devise_ldap_authenticatable 0.8.1 → 0.8.7

data/spec/unit/user_spec.rb

@@ -16,7 +16,7 @@ describe 'Users' do
       reset_ldap_server!
     end
 
-    describe "look up and ldap user" do
+    describe "look up an ldap user" do
       it "should return true for a user that does exist in LDAP" do
         assert_equal true, ::Devise::LDAP::Adapter.valid_login?('example.user@test.com')
       end
@@ -48,7 +48,7 @@ describe 'Users' do
         should_be_validated @user, "secret"
         @user.password = "changed"
         @user.change_password!("secret")
-        should_be_validated @user, "changed", "password was not changed properly on the LDAP sevrer"
+        should_be_validated @user, "changed", "password was not changed properly on the LDAP server"
       end
 
       it "should not allow to change password if setting is false" do
@@ -66,9 +66,10 @@ describe 'Users' do
         assert(User.all.blank?, "There shouldn't be any users in the database")
       end
 
-      it "should don't create user in the database" do
-        @user = User.authenticate_with_ldap(:email => "example.user@test.com", :password => "secret")
+      it "should not create user in the database" do
+        @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
         assert(User.all.blank?)
+        assert(@user.new_record?)
       end
 
       describe "creating users is enabled" do
@@ -77,18 +78,19 @@ describe 'Users' do
         end
 
         it "should create a user in the database" do
-          @user = User.authenticate_with_ldap(:email => "example.user@test.com", :password => "secret")
+          @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
           assert_equal(User.all.size, 1)
-          User.all.collect(&:email).should include("example.user@test.com")
+          expect(User.all.collect(&:email)).to include("example.user@test.com")
+          assert(@user.persisted?)
         end
 
         it "should not create a user in the database if the password is wrong_secret" do
-          @user = User.authenticate_with_ldap(:email => "example.user", :password => "wrong_secret")
+          @user = User.find_for_ldap_authentication(:email => "example.user", :password => "wrong_secret")
           assert(User.all.blank?, "There's users in the database")
         end
 
-        it "should create a user if the user is not in LDAP" do
-          @user = User.authenticate_with_ldap(:email => "wrong_secret.user@test.com", :password => "wrong_secret")
+        it "should not create a user if the user is not in LDAP" do
+          @user = User.find_for_ldap_authentication(:email => "wrong_secret.user@test.com", :password => "wrong_secret")
           assert(User.all.blank?, "There's users in the database")
         end
 
@@ -97,7 +99,7 @@ describe 'Users' do
           @user = Factory.create(:user)
 
           expect do
-            User.authenticate_with_ldap(:email => "EXAMPLE.user@test.com", :password => "secret")
+            User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
           end.to change { User.count }.by(1)
         end
 
@@ -106,15 +108,15 @@ describe 'Users' do
           @user = Factory.create(:user)
 
           expect do
-            User.authenticate_with_ldap(:email => "EXAMPLE.user@test.com", :password => "secret")
+            User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
           end.to_not change { User.count }
         end
 
         it "should create a user with downcased email in the database if case insensitivity matters" do
           ::Devise.case_insensitive_keys = [:email]
 
-          @user = User.authenticate_with_ldap(:email => "EXAMPLE.user@test.com", :password => "secret")
-          User.all.collect(&:email).should include("example.user@test.com")
+          @user = User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
+          expect(User.all.collect(&:email)).to include("example.user@test.com")
         end
       end
 
@@ -133,32 +135,55 @@ describe 'Users' do
       end
 
       it "should admin should have the proper groups set" do
-        @admin.ldap_groups.should include('cn=admins,ou=groups,dc=test,dc=com')
+        expect(@admin.ldap_groups).to include('cn=admins,ou=groups,dc=test,dc=com')
       end
 
       it "should user should not be allowed in" do
         should_not_be_validated @user, "secret"
       end
     end
-    
+
     describe "check group membership" do
       before do
         @admin = Factory.create(:admin)
         @user = Factory.create(:user)
       end
-      
+
       it "should return true for admin being in the admins group" do
         assert_equal true, @admin.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
       end
-      
+
       it "should return false for admin being in the admins group using the 'foobar' group attribute" do
         assert_equal false, @admin.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com', 'foobar')
       end
-      
+
+      it "should return true for user being in the users group" do
+        assert_equal true, @user.in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for user being in the admins group" do
+        assert_equal false, @user.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for a user being in a nonexistent group" do
+        assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
+      end
+    end
+
+    describe "check group membership w/out admin bind" do
+      before do
+        @user = Factory.create(:user)
+        ::Devise.ldap_check_group_membership_without_admin = true
+      end
+
+      after do
+        ::Devise.ldap_check_group_membership_without_admin = false
+      end
+
       it "should return true for user being in the users group" do
         assert_equal true, @user.in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
-      end   
-      
+      end
+
       it "should return false for user being in the admins group" do
         assert_equal false, @user.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
       end
@@ -166,8 +191,15 @@ describe 'Users' do
       it "should return false for a user being in a nonexistent group" do
         assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
       end
+
+      # TODO: add a test that confirms the user's own binding is used rather
+      # than the admin binding by creating an LDAP user who can't do group
+      # lookups perhaps?
+
+      # TODO: add a test to demonstrate this function won't work on a user
+      # after the initial login request if the password isn't available. This
+      # might have to be more of a full stack test.
     end
-    
 
     describe "use role attribute for authorization" do
       before do
@@ -185,6 +217,26 @@ describe 'Users' do
       end
     end
 
+    describe "use attribute presence for authorization" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+        ::Devise.ldap_check_attributes_presence = true
+      end
+
+      after do
+        ::Devise.ldap_check_attributes_presence = false
+      end
+
+      it "should admin should not be allowed in" do
+        should_not_be_validated @admin, "admin_secret"
+      end
+
+      it "should user should be allowed in" do
+        should_be_validated @user, "secret"
+      end
+    end
+
     describe "use admin setting to bind" do
       before do
         @admin = Factory.create(:admin)
@@ -197,6 +249,19 @@ describe 'Users' do
       end
     end
 
+    describe 'check password expiration' do
+      before { allow_any_instance_of(Devise::LDAP::Connection).to receive(:authenticated?).and_return(false) }
+
+      it 'should return false for a user that has a fresh password' do
+        allow_any_instance_of(Devise::LDAP::Connection).to receive(:last_message_expired_credentials?).and_return(false)
+        assert_equal false, ::Devise::LDAP::Adapter.expired_valid_credentials?('example.user@test.com','secret')
+      end
+
+      it 'should return true for a user that has an expired password' do
+        allow_any_instance_of(Devise::LDAP::Connection).to receive(:last_message_expired_credentials?).and_return(true)
+        assert_equal true, ::Devise::LDAP::Adapter.expired_valid_credentials?('example.user@test.com','secret')
+      end
+    end
   end
 
   describe "use uid for login" do
@@ -225,9 +290,9 @@ describe 'Users' do
       end
 
       it "should create a user in the database" do
-        @user = User.authenticate_with_ldap(:uid => "example_user", :password => "secret")
+        @user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
         assert_equal(User.all.size, 1)
-        User.all.collect(&:uid).should include("example_user")
+        expect(User.all.collect(&:uid)).to include("example_user")
       end
 
       it "should call ldap_before_save hooks" do
@@ -236,7 +301,7 @@ describe 'Users' do
             @foobar = 'foobar'
           end
         end
-        user = User.authenticate_with_ldap(:uid => "example_user", :password => "secret")
+        user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
         assert_equal 'foobar', user.instance_variable_get(:"@foobar")
         User.class_eval do
           undef ldap_before_save
@@ -244,9 +309,7 @@ describe 'Users' do
       end
 
       it "should not call ldap_before_save hook if not defined" do
-        assert_nothing_raised do
-          should_be_validated Factory.create(:user, :uid => "example_user"), "secret"
-        end
+        should_be_validated Factory.create(:user, :uid => "example_user"), "secret"
       end
     end
   end
@@ -279,9 +342,7 @@ describe 'Users' do
     end
 
     it "should not fail if config file has ssl: true" do
-      assert_nothing_raised do
-        Devise::LDAP::Connection.new
-      end
+      Devise::LDAP::Connection.new
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_ldap_authenticatable
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.8.7
 platform: ruby
 authors:
 - Curtis Schiewek
@@ -10,180 +10,174 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-24 00:00:00.000000000 Z
+date: 2020-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: 3.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: 3.4.1
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.3.1
-    - - <
-      - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.16.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: 0.3.1
-    - - <
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.16.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.9'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: factory_girl_rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: factory_girl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: database_cleaner
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: launchy
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Devise extension to allow authentication via LDAP
@@ -192,7 +186,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
 - CHANGELOG.md
 - Gemfile
 - MIT-LICENSE
@@ -277,6 +271,8 @@ files:
 - spec/rails_app/script/rails
 - spec/spec_helper.rb
 - spec/support/factories.rb
+- spec/unit/adapter_spec.rb
+- spec/unit/connection_spec.rb
 - spec/unit/user_spec.rb
 homepage: https://github.com/cschiewek/devise_ldap_authenticatable
 licenses:
@@ -288,17 +284,16 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Devise extension to allow authentication via LDAP