RubyGems - thecore_auth_commons - Versions diffs - 3.5.6 → 3.5.8 - Mend

thecore_auth_commons 3.5.6 → 3.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/app/controllers/users/sessions_controller.rb +6 -5
data/app/services/ldap/authenticator.rb +44 -30
data/config/locales/en.thecore_auth_commons.yml +5 -0
data/config/locales/it.thecore_auth_commons.yml +5 -0
data/db/migrate/20251216110301_add_ldap_match_fields_to_ldap_server.rb +10 -0
data/db/migrate/20251216111217_add_code_to_ldap_server.rb +6 -0
data/lib/thecore_auth_commons/version.rb +1 -1
data/lib/thecore_auth_commons.rb +31 -29
metadata +3 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 987477d58391f32a83a64c20eff852ce2d4ce971e222a60ee730d117e1d913c2
-  data.tar.gz: 544af82b55daddb0e720fe008769aba04d1d8b83216eb1d18c1b1edf6c134e18
+  metadata.gz: b1eb9060882d36e90d8c5b1b77c6df18be6969382eba49fd59df9a30f5196433
+  data.tar.gz: 3f5bb4bd1029d7d3646ef0aede9129ff18eb893ba35915386eebbd498e7094cb
 SHA512:
-  metadata.gz: 79b1a9bc7b5987594fb22b6423297e68892d2d21c371532bae2ba8b677a82c716f8311b31a8e8f909b03d9cad077a2e49e92f7489e503467e8abf9806e79637f
-  data.tar.gz: 62452c88f37fecd66bc04dd72db6d62cc50b42bedb2882f412e83b5360f7e788f4bd6e20d776c3bf04d32de14ead046143fc216a6dffb4b734f6074f14a5fd95
+  metadata.gz: dc229651cf4cdda2944b339d4329d472efa031409ae2968e61e43ad9d744eaa804945cb10e759b6d4b04ae9bedcade5836d85f4b351db33b4b6db83c9c1e1cd8
+  data.tar.gz: 98b4790b2c327802296b0dc624f770134cf5d829e644f7211bbc036914df990d16834fff8997ffa945c364e4c2e5e43837b88215dcbfff896ee2e25aa23db941

data/app/controllers/users/sessions_controller.rb CHANGED Viewed

@@ -4,19 +4,20 @@ class Users::SessionsController < Devise::SessionsController
     self.resource = warden.authenticate(auth_options)
     if resource
+      Rails.logger.info("Authentication: Found local user, signing in")
       sign_in_and_redirect(resource)
     else
+      Rails.logger.info("Authentication: Not found a local user, trying LDAP")
       user = Ldap::Authenticator.new(
         email: params[:user][:email],
-        password: params[:user][:password]
+        password: params[:user][:password],
       ).authenticate
       if user
-        flash[:notice] = "Autenticato via LDAP"
-        sign_in(:user, user)
-        redirect_to after_sign_in_path_for(user)
+        sign_in_and_redirect(user)
       else
-        flash.now[:alert] = "Email o password non validi"
+        set_flash_message!(:alert, :invalid)
         self.resource = resource_class.new(sign_in_params)
         clean_up_passwords(resource)
         respond_with_navigational(resource) { render :new, status: :unauthorized }

data/app/services/ldap/authenticator.rb CHANGED Viewed

@@ -6,42 +6,56 @@ module Ldap
       @email = email
     end
-    def authenticate
-      return nil if @password.blank?
+    def auth_on_single_server(server)
+      Rails.logger.debug("LDAP: Trying to authenticate #{email} on server #{server.inspect}")
+      ldap = Net::LDAP.new(
+        host: server.host,
+        port: server.port,
+        encryption: server.use_ssl ? :simple_tls : nil,
+        auth: {
+          method: :simple,
+          username: server.admin_user,
+          password: server.admin_password,
+        },
+      )
-      LdapServer.all.each do |server|
-        ldap = Net::LDAP.new(
+      Rails.logger.debug("LDAP: Binding to server #{server.inspect} ")
+      filter = Net::LDAP::Filter.eq(server.auth_field, email) # server.auth_field
+      treebase = server.base_dn
+      Rails.logger.debug("LDAP: Searching for user #{email} in base #{treebase} with filter #{filter.to_s}")
+      ldap.search(base: treebase, filter: filter) do |entry|
+        user_dn = entry.dn
+        # Prova autenticazione utente
+        user_ldap = Net::LDAP.new(
           host: server.host,
           port: server.port,
           encryption: server.use_ssl ? :simple_tls : nil,
           auth: {
             method: :simple,
-            username: server.admin_user,
-            password: server.admin_password
-          }
+            username: user_dn,
+            password: password,
+          },
         )
-        filter = Net::LDAP::Filter.eq(server.auth_field, email) # server.auth_field
-        treebase = server.base_dn
-        ldap.search(base: treebase, filter: filter) do |entry|
-          user_dn = entry.dn
-          # Prova autenticazione utente
-          user_ldap = Net::LDAP.new(
-            host: server.host,
-            port: server.port,
-            encryption: server.use_ssl ? :simple_tls : nil,
-            auth: {
-              method: :simple,
-              username: user_dn,
-              password: password
-            }
-          )
-          if user_ldap.bind
-            return find_or_create_user(entry, server.id)
-          end
+        Rails.logger.debug("LDAP: Trying to bind as user #{user_dn} on server #{server.inspect}")
+        return entry if user_ldap.bind
+      end
+      Rails.logger.debug("LDAP: Authentication failed for #{email} on server #{server.inspect}")
+      nil
+    end
+    def authenticate
+      return nil if @password.blank?
+      LdapServer.all.each do |server|
+        entry = auth_on_single_server(server)
+        if entry
+          Rails.logger.info("Authentication: LDAP authentication succeeded for #{email} on server #{server.name}")
+          return find_or_create_user(entry, server)
+        else
+          Rails.logger.info("Authentication: LDAP authentication failed for #{email} on server #{server.name}")
         end
       end
@@ -52,8 +66,8 @@ module Ldap
     attr_reader :email, :password
-    def find_or_create_user(entry, server_id)
-      ThecoreAuthCommons.align_user email, entry, server_id
+    def find_or_create_user(entry, server)
+      ThecoreAuthCommons.align_user email, entry, server
     end
   end
 end

data/config/locales/en.thecore_auth_commons.yml CHANGED Viewed

@@ -1,4 +1,9 @@
 en:
+  devise:
+    sessions:
+      invalid: "Credential or password are invalid."
+      user:
+        invalid: "Credential or password are invalid."
   error:
     messages:
       password_requires_letters_and_numbers: "must contain at least one letter and one number"

data/config/locales/it.thecore_auth_commons.yml CHANGED Viewed

@@ -1,4 +1,9 @@
 it:
+  devise:
+    sessions:
+      invalid: "Credenziali %{authentication_keys} o password non valide."
+      user:
+        invalid: "Credenziali %{authentication_keys} o password non valide."
   error:
     messages:
       password_requires_letters_and_numbers: "deve contenere almeno una lettera e un numero"

data/db/migrate/20251216110301_add_ldap_match_fields_to_ldap_server.rb ADDED Viewed

@@ -0,0 +1,10 @@
+class AddLdapMatchFieldsToLdapServer < ActiveRecord::Migration[7.2]
+  def change
+    add_column :ldap_servers, :name, :string
+    add_index :ldap_servers, :name
+    add_column :ldap_servers, :surname, :string
+    add_index :ldap_servers, :surname
+    add_column :ldap_servers, :phone, :string
+    add_index :ldap_servers, :phone
+  end
+end

data/db/migrate/20251216111217_add_code_to_ldap_server.rb ADDED Viewed

@@ -0,0 +1,6 @@
+class AddCodeToLdapServer < ActiveRecord::Migration[7.2]
+  def change
+    add_column :ldap_servers, :code, :string
+    add_index :ldap_servers, :code
+  end
+end

data/lib/thecore_auth_commons/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ThecoreAuthCommons
-  VERSION = "3.5.6".freeze
+  VERSION = "3.5.8".freeze
 end

data/lib/thecore_auth_commons.rb CHANGED Viewed

@@ -1,34 +1,34 @@
-require 'devise'
-require 'cancancan'
-require 'kaminari'
-require 'activerecord-nulldb-adapter'
+require "devise"
+require "cancancan"
+require "kaminari"
+require "activerecord-nulldb-adapter"
 require "thecore_settings"
 require "net/ldap"
-require 'omniauth'
-require 'omniauth-google-oauth2'
-require 'omniauth-entra-id'
+require "omniauth"
+require "omniauth-google-oauth2"
+require "omniauth-entra-id"
 require "thecore_auth_commons/engine"
 require "thecore/seed"
 module ThecoreAuthCommons
-  def self.oauth_vars?
-     entra_id_vars? || google_oauth2_vars?
+  def self.oauth_vars?
+    entra_id_vars? || google_oauth2_vars?
   end
   def self.entra_id_vars?
-    ENV['ENTRA_CLIENT_ID'].present? && ENV['ENTRA_CLIENT_SECRET'].present? && ENV['ENTRA_TENANT_ID'].present?
+    ENV["ENTRA_CLIENT_ID"].present? && ENV["ENTRA_CLIENT_SECRET"].present? && ENV["ENTRA_TENANT_ID"].present?
   end
   def self.google_oauth2_vars?
-    ENV['GOOGLE_CLIENT_ID'].present? && ENV['GOOGLE_CLIENT_SECRET'].present?
+    ENV["GOOGLE_CLIENT_ID"].present? && ENV["GOOGLE_CLIENT_SECRET"].present?
   end
   # Controlla se l'utente esiste, altrimenti lo crea con una password casuale
   # e lo restituisce. Se l'utente esiste già, lo restituisce senza modificarlo.
-  def self.check_user email, name, surname, provider
+  def self.check_user(email, name, surname, provider)
     u = User.find_or_initialize_by(email: email)
     u.name = name
     u.surname = surname
@@ -54,8 +54,8 @@ module ThecoreAuthCommons
         auth: {
           method: :simple,
           username: server.admin_user,
-          password: server.admin_password
-        }
+          password: server.admin_password,
+        },
       )
       unless ldap.bind
@@ -73,31 +73,34 @@ module ThecoreAuthCommons
         puts "Importando utente: #{email}"
         # Password must contain at least one uppercase letter, one lowercase letter, one number and one special character
-        ThecoreAuthCommons.align_user email, entry, server.id
+        ThecoreAuthCommons.align_user email, entry, server
         imported_count += 1
       end
     end
     puts "== Completato. Utenti importati: #{imported_count} =="
   end
-  # Your code goes here...
-  def self.align_user email, entry, server_id
+  def self.align_user(email, entry, server)
     user = User.find_or_initialize_by(email: email)
-    user.auth_source = "ldap #{server_id}"
+    user.auth_source = "ldap #{server.id}"
     # Password don't need to be changed, just created, otherwise it will invalidate the current user session if it's logged in
     user.password = user.password_confirmation = ThecoreAuthCommons.generate_secure_password if user.new_record?
     # Eventuale mapping LDAP -> campi User
-    user.name = entry[:givenname]&.first if user.respond_to?(:name)
+    user.name = entry[server.name]&.first if user.respond_to?(:name) && server.name.present?
+    user.surname = entry[server.surname]&.first if user.respond_to?(:surname) && server.surname.present?
+    user.phone = entry[server.phone]&.first if user.respond_to?(:phone) && server.phone.present?
+    user.code = entry[server.code]&.first if user.respond_to?(:code) && server.code.present?
-    # Recupera dala entry i gruppi di cui fa parte l'utente e crea i relativi record in Role assegnandoli all'utente corrente
+    # Recupera dalla entry i gruppi di cui fa parte l'utente e crea i relativi record in Role assegnandoli all'utente corrente
     is_admin = false
     entry[:memberOf].each do |group|
       group_name = group.split(",").first.split("=").last
       # Se il gruppo è un admin, assegna il ruolo admin
-      is_admin = true if [ "Administrators", "Domain Admins", "Schema Admins", "Enterprise Admins", "admins", "administrators" ].include?(group_name)
+      is_admin = true if ["Administrators", "Domain Admins", "Schema Admins", "Enterprise Admins", "admins", "administrators"].include?(group_name)
       role = Role.find_or_create_by(name: group_name)
       user.roles << role unless user.roles.include?(role)
     end
@@ -109,20 +112,20 @@ module ThecoreAuthCommons
   end
   def self.generate_secure_password(length = 20)
-    raise ArgumentError, 'Length must be at least 4' if length < 4
+    raise ArgumentError, "Length must be at least 4" if length < 4
     # Caratteri da cui attingere
-    lowercase = ('a'..'z').to_a
-    uppercase = ('A'..'Z').to_a
-    numbers   = ('0'..'9').to_a
-    symbols   = ['!', '@', '#', '$', '%', '&', '*', '?', '-', '_', '+', '=']
+    lowercase = ("a".."z").to_a
+    uppercase = ("A".."Z").to_a
+    numbers = ("0".."9").to_a
+    symbols = ["!", "@", "#", "$", "%", "&", "*", "?", "-", "_", "+", "="]
     # Obbliga almeno un carattere da ogni gruppo
     password = [
       lowercase.sample,
       uppercase.sample,
       numbers.sample,
-      symbols.sample
+      symbols.sample,
     ]
     # Caratteri restanti scelti a caso tra tutti
@@ -132,5 +135,4 @@ module ThecoreAuthCommons
     # Mischia per evitare ordine prevedibile
     password.shuffle.join
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: thecore_auth_commons
 version: !ruby/object:Gem::Version
-  version: 3.5.6
+  version: 3.5.8
 platform: ruby
 authors:
 - Gabriele Tassoni
@@ -270,6 +270,8 @@ files:
 - db/migrate/20160209153816_create_permissions_chain.rb
 - db/migrate/20250516074016_create_ldap_servers.rb
 - db/migrate/20250516075204_add_auth_source_to_user.rb
+- db/migrate/20251216110301_add_ldap_match_fields_to_ldap_server.rb
+- db/migrate/20251216111217_add_code_to_ldap_server.rb
 - db/seeds.rb
 - lib/tasks/ldap.rake
 - lib/tasks/thecore_auth_commons_tasks.rake