devise_ldap_authenticatable 0.6.1 → 0.7.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 68e24de8c225dff39bf6640f3249b17c28d15a2b
+  data.tar.gz: 68335d1a9e0bb5137a1629053f655cc051e019ec
+SHA512:
+  metadata.gz: 16cc901376b48de4f8eeefd811e13272dd10763fe0ae66c42b59ca79cb0543c6a9c985142b43d52db3fc4e9c1e7c461bca9f907904664a6f2b25e34d4d191f46
+  data.tar.gz: 9344876e0cf44b2b90fefef75d49346f5f0bffb01d2f4868fdfb9a56fcb68b58d0890ab7025acf8233600e98a4cf8b98476e4f09333fefa50d0b6cc986b9d933

data/.gitignore

@@ -1,4 +1,5 @@
 .bundle
+Gemfile.lock
 log
 *.sqlite3
 test/ldap/openldap-data/*

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+CHANGELOG
+=========
+
+v0.8
+----
+
+[Issue #102](https://github.com/cschiewek/devise_ldap_authenticatable/pull/102): Extract method in_group? from in_required_groups? and expose it to the model

data/Gemfile

@@ -2,10 +2,7 @@ source "http://rubygems.org"
 
 gemspec
 
-gem 'devise', '~> 2.0.0'
-gem 'net-ldap', '~> 0.2.2'
-
-group :test do
+group :development, :test do
   gem 'ruby-debug', '>= 0.10.3', :platform => :mri_18
   gem 'debugger', :platform => :ruby_19
 end

data/README.md

@@ -1,39 +1,24 @@
 Devise LDAP Authenticatable
 ===========================
-
 Devise LDAP Authenticatable is a LDAP based authentication strategy for the [Devise](http://github.com/plataformatec/devise) authentication framework.
 
 If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.
 
-For a screencast with an example application, please visit: [http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html](http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html)
-
-**_Please Note_**
-
-If you are using rails 2.x then use 0.1.x series of gem, and see the rails2 branch README for instructions.
-
-Requirements
-------------
-
-- An LDAP server (tested on OpenLDAP)
-- Rails 3.0.0
-
-These gems are dependencies of the gem:
-
-- Devise ~> 2.0.0 
-- net-ldap ~> 0.2.2
+Devise LDAP Authenticatable works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
 
-Installation
-------------
-
-**_Please Note_**
+For a screencast with an example application, please visit: [http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html](http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html)
 
-This will *only* work for Rails 3 applications.
+Prerequisites
+-------------
+ * devise ~> 2.0.0 (which requires rails ~> 3.1)
+ * net-ldap ~> 0.2.2
 
+Usage
+-----
 In the Gemfile for your application:
 
-    gem "devise", "~> 2.0"
     gem "devise_ldap_authenticatable"
-    
+
 To get the latest version, pull directly from github instead of the gem:
 
     gem "devise_ldap_authenticatable", :git => "git://github.com/cschiewek/devise_ldap_authenticatable.git"
@@ -41,13 +26,12 @@ To get the latest version, pull directly from github instead of the gem:
 
 Setup
 -----
-
 Run the rails generators for devise (please check the [devise](http://github.com/plataformatec/devise) documents for further instructions)
 
     rails generate devise:install
     rails generate devise MODEL_NAME
 
-Run the rails generator for devise_ldap_authenticatable
+Run the rails generator for `devise_ldap_authenticatable`
 
     rails generate devise_ldap_authenticatable:install [options]
 
@@ -59,120 +43,89 @@ Options:
                                # Default: user
     [--update-model]           # Update model to change from database_authenticatable to ldap_authenticatable
                                # Default: true
-    [--add-rescue]             # Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException
+    [--add-rescue]             # Update Application Controller with rescue_from for DeviseLdapAuthenticatable::LdapException
                                # Default: true
     [--advanced]               # Add advanced config options to the devise initializer
 
-
-Usage
------
-
-Devise LDAP Authenticatable works in replacement of Database Authenticatable
-
-**_Please Note_**
-
-This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
-
-The field that is used for logins is the first key that's configured in the `config/devise.rb` file under `config.authentication_keys`, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise.
-
-
 Querying LDAP
-----------------
-
-Given that ldap\_create\_user is set to true and you are authenticating with username, you can query an LDAP server for other attributes.
+-------------
+Given that `ldap_create_user` is set to true and you are authenticating with username, you can query an LDAP server for other attributes.
 
 in your user model:
 
-	before_save :get_ldap_email
-
-  def get_ldap_email
-    self.email = Devise::LdapAdapter.get_ldap_param(self.username,"mail")
-  end
+    before_save :get_ldap_email
 
+    def get_ldap_email
+      self.email = Devise::LdapAdapter.get_ldap_param(self.username,"mail")
+    end
 
 Configuration
 -------------
-
 In initializer  `config/initializers/devise.rb` :
 
-* ldap\_logger _(default: true)_
+* `ldap_logger` _(default: true)_
   * If set to true, will log LDAP queries to the Rails logger.
 
-* ldap\_create\_user _(default: false)_
-	* If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
+* `ldap_create_user` _(default: false)_
+  * If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
       If set to false, you will have to create the user record before they will be allowed to login.
 
-* ldap\_config _(default: #{Rails.root}/config/ldap.yml)_
+* `ldap_config` _(default: #{Rails.root}/config/ldap.yml)_
 	* Where to find the LDAP config file. Commented out to use the default, change if needed.
 
-* ldap\_update\_password _(default: true)_
+* `ldap_update_password` _(default: true)_
   * When doing password resets, if true will update the LDAP server. Requires admin password in the ldap.yml
 
-* ldap\_check\_group_membership _(default: false)_
+* `ldap_check_group_membership` _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
 
-* ldap\_check\_attributes _(default: false)_
+* `ldap_check_attributes` _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
 
-* ldap\_use\_admin\_to\_bind _(default: false)_
+* `ldap_use_admin_to_bind` _(default: false)_
   * When set to true, the admin user will be used to bind to the LDAP server during authentication.
 
-
 Advanced Configuration
 ----------------------
-
 These parameters will be added to `config/initializers/devise.rb` when you pass the `--advanced` switch to the generator:
 
-* ldap\_auth\_username\_builder _(default: `Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }`)_
+* `ldap_auth_username_builder` _(default: `Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }`)_
   * You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
 
-Testing
--------
-
-This has been tested using the following setup:
+Troubleshooting
+--------------
+**Using a "username" instead of an "email":** The field that is used for logins is the first key that's configured in the `config/devise.rb` file under `config.authentication_keys`, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise.
 
-* Mac OSX 10.6
-* OpenLDAP 2.4.11
-* REE 1.8.7 (2010.02)
+**SSL certificate invalid:** If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., `/etc/openldap/ldap.conf` or `/etc/ldap/ldap.conf`) to read `TLS_REQCERT never`.
 
-All unit and functional tests are part of a sample rails application under test/rails_app and requires a working LDAP sever.
+Development guide
+------------
+To contribute to `devise_ldap_authentication`, you should be able to run a test OpenLDAP server. Specifically, you need the `slapd`, `ldapadd`, and `ldapmodify` binaries.
 
-Build / Start Instructions for Test LDAP Server
------------------------------------------------
+This seems to come out of the box with Mac OS X 10.6.
 
-These instructions require the current directory context to be the `test/ldap` directory relative to the project root.
+On Ubuntu (tested on 12.04 and 12.10), you can run `sudo apt-get install slapd ldap-utils`. You will also likely have to add the `spec/ldap` directory of your local git clone to the slapd [apparmor](https://wiki.ubuntu.com/DebuggingApparmor) profile `/etc/apparmor.d/usr.sbin.slapd` if you get permissions errors. Something like this should do:
 
-  1. To start the server, run `./run-server.sh`
-  2. Add the basic structure: `ldapadd -x -h localhost -p 3389 -x -D "cn=admin,dc=test,dc=com" -w secret -f base.ldif`
-    * this creates the users / passwords:
-      * cn=admin,dc=test,com / secret
-      * cn=example.user@test.com,ou=people,dc=test,dc=com / secret
-  3. You should now be able to run the tests in test/rails_app by running: `rake`
-  
-  _For a LDAP server running SSL_
-  
-  1. To start the server, run: `./run-server.sh --ssl`
-  2. Add the basic structure: `ldapadd -x -H ldaps://localhost:3389 -x -D "cn=admin,dc=test,dc=com" -w secret -f base.ldif`
-    * this creates the users / passwords:
-      * cn=admin,dc=test,com / secret
-      * cn=example.user@test.com,ou=people,dc=test,dc=com / secret
-  3. You should now be able to run the tests in test/rails_app by running: `LDAP_SSL=true rake`
+    /path/to/devise_ldap_authenticatable/spec/ldap/** rw,$
 
-**_Please Note_**
+To start hacking on `devise_ldap_authentication`, clone the github repository, start the test LDAP server, and run the rake test task:
 
-In your system LDAP config file (on OSX it's /etc/openldap/ldap.conf) make sure you have the following setting:
+    git clone https://github.com/cschiewek/devise_ldap_authenticatable.git
+    cd devise_ldap_authenticatable
+    bundle install
 
-    TLS_REQCERT	never
+    # in a separate console or backgrounded
+    ./spec/ldap/run-server
 
-This will allow requests to go to the test LDAP server without being signed by a trusted root (it uses a self-signed cert)
+    bundle exec rake db:migrate # first time only
+    bundle exec rake spec
 
 References
 ----------
-
 * [OpenLDAP](http://www.openldap.org/)
 * [Devise](http://github.com/plataformatec/devise)
 * [Warden](http://github.com/hassox/warden)
 
 Released under the MIT license
 
-Copyright (c) 2010 Curtis Schiewek, Daniel McNevin, Steven Xu
+Copyright (c) 2012 [Curtis Schiewek](https://github.com/cschiewek), [Daniel McNevin](https://github.com/dpmcnevin), [Steven Xu](https://github.com/cairo140)

data/Rakefile

@@ -1,15 +1,16 @@
-require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
+require File.expand_path('spec/rails_app/config/environment', File.dirname(__FILE__))
+require 'rdoc/task'
 
-desc 'Default: run unit tests.'
-task :default => :test
+desc 'Default: run test suite.'
+task :default => :spec
 
 desc 'Generate documentation for the devise_ldap_authenticatable plugin.'
 Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title    = 'DeviseLDAPAuthenticatable'
   rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('README.md')
   rdoc.rdoc_files.include('lib/**/*.rb')
-end
+end
+
+RailsApp::Application.load_tasks

data/devise_ldap_authenticatable.gemspec

@@ -17,6 +17,18 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.add_dependency('devise', '>= 2.0.0')
-  s.add_dependency('net-ldap', '~> 0.2.2')
-end
+  s.add_dependency('devise', '~> 2.0')
+  s.add_dependency('net-ldap', '~> 0.3.1')
+
+  s.add_development_dependency('rake', '>= 0.9')
+  s.add_development_dependency('rdoc', '>= 3')
+  s.add_development_dependency('rails', '>= 3.2')
+  s.add_development_dependency('sqlite3')
+  s.add_development_dependency('factory_girl_rails', '~> 1.0')
+  s.add_development_dependency('factory_girl', '~> 2.0')
+  s.add_development_dependency('rspec-rails')
+
+  %w{database_cleaner capybara launchy}.each do |dep|
+    s.add_development_dependency(dep)
+  end
+end

data/lib/devise_ldap_authenticatable/ldap_adapter.rb

@@ -1,8 +1,8 @@
 require "net/ldap"
 
 module Devise
-
   module LdapAdapter
+    DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY = 'uniqueMember'
 
     def self.valid_credentials?(login, password_plaintext)
       options = {:login => login,
@@ -25,7 +25,7 @@ module Devise
     end
 
     def self.update_own_password(login, new_password, current_password)
-      set_ldap_param(login, :userpassword, new_password, current_password)
+      set_ldap_param(login, :userpassword, Net::LDAP::Password.generate(:sha, new_password), current_password)
     end
 
     def self.ldap_connect(login)
@@ -44,6 +44,10 @@ module Devise
       self.ldap_connect(login).user_groups
     end
 
+    def self.in_ldap_group?(login, group_name, group_attribute = nil)
+      self.ldap_connect(login).in_group?(group_name, group_attribute)
+    end
+
     def self.get_dn(login)
       self.ldap_connect(login).dn
     end
@@ -154,7 +158,18 @@ module Devise
 
       def authorized?
         DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
-        authenticated? && in_required_groups? && has_required_attribute?
+        if !authenticated?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.")
+          return false
+        elsif !in_required_groups?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.")
+          return false
+        elsif !has_required_attribute?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.")
+          return false
+        else
+          return true
+        end
       end
 
       def change_password!
@@ -167,37 +182,44 @@ module Devise
         ## FIXME set errors here, the ldap.yml isn't set properly.
         return false if @required_groups.nil?
 
-        admin_ldap = LdapConnect.admin
-
         for group in @required_groups
           if group.is_a?(Array)
-            group_attribute, group_name = group
+            return false unless in_group?(group[1], group[0])
           else
-            group_attribute = "uniqueMember"
-            group_name = group
+            return false unless in_group?(group)
           end
-          unless ::Devise.ldap_ad_group_check
-            admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
-              unless entry[group_attribute].include? dn
-                DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
-                return false
-              end
-            end
-          else
-            # AD optimization - extension will recursively check sub-groups with one query
-            # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
-            search_result = admin_ldap.search(:base => dn,
-                              :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
-                              :scope => Net::LDAP::SearchScope_BaseObject)
-            # Will return  the user entry if belongs to group otherwise nothing
-            unless search_result.length == 1 && search_result[0].dn.eql?(dn)
-              DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
-              return false
+        end
+        return true
+      end
+
+      def in_group?(group_name, group_attribute = DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        in_group = false
+
+        admin_ldap = LdapConnect.admin
+
+        unless ::Devise.ldap_ad_group_check
+          admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            if entry[group_attribute].include? dn
+              in_group = true
             end
           end
+        else
+          # AD optimization - extension will recursively check sub-groups with one query
+          # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
+          search_result = admin_ldap.search(:base => dn,
+                            :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
+                            :scope => Net::LDAP::SearchScope_BaseObject)
+          # Will return  the user entry if belongs to group otherwise nothing
+          if search_result.length == 1 && search_result[0].dn.eql?(dn)
+            in_group = true
+          end
         end
 
-        return true
+        unless in_group
+          DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name}")
+        end
+
+        return in_group
       end
 
       def has_required_attribute?
@@ -236,7 +258,9 @@ module Devise
         DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}")
         filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
         ldap_entry = nil
-        @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
+        match_count = 0
+        @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
+        DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches")
         ldap_entry
       end
 

data/lib/devise_ldap_authenticatable/model.rb

@@ -1,4 +1,4 @@
-require 'devise_ldap_authenticatable/strategy'
+require 'devise_ldap_authenticatable/strategy'
 
 module Devise
   module Models
@@ -53,6 +53,10 @@ module Devise
         Devise::LdapAdapter.get_groups(login_with)
       end
 
+      def in_ldap_group?(group_name, group_attribute = LdapAdapter::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        Devise::LdapAdapter.in_ldap_group?(login_with, group_name, group_attribute)
+      end
+
       def ldap_dn
         Devise::LdapAdapter.get_dn(login_with)
       end