thecore_auth_commons 3.3.3 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bce6c783c7e44a377fb7b7dbf2305dd23b563eae7e2c8897200fc152c2be0884
-  data.tar.gz: e7c41b6d7a829023e02fff2f1f6fd194f1686576de3742665b502adc42461e08
+  metadata.gz: d5ff5d59febf329c917067988bc9a854f77222f310d07a34b98adbf500b92abd
+  data.tar.gz: ece767087f4e4bde62d0500c8e7b9840b0482043401d3df2052009b32cdfe639
 SHA512:
-  metadata.gz: 6960fc5c2750f3bf78e59360a8d3b1ef10eaefb179148701d3fb9c53b9f1f917390fe9835e8b12d45185d1351373a6d7054bede15e66795e1668794c76b2930d
-  data.tar.gz: 5ff74462f5bdc2c9289e6c8c4201f92a74a3f4ca2377138bef0c7a5c76768896c05c64e931bdd2705a794c41ed983d922fdaf968771b7dcfe2055ec29a80ec0f
+  metadata.gz: fc4901ac970bc086ae02863f9d82bfb72028055193d3bb6190d0b2396e8c86adf261b8ac6eb101b5de971729f734da6b8a1692454654c9731f3c868d07aed9d9
+  data.tar.gz: 7cf606e7d94bf1ef8c404b7bf859130c9d33c06a4d20cc4228dad1d1f035db5b1a99746504a5d92280fbdf818cfe13716ca2c99a21535445d712912063653705

data/app/controllers/users/sessions_controller.rb

@@ -0,0 +1,35 @@
+# app/controllers/users/sessions_controller.rb
+class Users::SessionsController < Devise::SessionsController
+  def create
+    self.resource = warden.authenticate(auth_options)
+
+    if resource
+      sign_in_and_redirect(resource)
+    else
+      user = Ldap::Authenticator.new(
+        email: params[:user][:email],
+        password: params[:user][:password]
+      ).authenticate
+
+      if user
+        flash[:notice] = "Autenticato via LDAP"
+        sign_in(:user, user)
+        redirect_to after_sign_in_path_for(user)
+      else
+        flash.now[:alert] = "Email o password non validi"
+        self.resource = resource_class.new(sign_in_params)
+        clean_up_passwords(resource)
+        respond_with_navigational(resource) { render :new, status: :unauthorized }
+      end
+    end
+  end
+
+  private
+
+  def sign_in_and_redirect(resource)
+    set_flash_message!(:notice, :signed_in)
+    sign_in(resource_name, resource)
+    yield resource if block_given?
+    respond_with resource, location: after_sign_in_path_for(resource)
+  end
+end

data/app/jobs/background_ldap_import_job.rb

@@ -0,0 +1,7 @@
+class BackgroundLdapImportJob < ApplicationJob
+    queue_as "#{ENV["COMPOSE_PROJECT_NAME"]}_default".to_sym
+  
+    def perform
+        ThecoreAuthCommons.import_ldap_users_task
+    end
+end

data/app/models/concerns/api/ldap_server.rb

@@ -0,0 +1,19 @@
+module Api::LdapServer
+  extend ActiveSupport::Concern
+
+  included do
+    # Use self.json_attrs to drive json rendering for 
+    # API model responses (index, show and update ones).
+    # For reference:
+    # https://api.rubyonrails.org/classes/ActiveModel/Serializers/JSON.html
+    # The object passed accepts only these keys:
+    # - only: list [] of model fields to be shown in JSON serialization
+    # - except: exclude these fields from the JSON serialization, is a list []
+    # - methods: include the result of some method defined in the model
+    # - include: include associated models, it's an object {} which also accepts the keys described here
+    cattr_accessor :json_attrs
+    self.json_attrs = ::ModelDrivenApi.smart_merge (json_attrs || {}), {}
+
+    # Custom action callable by the API must be defined in /app/models/concerns/endpoints/
+  end
+end

data/app/models/concerns/endpoints/ldap_server.rb

@@ -0,0 +1,78 @@
+class Endpoints::LdapServer < NonCrudEndpoints
+  # self.desc 'LdapServer', :test, {
+  #   # Define the action name using openapi swagger format
+  #   get: {
+  #     summary: "Test API Custom Action",
+  #     description: "This is a test API custom action",
+  #     operationId: "test",
+  #     tags: ["Test"],
+  #     parameters: [
+  #       {
+  #         name: "explain",
+  #         in: "query",
+  #         description: "Explain the action by returning this openapi schema",
+  #         required: true,
+  #         schema: {
+  #           type: "boolean"
+  #         }
+  #       }
+  #     ],
+  #     responses: {
+  #       200 => {
+  #         description: "The openAPI json schema for this action",
+  #         content: {
+  #           "application/json": {
+  #             schema: {
+  #               type: "object",
+  #               additionalProperties: true
+  #             }
+  #           }
+  #         }
+  #       },
+  #       501 => {
+  #         error: :string,
+  #       }
+  #     }
+  #   },
+  #   post: {
+  #     summary: "Test API Custom Action",
+  #     description: "This is a test API custom action",
+  #     operationId: "test",
+  #     tags: ["Test"],
+  #     requestBody: {
+  #       required: true,
+  #       content: {
+  #         "application/json": {}
+  #       }
+  #     },
+  #     responses: {
+  #       200 => {
+  #         description: "The openAPI json schema for this action",
+  #         # This will return the object with a message string and a params object
+  #         content: {
+  #           "application/json": {
+  #             schema: {
+  #               type: "object",
+  #               properties: {
+  #                 message: {
+  #                   type: "string"
+  #                 },
+  #                 params: {
+  #                   type: "object",
+  #                   additionalProperties: true
+  #                 }
+  #               }
+  #             }
+  #           }
+  #         }
+  #       },
+  #       501 => {
+  #         error: :string,
+  #       }
+  #     }
+  #   }
+  # }
+  # def test(params)
+  #   return { message: "Hello World From Test API Custom Action called test", params: params }, 200
+  # end
+end

data/app/models/concerns/rails_admin/ldap_server.rb

@@ -0,0 +1,10 @@
+module RailsAdmin::LdapServer
+  extend ActiveSupport::Concern
+
+  included do
+    rails_admin do
+      navigation_label I18n.t('admin.settings.label')
+      navigation_icon 'fa fa-passport'
+    end
+  end
+end

data/app/models/ldap_server.rb

@@ -0,0 +1,46 @@
+class LdapServer < ApplicationRecord
+  default_scope { order(priority: :asc) }
+
+  # Associations
+  include Api::LdapServer
+  include RailsAdmin::LdapServer
+
+  # Validations
+  validates :host, presence: true
+  validates :base_dn, presence: true
+
+  # Callbacks
+  # After the record is actually deleted from the DB, remove all associated users which have the same auth_source with value "ldap #{id}"
+  after_destroy :remove_users_with_auth_source
+
+  def test_connection
+    # Test the connection to the LDAP server
+    ldap = Net::LDAP.new(
+      host: host,
+      port: port,
+      encryption: use_ssl ? :simple_tls : nil,
+      auth: {
+        method: :simple,
+        username: admin_user,
+        password: admin_password
+      }
+    )
+    # Perform a simple bind to check the connection
+    if ldap.bind
+      # Connection successful
+      Rails.logger.info "Connection to LDAP server #{host} successful."
+    else
+      # Connection failed
+      Rails.logger.info "Connection to LDAP server #{host} failed: #{ldap.get_operation_result.message}"
+    end
+  end
+
+  private
+
+  # This method is called after the record is destroyed
+  def remove_users_with_auth_source
+    User.where(auth_source: "ldap #{id}").find_each do |user|
+      user.destroy
+    end
+  end
+end

data/app/services/ldap/authenticator.rb

@@ -0,0 +1,59 @@
+# app/services/ldap/authenticator.rb
+module Ldap
+  class Authenticator
+    def initialize(email:, password:)
+      @password = password
+      @email = email
+    end
+
+    def authenticate
+      return nil if @password.blank?
+
+      LdapServer.all.each do |server|
+        ldap = Net::LDAP.new(
+          host: server.host,
+          port: server.port,
+          encryption: server.use_ssl ? :simple_tls : nil,
+          auth: {
+            method: :simple,
+            username: server.admin_user,
+            password: server.admin_password
+          }
+        )
+
+        filter = Net::LDAP::Filter.eq(server.auth_field, email) # server.auth_field
+        treebase = server.base_dn
+
+        ldap.search(base: treebase, filter: filter) do |entry|
+          user_dn = entry.dn
+
+          # Prova autenticazione utente
+          user_ldap = Net::LDAP.new(
+            host: server.host,
+            port: server.port,
+            encryption: server.use_ssl ? :simple_tls : nil,
+            auth: {
+              method: :simple,
+              username: user_dn,
+              password: password
+            }
+          )
+
+          if user_ldap.bind
+            return find_or_create_user(entry, server.id)
+          end
+        end
+      end
+
+      nil
+    end
+
+    private
+
+    attr_reader :email, :password
+
+    def find_or_create_user(entry, server_id)
+      ThecoreAuthCommons.align_user email, entry, server_id
+    end
+  end
+end

data/config/locales/it.thecore_auth_commons.yml

@@ -13,6 +13,9 @@ it:
       cannot_delete_last_role: "deve esistere almeno un ruolo"
   activerecord:
     models:
+      ldap_server:
+        one: Server LDAP
+        other: Server LDAP
       user:
         one: Utente
         other: Utenti
@@ -23,6 +26,23 @@ it:
         one: Permesso
         other: Permessi
     attributes:
+      ldap_server:
+        # t.string :host, null: false
+        # t.integer :port, default: 389
+        # t.string :base_dn, null: false
+        # t.string :admin_user
+        # t.string :admin_password
+        # t.integer :priority, default: 1
+        # t.boolean :use_ssl, default: false
+        # t.string :auth_field, default: "userPrincipalName"
+        host: Host
+        port: Porta
+        base_dn: Base DN
+        admin_user: Utente Amministratore
+        admin_password: Password Amministratore
+        priority: Priorità
+        use_ssl: Usa SSL?
+        auth_field: Campo di Autenticazione
       user:
         email: E-Mail
         code: Codice

data/db/migrate/20250516074016_create_ldap_servers.rb

@@ -0,0 +1,21 @@
+class CreateLdapServers < ActiveRecord::Migration[7.2]
+  def change
+    create_table :ldap_servers do |t|
+      t.string :host, null: false
+      t.integer :port, default: 389
+      t.string :base_dn, null: false
+      t.string :admin_user
+      t.string :admin_password
+      t.integer :priority, default: 1
+      t.boolean :use_ssl, default: false
+      t.string :auth_field, default: "userPrincipalName"
+
+      t.timestamps
+    end
+    add_index :ldap_servers, :host
+    add_index :ldap_servers, :base_dn
+    add_index :ldap_servers, :admin_user
+    add_index :ldap_servers, :admin_password
+    add_index :ldap_servers, :auth_field
+  end
+end

data/db/migrate/20250516075204_add_auth_source_to_user.rb

@@ -0,0 +1,17 @@
+class AddAuthSourceToUser < ActiveRecord::Migration[7.2]
+  def change
+    add_column :users, :auth_source, :string, null: false, default: 'local'
+    add_index :users, :auth_source
+
+    # Fill the new column with the default value for existing users
+    reversible do |dir|
+      dir.up do
+        execute <<-SQL.squish
+          UPDATE users
+          SET auth_source = 'local'
+          WHERE auth_source IS NULL
+        SQL
+      end
+    end
+  end
+end

data/lib/tasks/ldap.rake

@@ -0,0 +1,7 @@
+# lib/tasks/ldap.rake
+namespace :ldap do
+  desc "Importa utenti da LDAP e sincronizzali nel database locale"
+  task sync_users: :environment do
+    ThecoreAuthCommons.import_ldap_users_task
+  end
+end

data/lib/thecore_auth_commons/version.rb

@@ -1,3 +1,3 @@
 module ThecoreAuthCommons
-  VERSION = "3.3.3".freeze
+  VERSION = "3.4.0".freeze
 end

data/lib/thecore_auth_commons.rb

@@ -3,11 +3,80 @@ require 'cancancan'
 require 'kaminari'
 require 'activerecord-nulldb-adapter'
 require "thecore_settings"
+require "net/ldap"
 
 require "thecore_auth_commons/engine"
 
 require "thecore/seed"
 
 module ThecoreAuthCommons
+
+  def self.import_ldap_users_task
+    puts "== Avvio sincronizzazione utenti da LDAP =="
+
+    imported_count = 0
+
+    LdapServer.all.each do |server|
+      puts "Contatto server LDAP: #{server.host} (priorità: #{server.priority})"
+
+      ldap = Net::LDAP.new(
+        host: server.host,
+        port: server.port,
+        encryption: server.use_ssl ? :simple_tls : nil,
+        auth: {
+          method: :simple,
+          username: server.admin_user,
+          password: server.admin_password
+        }
+      )
+
+      unless ldap.bind
+        puts "❌ Connessione fallita a #{server.host}"
+        next
+      end
+
+      filter = Net::LDAP::Filter.present(server.auth_field)
+      treebase = server.base_dn
+
+      ldap.search(base: treebase, filter: filter) do |entry|
+        email = entry[server.auth_field]&.first
+        next unless email
+
+        puts "Importando utente: #{email}"
+
+        # Password must contain at least one uppercase letter, one lowercase letter, one number and one special character
+        ThecoreAuthCommons.align_user email, entry, server.id
+        imported_count += 1
+      end
+    end
+
+    puts "== Completato. Utenti importati: #{imported_count} =="
+  end
   # Your code goes here...
+  def self.align_user email, entry, server_id
+    user = User.find_or_initialize_by(email: email)
+    user.auth_source = "ldap #{server_id}"
+
+    # Password don't need to be changed, just created, otherwise it will invalidate the current user session if it's logged in
+    user.password = user.password_confirmation = Devise.friendly_token[0, 20] if user.new_record?
+
+    # Eventuale mapping LDAP -> campi User
+    user.name = entry[:givenname]&.first if user.respond_to?(:name)
+
+    # Recupera dala entry i gruppi di cui fa parte l'utente e crea i relativi record in Role assegnandoli all'utente corrente
+    is_admin = false
+    entry[:memberOf].each do |group|
+      group_name = group.split(",").first.split("=").last
+      # Se il gruppo è un admin, assegna il ruolo admin
+      is_admin = true if [ "Administrators" "Domain Admins", "Schema Admins", "Enterprise Admins", "admins", "administrators" ].include?(group_name)
+      
+      role = Role.find_or_create_by(name: group_name)
+      user.roles << role unless user.roles.include?(role)
+    end
+
+    user.admin = is_admin if user.respond_to?(:admin)
+    # Se l'utente è nuovo o ha cambiato qualcosa, salvalo
+    puts "Cannot save user #{email} with errors: #{user.errors.full_messages.join(", ")}" unless user.save # if user.new_record? || user.changed? || user.roles_changed?
+    user
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: thecore_auth_commons
 version: !ruby/object:Gem::Version
-  version: 3.3.3
+  version: 3.4.0
 platform: ruby
 authors:
 - Gabriele Tassoni
@@ -9,6 +9,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -179,7 +193,13 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
+- app/controllers/users/sessions_controller.rb
+- app/jobs/background_ldap_import_job.rb
 - app/models/action.rb
+- app/models/concerns/api/ldap_server.rb
+- app/models/concerns/endpoints/ldap_server.rb
+- app/models/concerns/rails_admin/ldap_server.rb
+- app/models/ldap_server.rb
 - app/models/permission.rb
 - app/models/permission_role.rb
 - app/models/predicate.rb
@@ -187,6 +207,7 @@ files:
 - app/models/role_user.rb
 - app/models/target.rb
 - app/models/user.rb
+- app/services/ldap/authenticator.rb
 - config/initializers/abilities.rb
 - config/initializers/add_to_db_migrations.rb
 - config/initializers/after_initialize.rb
@@ -203,7 +224,10 @@ files:
 - db/migrate/20160209153811_create_roles.rb
 - db/migrate/20160209153813_create_role_users.rb
 - db/migrate/20160209153816_create_permissions_chain.rb
+- db/migrate/20250516074016_create_ldap_servers.rb
+- db/migrate/20250516075204_add_auth_source_to_user.rb
 - db/seeds.rb
+- lib/tasks/ldap.rake
 - lib/tasks/thecore_auth_commons_tasks.rake
 - lib/thecore/seed.rb
 - lib/thecore_auth_commons.rb