houston-devise_ldap_authenticatable 0.7.0

data/lib/devise_ldap_authenticatable/logger.rb

@@ -0,0 +1,11 @@
+module DeviseLdapAuthenticatable
+
+  class Logger    
+    def self.send(message, logger = Rails.logger)
+      if ::Devise.ldap_logger
+        logger.add 0, "  \e[36mLDAP:\e[0m #{message}"
+      end
+    end
+  end
+
+end

data/lib/devise_ldap_authenticatable/model.rb

@@ -0,0 +1,95 @@
+require 'devise_ldap_authenticatable/strategy'
+
+module Devise
+  module Models
+    # LDAP Module, responsible for validating the user credentials via LDAP.
+    #
+    # Examples:
+    #
+    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module LdapAuthenticatable
+      extend ActiveSupport::Concern
+      
+      def login_with
+        @login_with ||= Devise.mappings[self.class.to_s.underscore.to_sym].to.authentication_keys.first
+        self[@login_with]
+      end
+      
+      def ldap_groups
+        Devise::LdapAdapter.get_groups(login_with)
+      end
+      
+      def in_ldap_group?(group_name, group_attribute = LdapAdapter::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        Devise::LdapAdapter.in_ldap_group?(login_with, group_name, group_attribute)
+      end
+      
+      def ldap_dn
+        Devise::LdapAdapter.get_dn(login_with)
+      end
+      
+      def ldap_get_param(login_with, param)
+        Devise::LdapAdapter.get_ldap_param(login_with,param)
+      end
+      
+      #
+      # callbacks
+      #
+      
+      # # Called before the ldap record is saved automatically
+      # def ldap_before_save
+      # end
+      
+      module ClassMethods
+        # Authenticate a user based on configured attribute keys. Returns the
+        # authenticated user if it's valid or nil.
+        def authenticate_with_ldap(attributes={})
+          auth_key = self.authentication_keys.first
+          return nil unless attributes[auth_key].present?
+          
+          auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+          
+          ldap_connection = Devise::LdapAdapter::LdapConnect.new(
+            login: auth_key_value,
+            password: attributes[:password],
+            ldap_auth_username_builder: ::Devise.ldap_auth_username_builder,
+            admin: ::Devise.ldap_use_admin_to_bind )
+          return nil unless ldap_connection.authorized?
+          
+          entry = find_ldap_entry(ldap_connection, auth_key_value)
+          resource = find_for_ldap_authentication(attributes, entry)
+          resource = create_from_ldap_entry(attributes, entry) if resource.nil? && ::Devise.ldap_create_user
+          resource
+        end
+
+        def find_ldap_entry(ldap_connection, auth_key_value)
+          ldap_connection.search_for_login
+        end
+
+        def find_for_ldap_authentication(attributes, entry)
+          auth_key = self.authentication_keys.first
+          auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+          
+          where(auth_key => auth_key_value).first
+        end
+
+        def self.create_from_ldap_entry(attributes, entry)
+          auth_key = self.authentication_keys.first
+          auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+          
+          resource = new
+          resource[auth_key] = auth_key_value
+          resource.password = attributes[:password]
+          resource.ldap_before_save if resources.respond_to?(:ldap_before_save)
+          resource.tap(&:save)
+        end
+
+        def update_with_password(resource)
+          puts "UPDATE_WITH_PASSWORD: #{resource.inspect}"
+        end
+
+      end
+    end
+  end
+end

data/lib/devise_ldap_authenticatable/routes.rb

@@ -0,0 +1,8 @@
+## No routes needed anymore since Devise.add_module with the :route parameter will take care of it.
+
+# ActionController::Routing::RouteSet::Mapper.class_eval do
+# 
+#   protected
+#     # reuse the session routes and controller
+#     alias :ldap_authenticatable :database_authenticatable
+# end

data/lib/devise_ldap_authenticatable/schema.rb

@@ -0,0 +1,14 @@
+## Using email now instead of login. Will add an option later on.
+
+# Devise::Schema.class_eval do
+#     # Creates login
+#     #
+#     # == Options
+#     # * :null - When true, allow columns to be null.
+#     def ldap_authenticatable(options={})
+#       null = options[:null] || false
+# 
+#       apply_schema :login, String, :null => null
+#     end
+# 
+# end

data/lib/devise_ldap_authenticatable/strategy.rb

@@ -0,0 +1,19 @@
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    class LdapAuthenticatable < Authenticatable
+      def authenticate!
+        resource = valid_password? && mapping.to.authenticate_with_ldap(authentication_hash.merge(password: password))
+        return fail(:invalid) unless resource
+
+        if validate(resource)
+          resource.after_ldap_authentication if resource.respond_to?(:after_ldap_authentication)
+          success!(resource)
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_authenticatable/version.rb

@@ -0,0 +1,3 @@
+module DeviseLdapAuthenticatable
+  VERSION = "0.7.0".freeze
+end

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -0,0 +1,62 @@
+module DeviseLdapAuthenticatable
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+    
+    class_option :user_model, :type => :string, :default => "user", :desc => "Model to update"
+    class_option :update_model, :type => :boolean, :default => true, :desc => "Update model to change from database_authenticatable to ldap_authenticatable"
+    class_option :add_rescue, :type => :boolean, :default => true, :desc => "Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException"
+    class_option :advanced, :type => :boolean, :desc => "Add advanced config options to the devise initializer"
+    
+    
+    def create_ldap_config
+      copy_file "ldap.yml", "config/ldap.yml"
+    end
+    
+    def create_default_devise_settings
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"   
+    end
+    
+    def update_user_model
+      gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
+    end
+    
+    def update_application_controller
+      inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
+    end
+    
+    private
+    
+    def default_devise_settings
+      settings = <<-eof
+  # ==> LDAP Configuration 
+  # config.ldap_logger = true
+  # config.ldap_create_user = false
+  # config.ldap_update_password = true
+  # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
+  # config.ldap_check_group_membership = false
+  # config.ldap_check_attributes = false
+  # config.ldap_use_admin_to_bind = false
+  # config.ldap_ad_group_check = false
+  
+      eof
+      if options.advanced?  
+        settings << <<-eof  
+  # ==> Advanced LDAP Configuration
+  # config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "\#{attribute}=\#{login},\#{ldap.base}" }
+  
+        eof
+      end
+      
+      settings
+    end
+    
+    def rescue_from_exception
+      <<-eof
+  rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
+    render :text => exception, :status => 500
+  end
+      eof
+    end
+    
+  end
+end

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -0,0 +1,51 @@
+## Authorizations
+# Uncomment out the merging for each environment that you'd like to include.
+# You can also just copy and paste the tree (do not include the "authorizations") to each
+# environment if you need something different per enviornment.
+authorizations: &AUTHORIZATIONS
+  group_base: ou=groups,dc=test,dc=com
+  ## Requires config.ldap_check_group_membership in devise.rb be true
+  # Can have multiple values, must match all to be authorized
+  required_groups:
+    # If only a group name is given, membership will be checked against "uniqueMember"
+    - cn=admins,ou=groups,dc=test,dc=com
+    - cn=users,ou=groups,dc=test,dc=com
+    # If an array is given, the first element will be the attribute to check against, the second the group name
+    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
+  ## Requires config.ldap_check_attributes in devise.rb to be true
+  ## Can have multiple attributes and values, must match all to be authorized
+  require_attribute:
+    objectClass: inetOrgPerson
+    authorizationRole: postsAdmin
+
+## Environment
+
+development:
+  host: localhost
+  port: 389
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: false
+  # <<: *AUTHORIZATIONS
+
+test:
+  host: localhost
+  port: 3389
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: simple_tls
+  # <<: *AUTHORIZATIONS
+
+production:
+  host: localhost
+  port: 636
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: start_tls
+  # <<: *AUTHORIZATIONS

data/spec/ldap/.gitignore

@@ -0,0 +1,2 @@
+slapd-test.conf
+slapd-ssl-test.conf

data/spec/ldap/base.ldif

@@ -0,0 +1,73 @@
+# ldapadd -x -h localhost -p 3389 -D "cn=admin,dc=test,dc=com" -w secret -f base.ldif
+
+dn: dc=test,dc=com
+objectClass: dcObject
+objectClass: organizationalUnit
+dc: test
+ou: Test
+
+dn: ou=people,dc=test,dc=com
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=others,dc=test,dc=com
+objectClass: organizationalUnit
+ou: others
+
+dn: ou=groups,dc=test,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+# example.user@test.com, people, test.com
+dn: cn=example.user@test.com,ou=people,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+sn: User
+uid: example_user
+mail: example.user@test.com
+cn: example.user@test.com
+authorizationRole: blogUser
+userPassword:: e1NTSEF9ZXRYaE9NcjRjOGFiTjlqYUxyczZKSll5MFlaZUF1NURCVWhhY0E9PQ=
+ =
+
+# other.user@test.com
+dn: cn=other.user@test.com,ou=others,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+sn: Other
+uid: other_user
+cn: other.user@test.com
+authorizationRole: blogUser
+userPassword:: e1NIQX1IQXdtdk13RGF1ZUpyZDhwakxXMzZ6Yi9jTUU9
+
+# example.admin@test.com, people, test.com
+dn: cn=example.admin@test.com,ou=people,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+sn: Admin
+uid: example_admin
+cn: example.admin@test.com
+authorizationRole: blogAdmin
+userPassword:: e1NIQX0wcUNXaERISGFwWmc3ekJxZWRRanBzNW1EUDA9
+
+# users, groups, test.com
+dn: cn=users,ou=groups,dc=test,dc=com
+objectClass: authorizations
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: cn=example.user@test.com,ou=people,dc=test,dc=com
+authorizationRole: cn=example.admin@test.com,ou=people,dc=test,dc=com
+cn: users
+
+# users, groups, test.com
+dn: cn=admins,ou=groups,dc=test,dc=com
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: cn=example.admin@test.com,ou=people,dc=test,dc=com
+cn: admins

data/spec/ldap/clear.ldif

@@ -0,0 +1,26 @@
+dn: cn=admins,ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: cn=users,ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: cn=example.admin@test.com,ou=people,dc=test,dc=com
+changetype: delete
+
+dn: cn=example.user@test.com,ou=people,dc=test,dc=com
+changetype: delete
+
+dn: cn=other.user@test.com,ou=others,dc=test,dc=com
+changetype: delete
+
+dn: ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: ou=people,dc=test,dc=com
+changetype: delete
+
+dn: ou=others,dc=test,dc=com
+changetype: delete
+
+dn: dc=test,dc=com
+changetype: delete

data/spec/ldap/local.schema

@@ -0,0 +1,6 @@
+attributetype ( 1.1.2.2.5 NAME  'authorizationRole' SUP name )
+
+objectclass ( 1.1.2.2.1 NAME 'authorizations'
+        DESC 'mixin authorizations'
+        AUXILIARY
+        MAY authorizationRole )

data/spec/ldap/openldap-data/.gitignore

@@ -0,0 +1,2 @@
+dc=test,dc=com
+dc=test,dc=com.ldif

data/spec/ldap/openldap-data/run/.gitignore

@@ -0,0 +1,2 @@
+slapd.pid
+slapd.args

data/spec/ldap/run-server

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+
+require 'erb'
+require 'fileutils'
+
+FileUtils.chdir(File.dirname(__FILE__))
+
+## For OSX:
+ENV['PATH'] = "#{ENV['PATH']}:/usr/libexec"
+
+template = File.read('slapd-test.conf.erb')
+normal_out = 'slapd-test.conf'
+ssl_out = 'slapd-ssl-test.conf'
+
+File.open(normal_out, 'w') do |f|
+  @ssl = false
+  f.write ERB.new(template).result(binding)
+end
+File.open(ssl_out, 'w') do |f|
+  @ssl = true
+  f.write ERB.new(template).result(binding)
+end
+
+if ARGV.first == '--ssl'
+  cmd = "slapd -d 1 -f #{ssl_out} -h ldaps://localhost:3389"
+else
+  cmd = "slapd -d 1 -f #{normal_out} -h ldap://localhost:3389"
+end
+
+puts(cmd)
+exec(cmd)

data/spec/ldap/server.pem

@@ -0,0 +1,38 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC/hxFetCTh++3sEwchxuscH5TID0Wj2S/heBjY6RuK5rPrAcUg
+rA7jFEFilEQYpfGe3LIMBkr5pP4aR1NrLuvKZaHuBvRLwOcU7SbuFQ3FQLaJA3UK
+E2IOH9wMg1BMcG1WbzB1nKc650omKo7KqOAIYFFVq3gzlDRUmHF6dCAnvwIDAQAB
+AoGAcOBJfGbu1cCEF/2e1mlFZu214bIeeNInRdphynSXpuUQZBBG/Vpp66qkXlTD
+TUN/gwDObgfHaBm1KAehQioFC9ys1Iymlt8IeRYXH9Tkl7URe30QGAGjdIPohWpZ
+xl/aMrpQVvQukaStRNoJXA32j+tuR2KbxAK6bu9iLzXvCQECQQD6AOzHVDB06ZjF
+iJYB1/CyZBg0Q2aIOwGXwle1t1O7q6nJ6UWkurQF/inBdJdE5SWNEzYsI1tEP0n2
+1ZBIWQxtAkEAxB8WgFjRqYdmUYGQ1k8yxMUTLbZFd6t2UZyB/LAw9CtjH9lrU0z9
+81UK/ywVHkoDDPHbFyvd1jludqbz+suRWwJBAPEL9UCXfwUquf8zm5b5cv09n0y8
+895ELlv5qQHvWg+oC1Q/08NptOvWTMJXPQbTfepQ7LmP+Y6LCzCwZ6YqHd0CQFiW
+flB9Tj9YhNQ+RVE4twMAzhfw5FIY5joZCvI8F/DDBGRnjj4zYeafPHdkzyk+X0Bi
+owdFblAM4yO/aCeZ+k8CQQDdBi+WnpaaSL0NXmAb6+7aQRZ/Gc2O9S2JL/Fxw4EQ
+i7KTRdH/d6Db9SeQEc/uCbJW7fM4KbZcjFdncHFytakt
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAyugAwIBAgIJAP+plC/uCHKkMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExEzARBgNVBAcTCkFsZXhhbmRyaWEx
+DTALBgNVBAoTBFRlc3QxDTALBgNVBAsTBFRlc3QxJDAiBgNVBAMUG2RldmlzZV9s
+ZGFwX2F1dGhlbnRpY2F0YWJsZTEiMCAGCSqGSIb3DQEJARYTZHBtY25ldmluQGdt
+YWlsLmNvbTAeFw0xMDA4MDUyMTU1MDVaFw0xMTA4MDUyMTU1MDVaMIGdMQswCQYD
+VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExEzARBgNVBAcTCkFsZXhhbmRyaWEx
+DTALBgNVBAoTBFRlc3QxDTALBgNVBAsTBFRlc3QxJDAiBgNVBAMUG2RldmlzZV9s
+ZGFwX2F1dGhlbnRpY2F0YWJsZTEiMCAGCSqGSIb3DQEJARYTZHBtY25ldmluQGdt
+YWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv4cRXrQk4fvt7BMH
+IcbrHB+UyA9Fo9kv4XgY2Okbiuaz6wHFIKwO4xRBYpREGKXxntyyDAZK+aT+GkdT
+ay7rymWh7gb0S8DnFO0m7hUNxUC2iQN1ChNiDh/cDINQTHBtVm8wdZynOudKJiqO
+yqjgCGBRVat4M5Q0VJhxenQgJ78CAwEAAaOCAQYwggECMB0GA1UdDgQWBBRcCNxq
+0PNXgMfYN2RQ2uIrBY03ADCB0gYDVR0jBIHKMIHHgBRcCNxq0PNXgMfYN2RQ2uIr
+BY03AKGBo6SBoDCBnTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRMw
+EQYDVQQHEwpBbGV4YW5kcmlhMQ0wCwYDVQQKEwRUZXN0MQ0wCwYDVQQLEwRUZXN0
+MSQwIgYDVQQDFBtkZXZpc2VfbGRhcF9hdXRoZW50aWNhdGFibGUxIjAgBgkqhkiG
+9w0BCQEWE2RwbWNuZXZpbkBnbWFpbC5jb22CCQD/qZQv7ghypDAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBABjztpAgr6QxVCNxhgklrILH+RLxww3dgdra
+J6C6pXl9lbM+XIWiUtzD3Y8z2+tkJtjWCCN7peM2OYFvdChIvRz8XoxHqNB9W8wj
+xZOqBHN8MdI1g6PCD5Z8lK1TDvchTeskqCulE6tMHKaslByhfZS94uWY+NG5JY/Z
+traWmtWh
+-----END CERTIFICATE-----