gitlab_omniauth-ldap 1.2.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bfa239bab0965d393691bfb55b586e5d81adfc24
-  data.tar.gz: c3467533a4818f774ea858b813db07b660976804
+  metadata.gz: 4646ef4a95b7bfa207d4b4743c57bba1bfd2ef98
+  data.tar.gz: 0a14493288d4559b58a8430f69279b7185bc74ed
 SHA512:
-  metadata.gz: 83c2b776a29778a1d7714981d44cb0511bd6a636888251f133ab6e744d77845d506fc58d715bad32280d128f8161784aeb5049ad8712badbc2afd0a8882ffd5c
-  data.tar.gz: f04e671c5c052f00ca318bedde4dc2c511e722250b89e1f0a07536dd176da19bddbd7fd0a0435ada44c56a51845f8dceb765d422caa77166614962354fb06381
+  metadata.gz: 9dc3b289b76735def7a822fa51e3a854ca8a3a3cfd7d5009fb5db7c90d7413221cd555d3bbb817d4235fc30c50be28d061f2ab54712a7525d696f8135ecc026e
+  data.tar.gz: 8f63fca6f0cef94bfa693d8c81939e91a82a40161eb732376877e3e7efefdaa31f7c726ba9d93fad4674d3c44aff0de1f2a0f7f564d5c40e9f41fd916b9a3703

data/.gitignore

@@ -1,2 +1,4 @@
 .project
+.tags
 coverage
+Gemfile.lock

data/.gitlab-ci.yml

@@ -0,0 +1,12 @@
+image: "ruby:2.3.1"
+
+before_script:
+  - bundle install
+
+stages:
+  - test
+
+rspec:
+  stage: test
+  script:
+    - bundle exec rake spec

data/README.md

@@ -5,43 +5,46 @@
 Use the LDAP strategy as a middleware in your application:
 
     use OmniAuth::Strategies::LDAP, 
-        :title => "My LDAP", 
-        :host => '10.101.10.1',
-        :port => 389,
-        :method => :plain,
-        :base => 'dc=intridea, dc=com',
-        :uid => 'sAMAccountName',
-        :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
-        :bind_dn => 'default_bind_dn',
+        :title        => "My LDAP",
+        :host         => '10.101.10.1',
+        :port         => 389,
+        :encryption   => :plain,
+        :base         => 'dc=intridea, dc=com',
+        :uid          => 'sAMAccountName',
+        :name_proc    => Proc.new {|name| name.gsub(/@.*$/,'')},
+        :bind_dn      => 'default_bind_dn',
         # Or, alternatively:
-        #:filter => '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
-        :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
-        :bind_dn => 'default_bind_dn'
-        :password => 'password'
+        #:filter      => '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
+        :name_proc    => Proc.new {|name| name.gsub(/@.*$/,'')}
+        :bind_dn      => 'default_bind_dn'
+        :password     => 'password'
 
 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
-Allowed values of :method are: :plain, :ssl, :tls.
 
-:bind_dn and :password is the default credentials to perform user lookup.
+- `encryption` is the type of encryption to use between this library and the
+  LDAP server. `:plain` means no encryption. `:simple_tls` represents SSL/TLS
+  (usually on port 636) while `:start_tls` represents StartTLS (usually port 389).
+
+- `:bind_dn` and `:password` are the default credentials to perform user lookup.
   most LDAP servers require that you supply a complete DN as a binding-credential, along with an authenticator
   such as a password. But for many applications, you often don’t have a full DN to identify the user. 
   You usually get a simple identifier like a username or an email address, along with a password. 
   Since many LDAP servers don't allow anonymous access, search function will require a bound connection, 
-  :bind_dn and :password will be required for searching on the username or email to retrieve the DN attribute 
+  `:bind_dn` and `:password` will be required for searching on the username or email to retrieve the DN attribute
   for the user. If the LDAP server allows anonymous access, you don't need to provide these two parameters.
 
-:uid is the LDAP attribute name for the user name in the login form. 
+- `:uid` is the LDAP attribute name for the user name in the login form.
   typically AD would be 'sAMAccountName' or 'UserPrincipalName', while OpenLDAP is 'uid'.
 
-:filter is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility.
-  `%{username}` will be replaced by the user name processed by :name_proc.
+- `:filter` is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility.
+  `%{username}` will be replaced by the user name processed by `:name_proc`.
 
-:name_proc allows you to match the user name entered with the format of the :uid attributes. 
+- `:name_proc` allows you to match the user name entered with the format of the :uid attributes.
   For example, value of 'sAMAccountName' in AD contains only the windows user name. If your user prefers using 
   email to login, a name_proc as above will trim the email string down to just the windows login name. 
-  In summary, use :name_proc to fill the gap between the submitted username and LDAP uid attribute value.
+  In summary, use `:name_proc` to fill the gap between the submitted username and LDAP uid attribute value.
  
-:try_sasl and :sasl_mechanisms are optional. :try_sasl [true | false], :sasl_mechanisms ['DIGEST-MD5' | 'GSS-SPNEGO']
+- `:try_sasl` and `:sasl_mechanisms` are optional. `:try_sasl` [`true` | `false`], `:sasl_mechanisms` [`'DIGEST-MD5'` | `'GSS-SPNEGO'`]
   Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods, 
   please just avoid them.
 

data/gitlab_omniauth-ldap.gemspec

@@ -9,10 +9,14 @@ Gem::Specification.new do |gem|
   gem.homepage      = "https://github.com/gitlabhq/omniauth-ldap"
   gem.license       = "MIT"
 
-  gem.add_runtime_dependency     'omniauth', '~> 1.0'
-  gem.add_runtime_dependency     'net-ldap', '~> 0.9'
-  gem.add_runtime_dependency     'pyu-ruby-sasl', '~> 0.0.3.1'
-  gem.add_runtime_dependency     'rubyntlm', '~> 0.3'
+  gem.add_runtime_dependency     'omniauth', '~> 1.3.1'
+  gem.add_runtime_dependency     'net-ldap', '~> 0.16'
+  gem.add_runtime_dependency     'pyu-ruby-sasl', '~> 0.0.3.3'
+  gem.add_runtime_dependency     'rubyntlm', '~> 0.5.2'
+  gem.add_development_dependency 'rspec', '~> 3.6.0'
+  gem.add_development_dependency 'pry', '~> 0.10.4'
+  gem.add_development_dependency 'rake', '~> 12.0.0'
+  gem.add_development_dependency 'rack-test', '~> 0.6.3'
 
   gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   gem.files         = `git ls-files`.split("\n")

data/lib/omniauth/strategies/ldap.rb

@@ -22,6 +22,9 @@ module OmniAuth
       option :title, "LDAP Authentication" #default title for authentication form
       option :port, 389
       option :method, :plain
+      option :disable_verify_certificates, false
+      option :ca_file, nil
+      option :ssl_version, nil # use OpenSSL default if nil
       option :uid, 'sAMAccountName'
       option :name_proc, lambda {|n| n}
 

data/lib/omniauth-ldap/adaptor.rb

@@ -13,19 +13,37 @@ module OmniAuth
       class AuthenticationError < StandardError; end
       class ConnectionError < StandardError; end
 
-      VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter]
+      VALID_ADAPTER_CONFIGURATION_KEYS = [
+        :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
+        :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
+
+        # Deprecated
+        :method
+      ]
 
       # A list of needed keys. Possible alternatives are specified using sub-lists.
-      MUST_HAVE_KEYS = [:host, :port, :method, [:uid, :filter], :base]
+      MUST_HAVE_KEYS = [
+        :base,
+        [:encryption, :method], # :method is deprecated
+        [:hosts, :host],
+        [:hosts, :port],
+        [:uid, :filter]
+      ]
+
+      ENCRYPTION_METHOD = {
+        :simple_tls => :simple_tls,
+        :start_tls => :start_tls,
+        :plain => nil,
 
-      METHOD = {
+        # Deprecated. This mapping aimed to be user-friendly, but only caused
+        # confusion. Better to pass-through the actual `Net::LDAP` encryption type.
         :ssl => :simple_tls,
         :tls => :start_tls,
-        :plain => nil,
       }
 
       attr_accessor :bind_dn, :password
       attr_reader :connection, :uid, :base, :auth, :filter
+
       def self.validate(configuration={})
         message = []
         MUST_HAVE_KEYS.each do |names|
@@ -37,6 +55,7 @@ module OmniAuth
         end
         raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
       end
+
       def initialize(configuration={})
         Adaptor.validate(configuration)
         @configuration = configuration.dup
@@ -45,14 +64,12 @@ module OmniAuth
         VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
           instance_variable_set("@#{name}", @configuration[name])
         end
-        method = ensure_method(@method)
         config = {
-          :host => @host,
-          :port => @port,
-          :encryption => method,
-          :base => @base
+          base: @base,
+          hosts: @hosts,
+          host: @host,
+          port: @port,
         }
-
         @bind_method = @try_sasl ? :sasl : (@allow_anonymous||!@bind_dn||!@password ? :anonymous : :simple)
 
 
@@ -63,6 +80,7 @@ module OmniAuth
                   }
         config[:auth] = @auth
         @connection = Net::LDAP.new(config)
+        @connection.encryption(encryption_options)
       end
 
       #:base => "dc=yourcompany, dc=com",
@@ -88,14 +106,46 @@ module OmniAuth
       end
 
       private
-      def ensure_method(method)
-          method ||= "plain"
-          normalized_method = method.to_s.downcase.to_sym
-          return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
 
-          available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+      def encryption_options
+        translated_method = translate_method
+
+        {
+          method: translated_method,
+          tls_options: tls_options(translated_method)
+        }
+      end
+
+      def translate_method
+        method = @encryption || @method
+        method ||= "plain"
+        normalized_method = method.to_s.downcase.to_sym
+
+        unless ENCRYPTION_METHOD.has_key?(normalized_method)
+          available_methods = ENCRYPTION_METHOD.keys.collect {|m| m.inspect}.join(", ")
           format = "%s is not one of the available connect methods: %s"
           raise ConfigurationError, format % [method.inspect, available_methods]
+        end
+
+        ENCRYPTION_METHOD[normalized_method]
+      end
+
+      def tls_options(translated_method)
+        return {} if translated_method == nil # (plain)
+
+        tls_options = if @disable_verify_certificates
+                        # It is important to explicitly set verify_mode for two reasons:
+                        # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+                        # 2. The net-ldap gem implementation verifies the certificate hostname
+                        #    unless verify_mode is set to VERIFY_NONE.
+                        { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+                      else
+                        OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+                      end
+
+        tls_options[:ca_file] = @ca_file if @ca_file
+        tls_options[:ssl_version] = @ssl_version if @ssl_version
+        tls_options
       end
 
       def sasl_auths(options={})

data/lib/omniauth-ldap/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module LDAP
-    VERSION = "1.2.1"
+    VERSION = "2.0.0"
   end
 end

data/spec/omniauth/strategies/ldap_spec.rb

@@ -5,6 +5,7 @@ describe "OmniAuth::Strategies::LDAP" do
   # :host => '10.101.10.1',
   # :port => 389,
   # :method => :plain,
+  # :verify_certificates => true,
   # :base => 'dc=intridea, dc=com',
   # :uid => 'sAMAccountName',
   # :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
@@ -210,7 +211,7 @@ description: omniauth-ldap
         auth_hash.info.description.should == 'omniauth-ldap'
       end
     end
-    
+
     context 'alternate fields' do
       let(:auth_hash){ last_request.env['omniauth.auth'] }
 

data/spec/omniauth-ldap/adaptor_spec.rb

@@ -1,18 +1,29 @@
 require 'spec_helper'
-describe "OmniAuth::LDAP::Adaptor" do
+describe OmniAuth::LDAP::Adaptor do
 
   describe 'initialize' do
     it 'should throw exception when must have field is not set' do
-      #[:host, :port, :method, :bind_dn]
-      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain'})}.should raise_error(ArgumentError)
+      #[:host, :port, :encryption, :bind_dn]
+      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain'})}.should raise_error(ArgumentError)
     end
 
-    it 'should throw exception when method is not supported' do
-      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'myplain', uid: 'uid', port: 389, base: 'dc=com'})}.should raise_error(OmniAuth::LDAP::Adaptor::ConfigurationError)
+    it 'should not throw an error if hosts is set but host and port are not' do
+      expect {
+        described_class.new(
+          hosts: [['192.168.1.145', 389], ['192.168.1.146', 389]],
+          encryption: 'plain',
+          base: 'dc=example,dc=com',
+          uid: 'uid'
+        )
+      }.not_to raise_error(ArgumentError)
+    end
+
+    it 'should throw exception when encryption method is not supported' do
+      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'myplain', uid: 'uid', port: 389, base: 'dc=com'})}.should raise_error(OmniAuth::LDAP::Adaptor::ConfigurationError)
     end
 
     it 'should setup ldap connection with anonymous' do
-      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
       adaptor.connection.should_not == nil
       adaptor.connection.host.should == '192.168.1.145'
       adaptor.connection.port.should == 389
@@ -21,16 +32,17 @@ describe "OmniAuth::LDAP::Adaptor" do
     end
 
     it 'should setup ldap connection with simple' do
-      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
       adaptor.connection.should_not == nil
       adaptor.connection.host.should == '192.168.1.145'
       adaptor.connection.port.should == 389
       adaptor.connection.base.should == 'dc=intridea, dc=com'
       adaptor.connection.instance_variable_get('@auth').should == {:method => :simple, :username => 'bind_dn', :password => 'password'}
+      adaptor.connection.instance_variable_get('@encryption').should == {:method => nil, :tls_options => {}}
     end
 
     it 'should setup ldap connection with sasl-md5' do
-      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["DIGEST-MD5"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["DIGEST-MD5"], bind_dn: 'bind_dn', password: 'password'})
       adaptor.connection.should_not == nil
       adaptor.connection.host.should == '192.168.1.145'
       adaptor.connection.port.should == 389
@@ -42,7 +54,7 @@ describe "OmniAuth::LDAP::Adaptor" do
     end
 
     it 'should setup ldap connection with sasl-gss' do
-      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
       adaptor.connection.should_not == nil
       adaptor.connection.host.should == '192.168.1.145'
       adaptor.connection.port.should == 389
@@ -52,6 +64,122 @@ describe "OmniAuth::LDAP::Adaptor" do
       adaptor.connection.instance_variable_get('@auth')[:initial_credential].should =~ /^NTLMSSP/
       adaptor.connection.instance_variable_get('@auth')[:challenge_response].should_not be_nil
     end
+
+    it 'sets up a connection with the proper host and port' do
+      adapter = described_class.new(
+        host: '192.168.1.145',
+        encryption: 'plain',
+        base: 'dc=example,dc=com',
+        port: 3890,
+        uid: 'uid'
+      )
+
+      expect(adapter.connection.host).to eq('192.168.1.145')
+      expect(adapter.connection.port).to eq(3890)
+      expect(adapter.connection.hosts).to be_nil
+    end
+
+    it 'sets up a connection with a enumerable pairs of hosts' do
+      adapter = described_class.new(
+        hosts: [['192.168.1.145', 636], ['192.168.1.146', 636]],
+        encryption: 'plain',
+        base: 'dc=example,dc=com',
+        uid: 'uid'
+      )
+
+      expect(adapter.connection.host).to eq('127.0.0.1')
+      expect(adapter.connection.port).to eq(389)
+      expect(adapter.connection.hosts).to match_array([['192.168.1.145', 636], ['192.168.1.146', 636]])
+    end
+
+    context 'when encryption is plain' do
+      it 'should set the encryption method to nil' do
+        adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+        adaptor.connection.instance_variable_get('@encryption').should include method: nil
+      end
+
+      it 'should set the encryption tls_options to empty' do
+        adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+        adaptor.connection.instance_variable_get('@encryption').should include tls_options: {}
+      end
+    end
+
+    context 'when encryption is ssl' do
+      it 'should set the encryption method to simple_tls' do
+        adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+        adaptor.connection.instance_variable_get('@encryption').should include method: :simple_tls
+      end
+
+      context 'when disable_verify_certificates is not specified' do
+        it 'should set the encryption tls_options to OpenSSL default params' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        end
+      end
+
+      context 'when disable_verify_certificates is true' do
+        it 'should set the encryption tls_options verify_mode explicitly to verify none' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', disable_verify_certificates: true, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+        end
+      end
+
+      context 'when disable_verify_certificates is false' do
+        it 'should set the encryption tls_options to OpenSSL default params' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', disable_verify_certificates: false, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        end
+      end
+
+      context 'when ca_file is specified' do
+        it 'should set the encryption tls_options ca_file' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem')
+        end
+      end
+
+      context 'when ssl_version is specified' do
+        it 'should overwrite the encryption tls_options ssl_version' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ssl_version: 'TLSv1_2')
+        end
+      end
+    end
+
+    context 'when encryption is tls' do
+      it 'should set the encryption method to start_tls' do
+        adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+        adaptor.connection.instance_variable_get('@encryption').should include method: :start_tls
+      end
+
+      context 'when disable_verify_certificates is not specified' do
+        it 'should set the encryption tls_options to OpenSSL default params' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        end
+      end
+
+      context 'when disable_verify_certificates is true' do
+        it 'should set the encryption tls_options verify_mode explicitly to verify none' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', disable_verify_certificates: true, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+        end
+      end
+
+      context 'when disable_verify_certificates is false' do
+        it 'should set the encryption tls_options to OpenSSL default params' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'tls', disable_verify_certificates: false, base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        end
+      end
+    end
+
+    context 'when method is set instead of encryption' do
+      it 'should set the encryption method for backwards-compatibility' do
+        adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'tls', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+        adaptor.connection.instance_variable_get('@encryption').should include method: :start_tls
+      end
+    end
   end
 
   describe 'bind_as' do
@@ -59,7 +187,7 @@ describe "OmniAuth::LDAP::Adaptor" do
     let(:rs) { Struct.new(:dn).new('new dn') }
 
     it 'should bind simple' do
-      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", method: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", encryption: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
       adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
       adaptor.connection.should_receive(:search).with(args).and_return([rs])
       adaptor.connection.should_receive(:bind).with({:username => 'new dn', :password => args[:password], :method => :simple}).and_return(true)
@@ -67,7 +195,7 @@ describe "OmniAuth::LDAP::Adaptor" do
     end
 
     it 'should bind sasl' do
-      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
       adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
       adaptor.connection.should_receive(:search).with(args).and_return([rs])
       adaptor.connection.should_receive(:bind).and_return(true)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gitlab_omniauth-ldap
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Ping Yu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-17 00:00:00.000000000 Z
+date: 2017-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -16,56 +16,112 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.3.1
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '0.16'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '0.16'
 - !ruby/object:Gem::Dependency
   name: pyu-ruby-sasl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.3.1
+        version: 0.0.3.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.3.1
+        version: 0.0.3.3
 - !ruby/object:Gem::Dependency
   name: rubyntlm
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
+        version: 0.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
+        version: 0.5.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.6.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.6.0
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.4
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 12.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 12.0.0
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.3
 description: A LDAP strategy for OmniAuth.
 email:
 - ping@intridea.com
@@ -74,10 +130,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".gitlab-ci.yml"
 - ".rspec"
 - ".travis.yml"
 - Gemfile
-- Gemfile.lock
 - Guardfile
 - README.md
 - Rakefile
@@ -109,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: A LDAP strategy for OmniAuth.

data/Gemfile.lock

@@ -1,49 +0,0 @@
-PATH
-  remote: .
-  specs:
-    gitlab_omniauth-ldap (1.2.1)
-      net-ldap (~> 0.9)
-      omniauth (~> 1.0)
-      pyu-ruby-sasl (~> 0.0.3.1)
-      rubyntlm (~> 0.3)
-
-GEM
-  remote: http://rubygems.org/
-  specs:
-    coderay (1.0.8)
-    diff-lcs (1.1.3)
-    hashie (3.4.0)
-    method_source (0.8.1)
-    net-ldap (0.11)
-    omniauth (1.2.2)
-      hashie (>= 1.2, < 4)
-      rack (~> 1.0)
-    pry (0.9.10)
-      coderay (~> 1.0.5)
-      method_source (~> 0.8)
-      slop (~> 3.3.1)
-    pyu-ruby-sasl (0.0.3.3)
-    rack (1.4.1)
-    rack-test (0.6.2)
-      rack (>= 1.0)
-    rake (10.0.3)
-    rspec (2.12.0)
-      rspec-core (~> 2.12.0)
-      rspec-expectations (~> 2.12.0)
-      rspec-mocks (~> 2.12.0)
-    rspec-core (2.12.2)
-    rspec-expectations (2.12.1)
-      diff-lcs (~> 1.1.3)
-    rspec-mocks (2.12.1)
-    rubyntlm (0.5.0)
-    slop (3.3.3)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  gitlab_omniauth-ldap!
-  pry
-  rack-test
-  rake
-  rspec