thecore_auth_commons 3.5.6 → 3.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/users/sessions_controller.rb +6 -5
- data/app/services/ldap/authenticator.rb +42 -28
- data/config/locales/en.thecore_auth_commons.yml +5 -0
- data/config/locales/it.thecore_auth_commons.yml +5 -0
- data/lib/thecore_auth_commons/version.rb +1 -1
- data/lib/thecore_auth_commons.rb +23 -24
- metadata +1 -1
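--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 27bf0b1187752a6de3f29fe3b2d0e15057bba9a925eb7f9860236d9d8c505966
+data.tar.gz: 342497749ab4022507a43b88c1ef948bf02d47d8a04bb36f15b27ff8cb260ddc
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7115ff0b2fd8cd6ba55ae9d8a63c9b90d63550e585c972b71a682432dd0af2ac78be0ae646db3177956bffbb508fe31c424a695c5be6f9e35386f7c020637c68
+data.tar.gz: 26d704084b0cebfe63a21eb2f2c8e8439a0787691fc7d08c87d8b4d946c18c0d75c064d55b481eae2dcfd77952c79017cfc0b0dda604d5de497b5fce1928bcda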
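--- a/data/app/controllers/users/sessions_controller.rb
+++ b/data/app/controllers/users/sessions_controller.rb
@@ -4,19 +4,20 @@ class Users::SessionsController < Devise::SessionsController
 self.resource = warden.authenticate(auth_options)
 
 if resource
+Rails.logger.info("Authentication: Found local user, signing in")
 sign_in_and_redirect(resource)
 else
+Rails.logger.info("Authentication: Not found a local user, trying LDAP")
 user = Ldap::Authenticator.new(
 email: params[:user][:email],
-password: params[:user][:password]
+password: params[:user][:password],
 ).authenticate
 
 if user
-
-sign_in(:user, user)
-redirect_to after_sign_in_path_for(user)
+sign_in_and_redirect(user)
 else
-
+set_flash_message!(:alert, :invalid)
+
 self.resource = resource_class.new(sign_in_params)
 clean_up_passwords(resource)
 respond_with_navigational(resource) { render :new, status: :unauthorized }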
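Review bot: `params[:user][:email]` and `params[:user][:password]` at new lines 12–13 dereference `params[:user]` with no guard, so a POST that omits the `user` hash raises NoMethodError and the login endpoint answers 500 instead of reaching the 401 path on line 23; `sign_in_params[:email]` / `sign_in_params[:password]` (the sanitizer already used for `resource_class.new(sign_in_params)` on line 21) or `params.dig(:user, :email)` avoids that. The `else` branch on line 9 is also reached when `warden.authenticate` fails for an existing local account with a wrong password, not only when no local user exists, so the "Not found a local user" log text is misleading and, more importantly, a password typed for a local-only account is forwarded as a simple-bind credential to every configured LDAP server — worth deciding explicitly whether that is intended (for instance skipping the fallback when a local `User` with that email exists and has no LDAP `auth_source`). The `def` of this action and its closing `end` lie outside the hunk.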
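--- a/data/app/services/ldap/authenticator.rb
+++ b/data/app/services/ldap/authenticator.rb
@@ -6,42 +6,56 @@ module Ldap
 @email = email
 end
 
-def
-
+def auth_on_single_server(server)
+Rails.logger.debug("LDAP: Trying to authenticate #{email} on server #{server.inspect}")
+ldap = Net::LDAP.new(
+host: server.host,
+port: server.port,
+encryption: server.use_ssl ? :simple_tls : nil,
+auth: {
+method: :simple,
+username: server.admin_user,
+password: server.admin_password,
+},
+)
 
-
-
+Rails.logger.debug("LDAP: Binding to server #{server.inspect} ")
+filter = Net::LDAP::Filter.eq(server.auth_field, email) # server.auth_field
+treebase = server.base_dn
+
+Rails.logger.debug("LDAP: Searching for user #{email} in base #{treebase} with filter #{filter.to_s}")
+ldap.search(base: treebase, filter: filter) do |entry|
+user_dn = entry.dn
+
+# Prova autenticazione utente
+user_ldap = Net::LDAP.new(
 host: server.host,
 port: server.port,
 encryption: server.use_ssl ? :simple_tls : nil,
 auth: {
 method: :simple,
-username:
-password:
-}
+username: user_dn,
+password: password,
+},
 )
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-)
-
-if user_ldap.bind
-return find_or_create_user(entry, server.id)
-end
+Rails.logger.debug("LDAP: Trying to bind as user #{user_dn} on server #{server.inspect}")
+return entry if user_ldap.bind
+end
+Rails.logger.debug("LDAP: Authentication failed for #{email} on server #{server.inspect}")
+nil
+end
+
+def authenticate
+return nil if @password.blank?
+
+LdapServer.all.each do |server|
+entry = auth_on_single_server(server)
+if entry
+Rails.logger.info("Authentication: LDAP authentication succeeded for #{email} on server #{server.name}")
+return find_or_create_user(entry, server.id)
+else
+Rails.logger.info("Authentication: LDAP authentication failed for #{email} on server #{server.name}")
 end
 end
 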
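Review bot: `Net::LDAP::Filter.eq(server.auth_field, email)` at new line 23 puts the user-supplied login into the filter unescaped, and net-ldap treats `*` in an `eq` value as a wildcard, so a login of `*` (or `a*`) makes the search on line 27 return every entry under `base_dn` and the block then tries a simple bind as each `entry.dn` with the supplied password — a way to enumerate the directory and to authenticate as any account whose password the caller knows, under an identifier the caller never typed. Escape the value and bound the result: `filter = Net::LDAP::Filter.eq(server.auth_field, Net::LDAP::Filter.escape(email))` and `ldap.search(base: treebase, filter: filter, size: 2) do |entry|`, refusing the login when more than one entry matches. The debug lines 10, 22, 42 and 45 embed `server.inspect`, which for an ActiveRecord model prints every attribute, `admin_password` included, unless `filter_attributes` happens to cover it — log `server.name` or `server.host` as line 55 already does. A bare `encryption: :simple_tls` (lines 14 and 34) passes no `tls_options`, and to my knowledge net-ldap then wraps the socket with an unconfigured `SSLContext`, i.e. no peer-certificate verification, so `encryption: { method: :simple_tls, tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS }` is safer — confirm against the pinned net-ldap version. Connection failures (`Net::LDAP::Error`, `Errno::ECONNREFUSED`) raised inside `auth_on_single_server` propagate out of `LdapServer.all.each` and abort both the remaining servers and the request, so a per-server `rescue` that logs and continues would be more robust; `authenticate`'s closing `end` falls outside the hunk.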
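--- a/data/config/locales/it.thecore_auth_commons.yml
+++ b/data/config/locales/it.thecore_auth_commons.yml
@@ -1,4 +1,9 @@
 it:
+devise:
+sessions:
+invalid: "Credenziali %{authentication_keys} o password non valide."
+user:
+invalid: "Credenziali %{authentication_keys} o password non valide."
 error:
 messages:
 password_requires_letters_and_numbers: "deve contenere almeno una lettera e un numero"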
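--- a/data/lib/thecore_auth_commons.rb
+++ b/data/lib/thecore_auth_commons.rb
@@ -1,34 +1,34 @@
-require
-require
-require
-require
+require "devise"
+require "cancancan"
+require "kaminari"
+require "activerecord-nulldb-adapter"
 require "thecore_settings"
 require "net/ldap"
-require
-require
-require
+require "omniauth"
+require "omniauth-google-oauth2"
+require "omniauth-entra-id"
 
 require "thecore_auth_commons/engine"
 
 require "thecore/seed"
 
 module ThecoreAuthCommons
-def self.oauth_vars?
-
+def self.oauth_vars?
+entra_id_vars? || google_oauth2_vars?
 end
 
 def self.entra_id_vars?
-ENV[
+ENV["ENTRA_CLIENT_ID"].present? && ENV["ENTRA_CLIENT_SECRET"].present? && ENV["ENTRA_TENANT_ID"].present?
 end
 
 def self.google_oauth2_vars?
-ENV[
+ENV["GOOGLE_CLIENT_ID"].present? && ENV["GOOGLE_CLIENT_SECRET"].present?
 end
 
 # Controlla se l'utente esiste, altrimenti lo crea con una password casuale
 # e lo restituisce. Se l'utente esiste già, lo restituisce senza modificarlo.
 
-def self.check_user
+def self.check_user(email, name, surname, provider)
 u = User.find_or_initialize_by(email: email)
 u.name = name
 u.surname = surname
@@ -54,8 +54,8 @@ module ThecoreAuthCommons
 auth: {
 method: :simple,
 username: server.admin_user,
-password: server.admin_password
-}
+password: server.admin_password,
+},
 )
 
 unless ldap.bind
@@ -81,7 +81,7 @@ module ThecoreAuthCommons
 puts "== Completato. Utenti importati: #{imported_count} =="
 end
 # Your code goes here...
-def self.align_user
+def self.align_user(email, entry, server_id)
 user = User.find_or_initialize_by(email: email)
 user.auth_source = "ldap #{server_id}"
 
@@ -96,8 +96,8 @@ module ThecoreAuthCommons
 entry[:memberOf].each do |group|
 group_name = group.split(",").first.split("=").last
 # Se il gruppo è un admin, assegna il ruolo admin
-is_admin = true if [
-
+is_admin = true if ["Administrators", "Domain Admins", "Schema Admins", "Enterprise Admins", "admins", "administrators"].include?(group_name)
+
 role = Role.find_or_create_by(name: group_name)
 user.roles << role unless user.roles.include?(role)
 end
@@ -109,20 +109,20 @@ module ThecoreAuthCommons
 end
 
 def self.generate_secure_password(length = 20)
-raise ArgumentError,
+raise ArgumentError, "Length must be at least 4" if length < 4
 
 # Caratteri da cui attingere
-lowercase = (
-uppercase = (
-numbers
-symbols
+lowercase = ("a".."z").to_a
+uppercase = ("A".."Z").to_a
+numbers = ("0".."9").to_a
+symbols = ["!", "@", "#", "$", "%", "&", "*", "?", "-", "_", "+", "="]
 
 # Obbliga almeno un carattere da ogni gruppo
 password = [
 lowercase.sample,
 uppercase.sample,
 numbers.sample,
-symbols.sample
+symbols.sample,
 ]
 
 # Caratteri restanti scelti a caso tra tutti
@@ -132,5 +132,4 @@ module ThecoreAuthCommons
 # Mischia per evitare ordine prevedibile
 password.shuffle.join
 end
-
 end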
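Review bot: The admin check added at line 99 of the `@@ -96,8 +96,8 @@` hunk keys on `group_name`, which line 97 derives from only the first RDN of each `memberOf` DN, so any group whose CN is `admins`, `administrators` or one of the other listed names — in any OU, on any configured server — grants admin, and the match is case-sensitive (`Admins` would not match while `admins` does); comparing the full group DN against a per-server configured admin group, or at minimum `group_name.casecmp?` against a frozen `ADMIN_GROUPS` constant, would tie the privilege to a specific directory object. `Role.find_or_create_by(name: group_name)` on line 101 also mints a local role for every directory group the user belongs to, which deserves a comment or an allow-list if roles carry permissions elsewhere in the app. Separately, `generate_secure_password` in the following hunk draws from `Array#sample` and `Array#shuffle` (lines 122–125 and 133), which use Ruby's default Mersenne-Twister PRNG rather than a CSPRNG; passing `random: SecureRandom` to each call (`lowercase.sample(random: SecureRandom)`, `password.shuffle(random: SecureRandom).join`) makes the method live up to its name. The enclosing `align_user` method starts and ends outside the `-96` hunk.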