devise_ldap_authenticatable 0.3.5 → 0.4.0

data/README.md

@@ -12,8 +12,11 @@ Requirements
 
 - An LDAP server (tested on OpenLDAP)
 - Rails 3.0.0.beta4
+
+These gems are dependencies of the gem:
+
 - Devise 1.1.rc2
-- ruby-net-ldap 0.0.4
+- net-ldap 0.1.1
 
 Installation
 ------------
@@ -25,12 +28,13 @@ This will *only* work for Rails 3 applications.
 In the Gemfile for your application:
 
     gem "devise", "1.1.rc2"
-    gem "devise_ldap_authenticatable", "0.3.5"
-
-For latest version, use the git repository instead
+    gem "devise_ldap_authenticatable", "0.4.0"
+    
+To get the latest version, pull directly from github instead of the gem:
 
     gem "devise_ldap_authenticatable", :git => "git://github.com/cschiewek/devise_ldap_authenticatable.git", :branch => "rails3"
 
+
 Setup
 -----
 
@@ -44,6 +48,9 @@ This will install the sample.yml, update the devise.rb initializer, and update y
                                # Default: user
     [--update-model]           # Update model to change from database_authenticatable to ldap_authenticatable
                                # Default: true
+    [--add-rescue]             # Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException
+                               # Default: true
+
 
 
 Usage
@@ -61,16 +68,27 @@ Configuration
 
 In initializer  `config/initializers/devise.rb` :
 
-* ldap\_create\_user
+* ldap\_logger _(default: true)_
+  * If set to true, will log LDAP queries to the Rails logger.
+
+* ldap\_create\_user _(default: false)_
 	* If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
       If set to false, you will have to create the user record before they will be allowed to login.
 
-* ldap\_config
+* ldap\_config _(default: #{Rails.root}/config/ldap.yml)_
 	* Where to find the LDAP config file. Commented out to use the default, change if needed.
 
-* ldap\_update\_password
+* ldap\_update\_password _(default: true)_
   * When doing password resets, if true will update the LDAP server. Requires admin password in the ldap.yml
 
+
+* ldap\_check\_group_membership _(default: false)_
+  * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
+
+
+* ldap\_check\_attributes _(default: false)_
+  * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
+
 Testing
 -------
 

data/lib/devise_ldap_authenticatable.rb

@@ -1,12 +1,18 @@
 # encoding: utf-8
 require 'devise'
 
+require 'devise_ldap_authenticatable/exception'
+require 'devise_ldap_authenticatable/logger'
 require 'devise_ldap_authenticatable/schema'
 require 'devise_ldap_authenticatable/ldap_adapter'
 require 'devise_ldap_authenticatable/routes'
 
 # Get ldap information from config/ldap.yml now
 module Devise
+  # Allow logging
+  mattr_accessor :ldap_logger
+  @@ldap_logger = true
+  
   # Add valid users to database
   mattr_accessor :ldap_create_user
   @@ldap_create_user = false
@@ -16,6 +22,12 @@ module Devise
   
   mattr_accessor :ldap_update_password
   @@ldap_update_password = true
+  
+  mattr_accessor :ldap_check_group_membership
+  @@ldap_check_group_membership = false
+  
+  mattr_accessor :ldap_check_attributes
+  @@ldap_check_role_attribute = false
 end
 
 # Add ldap_authenticatable strategy to defaults.

data/lib/devise_ldap_authenticatable/exception.rb

@@ -0,0 +1,6 @@
+module DeviseLdapAuthenticatable
+
+  class LdapException < Exception
+  end
+
+end

data/lib/devise_ldap_authenticatable/ldap_adapter.rb

@@ -1,45 +1,135 @@
-require 'net/ldap'
+require "net/ldap"
 
 module Devise
 
-  # simple adapter for ldap credential checking
-  # ::Devise.ldap_host
   module LdapAdapter
     
     def self.valid_credentials?(login, password_plaintext)
-      resource = LdapConnect.new
-      ldap = resource.ldap
-      ldap.auth "#{resource.attribute}=#{login},#{ldap.base}", password_plaintext
-      ldap.bind # will return false if authentication is NOT successful
+      resource = LdapConnect.new(:login => login, :password => password_plaintext)
+      resource.authorized?
     end
     
-    def self.update_password(login, plaintext_password)
-      resource = LdapConnect.new
-      resource.update_ldap(login, :userpassword => Net::LDAP::Password.generate(:sha, plaintext_password)) if plaintext_password.present? 
+    def self.update_password(login, new_password)
+      resource = LdapConnect.new(:login => login, :new_password => new_password)
+      resource.change_password! if new_password.present? 
+    end
+    
+    def self.get_groups(login)
+      ldap = LdapConnect.new(:login => login)
+      ldap.user_groups
     end
 
     class LdapConnect
 
-      attr_reader :ldap, :base, :attribute
+      attr_reader :ldap, :login #, :base, :attribute, :required_groups, :login, :password, :new_password
 
       def initialize(params = {})
         ldap_config = YAML.load_file(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")[Rails.env]
-        ldap_options = params
         ldap_options[:encryption] = :simple_tls if ldap_config["ssl"]
 
-        @ldap = Net::LDAP.new(ldap_options)
+        @ldap = Net::LDAP.new # (ldap_options)
         @ldap.host = ldap_config["host"]
         @ldap.port = ldap_config["port"]
         @ldap.base = ldap_config["base"]
         @attribute = ldap_config["attribute"]
+        
+        @group_base = ldap_config["group_base"]
+        @required_groups = ldap_config["required_groups"]        
+        @required_attributes = ldap_config["require_attribute"]
+        
         @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin] 
+        
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
       end
 
-      def dn(login)
-        "#{@attribute}=#{login},#{@ldap.base}"
+      def dn
+        "#{@attribute}=#{@login},#{@ldap.base}"
+      end
+
+      def authenticate!
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+
+      def authenticated?
+        authenticate!
+      end
+      
+      def authorized?
+        DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
+        authenticated? && in_required_groups? && has_required_attribute?
+      end
+      
+      def change_password!
+        update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password))
       end
 
-      def update_ldap(login,ops)
+      def in_required_groups?     
+        return true unless ::Devise.ldap_check_group_membership
+        
+        ## FIXME set errors here, the ldap.yml isn't set properly.
+        return false if @required_groups.nil?   
+           
+        admin_ldap = LdapConnect.admin
+                
+        for group in @required_groups
+          admin_ldap.search(:base => group, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            unless entry.uniqueMember.include? dn
+              DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group}")
+              return false
+            end
+          end
+        end
+        
+        return true
+      end
+      
+      def has_required_attribute?
+        return true unless ::Devise.ldap_check_attributes
+        
+        admin_ldap = LdapConnect.admin
+        
+        user = find_ldap_user(admin_ldap)
+                
+        @required_attributes.each do |key,val|
+          unless user[key].include? val
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}")
+            return false 
+          end
+        end
+        
+        return true
+      end
+      
+      def user_groups
+        admin_ldap = LdapConnect.admin
+        
+        DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
+        filter = Net::LDAP::Filter.eq("uniqueMember", dn)
+        admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
+      end
+      
+      private
+      
+      def self.admin
+        ldap = LdapConnect.new(:admin => true).ldap
+        
+        unless ldap.bind
+          DeviseLdapAuthenticatable::Logger.send("Cannot bind to admin LDAP user")
+          raise DeviseLdapAuthenticatable::LdapException, "Cannot connect to admin LDAP user"
+        end
+        
+        return ldap
+      end
+      
+      def find_ldap_user(ldap)
+        DeviseLdapAuthenticatable::Logger.send("Finding user: #{dn}")
+        ldap.search(:base => dn, :scope => Net::LDAP::SearchScope_BaseObject).try(:first)
+      end
+      
+      def update_ldap(ops)
         operations = []
         if ops.is_a? Hash
           ops.each do |key,value|
@@ -49,21 +139,11 @@ module Devise
           operations = ops
         end
 
-        ldap = LdapConnect.new(:admin => true).ldap
-        ldap.bind
+        admin_ldap = LdapConnect.admin
         
-        ldap.modify(:dn => dn(login), :operations => operations)
+        DeviseLdapAuthenticatable::Logger.send("Modifying user #{dn}")
+        admin_ldap.modify(:dn => dn, :operations => operations)
       end
-      
-      # ## This is for testing, It will clear all users out of the LDAP database. Useful to put in before hooks in rspec, cucumber, etc..
-      # def clear_users!(base = @ldap.base)
-      #   raise "You should ONLY do this on the test enviornment! It will clear out all of the users in the LDAP server" if Rails.env != "test"
-      #   if @ldap.bind
-      #     @ldap.search(:filter => "#{@attribute}=*", :base => base) do |entry|
-      #       @ldap.delete(:dn => entry.dn)
-      #     end
-      #   end
-      # end
 
     end
 

data/lib/devise_ldap_authenticatable/logger.rb

@@ -0,0 +1,11 @@
+module DeviseLdapAuthenticatable
+
+  class Logger    
+    def self.send(message, logger = Rails.logger)
+      if ::Devise.ldap_logger
+        logger.add 0, "  \e[36mLDAP:\e[0m #{message}"
+      end
+    end
+  end
+
+end

data/lib/devise_ldap_authenticatable/model.rb

@@ -25,20 +25,28 @@ module Devise
         end
       end
 
+      ## FIXME find out how to get rid of this.
       def clean_up_passwords
-       # self.password = nil
       end
 
       # Checks if a resource is valid upon authentication.
       def valid_ldap_authentication?(password)
-        Devise::LdapAdapter.valid_credentials?(self.email, password)
+        if Devise::LdapAdapter.valid_credentials?(self.email, password)
+          return true
+        else
+          return false
+        end
+      end
+      
+      def ldap_groups
+         Devise::LdapAdapter.get_groups(self.email)
       end
 
       module ClassMethods
         # Authenticate a user based on configured attribute keys. Returns the
         # authenticated user if it's valid or nil.
-        def authenticate_with_ldap(attributes={})
-          return unless attributes[:email].present? 
+        def authenticate_with_ldap(attributes={}) 
+          return nil unless attributes[:email].present? 
           conditions = attributes.slice(:email)
 
           unless conditions[:email]
@@ -52,9 +60,10 @@ module Devise
           end
            
           if resource.try(:valid_ldap_authentication?, attributes[:password])
-            resource.new_record? ? resource.save : resource
+            resource.save if resource.new_record?
+            return resource
           else
-            nil
+            return nil
           end
 
         end

data/lib/devise_ldap_authenticatable/version.rb

@@ -1,4 +1,4 @@
 module DeviseLdapAuthenticatable
-  VERSION = "0.3.5"
+  VERSION = "0.4.0"
 end
 

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -4,6 +4,8 @@ module DeviseLdapAuthenticatable
     
     class_option :user_model, :type => :string, :default => "user", :desc => "Model to update"
     class_option :update_model, :type => :boolean, :default => true, :desc => "Update model to change from database_authenticatable to ldap_authenticatable"
+    class_option :add_rescue, :type => :boolean, :default => true, :desc => "Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException"
+    
     
     def create_ldap_config
       copy_file "ldap.yml", "config/ldap.yml"
@@ -17,15 +19,29 @@ module DeviseLdapAuthenticatable
       gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
     end
     
+    def update_application_controller
+      inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
+    end
+    
     private
     
     def default_devise_settings
       <<-eof
   # ==> LDAP Configuration 
+  # config.ldap_logger = true
   # config.ldap_create_user = false
   # config.ldap_update_password = true
   # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
+  # config.ldap_check_group_membership = false
+  # config.ldap_check_attributes = false
+      eof
+    end
     
+    def rescue_from_exception
+      <<-eof
+  rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
+    render :text => exception, :status => 500
+  end
       eof
     end
     

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -1,27 +1,48 @@
+## Authorizations
+# Uncomment out the merging for each enviornment that you'd like to include.
+# You can also just copy and paste the tree (do not include the "authorizations") to each
+# enviornment if you need something different per enviornment.
+authorizations: &AUTHORIZATIONS
+  group_base: ou=groups,dc=test,dc=com
+  ## Requires config.ldap_check_group_membership in devise.rb be true
+  # Can have multiple values, must match all to be authorized
+  required_groups:
+    - cn=admins,ou=groups,dc=test,dc=com
+    - cn=users,ou=groups,dc=test,dc=com
+  ## Requires config.ldap_check_attributes in devise.rb to be true
+  ## Can have multiple attributes and values, must match all to be authorized
+  require_attribute:
+    objectClass: inetOrgPerson
+    authorizationRole: postsAdmin
+
+## Enviornments
+
 development:
   host: localhost
   port: 389
   attribute: cn
-  base: ou=people,dc=yourdomain,dc=com
-  admin_user: cn=admin,dc=yourdomain,dc=com
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
   admin_password: admin_password
   ssl: false
+  # <<: *AUTHORIZATIONS
 
 test:
   host: localhost
   port: 3389
   attribute: cn
-  base: ou=people,dc=yourdomain,dc=com
-  admin_user: cn=admin,dc=yourdomain,dc=com
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
   admin_password: admin_password
   ssl: false
+  # <<: *AUTHORIZATIONS
 
 production:
   host: localhost
   port: 636
   attribute: cn
-  base: ou=people,dc=yourdomain,dc=com
-  admin_user: cn=admin,dc=yourdomain,dc=com
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
   admin_password: admin_password
   ssl: true
-
+  # <<: *AUTHORIZATIONS

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 3
-  - 5
-  version: 0.3.5
+  - 4
+  - 0
+  version: 0.4.0
 platform: ruby
 authors: 
 - Daniel McNevin
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-07-13 00:00:00 -04:00
+date: 2010-07-18 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -34,7 +34,7 @@ dependencies:
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
-  name: ruby-net-ldap
+  name: net-ldap
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
@@ -43,15 +43,14 @@ dependencies:
       - !ruby/object:Gem::Version 
         segments: 
         - 0
-        - 0
-        - 4
-        version: 0.0.4
+        - 1
+        - 1
+        version: 0.1.1
   type: :runtime
   version_requirements: *id002
 description: LDAP Authentication for Devise
 email: 
 - dpmcnevin@gmail.com
-- curtis.schiewek@gmail.com
 executables: []
 
 extensions: []
@@ -59,7 +58,9 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
+- lib/devise_ldap_authenticatable/exception.rb
 - lib/devise_ldap_authenticatable/ldap_adapter.rb
+- lib/devise_ldap_authenticatable/logger.rb
 - lib/devise_ldap_authenticatable/model.rb
 - lib/devise_ldap_authenticatable/routes.rb
 - lib/devise_ldap_authenticatable/schema.rb