oa-enterprise 0.1.0 → 0.1.1

data/README.rdoc

@@ -11,7 +11,8 @@ To get just enterprise functionality:
 For the full auth suite:
 
     gem install omniauth
-    
+
+CAS strategy    
 == Stand-Alone Example
 
 Use the strategy as a middleware in your application:
@@ -22,7 +23,9 @@ Use the strategy as a middleware in your application:
     
 Then simply direct users to '/auth/cas' to have them sign in via your company's CAS server.
 See OmniAuth::Strategies::CAS::Configuration for more configuration options.
-
+    
+Then simply direct users to '/auth/cas' to have them sign in via your company's CAS server.
+See OmniAuth::Strategies::CAS::Configuration for more configuration options.
 
 == OmniAuth Builder
 
@@ -36,3 +39,20 @@ If CAS is one of several authentication strategies, use the OmniAuth Builder:
       provider :cas, :server => 'http://cas.mycompany.com/cas'
       provider :campfire
     end
+
+LDAP strategy
+
+    use OmniAuth::Strategies::LDAP, :host => '10.101.10.1', :port => 389, :method => :plain, :base => 'dc=intridea, dc=com', :uid => 'sAMAccountName', :try_sasl => true, :sasl_mechanisms => "GSS-SPNEGO"
+		or
+    use OmniAuth::Builder do
+      provider :LDAP, :host => '10.101.10.1', :port => 389, :method => :plain, :base => 'dc=intridea, dc=com', :uid => 'sAMAccountName', :try_sasl => true, :sasl_mechanisms => "GSS-SPNEGO"
+    end
+		    
+    LDAP server's :host and :port are required, :method is also a required field, and allowed values are :plain, :ssl, and :tls.
+    :base is required, it is the distinguish name (DN) for your organization, all users should be searchable under this base.
+    :uid is required, it is the LDAP attribute name for the user name in the login form. typically AD would be 'sAMAccountName' or 'UniquePersonalIdentifier', while 
+    OpenLDAP is 'uid'. You can also use 'dn', if your user choose the put in the dn in the login form (but usually is too long for user to remember or know).
+    :try_sasl and :sasl_mechanisms are optional, use it to initial SASL connection to server. mechanism supported are DIGEST-MD5 and GSS-SPNEGO.
+
+Then simply direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
+    

data/lib/omniauth/enterprise.rb

@@ -3,5 +3,6 @@ require 'omniauth/core'
 module OmniAuth
   module Strategies
     autoload :CAS, 'omniauth/strategies/cas'
+    autoload :LDAP, 'omniauth/strategies/ldap'
   end
 end

data/lib/omniauth/strategies/ldap.rb

@@ -0,0 +1,94 @@
+require 'omniauth/enterprise'
+require 'net/ldap'
+
+module OmniAuth
+  module Strategies
+    class LDAP
+      include OmniAuth::Strategy
+      
+      autoload :Adaptor, 'omniauth/strategies/ldap/adaptor'
+      @@config   =  {'first_name' => 'givenName', 'last_name' => 'sn', 'email' => ['mail', "email", 'userPrincipalName'],
+										'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
+										'mobile_number' => ['mobile', 'mobileTelephoneNumber'],
+										'nickname' => ['uid', 'userid', 'sAMAccountName'],
+										'title' => 'title',
+										'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
+										'uid' => 'dn',
+										'url' => ['wwwhomepage'],
+										'image' => 'jpegPhoto',
+										'description' => 'description'}
+      def initialize(app, title, options = {})
+        super(app, options.delete(:name) || :ldap)
+        @title = title
+        @adaptor = OmniAuth::Strategies::LDAP::Adaptor.new(options)
+      end
+      
+      protected
+      
+      def request_phase
+        if env['REQUEST_METHOD'] == 'GET'
+          get_credentials
+        else
+          perform
+        end
+      end
+
+			def get_credentials
+        OmniAuth::Form.build(@title) do
+          text_field 'Login', 'username'
+          password_field 'Password', 'password'
+        end.to_response
+      end
+      def perform
+      	begin
+      		@adaptor.bind(:bind_dn => request.POST['username'], :password => request.POST['password'])
+      		@ldap_user_info = @adaptor.search(:filter => Net::LDAP::Filter.eq(@adaptor.uid, request.POST['username']),:limit => 1)
+      		@user_info = self.class.map_user(@@config, @ldap_user_info)
+	        request.POST['auth'] = auth_hash
+	        @env['REQUEST_METHOD'] = 'GET'
+	        @env['PATH_INFO'] = "#{OmniAuth.config.path_prefix}/#{name}/callback"
+	
+	        @app.call(@env)
+      	rescue Exception => e
+      		puts e.message
+      		fail!(:invalid_credentials)
+      	end
+      end      
+
+      def callback_phase
+      	fail!(:invalid_request)
+      end
+      
+      def auth_hash
+        OmniAuth::Utils.deep_merge(super, {
+          'uid' => @user_info["uid"],
+          'user_info' => @user_info,
+          'extra' => @ldap_user_info
+        })
+      end
+      
+		  def self.map_user mapper, object
+		  	user = {}
+		    mapper.each do |key, value|
+		      case value
+		        when String
+		          user[key] = object[value.downcase.to_sym].to_s if object[value.downcase.to_sym]
+		        when Array
+		          value.each {|v| (user[key] = object[v.downcase.to_sym].to_s; break;) if object[v.downcase.to_sym]}
+		        when Hash
+		        	value.map do |key1, value1|
+			        	pattern = key1.dup
+			        	value1.each_with_index do |v,i|
+			          	part = '';
+			          	v.each {|v1| (part = object[v1.downcase.to_sym].to_s; break;) if object[v1.downcase.to_sym]}
+			        		pattern.gsub!("%#{i}",part||'') 
+			        	end	
+			        	user[key] = pattern
+		       		end
+		        end
+		      end
+		    user
+		  end       
+    end
+  end
+end

data/lib/omniauth/strategies/ldap/adaptor.rb

@@ -0,0 +1,293 @@
+#this code boughts pieces from activeldap and net-ldap
+require 'rack'
+require 'net/ldap'
+require 'net/ntlm'
+require 'uri'
+module OmniAuth
+  module Strategies
+    class LDAP
+      class Adaptor
+				class LdapError < StandardError; end
+				class ConfigurationError < StandardError; end
+				class AuthenticationError < StandardError; end
+				class ConnectionError < StandardError; end
+	      VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password,
+	                                          :try_sasl, :sasl_mechanisms, :uid, :base]
+	      MUST_HAVE_KEYS = [:host, :port, :method, :uid, :base]
+	      METHOD = {
+	        :ssl => :simple_tls,
+	        :tls => :start_tls,
+	        :plain => nil
+	      }     
+	      attr_accessor :bind_dn, :password                                     
+				attr_reader :connection, :uid, :base
+	      def initialize(configuration={})
+	        @connection = nil
+	        @disconnected = false
+	        @bound = false
+	        @configuration = configuration.dup
+	        @logger = @configuration.delete(:logger)
+	        message = []
+	        MUST_HAVE_KEYS.each do |name|
+	        	message << name if configuration[name].nil? 
+	        end
+	        raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
+	        VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
+	          instance_variable_set("@#{name}", configuration[name])
+	        end
+	      end
+	
+				def connect(options={})
+	        host = options[:host] || @host
+	        method = options[:method] || @method || :plain
+	        port = options[:port] || @port || ensure_port(method)
+	        method = ensure_method(method)
+	        @disconnected = false
+	        @bound = false
+	        @bind_tried = false				
+          config = {
+            :host => host,
+            :port => port,
+          }
+          config[:encryption] = {:method => method} if method
+          @connection, @uri, @with_start_tls = 
+          begin
+            uri = construct_uri(host, port, method == :simple_tls)
+            with_start_tls = method == :start_tls
+            puts ({:uri => uri, :with_start_tls => with_start_tls}).inspect
+            [Net::LDAP::Connection.new(config), uri, with_start_tls]
+          rescue Net::LDAP::LdapError
+            raise ConnectionError, $!.message
+          end
+	      end
+	
+	      def unbind(options={})
+	          @connection.close # Net::LDAP doesn't implement unbind.
+	      end
+	
+	      def bind(options={})
+	        connect(options) unless connecting?
+	        begin
+		        @bind_tried = true
+		
+		        bind_dn = (options[:bind_dn] || @bind_dn).to_s
+		        try_sasl = options.has_key?(:try_sasl) ? options[:try_sasl] : @try_sasl
+		
+		        # Rough bind loop:
+		        # Attempt 1: SASL if available
+		        # Attempt 2: SIMPLE with credentials if password block
+		        if try_sasl and sasl_bind(bind_dn, options)
+		        	puts "bind with sasl"
+		        elsif simple_bind(bind_dn, options)
+		        	puts "bind with simple"
+		        else
+		          message = yield if block_given?
+		          message ||= ('All authentication methods for %s exhausted.') % target
+		          raise AuthenticationError, message
+		        end
+		
+		        @bound = true
+	        rescue Net::LDAP::LdapError
+	          raise AuthenticationError, $!.message
+	        end
+	      end
+	
+	      def disconnect!(options={})
+	        unbind(options)
+	        @connection = @uri = @with_start_tls = nil
+	        @disconnected = true
+	      end
+	
+	      def rebind(options={})
+	        unbind(options) if bound?
+	        connect(options)
+	      end
+	
+	      def connecting?
+	        !@connection.nil? and !@disconnected
+	      end
+	
+	      def bound?
+	        connecting? and @bound
+	      end
+				
+				def search(options={}, &block)
+	        base = options[:base]
+	        filter = options[:filter]
+	        limit = options[:limit]
+	
+	        args = {
+	        	:base => @base,
+	          :filter => filter,
+	          :size => limit
+	        }
+					puts args.inspect
+          attributes = {}
+          execute(:search, args) do |entry|
+            entry.attribute_names.each do |name|
+              attributes[name] = entry[name]
+            end
+        	end
+        	attributes
+      end
+	      private
+	      def execute(method, *args, &block)
+	        result = @connection.send(method, *args, &block)
+	        message = nil
+	        if result.is_a?(Hash)
+	          message = result[:errorMessage]
+	          result = result[:resultCode]
+	        end
+	        unless result.zero?
+	          message = [Net::LDAP.result2string(result), message].compact.join(": ")
+	          raise LdapError, message
+	        end
+	      end	      
+	      
+	      def ensure_port(method)
+	        if method == :ssl
+	          URI::LDAPS::DEFAULT_PORT
+	        else
+	          URI::LDAP::DEFAULT_PORT
+	        end
+	      end
+	
+	      def prepare_connection(options)
+	      end
+	
+	      def ensure_method(method)
+	        method ||= "plain"
+	        normalized_method = method.to_s.downcase.to_sym
+	        return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
+	
+	        available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+	        format = "%s is not one of the available connect methods: %s"
+	        raise ConfigurationError, format % [method.inspect, available_methods]
+	      end
+	      
+	      def sasl_bind(bind_dn, options={})
+	        sasl_mechanisms = options[:sasl_mechanisms] || @sasl_mechanisms
+	          sasl_mechanisms.each do |mechanism|
+		          begin
+			          normalized_mechanism = mechanism.downcase.gsub(/-/, '_')
+			          sasl_bind_setup = "sasl_bind_setup_#{normalized_mechanism}"
+			          next unless respond_to?(sasl_bind_setup, true)
+			          initial_credential, challenge_response =
+			            send(sasl_bind_setup, bind_dn, options)
+			          args = {
+			            :method => :sasl,
+			            :initial_credential => initial_credential,
+			            :mechanism => mechanism,
+			            :challenge_response => challenge_response,
+			          }
+			          info = {
+			            :name => "bind: SASL", :dn => bind_dn, :mechanism => mechanism,
+			          }
+			          puts info.inspect
+			          execute(:bind, args)
+			          return true
+			        rescue Exception => e
+			        	puts e.message
+			        end
+	          end
+	        false
+			  end
+
+      def parse_sasl_digest_md5_credential(cred)
+        params = {}
+        cred.scan(/(\w+)=(\"?)(.+?)\2(?:,|$)/) do |name, sep, value|
+          params[name] = value
+        end
+        params
+      end			  
+      CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      def generate_client_nonce(size=32)
+        nonce = ""
+        size.times do |i|
+          nonce << CHARS[rand(CHARS.size)]
+        end
+        nonce
+      end      
+      def sasl_bind_setup_digest_md5(bind_dn, options)
+        initial_credential = ""
+        nonce_count = 1
+        challenge_response = Proc.new do |cred|
+          params = parse_sasl_digest_md5_credential(cred)
+          qops = params["qop"].split(/,/)
+          unless qops.include?("auth")
+            raise ActiveLdap::AuthenticationError,
+                  _("unsupported qops: %s") % qops.inspect
+          end
+          qop = "auth"
+          server = @connection.instance_variable_get("@conn").addr[2]
+          realm = params['realm']
+          uri = "ldap/#{server}"
+          nc = "%08x" % nonce_count
+          nonce = params["nonce"]
+          cnonce = generate_client_nonce
+          requests = {
+            :username => bind_dn.inspect,
+            :realm => realm.inspect,
+            :nonce => nonce.inspect,
+            :cnonce => cnonce.inspect,
+            :nc => nc,
+            :qop => qop,
+            :maxbuf => "65536",
+            "digest-uri" => uri.inspect,
+          }
+          a1 = "#{bind_dn}:#{realm}:#{options[:password]||@password}"
+          a1 = "#{Digest::MD5.digest(a1)}:#{nonce}:#{cnonce}"
+          ha1 = Digest::MD5.hexdigest(a1)
+          a2 = "AUTHENTICATE:#{uri}"
+          ha2 = Digest::MD5.hexdigest(a2)
+          response = "#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}"
+          requests["response"] = Digest::MD5.hexdigest(response)
+          nonce_count += 1
+          requests.collect do |key, value|
+            "#{key}=#{value}"
+          end.join(",")
+        end
+        [initial_credential, challenge_response]
+      end
+      def sasl_bind_setup_gss_spnego(bind_dn, options)
+        puts options.inspect
+        user,psw = [bind_dn, options[:password]||@password]
+        raise LdapError.new( "invalid binding information" ) unless (user && psw)
+
+        nego = proc {|challenge|
+          t2_msg = Net::NTLM::Message.parse( challenge )
+          user, domain = user.split('\\').reverse
+          t2_msg.target_name = Net::NTLM::encode_utf16le(domain) if domain
+          t3_msg = t2_msg.response( {:user => user, :password => psw}, {:ntlmv2 => true} )
+          t3_msg.serialize
+        }        
+        [Net::NTLM::Message::Type1.new.serialize, nego]        
+      end
+      
+	      def simple_bind(bind_dn, options={})
+	          args = {
+	            :method => :simple,
+	            :username => bind_dn,
+	            :password => options[:password]||@password,
+	          }
+	          execute(:bind, args)
+	          true
+	      end
+	      
+	      def construct_uri(host, port, ssl)
+	        protocol = ssl ? "ldaps" : "ldap"
+	        URI.parse("#{protocol}://#{host}:#{port}").to_s
+	      end
+	
+	      def target
+	        return nil if @uri.nil?
+	        if @with_start_tls
+	          "#{@uri}(StartTLS)"
+	        else
+	          @uri
+	        end
+	      end	
+      end
+    end
+  end
+end

metadata

@@ -1,21 +1,22 @@
 --- !ruby/object:Gem::Specification 
 name: oa-enterprise
 version: !ruby/object:Gem::Version 
-  hash: 27
+  hash: 25
   prerelease: false
   segments: 
   - 0
   - 1
-  - 0
-  version: 0.1.0
+  - 1
+  version: 0.1.1
 platform: ruby
 authors: 
 - James A. Rosen
+- Ping Yu
 autorequire: 
 bindir: bin
 cert_chain: []
 
-date: 2010-10-01 00:00:00 -05:00
+date: 2010-10-04 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -24,12 +25,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 27
+        hash: 25
         segments: 
         - 0
         - 1
-        - 0
-        version: 0.1.0
+        - 1
+        version: 0.1.1
   requirement: *id001
   name: oa-core
   prerelease: false
@@ -52,6 +53,38 @@ dependencies:
   type: :runtime
 - !ruby/object:Gem::Dependency 
   version_requirements: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 1
+        - 1
+        version: 0.1.1
+  requirement: *id003
+  name: net-ldap
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 1
+        - 1
+        version: 0.1.1
+  requirement: *id004
+  name: rubyntlm
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -60,12 +93,12 @@ dependencies:
         segments: 
         - 0
         version: "0"
-  requirement: *id003
+  requirement: *id005
   name: rake
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -76,12 +109,12 @@ dependencies:
         - 0
         - 8
         version: 0.0.8
-  requirement: *id004
+  requirement: *id006
   name: mg
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id005 !ruby/object:Gem::Requirement 
+  version_requirements: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -92,12 +125,12 @@ dependencies:
         - 3
         - 0
         version: 1.3.0
-  requirement: *id005
+  requirement: *id007
   name: rspec
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id006 !ruby/object:Gem::Requirement 
+  version_requirements: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -108,12 +141,12 @@ dependencies:
         - 3
         - 4
         version: 1.3.4
-  requirement: *id006
+  requirement: *id008
   name: webmock
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id007 !ruby/object:Gem::Requirement 
+  version_requirements: &id009 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -124,12 +157,12 @@ dependencies:
         - 5
         - 4
         version: 0.5.4
-  requirement: *id007
+  requirement: *id009
   name: rack-test
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency 
-  version_requirements: &id008 !ruby/object:Gem::Requirement 
+  version_requirements: &id010 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -140,7 +173,7 @@ dependencies:
         - 4
         - 3
         version: 1.4.3
-  requirement: *id008
+  requirement: *id010
   name: json
   prerelease: false
   type: :development
@@ -157,6 +190,8 @@ files:
 - lib/omniauth/strategies/cas/configuration.rb
 - lib/omniauth/strategies/cas/service_ticket_validator.rb
 - lib/omniauth/strategies/cas.rb
+- lib/omniauth/strategies/ldap/adaptor.rb
+- lib/omniauth/strategies/ldap.rb
 - README.rdoc
 - LICENSE.rdoc
 - CHANGELOG.rdoc