devise_ldap_authenticatable 0.8.1 → 0.8.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 83f8abeb23a6a4f7ba011a20858268cc9bc1b0f8
-  data.tar.gz: dca093640944a95c13037086cc74c94a39f9af02
+  metadata.gz: 2b851a53df509e6cf0d16292aa9192e06dfff3e7
+  data.tar.gz: 532280a974b9cf4bf52d34ff5a57b49cd33e6304
 SHA512:
-  metadata.gz: 65d9174c9f3d1231a895da94b731662a1fc5f4b3018b7626c95e71c94d739520d2737dd3ce27a999e60d9f64503b95fb3c68224fcdcb3da842570ec18fd43af6
-  data.tar.gz: 7cf26b625215614e7527745d3a32f449e592b56f7957cbad0a40cc253de4ccd63f6ef419d6854dcf8be28a555d25dd03c5de38eccef1e8279a56d9ece833099a
+  metadata.gz: dce1145454333fc039cab36e9c9c0c36178402fac1eff6f4d9bd552d3ac2eaa04fb8cf80e75750ed7c69e19fe93abe4a697288fb646f70481084114133c76725
+  data.tar.gz: c5084e9417909665e9aecb7591dad2fbaa42543498ad179a9ca7ce8fc75315c3c278c36ce5a4ddf74c7f202f64d34089bc17d828bff451e896ca116d5aa1338d

data/README.md

@@ -1,5 +1,10 @@
 Devise LDAP Authenticatable
 ===========================
+
+Why this fork?
+--------------
+This fork changes a few lines to allow the admin binding to be set to the user trying to log in.
+
 [![Gem Version](https://badge.fury.io/rb/devise_ldap_authenticatable.png)](http://badge.fury.io/rb/devise_ldap_authenticatable)
 [![Code Climate](https://codeclimate.com/github/cschiewek/devise_ldap_authenticatable.png)](https://codeclimate.com/github/cschiewek/devise_ldap_authenticatable)
 [![Dependency Status](https://gemnasium.com/cschiewek/devise_ldap_authenticatable.png)](https://gemnasium.com/cschiewek/devise_ldap_authenticatable)
@@ -41,7 +46,7 @@ Run the rails generator for `devise_ldap_authenticatable`
 
     rails generate devise_ldap_authenticatable:install [options]
 
-This will install the sample.yml, update the devise.rb initializer, and update your user model. There are some options you can pass to it:
+This will install the ldap.yml, update the devise.rb initializer, and update your user model. There are some options you can pass to it:
 
 Options:
 
@@ -57,12 +62,10 @@ Querying LDAP
 -------------
 Given that `ldap_create_user` is set to true and you are authenticating with username, you can query an LDAP server for other attributes.
 
-in your user model:
+in your user model you have to simply define `ldap_before_save` method:
 
-    before_save :get_ldap_email
-
-    def get_ldap_email
-      self.email = Devise::LdapAdapter.get_ldap_param(self.username,"mail")
+    def ldap_before_save
+      self.email = Devise::LDAP::Adapter.get_ldap_param(self.username,"mail").first
     end
 
 Configuration
@@ -71,25 +74,20 @@ In initializer  `config/initializers/devise.rb` :
 
 * `ldap_logger` _(default: true)_
   * If set to true, will log LDAP queries to the Rails logger.
-
 * `ldap_create_user` _(default: false)_
-  * If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
-      If set to false, you will have to create the user record before they will be allowed to login.
-
+  * If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created. If set to false, you will have to create the user record before they will be allowed to login.
 * `ldap_config` _(default: #{Rails.root}/config/ldap.yml)_
-	* Where to find the LDAP config file. Commented out to use the default, change if needed.
-
+  * Where to find the LDAP config file. Commented out to use the default, change if needed.
 * `ldap_update_password` _(default: true)_
   * When doing password resets, if true will update the LDAP server. Requires admin password in the ldap.yml
-
 * `ldap_check_group_membership` _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
-
 * `ldap_check_attributes` _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
-
 * `ldap_use_admin_to_bind` _(default: false)_
   * When set to true, the admin user will be used to bind to the LDAP server during authentication.
+* `ldap_check_group_membership_without_admin` _(default: false)_
+  * When set to true, the group membership check is done with the user's own credentials rather than with admin credentials. Since these credentials are only available to the Devise user model during the login flow, the group check function will not work if a group check is performed when this option is true outside of the login flow (e.g., before particular actions).
 
 Advanced Configuration
 ----------------------
@@ -97,10 +95,12 @@ These parameters will be added to `config/initializers/devise.rb` when you pass
 
 * `ldap_auth_username_builder` _(default: `Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }`)_
   * You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
+* `ldap_auth_password_build` _(default: `Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) }`)_
+  * Optionally you can define a proc to create custom password encrption when user reset password
 
 Troubleshooting
 --------------
-**Using a "username" instead of an "email":** The field that is used for logins is the first key that's configured in the `config/devise.rb` file under `config.authentication_keys`, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise.
+**Using a "username" instead of an "email":** The field that is used for logins is the first key that's configured in the `config/initializers/devise.rb` file under `config.authentication_keys`, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise. Also, this [documentation](https://github.com/plataformatec/devise/wiki/How-To%3a-Allow-users-to-sign-in-using-their-username-or-email-address) from Devise can very helpful.
 
 **SSL certificate invalid:** If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., `/etc/openldap/ldap.conf` or `/etc/ldap/ldap.conf`) to read `TLS_REQCERT never`.
 
@@ -111,11 +111,12 @@ For additional support, questions or discussions, please see the discussion foru
 
 Development guide
 ------------
-To contribute to `devise_ldap_authentication`, you should be able to run a test OpenLDAP server. Specifically, you need the `slapd`, `ldapadd`, and `ldapmodify` binaries.
 
-This seems to come out of the box with Mac OS X 10.6.
+Devise LDAP Authenticatable uses a running OpenLDAP server to do automated acceptance tests. You'll need the executables `slapd`, `ldapadd`, and `ldapmodify`.
+
+On OS X, this is available out of the box.
 
-On Ubuntu (tested on 12.04 and 12.10), you can run `sudo apt-get install slapd ldap-utils`. You will also likely have to add the `spec/ldap` directory of your local git clone to the slapd [apparmor](https://wiki.ubuntu.com/DebuggingApparmor) profile `/etc/apparmor.d/usr.sbin.slapd` if you get permissions errors. Something like this should do:
+On Ubuntu, you can install OpenLDAP with `sudo apt-get install slapd ldap-utils`. If slapd runs under AppArmor, add an exception like this to `/etc/apparmor.d/local/usr.sbin.slapd` to let slapd read our configs.
 
     /path/to/devise_ldap_authenticatable/spec/ldap/** rw,$
 

data/lib/devise_ldap_authenticatable.rb

@@ -16,6 +16,8 @@ module Devise
   mattr_accessor :ldap_create_user
   @@ldap_create_user = false
   
+  # A path to YAML config file or a Proc that returns a
+  # configuration hash
   mattr_accessor :ldap_config
   # @@ldap_config = "#{Rails.root}/config/ldap.yml"
   
@@ -44,4 +46,4 @@ Devise.add_module(:ldap_authenticatable,
                   :route => :session, ## This will add the routes, rather than in the routes.rb
                   :strategy   => true,
                   :controller => :sessions,
-                  :model  => 'devise_ldap_authenticatable/model')
+                  :model  => 'devise_ldap_authenticatable/model')

data/lib/devise_ldap_authenticatable/ldap/adapter.rb

@@ -26,7 +26,7 @@ module Devise
       end
 
       def self.update_own_password(login, new_password, current_password)
-        set_ldap_param(login, :userpassword, Net::LDAP::Password.generate(:sha, new_password), current_password)
+        set_ldap_param(login, :userPassword, ::Devise.ldap_auth_password_builder.call(new_password), current_password)
       end
 
       def self.ldap_connect(login)
@@ -84,4 +84,4 @@ module Devise
 
   end
 
-end
+end

data/lib/devise_ldap_authenticatable/ldap/connection.rb

@@ -4,7 +4,11 @@ module Devise
       attr_reader :ldap, :login
 
       def initialize(params = {})
-        ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        if ::Devise.ldap_config.is_a?(Proc)
+          ldap_config = ::Devise.ldap_config.call
+        else
+          ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        end
         ldap_options = params
         ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true
         ldap_options[:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"]
@@ -14,6 +18,8 @@ module Devise
         @ldap.port = ldap_config["port"]
         @ldap.base = ldap_config["base"]
         @attribute = ldap_config["attribute"]
+        @allow_unauthenticated_bind = ldap_config["allow_unauthenticated_bind"]
+
         @ldap_auth_username_builder = params[:ldap_auth_username_builder]
 
         @group_base = ldap_config["group_base"]
@@ -22,6 +28,7 @@ module Devise
         @required_attributes = ldap_config["require_attribute"]
 
         @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin]
+        @ldap.auth params[:login], params[:password] if ldap_config["admin_as_user"]
 
         @login = params[:login]
         @password = params[:password]
@@ -37,19 +44,19 @@ module Devise
       end
 
       def dn
-        DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}")
-        ldap_entry = search_for_login
-        if ldap_entry.nil?
-          @ldap_auth_username_builder.call(@attribute,@login,@ldap)
-        else
-          ldap_entry.dn
+        @dn ||= begin
+          DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}")
+          ldap_entry = search_for_login
+          if ldap_entry.nil?
+            @ldap_auth_username_builder.call(@attribute,@login,@ldap)
+          else
+            ldap_entry.dn
+          end
         end
       end
 
       def ldap_param_value(param)
-        filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
-        ldap_entry = nil
-        @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
+        ldap_entry = search_for_login
 
         if ldap_entry
           unless ldap_entry[param].empty?
@@ -67,6 +74,7 @@ module Devise
       end
 
       def authenticate!
+        return false unless (@password.present? || @allow_unauthenticated_bind)
         @ldap.auth(dn, @password)
         @ldap.bind
       end
@@ -174,13 +182,15 @@ module Devise
       #
       # @return [Object] the LDAP entry found; nil if not found
       def search_for_login
-        DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}")
-        filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
-        ldap_entry = nil
-        match_count = 0
-        @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
-        DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches")
-        ldap_entry
+        @login_ldap_entry ||= begin
+          DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}")
+          filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+          ldap_entry = nil
+          match_count = 0
+          @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
+          DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches")
+          ldap_entry
+        end
       end
 
       private
@@ -223,4 +233,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise_ldap_authenticatable/model.rb

@@ -1,4 +1,4 @@
-require 'devise_ldap_authenticatable/strategy'
+require 'devise_ldap_authenticatable/strategy'
 
 module Devise
   module Models
@@ -18,7 +18,7 @@ module Devise
       end
 
       def login_with
-        @login_with ||= Devise.mappings[self.class.to_s.underscore.to_sym].to.authentication_keys.first
+        @login_with ||= Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.to.authentication_keys.first
         self[@login_with]
       end
 
@@ -45,11 +45,11 @@ module Devise
 
       # Checks if a resource is valid upon authentication.
       def valid_ldap_authentication?(password)
-        if Devise::LDAP::Adapter.valid_credentials?(login_with, password)
-          return true
-        else
-          return false
-        end
+        Devise::LDAP::Adapter.valid_credentials?(login_with, password)
+      end
+
+      def ldap_entry
+        @ldap_entry ||= Devise::LDAP::Adapter.get_ldap_entry(login_with)
       end
 
       def ldap_groups
@@ -61,11 +61,15 @@ module Devise
       end
 
       def ldap_dn
-        Devise::LDAP::Adapter.get_dn(login_with)
+        ldap_entry ? ldap_entry.dn : nil
       end
 
-      def ldap_get_param(login_with, param)
-        Devise::LDAP::Adapter.get_ldap_param(login_with,param)
+      def ldap_get_param(param)
+        if ldap_entry && !ldap_entry[param].empty?
+          value = ldap_entry.send(param)
+        else
+          nil
+        end
       end
 
       #
@@ -76,34 +80,34 @@ module Devise
       # def ldap_before_save
       # end
 
+      # Called after a successful LDAP authentication
+      def after_ldap_authentication
+      end
+
 
       module ClassMethods
-        # Authenticate a user based on configured attribute keys. Returns the
-        # authenticated user if it's valid or nil.
-        def authenticate_with_ldap(attributes={})
+        # Find a user for ldap authentication.
+        def find_for_ldap_authentication(attributes={})
           auth_key = self.authentication_keys.first
           return nil unless attributes[auth_key].present?
 
           auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+      	  auth_key_value = (self.strip_whitespace_keys || []).include?(auth_key) ? auth_key_value.strip : auth_key_value
 
-          # resource = find_for_ldap_authentication(conditions)
           resource = where(auth_key => auth_key_value).first
 
-          if (resource.blank? and ::Devise.ldap_create_user)
+          if resource.blank?
             resource = new
             resource[auth_key] = auth_key_value
             resource.password = attributes[:password]
           end
 
-          if resource.try(:valid_ldap_authentication?, attributes[:password])
-            if resource.new_record?
-              resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
-              resource.save!
-            end
-            return resource
-          else
-            return nil
+          if ::Devise.ldap_create_user && resource.new_record? && resource.valid_ldap_authentication?(attributes[:password])
+            resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
+            resource.save!
           end
+
+          resource
         end
 
         def update_with_password(resource)

data/lib/devise_ldap_authenticatable/strategy.rb

@@ -3,16 +3,35 @@ require 'devise/strategies/authenticatable'
 module Devise
   module Strategies
     class LdapAuthenticatable < Authenticatable
+
+      # Tests whether the returned resource exists in the database and the
+      # credentials are valid.  If the resource is in the database and the credentials
+      # are valid, the user is authenticated.  Otherwise failure messages are returned 
+      # indicating whether the resource is not found in the database or the credentials
+      # are invalid.
       def authenticate!
-        resource = valid_password? && mapping.to.authenticate_with_ldap(authentication_hash.merge(password: password))
-        return fail(:invalid) unless resource
+        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(password: password))
+
+        if resource.persisted?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            remember_me(resource)
+            resource.after_ldap_authentication
+            success!(resource)
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
 
-        if validate(resource)
-          success!(resource)
+        if resource.new_record?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            return fail(:not_found_in_database) # Valid credentials
+          else
+            return fail(:invalid) # Invalid credentials
+          end
         end
       end
     end
   end
 end
 
-Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseLdapAuthenticatable
-  VERSION = "0.8.1".freeze
+  VERSION = "0.8.3".freeze
 end

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -1,31 +1,31 @@
 module DeviseLdapAuthenticatable
   class InstallGenerator < Rails::Generators::Base
     source_root File.expand_path("../templates", __FILE__)
-    
+
     class_option :user_model, :type => :string, :default => "user", :desc => "Model to update"
     class_option :update_model, :type => :boolean, :default => true, :desc => "Update model to change from database_authenticatable to ldap_authenticatable"
     class_option :add_rescue, :type => :boolean, :default => true, :desc => "Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException"
     class_option :advanced, :type => :boolean, :desc => "Add advanced config options to the devise initializer"
-    
-    
+
+
     def create_ldap_config
       copy_file "ldap.yml", "config/ldap.yml"
     end
-    
+
     def create_default_devise_settings
       inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"   
     end
-    
+
     def update_user_model
       gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
     end
-    
+
     def update_application_controller
       inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
     end
-    
+
     private
-    
+
     def default_devise_settings
       settings = <<-eof
   # ==> LDAP Configuration 
@@ -34,22 +34,23 @@ module DeviseLdapAuthenticatable
   # config.ldap_update_password = true
   # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
   # config.ldap_check_group_membership = false
+  # config.ldap_check_group_membership_without_admin = false
   # config.ldap_check_attributes = false
   # config.ldap_use_admin_to_bind = false
   # config.ldap_ad_group_check = false
-  
+
       eof
       if options.advanced?  
         settings << <<-eof  
   # ==> Advanced LDAP Configuration
   # config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "\#{attribute}=\#{login},\#{ldap.base}" }
-  
+
         eof
       end
-      
+
       settings
     end
-    
+
     def rescue_from_exception
       <<-eof
   rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
@@ -57,6 +58,6 @@ module DeviseLdapAuthenticatable
   end
       eof
     end
-    
+
   end
 end

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -3,6 +3,7 @@
 # You can also just copy and paste the tree (do not include the "authorizations") to each
 # environment if you need something different per enviornment.
 authorizations: &AUTHORIZATIONS
+  allow_unauthenticated_bind: false
   group_base: ou=groups,dc=test,dc=com
   ## Requires config.ldap_check_group_membership in devise.rb be true
   # Can have multiple values, must match all to be authorized

data/spec/rails_app/config/initializers/devise.rb

@@ -16,6 +16,11 @@ Devise.setup do |config|
   # note that it will be overwritten if you use your own mailer class with default "from" parameter.
   config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
+
+  if ::Devise.respond_to?(:secret_key)
+    ::Devise.secret_key = '012a16191a7f61e84e55704e34b73db991a23ba396b6b7760596a3e80073e4464c55421c42a1a34327dee44828bec6745c48eba10cc0866799ec95c09ea27ada'
+  end
+
   # Configure the class responsible to send e-mails.
   # config.mailer = "Devise::Mailer"
 

data/spec/rails_app/config/locales/devise.en.yml

@@ -17,6 +17,7 @@ en:
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'
+      not_found_in_database: "Your account is not present in this application's database."
       invalid: 'Invalid email or password.'
       invalid_token: 'Invalid authentication token.'
       timeout: 'Your session expired, please sign in again to continue.'

data/spec/spec_helper.rb

@@ -5,6 +5,14 @@ require 'rspec/rails'
 require 'rspec/autorun'
 require 'factory_girl' # not sure why this is not already required
 
+# Rails 4.1 and RSpec are a bit on different pages on who should run migrations
+# on the test db and when.
+#
+# https://github.com/rspec/rspec-rails/issues/936
+if defined?(ActiveRecord::Migration) && ActiveRecord::Migration.respond_to?(:maintain_test_schema!)
+  ActiveRecord::Migration.maintain_test_schema!
+end
+
 Dir[File.expand_path("support/**/*.rb", File.dirname(__FILE__))].each {|f| require f}
 
 RSpec.configure do |config|

data/spec/unit/connection_spec.rb

@@ -0,0 +1,14 @@
+require File.expand_path('../spec_helper', File.dirname(__FILE__))
+
+describe 'Connection' do
+  it 'accepts a proc for ldap_config' do
+    ::Devise.ldap_config = Proc.new() {{
+      'host' => 'localhost',
+      'port' => 3389,
+      'base' => 'ou=testbase,dc=test,dc=com',
+      'attribute' => 'cn',
+    }}
+    connection = Devise::LDAP::Connection.new()
+    expect(connection.ldap.base).to eq('ou=testbase,dc=test,dc=com')
+  end
+end

data/spec/unit/user_spec.rb

@@ -66,9 +66,10 @@ describe 'Users' do
         assert(User.all.blank?, "There shouldn't be any users in the database")
       end
 
-      it "should don't create user in the database" do
-        @user = User.authenticate_with_ldap(:email => "example.user@test.com", :password => "secret")
+      it "should not create user in the database" do
+        @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
         assert(User.all.blank?)
+        assert(@user.new_record?)
       end
 
       describe "creating users is enabled" do
@@ -77,18 +78,19 @@ describe 'Users' do
         end
 
         it "should create a user in the database" do
-          @user = User.authenticate_with_ldap(:email => "example.user@test.com", :password => "secret")
+          @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
           assert_equal(User.all.size, 1)
           User.all.collect(&:email).should include("example.user@test.com")
+          assert(@user.persisted?)
         end
 
         it "should not create a user in the database if the password is wrong_secret" do
-          @user = User.authenticate_with_ldap(:email => "example.user", :password => "wrong_secret")
+          @user = User.find_for_ldap_authentication(:email => "example.user", :password => "wrong_secret")
           assert(User.all.blank?, "There's users in the database")
         end
 
-        it "should create a user if the user is not in LDAP" do
-          @user = User.authenticate_with_ldap(:email => "wrong_secret.user@test.com", :password => "wrong_secret")
+        it "should not create a user if the user is not in LDAP" do
+          @user = User.find_for_ldap_authentication(:email => "wrong_secret.user@test.com", :password => "wrong_secret")
           assert(User.all.blank?, "There's users in the database")
         end
 
@@ -97,7 +99,7 @@ describe 'Users' do
           @user = Factory.create(:user)
 
           expect do
-            User.authenticate_with_ldap(:email => "EXAMPLE.user@test.com", :password => "secret")
+            User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
           end.to change { User.count }.by(1)
         end
 
@@ -106,14 +108,14 @@ describe 'Users' do
           @user = Factory.create(:user)
 
           expect do
-            User.authenticate_with_ldap(:email => "EXAMPLE.user@test.com", :password => "secret")
+            User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
           end.to_not change { User.count }
         end
 
         it "should create a user with downcased email in the database if case insensitivity matters" do
           ::Devise.case_insensitive_keys = [:email]
 
-          @user = User.authenticate_with_ldap(:email => "EXAMPLE.user@test.com", :password => "secret")
+          @user = User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
           User.all.collect(&:email).should include("example.user@test.com")
         end
       end
@@ -167,7 +169,37 @@ describe 'Users' do
         assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
       end
     end
-    
+
+    describe "check group membership w/out admin bind" do
+      before do
+        @user = Factory.create(:user)
+        ::Devise.ldap_check_group_membership_without_admin = true
+      end
+
+      after do
+        ::Devise.ldap_check_group_membership_without_admin = false
+      end
+
+      it "should return true for user being in the users group" do
+        assert_equal true, @user.in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for user being in the admins group" do
+        assert_equal false, @user.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for a user being in a nonexistent group" do
+        assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
+      end
+
+      # TODO: add a test that confirms the user's own binding is used rather
+      # than the admin binding by creating an LDAP user who can't do group
+      # lookups perhaps?
+
+      # TODO: add a test to demonstrate this function won't work on a user
+      # after the initial login request if the password isn't available. This
+      # might have to be more of a full stack test.
+    end
 
     describe "use role attribute for authorization" do
       before do
@@ -225,7 +257,7 @@ describe 'Users' do
       end
 
       it "should create a user in the database" do
-        @user = User.authenticate_with_ldap(:uid => "example_user", :password => "secret")
+        @user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
         assert_equal(User.all.size, 1)
         User.all.collect(&:uid).should include("example_user")
       end
@@ -236,7 +268,7 @@ describe 'Users' do
             @foobar = 'foobar'
           end
         end
-        user = User.authenticate_with_ldap(:uid => "example_user", :password => "secret")
+        user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
         assert_equal 'foobar', user.instance_variable_get(:"@foobar")
         User.class_eval do
           undef ldap_before_save
@@ -244,9 +276,7 @@ describe 'Users' do
       end
 
       it "should not call ldap_before_save hook if not defined" do
-        assert_nothing_raised do
-          should_be_validated Factory.create(:user, :uid => "example_user"), "secret"
-        end
+        should_be_validated Factory.create(:user, :uid => "example_user"), "secret"
       end
     end
   end
@@ -279,9 +309,7 @@ describe 'Users' do
     end
 
     it "should not fail if config file has ssl: true" do
-      assert_nothing_raised do
-        Devise::LDAP::Connection.new
-      end
+      Devise::LDAP::Connection.new
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_ldap_authenticatable
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.8.3
 platform: ruby
 authors:
 - Curtis Schiewek
@@ -10,180 +10,180 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-24 00:00:00.000000000 Z
+date: 2015-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.3.1
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: 0.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.3.1
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: 0.6.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.9'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: factory_girl_rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: factory_girl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: database_cleaner
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: launchy
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Devise extension to allow authentication via LDAP
@@ -192,7 +192,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
 - CHANGELOG.md
 - Gemfile
 - MIT-LICENSE
@@ -277,6 +277,7 @@ files:
 - spec/rails_app/script/rails
 - spec/spec_helper.rb
 - spec/support/factories.rb
+- spec/unit/connection_spec.rb
 - spec/unit/user_spec.rb
 homepage: https://github.com/cschiewek/devise_ldap_authenticatable
 licenses:
@@ -288,18 +289,89 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Devise extension to allow authentication via LDAP
-test_files: []
+test_files:
+- spec/ldap/.gitignore
+- spec/ldap/base.ldif
+- spec/ldap/clear.ldif
+- spec/ldap/local.schema
+- spec/ldap/openldap-data/.gitignore
+- spec/ldap/openldap-data/run/.gitignore
+- spec/ldap/openldap-data/run/.gitkeep
+- spec/ldap/run-server
+- spec/ldap/server.pem
+- spec/ldap/slapd-test.conf.erb
+- spec/rails_app/Rakefile
+- spec/rails_app/app/controllers/application_controller.rb
+- spec/rails_app/app/controllers/posts_controller.rb
+- spec/rails_app/app/helpers/application_helper.rb
+- spec/rails_app/app/helpers/posts_helper.rb
+- spec/rails_app/app/models/post.rb
+- spec/rails_app/app/models/user.rb
+- spec/rails_app/app/views/layouts/application.html.erb
+- spec/rails_app/app/views/posts/index.html.erb
+- spec/rails_app/config.ru
+- spec/rails_app/config/application.rb
+- spec/rails_app/config/boot.rb
+- spec/rails_app/config/cucumber.yml
+- spec/rails_app/config/database.yml
+- spec/rails_app/config/environment.rb
+- spec/rails_app/config/environments/development.rb
+- spec/rails_app/config/environments/production.rb
+- spec/rails_app/config/environments/test.rb
+- spec/rails_app/config/initializers/backtrace_silencers.rb
+- spec/rails_app/config/initializers/devise.rb
+- spec/rails_app/config/initializers/inflections.rb
+- spec/rails_app/config/initializers/mime_types.rb
+- spec/rails_app/config/initializers/secret_token.rb
+- spec/rails_app/config/initializers/session_store.rb
+- spec/rails_app/config/ldap.yml
+- spec/rails_app/config/ldap_with_boolean_ssl.yml
+- spec/rails_app/config/ldap_with_erb.yml
+- spec/rails_app/config/ldap_with_uid.yml
+- spec/rails_app/config/locales/devise.en.yml
+- spec/rails_app/config/locales/en.yml
+- spec/rails_app/config/routes.rb
+- spec/rails_app/config/ssl_ldap.yml
+- spec/rails_app/config/ssl_ldap_with_erb.yml
+- spec/rails_app/config/ssl_ldap_with_uid.yml
+- spec/rails_app/db/migrate/20100708120448_devise_create_users.rb
+- spec/rails_app/db/schema.rb
+- spec/rails_app/features/manage_logins.feature
+- spec/rails_app/features/step_definitions/login_steps.rb
+- spec/rails_app/features/step_definitions/web_steps.rb
+- spec/rails_app/features/support/env.rb
+- spec/rails_app/features/support/paths.rb
+- spec/rails_app/lib/tasks/.gitkeep
+- spec/rails_app/lib/tasks/cucumber.rake
+- spec/rails_app/public/404.html
+- spec/rails_app/public/422.html
+- spec/rails_app/public/500.html
+- spec/rails_app/public/images/rails.png
+- spec/rails_app/public/javascripts/application.js
+- spec/rails_app/public/javascripts/controls.js
+- spec/rails_app/public/javascripts/dragdrop.js
+- spec/rails_app/public/javascripts/effects.js
+- spec/rails_app/public/javascripts/prototype.js
+- spec/rails_app/public/javascripts/rails.js
+- spec/rails_app/public/stylesheets/.gitkeep
+- spec/rails_app/script/cucumber
+- spec/rails_app/script/rails
+- spec/spec_helper.rb
+- spec/support/factories.rb
+- spec/unit/connection_spec.rb
+- spec/unit/user_spec.rb
+has_rdoc: