RubyGems - devise_ldap_multiple - Versions diffs - 0.9.0 - Mend

devise_ldap_multiple 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +7 -0
data/.gitignore +10 -0
data/Gemfile +8 -0
data/MIT-LICENSE +20 -0
data/README.md +60 -0
data/Rakefile +16 -0
data/devise_ldap_multiple.gemspec +35 -0
data/lib/devise_ldap_multiple.rb +25 -0
data/lib/devise_ldap_multiple/exception.rb +6 -0
data/lib/devise_ldap_multiple/ldap/adapter.rb +111 -0
data/lib/devise_ldap_multiple/ldap/connection.rb +326 -0
data/lib/devise_ldap_multiple/logger.rb +9 -0
data/lib/devise_ldap_multiple/model.rb +131 -0
data/lib/devise_ldap_multiple/strategy.rb +48 -0
data/lib/devise_ldap_multiple/version.rb +3 -0
data/lib/generators/devise_ldap_multiple/devise_ldap_multiple_generator.rb +17 -0
data/lib/generators/devise_ldap_multiple/install_generator.rb +39 -0
data/lib/generators/devise_ldap_multiple/templates/default.yml +99 -0
metadata +239 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 76c06c80d33a10a9a5d8b456c11922d628ca15bd
+  data.tar.gz: 1064d2b788a02aa146001923e9ca9476db08c818
+SHA512:
+  metadata.gz: f5041d2f9b051e019d5e4377578f79490bb4bf47211278572038b1730d8a4d18373177712d34f0095dec52b488e1c97e19e1e31d4a64d99fcc30d6fda0b0931a
+  data.tar.gz: a66484274528ae0a72dac12292dc8e87aaa3fa00864ed3b9e6159902c5351c3fae53be7d1a755c13e949bcd7cea389575668b63d7807cdd791f10e8e8643b87e

data/.gitignore ADDED Viewed

@@ -0,0 +1,10 @@
+.bundle
+Gemfile.lock
+log
+*.sqlite3
+test/ldap/openldap-data/*
+!test/ldap/openldap-data/run
+test/ldap/openldap-data/run/slapd.*
+test/rails_app/tmp
+pkg/*
+*.gem

data/Gemfile ADDED Viewed

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+gemspec
+group :development, :test do
+  gem 'debugger', platform: :ruby_19
+  gem 'byebug', platform: :ruby_20
+end

data/MIT-LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright (c) 2016 Scott Willett
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,60 @@
+Devise LDAP Multiple
+====================
+This project is a fork of the brilliant project devise_ldap_authenticatable here: (https://github.com/cschiewek/devise_ldap_authenticatable).
+The difference is that this project allows you to use multiple LDAP databases in a single app, and the code was refactored significantly while adding this feature.
+Devise LDAP Multiple is a LDAP based authentication strategy for the [Devise](http://github.com/plataformatec/devise) authentication framework.
+If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.
+Devise LDAP Multiple works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
+Prerequisites
+-------------
+ * devise ~> 3.0.0 (which requires rails ~> 4.0)
+ * net-ldap ~> 0.6.0
+If you are transitioning from having Devise manage your users' passwords in the database to using LDAP auth, you may have to update your `users` table to make `encrypted_password` nullable, or else the LDAP user insert will fail.
+Usage
+-----
+In the Gemfile for your application:
+    gem "devise_ldap_multiple"
+To get the latest version, pull directly from github instead of the gem:
+    gem "devise_ldap_multiple", :git => "https://github.com/xarael/devise_ldap_multiple"
+Setup
+-----
+Run the rails generators for devise (please check the [devise](http://github.com/plataformatec/devise) documents for further instructions)
+    rails generate devise:install
+    rails generate devise MODEL_NAME
+Run the rails generator for `devise_ldap_multiple`
+    rails generate devise_ldap_multiple:install
+    rails generate devise_ldap_multiple [MODEL_NAME]
+MODEL_NAME defaults to: user
+This will install [MODEL_NAME].yml file to the config/ldap/ directory, update the devise.rb initializer with a default scope (default), and update your model.
+All configuration is set within these .yml files for each model. There's comments in the files to describe the various settings.
+References
+----------
+* [Devise LDAP Authenticatable](https://github.com/cschiewek/devise_ldap_authenticatable)
+* [OpenLDAP](http://www.openldap.org/)
+* [Devise](http://github.com/plataformatec/devise)
+* [Warden](http://github.com/hassox/warden)
+Released under the MIT license
+Copyright (c) 2016 [Scott Willett](https://github.com/xarael)

data/Rakefile ADDED Viewed

@@ -0,0 +1,16 @@
+require File.expand_path('spec/rails_app/config/environment', File.dirname(__FILE__))
+require 'rdoc/task'
+desc 'Default: run test suite.'
+task :default => :spec
+desc 'Generate documentation for the devise_ldap_multiple plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseLDAPMultiple'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+RailsApp::Application.load_tasks

data/devise_ldap_multiple.gemspec ADDED Viewed

@@ -0,0 +1,35 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise_ldap_multiple/version"
+Gem::Specification.new do |s|
+  s.name     = 'devise_ldap_multiple'
+  s.version  = DeviseLdapMultiple::VERSION.dup
+  s.platform = Gem::Platform::RUBY
+  s.summary  = 'Devise extension to allow authentication to multiple LDAPs. Fork of the devise_ldap_authenticatable project.'
+  s.email = 'swillett@outlook.com'
+  s.homepage = 'https://github.com/xarael/devise_ldap_multiple'
+  s.description = s.summary
+  s.authors = ['Curtis Schiewek', 'Daniel McNevin', 'Steven Xu', 'Scott Willett']
+  s.license = 'MIT'
+  s.files         = `git ls-files`.split("\n")
+  # s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  s.add_dependency 'devise', '>= 3.4.1'
+  s.add_dependency 'net-ldap', '>= 0.6', '!= 0.12'
+  s.add_development_dependency 'rake', '>= 0.9'
+  s.add_development_dependency 'rdoc', '>= 3'
+  s.add_development_dependency 'rails', '>= 4.0'
+  s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'factory_girl_rails', '~> 1.0'
+  s.add_development_dependency 'factory_girl', '~> 2.0'
+  s.add_development_dependency 'rspec-rails'
+  %w{database_cleaner capybara launchy}.each do |dep|
+    s.add_development_dependency(dep)
+  end
+end

data/lib/devise_ldap_multiple.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# encoding: utf-8
+require 'devise'
+require 'net/ldap'
+require 'devise_ldap_multiple/exception'
+require 'devise_ldap_multiple/logger'
+require 'devise_ldap_multiple/ldap/adapter'
+require 'devise_ldap_multiple/ldap/connection'
+# Nearly all configuration is in each scope.yml file under config/ldap/ for each scope.
+module Devise
+  # The default scope to use if devise doesn't map to a scope and a scope isn't manually specified
+  # Can be overwritten by setting in file config/initializers/devise.rb
+  mattr_accessor :ldap_default_scope
+  @@ldap_default_scope = 'default'
+end
+# Add ldap_authenticatable strategy to defaults.
+Devise.add_module(:ldap_authenticatable,
+                  :route => :session, ## This will add the routes, rather than in the routes.rb
+                  :strategy   => true,
+                  :controller => :sessions,
+                  :model  => 'devise_ldap_multiple/model')

data/lib/devise_ldap_multiple/exception.rb ADDED Viewed

@@ -0,0 +1,6 @@
+module DeviseLdapMultiple
+  class LdapException < Exception
+  end
+end

data/lib/devise_ldap_multiple/ldap/adapter.rb ADDED Viewed

@@ -0,0 +1,111 @@
+require "net/ldap"
+module Devise
+  module LDAP
+    DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY = 'uniqueMember'
+    # Establishes connections and interacts with LDAP. Uses Connection objects to do this.
+    # Can interact with these methods in rails
+    module Adapter
+      # Returns all attributes for an account from LDAP
+      def self.get_ldap_entry(login, scope = default_scope)
+        self.ldap_connect(login, scope).search_for_login
+      end
+      # Get the value of an attribute for an account from LDAP
+      def self.get_ldap_param(login, param, scope = default_scope)
+        resource = self.ldap_connect(login, scope)
+        resource.ldap_param_value(param)
+      end
+      # Returns the DistinguishedName of an account (regardless of if it exists or not)
+      def self.get_dn(login, scope = default_scope)
+        self.ldap_connect(login, scope).dn
+      end
+      def self.password_updatable? (login, scope = default_scope)
+        options = { login: login, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.password_updatable?
+      end
+      def self.user_creatable? (login, scope = default_scope)
+        options = { login: login, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.user_creatable?
+      end
+      # Boolean returned for if an account in the LDAP exists (doesn't check authentication / authorization): false if a valid match can't be obtained from ldap.
+      def self.valid_login?(login, scope = default_scope)
+        self.ldap_connect(login, scope).valid_login?
+      end
+      # Tries to authenticate credentails to LDAP. Returns true or false appropriately.
+      def self.valid_credentials?(login, password_plaintext, scope = default_scope)
+        options = { login: login, password: password_plaintext, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.authorized?
+      end
+      # Returns true or false depending on if the users credentials have expired or not
+      def self.expired_valid_credentials?(login, password_plaintext, scope = default_scope)
+        options = { login: login, password: password_plaintext, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.expired_valid_credentials?
+      end
+      # Updates a users password in LDAP
+      def self.update_password(login, new_password, scope = default_scope)
+        options = { login: login, new_password: new_password, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.change_password! if new_password.present?
+      end
+      # Also updates the password. Unsure what differentiates this from update_password currently.
+      def self.update_own_password(login, new_password, current_password)
+        set_ldap_param(login, :userPassword, new_password, current_password, true)
+      end
+      # Returns a list of group memberships for a user
+      def self.get_groups(login, scope = default_scope)
+        self.ldap_connect(login, scope).user_groups
+      end
+      # Checks if a user is a member of a specific group
+      def self.in_ldap_group?(login, group_name, group_attribute = nil, scope = default_scope)
+        self.ldap_connect(login, scope).in_group?(group_name, group_attribute)
+      end
+      # Sets an LDAP attribute for an account to a new value
+      def self.set_ldap_param(login, param, new_value, password = nil, scope = default_scope)
+        options = { login: login, password: password, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.set_param(param, new_value)
+      end
+      # Deletes the LDAP attribute for an account
+      def self.delete_ldap_param(login, param, password = nil, scope = default_scope)
+        options = { login: login, password: password, scope: scope }
+        resource = Devise::LDAP::Connection.new(options)
+        resource.delete_param(param)
+      end
+      # Creates a new connection to an LDAP database and returns the connection object to run methods against
+      def self.ldap_connect(login, scope = default_scope)
+        options = { login: login, scope: scope }
+        Devise::LDAP::Connection.new(options)
+      end
+      # The default scope to use if none is specified
+      def self.default_scope
+        ::Devise.ldap_default_scope
+      end
+    end # module Adapter
+  end # module LDAP
+end # module Devise

data/lib/devise_ldap_multiple/ldap/connection.rb ADDED Viewed

@@ -0,0 +1,326 @@
+module Devise
+  module LDAP
+    class Connection
+      attr_reader :ldap, :login
+      def initialize(params = {})
+        # Option scope determines the mapping_file to use
+        @scope = params[:scope]
+        config_file_path = "#{Rails.root}/config/ldap/#{@scope}.yml"
+        # Read the config file depending on the scope
+        ldap_config = YAML.load(ERB.new(File.read(config_file_path)).result)
+        # Alter the ssl option in the configuration
+        ldap_config[Rails.env]["ssl"] = :simple_tls if ldap_config[Rails.env]["ssl"] === true
+        # Determines if logging happens
+        @logging_enabled = ldap_config['logging_enabled']
+        # Evaluated into Proc objects
+        @auth_username_builder  = eval ldap_config['auth_username_builder']
+        @auth_password_builder  = eval ldap_config['auth_password_builder']
+        # Attributes and groups required for authorisation of an account
+        @group_base = ldap_config["group_base"]
+        @required_groups = ldap_config["required_groups"]
+        @group_membership_attribute = ldap_config.has_key?("group_membership_attribute") ? ldap_config["group_membership_attribute"] : "uniqueMember"
+        @required_attributes = ldap_config["require_attribute"]
+        @required_attributes_presence = ldap_config["require_attribute_presence"]
+        # Various Flags
+        @allow_unauthenticated_bind = ["allow_unauthenticated_bind"]
+        @check_attributes = ldap_config['check_attributes']
+        @check_attributes_presence = ldap_config['check_attributes_presence']
+        @use_admin_to_bind = ldap_config['use_admin_to_bind']
+        @check_group_membership = ldap_config["check_group_membership"]
+        @check_group_membership_without_admin = ldap_config["check_group_membership_without_admin"]
+        @update_passwords = ldap_config['update_passwords']
+        @create_user = ldap_config['create_user']
+        # Other params referencing credentails not part of the config file
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+        # Build up the options used to establish an LDAP connection
+        ldap_options = {}
+        ldap_options[:login] = params[:login] if params[:login]
+        ldap_options[:password] =  params[:password] if params[:password]
+        ldap_options[:new_password] =  params[:new_password] if params[:new_password]
+        ldap_options[:ldap_auth_username_builder] = @auth_username_builder
+        ldap_options[:admin] = @use_admin_to_bind
+        ldap_options[:encryption] = ldap_config[Rails.env]["ssl"].to_sym if ldap_config[Rails.env]["ssl"]
+        # LDAP server to connect to depending on the current Rails environment in use
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config[Rails.env]["host"]
+        @ldap.port = ldap_config[Rails.env]["port"]
+        @ldap.base = ldap_config[Rails.env]["base"]
+        @attribute = ldap_config[Rails.env]["attribute"]
+        # Admin credentials to use if an admin is set to bind to LDAP (Rails environment dependent)
+        @ldap.auth ldap_config[Rails.env]["admin_user"], ldap_config[Rails.env]["admin_password"] if @use_admin_to_bind
+      end
+      # Logs a message to the console and the environment log file
+      def log (message)
+        DeviseLdapMultiple::Logger.send(message) if @logging_enabled
+      end
+      def password_updatable?
+        @update_passwords
+      end
+      def user_creatable?
+        @create_user
+      end
+      # Deletes a parameter from LDAP for an account
+      def delete_param(param)
+        update_ldap [[:delete, param.to_sym, nil]]
+      end
+      def set_param(param, new_value, is_password = false)
+        new_value = @auth_password_builder .call(new_value) if is_password
+        update_ldap( { param.to_sym => new_value } )
+      end
+      # Returns the DistinguishedName for an account, regardless of if it exists or not (calls a proc to determine the dn if it doesn't exists - proc defined in the config file)
+      def dn
+        @dn ||= begin
+          log("LDAP dn lookup: #{@attribute}=#{@login}")
+          log("LDAP dn lookup asdf: #{@attribute}=#{@login}")
+          ldap_entry = search_for_login
+          if ldap_entry.nil?
+            @auth_username_builder .call(@attribute,@login,@ldap)
+          else
+            ldap_entry.dn
+          end
+        end
+      end
+      def ldap_param_value(param)
+        ldap_entry = search_for_login
+        if ldap_entry
+          unless ldap_entry[param].empty?
+            value = ldap_entry.send(param)
+            log("Requested param #{param} has value #{value}")
+            value
+          else
+            log("Requested param #{param} does not exist")
+            value = nil
+          end
+        else
+          log("Requested ldap entry does not exist")
+          value = nil
+        end
+      end
+      def authenticate!
+        return false unless (@password.present? || @allow_unauthenticated_bind)
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+      def authenticated?
+        authenticate!
+      end
+      def last_message_bad_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 52e'
+      end
+      def last_message_expired_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 773'
+      end
+      def authorized?
+        log("Authorizing user #{dn}")
+        if !authenticated?
+          if last_message_bad_credentials?
+            log("Not authorized because of invalid credentials.")
+          elsif last_message_expired_credentials?
+            log("Not authorized because of expired credentials.")
+          else
+            log("Not authorized because not authenticated.")
+          end
+          return false
+        elsif !in_required_groups?
+          log("Not authorized because not in required groups.")
+          return false
+        elsif !has_required_attribute?
+          log("Not authorized because does not have required attribute.")
+          return false
+        elsif !has_required_attribute_presence?
+          log("Not authorized because does not have required attribute present.")
+          return false
+        else
+          return true
+        end
+      end
+      def expired_valid_credentials?
+        log("Authorizing user #{dn}")
+        !authenticated? && last_message_expired_credentials?
+      end
+      def change_password!
+        update_ldap(:userPassword => @auth_password_builder .call(@new_password))
+      end
+      def in_required_groups?
+        return true unless @check_group_membership || @check_group_membership_without_admin
+        ## FIXME set errors here, the ldap.yml isn't set properly.
+        return false if @required_groups.nil?
+        for group in @required_groups
+          if group.is_a?(Array)
+            return false unless in_group?(group[1], group[0])
+          else
+            return false unless in_group?(group)
+          end
+        end
+        return true
+      end
+      def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        in_group = false
+        if @check_group_membership_without_admin
+          group_checking_ldap = @ldap
+        else
+          group_checking_ldap = Connection.admin
+        end
+        unless @ldap_check_group_membership
+          group_checking_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            if entry[group_attribute].include? dn
+              in_group = true
+              log("User #{dn} IS included in group: #{group_name}")
+            end
+          end
+        else
+          # AD optimization - extension will recursively check sub-groups with one query
+          # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
+          search_result = group_checking_ldap.search(:base => dn,
+                            :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
+                            :scope => Net::LDAP::SearchScope_BaseObject)
+          # Will return  the user entry if belongs to group otherwise nothing
+          if search_result.length == 1 && search_result[0].dn.eql?(dn)
+            in_group = true
+            log("User #{dn} IS included in group: #{group_name}")
+          end
+        end
+        unless in_group
+          log("User #{dn} is not in group: #{group_name}")
+        end
+        return in_group
+      end
+      def has_required_attribute?
+        return true unless @check_attributes
+        admin_ldap = Connection.admin
+        user = find_ldap_user(admin_ldap)
+        @required_attributes.each do |key,val|
+          matching_attributes = user[key] & Array(val)
+          unless (matching_attributes).any?
+            log("User #{dn} did not match attribute #{key}:#{val}")
+            return false
+          end
+        end
+        return true
+      end
+      def has_required_attribute_presence?
+        return true unless @check_attributes_presence
+        user = search_for_login
+        @required_attributes_presence.each do |key,val|
+          if val && !user.attribute_names.include?(key.to_sym)
+            log("User #{dn} doesn't include attribute #{key}")
+            return false
+          elsif !val && user.attribute_names.include?(key.to_sym)
+            log("User #{dn} includes attribute #{key}")
+            return false
+          end
+        end
+        return true
+      end
+      def user_groups
+        admin_ldap = Connection.admin
+        log("Getting groups for #{dn}")
+        filter = Net::LDAP::Filter.eq(@group_membership_attribute, dn)
+        admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
+      end
+      def valid_login?
+        !search_for_login.nil?
+      end
+      # Searches the LDAP for the login
+      #
+      # @return [Object] the LDAP entry found; nil if not found
+      def search_for_login
+        @login_ldap_entry ||= begin
+          log("LDAP search for login: #{@attribute}=#{@login}")
+          log("Attribute: #{@attribute.to_s}, Login: #{@login.to_s}")
+          log("Scope is: #{@scope}")
+          filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+          ldap_entry = nil
+          match_count = 0
+          @ldap.search(:filter => filter) { |entry| ldap_entry = entry; match_count+=1}
+          op_result= @ldap.get_operation_result
+          if op_result.code!=0 then
+            log("LDAP Error #{op_result.code}: #{op_result.message}")
+          end
+          log("LDAP search yielded #{match_count} matches")
+          ldap_entry
+        end
+      end
+      private
+      def self.admin
+        ldap = Connection.new(:admin => true).ldap
+        unless ldap.bind
+          log("Cannot bind to admin LDAP user")
+          raise DeviseLdapAuthenticatable::LdapException, "Cannot connect to admin LDAP user"
+        end
+        return ldap
+      end
+      def find_ldap_user(ldap)
+        log("Finding user: #{dn}")
+        ldap.search(:base => dn, :scope => Net::LDAP::SearchScope_BaseObject).try(:first)
+      end
+      def update_ldap(ops)
+        operations = []
+        if ops.is_a? Hash
+          ops.each do |key,value|
+            operations << [:replace,key,value]
+          end
+        elsif ops.is_a? Array
+          operations = ops
+        end
+        if @use_admin_to_bind
+          privileged_ldap = Connection.admin
+        else
+          authenticate!
+          privileged_ldap = self.ldap
+        end
+        log("Modifying user #{dn}")
+        privileged_ldap.modify(:dn => dn, :operations => operations)
+      end
+    end # class Connection
+  end # module LDAP
+end # module Devise

data/lib/devise_ldap_multiple/logger.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module DeviseLdapMultiple
+  class Logger
+    def self.send(message, logger = Rails.logger)
+      logger.add 0, "  \e[36mLDAP:\e[0m #{message}"
+    end
+  end
+end

data/lib/devise_ldap_multiple/model.rb ADDED Viewed

@@ -0,0 +1,131 @@
+require 'devise_ldap_multiple/strategy'
+module Devise
+  module Models
+    # LDAP Module, responsible for validating the user credentials via LDAP.
+    #
+    # Examples:
+    #
+    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module LdapAuthenticatable
+      extend ActiveSupport::Concern
+      # Returns the current scope / mapping from devise (eg: 'admin', 'user', 'staff')
+      def current_scope
+        Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.name.downcase
+      end
+      included do
+        attr_reader :current_password, :password
+        attr_accessor :password_confirmation
+      end
+      def login_with
+        @login_with ||= Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.to.authentication_keys.first
+        self[@login_with]
+      end
+      def change_password!(current_password)
+        raise "Need to set new password first" if @password.blank?
+        Devise::LDAP::Adapter.update_own_password(login_with, @password, current_password, current_scope)
+      end
+      def reset_password!(new_password, new_password_confirmation)
+        if new_password == new_password_confirmation && Devise::LDAP::Adapter.password_updatable?(login_with, current_scope)
+          Devise::LDAP::Adapter.update_password(login_with, new_password, current_scope)
+        end
+        clear_reset_password_token if valid?
+        save
+      end
+      def password=(new_password)
+        @password = new_password
+        if defined?(password_digest) && @password.present? && respond_to?(:encrypted_password=)
+          self.encrypted_password = password_digest(@password)
+        end
+      end
+      # Checks if a resource is valid upon authentication.
+      def valid_ldap_authentication?(password)
+        Devise::LDAP::Adapter.valid_credentials?(login_with, password, current_scope)
+      end
+      def ldap_entry
+        @ldap_entry ||= Devise::LDAP::Adapter.get_ldap_entry(login_with, current_scope)
+      end
+      def ldap_groups
+        Devise::LDAP::Adapter.get_groups(current_scope, login_with)
+      end
+      def in_ldap_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        Devise::LDAP::Adapter.in_ldap_group?(login_with, group_name, group_attribute, current_scope)
+      end
+      def ldap_dn
+        ldap_entry ? ldap_entry.dn : nil
+      end
+      def ldap_get_param(param)
+        if ldap_entry && !ldap_entry[param].empty?
+          value = ldap_entry.send(param)
+        else
+          nil
+        end
+      end
+      #
+      # callbacks
+      #
+      # # Called before the ldap record is saved automatically
+      # def ldap_before_save
+      # end
+      # Called after a successful LDAP authentication
+      def after_ldap_authentication
+      end
+      module ClassMethods
+        # Find a user for ldap authentication.
+        def find_for_ldap_authentication(attributes={})
+          auth_key = self.authentication_keys.first
+          return nil unless attributes[auth_key].present?
+          auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+      	  auth_key_value = (self.strip_whitespace_keys || []).include?(auth_key) ? auth_key_value.strip : auth_key_value
+          resource = where(auth_key => auth_key_value).first
+          if resource.blank?
+            resource = new
+            resource[auth_key] = auth_key_value
+            resource.password = attributes[:password]
+          end
+          if Devise::LDAP::Adapter.user_creatable?(self.authentication_keys.first, self.name.downcase) && resource.new_record? && resource.valid_ldap_authentication?(attributes[:password])
+            resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
+            resource.save!
+          end
+          resource
+        end
+        def update_with_password(resource)
+          puts "UPDATE_WITH_PASSWORD: #{resource.inspect}"
+        end
+      end # module ClassMethods
+    end # module LdapAuthenticatable
+  end # module Models
+end # module Devise

data/lib/devise_ldap_multiple/strategy.rb ADDED Viewed

@@ -0,0 +1,48 @@
+require 'devise/strategies/authenticatable'
+module Devise
+  module Strategies
+    # Defines an authentication strategy to be used with Warden
+    # Some more information about this here: http://www.rubydoc.info/github/hassox/warden/Warden/Strategies/Base
+    class LdapAuthenticatable < Authenticatable
+      # Tests whether the returned resource exists in the database and the
+      # credentials are valid.  If the resource is in the database and the credentials
+      # are valid, the user is authenticated.  Otherwise failure messages are returned
+      # indicating whether the resource is not found in the database or the credentials
+      # are invalid.
+      def authenticate!
+        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(:password => password))
+        return fail(:invalid) unless resource
+        if resource.persisted?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            remember_me(resource)
+            resource.after_ldap_authentication
+            success!(resource)
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+        if resource.new_record?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            return fail(:not_found_in_database) # Valid credentials
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+      end # def authenticate!
+    end # LdapAuthenticatable < Authenticatable
+  end # module Strategies
+end # module Devise
+# Add the strategy to warden
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_multiple/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module DeviseLdapMultiple
+  VERSION = "0.9.0".freeze
+end

data/lib/generators/devise_ldap_multiple/devise_ldap_multiple_generator.rb ADDED Viewed

@@ -0,0 +1,17 @@
+  class DeviseLdapMultipleGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+    argument :user_model, :type => :string, :default => "user", :desc => "Model to update"
+    # ToDo: Request user input to use a scope that already exists, or make it a parameter to pass into the generator
+    def create_ldap_config
+      copy_file "default.yml", "config/ldap/#{user_model}.yml"
+    end
+    def update_user_model
+      gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
+    end
+  end

data/lib/generators/devise_ldap_multiple/install_generator.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module DeviseLdapMultiple
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+    # ToDo: Request user input to use a scope that already exists, or make it a parameter to pass into the generator
+    def create_ldap_config
+      copy_file "default.yml", "config/ldap/default.yml"
+    end
+    def create_default_devise_settings
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"
+    end
+    def update_application_controller
+      inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
+    end
+    private
+    def default_devise_settings
+      settings = <<-eof
+  # ==> Devise LDAP Multiple configuration
+  config.ldap_default_scope = 'default'
+      eof
+      settings
+    end
+    def rescue_from_exception
+      <<-eof
+  rescue_from DeviseLdapMultiple::LdapException do |exception|
+    render :text => exception, :status => 500
+  end
+      eof
+    end
+  end
+end

data/lib/generators/devise_ldap_multiple/templates/default.yml ADDED Viewed

@@ -0,0 +1,99 @@
+### Configuration options ###
+# (These used to reside in config/initializers/devise.rb)
+# If set to true, will log LDAP queries to the Rails logger
+logging: true
+# If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
+# If set to false, you will have to create the user record before they will be allowed to login.
+create_user: true
+# When doing password resets, if true will update the LDAP server. Requires admin password.
+update_passwords: true
+# When set to true, the user trying to login will be checked to make sure they are in all of groups specified
+check_group_membership: false
+# When set to true, the user trying to login will be checked to make sure their attributes match those specified
+check_attributes: false
+# When set to true, the user trying to login will be checked against all require_attribute_presence attributes
+check_attributes_presence: false
+# When set to true, the admin user will be used to bind to the LDAP server during authentication.
+use_admin_to_bind: true
+# When set to true, the group membership check is done with the user's own credentials rather than with admin credentials.
+# Since these credentials are only available to the Devise user model during the login flow, the group check function will
+# not work if a group check is performed when this option is true outside of the login flow (e.g., before particular actions).
+check_group_membership_without_admin: false
+# You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
+auth_username_builder: Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
+# Optionally you can define a proc to create custom password encrption when user reset password
+auth_password_builder: Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) }
+### Authorizations ###
+# Uncomment out the merging for each environment that you'd like to include.
+# You can also just copy and paste the tree (do not include the "authorizations") to each
+# environment if you need something different per environment.
+authorizations: &AUTHORIZATIONS
+  allow_unauthenticated_bind: false
+  group_base: ou=groups,dc=test,dc=com
+  # Requires check_group_membership to be true
+  # Can have multiple values, must match all to be authorized
+  required_groups:
+    # If only a group name is given, membership will be checked against "uniqueMember"
+    - cn=admins,ou=groups,dc=test,dc=com
+    - cn=users,ou=groups,dc=test,dc=com
+    # If an array is given, the first element will be the attribute to check against, the second the group name
+    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
+  # Requires check_attributes to be true
+  # Can have multiple attributes and values, must match all to be authorized
+  require_attribute:
+    objectClass: inetOrgPerson
+    authorizationRole: postsAdmin
+  # Requires check_attributes_presence to be true
+  # Can have multiple attributes set to true or false to check presence, all must match all to be authorized
+  require_attribute_presence:
+    mail: true
+    telephoneNumber: true
+    serviceAccount: false
+### Environment ###
+development:
+  host: localhost
+  port: 389
+  attribute: userPrincipalName
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: false
+  # <<: *AUTHORIZATIONS
+test:
+  host: localhost
+  port: 3389
+  attribute: userPrincipalName
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: simple_tls
+  # <<: *AUTHORIZATIONS
+production:
+  host: localhost
+  port: 636
+  attribute: userPrincipalName
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: start_tls
+  # <<: *AUTHORIZATIONS

metadata ADDED Viewed

@@ -0,0 +1,239 @@
+--- !ruby/object:Gem::Specification
+name: devise_ldap_multiple
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- Curtis Schiewek
+- Daniel McNevin
+- Steven Xu
+- Scott Willett
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-11-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.1
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - "!="
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: database_cleaner
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: launchy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Devise extension to allow authentication to multiple LDAPs. Fork of the
+  devise_ldap_authenticatable project.
+email: swillett@outlook.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- MIT-LICENSE
+- README.md
+- Rakefile
+- devise_ldap_multiple.gemspec
+- lib/devise_ldap_multiple.rb
+- lib/devise_ldap_multiple/exception.rb
+- lib/devise_ldap_multiple/ldap/adapter.rb
+- lib/devise_ldap_multiple/ldap/connection.rb
+- lib/devise_ldap_multiple/logger.rb
+- lib/devise_ldap_multiple/model.rb
+- lib/devise_ldap_multiple/strategy.rb
+- lib/devise_ldap_multiple/version.rb
+- lib/generators/devise_ldap_multiple/devise_ldap_multiple_generator.rb
+- lib/generators/devise_ldap_multiple/install_generator.rb
+- lib/generators/devise_ldap_multiple/templates/default.yml
+homepage: https://github.com/xarael/devise_ldap_multiple
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.5.1
+signing_key:
+specification_version: 4
+summary: Devise extension to allow authentication to multiple LDAPs. Fork of the devise_ldap_authenticatable
+  project.
+test_files: []