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:authenticated?).and_return(is_authed)
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:dn).and_return('any dn')
+      expect(DeviseLdapAuthenticatable::Logger).to receive(:send).with('Authorizing user any dn')
+    end
+    subject do
+      Devise::LDAP::Connection.new.authorized?
+    end
+    context do
+      before { expect(DeviseLdapAuthenticatable::Logger).to receive(:send).with(log_message) }
+
+      context do
+        let(:error) { 'THIS PART CAN BE ANYTHING AcceptSecurityContext error, data 52e SO CAN THIS' }
+        let(:log_message) { 'Not authorized because of invalid credentials.' }
+        it 'is false when credential error is returned' do
+          expect(subject).to be false
+        end
+      end
+      context do
+        let(:error) { 'THIS PART CAN BE ANYTHING AcceptSecurityContext error, data 773 SO CAN THIS' }
+        let(:log_message) { 'Not authorized because of expired credentials.' }
+        it 'is false when expired error is returned' do
+          expect(subject).to be false
+        end
+      end
+      context do
+        let(:error) { 'any error' }
+        let(:log_message) { 'Not authorized because not authenticated.' }
+        it 'is false when any other error is returned' do
+          expect(subject).to be false
+        end
+      end
+    end
+
+    context do
+      let(:is_authed) { true }
+      it 'is true when already authenticated' do
+        expect(subject).to be true
+      end
+    end
+  end
+end