xn_devise_ldap_authenticatable 0.8.5

data/spec/rails_app/public/javascripts/rails.js

@@ -0,0 +1,118 @@
+document.observe("dom:loaded", function() {
+  function handleRemote(element) {
+    var method, url, params;
+
+    if (element.tagName.toLowerCase() === 'form') {
+      method = element.readAttribute('method') || 'post';
+      url    = element.readAttribute('action');
+      params = element.serialize(true);
+    } else {
+      method = element.readAttribute('data-method') || 'get';
+      url    = element.readAttribute('href');
+      params = {};
+    }
+
+    var event = element.fire("ajax:before");
+    if (event.stopped) return false;
+
+    new Ajax.Request(url, {
+      method: method,
+      parameters: params,
+      asynchronous: true,
+      evalScripts: true,
+
+      onLoading:     function(request) { element.fire("ajax:loading", {request: request}); },
+      onLoaded:      function(request) { element.fire("ajax:loaded", {request: request}); },
+      onInteractive: function(request) { element.fire("ajax:interactive", {request: request}); },
+      onComplete:    function(request) { element.fire("ajax:complete", {request: request}); },
+      onSuccess:     function(request) { element.fire("ajax:success", {request: request}); },
+      onFailure:     function(request) { element.fire("ajax:failure", {request: request}); }
+    });
+
+    element.fire("ajax:after");
+  }
+
+  function handleMethod(element) {
+    var method, url, token_name, token;
+
+    method     = element.readAttribute('data-method');
+    url        = element.readAttribute('href');
+    csrf_param = $$('meta[name=csrf-param]').first();
+    csrf_token = $$('meta[name=csrf-token]').first();
+
+    var form = new Element('form', { method: "POST", action: url, style: "display: none;" });
+    element.parentNode.appendChild(form);
+
+    if (method != 'post') {
+      var field = new Element('input', { type: 'hidden', name: '_method', value: method });
+      form.appendChild(field);
+    }
+
+    if (csrf_param) {
+      var param = csrf_param.readAttribute('content');
+      var token = csrf_token.readAttribute('content');
+      var field = new Element('input', { type: 'hidden', name: param, value: token });
+      form.appendChild(field);
+    }
+
+    form.submit();
+  }
+
+  $(document.body).observe("click", function(event) {
+    var message = event.findElement().readAttribute('data-confirm');
+    if (message && !confirm(message)) {
+      event.stop();
+      return false;
+    }
+
+    var element = event.findElement("a[data-remote]");
+    if (element) {
+      handleRemote(element);
+      event.stop();
+      return true;
+    }
+
+    var element = event.findElement("a[data-method]");
+    if (element) {
+      handleMethod(element);
+      event.stop();
+      return true;
+    }
+  });
+
+  // TODO: I don't think submit bubbles in IE
+  $(document.body).observe("submit", function(event) {
+    var element = event.findElement(),
+        message = element.readAttribute('data-confirm');
+    if (message && !confirm(message)) {
+      event.stop();
+      return false;
+    }
+
+    var inputs = element.select("input[type=submit][data-disable-with]");
+    inputs.each(function(input) {
+      input.disabled = true;
+      input.writeAttribute('data-original-value', input.value);
+      input.value = input.readAttribute('data-disable-with');
+    });
+
+    var element = event.findElement("form[data-remote]");
+    if (element) {
+      handleRemote(element);
+      event.stop();
+    }
+  });
+
+  $(document.body).observe("ajax:after", function(event) {
+    var element = event.findElement();
+
+    if (element.tagName.toLowerCase() === 'form') {
+      var inputs = element.select("input[type=submit][disabled=true][data-disable-with]");
+      inputs.each(function(input) {
+        input.value = input.readAttribute('data-original-value');
+        input.writeAttribute('data-original-value', null);
+        input.disabled = false;
+      });
+    }
+  });
+});

data/spec/rails_app/script/cucumber

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+vendored_cucumber_bin = Dir["#{File.dirname(__FILE__)}/../vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
+if vendored_cucumber_bin
+  load File.expand_path(vendored_cucumber_bin)
+else
+  require 'rubygems' unless ENV['NO_RUBYGEMS']
+  require 'cucumber'
+  load Cucumber::BINARY
+end

data/spec/rails_app/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/spec/spec_helper.rb

@@ -0,0 +1,55 @@
+ENV["RAILS_ENV"] = "test"
+
+require File.expand_path("rails_app/config/environment.rb",  File.dirname(__FILE__))
+require 'rspec/rails'
+require 'rspec/autorun'
+require 'factory_girl' # not sure why this is not already required
+
+# Rails 4.1 and RSpec are a bit on different pages on who should run migrations
+# on the test db and when.
+#
+# https://github.com/rspec/rspec-rails/issues/936
+if defined?(ActiveRecord::Migration) && ActiveRecord::Migration.respond_to?(:maintain_test_schema!)
+  ActiveRecord::Migration.maintain_test_schema!
+end
+
+Dir[File.expand_path("support/**/*.rb", File.dirname(__FILE__))].each {|f| require f}
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+  config.use_transactional_fixtures = true
+  config.infer_base_class_for_anonymous_controllers = false
+end
+
+def ldap_root
+  File.expand_path('ldap', File.dirname(__FILE__))
+end
+
+def ldap_connect_string
+  if ENV["LDAP_SSL"]
+    "-x -H ldaps://localhost:3389 -D 'cn=admin,dc=test,dc=com' -w secret"
+  else
+    "-x -h localhost -p 3389 -D 'cn=admin,dc=test,dc=com' -w secret"
+  end
+end
+
+def reset_ldap_server!
+  if ENV["LDAP_SSL"]
+    `ldapmodify #{ldap_connect_string} -f #{File.join(ldap_root, 'clear.ldif')}`
+    `ldapadd #{ldap_connect_string} -f #{File.join(ldap_root, 'base.ldif')}`
+  else
+    `ldapmodify #{ldap_connect_string} -f #{File.join(ldap_root, 'clear.ldif')}`
+    `ldapadd #{ldap_connect_string} -f #{File.join(ldap_root, 'base.ldif')}`
+  end
+end
+
+def default_devise_settings!
+  ::Devise.ldap_logger = true
+  ::Devise.ldap_create_user = false
+  ::Devise.ldap_update_password = true
+  ::Devise.ldap_config = "#{Rails.root}/config/#{"ssl_" if ENV["LDAP_SSL"]}ldap.yml"
+  ::Devise.ldap_check_group_membership = false
+  ::Devise.ldap_check_attributes = false
+  ::Devise.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
+  ::Devise.authentication_keys = [:email]
+end

data/spec/support/factories.rb

@@ -0,0 +1,16 @@
+FactoryGirl.define do
+  factory :user do
+    email "example.user@test.com"
+    password "secret"
+  end
+
+  factory :admin, :class => User do
+    email "example.admin@test.com"
+    password "admin_secret"
+  end
+
+  factory :other, :class => User do
+    email "other.user@test.com"
+    password "other_secret"
+  end
+end

data/spec/unit/connection_spec.rb

@@ -0,0 +1,14 @@
+require File.expand_path('../spec_helper', File.dirname(__FILE__))
+
+describe 'Connection' do
+  it 'accepts a proc for ldap_config' do
+    ::Devise.ldap_config = Proc.new() {{
+      'host' => 'localhost',
+      'port' => 3389,
+      'base' => 'ou=testbase,dc=test,dc=com',
+      'attribute' => 'cn',
+    }}
+    connection = Devise::LDAP::Connection.new()
+    expect(connection.ldap.base).to eq('ou=testbase,dc=test,dc=com')
+  end
+end

data/spec/unit/user_spec.rb

@@ -0,0 +1,331 @@
+require File.expand_path('../spec_helper', File.dirname(__FILE__))
+
+describe 'Users' do
+
+  def should_be_validated(user, password, message = "Password is invalid")
+    assert(user.valid_ldap_authentication?(password), message)
+  end
+
+  def should_not_be_validated(user, password, message = "Password is not properly set")
+     assert(!user.valid_ldap_authentication?(password), message)
+  end
+
+  describe "With default settings" do
+    before do
+      default_devise_settings!
+      reset_ldap_server!
+    end
+
+    describe "look up and ldap user" do
+      it "should return true for a user that does exist in LDAP" do
+        assert_equal true, ::Devise::LDAP::Adapter.valid_login?('example.user@test.com')
+      end
+
+      it "should return false for a user that doesn't exist in LDAP" do
+        assert_equal false, ::Devise::LDAP::Adapter.valid_login?('barneystinson')
+      end
+    end
+
+    describe "create a basic user" do
+      before do
+        @user = Factory.create(:user)
+      end
+
+      it "should check for password validation" do
+        assert_equal(@user.email, "example.user@test.com")
+        should_be_validated @user, "secret"
+        should_not_be_validated @user, "wrong_secret"
+        should_not_be_validated @user, "Secret"
+      end
+    end
+
+    describe "change a LDAP password" do
+      before do
+        @user = Factory.create(:user)
+      end
+
+      it "should change password" do
+        should_be_validated @user, "secret"
+        @user.password = "changed"
+        @user.change_password!("secret")
+        should_be_validated @user, "changed", "password was not changed properly on the LDAP sevrer"
+      end
+
+      it "should not allow to change password if setting is false" do
+        should_be_validated @user, "secret"
+        ::Devise.ldap_update_password = false
+        @user.reset_password!("wrong_secret", "wrong_secret")
+        should_not_be_validated @user, "wrong_secret"
+        should_be_validated @user, "secret"
+      end
+    end
+
+    describe "create new local user if user is in LDAP" do
+
+      before do
+        assert(User.all.blank?, "There shouldn't be any users in the database")
+      end
+
+      it "should not create user in the database" do
+        @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
+        assert(User.all.blank?)
+        assert(@user.new_record?)
+      end
+
+      describe "creating users is enabled" do
+        before do
+          ::Devise.ldap_create_user = true
+        end
+
+        it "should create a user in the database" do
+          @user = User.find_for_ldap_authentication(:email => "example.user@test.com", :password => "secret")
+          assert_equal(User.all.size, 1)
+          User.all.collect(&:email).should include("example.user@test.com")
+          assert(@user.persisted?)
+        end
+
+        it "should not create a user in the database if the password is wrong_secret" do
+          @user = User.find_for_ldap_authentication(:email => "example.user", :password => "wrong_secret")
+          assert(User.all.blank?, "There's users in the database")
+        end
+
+        it "should not create a user if the user is not in LDAP" do
+          @user = User.find_for_ldap_authentication(:email => "wrong_secret.user@test.com", :password => "wrong_secret")
+          assert(User.all.blank?, "There's users in the database")
+        end
+
+        it "should create a user in the database if case insensitivity does not matter" do
+          ::Devise.case_insensitive_keys = []
+          @user = Factory.create(:user)
+
+          expect do
+            User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
+          end.to change { User.count }.by(1)
+        end
+
+        it "should not create a user in the database if case insensitivity matters" do
+          ::Devise.case_insensitive_keys = [:email]
+          @user = Factory.create(:user)
+
+          expect do
+            User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
+          end.to_not change { User.count }
+        end
+
+        it "should create a user with downcased email in the database if case insensitivity matters" do
+          ::Devise.case_insensitive_keys = [:email]
+
+          @user = User.find_for_ldap_authentication(:email => "EXAMPLE.user@test.com", :password => "secret")
+          User.all.collect(&:email).should include("example.user@test.com")
+        end
+      end
+
+    end
+
+    describe "use groups for authorization" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+        ::Devise.authentication_keys = [:email]
+        ::Devise.ldap_check_group_membership = true
+      end
+
+      it "should admin should be allowed in" do
+        should_be_validated @admin, "admin_secret"
+      end
+
+      it "should admin should have the proper groups set" do
+        @admin.ldap_groups.should include('cn=admins,ou=groups,dc=test,dc=com')
+      end
+
+      it "should user should not be allowed in" do
+        should_not_be_validated @user, "secret"
+      end
+    end
+    
+    describe "check group membership" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+      end
+      
+      it "should return true for admin being in the admins group" do
+        assert_equal true, @admin.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
+      end
+      
+      it "should return false for admin being in the admins group using the 'foobar' group attribute" do
+        assert_equal false, @admin.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com', 'foobar')
+      end
+      
+      it "should return true for user being in the users group" do
+        assert_equal true, @user.in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
+      end   
+      
+      it "should return false for user being in the admins group" do
+        assert_equal false, @user.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for a user being in a nonexistent group" do
+        assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
+      end
+    end
+
+    describe "check group membership w/out admin bind" do
+      before do
+        @user = Factory.create(:user)
+        ::Devise.ldap_check_group_membership_without_admin = true
+      end
+
+      after do
+        ::Devise.ldap_check_group_membership_without_admin = false
+      end
+
+      it "should return true for user being in the users group" do
+        assert_equal true, @user.in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for user being in the admins group" do
+        assert_equal false, @user.in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for a user being in a nonexistent group" do
+        assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
+      end
+
+      # TODO: add a test that confirms the user's own binding is used rather
+      # than the admin binding by creating an LDAP user who can't do group
+      # lookups perhaps?
+
+      # TODO: add a test to demonstrate this function won't work on a user
+      # after the initial login request if the password isn't available. This
+      # might have to be more of a full stack test.
+    end
+
+    describe "use role attribute for authorization" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+        ::Devise.ldap_check_attributes = true
+      end
+
+      it "should admin should be allowed in" do
+        should_be_validated @admin, "admin_secret"
+      end
+
+      it "should user should not be allowed in" do
+        should_not_be_validated @user, "secret"
+      end
+    end
+
+    describe "use admin setting to bind" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+        ::Devise.ldap_use_admin_to_bind = true
+      end
+
+      it "should description" do
+        should_be_validated @admin, "admin_secret"
+      end
+    end
+
+  end
+
+  describe "use uid for login" do
+    before do
+      default_devise_settings!
+      reset_ldap_server!
+      ::Devise.ldap_config = "#{Rails.root}/config/#{"ssl_" if ENV["LDAP_SSL"]}ldap_with_uid.yml"
+      ::Devise.authentication_keys = [:uid]
+    end
+
+    describe "description" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user, :uid => "example_user")
+      end
+
+      it "should be able to authenticate using uid" do
+        should_be_validated @user, "secret"
+        should_not_be_validated @admin, "admin_secret"
+      end
+    end
+
+    describe "create user" do
+      before do
+        ::Devise.ldap_create_user = true
+      end
+
+      it "should create a user in the database" do
+        @user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
+        assert_equal(User.all.size, 1)
+        User.all.collect(&:uid).should include("example_user")
+      end
+
+      it "should call ldap_before_save hooks" do
+        User.class_eval do
+          def ldap_before_save
+            @foobar = 'foobar'
+          end
+        end
+        user = User.find_for_ldap_authentication(:uid => "example_user", :password => "secret")
+        assert_equal 'foobar', user.instance_variable_get(:"@foobar")
+        User.class_eval do
+          undef ldap_before_save
+        end
+      end
+
+      it "should not call ldap_before_save hook if not defined" do
+        should_be_validated Factory.create(:user, :uid => "example_user"), "secret"
+      end
+    end
+  end
+
+  describe "using ERB in the config file" do
+    before do
+      default_devise_settings!
+      reset_ldap_server!
+      ::Devise.ldap_config = "#{Rails.root}/config/#{"ssl_" if ENV["LDAP_SSL"]}ldap_with_erb.yml"
+    end
+
+    describe "authenticate" do
+      before do
+        @admin = Factory.create(:admin)
+        @user = Factory.create(:user)
+      end
+
+      it "should be able to authenticate" do
+        should_be_validated @user, "secret"
+        should_be_validated @admin, "admin_secret"
+      end
+    end
+  end
+
+  describe "using variants in the config file" do
+    before do
+      default_devise_settings!
+      reset_ldap_server!
+      ::Devise.ldap_config = Rails.root.join 'config', 'ldap_with_boolean_ssl.yml'
+    end
+
+    it "should not fail if config file has ssl: true" do
+      Devise::LDAP::Connection.new
+    end
+  end
+
+  describe "use username builder" do
+    before do
+      default_devise_settings!
+      reset_ldap_server!
+      ::Devise.ldap_auth_username_builder = Proc.new() do |attribute, login, ldap|
+        "#{attribute}=#{login},ou=others,dc=test,dc=com"
+      end
+      @other = Factory.create(:other)
+    end
+
+    it "should be able to authenticate" do
+      should_be_validated @other, "other_secret"
+    end
+  end
+
+end