ons-ldap 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b2d412ce6348a1a3eefe1ff3bc96a1fac4f980f9
+  data.tar.gz: d77ef02808888a498f15a5970861faac220e958e
+SHA512:
+  metadata.gz: 811b492711c0b3a4cb97a54717fc2ad486daf1acbc33f65cfc7436a56aad8943063ec9df5d27b6546d119d44b761f9124256115ae75bd14df17f50b9ad1472c2
+  data.tar.gz: 43fb9137d557753022d7203e4314fccf2ad1b5aef4a9de4a621f5fce4f360deba45ea2076f72b31e2e3337c1c408b67eebe5bc21965851a7bd17ec4797ff348c

data/README.md

@@ -0,0 +1,38 @@
+# ONS LDAP RubyGem
+Thin wrapper around the [net-ldap](https://rubygems.org/gems/net-ldap) RubyGem. Contains a simple `LDAPConnection` class that can be used to authenticate against an LDAP directory.
+
+## Installation
+
+```
+gem install ons-ldap
+```
+
+## Example
+
+```ruby
+require 'ons-ldap'
+
+host = 'localhost '        # LDAP server host
+port = '398'               # LDAP server port
+base = 'dc=example,dc=com' # LDAP tree base
+
+# Hash of LDAP group names.
+groups = { admins: 'admins', users: 'users' }
+
+ldap_connection = LDAPConnection.new(host, port, base, groups, logger)
+user_entry      = ldap_connection.authenticate('johntopley', 'password')
+
+user_entry.user_id      #=> 'johntopley'
+user_entry.display_name #=> 'John Topley'
+user_entry.token        # 2FA token, stored in LDAP's employeeNumber field for expediency
+user_entry.groups       #=> ['admins', 'users']
+```
+
+## Testing
+
+```
+rake test
+```
+
+## Copyright
+Copyright (C) 2016 Crown Copyright (Office for National Statistics)

data/lib/ons-ldap.rb

@@ -0,0 +1 @@
+require_relative 'ons-ldap/ldap_connection'

data/lib/ons-ldap/ldap_connection.rb

@@ -0,0 +1,106 @@
+require 'net/ldap'
+
+UserEntry = Struct.new(:user_id, :display_name, :token, :groups)
+
+class LDAPConnection
+
+  # Class instance variables.
+  class << self
+    attr_accessor :host
+    attr_accessor :port
+    attr_accessor :base
+    attr_accessor :groups
+    attr_accessor :logger
+  end
+
+  def initialize(host, port, base, groups, logger)
+    self.class.host = host
+    self.class.port = port.to_i
+    self.class.base = base
+    self.class.groups = groups
+    self.class.logger = logger
+  end
+
+  def authenticate(username, password)
+    user_entry = nil
+
+    # Have to use the username DN format below for the bind operation to succeed.
+    auth = { method: :simple, username: "uid=#{username},ou=Users,#{self.class.base}", password: password }
+
+    Net::LDAP.open(host: self.class.host, port: self.class.port, base: self.class.base, auth: auth) do |ldap|
+      unless ldap.bind
+        result = ldap.get_operation_result
+        self.class.logger.error "LDAP authentication failed for '#{username}': #{result.message} (#{result.code})"
+        return nil
+      end
+
+      self.class.logger.info "LDAP authentication succeeded for '#{username}'"
+      user_entry = entry_for(username, ldap) || nil
+
+      # The user must be a member of at least the "<zone>-users" group for authentication to be considered successful.
+      users_group = self.class.groups['users']
+      unless group_member?(users_group, username, ldap)
+        self.class.logger.error "LDAP authentication failed: '#{username}' is not a member of the '#{users_group}' group"
+        return nil
+      end
+
+      user_entry.groups = groups_for(username, ldap)
+    end
+
+    user_entry
+  end
+
+  private
+
+  # Returns the LDAP directory entry for a user.
+  def entry_for(username, ldap)
+    filter     = Net::LDAP::Filter.construct("uid=#{username}")
+    attributes = %w(uid displayName employeeNumber) # employeeNumber is used to store the 2FA token.
+    user_entry = nil
+
+    succeeded = ldap.search(filter: filter, attributes: attributes, return_result: false) do |entry|
+      user_entry = UserEntry.new(entry.uid.first, entry.displayName.first, entry.employeeNumber.first)
+    end
+
+    unless succeeded
+      result = ldap.get_operation_result
+      self.class.logger.error "Error searching the LDAP directory using filter '#{filter}': #{result.message} (#{result.code})"
+    end
+
+    user_entry
+  end
+
+  # Returns the LDAP groups a user belongs to.
+  def groups_for(username, ldap)
+    filter     = Net::LDAP::Filter.construct("(&(objectClass=posixGroup)(memberUid=#{username}))")
+    attributes = %w(cn)
+    groups     = []
+    succeeded = ldap.search(filter: filter, attributes: attributes, return_result: false) do |entry|
+      groups << entry[:cn].first
+    end
+    unless succeeded
+      result = ldap.get_operation_result
+      self.class.logger.error "Error searching the LDAP directory using filter '#{filter}': #{result.message} (#{result.code})"
+    end
+    groups
+  end
+
+  # Returns whether a user is a member of a group.
+  def group_member?(group, username, ldap)
+    self.class.logger.info "group: '#{group}'"
+    filter     = Net::LDAP::Filter.construct("(&(cn=#{group})(memberUid=#{username}))")
+    attributes = %w(cn)
+    group_cn   = nil
+
+    succeeded = ldap.search(filter: filter, attributes: attributes, return_result: false) do |entry|
+      group_cn = entry.cn.first
+    end
+
+    unless succeeded
+      result = ldap.get_operation_result
+      self.class.logger.error "Error searching the LDAP directory using filter '#{filter}': #{result.message} (#{result.code})"
+    end
+
+    group_cn == group
+  end
+end

data/lib/ons-ldap/version.rb

@@ -0,0 +1,8 @@
+module ONSLDAP
+  module Version
+    MAJOR = 1
+    MINOR = 0
+    TINY  = 0
+  end
+  VERSION = [Version::MAJOR, Version::MINOR, Version::TINY].compact * '.'
+end

metadata

@@ -0,0 +1,70 @@
+--- !ruby/object:Gem::Specification
+name: ons-ldap
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- John Topley
+- Philip Sharland
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.11'
+description: Simple class for authenticating against an LDAP directory.
+email:
+- john.topley@ons.gov.uk
+- philip.sharland@ons.gov.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/ons-ldap.rb
+- lib/ons-ldap/ldap_connection.rb
+- lib/ons-ldap/version.rb
+homepage: https://github.com/ONSdigital/ldap-rubygem
+licenses:
+- Crown Copyright (Office for National Statistics)
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.6
+signing_key: 
+specification_version: 4
+summary: LDAP connection class
+test_files: []