RubyGems - devise_ldap_multiple - Versions diffs - 0.9.0 - Mend

devise_ldap_multiple 0.9.0

Files changed (19) hide show

checksums.yaml +7 -0
data/.gitignore +10 -0
data/Gemfile +8 -0
data/MIT-LICENSE +20 -0
data/README.md +60 -0
data/Rakefile +16 -0
data/devise_ldap_multiple.gemspec +35 -0
data/lib/devise_ldap_multiple.rb +25 -0
data/lib/devise_ldap_multiple/exception.rb +6 -0
data/lib/devise_ldap_multiple/ldap/adapter.rb +111 -0
data/lib/devise_ldap_multiple/ldap/connection.rb +326 -0
data/lib/devise_ldap_multiple/logger.rb +9 -0
data/lib/devise_ldap_multiple/model.rb +131 -0
data/lib/devise_ldap_multiple/strategy.rb +48 -0
data/lib/devise_ldap_multiple/version.rb +3 -0
data/lib/generators/devise_ldap_multiple/devise_ldap_multiple_generator.rb +17 -0
data/lib/generators/devise_ldap_multiple/install_generator.rb +39 -0
data/lib/generators/devise_ldap_multiple/templates/default.yml +99 -0
metadata +239 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 76c06c80d33a10a9a5d8b456c11922d628ca15bd
+  data.tar.gz: 1064d2b788a02aa146001923e9ca9476db08c818
+SHA512:
+  metadata.gz: f5041d2f9b051e019d5e4377578f79490bb4bf47211278572038b1730d8a4d18373177712d34f0095dec52b488e1c97e19e1e31d4a64d99fcc30d6fda0b0931a
+  data.tar.gz: a66484274528ae0a72dac12292dc8e87aaa3fa00864ed3b9e6159902c5351c3fae53be7d1a755c13e949bcd7cea389575668b63d7807cdd791f10e8e8643b87e

data/.gitignore ADDED Viewed

@@ -0,0 +1,10 @@
+.bundle
+Gemfile.lock
+log
+*.sqlite3
+test/ldap/openldap-data/*
+!test/ldap/openldap-data/run
+test/ldap/openldap-data/run/slapd.*
+test/rails_app/tmp
+pkg/*
+*.gem

data/Gemfile ADDED Viewed

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+gemspec
+group :development, :test do
+  gem 'debugger', platform: :ruby_19
+  gem 'byebug', platform: :ruby_20
+end

data/MIT-LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright (c) 2016 Scott Willett
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,60 @@
+Devise LDAP Multiple
+====================
+This project is a fork of the brilliant project devise_ldap_authenticatable here: (https://github.com/cschiewek/devise_ldap_authenticatable).
+The difference is that this project allows you to use multiple LDAP databases in a single app, and the code was refactored significantly while adding this feature.
+Devise LDAP Multiple is a LDAP based authentication strategy for the [Devise](http://github.com/plataformatec/devise) authentication framework.
+If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.
+Devise LDAP Multiple works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
+Prerequisites
+-------------
+ * devise ~> 3.0.0 (which requires rails ~> 4.0)
+ * net-ldap ~> 0.6.0
+If you are transitioning from having Devise manage your users' passwords in the database to using LDAP auth, you may have to update your `users` table to make `encrypted_password` nullable, or else the LDAP user insert will fail.
+Usage
+-----
+In the Gemfile for your application:
+    gem "devise_ldap_multiple"
+To get the latest version, pull directly from github instead of the gem:
+    gem "devise_ldap_multiple", :git => "https://github.com/xarael/devise_ldap_multiple"
+Setup
+-----
+Run the rails generators for devise (please check the [devise](http://github.com/plataformatec/devise) documents for further instructions)
+    rails generate devise:install
+    rails generate devise MODEL_NAME
+Run the rails generator for `devise_ldap_multiple`
+    rails generate devise_ldap_multiple:install
+    rails generate devise_ldap_multiple [MODEL_NAME]
+MODEL_NAME defaults to: user
+This will install [MODEL_NAME].yml file to the config/ldap/ directory, update the devise.rb initializer with a default scope (default), and update your model.
+All configuration is set within these .yml files for each model. There's comments in the files to describe the various settings.
+References
+----------
+* [Devise LDAP Authenticatable](https://github.com/cschiewek/devise_ldap_authenticatable)
+* [OpenLDAP](http://www.openldap.org/)
+* [Devise](http://github.com/plataformatec/devise)
+* [Warden](http://github.com/hassox/warden)
+Released under the MIT license
+Copyright (c) 2016 [Scott Willett](https://github.com/xarael)

data/Rakefile ADDED Viewed

@@ -0,0 +1,16 @@
+require File.expand_path('spec/rails_app/config/environment', File.dirname(__FILE__))
+require 'rdoc/task'
+desc 'Default: run test suite.'
+task :default => :spec
+desc 'Generate documentation for the devise_ldap_multiple plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseLDAPMultiple'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+RailsApp::Application.load_tasks

data/devise_ldap_multiple.gemspec ADDED Viewed

@@ -0,0 +1,35 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise_ldap_multiple/version"
+Gem::Specification.new do |s|
+  s.name     = 'devise_ldap_multiple'
+  s.version  = DeviseLdapMultiple::VERSION.dup
+  s.platform = Gem::Platform::RUBY
+  s.summary  = 'Devise extension to allow authentication to multiple LDAPs. Fork of the devise_ldap_authenticatable project.'
+  s.email = 'swillett@outlook.com'
+  s.homepage = 'https://github.com/xarael/devise_ldap_multiple'
+  s.description = s.summary
+  s.authors = ['Curtis Schiewek', 'Daniel McNevin', 'Steven Xu', 'Scott Willett']
+  s.license = 'MIT'
+  s.files         = `git ls-files`.split("\n")
+  # s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  s.add_dependency 'devise', '>= 3.4.1'
+  s.add_dependency 'net-ldap', '>= 0.6', '!= 0.12'
+  s.add_development_dependency 'rake', '>= 0.9'
+  s.add_development_dependency 'rdoc', '>= 3'
+  s.add_development_dependency 'rails', '>= 4.0'
+  s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'factory_girl_rails', '~> 1.0'
+  s.add_development_dependency 'factory_girl', '~> 2.0'
+  s.add_development_dependency 'rspec-rails'
+  %w{database_cleaner capybara launchy}.each do |dep|
+    s.add_development_dependency(dep)
+  end
+end

data/lib/devise_ldap_multiple.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# encoding: utf-8
+require 'devise'
+require 'net/ldap'
+require 'devise_ldap_multiple/exception'
+require 'devise_ldap_multiple/logger'
+require 'devise_ldap_multiple/ldap/adapter'
+require 'devise_ldap_multiple/ldap/connection'
+# Nearly all configuration is in each scope.yml file under config/ldap/ for each scope.
+module Devise
+  # The default scope to use if devise doesn't map to a scope and a scope isn't manually specified
+  # Can be overwritten by setting in file config/initializers/devise.rb
+  mattr_accessor :ldap_default_scope
+  @@ldap_default_scope = 'default'
+end
+# Add ldap_authenticatable strategy to defaults.
+Devise.add_module(:ldap_authenticatable,
+                  :route => :session, ## This will add the routes, rather than in the routes.rb
+                  :strategy   => true,
+                  :controller => :sessions,
+                  :model  => 'devise_ldap_multiple/model')

data/lib/devise_ldap_multiple/exception.rb ADDED Viewed

@@ -0,0 +1,6 @@
+module DeviseLdapMultiple
+  class LdapException < Exception
+  end
+end

data/lib/devise_ldap_multiple/ldap/adapter.rb ADDED Viewed

@@ -0,0 +1,111 @@
+require "net/ldap"
+module Devise
+  module LDAP
+    DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY = 'uniqueMember'
+    # Establishes connections and interacts with LDAP. Uses Connection objects to do this.
+    # Can interact with these methods in rails
+    module Adapter
+      # Returns all attributes for an account from LDAP
+      def self.get_ldap_entry(login, scope = default_scope)
+        self.ldap_connect(login, scope).search_for_login
+      end
+      # Get the value of an attribute for an account from LDAP
+      def self.get_ldap_param(login, param, scope = default_scope)
+        resource = self.ldap_connect(login, scope)
+        resource.ldap_param_value(param)
+      end
+      # Returns the DistinguishedName of an account (regardless of if it exists or not)
+      def self.get_dn(login, scope = default_scope)
+        self.ldap_connect(login, scope).dn
+      end
+      def self.password_updatable? (login, scope = default_scope)
+        options = { login: login, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.password_updatable?
+      end
+      def self.user_creatable? (login, scope = default_scope)
+        options = { login: login, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.user_creatable?
+      end
+      # Boolean returned for if an account in the LDAP exists (doesn't check authentication / authorization): false if a valid match can't be obtained from ldap.
+      def self.valid_login?(login, scope = default_scope)
+        self.ldap_connect(login, scope).valid_login?
+      end
+      # Tries to authenticate credentails to LDAP. Returns true or false appropriately.
+      def self.valid_credentials?(login, password_plaintext, scope = default_scope)
+        options = { login: login, password: password_plaintext, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.authorized?
+      end
+      # Returns true or false depending on if the users credentials have expired or not
+      def self.expired_valid_credentials?(login, password_plaintext, scope = default_scope)
+        options = { login: login, password: password_plaintext, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.expired_valid_credentials?
+      end
+      # Updates a users password in LDAP
+      def self.update_password(login, new_password, scope = default_scope)
+        options = { login: login, new_password: new_password, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.change_password! if new_password.present?
+      end
+      # Also updates the password. Unsure what differentiates this from update_password currently.
+      def self.update_own_password(login, new_password, current_password)
+        set_ldap_param(login, :userPassword, new_password, current_password, true)
+      end
+      # Returns a list of group memberships for a user
+      def self.get_groups(login, scope = default_scope)
+        self.ldap_connect(login, scope).user_groups
+      end
+      # Checks if a user is a member of a specific group
+      def self.in_ldap_group?(login, group_name, group_attribute = nil, scope = default_scope)
+        self.ldap_connect(login, scope).in_group?(group_name, group_attribute)
+      end
+      # Sets an LDAP attribute for an account to a new value
+      def self.set_ldap_param(login, param, new_value, password = nil, scope = default_scope)
+        options = { login: login, password: password, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.set_param(param, new_value)
+      end
+      # Deletes the LDAP attribute for an account
+      def self.delete_ldap_param(login, param, password = nil, scope = default_scope)
+        options = { login: login, password: password, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.delete_param(param)
+      end
+      # Creates a new connection to an LDAP database and returns the connection object to run methods against
+      def self.ldap_connect(login, scope = default_scope)
+        options = { login: login, scope: scope }
+        Devise::LDAP::Connection.new(options)
+      end
+      # The default scope to use if none is specified
+      def self.default_scope
+        ::Devise.ldap_default_scope
+      end
+    end # module Adapter
+  end # module LDAP
+end # module Devise

data/lib/devise_ldap_multiple/ldap/connection.rb ADDED Viewed

@@ -0,0 +1,326 @@
+module Devise
+  module LDAP
+    class Connection
+      attr_reader :ldap, :login
+      def initialize(params = {})
+        # Option scope determines the mapping_file to use
+        @scope = params[:scope]
+        config_file_path = "#{Rails.root}/config/ldap/#{@scope}.yml"
+        # Read the config file depending on the scope
+        ldap_config = YAML.load(ERB.new(File.read(config_file_path)).result)
+        # Alter the ssl option in the configuration
+        ldap_config[Rails.env]["ssl"] = :simple_tls if ldap_config[Rails.env]["ssl"] === true
+        # Determines if logging happens
+        @logging_enabled = ldap_config['logging_enabled']
+        # Evaluated into Proc objects
+        @auth_username_builder  = eval ldap_config['auth_username_builder']
+        @auth_password_builder  = eval ldap_config['auth_password_builder']
+        # Attributes and groups required for authorisation of an account
+        @group_base = ldap_config["group_base"]
+        @required_groups = ldap_config["required_groups"]
+        @group_membership_attribute = ldap_config.has_key?("group_membership_attribute") ? ldap_config["group_membership_attribute"] : "uniqueMember"
+        @required_attributes = ldap_config["require_attribute"]
+        @required_attributes_presence = ldap_config["require_attribute_presence"]
+        # Various Flags
+        @allow_unauthenticated_bind = ["allow_unauthenticated_bind"]
+        @check_attributes = ldap_config['check_attributes']
+        @check_attributes_presence = ldap_config['check_attributes_presence']
+        @use_admin_to_bind = ldap_config['use_admin_to_bind']
+        @check_group_membership = ldap_config["check_group_membership"]
+        @check_group_membership_without_admin = ldap_config["check_group_membership_without_admin"]
+        @update_passwords = ldap_config['update_passwords']
+        @create_user = ldap_config['create_user']
+        # Other params referencing credentails not part of the config file
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+        # Build up the options used to establish an LDAP connection
+        ldap_options = {}
+        ldap_options[:login] = params[:login] if params[:login]
+        ldap_options[:password] =  params[:password] if params[:password]
+        ldap_options[:new_password] =  params[:new_password] if params[:new_password]
+        ldap_options[:ldap_auth_username_builder] = @auth_username_builder
+        ldap_options[:admin] = @use_admin_to_bind
+        ldap_options[:encryption] = ldap_config[Rails.env]["ssl"].to_sym if ldap_config[Rails.env]["ssl"]
+        # LDAP server to connect to depending on the current Rails environment in use
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config[Rails.env]["host"]
+        @ldap.port = ldap_config[Rails.env]["port"]
+        @ldap.base = ldap_config[Rails.env]["base"]
+        @attribute = ldap_config[Rails.env]["attribute"]
+        # Admin credentials to use if an admin is set to bind to LDAP (Rails environment dependent)
+        @ldap.auth ldap_config[Rails.env]["admin_user"], ldap_config[Rails.env]["admin_password"] if @use_admin_to_bind
+      end
+      # Logs a message to the console and the environment log file
+      def log (message)
+        DeviseLdapMultiple::Logger.send(message) if @logging_enabled
+      end
+      def password_updatable?
+        @update_passwords
+      end
+      def user_creatable?
+        @create_user
+      end
+      # Deletes a parameter from LDAP for an account
+      def delete_param(param)
+        update_ldap [[:delete, param.to_sym, nil]]
+      end
+      def set_param(param, new_value, is_password = false)
+        new_value = @auth_password_builder .call(new_value) if is_password
+        update_ldap( { param.to_sym => new_value } )
+      end
+      # Returns the DistinguishedName for an account, regardless of if it exists or not (calls a proc to determine the dn if it doesn't exists - proc defined in the config file)
+      def dn
+        @dn ||= begin
+          log("LDAP dn lookup: #{@attribute}=#{@login}")
+          log("LDAP dn lookup asdf: #{@attribute}=#{@login}")
+          ldap_entry = search_for_login
+          if ldap_entry.nil?
+            @auth_username_builder .call(@attribute,@login,@ldap)
+          else
+            ldap_entry.dn
+          end
+        end
+      end
+      def ldap_param_value(param)
+        ldap_entry = search_for_login
+        if ldap_entry
+          unless ldap_entry[param].empty?
+            value = ldap_entry.send(param)
+            log("Requested param #{param} has value #{value}")
+            value
+          else
+            log("Requested param #{param} does not exist")
+            value = nil
+          end
+        else
+          log("Requested ldap entry does not exist")
+          value = nil
+        end
+      end
+      def authenticate!
+        return false unless (@password.present? || @allow_unauthenticated_bind)
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+      def authenticated?
+        authenticate!
+      end
+      def last_message_bad_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 52e'
+      end
+      def last_message_expired_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 773'
+      end
+      def authorized?
+        log("Authorizing user #{dn}")
+        if !authenticated?
+          if last_message_bad_credentials?
+            log("Not authorized because of invalid credentials.")
+          elsif last_message_expired_credentials?
+            log("Not authorized because of expired credentials.")
+          else
+            log("Not authorized because not authenticated.")
+          end
+          return false
+        elsif !in_required_groups?
+          log("Not authorized because not in required groups.")
+          return false
+        elsif !has_required_attribute?
+          log("Not authorized because does not have required attribute.")
+          return false
+        elsif !has_required_attribute_presence?
+          log("Not authorized because does not have required attribute present.")
+          return false
+        else
+          return true
+        end
+      end
+      def expired_valid_credentials?
+        log("Authorizing user #{dn}")
+        !authenticated? && last_message_expired_credentials?
+      end
+      def change_password!
+        update_ldap(:userPassword => @auth_password_builder .call(@new_password))
+      end
+      def in_required_groups?
+        return true unless @check_group_membership || @check_group_membership_without_admin
+        ## FIXME set errors here, the ldap.yml isn't set properly.
+        return false if @required_groups.nil?
+        for group in @required_groups
+          if group.is_a?(Array)
+            return false unless in_group?(group[1], group[0])
+          else
+            return false unless in_group?(group)
+          end
+        end
+        return true
+      end
+      def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        in_group = false
+        if @check_group_membership_without_admin
+          group_checking_ldap = @ldap
+        else
+          group_checking_ldap = Connection.admin
+        end
+        unless @ldap_check_group_membership
+          group_checking_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            if entry[group_attribute].include? dn
+              in_group = true
+              log("User #{dn} IS included in group: #{group_name}")
+            end
+          end
+        else
+          # AD optimization - extension will recursively check sub-groups with one query
+          # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
+          search_result = group_checking_ldap.search(:base => dn,
+                            :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
+                            :scope => Net::LDAP::SearchScope_BaseObject)
+          # Will return  the user entry if belongs to group otherwise nothing
+          if search_result.length == 1 && search_result[0].dn.eql?(dn)
+            in_group = true
+            log("User #{dn} IS included in group: #{group_name}")
+          end
+        end
+        unless in_group
+          log("User #{dn} is not in group: #{group_name}")
+        end
+        return in_group
+      end
+      def has_required_attribute?
+        return true unless @check_attributes
+        admin_ldap = Connection.admin
+        user = find_ldap_user(admin_ldap)
+        @required_attributes.each do |key,val|
+          matching_attributes = user[key] & Array(val)
+          unless (matching_attributes).any?
+            log("User #{dn} did not match attribute #{key}:#{val}")
+            return false
+          end
+        end
+        return true
+      end
+      def has_required_attribute_presence?
+        return true unless @check_attributes_presence
+        user = search_for_login
+        @required_attributes_presence.each do |key,val|
+          if val && !user.attribute_names.include?(key.to_sym)
+            log("User #{dn} doesn't include attribute #{key}")
+            return false
+          elsif !val && user.attribute_names.include?(key.to_sym)
+            log("User #{dn} includes attribute #{key}")
+            return false
+          end
+        end
+        return true
+      end
+      def user_groups
+        admin_ldap = Connection.admin
+        log("Getting groups for #{dn}")
+        filter = Net::LDAP::Filter.eq(@group_membership_attribute, dn)
+        admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
+      end
+      def valid_login?
+        !search_for_login.nil?
+      end
+      # Searches the LDAP for the login
+      #
+      # @return [Object] the LDAP entry found; nil if not found
+      def search_for_login
+        @login_ldap_entry ||= begin
+          log("LDAP search for login: #{@attribute}=#{@login}")
+          log("Attribute: #{@attribute.to_s}, Login: #{@login.to_s}")
+          log("Scope is: #{@scope}")
+          filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+          ldap_entry = nil
+          match_count = 0
+          @ldap.search(:filter => filter) { |entry| ldap_entry = entry; match_count+=1}
+          op_result= @ldap.get_operation_result
+          if op_result.code!=0 then
+            log("LDAP Error #{op_result.code}: #{op_result.message}")
+          end
+          log("LDAP search yielded #{match_count} matches")
+          ldap_entry
+        end
+      end
+      private
+      def self.admin
+        ldap = Connection.new(:admin => true).ldap
+        unless ldap.bind
+          log("Cannot bind to admin LDAP user")
+          raise DeviseLdapAuthenticatable::LdapException, "Cannot connect to admin LDAP user"
+        end
+        return ldap
+      end
+      def find_ldap_user(ldap)
+        log("Finding user: #{dn}")
+        ldap.search(:base => dn, :scope => Net::LDAP::SearchScope_BaseObject).try(:first)
+      end
+      def update_ldap(ops)
+        operations = []
+        if ops.is_a? Hash
+          ops.each do |key,value|
+            operations << [:replace,key,value]
+          end
+        elsif ops.is_a? Array
+          operations = ops
+        end
+        if @use_admin_to_bind
+          privileged_ldap = Connection.admin
+        else
+          authenticate!
+          privileged_ldap = self.ldap
+        end
+        log("Modifying user #{dn}")
+        privileged_ldap.modify(:dn => dn, :operations => operations)
+      end
+    end # class Connection
+  end # module LDAP
+end # module Devise

data/lib/devise_ldap_multiple/logger.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module DeviseLdapMultiple
+  class Logger
+    def self.send(message, logger = Rails.logger)
+      logger.add 0, "  \e[36mLDAP:\e[0m #{message}"
+    end
+  end
+end

data/lib/devise_ldap_multiple/model.rb ADDED Viewed

@@ -0,0 +1,131 @@
+require 'devise_ldap_multiple/strategy'
+module Devise
+  module Models
+    # LDAP Module, responsible for validating the user credentials via LDAP.
+    #
+    # Examples:
+    #
+    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module LdapAuthenticatable
+      extend ActiveSupport::Concern
+      # Returns the current scope / mapping from devise (eg: 'admin', 'user', 'staff')
+      def current_scope
+        Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.name.downcase
+      end
+      included do
+        attr_reader :current_password, :password
+        attr_accessor :password_confirmation
+      end
+      def login_with
+        @login_with ||= Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.to.authentication_keys.first
+        self[@login_with]
+      end
+      def change_password!(current_password)
+        raise "Need to set new password first" if @password.blank?
+        Devise::LDAP::Adapter.update_own_password(login_with, @password, current_password, current_scope)
+      end
+      def reset_password!(new_password, new_password_confirmation)
+        if new_password == new_password_confirmation && Devise::LDAP::Adapter.password_updatable?(login_with, current_scope)
+          Devise::LDAP::Adapter.update_password(login_with, new_password, current_scope)
+        end
+        clear_reset_password_token if valid?
+        save
+      end
+      def password=(new_password)
+        @password = new_password
+        if defined?(password_digest) && @password.present? && respond_to?(:encrypted_password=)
+          self.encrypted_password = password_digest(@password)
+        end
+      end
+      # Checks if a resource is valid upon authentication.
+      def valid_ldap_authentication?(password)
+        Devise::LDAP::Adapter.valid_credentials?(login_with, password, current_scope)
+      end
+      def ldap_entry
+        @ldap_entry ||= Devise::LDAP::Adapter.get_ldap_entry(login_with, current_scope)
+      end
+      def ldap_groups
+        Devise::LDAP::Adapter.get_groups(current_scope, login_with)
+      end
+      def in_ldap_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        Devise::LDAP::Adapter.in_ldap_group?(login_with, group_name, group_attribute, current_scope)
+      end
+      def ldap_dn
+        ldap_entry ? ldap_entry.dn : nil
+      end
+      def ldap_get_param(param)
+        if ldap_entry && !ldap_entry[param].empty?
+          value = ldap_entry.send(param)
+        else
+          nil
+        end
+      end
+      #
+      # callbacks
+      #
+      # # Called before the ldap record is saved automatically
+      # def ldap_before_save
+      # end
+      # Called after a successful LDAP authentication
+      def after_ldap_authentication
+      end
+      module ClassMethods
+        # Find a user for ldap authentication.
+        def find_for_ldap_authentication(attributes={})
+          auth_key = self.authentication_keys.first
+          return nil unless attributes[auth_key].present?
+          auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+      	  auth_key_value = (self.strip_whitespace_keys || []).include?(auth_key) ? auth_key_value.strip : auth_key_value
+          resource = where(auth_key => auth_key_value).first
+          if resource.blank?
+            resource = new
+            resource[auth_key] = auth_key_value
+            resource.password = attributes[:password]
+          end
+          if Devise::LDAP::Adapter.user_creatable?(self.authentication_keys.first, self.name.downcase) && resource.new_record? && resource.valid_ldap_authentication?(attributes[:password])
+            resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
+            resource.save!
+          end
+          resource
+        end
+        def update_with_password(resource)
+          puts "UPDATE_WITH_PASSWORD: #{resource.inspect}"
+        end
+      end # module ClassMethods
+    end # module LdapAuthenticatable
+  end # module Models
+end # module Devise

data/lib/devise_ldap_multiple/strategy.rb ADDED Viewed

@@ -0,0 +1,48 @@
+require 'devise/strategies/authenticatable'
+module Devise
+  module Strategies
+    # Defines an authentication strategy to be used with Warden
+    # Some more information about this here: http://www.rubydoc.info/github/hassox/warden/Warden/Strategies/Base
+    class LdapAuthenticatable < Authenticatable
+      # Tests whether the returned resource exists in the database and the
+      # credentials are valid.  If the resource is in the database and the credentials
+      # are valid, the user is authenticated.  Otherwise failure messages are returned
+      # indicating whether the resource is not found in the database or the credentials
+      # are invalid.
+      def authenticate!
+        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(:password => password))
+        return fail(:invalid) unless resource
+        if resource.persisted?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            remember_me(resource)
+            resource.after_ldap_authentication
+            success!(resource)
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+        if resource.new_record?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            return fail(:not_found_in_database) # Valid credentials
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+      end # def authenticate!
+    end # LdapAuthenticatable < Authenticatable
+  end # module Strategies
+end # module Devise
+# Add the strategy to warden
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_multiple/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module DeviseLdapMultiple
+  VERSION = "0.9.0".freeze
+end

data/lib/generators/devise_ldap_multiple/devise_ldap_multiple_generator.rb ADDED Viewed

@@ -0,0 +1,17 @@
+  class DeviseLdapMultipleGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+    argument :user_model, :type => :string, :default => "user", :desc => "Model to update"
+    # ToDo: Request user input to use a scope that already exists, or make it a parameter to pass into the generator
+    def create_ldap_config
+      copy_file "default.yml", "config/ldap/#{user_model}.yml"
+    end
+    def update_user_model
+      gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
+    end
+  end

data/lib/generators/devise_ldap_multiple/install_generator.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module DeviseLdapMultiple
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+    # ToDo: Request user input to use a scope that already exists, or make it a parameter to pass into the generator
+    def create_ldap_config
+      copy_file "default.yml", "config/ldap/default.yml"
+    end
+    def create_default_devise_settings
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"
+    end
+    def update_application_controller
+      inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
+    end
+    private
+    def default_devise_settings
+      settings = <<-eof
+  # ==> Devise LDAP Multiple configuration
+  config.ldap_default_scope = 'default'
+      eof
+      settings
+    end
+    def rescue_from_exception
+      <<-eof
+  rescue_from DeviseLdapMultiple::LdapException do |exception|
+    render :text => exception, :status => 500
+  end
+      eof
+    end
+  end
+end

data/lib/generators/devise_ldap_multiple/templates/default.yml ADDED Viewed

@@ -0,0 +1,99 @@
+### Configuration options ###
+# (These used to reside in config/initializers/devise.rb)
+# If set to true, will log LDAP queries to the Rails logger
+logging: true
+# If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
+# If set to false, you will have to create the user record before they will be allowed to login.
+create_user: true
+# When doing password resets, if true will update the LDAP server. Requires admin password.
+update_passwords: true
+# When set to true, the user trying to login will be checked to make sure they are in all of groups specified
+check_group_membership: false
+# When set to true, the user trying to login will be checked to make sure their attributes match those specified
+check_attributes: false
+# When set to true, the user trying to login will be checked against all require_attribute_presence attributes
+check_attributes_presence: false
+# When set to true, the admin user will be used to bind to the LDAP server during authentication.
+use_admin_to_bind: true
+# When set to true, the group membership check is done with the user's own credentials rather than with admin credentials.
+# Since these credentials are only available to the Devise user model during the login flow, the group check function will
+# not work if a group check is performed when this option is true outside of the login flow (e.g., before particular actions).
+check_group_membership_without_admin: false
+# You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
+auth_username_builder: Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
+# Optionally you can define a proc to create custom password encrption when user reset password
+auth_password_builder: Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) }
+### Authorizations ###
+# Uncomment out the merging for each environment that you'd like to include.
+# You can also just copy and paste the tree (do not include the "authorizations") to each
+# environment if you need something different per environment.
+authorizations: &AUTHORIZATIONS
+  allow_unauthenticated_bind: false
+  group_base: ou=groups,dc=test,dc=com
+  # Requires check_group_membership to be true
+  # Can have multiple values, must match all to be authorized
+  required_groups:
+    # If only a group name is given, membership will be checked against "uniqueMember"
+    - cn=admins,ou=groups,dc=test,dc=com
+    - cn=users,ou=groups,dc=test,dc=com
+    # If an array is given, the first element will be the attribute to check against, the second the group name
+    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
+  # Requires check_attributes to be true
+  # Can have multiple attributes and values, must match all to be authorized
+  require_attribute:
+    objectClass: inetOrgPerson
+    authorizationRole: postsAdmin
+  # Requires check_attributes_presence to be true
+  # Can have multiple attributes set to true or false to check presence, all must match all to be authorized
+  require_attribute_presence:
+    mail: true
+    telephoneNumber: true
+    serviceAccount: false
+### Environment ###
+development:
+  host: localhost
+  port: 389
+  attribute: userPrincipalName
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: false
+  # <<: *AUTHORIZATIONS
+test:
+  host: localhost
+  port: 3389
+  attribute: userPrincipalName
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: simple_tls
+  # <<: *AUTHORIZATIONS
+production:
+  host: localhost
+  port: 636
+  attribute: userPrincipalName
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: start_tls
+  # <<: *AUTHORIZATIONS

metadata ADDED Viewed

@@ -0,0 +1,239 @@
+--- !ruby/object:Gem::Specification
+name: devise_ldap_multiple
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- Curtis Schiewek
+- Daniel McNevin
+- Steven Xu
+- Scott Willett
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-11-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.1
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: database_cleaner
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: launchy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Devise extension to allow authentication to multiple LDAPs. Fork of the
+  devise_ldap_authenticatable project.
+email: swillett@outlook.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- MIT-LICENSE
+- README.md
+- Rakefile
+- devise_ldap_multiple.gemspec
+- lib/devise_ldap_multiple.rb
+- lib/devise_ldap_multiple/exception.rb
+- lib/devise_ldap_multiple/ldap/adapter.rb
+- lib/devise_ldap_multiple/ldap/connection.rb
+- lib/devise_ldap_multiple/logger.rb
+- lib/devise_ldap_multiple/model.rb
+- lib/devise_ldap_multiple/strategy.rb
+- lib/devise_ldap_multiple/version.rb
+- lib/generators/devise_ldap_multiple/devise_ldap_multiple_generator.rb
+- lib/generators/devise_ldap_multiple/install_generator.rb
+- lib/generators/devise_ldap_multiple/templates/default.yml
+homepage: https://github.com/xarael/devise_ldap_multiple
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.5.1
+signing_key:
+specification_version: 4
+summary: Devise extension to allow authentication to multiple LDAPs. Fork of the devise_ldap_authenticatable
+  project.
+test_files: []