egov_utils 0.1.9 → 0.1.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0acb8a903d4ec6302d92915fff9a99e203ea7e76
-  data.tar.gz: 8320e02ca0f684d1542ee7d1ea9d0b08882782ed
+  metadata.gz: 339e97078108e7d4fbad0dfb86b2dc8a2a4d0d22
+  data.tar.gz: 4d2b4bcba50f2c9ce67dd093bc7ca11f0578c535
 SHA512:
-  metadata.gz: f02b14675f1cb7215cca5143e3c813b853423e9906a374ff6580d0dea06a5f81f6f78ffa24ce3272fde4a1ef83c125a3d952d81bddacda461116c934989aa633
-  data.tar.gz: a8b9243c8928d3207325d55250ff1556c12ede9aa75e3160963d673728a2ea6bd91cfd9d1f6ed11a27d4472c42852739342fe9e85688f6c84074565c647e2424
+  metadata.gz: 7bf7ae24fa68490735043ea48270c571f747089fe58337a7e9cfcfa8a5ea4303bec9baf4bc95dd999ba97d435dbfaa392de40c4d213191345f97c9657b11238f
+  data.tar.gz: 34c12fba18edb08e23fb66f383d8d535991da85cd794c2e493015e7cfa4dfb53024a34145afc6ab5c643911a9c49513a58dfbcea9a88ccec5cc6f660af3d16c4

data/README.md

@@ -1,8 +1,98 @@
+[![pipeline status](https://git.servis.justice.cz/libraries/egov_utils-rails/badges/master/pipeline.svg)](https://git.servis.justice.cz/libraries/egov_utils-rails/commits/master)
 # EgovUtils
-Short description and motivation.
+This gem is set of utilities commonly used in Czech egoverment for rails application.
+
+Main features:
+* User roles/permissions
+* Ldap integration
+* Addresses/people storing and validation trough Egsb - ( uses egsb_gate gem )
+* Usefull additions for bootstrap ( will be separeted in feature )
+* Data visualization and retrievement api ( uses azahara_schema gem )
+
+To be done:
+* NIA integration
+* ISDS SSO integration
 
 ## Usage
-How to use my plugin.
+Framework uses configuration in file config/config.yml
+
+### LDAP
+LDAP parameters has to be configured in framework config file under the key `ldap`.
+You can configure more than one ldap source. Framework will try all of them. But groups and users are resolved just by the one ldap controller where user resides.
+Following example is for Active Directory ldap using userPrincipalName as username (prefered - in case of multidomain ldap controller it should be mandatory)
+```yaml
+ldap:
+  main:
+    label: 'Lab'
+    # host: dc01.servis.resort.cz
+    domain: servis.resort.cz
+    resolve_host: true
+    port: 389
+    uid: 'userPrincipalName'
+    method: 'tls'
+    kerberos: true
+    bind_dn: 'CN=Uzivatel LDAP aplikace ABC,OU=Servisni,DC=servis,DC=resort,DC=cz'
+    password: 'heslo uzivatele LDAP aplikace'
+    active_directory: true #enables specific Active Directory functions
+    base: 'OU=Appname,DC=servis,DC=resort,DC=cz'
+    onthefly_register: members
+    attributes:
+      username: ['userPrincipalName']
+      email: ['mail', 'email']
+      name: 'cn'
+      first_name: 'givenName'
+      last_name: 'sn'
+```
+#### Authentication to reading ldap and security
+Authentication options are made trough `bind_dn` and `password` options.
+`bind_dn` id DN of user with read permissions for all ldap tree ( or the subtree wich relates to this application ) and `password` is a password for this user.
+
+#### Defining host
+Host can be defined in option `host`, but in bigger ldap installation you would prefer to use selection of the host on DNS for load balancing purposes.
+
+It can be done by defining option `domain` and `resolve_host: true`.
+Framework will let DNS resolve the servis record `_ldap._tcp.<domain>` and select the first record.
+It relies on resolution of this record to be sorted from less busy controller to most busy.
+It is prefered method for bigger ldaps with load balancing demands.
+
+Option `port` has to be defined if you are using `host` option.
+For `resolve_host` option, you can leave out the host option and framework will use the port returned by DNS server.
+But you can wish to define it anyway, if you have global catalog running on another port.
+
+Option `method` is for defining a security protocol, wich shoul be used for comunication with the ldap controller.
+* plain
+* ssl
+* tls
+You should always use encrypted connection, so please consider plain method to be just for testing purposes to connect to the test ldap controller.
+
+#### Base and attributes
+First you have to specify, where to look for records of users and groups related to the application.
+`base` could be just domain like `DC=servis,DC=resort,DC=cz`, but you should consider to narrowing the scope for performance purposes, so if your users and groups are in specific Organization Unit, you should define DN of the OU as a base.
+
+Attributes defines mapping for attributes in LDAP to attributes in the application database.
+If you are using activedirectory, you probably will want to keep the attributes same as in the example.
+But if you want to change them, you can do it. They are pretty self expanatory.
+
+#### Onthefly registration
+This parameter defines if administartor has to create the accounts (add users from AD) manually, or it can be created (added) with first login.
+
+Parameter `onthefly_register` set to `true` basically saying, that any user in the scope defined by `base` is allowed to login to the application.
+It can be usefull for easy applications, where you create organization unit for them and special account for every user of the application.
+Or on the other hand if the application is for whole resort and you specify the roles and permissions in the application.
+
+
+More interesting is an option `members`.
+With this option, framework will look in all groups added as groups in application and if the user is member of at least one of them, application will create the account.
+Other users can be added manually by administrator. Membership in groups is looked for recursively.
+
+#### Groups
+You can add LDAP groups to the application groups and define roles and permissions to the groups.
+Group membership is solved on the fly for the user, so it does´t depens on the order of making user a memmber of group and adding the group to the application.
+Group membership is looked for recursively, so you can add one big group, define permissions for that group, add other groups as members and end users to this groups.
+This ordering can be useful for more sub organizations, where every organization is managing its users permissions and then it is connected to the global AD catalog, where the application is queriing.
+
+#### Kerberos
+To be documented.
 
 ## Installation
 Add this lines to your application's Gemfile:

data/app/models/egov_utils/user.rb

@@ -87,7 +87,9 @@ module EgovUtils
     end
 
     def all_role_names
-      @all_role_names ||= groups.collect{|g| g.roles}.reduce([], :concat) + roles
+      @all_role_names ||= Rails.cache.fetch("#{cache_key}/all_role_names", expires_in: 1.hours) do
+                            groups.collect{|g| g.roles}.reduce([], :concat) + roles
+                          end
     end
 
     def all_roles
@@ -98,9 +100,13 @@ module EgovUtils
       ldap_groups || []
     end
 
+    def ldap_dn
+      @ldap_dn = auth_source.send(:get_user_dn, login)[:dn]
+    end
+
     def ldap_groups
       if provider.present?
-        EgovUtils::Group.where(provider: provider).to_a.select{|g| g.ldap_member?(self) }
+        EgovUtils::Group.where(provider: provider).to_a.select{|g| auth_source.member?(ldap_dn, g.ldap_uid) }
       end
     end
 

data/lib/egov_utils/auth_source.rb

@@ -46,12 +46,31 @@ module EgovUtils
       @options ||= self.class.config[provider].dup
     end
 
+    # Resolves host name - it is used only if option <tt>:resolve_host</tt> is set to true and expect <tt>:domain</tt> to be defined as well.
+    # ldap controller host is resolved by asking for the <tt>_ldap._tcp.<domain></tt> DNS record and takes first - solve the load balancing of ldap queries.
+    def host_dns
+      require 'resolv'
+      @host_dns = Resolv::DNS.open do |dns|
+                    dns.getresouce('_ldap._tcp.'+options['domain'], Resolv::DNS::Resource::IN::SRV)
+                  end
+    end
+
+    # Get host of ldap controller from options.
+    #
+    # * <tt>:host</tt> - this just give one host and EgovUtils just asks that host
+    # * <tt>:domain</tt> with <tt>:resolve_host</tt> set to true. Domain should be domain for your ldap users.
+    #     in this configuration ldap controller host is resolved by asking for the <tt>_ldap._tcp.<domain></tt> DNS record and takes first - solve the load balancing of ldap queries.
     def host
-      options['host']
+      if options['host']
+        options['host']
+      elsif options['resolve_host'] && options['domain']
+        host_dns.target.to_s
+      end
     end
 
+    # Returns ldap controller port. If <tt>:resolve_host</tt> is set to true and option for port is not defined, it uses port from DNS response.
     def port
-      options['port']
+      options['resolve_host'] ? (options['port'] || host_dns.port.to_i) : options['port']
     end
 
     def encryption
@@ -146,6 +165,25 @@ module EgovUtils
       raise AuthSourceException.new(e.message)
     end
 
+    def member?(user_dn, group_sid)
+      ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
+      group_dn = nil
+      Rails.logger.debug("Membership in group for #{user_dn}")
+      ldap_con.search(base: options['base'],
+                      filter: base_group_filter & Net::LDAP::Filter.eq('objectSID', group_sid),
+                      attributes: ['dn']) do |entry|
+        group_dn = get_attr(entry, 'dn')
+      end
+      if group_dn
+        ldap_con.search(base: user_dn,
+                          filter: base_user_filter & Net::LDAP::Filter.ex('memberOf:1.2.840.113556.1.4.1941', group_dn),
+                          attributes: ['dn']) do |entry|
+          return true
+        end
+      end
+      return false
+    end
+
     def group_members(group_sid)
       ldap_con = initialize_ldap_con(options['bind_dn'], options['password'])
       group_dn = nil

data/lib/egov_utils/user_utils/application_controller_patch.rb

@@ -55,8 +55,10 @@ module EgovUtils
           logger.info("  Trying kerberos: #{username}") if logger
           attrs = EgovUtils::AuthSource.find_kerberos_user(username)
           if attrs
-            logger.info("  Found kerberos user: #{attrs[:login]}") if logger
-            User.active.find_by(login: attrs[:login])
+            user = User.active.find_by(login: attrs[:login])
+            logger.info("  Found kerberos user: #{attrs[:login]} and it is in database") if logger && user
+            logged_user = user
+            user
           end
         end
 

data/lib/egov_utils/version.rb

@@ -1,3 +1,3 @@
 module EgovUtils
-  VERSION = '0.1.9'
+  VERSION = '0.1.10'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: egov_utils
 version: !ruby/object:Gem::Version
-  version: 0.1.9
+  version: 0.1.10
 platform: ruby
 authors:
 - Ondřej Ezr
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-19 00:00:00.000000000 Z
+date: 2017-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails