incline_ldap 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 37bfcb6c7e5e530989ba3bde1834af9b36979de3
+  data.tar.gz: 0b48332d9b5e0257ae0c3370800f9d0d2ebe9a4d
+SHA512:
+  metadata.gz: 508731fc38ff8024680871c2e243f3831ad8e544900ec47e6bbd0ed392e4abd0f373d5ea4d470a757b3a49edc16db6695c3fb8743c66ab87676520357bc242ee
+  data.tar.gz: 993ac522658e546b77db483254ce86d90f9da3ba7879d60183c008efc489399dbbf38c9b5c9e3f6b59f6b3e0ba55e4792fe97aada91c25f13904db14d9deffe3

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.14.6

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in incline_ldap.gemspec
+gemspec
+
+gem 'eventmachine', group: :test
+

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Beau Barker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,33 @@
+# InclineLdap
+
+The incline_ldap gem adds LDAP authentication to an [Incline](https://github.com/barkerest/incline) application.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'incline_ldap'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install incline_ldap
+
+## Usage
+
+
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/barkerest/incline_ldap.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "incline_ldap"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/incline_ldap/auth_engine.rb

@@ -0,0 +1,193 @@
+require 'net-ldap'
+require 'incline'
+require 'securerandom'
+
+module InclineLdap
+
+  ##
+  # Defines an engine used to authenticate a user against an LDAP provider.
+  class AuthEngine < ::Incline::AuthEngineBase
+
+    ##
+    # An error raised when attempting to establish a connection to the LDAP provider.
+    ConnectionError = Class.new(StandardError)
+
+    ##
+    # Raised when a configuration value is invalid.
+    InvalidConfiguration = Class.new(ConnectionError)
+
+    ##
+    # Raised when the configuration looks good but we are still unable to connect.
+    BindError = Class.new(ConnectionError)
+
+    ##
+    # Creates a new LDAP authentication engine.
+    #
+    # Valid options:
+    # host::
+    #     The LDAP host name or IP address.  (required)
+    # port::
+    #     The port to connect to (defaults to 389 for non-ssl and 636 for ssl).
+    # ssl::
+    #     Should SSL be used for the connection (recommended, default is true).
+    # base_dn::
+    #     The base DN to search within when looking for user accounts.  (required)
+    # browse_user::
+    #     A user to log in as when looking for user accounts.  (required)
+    # browse_password::
+    #     The password for the browse_user.
+    # email_attribute::
+    #     The attribute to use when looking for user accounts (default is 'mail').
+    # auto_create::
+    #     If true, users are automatically created when they successfully authenticate against the LDAP provider for
+    #     the first time.
+    # auto_activate::
+    #     If this and auto_create are both true, then newly created users will be activated.  If auto_create is false,
+    #     this option has no effect.  If this is false and auto_create is true, newly created users will need to
+    #     activate their accounts as if they had signed up.
+    #
+    def initialize(options = {})
+      @options = {
+          ssl: true,
+          email_attribute: 'mail'
+      }.merge(options || {})
+
+      @options[:port] = @options[:port].to_s.to_i unless @options[:port].is_a?(::Integer)
+
+      if @options[:port] == 0
+        @options[:port] = (@options[:ssl] ? 636 : 389)
+      end
+
+      raise InvalidConfiguration, "Missing value for 'host' parameter." if @options[:host].blank?
+      raise InvalidConfiguration, "The value for 'port' must be between 1 and 65535." unless (1..65535).include?(@options[:port])
+      raise InvalidConfiguration, "Missing value for 'base_dn' parameter." if @options[:base_dn].blank?
+      raise InvalidConfiguration, "Missing value for 'email_attribute' parameter." if @options[:email_attribute].blank?
+      raise InvalidConfiguration, "Missing value for 'browse_user' parameter." if @options[:browse_user].blank?
+
+      ldap_opt = {
+          host: @options[:host],
+          port: @options[:port],
+          base: @options[:base_dn],
+          auth: {
+              method: :simple,
+              username: @options[:browse_user],
+              password: @options[:browse_password]
+          }
+      }
+
+      if @options[:ssl]
+        @options[:ssl] = @options[:ssl].to_sym if @options[:ssl].is_a?(::String)
+
+        unless [:simple_tls, :start_tls].include?(@options[:ssl])
+          @options[:ssl] =
+              if @options[:port] == 389
+                :start_tls
+              else
+                :simple_tls
+              end
+        end
+
+        ldap_opt[:encryption] = { method: @options[:ssl] }
+      end
+      
+      ::Incline::Log::debug "Creating new LDAP connection to #{@options[:host]}:#{@options[:port]}..."
+      @ldap = Net::LDAP.new(ldap_opt)
+      
+      ::Incline::Log::debug 'Binding to LDAP server...'
+      raise BindError, "Failed to connect to #{@options[:host]}:#{@options[:port]}." unless @ldap.bind
+
+      ::Incline::Log::info "Connected to LDAP host #{@options[:host]}:#{@options[:port]}."
+    end
+
+    ##
+    # Gets the host name or IP address for this LDAP authenticator.
+    def host
+      @options[:host]
+    end
+
+    ##
+    # Gets the host port for this LDAP authenticator.
+    def port
+      @options[:port]
+    end
+
+    ##
+    # Gets the SSL method for this LDAP authenticator.
+    def ssl
+      @options[:ssl]
+    end
+
+    ##
+    # Gets the Base DN for this LDAP authenticator.
+    def base_dn
+      @options[:base_dn]
+    end
+
+    ##
+    # Gets the email attribute name for this LDAP authenticator.
+    def email_attribute
+      @options[:email_attribute]
+    end
+
+    ##
+    # Authenticates a user against an LDAP provider.
+    def authenticate(email, password, client_ip)
+      ldap_filter = "(&(objectClass=person)(#{@options[:email_attribute]}=#{email}))"
+
+      reset_ldap!
+
+      search_result = @ldap.search(filter: ldap_filter)
+
+      if search_result && search_result.count == 1
+        search_result = search_result.first
+        
+        user = ::Incline::User.find_by(email: email)
+        
+        if @options[:auto_create] && user.nil?
+          rpwd = ::SecureRandom.urlsafe_base64(48)
+          ::Incline::Recaptcha::pause_for do
+            user =
+                ::Incline::User.create(
+                    email: email,
+                    password: rpwd,
+                    password_confirmation: rpwd,
+                    name: search_result[:displayName]&.first || search_result[:name]&.first || search_result[:cn]&.first,
+                    recaptcha: 'none',
+                    enabled: true,
+                    activated: !!@options[:auto_activate],
+                    activated_at: (@options[:auto_activate] ? Time.now : nil)
+                )
+            unless @options[:auto_activate]
+              user.send_activation_email client_ip
+            end
+          end
+        end
+        
+        if user
+          unless user.enabled?
+            add_failure_to user, '(LDAP) account disabled', client_ip
+            return nil
+          end
+          entry = @ldap.bind_as(filter: ldap_filter, password: password)
+          if entry && entry.count == 1
+            add_success_to user, '(LDAP)', client_ip
+            return user
+          else
+            add_failure_to user, '(LDAP) invalid password', client_ip
+            return nil
+          end
+        end
+      end
+      add_failure_to email, '(LDAP) invalid email', client_ip
+      nil
+    end
+
+    private
+
+    def reset_ldap!
+      @ldap.auth @options[:browse_user], @options[:browse_password]
+      @ldap.bind
+    end
+
+  end
+end

data/lib/incline_ldap/version.rb

@@ -0,0 +1,3 @@
+module InclineLdap
+  VERSION = "0.1.1"
+end

data/lib/incline_ldap.rb

@@ -0,0 +1,10 @@
+require 'incline'
+require 'incline_ldap/version'
+require 'incline_ldap/auth_engine'
+
+##
+# Extends the Incline gem with LDAP support.
+module InclineLdap
+
+
+end

data/test/incline_ldap_test.rb

@@ -0,0 +1,58 @@
+require 'test_helper'
+
+class InclineLdapTest < Minitest::Test
+  
+  def setup
+    @config = {
+        host: 'ldap.forumsys.com',
+        port: 389,
+        ssl: false,
+        base_dn: 'dc=example,dc=com',
+        browse_user: 'cn=read-only-admin,dc=example,dc=com',
+        browse_password: 'password',
+        auto_create: true,
+        auto_activate: true
+    }
+  end
+  
+  def test_should_connect_and_authenticate
+    aa = InclineLdap::AuthEngine.new(@config)
+    euler = 'euler@ldap.forumsys.com'
+    einstein = 'einstein@ldap.forumsys.com'
+    frank = 'frankenstein@ldap.forumsys.com'
+
+    assert aa
+    # should not be able to login as "Euler" with incorrect password.
+    assert_nil aa.authenticate(euler, 'wrong', '127.0.0.1')
+    # should be able to login as "Euler" with correct password.
+    assert aa.authenticate(euler, 'password', '127.0.0.1')
+    # should not be able to login as "Frankenstein" at all.
+    assert_nil aa.authenticate(frank, 'password', '127.0.0.1')
+    # should be able to login as 'Einstein'.
+    assert aa.authenticate(einstein, 'password', '127.0.0.1')
+  end
+  
+  def test_should_raise_error_for_invalid_config
+    [
+        [ :host, nil ],
+        [ :host, '' ],
+        [ :host, '   ' ],
+        [ :port, -1 ],
+        [ :port, 65536 ],
+        [ :base_dn, nil ],
+        [ :base_dn, '' ],
+        [ :base_dn, '   ' ],
+        [ :browse_user, nil ],
+        [ :browse_user, '' ],
+        [ :browse_user, '   ' ],
+        [ :browse_password, 'invalid-password' ]
+    ].each do |(k,v)|
+      assert_raises(InclineLdap::AuthEngine::ConnectionError) do
+        InclineLdap::AuthEngine.new(@config.merge({ k => v }))
+      end
+    end
+  end
+  
+  
+  
+end

data/test/test_helper.rb

@@ -0,0 +1,14 @@
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+require 'incline_ldap'
+
+require 'minitest/autorun'
+
+Dir.mkdir('tmp') unless Dir.exist?('tmp')
+
+# Connect to a temporary database.
+ActiveRecord::Base.establish_connection adapter: 'sqlite3', pool: 5, database: 'tmp/incline_ldap_test.sqlite3'
+
+# Execute migrations.
+Incline.migrate!
+
+require 'byebug'

metadata

@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: incline_ldap
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Beau Barker
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-07-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: incline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.5
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.3.13
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.3.13
+description: 
+email:
+- beau@barkerest.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/incline_ldap.rb
+- lib/incline_ldap/auth_engine.rb
+- lib/incline_ldap/version.rb
+- test/incline_ldap_test.rb
+- test/test_helper.rb
+homepage: https://github.com/barkerest/incline_ldap/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Adds LDAP authentication support to Incline.
+test_files: []