gitlab_omniauth-ldap 1.2.1 → 2.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +2 -0
  3. data/.gitlab-ci.yml +12 -0
  4. data/README.md +24 -21
  5. data/gitlab_omniauth-ldap.gemspec +8 -4
  6. data/lib/omniauth/strategies/ldap.rb +3 -0
  7. data/lib/omniauth-ldap/adaptor.rb +65 -15
  8. data/lib/omniauth-ldap/version.rb +1 -1
  9. data/spec/omniauth/strategies/ldap_spec.rb +2 -1
  10. data/spec/omniauth-ldap/adaptor_spec.rb +139 -11
  11. metadata +68 -12
  12. data/Gemfile.lock +0 -49
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: bfa239bab0965d393691bfb55b586e5d81adfc24
4
- data.tar.gz: c3467533a4818f774ea858b813db07b660976804
3
+ metadata.gz: 4646ef4a95b7bfa207d4b4743c57bba1bfd2ef98
4
+ data.tar.gz: 0a14493288d4559b58a8430f69279b7185bc74ed
5
5
  SHA512:
6
- metadata.gz: 83c2b776a29778a1d7714981d44cb0511bd6a636888251f133ab6e744d77845d506fc58d715bad32280d128f8161784aeb5049ad8712badbc2afd0a8882ffd5c
7
- data.tar.gz: f04e671c5c052f00ca318bedde4dc2c511e722250b89e1f0a07536dd176da19bddbd7fd0a0435ada44c56a51845f8dceb765d422caa77166614962354fb06381
6
+ metadata.gz: 9dc3b289b76735def7a822fa51e3a854ca8a3a3cfd7d5009fb5db7c90d7413221cd555d3bbb817d4235fc30c50be28d061f2ab54712a7525d696f8135ecc026e
7
+ data.tar.gz: 8f63fca6f0cef94bfa693d8c81939e91a82a40161eb732376877e3e7efefdaa31f7c726ba9d93fad4674d3c44aff0de1f2a0f7f564d5c40e9f41fd916b9a3703
data/.gitignore CHANGED
@@ -1,2 +1,4 @@
1
1
  .project
2
+ .tags
2
3
  coverage
4
+ Gemfile.lock
data/.gitlab-ci.yml ADDED
@@ -0,0 +1,12 @@
1
+ image: "ruby:2.3.1"
2
+
3
+ before_script:
4
+ - bundle install
5
+
6
+ stages:
7
+ - test
8
+
9
+ rspec:
10
+ stage: test
11
+ script:
12
+ - bundle exec rake spec
data/README.md CHANGED
@@ -5,43 +5,46 @@
5
5
  Use the LDAP strategy as a middleware in your application:
6
6
 
7
7
  use OmniAuth::Strategies::LDAP,
8
- :title => "My LDAP",
9
- :host => '10.101.10.1',
10
- :port => 389,
11
- :method => :plain,
12
- :base => 'dc=intridea, dc=com',
13
- :uid => 'sAMAccountName',
14
- :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
15
- :bind_dn => 'default_bind_dn',
8
+ :title => "My LDAP",
9
+ :host => '10.101.10.1',
10
+ :port => 389,
11
+ :encryption => :plain,
12
+ :base => 'dc=intridea, dc=com',
13
+ :uid => 'sAMAccountName',
14
+ :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
15
+ :bind_dn => 'default_bind_dn',
16
16
  # Or, alternatively:
17
- #:filter => '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
18
- :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
19
- :bind_dn => 'default_bind_dn'
20
- :password => 'password'
17
+ #:filter => '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
18
+ :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
19
+ :bind_dn => 'default_bind_dn'
20
+ :password => 'password'
21
21
 
22
22
  All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
23
- Allowed values of :method are: :plain, :ssl, :tls.
24
23
 
25
- :bind_dn and :password is the default credentials to perform user lookup.
24
+ - `encryption` is the type of encryption to use between this library and the
25
+ LDAP server. `:plain` means no encryption. `:simple_tls` represents SSL/TLS
26
+ (usually on port 636) while `:start_tls` represents StartTLS (usually port 389).
27
+
28
+ - `:bind_dn` and `:password` are the default credentials to perform user lookup.
26
29
  most LDAP servers require that you supply a complete DN as a binding-credential, along with an authenticator
27
30
  such as a password. But for many applications, you often don’t have a full DN to identify the user.
28
31
  You usually get a simple identifier like a username or an email address, along with a password.
29
32
  Since many LDAP servers don't allow anonymous access, search function will require a bound connection,
30
- :bind_dn and :password will be required for searching on the username or email to retrieve the DN attribute
33
+ `:bind_dn` and `:password` will be required for searching on the username or email to retrieve the DN attribute
31
34
  for the user. If the LDAP server allows anonymous access, you don't need to provide these two parameters.
32
35
 
33
- :uid is the LDAP attribute name for the user name in the login form.
36
+ - `:uid` is the LDAP attribute name for the user name in the login form.
34
37
  typically AD would be 'sAMAccountName' or 'UserPrincipalName', while OpenLDAP is 'uid'.
35
38
 
36
- :filter is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility.
37
- `%{username}` will be replaced by the user name processed by :name_proc.
39
+ - `:filter` is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility.
40
+ `%{username}` will be replaced by the user name processed by `:name_proc`.
38
41
 
39
- :name_proc allows you to match the user name entered with the format of the :uid attributes.
42
+ - `:name_proc` allows you to match the user name entered with the format of the :uid attributes.
40
43
  For example, value of 'sAMAccountName' in AD contains only the windows user name. If your user prefers using
41
44
  email to login, a name_proc as above will trim the email string down to just the windows login name.
42
- In summary, use :name_proc to fill the gap between the submitted username and LDAP uid attribute value.
45
+ In summary, use `:name_proc` to fill the gap between the submitted username and LDAP uid attribute value.
43
46
 
44
- :try_sasl and :sasl_mechanisms are optional. :try_sasl [true | false], :sasl_mechanisms ['DIGEST-MD5' | 'GSS-SPNEGO']
47
+ - `:try_sasl` and `:sasl_mechanisms` are optional. `:try_sasl` [`true` | `false`], `:sasl_mechanisms` [`'DIGEST-MD5'` | `'GSS-SPNEGO'`]
45
48
  Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
46
49
  please just avoid them.
47
50
 
data/gitlab_omniauth-ldap.gemspec CHANGED
@@ -9,10 +9,14 @@ Gem::Specification.new do |gem|
9
9
  gem.homepage = "https://github.com/gitlabhq/omniauth-ldap"
10
10
  gem.license = "MIT"
11
11
 
12
- gem.add_runtime_dependency 'omniauth', '~> 1.0'
13
- gem.add_runtime_dependency 'net-ldap', '~> 0.9'
14
- gem.add_runtime_dependency 'pyu-ruby-sasl', '~> 0.0.3.1'
15
- gem.add_runtime_dependency 'rubyntlm', '~> 0.3'
12
+ gem.add_runtime_dependency 'omniauth', '~> 1.3.1'
13
+ gem.add_runtime_dependency 'net-ldap', '~> 0.16'
14
+ gem.add_runtime_dependency 'pyu-ruby-sasl', '~> 0.0.3.3'
15
+ gem.add_runtime_dependency 'rubyntlm', '~> 0.5.2'
16
+ gem.add_development_dependency 'rspec', '~> 3.6.0'
17
+ gem.add_development_dependency 'pry', '~> 0.10.4'
18
+ gem.add_development_dependency 'rake', '~> 12.0.0'
19
+ gem.add_development_dependency 'rack-test', '~> 0.6.3'
16
20
 
17
21
  gem.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
18
22
  gem.files = `git ls-files`.split("\n")
data/lib/omniauth/strategies/ldap.rb CHANGED
@@ -22,6 +22,9 @@ module OmniAuth
22
22
  option :title, "LDAP Authentication" #default title for authentication form
23
23
  option :port, 389
24
24
  option :method, :plain
25
+ option :disable_verify_certificates, false
26
+ option :ca_file, nil
27
+ option :ssl_version, nil # use OpenSSL default if nil
25
28
  option :uid, 'sAMAccountName'
26
29
  option :name_proc, lambda {|n| n}
27
30
 
data/lib/omniauth-ldap/adaptor.rb CHANGED
@@ -13,19 +13,37 @@ module OmniAuth
13
13
  class AuthenticationError < StandardError; end
14
14
  class ConnectionError < StandardError; end
15
15
 
16
- VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter]
16
+ VALID_ADAPTER_CONFIGURATION_KEYS = [
17
+ :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
18
+ :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
19
+
20
+ # Deprecated
21
+ :method
22
+ ]
17
23
 
18
24
  # A list of needed keys. Possible alternatives are specified using sub-lists.
19
- MUST_HAVE_KEYS = [:host, :port, :method, [:uid, :filter], :base]
25
+ MUST_HAVE_KEYS = [
26
+ :base,
27
+ [:encryption, :method], # :method is deprecated
28
+ [:hosts, :host],
29
+ [:hosts, :port],
30
+ [:uid, :filter]
31
+ ]
32
+
33
+ ENCRYPTION_METHOD = {
34
+ :simple_tls => :simple_tls,
35
+ :start_tls => :start_tls,
36
+ :plain => nil,
20
37
 
21
- METHOD = {
38
+ # Deprecated. This mapping aimed to be user-friendly, but only caused
39
+ # confusion. Better to pass-through the actual `Net::LDAP` encryption type.
22
40
  :ssl => :simple_tls,
23
41
  :tls => :start_tls,
24
- :plain => nil,
25
42
  }
26
43
 
27
44
  attr_accessor :bind_dn, :password
28
45
  attr_reader :connection, :uid, :base, :auth, :filter
46
+
29
47
  def self.validate(configuration={})
30
48
  message = []
31
49
  MUST_HAVE_KEYS.each do |names|
@@ -37,6 +55,7 @@ module OmniAuth
37
55
  end
38
56
  raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
39
57
  end
58
+
40
59
  def initialize(configuration={})
41
60
  Adaptor.validate(configuration)
42
61
  @configuration = configuration.dup
@@ -45,14 +64,12 @@ module OmniAuth
45
64
  VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
46
65
  instance_variable_set("@#{name}", @configuration[name])
47
66
  end
48
- method = ensure_method(@method)
49
67
  config = {
50
- :host => @host,
51
- :port => @port,
52
- :encryption => method,
53
- :base => @base
68
+ base: @base,
69
+ hosts: @hosts,
70
+ host: @host,
71
+ port: @port,
54
72
  }
55
-
56
73
  @bind_method = @try_sasl ? :sasl : (@allow_anonymous||!@bind_dn||!@password ? :anonymous : :simple)
57
74
 
58
75
 
@@ -63,6 +80,7 @@ module OmniAuth
63
80
  }
64
81
  config[:auth] = @auth
65
82
  @connection = Net::LDAP.new(config)
83
+ @connection.encryption(encryption_options)
66
84
  end
67
85
 
68
86
  #:base => "dc=yourcompany, dc=com",
@@ -88,14 +106,46 @@ module OmniAuth
88
106
  end
89
107
 
90
108
  private
91
- def ensure_method(method)
92
- method ||= "plain"
93
- normalized_method = method.to_s.downcase.to_sym
94
- return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
95
109
 
96
- available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
110
+ def encryption_options
111
+ translated_method = translate_method
112
+
113
+ {
114
+ method: translated_method,
115
+ tls_options: tls_options(translated_method)
116
+ }
117
+ end
118
+
119
+ def translate_method
120
+ method = @encryption || @method
121
+ method ||= "plain"
122
+ normalized_method = method.to_s.downcase.to_sym
123
+
124
+ unless ENCRYPTION_METHOD.has_key?(normalized_method)
125
+ available_methods = ENCRYPTION_METHOD.keys.collect {|m| m.inspect}.join(", ")
97
126
  format = "%s is not one of the available connect methods: %s"
98
127
  raise ConfigurationError, format % [method.inspect, available_methods]
128
+ end
129
+
130
+ ENCRYPTION_METHOD[normalized_method]
131
+ end
132
+
133
+ def tls_options(translated_method)
134
+ return {} if translated_method == nil # (plain)
135
+
136
+ tls_options = if @disable_verify_certificates
137
+ # It is important to explicitly set verify_mode for two reasons:
138
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
139
+ # 2. The net-ldap gem implementation verifies the certificate hostname
140
+ # unless verify_mode is set to VERIFY_NONE.
141
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
142
+ else
143
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
144
+ end
145
+
146
+ tls_options[:ca_file] = @ca_file if @ca_file
147
+ tls_options[:ssl_version] = @ssl_version if @ssl_version
148
+ tls_options
99
149
  end
100
150
 
101
151
  def sasl_auths(options={})
data/lib/omniauth-ldap/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module LDAP
3
- VERSION = "1.2.1"
3
+ VERSION = "2.0.0"
4
4
  end
5
5
  end
data/spec/omniauth/strategies/ldap_spec.rb CHANGED
@@ -5,6 +5,7 @@ describe "OmniAuth::Strategies::LDAP" do
5
5
  # :host => '10.101.10.1',
6
6
  # :port => 389,
7
7
  # :method => :plain,
8
+ # :verify_certificates => true,
8
9
  # :base => 'dc=intridea, dc=com',
9
10
  # :uid => 'sAMAccountName',
10
11
  # :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
@@ -210,7 +211,7 @@ description: omniauth-ldap
210
211
  auth_hash.info.description.should == 'omniauth-ldap'
211
212
  end
212
213
  end
213
-
214
+
214
215
  context 'alternate fields' do
215
216
  let(:auth_hash){ last_request.env['omniauth.auth'] }
216
217
 
data/spec/omniauth-ldap/adaptor_spec.rb CHANGED
@@ -1,18 +1,29 @@
1
1
  require 'spec_helper'
2
- describe "OmniAuth::LDAP::Adaptor" do
2
+ describe OmniAuth::LDAP::Adaptor do
3
3
 
4
4
  describe 'initialize' do
5
5
  it 'should throw exception when must have field is not set' do
6
- #[:host, :port, :method, :bind_dn]
7
- lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain'})}.should raise_error(ArgumentError)
6
+ #[:host, :port, :encryption, :bind_dn]
7
+ lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain'})}.should raise_error(ArgumentError)
8
8
  end
9
9
 
10
- it 'should throw exception when method is not supported' do
11
- lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'myplain', uid: 'uid', port: 389, base: 'dc=com'})}.should raise_error(OmniAuth::LDAP::Adaptor::ConfigurationError)
10
+ it 'should not throw an error if hosts is set but host and port are not' do
11
+ expect {
12
+ described_class.new(
13
+ hosts: [['192.168.1.145', 389], ['192.168.1.146', 389]],
14
+ encryption: 'plain',
15
+ base: 'dc=example,dc=com',
16
+ uid: 'uid'
17
+ )
18
+ }.not_to raise_error(ArgumentError)
19
+ end
20
+
21
+ it 'should throw exception when encryption method is not supported' do
22
+ lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'myplain', uid: 'uid', port: 389, base: 'dc=com'})}.should raise_error(OmniAuth::LDAP::Adaptor::ConfigurationError)
12
23
  end
13
24
 
14
25
  it 'should setup ldap connection with anonymous' do
15
- adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
26
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
16
27
  adaptor.connection.should_not == nil
17
28
  adaptor.connection.host.should == '192.168.1.145'
18
29
  adaptor.connection.port.should == 389
@@ -21,16 +32,17 @@ describe "OmniAuth::LDAP::Adaptor" do
21
32
  end
22
33
 
23
34
  it 'should setup ldap connection with simple' do
24
- adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
35
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
25
36
  adaptor.connection.should_not == nil
26
37
  adaptor.connection.host.should == '192.168.1.145'
27
38
  adaptor.connection.port.should == 389
28
39
  adaptor.connection.base.should == 'dc=intridea, dc=com'
29
40
  adaptor.connection.instance_variable_get('@auth').should == {:method => :simple, :username => 'bind_dn', :password => 'password'}
41
+ adaptor.connection.instance_variable_get('@encryption').should == {:method => nil, :tls_options => {}}
30
42
  end
31
43
 
32
44
  it 'should setup ldap connection with sasl-md5' do
33
- adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["DIGEST-MD5"], bind_dn: 'bind_dn', password: 'password'})
45
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["DIGEST-MD5"], bind_dn: 'bind_dn', password: 'password'})
34
46
  adaptor.connection.should_not == nil
35
47
  adaptor.connection.host.should == '192.168.1.145'
36
48
  adaptor.connection.port.should == 389
@@ -42,7 +54,7 @@ describe "OmniAuth::LDAP::Adaptor" do
42
54
  end
43
55
 
44
56
  it 'should setup ldap connection with sasl-gss' do
45
- adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
57
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
46
58
  adaptor.connection.should_not == nil
47
59
  adaptor.connection.host.should == '192.168.1.145'
48
60
  adaptor.connection.port.should == 389
@@ -52,6 +64,122 @@ describe "OmniAuth::LDAP::Adaptor" do
52
64
  adaptor.connection.instance_variable_get('@auth')[:initial_credential].should =~ /^NTLMSSP/
53
65
  adaptor.connection.instance_variable_get('@auth')[:challenge_response].should_not be_nil
54
66
  end
67
+
68
+ it 'sets up a connection with the proper host and port' do
69
+ adapter = described_class.new(
70
+ host: '192.168.1.145',
71
+ encryption: 'plain',
72
+ base: 'dc=example,dc=com',
73
+ port: 3890,
74
+ uid: 'uid'
75
+ )
76
+
77
+ expect(adapter.connection.host).to eq('192.168.1.145')
78
+ expect(adapter.connection.port).to eq(3890)
79
+ expect(adapter.connection.hosts).to be_nil
80
+ end
81
+
82
+ it 'sets up a connection with a enumerable pairs of hosts' do
83
+ adapter = described_class.new(
84
+ hosts: [['192.168.1.145', 636], ['192.168.1.146', 636]],
85
+ encryption: 'plain',
86
+ base: 'dc=example,dc=com',
87
+ uid: 'uid'
88
+ )
89
+
90
+ expect(adapter.connection.host).to eq('127.0.0.1')
91
+ expect(adapter.connection.port).to eq(389)
92
+ expect(adapter.connection.hosts).to match_array([['192.168.1.145', 636], ['192.168.1.146', 636]])
93
+ end
94
+
95
+ context 'when encryption is plain' do
96
+ it 'should set the encryption method to nil' do
97
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
98
+ adaptor.connection.instance_variable_get('@encryption').should include method: nil
99
+ end
100
+
101
+ it 'should set the encryption tls_options to empty' do
102
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
103
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: {}
104
+ end
105
+ end
106
+
107
+ context 'when encryption is ssl' do
108
+ it 'should set the encryption method to simple_tls' do
109
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
110
+ adaptor.connection.instance_variable_get('@encryption').should include method: :simple_tls
111
+ end
112
+
113
+ context 'when disable_verify_certificates is not specified' do
114
+ it 'should set the encryption tls_options to OpenSSL default params' do
115
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
116
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
117
+ end
118
+ end
119
+
120
+ context 'when disable_verify_certificates is true' do
121
+ it 'should set the encryption tls_options verify_mode explicitly to verify none' do
122
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', disable_verify_certificates: true, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
123
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE }
124
+ end
125
+ end
126
+
127
+ context 'when disable_verify_certificates is false' do
128
+ it 'should set the encryption tls_options to OpenSSL default params' do
129
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', disable_verify_certificates: false, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
130
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
131
+ end
132
+ end
133
+
134
+ context 'when ca_file is specified' do
135
+ it 'should set the encryption tls_options ca_file' do
136
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
137
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem')
138
+ end
139
+ end
140
+
141
+ context 'when ssl_version is specified' do
142
+ it 'should overwrite the encryption tls_options ssl_version' do
143
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})
144
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ssl_version: 'TLSv1_2')
145
+ end
146
+ end
147
+ end
148
+
149
+ context 'when encryption is tls' do
150
+ it 'should set the encryption method to start_tls' do
151
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
152
+ adaptor.connection.instance_variable_get('@encryption').should include method: :start_tls
153
+ end
154
+
155
+ context 'when disable_verify_certificates is not specified' do
156
+ it 'should set the encryption tls_options to OpenSSL default params' do
157
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
158
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
159
+ end
160
+ end
161
+
162
+ context 'when disable_verify_certificates is true' do
163
+ it 'should set the encryption tls_options verify_mode explicitly to verify none' do
164
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', disable_verify_certificates: true, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
165
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE }
166
+ end
167
+ end
168
+
169
+ context 'when disable_verify_certificates is false' do
170
+ it 'should set the encryption tls_options to OpenSSL default params' do
171
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', disable_verify_certificates: false, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
172
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
173
+ end
174
+ end
175
+ end
176
+
177
+ context 'when method is set instead of encryption' do
178
+ it 'should set the encryption method for backwards-compatibility' do
179
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'tls', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
180
+ adaptor.connection.instance_variable_get('@encryption').should include method: :start_tls
181
+ end
182
+ end
55
183
  end
56
184
 
57
185
  describe 'bind_as' do
@@ -59,7 +187,7 @@ describe "OmniAuth::LDAP::Adaptor" do
59
187
  let(:rs) { Struct.new(:dn).new('new dn') }
60
188
 
61
189
  it 'should bind simple' do
62
- adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", method: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
190
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", encryption: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
63
191
  adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
64
192
  adaptor.connection.should_receive(:search).with(args).and_return([rs])
65
193
  adaptor.connection.should_receive(:bind).with({:username => 'new dn', :password => args[:password], :method => :simple}).and_return(true)
@@ -67,7 +195,7 @@ describe "OmniAuth::LDAP::Adaptor" do
67
195
  end
68
196
 
69
197
  it 'should bind sasl' do
70
- adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
198
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
71
199
  adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
72
200
  adaptor.connection.should_receive(:search).with(args).and_return([rs])
73
201
  adaptor.connection.should_receive(:bind).and_return(true)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab_omniauth-ldap
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.1
4
+ version: 2.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ping Yu
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-03-17 00:00:00.000000000 Z
11
+ date: 2017-06-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth
@@ -16,56 +16,112 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '1.0'
19
+ version: 1.3.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '1.0'
26
+ version: 1.3.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: net-ldap
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: '0.9'
33
+ version: '0.16'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: '0.9'
40
+ version: '0.16'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: pyu-ruby-sasl
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: 0.0.3.1
47
+ version: 0.0.3.3
48
48
  type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: 0.0.3.1
54
+ version: 0.0.3.3
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: rubyntlm
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: '0.3'
61
+ version: 0.5.2
62
62
  type: :runtime
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: '0.3'
68
+ version: 0.5.2
69
+ - !ruby/object:Gem::Dependency
70
+ name: rspec
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - "~>"
74
+ - !ruby/object:Gem::Version
75
+ version: 3.6.0
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - "~>"
81
+ - !ruby/object:Gem::Version
82
+ version: 3.6.0
83
+ - !ruby/object:Gem::Dependency
84
+ name: pry
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - "~>"
88
+ - !ruby/object:Gem::Version
89
+ version: 0.10.4
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - "~>"
95
+ - !ruby/object:Gem::Version
96
+ version: 0.10.4
97
+ - !ruby/object:Gem::Dependency
98
+ name: rake
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - "~>"
102
+ - !ruby/object:Gem::Version
103
+ version: 12.0.0
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - "~>"
109
+ - !ruby/object:Gem::Version
110
+ version: 12.0.0
111
+ - !ruby/object:Gem::Dependency
112
+ name: rack-test
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - "~>"
116
+ - !ruby/object:Gem::Version
117
+ version: 0.6.3
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - "~>"
123
+ - !ruby/object:Gem::Version
124
+ version: 0.6.3
69
125
  description: A LDAP strategy for OmniAuth.
70
126
  email:
71
127
  - ping@intridea.com
@@ -74,10 +130,10 @@ extensions: []
74
130
  extra_rdoc_files: []
75
131
  files:
76
132
  - ".gitignore"
133
+ - ".gitlab-ci.yml"
77
134
  - ".rspec"
78
135
  - ".travis.yml"
79
136
  - Gemfile
80
- - Gemfile.lock
81
137
  - Guardfile
82
138
  - README.md
83
139
  - Rakefile
@@ -109,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
109
165
  version: '0'
110
166
  requirements: []
111
167
  rubyforge_project:
112
- rubygems_version: 2.2.2
168
+ rubygems_version: 2.6.8
113
169
  signing_key:
114
170
  specification_version: 4
115
171
  summary: A LDAP strategy for OmniAuth.
data/Gemfile.lock DELETED
@@ -1,49 +0,0 @@
1
- PATH
2
- remote: .
3
- specs:
4
- gitlab_omniauth-ldap (1.2.1)
5
- net-ldap (~> 0.9)
6
- omniauth (~> 1.0)
7
- pyu-ruby-sasl (~> 0.0.3.1)
8
- rubyntlm (~> 0.3)
9
-
10
- GEM
11
- remote: http://rubygems.org/
12
- specs:
13
- coderay (1.0.8)
14
- diff-lcs (1.1.3)
15
- hashie (3.4.0)
16
- method_source (0.8.1)
17
- net-ldap (0.11)
18
- omniauth (1.2.2)
19
- hashie (>= 1.2, < 4)
20
- rack (~> 1.0)
21
- pry (0.9.10)
22
- coderay (~> 1.0.5)
23
- method_source (~> 0.8)
24
- slop (~> 3.3.1)
25
- pyu-ruby-sasl (0.0.3.3)
26
- rack (1.4.1)
27
- rack-test (0.6.2)
28
- rack (>= 1.0)
29
- rake (10.0.3)
30
- rspec (2.12.0)
31
- rspec-core (~> 2.12.0)
32
- rspec-expectations (~> 2.12.0)
33
- rspec-mocks (~> 2.12.0)
34
- rspec-core (2.12.2)
35
- rspec-expectations (2.12.1)
36
- diff-lcs (~> 1.1.3)
37
- rspec-mocks (2.12.1)
38
- rubyntlm (0.5.0)
39
- slop (3.3.3)
40
-
41
- PLATFORMS
42
- ruby
43
-
44
- DEPENDENCIES
45
- gitlab_omniauth-ldap!
46
- pry
47
- rack-test
48
- rake
49
- rspec