RubyGems - ons-ldap - Versions diffs - 1.0.0 - Mend

ons-ldap 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +7 -0
data/README.md +38 -0
data/lib/ons-ldap.rb +1 -0
data/lib/ons-ldap/ldap_connection.rb +106 -0
data/lib/ons-ldap/version.rb +8 -0
metadata +70 -0

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b2d412ce6348a1a3eefe1ff3bc96a1fac4f980f9
+  data.tar.gz: d77ef02808888a498f15a5970861faac220e958e
+SHA512:
+  metadata.gz: 811b492711c0b3a4cb97a54717fc2ad486daf1acbc33f65cfc7436a56aad8943063ec9df5d27b6546d119d44b761f9124256115ae75bd14df17f50b9ad1472c2
+  data.tar.gz: 43fb9137d557753022d7203e4314fccf2ad1b5aef4a9de4a621f5fce4f360deba45ea2076f72b31e2e3337c1c408b67eebe5bc21965851a7bd17ec4797ff348c

data/README.md ADDED

@@ -0,0 +1,38 @@
+# ONS LDAP RubyGem
+Thin wrapper around the [net-ldap](https://rubygems.org/gems/net-ldap) RubyGem. Contains a simple `LDAPConnection` class that can be used to authenticate against an LDAP directory.
+## Installation
+```
+gem install ons-ldap
+```
+## Example
+```ruby
+require 'ons-ldap'
+host = 'localhost '        # LDAP server host
+port = '398'               # LDAP server port
+base = 'dc=example,dc=com' # LDAP tree base
+# Hash of LDAP group names.
+groups = { admins: 'admins', users: 'users' }
+ldap_connection = LDAPConnection.new(host, port, base, groups, logger)
+user_entry      = ldap_connection.authenticate('johntopley', 'password')
+user_entry.user_id      #=> 'johntopley'
+user_entry.display_name #=> 'John Topley'
+user_entry.token        # 2FA token, stored in LDAP's employeeNumber field for expediency
+user_entry.groups       #=> ['admins', 'users']
+```
+## Testing
+```
+rake test
+```
+## Copyright
+Copyright (C) 2016 Crown Copyright (Office for National Statistics)

data/lib/ons-ldap.rb ADDED

	@@ -0,0 +1 @@
1	+ require_relative 'ons-ldap/ldap_connection'

data/lib/ons-ldap/ldap_connection.rb ADDED

@@ -0,0 +1,106 @@
+require 'net/ldap'
+UserEntry = Struct.new(:user_id, :display_name, :token, :groups)
+class LDAPConnection
+  # Class instance variables.
+  class << self
+    attr_accessor :host
+    attr_accessor :port
+    attr_accessor :base
+    attr_accessor :groups
+    attr_accessor :logger
+  end
+  def initialize(host, port, base, groups, logger)
+    self.class.host = host
+    self.class.port = port.to_i
+    self.class.base = base
+    self.class.groups = groups
+    self.class.logger = logger
+  end
+  def authenticate(username, password)
+    user_entry = nil
+    # Have to use the username DN format below for the bind operation to succeed.
+    auth = { method: :simple, username: "uid=#{username},ou=Users,#{self.class.base}", password: password }
+    Net::LDAP.open(host: self.class.host, port: self.class.port, base: self.class.base, auth: auth) do |ldap|
+      unless ldap.bind
+        result = ldap.get_operation_result
+        self.class.logger.error "LDAP authentication failed for '#{username}': #{result.message} (#{result.code})"
+        return nil
+      end
+      self.class.logger.info "LDAP authentication succeeded for '#{username}'"
+      user_entry = entry_for(username, ldap) || nil
+      # The user must be a member of at least the "<zone>-users" group for authentication to be considered successful.
+      users_group = self.class.groups['users']
+      unless group_member?(users_group, username, ldap)
+        self.class.logger.error "LDAP authentication failed: '#{username}' is not a member of the '#{users_group}' group"
+        return nil
+      end
+      user_entry.groups = groups_for(username, ldap)
+    end
+    user_entry
+  end
+  private
+  # Returns the LDAP directory entry for a user.
+  def entry_for(username, ldap)
+    filter     = Net::LDAP::Filter.construct("uid=#{username}")
+    attributes = %w(uid displayName employeeNumber) # employeeNumber is used to store the 2FA token.
+    user_entry = nil
+    succeeded = ldap.search(filter: filter, attributes: attributes, return_result: false) do |entry|
+      user_entry = UserEntry.new(entry.uid.first, entry.displayName.first, entry.employeeNumber.first)
+    end
+    unless succeeded
+      result = ldap.get_operation_result
+      self.class.logger.error "Error searching the LDAP directory using filter '#{filter}': #{result.message} (#{result.code})"
+    end
+    user_entry
+  end
+  # Returns the LDAP groups a user belongs to.
+  def groups_for(username, ldap)
+    filter     = Net::LDAP::Filter.construct("(&(objectClass=posixGroup)(memberUid=#{username}))")
+    attributes = %w(cn)
+    groups     = []
+    succeeded = ldap.search(filter: filter, attributes: attributes, return_result: false) do |entry|
+      groups << entry[:cn].first
+    end
+    unless succeeded
+      result = ldap.get_operation_result
+      self.class.logger.error "Error searching the LDAP directory using filter '#{filter}': #{result.message} (#{result.code})"
+    end
+    groups
+  end
+  # Returns whether a user is a member of a group.
+  def group_member?(group, username, ldap)
+    self.class.logger.info "group: '#{group}'"
+    filter     = Net::LDAP::Filter.construct("(&(cn=#{group})(memberUid=#{username}))")
+    attributes = %w(cn)
+    group_cn   = nil
+    succeeded = ldap.search(filter: filter, attributes: attributes, return_result: false) do |entry|
+      group_cn = entry.cn.first
+    end
+    unless succeeded
+      result = ldap.get_operation_result
+      self.class.logger.error "Error searching the LDAP directory using filter '#{filter}': #{result.message} (#{result.code})"
+    end
+    group_cn == group
+  end
+end

data/lib/ons-ldap/version.rb ADDED

@@ -0,0 +1,8 @@
+module ONSLDAP
+  module Version
+    MAJOR = 1
+    MINOR = 0
+    TINY  = 0
+  end
+  VERSION = [Version::MAJOR, Version::MINOR, Version::TINY].compact * '.'
+end

metadata ADDED

@@ -0,0 +1,70 @@
+--- !ruby/object:Gem::Specification
+name: ons-ldap
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- John Topley
+- Philip Sharland
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-08-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.11'
+description: Simple class for authenticating against an LDAP directory.
+email:
+- john.topley@ons.gov.uk
+- philip.sharland@ons.gov.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/ons-ldap.rb
+- lib/ons-ldap/ldap_connection.rb
+- lib/ons-ldap/version.rb
+homepage: https://github.com/ONSdigital/ldap-rubygem
+licenses:
+- Crown Copyright (Office for National Statistics)
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.6
+signing_key:
+specification_version: 4
+summary: LDAP connection class
+test_files: []