devise_ldap_authenticatable 0.8.5 → 0.8.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: abe0050e42cc42dc4aae30f06758c90d38ac1311
-  data.tar.gz: 4ef05f917c2a93fe1a6c9d6f799d86e0721db43b
+  metadata.gz: 32d0f8a193c1b3669af1a6f2271f62a750bc2d49
+  data.tar.gz: afefa657196cbbccd64b415f0549d40779647427
 SHA512:
-  metadata.gz: f279002a80b2c7853af2c2b49620b177277bff0d5eecef58bf3ceea03f2d6ef536442f08199f715f18299dfc65da1f5eed8eb6e197aeb8f95398ff8b6ad41608
-  data.tar.gz: 984e1a040da8879d1de98896c68159d2459f043e06445fb222cb1d111eb5330711ab9115cd4c83e1333044f541e305e887bad42a5dfa4b2647c628e6833b4bec
+  metadata.gz: '029eeaad644b3d7026039cc535f15e0e280ad1af4a9e7af803e638c7f6861b8abd5fdf81c0ada09d4164a82fe00ab2569594b9fb06c04f18e904eadd67eb970c'
+  data.tar.gz: 430fd5c92a054178f1a209fba7673fb8e578b70c718b4aaf047131fdc9f591979db4bdf5d30dd2e0d2ea63b37cc231bf53d738ed363963af3353e3382000b91a

data/.gitignore

@@ -7,4 +7,5 @@ test/ldap/openldap-data/*
 test/ldap/openldap-data/run/slapd.*
 test/rails_app/tmp
 pkg/*
-*.gem
+*.gem
+.vscode

data/README.md

@@ -1,10 +1,5 @@
 Devise LDAP Authenticatable
 ===========================
-
-Why this fork?
---------------
-This fork changes a few lines to allow the admin binding to be set to the user trying to log in.
-
 [![Gem Version](https://badge.fury.io/rb/devise_ldap_authenticatable.png)](http://badge.fury.io/rb/devise_ldap_authenticatable)
 [![Code Climate](https://codeclimate.com/github/cschiewek/devise_ldap_authenticatable.png)](https://codeclimate.com/github/cschiewek/devise_ldap_authenticatable)
 [![Dependency Status](https://gemnasium.com/cschiewek/devise_ldap_authenticatable.png)](https://gemnasium.com/cschiewek/devise_ldap_authenticatable)
@@ -15,7 +10,7 @@ If you are building applications for use within your organization which require
 
 Devise LDAP Authenticatable works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
 
-For a screencast with an example application, please visit: [http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html](http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html)
+For a screencast with an example application, please visit: [http://corrupt.net/2010/07/05/LDAP-Authentication-With-Devise/](http://corrupt.net/2010/07/05/LDAP-Authentication-With-Devise/)
 
 Prerequisites
 -------------
@@ -24,6 +19,8 @@ Prerequisites
 
 Note: Rails 3.x / Devise 2.x has been moved to the 0.7 branch.  All 0.7.x gems will support Rails 3, where as 0.8.x will support Rails 4.
 
+If you are transitioning from having Devise manage your users' passwords in the database to using LDAP auth, you may have to update your `users` table to make `encrypted_password` nullable, or else the LDAP user insert will fail.
+
 Usage
 -----
 In the Gemfile for your application:
@@ -83,7 +80,9 @@ In initializer  `config/initializers/devise.rb` :
 * `ldap_check_group_membership` _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
 * `ldap_check_attributes` _(default: false)_
-  * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
+  * When set to true, the user trying to login will be checked to make sure their attributes match those specified in the ldap.yml file.
+* `ldap_check_attributes_presence` _(default: false)_
+  * When set to true, the user trying to login will be checked against all `require_attribute_presence` attributes in the ldap.yml file, either present _(attr: true)_,or not present _(attr: false)_.
 * `ldap_use_admin_to_bind` _(default: false)_
   * When set to true, the admin user will be used to bind to the LDAP server during authentication.
 * `ldap_check_group_membership_without_admin` _(default: false)_
@@ -116,9 +115,9 @@ Devise LDAP Authenticatable uses a running OpenLDAP server to do automated accep
 
 On OS X, this is available out of the box.
 
-On Ubuntu, you can install OpenLDAP with `sudo apt-get install slapd ldap-utils`. If slapd runs under AppArmor, add an exception like this to `/etc/apparmor.d/local/usr.sbin.slapd` to let slapd read our configs.
+On Ubuntu, you can install OpenLDAP with `sudo apt-get install slapd ldap-utils`. If slapd runs under AppArmor, add an exception like this to `/etc/apparmor.d/local/usr.sbin.slapd` to let slapd read our configs (reload using `sudo service apparmor reload` afterwards).
 
-    /path/to/devise_ldap_authenticatable/spec/ldap/** rw,$
+    /path/to/devise_ldap_authenticatable/spec/ldap/** rw,
 
 To start hacking on `devise_ldap_authentication`, clone the github repository, start the test LDAP server, and run the rake test task:
 
@@ -129,7 +128,7 @@ To start hacking on `devise_ldap_authentication`, clone the github repository, s
     # in a separate console or backgrounded
     ./spec/ldap/run-server
 
-    bundle exec rake db:migrate # first time only
+    RAILS_ENV=test bundle exec rake db:migrate # first time only
     bundle exec rake spec
 
 References

data/devise_ldap_authenticatable.gemspec

@@ -18,16 +18,16 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.add_dependency('devise', '>= 3.4.1')
-  s.add_dependency('net-ldap', '>= 0.6.0', '<= 0.11')
+  s.add_dependency 'devise', '>= 3.4.1'
+  s.add_dependency 'net-ldap', '>= 0.16.0'
 
-  s.add_development_dependency('rake', '>= 0.9')
-  s.add_development_dependency('rdoc', '>= 3')
-  s.add_development_dependency('rails', '>= 4.0')
-  s.add_development_dependency('sqlite3')
-  s.add_development_dependency('factory_girl_rails', '~> 1.0')
-  s.add_development_dependency('factory_girl', '~> 2.0')
-  s.add_development_dependency('rspec-rails')
+  s.add_development_dependency 'rake', '>= 0.9'
+  s.add_development_dependency 'rdoc', '>= 3'
+  s.add_development_dependency 'rails', '>= 4.0'
+  s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'factory_girl_rails', '~> 1.0'
+  s.add_development_dependency 'factory_girl', '~> 2.0'
+  s.add_development_dependency 'rspec-rails'
 
   %w{database_cleaner capybara launchy}.each do |dep|
     s.add_development_dependency(dep)

data/lib/devise_ldap_authenticatable.rb

@@ -1,5 +1,6 @@
 # encoding: utf-8
 require 'devise'
+require 'net/ldap'
 
 require 'devise_ldap_authenticatable/exception'
 require 'devise_ldap_authenticatable/logger'
@@ -11,31 +12,40 @@ module Devise
   # Allow logging
   mattr_accessor :ldap_logger
   @@ldap_logger = true
-  
+
   # Add valid users to database
   mattr_accessor :ldap_create_user
   @@ldap_create_user = false
-  
+
   # A path to YAML config file or a Proc that returns a
   # configuration hash
   mattr_accessor :ldap_config
   # @@ldap_config = "#{Rails.root}/config/ldap.yml"
-  
+
   mattr_accessor :ldap_update_password
   @@ldap_update_password = true
-  
+
   mattr_accessor :ldap_check_group_membership
   @@ldap_check_group_membership = false
-  
+
+  mattr_accessor :ldap_check_group_membership_without_admin
+  @@ldap_check_group_membership_without_admin = false
+
   mattr_accessor :ldap_check_attributes
   @@ldap_check_role_attribute = false
-  
+
+  mattr_accessor :ldap_check_attributes_presence
+  @@ldap_check_attributes_presence = false
+
   mattr_accessor :ldap_use_admin_to_bind
   @@ldap_use_admin_to_bind = false
-  
+
   mattr_accessor :ldap_auth_username_builder
   @@ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
 
+  mattr_accessor :ldap_auth_password_builder
+  @@ldap_auth_password_builder = Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) }
+
   mattr_accessor :ldap_ad_group_check
   @@ldap_ad_group_check = false
 end

data/lib/devise_ldap_authenticatable/ldap/adapter.rb

@@ -15,6 +15,16 @@ module Devise
         resource.authorized?
       end
 
+      def self.expired_valid_credentials?(login, password_plaintext)
+        options = {:login => login,
+                   :password => password_plaintext,
+                   :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                   :admin => ::Devise.ldap_use_admin_to_bind}
+
+        resource = Devise::LDAP::Connection.new(options)
+        resource.expired_valid_credentials?
+      end
+
       def self.update_password(login, new_password)
         options = {:login => login,
                    :new_password => new_password,
@@ -34,7 +44,7 @@ module Devise
                    :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
                    :admin => ::Devise.ldap_use_admin_to_bind}
 
-        resource = Devise::LDAP::Connection.new(options)
+        Devise::LDAP::Connection.new(options)
       end
 
       def self.valid_login?(login)
@@ -54,18 +64,18 @@ module Devise
       end
 
       def self.set_ldap_param(login, param, new_value, password = nil)
-        options = { :login => login,
-                    :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
-                    :password => password }
+        options = {:login => login,
+                   :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                   :password => password }
 
         resource = Devise::LDAP::Connection.new(options)
         resource.set_param(param, new_value)
       end
 
       def self.delete_ldap_param(login, param, password = nil)
-        options = { :login => login,
-                    :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
-                    :password => password }
+        options = {:login => login,
+                   :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                   :password => password }
 
         resource = Devise::LDAP::Connection.new(options)
         resource.delete_param(param)
@@ -79,9 +89,6 @@ module Devise
       def self.get_ldap_entry(login)
         self.ldap_connect(login).search_for_login
       end
-
     end
-
   end
-
 end

data/lib/devise_ldap_authenticatable/ldap/connection.rb

@@ -24,11 +24,13 @@ module Devise
 
         @group_base = ldap_config["group_base"]
         @check_group_membership = ldap_config.has_key?("check_group_membership") ? ldap_config["check_group_membership"] : ::Devise.ldap_check_group_membership
+        @check_group_membership_without_admin = ldap_config.has_key?("check_group_membership_without_admin") ? ldap_config["check_group_membership_without_admin"] : ::Devise.ldap_check_group_membership_without_admin
         @required_groups = ldap_config["required_groups"]
+        @group_membership_attribute = ldap_config.has_key?("group_membership_attribute") ? ldap_config["group_membership_attribute"] : "uniqueMember"
         @required_attributes = ldap_config["require_attribute"]
+        @required_attributes_presence = ldap_config["require_attribute_presence"]
 
         @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin]
-        @ldap.auth params[:login], params[:password] if ldap_config["admin_as_user"]
 
         @login = params[:login]
         @password = params[:password]
@@ -83,10 +85,25 @@ module Devise
         authenticate!
       end
 
+      def last_message_bad_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 52e'
+      end
+
+      def last_message_expired_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 773'
+      end
+
       def authorized?
         DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
         if !authenticated?
-          DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.")
+          if last_message_bad_credentials?
+            DeviseLdapAuthenticatable::Logger.send("Not authorized because of invalid credentials.")
+          elsif last_message_expired_credentials?
+            DeviseLdapAuthenticatable::Logger.send("Not authorized because of expired credentials.")
+          else
+            DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.")
+          end
+
           return false
         elsif !in_required_groups?
           DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.")
@@ -94,17 +111,26 @@ module Devise
         elsif !has_required_attribute?
           DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.")
           return false
+        elsif !has_required_attribute_presence?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute present.")
+          return false
         else
           return true
         end
       end
 
+      def expired_valid_credentials?
+        DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
+
+        !authenticated? && last_message_expired_credentials?
+      end
+
       def change_password!
-        update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password))
+        update_ldap(:userPassword => ::Devise.ldap_auth_password_builder.call(@new_password))
       end
 
       def in_required_groups?
-        return true unless @check_group_membership
+        return true unless @check_group_membership || @check_group_membership_without_admin
 
         ## FIXME set errors here, the ldap.yml isn't set properly.
         return false if @required_groups.nil?
@@ -122,23 +148,29 @@ module Devise
       def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
         in_group = false
 
-        admin_ldap = Connection.admin
+        if @check_group_membership_without_admin
+          group_checking_ldap = @ldap
+        else
+          group_checking_ldap = Connection.admin
+        end
 
         unless ::Devise.ldap_ad_group_check
-          admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+          group_checking_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
             if entry[group_attribute].include? dn
               in_group = true
+              DeviseLdapAuthenticatable::Logger.send("User #{dn} IS included in group: #{group_name}")
             end
           end
         else
           # AD optimization - extension will recursively check sub-groups with one query
           # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
-          search_result = admin_ldap.search(:base => dn,
+          search_result = group_checking_ldap.search(:base => dn,
                             :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
                             :scope => Net::LDAP::SearchScope_BaseObject)
           # Will return  the user entry if belongs to group otherwise nothing
           if search_result.length == 1 && search_result[0].dn.eql?(dn)
             in_group = true
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} IS included in group: #{group_name}")
           end
         end
 
@@ -153,11 +185,11 @@ module Devise
         return true unless ::Devise.ldap_check_attributes
 
         admin_ldap = Connection.admin
-
         user = find_ldap_user(admin_ldap)
 
         @required_attributes.each do |key,val|
-          unless user[key].include? val
+          matching_attributes = user[key] & Array(val)
+          unless (matching_attributes).any?
             DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}")
             return false
           end
@@ -166,11 +198,28 @@ module Devise
         return true
       end
 
+      def has_required_attribute_presence?
+        return true unless ::Devise.ldap_check_attributes_presence
+
+        user = search_for_login
+
+        @required_attributes_presence.each do |key,val|
+          if val && !user.attribute_names.include?(key.to_sym)
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} doesn't include attribute #{key}")
+            return false
+          elsif !val && user.attribute_names.include?(key.to_sym)
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} includes attribute #{key}")
+            return false
+          end
+        end
+
+        return true
+      end
+
       def user_groups
         admin_ldap = Connection.admin
-
         DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
-        filter = Net::LDAP::Filter.eq("uniqueMember", dn)
+        filter = Net::LDAP::Filter.eq(@group_membership_attribute, dn)
         admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
       end
 
@@ -188,6 +237,10 @@ module Devise
           ldap_entry = nil
           match_count = 0
           @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
+          op_result= @ldap.get_operation_result
+          if op_result.code!=0 then
+            DeviseLdapAuthenticatable::Logger.send("LDAP Error #{op_result.code}: #{op_result.message}")
+          end
           DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches")
           ldap_entry
         end

data/lib/devise_ldap_authenticatable/model.rb

@@ -53,7 +53,7 @@ module Devise
       end
 
       def ldap_groups
-        Devise::LDAP::Adapter.get_groups(login_with)
+        @ldap_groups ||= Devise::LDAP::Adapter.get_groups(login_with)
       end
 
       def in_ldap_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)

data/lib/devise_ldap_authenticatable/strategy.rb

@@ -10,7 +10,7 @@ module Devise
       # indicating whether the resource is not found in the database or the credentials
       # are invalid.
       def authenticate!
-        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(password: password))
+        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(:password => password))
 
         return fail(:invalid) unless resource
 

data/lib/devise_ldap_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseLdapAuthenticatable
-  VERSION = "0.8.5".freeze
+  VERSION = "0.8.6".freeze
 end

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -13,7 +13,7 @@ module DeviseLdapAuthenticatable
     end
 
     def create_default_devise_settings
-      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"   
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"
     end
 
     def update_user_model
@@ -28,7 +28,7 @@ module DeviseLdapAuthenticatable
 
     def default_devise_settings
       settings = <<-eof
-  # ==> LDAP Configuration 
+  # ==> LDAP Configuration
   # config.ldap_logger = true
   # config.ldap_create_user = false
   # config.ldap_update_password = true
@@ -36,12 +36,13 @@ module DeviseLdapAuthenticatable
   # config.ldap_check_group_membership = false
   # config.ldap_check_group_membership_without_admin = false
   # config.ldap_check_attributes = false
+  # config.ldap_check_attributes_presence = false
   # config.ldap_use_admin_to_bind = false
   # config.ldap_ad_group_check = false
 
       eof
-      if options.advanced?  
-        settings << <<-eof  
+      if options.advanced?
+        settings << <<-eof
   # ==> Advanced LDAP Configuration
   # config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "\#{attribute}=\#{login},\#{ldap.base}" }
 

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -1,7 +1,7 @@
 ## Authorizations
 # Uncomment out the merging for each environment that you'd like to include.
 # You can also just copy and paste the tree (do not include the "authorizations") to each
-# environment if you need something different per enviornment.
+# environment if you need something different per environment.
 authorizations: &AUTHORIZATIONS
   allow_unauthenticated_bind: false
   group_base: ou=groups,dc=test,dc=com
@@ -18,6 +18,12 @@ authorizations: &AUTHORIZATIONS
   require_attribute:
     objectClass: inetOrgPerson
     authorizationRole: postsAdmin
+  ## Requires config.ldap_check_attributes_presence in devise.rb to be true
+  ## Can have multiple attributes set to true or false to check presence, all must match all to be authorized
+  require_attribute_presence:
+    mail: true
+    telephoneNumber: true
+    serviceAccount: false
 
 ## Environment
 

data/spec/rails_app/config/ldap.yml

@@ -7,7 +7,9 @@ authorizations: &AUTHORIZATIONS
   require_attribute:
     objectClass: inetOrgPerson
     authorizationRole: blogAdmin
-    
+  require_attribute_presence:
+    mail: true
+
 test: &TEST
   host: localhost
   port: 3389
@@ -17,6 +19,6 @@ test: &TEST
   admin_password: secret
   ssl: false
   <<: *AUTHORIZATIONS
-  
+
 development:
   <<: *TEST

data/spec/rails_app/config/ldap_with_erb.yml

@@ -6,9 +6,11 @@ authorizations: &AUTHORIZATIONS
   required_groups:
     - cn=admins,<%= "ou=groups,#{@base}" %>
   require_attribute:
-    objectClass: inetOrgPerson
+    objectClass:
+      - inetOrgPerson
+      - organizationalPerson
     authorizationRole: blogAdmin
-    
+
 test: &TEST
   host: <%= "localhost" %>
   port: 3389
@@ -18,6 +20,6 @@ test: &TEST
   admin_password: secret
   ssl: false
   <<: *AUTHORIZATIONS
-  
+
 development:
   <<: *TEST

data/spec/spec_helper.rb

@@ -2,7 +2,6 @@ ENV["RAILS_ENV"] = "test"
 
 require File.expand_path("rails_app/config/environment.rb",  File.dirname(__FILE__))
 require 'rspec/rails'
-require 'rspec/autorun'
 require 'factory_girl' # not sure why this is not already required
 
 # Rails 4.1 and RSpec are a bit on different pages on who should run migrations
@@ -50,6 +49,7 @@ def default_devise_settings!
   ::Devise.ldap_config = "#{Rails.root}/config/#{"ssl_" if ENV["LDAP_SSL"]}ldap.yml"
   ::Devise.ldap_check_group_membership = false
   ::Devise.ldap_check_attributes = false
+  ::Devise.ldap_check_attributes_presence = false
   ::Devise.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
   ::Devise.authentication_keys = [:email]
 end

data/spec/unit/adapter_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe Devise::LDAP::Adapter do
+  describe '#expired_valid_credentials?' do
+    before do
+      ::Devise.ldap_use_admin_to_bind = true
+      expect_any_instance_of(Devise::LDAP::Connection).to receive(:expired_valid_credentials?)
+    end
+
+    it 'can bind as the admin user' do
+      expect(Devise::LDAP::Connection).to receive(:new)
+        .with(hash_including(
+                  :login => 'test.user@test.com',
+                  :password => 'pass',
+                  :ldap_auth_username_builder => kind_of(Proc),
+                  :admin => true)).and_call_original
+
+      Devise::LDAP::Adapter.expired_valid_credentials?('test.user@test.com', 'pass')
+    end
+  end
+end

data/spec/unit/connection_spec.rb

@@ -11,4 +11,93 @@ describe 'Connection' do
     connection = Devise::LDAP::Connection.new()
     expect(connection.ldap.base).to eq('ou=testbase,dc=test,dc=com')
   end
+
+  class TestOpResult
+    attr_accessor :error_message
+  end
+
+  describe '#expired_valid_credentials?' do
+    let(:conn) { double(Net::LDAP).as_null_object }
+    let(:error) { }
+    let(:is_authed) { false }
+    before do
+      expect(Net::LDAP).to receive(:new).and_return(conn)
+      allow(conn).to receive(:get_operation_result).and_return(TestOpResult.new.tap{|r| r.error_message = error})
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:authenticated?).and_return(is_authed)
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:dn).and_return('any dn')
+      expect(DeviseLdapAuthenticatable::Logger).to receive(:send).with('Authorizing user any dn')
+    end
+    subject do
+      Devise::LDAP::Connection.new.expired_valid_credentials?
+    end
+
+    context do
+      let(:error) { 'THIS PART CAN BE ANYTHING AcceptSecurityContext error, data 773 SO CAN THIS' }
+      it 'is true when expired credential error is returned and not already authenticated' do
+        expect(subject).to be true
+      end
+    end
+
+    context do
+      it 'is false when expired credential error is not returned and not already authenticated' do
+        expect(subject).to be false
+      end
+    end
+
+    context do
+      let(:is_authed) { true }
+      it 'is false when expired credential error is not returned and already authenticated' do
+        expect(subject).to be false
+      end
+    end
+  end
+
+  describe '#authorized?' do
+    let(:conn) { double(Net::LDAP).as_null_object }
+    let(:error) { }
+    let(:log_message) { }
+    let(:is_authed) { false }
+    before do
+      expect(Net::LDAP).to receive(:new).and_return(conn)
+      allow(conn).to receive(:get_operation_result).and_return(TestOpResult.new.tap{|r| r.error_message = error})
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:authenticated?).and_return(is_authed)
+      allow_any_instance_of(Devise::LDAP::Connection).to receive(:dn).and_return('any dn')
+      expect(DeviseLdapAuthenticatable::Logger).to receive(:send).with('Authorizing user any dn')
+    end
+    subject do
+      Devise::LDAP::Connection.new.authorized?
+    end
+    context do
+      before { expect(DeviseLdapAuthenticatable::Logger).to receive(:send).with(log_message) }
+
+      context do
+        let(:error) { 'THIS PART CAN BE ANYTHING AcceptSecurityContext error, data 52e SO CAN THIS' }
+        let(:log_message) { 'Not authorized because of invalid credentials.' }
+        it 'is false when credential error is returned' do
+          expect(subject).to be false
+        end
+      end
+      context do
+        let(:error) { 'THIS PART CAN BE ANYTHING AcceptSecurityContext error, data 773 SO CAN THIS' }
+        let(:log_message) { 'Not authorized because of expired credentials.' }
+        it 'is false when expired error is returned' do
+          expect(subject).to be false
+        end
+      end
+      context do
+        let(:error) { 'any error' }
+        let(:log_message) { 'Not authorized because not authenticated.' }
+        it 'is false when any other error is returned' do
+          expect(subject).to be false
+        end
+      end
+    end
+
+    context do
+      let(:is_authed) { true }
+      it 'is true when already authenticated' do
+        expect(subject).to be true
+      end
+    end
+  end
 end

data/spec/unit/user_spec.rb

@@ -16,7 +16,7 @@ describe 'Users' do
       reset_ldap_server!
     end
 
-    describe "look up and ldap user" do
+    describe "look up an ldap user" do
       it "should return true for a user that does exist in LDAP" do
         assert_equal true, ::Devise::LDAP::Adapter.valid_login?('example.user@test.com')
       end
@@ -48,7 +48,7 @@ describe 'Users' do
         should_be_validated @user, "secret"
         @user.password = "changed"
         @user.change_password!("secret")
-        should_be_validated @user, "changed", "password was not changed properly on the LDAP sevrer"
+        should_be_validated @user, "changed", "password was not changed properly on the LDAP server"
       end
 
       it "should not allow to change password if setting is false" do
@@ -80,7 +80,7 @@ describe 'Users' do
         it "should create a user in the database" do
           @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
           assert_equal(User.all.size, 1)
-          User.all.collect(&:email).should include("example.user@test.com")
+          expect(User.all.collect(&:email)).to include("example.user@test.com")
           assert(@user.persisted?)
         end
 
@@ -116,7 +116,7 @@ describe 'Users' do
           ::Devise.case_insensitive_keys = [:email]
 
           @user = User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
-          User.all.collect(&:email).should include("example.user@test.com")
+          expect(User.all.collect(&:email)).to include("example.user@test.com")
         end
       end
 
@@ -135,32 +135,32 @@ describe 'Users' do
       end
 
       it "should admin should have the proper groups set" do
-        @admin.ldap_groups.should include('cn=admins,ou=groups,dc=test,dc=com')
+        expect(@admin.ldap_groups).to include('cn=admins,ou=groups,dc=test,dc=com')
       end
 
       it "should user should not be allowed in" do
         should_not_be_validated @user, "secret"
       end
     end
-    
+
     describe "check group membership" do
       before do
         @admin = Factory.create(:admin)
         @user = Factory.create(:user)
       end
-      
+
       it "should return true for admin being in the admins group" do
         assert_equal true, @admin.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
       end
-      
+
       it "should return false for admin being in the admins group using the 'foobar' group attribute" do
         assert_equal false, @admin.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com', 'foobar')
       end
-      
+
       it "should return true for user being in the users group" do
         assert_equal true, @user.in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
-      end   
-      
+      end
+
       it "should return false for user being in the admins group" do
         assert_equal false, @user.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
       end
@@ -217,6 +217,26 @@ describe 'Users' do
       end
     end
 
+    describe "use attribute presence for authorization" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+        ::Devise.ldap_check_attributes_presence = true
+      end
+
+      after do
+        ::Devise.ldap_check_attributes_presence = false
+      end
+
+      it "should admin should not be allowed in" do
+        should_not_be_validated @admin, "admin_secret"
+      end
+
+      it "should user should be allowed in" do
+        should_be_validated @user, "secret"
+      end
+    end
+
     describe "use admin setting to bind" do
       before do
         @admin = Factory.create(:admin)
@@ -229,6 +249,19 @@ describe 'Users' do
       end
     end
 
+    describe 'check password expiration' do
+      before { allow_any_instance_of(Devise::LDAP::Connection).to receive(:authenticated?).and_return(false) }
+
+      it 'should return false for a user that has a fresh password' do
+        allow_any_instance_of(Devise::LDAP::Connection).to receive(:last_message_expired_credentials?).and_return(false)
+        assert_equal false, ::Devise::LDAP::Adapter.expired_valid_credentials?('example.user@test.com','secret')
+      end
+
+      it 'should return true for a user that has an expired password' do
+        allow_any_instance_of(Devise::LDAP::Connection).to receive(:last_message_expired_credentials?).and_return(true)
+        assert_equal true, ::Devise::LDAP::Adapter.expired_valid_credentials?('example.user@test.com','secret')
+      end
+    end
   end
 
   describe "use uid for login" do
@@ -259,7 +292,7 @@ describe 'Users' do
       it "should create a user in the database" do
         @user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
         assert_equal(User.all.size, 1)
-        User.all.collect(&:uid).should include("example_user")
+        expect(User.all.collect(&:uid)).to include("example_user")
       end
 
       it "should call ldap_before_save hooks" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_ldap_authenticatable
 version: !ruby/object:Gem::Version
-  version: 0.8.5
+  version: 0.8.6
 platform: ruby
 authors:
 - Curtis Schiewek
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-19 00:00:00.000000000 Z
+date: 2018-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -32,20 +32,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
-    - - "<="
-      - !ruby/object:Gem::Version
-        version: '0.11'
+        version: 0.16.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
-    - - "<="
-      - !ruby/object:Gem::Version
-        version: '0.11'
+        version: 0.16.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -277,6 +271,7 @@ files:
 - spec/rails_app/script/rails
 - spec/spec_helper.rb
 - spec/support/factories.rb
+- spec/unit/adapter_spec.rb
 - spec/unit/connection_spec.rb
 - spec/unit/user_spec.rb
 homepage: https://github.com/cschiewek/devise_ldap_authenticatable
@@ -299,7 +294,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Devise extension to allow authentication via LDAP
@@ -372,5 +367,6 @@ test_files:
 - spec/rails_app/script/rails
 - spec/spec_helper.rb
 - spec/support/factories.rb
+- spec/unit/adapter_spec.rb
 - spec/unit/connection_spec.rb
 - spec/unit/user_spec.rb