houston-devise_ldap_authenticatable 0.7.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 89918ad25f184bbc7f2a970aefc838ea1bcb3112
+  data.tar.gz: a49591f1d6db64218ccfc8bc64de2ab50149dc79
+SHA512:
+  metadata.gz: ec24c958bfbb0ffb5e0c59c7010b860907da202517929ca1b9c9664769e7044bc01f1ace1fb09a9bbf947e5834cf79a375c4388ef50207ff569621a52f00ea85
+  data.tar.gz: ee8a4d73a63d2597faeb00a255820569812fe7b4d9d1db8d8eaef2f5556def0103ac2f085f35a60341b6c0c77d781ec9375740de744fe49940b82813a49eb5ee

data/.gitignore

@@ -0,0 +1,9 @@
+.bundle
+Gemfile.lock
+log
+*.sqlite3
+test/ldap/openldap-data/*
+!test/ldap/openldap-data/run
+test/ldap/openldap-data/run/slapd.*
+test/rails_app/tmp
+pkg/*

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+CHANGELOG
+=========
+
+v0.8
+----
+
+[Issue #102](https://github.com/cschiewek/devise_ldap_authenticatable/pull/102): Extract method in_group? from in_required_groups? and expose it to the model

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+gemspec
+
+group :development, :test do
+  gem 'ruby-debug', '>= 0.10.3', :platform => :mri_18
+  gem 'debugger', :platform => :ruby_19
+end

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Curtis Schiewek
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,131 @@
+Devise LDAP Authenticatable
+===========================
+Devise LDAP Authenticatable is a LDAP based authentication strategy for the [Devise](http://github.com/plataformatec/devise) authentication framework.
+
+If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.
+
+Devise LDAP Authenticatable works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
+
+For a screencast with an example application, please visit: [http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html](http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html)
+
+Prerequisites
+-------------
+ * devise ~> 2.0.0 (which requires rails ~> 3.1)
+ * net-ldap ~> 0.2.2
+
+Usage
+-----
+In the Gemfile for your application:
+
+    gem "devise_ldap_authenticatable"
+
+To get the latest version, pull directly from github instead of the gem:
+
+    gem "devise_ldap_authenticatable", :git => "git://github.com/cschiewek/devise_ldap_authenticatable.git"
+
+
+Setup
+-----
+Run the rails generators for devise (please check the [devise](http://github.com/plataformatec/devise) documents for further instructions)
+
+    rails generate devise:install
+    rails generate devise MODEL_NAME
+
+Run the rails generator for `devise_ldap_authenticatable`
+
+    rails generate devise_ldap_authenticatable:install [options]
+
+This will install the sample.yml, update the devise.rb initializer, and update your user model. There are some options you can pass to it:
+
+Options:
+
+    [--user-model=USER_MODEL]  # Model to update
+                               # Default: user
+    [--update-model]           # Update model to change from database_authenticatable to ldap_authenticatable
+                               # Default: true
+    [--add-rescue]             # Update Application Controller with rescue_from for DeviseLdapAuthenticatable::LdapException
+                               # Default: true
+    [--advanced]               # Add advanced config options to the devise initializer
+
+Querying LDAP
+-------------
+Given that `ldap_create_user` is set to true and you are authenticating with username, you can query an LDAP server for other attributes.
+
+in your user model:
+
+    before_save :get_ldap_email
+
+    def get_ldap_email
+      self.email = Devise::LdapAdapter.get_ldap_param(self.username,"mail")
+    end
+
+Configuration
+-------------
+In initializer  `config/initializers/devise.rb` :
+
+* `ldap_logger` _(default: true)_
+  * If set to true, will log LDAP queries to the Rails logger.
+
+* `ldap_create_user` _(default: false)_
+  * If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created.
+      If set to false, you will have to create the user record before they will be allowed to login.
+
+* `ldap_config` _(default: #{Rails.root}/config/ldap.yml)_
+	* Where to find the LDAP config file. Commented out to use the default, change if needed.
+
+* `ldap_update_password` _(default: true)_
+  * When doing password resets, if true will update the LDAP server. Requires admin password in the ldap.yml
+
+* `ldap_check_group_membership` _(default: false)_
+  * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
+
+* `ldap_check_attributes` _(default: false)_
+  * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
+
+* `ldap_use_admin_to_bind` _(default: false)_
+  * When set to true, the admin user will be used to bind to the LDAP server during authentication.
+
+Advanced Configuration
+----------------------
+These parameters will be added to `config/initializers/devise.rb` when you pass the `--advanced` switch to the generator:
+
+* `ldap_auth_username_builder` _(default: `Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }`)_
+  * You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
+
+Troubleshooting
+--------------
+**Using a "username" instead of an "email":** The field that is used for logins is the first key that's configured in the `config/devise.rb` file under `config.authentication_keys`, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise.
+
+**SSL certificate invalid:** If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., `/etc/openldap/ldap.conf` or `/etc/ldap/ldap.conf`) to read `TLS_REQCERT never`.
+
+Development guide
+------------
+To contribute to `devise_ldap_authentication`, you should be able to run a test OpenLDAP server. Specifically, you need the `slapd`, `ldapadd`, and `ldapmodify` binaries.
+
+This seems to come out of the box with Mac OS X 10.6.
+
+On Ubuntu (tested on 12.04 and 12.10), you can run `sudo apt-get install slapd ldap-utils`. You will also likely have to add the `spec/ldap` directory of your local git clone to the slapd [apparmor](https://wiki.ubuntu.com/DebuggingApparmor) profile `/etc/apparmor.d/usr.sbin.slapd` if you get permissions errors. Something like this should do:
+
+    /path/to/devise_ldap_authenticatable/spec/ldap/** rw,$
+
+To start hacking on `devise_ldap_authentication`, clone the github repository, start the test LDAP server, and run the rake test task:
+
+    git clone https://github.com/cschiewek/devise_ldap_authenticatable.git
+    cd devise_ldap_authenticatable
+    bundle install
+
+    # in a separate console or backgrounded
+    ./spec/ldap/run-server
+
+    bundle exec rake db:migrate # first time only
+    bundle exec rake spec
+
+References
+----------
+* [OpenLDAP](http://www.openldap.org/)
+* [Devise](http://github.com/plataformatec/devise)
+* [Warden](http://github.com/hassox/warden)
+
+Released under the MIT license
+
+Copyright (c) 2012 [Curtis Schiewek](https://github.com/cschiewek), [Daniel McNevin](https://github.com/dpmcnevin), [Steven Xu](https://github.com/cairo140)

data/Rakefile

@@ -0,0 +1,16 @@
+require File.expand_path('spec/rails_app/config/environment', File.dirname(__FILE__))
+require 'rdoc/task'
+
+desc 'Default: run test suite.'
+task :default => :spec
+
+desc 'Generate documentation for the devise_ldap_authenticatable plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseLDAPAuthenticatable'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+RailsApp::Application.load_tasks

data/devise_ldap_authenticatable.gemspec

@@ -0,0 +1,34 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise_ldap_authenticatable/version"
+
+Gem::Specification.new do |s|
+  s.name     = 'houston-devise_ldap_authenticatable'
+  s.version  = DeviseLdapAuthenticatable::VERSION.dup
+  s.platform = Gem::Platform::RUBY
+  s.summary  = 'Devise extension to allow authentication via LDAP'
+  s.email = 'curtis.schiewek@gmail.com'
+  s.homepage = 'https://github.com/cschiewek/devise_ldap_authenticatable'
+  s.description = s.summary
+  s.authors = ['Curtis Schiewek', 'Daniel McNevin', 'Steven Xu']
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency('devise', '~> 3.0.0')
+  s.add_dependency('net-ldap', '~> 0.2')
+
+  s.add_development_dependency('rake', '>= 0.9')
+  s.add_development_dependency('rdoc', '>= 3')
+  s.add_development_dependency('rails', '~> 3.2')
+  s.add_development_dependency('sqlite3')
+  s.add_development_dependency('factory_girl_rails', '~> 1.0')
+  s.add_development_dependency('factory_girl', '~> 2.0')
+  s.add_development_dependency('rspec-rails')
+
+  %w{database_cleaner capybara launchy autotest-rails ZenTest autotest-growl}.each do |dep|
+    s.add_development_dependency(dep)
+  end
+end

data/lib/devise_ldap_authenticatable.rb

@@ -0,0 +1,50 @@
+# encoding: utf-8
+require 'devise'
+
+require 'devise_ldap_authenticatable/exception'
+require 'devise_ldap_authenticatable/logger'
+require 'devise_ldap_authenticatable/schema'
+require 'devise_ldap_authenticatable/ldap_adapter'
+require 'devise_ldap_authenticatable/routes'
+
+# Get ldap information from config/ldap.yml now
+module Devise
+  # Allow logging
+  mattr_accessor :ldap_logger
+  @@ldap_logger = true
+  
+  # Add valid users to database
+  mattr_accessor :ldap_create_user
+  @@ldap_create_user = false
+  
+  mattr_accessor :ldap_config
+  # @@ldap_config = "#{Rails.root}/config/ldap.yml"
+  
+  mattr_accessor :ldap_configuration
+  
+  mattr_accessor :ldap_update_password
+  @@ldap_update_password = true
+  
+  mattr_accessor :ldap_check_group_membership
+  @@ldap_check_group_membership = false
+  
+  mattr_accessor :ldap_check_attributes
+  @@ldap_check_role_attribute = false
+  
+  mattr_accessor :ldap_use_admin_to_bind
+  @@ldap_use_admin_to_bind = false
+  
+  mattr_accessor :ldap_auth_username_builder
+  @@ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
+
+  mattr_accessor :ldap_ad_group_check
+  @@ldap_ad_group_check = false
+end
+
+# Add ldap_authenticatable strategy to defaults.
+#
+Devise.add_module(:ldap_authenticatable,
+                  :route => :session, ## This will add the routes, rather than in the routes.rb
+                  :strategy   => true,
+                  :controller => :sessions,
+                  :model  => 'devise_ldap_authenticatable/model')

data/lib/devise_ldap_authenticatable/exception.rb

@@ -0,0 +1,6 @@
+module DeviseLdapAuthenticatable
+
+  class LdapException < Exception
+  end
+
+end

data/lib/devise_ldap_authenticatable/ldap_adapter.rb

@@ -0,0 +1,292 @@
+require "net/ldap"
+
+module Devise
+  module LdapAdapter
+    DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY = 'uniqueMember'
+
+    def self.valid_credentials?(login, password_plaintext)
+      options = {:login => login,
+                 :password => password_plaintext,
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+
+      resource = LdapConnect.new(options)
+      resource.authorized?
+    end
+
+    def self.update_password(login, new_password)
+      options = {:login => login,
+                 :new_password => new_password,
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+
+      resource = LdapConnect.new(options)
+      resource.change_password! if new_password.present?
+    end
+
+    def self.update_own_password(login, new_password, current_password)
+      set_ldap_param(login, :userpassword, new_password, current_password)
+    end
+
+    def self.ldap_connect(login)
+      options = {:login => login,
+                 :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                 :admin => ::Devise.ldap_use_admin_to_bind}
+
+      resource = LdapConnect.new(options)
+    end
+
+    def self.valid_login?(login)
+      self.ldap_connect(login).valid_login?
+    end
+
+    def self.get_groups(login)
+      self.ldap_connect(login).user_groups
+    end
+
+    def self.in_ldap_group?(login, group_name, group_attribute = nil)
+      self.ldap_connect(login).in_group?(group_name, group_attribute)
+    end
+
+    def self.get_dn(login)
+      self.ldap_connect(login).dn
+    end
+
+    def self.set_ldap_param(login, param, new_value, password = nil)
+      options = { :login => login,
+                  :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                  :password => password }
+
+      resource = LdapConnect.new(options)
+      resource.set_param(param, new_value)
+    end
+
+    def self.delete_ldap_param(login, param, password = nil)
+      options = { :login => login,
+                  :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                  :password => password }
+
+      resource = LdapConnect.new(options)
+      resource.delete_param(param)
+    end
+
+    def self.get_ldap_param(login,param)
+      resource = self.ldap_connect(login)
+      resource.ldap_param_value(param)
+    end
+
+    def self.get_ldap_entry(login)
+      self.ldap_connect(login).search_for_login
+    end
+
+    class LdapConnect
+
+      attr_reader :ldap, :login
+
+      def initialize(params = {})
+        ldap_config = ::Devise.ldap_configuration
+        ldap_config ||= YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        ldap_options = params
+        ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true
+        ldap_options[:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"]
+
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config["host"]
+        @ldap.port = ldap_config["port"]
+        @ldap.base = ldap_config["base"]
+        @attribute = ldap_config["attribute"]
+        @ldap_auth_username_builder = params[:ldap_auth_username_builder]
+
+        @group_base = ldap_config["group_base"]
+        @check_group_membership = ldap_config.has_key?("check_group_membership") ? ldap_config["check_group_membership"] : ::Devise.ldap_check_group_membership
+        @required_groups = ldap_config["required_groups"]
+        @required_attributes = ldap_config["require_attribute"]
+
+        @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin]
+
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+      end
+
+      def delete_param(param)
+        update_ldap [[:delete, param.to_sym, nil]]
+      end
+
+      def set_param(param, new_value)
+        update_ldap( { param.to_sym => new_value } )
+      end
+
+      def dn
+        DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}")
+        ldap_entry = search_for_login
+        if ldap_entry.nil?
+          @ldap_auth_username_builder.call(@attribute,@login,@ldap)
+        else
+          ldap_entry.dn
+        end
+      end
+
+      def ldap_param_value(param)
+        filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+        ldap_entry = nil
+        @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
+
+        if ldap_entry
+          if ldap_entry[param]
+            DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{ldap_entry.send(param)}")
+            value = ldap_entry.send(param)
+            value = value.first if value.is_a?(Array) and value.count == 1
+            value
+          else
+            DeviseLdapAuthenticatable::Logger.send("Requested param #{param} does not exist")
+            value = nil
+          end
+        else
+          DeviseLdapAuthenticatable::Logger.send("Requested ldap entry does not exist")
+          value = nil
+        end
+      end
+
+      def authenticate!
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+
+      def authenticated?
+        authenticate!
+      end
+
+      def authorized?
+        DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
+        authenticated? && in_required_groups? && has_required_attribute?
+      end
+
+      def change_password!
+        update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password))
+      end
+
+      def in_required_groups?
+        return true unless @check_group_membership
+
+        ## FIXME set errors here, the ldap.yml isn't set properly.
+        return false if @required_groups.nil?
+
+        for group in @required_groups
+          unless in_group?(*group)
+            return false
+          end
+        end
+        return true
+      end
+
+      def in_group?(group_name, group_attribute = DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        admin_ldap = LdapConnect.admin
+
+        unless ::Devise.ldap_ad_group_check
+          admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            unless entry[group_attribute].include? dn
+              DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
+              return false
+            end
+          end
+        else
+          # AD optimization - extension will recursively check sub-groups with one query
+          # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
+          search_result = admin_ldap.search(:base => dn,
+                            :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
+                            :scope => Net::LDAP::SearchScope_BaseObject)
+          # Will return  the user entry if belongs to group otherwise nothing
+          unless search_result.length == 1 && search_result[0].dn.eql?(dn)
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
+            return false
+          end
+        end
+
+        return true
+      end
+
+      def has_required_attribute?
+        return true unless ::Devise.ldap_check_attributes
+
+        admin_ldap = LdapConnect.admin
+
+        user = find_ldap_user(admin_ldap)
+
+        @required_attributes.each do |key,val|
+          unless user[key].include? val
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}")
+            return false
+          end
+        end
+
+        return true
+      end
+
+      def user_groups
+        admin_ldap = LdapConnect.admin
+
+        DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
+        filter = Net::LDAP::Filter.eq("uniqueMember", dn)
+        admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
+      end
+
+      def valid_login?
+        !search_for_login.nil?
+      end
+
+      # Searches the LDAP for the login
+      #
+      # @return [Object] the LDAP entry found; nil if not found
+      def search_for_login
+        DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}")
+        filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+        ldap_entry = nil
+        @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
+        ldap_entry
+      end
+
+      private
+
+      def self.admin
+        ldap = LdapConnect.new(:admin => true).ldap
+
+        unless ldap.bind
+          DeviseLdapAuthenticatable::Logger.send("Cannot bind to admin LDAP user")
+          raise DeviseLdapAuthenticatable::LdapException, "Cannot connect to admin LDAP user"
+        end
+
+        return ldap
+      end
+
+      def find_ldap_user(ldap)
+        DeviseLdapAuthenticatable::Logger.send("Finding user: #{dn}")
+        ldap.search(:base => dn, :scope => Net::LDAP::SearchScope_BaseObject).try(:first)
+      end
+
+      def update_ldap(ops)
+        operations = []
+        if ops.is_a? Hash
+          ops.each do |key,value|
+            operations << [:replace,key,value]
+          end
+        elsif ops.is_a? Array
+          operations = ops
+        end
+
+        if ::Devise.ldap_use_admin_to_bind
+          privileged_ldap = LdapConnect.admin
+        else
+          authenticate!
+          privileged_ldap = self.ldap
+        end
+
+        DeviseLdapAuthenticatable::Logger.send("Modifying user #{dn}")
+        privileged_ldap.modify(:dn => dn, :operations => operations)
+      end
+
+    end
+
+  end
+
+end