egov_utils 0.1.0

data/lib/egov_utils/auth_source.rb

@@ -0,0 +1,326 @@
+require 'net-ldap'
+
+module EgovUtils
+
+  class AuthSourceException < Exception; end
+  class AuthSourceTimeoutException < AuthSourceException; end
+
+  class AuthSource
+
+    NETWORK_EXCEPTIONS = [
+      Net::LDAP::LdapError,
+      Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::ECONNRESET,
+      Errno::EHOSTDOWN, Errno::EHOSTUNREACH,
+      SocketError
+    ]
+
+    def self.config
+      YAML.load_file(Rails.root.join('config', 'config.yml'))['ldap']
+    end
+
+    def self.providers
+      config.keys
+    end
+
+    def self.authenticate(login, password)
+      providers.collect{|p| AuthSource.new(p).authenticate(login, password) }.compact.first
+    end
+
+    def self.kerberos_providers
+      config.select{|provider, config| config['kerberos']}.keys
+    end
+
+    def self.find_kerberos_user(login)
+      kerberos_providers.collect{|p| AuthSource.new(p).get_kerberos_user_dn(login) }.compact.first
+    end
+
+    attr_accessor :provider
+
+    def initialize(provider)
+      require 'net-ldap'
+      @provider = provider
+      raise "EgovUtils::AuthSource#initialize - Non existing provider (#{provider.to_s})"  unless self.class.providers.include?(provider)
+    end
+
+    def options
+      @options ||= self.class.config[provider].dup
+    end
+
+    def host
+      options['host']
+    end
+
+    def port
+      options['port']
+    end
+
+    def encryption
+      case options['method'].to_s
+      when 'ssl'
+        :simple_tls
+      when 'tls'
+        :start_tls
+      else
+        nil
+      end
+    end
+
+    def authenticate(login, password)
+      return nil if login.blank? || password.blank?
+
+      with_timeout do
+        attrs = get_user_dn(login, password)
+        if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
+          Rails.logger.debug "Authentication successful for '#{login}'" if Rails.logger && Rails.logger.debug?
+          return attrs.except(:dn)
+        end
+      end
+    rescue *NETWORK_EXCEPTIONS => e
+      raise AuthSourceException.new(e.message)
+    end
+
+    def get_kerberos_user_dn(login)
+      return nil if login.blank?
+
+      with_timeout do
+        search_user_dn(login)
+      end
+    rescue *NETWORK_EXCEPTIONS => e
+      raise AuthSourceException.new(e.message)
+    end
+
+    def base_user_filter
+      Net::LDAP::Filter.eq("objectClass", "user") & Net::LDAP::Filter.eq("objectCategory", "person")
+    end
+
+    def base_group_filter
+      options['active_directory'] ? Net::LDAP::Filter.eq("objectClass", "group") : Net::LDAP::Filter.eq('objectClass', 'groupOfNames')
+    end
+
+    # Check if a DN (user record) authenticates with the password
+    def authenticate_dn(dn, password)
+      if dn.present? && password.present?
+        initialize_ldap_con(dn, password).bind
+      end
+    end
+
+    # Searches the source for users and returns an array of results
+    def search_user(q, by_login=false)
+      q = q.to_s.strip
+      return [] unless q.present?
+
+      results = []
+      search_filter = base_user_filter & user_search_filters(q)
+      ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
+      ldap_con.search(:base => options['base'],
+                      :filter => search_filter,
+                      :attributes => user_search_attributes,
+                      :size => 10) do |entry|
+        attrs = get_user_attributes_from_ldap_entry(entry)
+        if attrs
+          attrs[:login] = get_attr(entry, options['attributes']['username'])
+          results << attrs
+        end
+      end
+      results
+    rescue *NETWORK_EXCEPTIONS => e
+      raise AuthSourceException.new(e.message)
+    end
+
+    def search_group(q, by_login=false)
+      q = q.to_s.strip
+      return [] unless q.present?
+
+      results = []
+      search_filter = base_group_filter & group_search_filters(q)
+      ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
+      ldap_con.search(:base => options['base'],
+                      :filter => search_filter,
+                      :attributes => group_search_attributes,
+                      :size => 10) do |entry|
+        attrs = get_group_attributes_from_ldap_entry(entry)
+        results << attrs if attrs
+      end
+      results
+    rescue *NETWORK_EXCEPTIONS => e
+      raise AuthSourceException.new(e.message)
+    end
+
+    def group_members(group_sid)
+      ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
+      group_dn = nil
+      ldap_con.search(base: options['base'],
+                      filter: base_group_filter & Net::LDAP::Filter.eq('objectSID', group_sid),
+                      attributes: ['dn']) do |entry|
+        group_dn = get_attr(entry, 'dn')
+      end
+      results = []
+      if group_dn
+        ldap_con.search(base: options['base'],
+                          filter: base_user_filter & Net::LDAP::Filter.ex('memberOf:1.2.840.113556.1.4.1941', group_dn),
+                          attributes: user_search_attributes) do |entry|
+          attrs = get_user_attributes_from_ldap_entry(entry)
+          if attrs
+            attrs[:login] = get_attr(entry, options['attributes']['username'])
+            results << attrs
+          end
+        end
+      end
+      results
+    end
+
+    private
+      def with_timeout(&block)
+        timeout = 20
+        Timeout.timeout(timeout) do
+          return yield
+        end
+      rescue Timeout::Error => e
+        raise AuthSourceTimeoutException.new(e.message)
+      end
+
+      def initialize_ldap_con(ldap_user, ldap_password)
+        options = { :host => self.host,
+                    :port => self.port,
+                    :encryption => encryption
+                  }
+        unless ldap_user.blank? && ldap_password.blank?
+          options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password })
+        else
+          options.merge!(:auth => { :method => :anonymous })
+        end
+        Net::LDAP.new options
+      end
+
+      def onthefly_register?
+        !!options['onthefly_register']
+      end
+
+      def register_members_only?
+        options['onthefly_register'] == 'members'
+      end
+
+      def get_user_attributes_from_ldap_entry(entry)
+        {
+         :dn => entry.dn,
+         :login => get_attr(entry, options['attributes']['username']),
+         :firstname => get_attr(entry, options['attributes']['first_name']),
+         :lastname => get_attr(entry, options['attributes']['last_name']),
+         :mail => get_attr(entry, options['attributes']['email']),
+         :provider => provider
+        }
+      end
+
+      def get_group_attributes_from_ldap_entry(entry)
+        {
+         :dn => entry.dn,
+         :name => get_attr(entry, 'cn'),
+         :provider => provider,
+         :ldap_uid => get_sid_string( get_attr(entry, 'objectSID') )
+        }
+      end
+
+      # Return the attributes needed for the LDAP search.  It will only
+      # include the user attributes if on-the-fly registration is enabled
+      def user_search_attributes
+        ['dn'] + options['attributes']['username'] + options['attributes']['email'] + [options['attributes']['name'], options['attributes']['first_name'], options['attributes']['last_name']]
+      end
+      def login_attributes
+        if onthefly_register?
+          user_search_attributes
+        else
+          ['dn']
+        end
+      end
+
+      def group_search_attributes
+        ['dn', 'cn', 'objectSID']
+      end
+
+      def get_user_dn(login, password=nil)
+        ldap_con = nil
+        if options['bind_dn'].include?("$login")
+          ldap_con = initialize_ldap_con(options['bind_dn'].sub("$login", Net::LDAP::DN.escape(login)), password)
+        else
+          ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
+        end
+        attrs = nil
+        search_filter = base_user_filter & login_filters(login)
+        ldap_con.search( :base => options['base'],
+                         :filter => search_filter,
+                         :attributes=> user_search_attributes) do |entry|
+          if onthefly_register?
+            attrs = get_user_attributes_from_ldap_entry(entry)
+          else
+            attrs = {:dn => entry.dn}
+          end
+          Rails.logger.debug "DN found for #{login}: #{attrs[:dn]}" if Rails.logger && Rails.logger.debug?
+        end
+        attrs
+      end
+
+      def search_user_dn(login, password=nil)
+        ldap_con = nil
+        if options['bind_dn'].include?("$login")
+          ldap_con = initialize_ldap_con(options['bind_dn'].sub("$login", Net::LDAP::DN.escape(login)), password)
+        else
+          ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
+        end
+        attrs = nil
+        search_filter = login_search_filters(login) #base_filter & Net::LDAP::Filter.eq(self.attr_login, login)
+        ldap_con.search( :base => options['base'],
+                         :filter => search_filter,
+                         :attributes=> user_search_attributes) do |entry|
+          attrs ||= get_user_attributes_from_ldap_entry(entry)
+          Rails.logger.debug "DN found for #{login}: #{attrs[:dn]}" if Rails.logger && Rails.logger.debug?
+        end
+        attrs
+      end
+
+      def login_filters(login)
+        filters = options['attributes']['username'].collect{|un| Net::LDAP::Filter.eq(un, login)}
+        filters[1..-1].inject(filters.first){|filter, lf| filter | lf }
+      end
+
+      def login_search_filters(q)
+        filters = options['attributes']['username'].collect{|un| Net::LDAP::Filter.begins(un, q)}
+        filters[1..-1].inject(filters.first){|filter, lf| filter | lf }
+      end
+
+      def user_search_filters(q)
+        Net::LDAP::Filter.begins(options['attributes']['name'], q) |
+          Net::LDAP::Filter.begins(options['attributes']['first_name'], q) |
+          Net::LDAP::Filter.begins(options['attributes']['last_name'], q) |
+          Net::LDAP::Filter.begins(options['attributes']['username'].first, q) |
+          Net::LDAP::Filter.begins(options['attributes']['email'].first, q)
+      end
+
+      def group_search_filters(q)
+        Net::LDAP::Filter.begins('cn', q)
+      end
+
+      def get_attr(entry, attr_name)
+        if attr_name.is_a? Array
+          attr_name.collect{|an| get_attr(entry, an).presence }.compact.first.to_s
+        elsif !attr_name.blank?
+          value = entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name]
+          value.to_s.force_encoding('UTF-8')
+        end
+      end
+
+      # converts hex representation of SID returned by AD to its string representation
+      def get_sid_string(data)
+        return if data.nil?
+        sid = data.unpack('b x nN V*')
+        sid[1, 2] = Array[nil, b48_to_fixnum(sid[1], sid[2])]
+        'S-' + sid.compact.join('-')
+      end
+
+      B32 = 2**32
+
+      def b48_to_fixnum(i16, i32)
+        i32 + (i16 * B32)
+      end
+
+  end
+end

data/lib/egov_utils/engine.rb

@@ -0,0 +1,84 @@
+require 'i18n-js'
+require 'cancancan'
+require 'audited'
+
+module EgovUtils
+  class Engine < ::Rails::Engine
+    isolate_namespace EgovUtils
+
+    config.generators do |g|
+      g.test_framework :rspec
+      g.fixture_replacement :factory_girl, :dir => 'spec/factories'
+    end
+
+    initializer :append_migrations do |app|
+      unless app.root.to_s.match root.to_s
+        config.paths["db/migrate"].expanded.each do |expanded_path|
+          app.config.paths["db/migrate"] << expanded_path
+        end
+      end
+    end
+
+    initializer 'egov_utils.set_locales' do
+      config.middleware.use I18n::JS::Middleware
+    end
+
+    initializer 'egov_utils.grid_setup' do
+      require 'grid/shield_grid'
+      ActiveSupport::Reloader.to_prepare do
+        AzaharaSchema::Outputs.register(Grid::ShieldGrid)
+      end
+      ActiveSupport.on_load(:action_controller) do
+        ::ActionController::Base.helper EgovUtils::GridHelper
+      end
+    end
+
+    # initializer "active_record.include_plugins" do
+    #   ActiveSupport.on_load(:active_record) do
+    #     require 'egov_utils/has_audit_trail'
+    #     include EgovUtils::HasAuditTrail
+    #   end
+    # end
+
+    initializer 'egov_utils.user_setup' do
+      require 'egov_utils/user_utils/role'
+      require_dependency 'ability'
+      ActiveSupport.on_load(:action_controller) do
+        require 'egov_utils/user_utils/application_controller_patch'
+        ::ActionController::Base.include EgovUtils::UserUtils::ApplicationControllerPatch
+      end
+      # require 'omniauth'
+      # require 'omniauth-kerberos'
+      # Rails.application.config.middleware.use OmniAuth::Builder do
+      #   provider :kerberos
+      # end
+    end
+
+    initializer 'egov_utils.bootstrap_form' do
+      require 'bootstrap_form'
+
+      require 'bootstrap_form/helpers/bootstrap4'
+      require 'bootstrap_form/datetimepicker'
+      BootstrapForm::Helpers::Bootstrap.__send__(:prepend, BootstrapForm::Helpers::Bootstrap4)
+
+      BootstrapForm::DATE_FORMAT = 'DD/MM/YYYY'
+      ruby_format_string = BootstrapForm::DATE_FORMAT.gsub('YYYY', "%Y").gsub('MM', "%m").gsub('DD', "%d")
+
+      BootstrapForm::FormBuilder.__send__(:prepend, BootstrapForm::Datetimepicker)
+
+
+      ActionView::Helpers::Tags::DateField.redefine_method(:format_date) do |value|
+        value.try(:strftime, ruby_format_string)
+      end
+
+      ActionView::Helpers::Tags::DatetimeLocalField.redefine_method(:format_date) do |value|
+        value.try(:strftime, ruby_format_string+"T%T")
+      end
+    end
+
+    # config.after_initialize do
+    #   Rails.application.reload_routes!
+    #   OmniAuth.config.path_prefix = "#{Rails.application.routes.named_routes[:egov_utils].path.spec.to_s}/auth"
+    # end
+  end
+end

data/lib/egov_utils/has_audit_trail.rb

@@ -0,0 +1,68 @@
+module EgovUtils
+  module HasAuditTrail
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+
+      def has_audit_trail(options = {})
+        return if self.included_modules.include?(EgovUtils::HasAuditTrail::AuditTrailMethods)
+
+        default_options = {
+          :non_audited_columns => %w(id updated_at created_at lft rgt lock_version),
+          :important_columns => [],
+          :format_detail_date_columns => [],
+          :format_detail_time_columns => [],
+          :format_detail_reflection_columns => [],
+          :format_detail_boolean_columns => [],
+          :format_detail_hours_columns => []
+        }
+
+        cattr_accessor :audit_trail_options
+        self.audit_trail_options = default_options.dup
+
+        options.each do |k,v|
+          self.audit_trail_options[k] = Array(self.audit_trail_options[k]) | v
+        end
+
+        send :include, EgovUtils::HasAuditTrail::AuditTrailMethods
+      end
+
+    end
+
+    module AuditTrailMethods
+
+      def self.included(base)
+        base.class_eval do
+
+          has_many :audit_records, :as => :audited, :dependent => :destroy, :inverse_of => :audited
+
+        end
+      end
+
+      def clear_current_journal
+        @current_record = nil
+      end
+
+      def init_audit_record(user, notes = '')
+        @current_record ||= AuditRecord.new(:audited => self, :user => user, :notes => notes)
+      end
+
+      # Returns the names of attributes that are journalized when updating the issue
+      def journalized_attribute_names
+        self.class.column_names - self.audit_trail_options[:non_audited_columns]
+      end
+
+      private
+
+      def create_audit_record
+        if @current_record
+          @current_record.save
+        end
+      end
+
+    end
+  end
+end

data/lib/egov_utils/user_utils/application_controller_patch.rb

@@ -0,0 +1,92 @@
+module EgovUtils
+  module UserUtils
+    module ApplicationControllerPatch
+
+      extend ActiveSupport::Concern
+
+      included do
+
+        before_action :user_setup, :set_locale
+
+        rescue_from CanCan::AccessDenied do |exception|
+            respond_to do |format|
+              format.json { head :forbidden, content_type: 'text/html' }
+              format.html { render template: "errors/error_403", error: exception.message }
+              format.js   { head :forbidden, content_type: 'text/html' }
+            end
+          end
+
+        helper_method :current_user, :internal_network?
+
+      end
+
+      def internal_network?
+        request.host.ends_with? 'servis.justice.cz'
+      end
+
+      def current_user
+        User.current || user_setup
+      end
+
+      def user_setup
+        # Find the current user
+        User.current = find_current_user || find_kerberos_user || User.anonymous
+        logger.info("  Current user: " + (User.current.logged? ? "#{User.current.login} (id=#{User.current.id})" : "anonymous")) if logger
+        User.current
+      end
+
+      def redirect_back(fallback_location:, **args)
+        if params[:back_url]
+          redirect_to URI.parse(params[:back_url])
+        else
+          super
+        end
+      end
+
+      protected
+        def find_current_user
+          # existing session
+          find_session_user if session[:user_id]
+        end
+
+        def find_kerberos_user
+          return nil unless internal_network? && EgovUtils::AuthSource.kerberos_providers.any? && request.env['HTTP_REMOTE_USER'].present?
+          username = request.env['HTTP_REMOTE_USER'].split('@')[0]
+          logger.info("  Trying kerberos: #{username}") if logger
+          attrs = EgovUtils::AuthSource.find_kerberos_user(username)
+          if attrs
+            logger.info("  Found kerberos user: #{attrs[:login]}") if logger
+            User.active.find_by(login: attrs[:login])
+          end
+        end
+
+
+        def find_session_user
+          User.active.find(session[:user_id])
+        rescue ActiveRecord::RecordNotFound => e
+          nil
+        end
+
+        # Sets the logged in user
+        def logged_user=(user)
+          reset_session
+          if user && user.is_a?(EgovUtils::User)
+            User.current = user
+            start_user_session(user)
+          else
+            User.current = User.anonymous
+          end
+        end
+
+        def start_user_session(user)
+          session[:user_id] = user.id
+        end
+
+      private
+        def set_locale
+          I18n.default_locale = :cs
+        end
+
+    end
+  end
+end

data/lib/egov_utils/user_utils/role.rb

@@ -0,0 +1,26 @@
+module EgovUtils
+  module UserUtils
+    class Role
+
+      class_attribute :role_name
+      self.role_name = nil
+
+      def self.roles
+        @@roles ||= {}
+      end
+
+      def self.find(name)
+        roles[name]
+      end
+
+      def self.add(name)
+        roles[name] = self
+        self.role_name = name
+      end
+
+      def define_abilities(ability)
+      end
+
+    end
+  end
+end

data/lib/egov_utils/version.rb

@@ -0,0 +1,3 @@
+module EgovUtils
+  VERSION = '0.1.0'
+end

data/lib/egov_utils.rb

@@ -0,0 +1,5 @@
+require "egov_utils/engine"
+
+module EgovUtils
+  # Your code goes here...
+end

data/lib/grid/shield_grid.rb

@@ -0,0 +1,9 @@
+module Grid
+  class ShieldGrid < AzaharaSchema::Output
+
+    def self.key
+      'grid'
+    end
+
+  end
+end

data/lib/tasks/egov_utils_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :egov_utils do
+#   # Task goes here
+# end