xn_devise_ldap_authenticatable 0.8.5

data/lib/devise_ldap_authenticatable/logger.rb

@@ -0,0 +1,11 @@
+module DeviseLdapAuthenticatable
+
+  class Logger    
+    def self.send(message, logger = Rails.logger)
+      if ::Devise.ldap_logger
+        logger.add 0, "  \e[36mLDAP:\e[0m #{message}"
+      end
+    end
+  end
+
+end

data/lib/devise_ldap_authenticatable/model.rb

@@ -0,0 +1,120 @@
+require 'devise_ldap_authenticatable/strategy'
+
+module Devise
+  module Models
+    # LDAP Module, responsible for validating the user credentials via LDAP.
+    #
+    # Examples:
+    #
+    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module LdapAuthenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        attr_reader :current_password, :password
+        attr_accessor :password_confirmation
+      end
+
+      def login_with
+        @login_with ||= Devise.mappings.find {|k,v| v.class_name == self.class.name}.last.to.authentication_keys.first
+        self[@login_with]
+      end
+
+      def change_password!(current_password)
+        raise "Need to set new password first" if @password.blank?
+
+        Devise::LDAP::Adapter.update_own_password(login_with, @password, current_password)
+      end
+      
+      def reset_password!(new_password, new_password_confirmation)
+        if new_password == new_password_confirmation && ::Devise.ldap_update_password
+          Devise::LDAP::Adapter.update_password(login_with, new_password)
+        end
+        clear_reset_password_token if valid?
+        save
+      end
+
+      def password=(new_password)
+        @password = new_password
+        if defined?(password_digest) && @password.present? && respond_to?(:encrypted_password=)
+          self.encrypted_password = password_digest(@password) 
+        end
+      end
+
+      # Checks if a resource is valid upon authentication.
+      def valid_ldap_authentication?(password)
+        Devise::LDAP::Adapter.valid_credentials?(login_with, password)
+      end
+
+      def ldap_entry
+        @ldap_entry ||= Devise::LDAP::Adapter.get_ldap_entry(login_with)
+      end
+
+      def ldap_groups
+        Devise::LDAP::Adapter.get_groups(login_with)
+      end
+
+      def in_ldap_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        Devise::LDAP::Adapter.in_ldap_group?(login_with, group_name, group_attribute)
+      end
+
+      def ldap_dn
+        ldap_entry ? ldap_entry.dn : nil
+      end
+
+      def ldap_get_param(param)
+        if ldap_entry && !ldap_entry[param].empty?
+          value = ldap_entry.send(param)
+        else
+          nil
+        end
+      end
+
+      #
+      # callbacks
+      #
+
+      # # Called before the ldap record is saved automatically
+      # def ldap_before_save
+      # end
+
+      # Called after a successful LDAP authentication
+      def after_ldap_authentication
+      end
+
+
+      module ClassMethods
+        # Find a user for ldap authentication.
+        def find_for_ldap_authentication(attributes={})
+          auth_key = self.authentication_keys.first
+          return nil unless attributes[auth_key].present?
+
+          auth_key_value = (self.case_insensitive_keys || []).include?(auth_key) ? attributes[auth_key].downcase : attributes[auth_key]
+      	  auth_key_value = (self.strip_whitespace_keys || []).include?(auth_key) ? auth_key_value.strip : auth_key_value
+
+          resource = where(auth_key => auth_key_value).first
+
+          if resource.blank?
+            resource = new
+            resource[auth_key] = auth_key_value
+            resource.password = attributes[:password]
+          end
+
+          if ::Devise.ldap_create_user && resource.new_record? && resource.valid_ldap_authentication?(attributes[:password])
+            resource.ldap_before_save if resource.respond_to?(:ldap_before_save)
+            resource.save!
+          end
+
+          resource
+        end
+
+        def update_with_password(resource)
+          puts "UPDATE_WITH_PASSWORD: #{resource.inspect}"
+        end
+
+      end
+    end
+  end
+end

data/lib/devise_ldap_authenticatable/strategy.rb

@@ -0,0 +1,39 @@
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    class LdapAuthenticatable < Authenticatable
+
+      # Tests whether the returned resource exists in the database and the
+      # credentials are valid.  If the resource is in the database and the credentials
+      # are valid, the user is authenticated.  Otherwise failure messages are returned
+      # indicating whether the resource is not found in the database or the credentials
+      # are invalid.
+      def authenticate!
+        resource = mapping.to.find_for_ldap_authentication(authentication_hash.merge(password: password))
+
+        return fail(:invalid) unless resource
+
+        if resource.persisted?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            remember_me(resource)
+            resource.after_ldap_authentication
+            success!(resource)
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+
+        if resource.new_record?
+          if validate(resource) { resource.valid_ldap_authentication?(password) }
+            return fail(:not_found_in_database) # Valid credentials
+          else
+            return fail(:invalid) # Invalid credentials
+          end
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

data/lib/devise_ldap_authenticatable/version.rb

@@ -0,0 +1,3 @@
+module DeviseLdapAuthenticatable
+  VERSION = "0.8.5".freeze
+end

data/lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -0,0 +1,63 @@
+module DeviseLdapAuthenticatable
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path("../templates", __FILE__)
+
+    class_option :user_model, :type => :string, :default => "user", :desc => "Model to update"
+    class_option :update_model, :type => :boolean, :default => true, :desc => "Update model to change from database_authenticatable to ldap_authenticatable"
+    class_option :add_rescue, :type => :boolean, :default => true, :desc => "Update Application Controller with resuce_from for DeviseLdapAuthenticatable::LdapException"
+    class_option :advanced, :type => :boolean, :desc => "Add advanced config options to the devise initializer"
+
+
+    def create_ldap_config
+      copy_file "ldap.yml", "config/ldap.yml"
+    end
+
+    def create_default_devise_settings
+      inject_into_file "config/initializers/devise.rb", default_devise_settings, :after => "Devise.setup do |config|\n"   
+    end
+
+    def update_user_model
+      gsub_file "app/models/#{options.user_model}.rb", /:database_authenticatable/, ":ldap_authenticatable" if options.update_model?
+    end
+
+    def update_application_controller
+      inject_into_class "app/controllers/application_controller.rb", ApplicationController, rescue_from_exception if options.add_rescue?
+    end
+
+    private
+
+    def default_devise_settings
+      settings = <<-eof
+  # ==> LDAP Configuration 
+  # config.ldap_logger = true
+  # config.ldap_create_user = false
+  # config.ldap_update_password = true
+  # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
+  # config.ldap_check_group_membership = false
+  # config.ldap_check_group_membership_without_admin = false
+  # config.ldap_check_attributes = false
+  # config.ldap_use_admin_to_bind = false
+  # config.ldap_ad_group_check = false
+
+      eof
+      if options.advanced?  
+        settings << <<-eof  
+  # ==> Advanced LDAP Configuration
+  # config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "\#{attribute}=\#{login},\#{ldap.base}" }
+
+        eof
+      end
+
+      settings
+    end
+
+    def rescue_from_exception
+      <<-eof
+  rescue_from DeviseLdapAuthenticatable::LdapException do |exception|
+    render :text => exception, :status => 500
+  end
+      eof
+    end
+
+  end
+end

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -0,0 +1,55 @@
+## Authorizations
+# Uncomment out the merging for each environment that you'd like to include.
+# You can also just copy and paste the tree (do not include the "authorizations") to each
+# environment if you need something different per enviornment.
+authorizations: &AUTHORIZATIONS
+  allow_unauthenticated_bind: false
+  group_base: ou=groups,dc=test,dc=com
+  ## Requires config.ldap_check_group_membership in devise.rb be true
+  # Can have multiple values, must match all to be authorized
+  required_groups:
+    # If only a group name is given, membership will be checked against "uniqueMember"
+    - cn=admins,ou=groups,dc=test,dc=com
+    - cn=users,ou=groups,dc=test,dc=com
+    # If an array is given, the first element will be the attribute to check against, the second the group name
+    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
+  ## Requires config.ldap_check_attributes in devise.rb to be true
+  ## Can have multiple attributes and values, must match all to be authorized
+  require_attribute:
+    objectClass: inetOrgPerson
+    authorizationRole: postsAdmin
+
+## Environment
+
+development:
+  host: localhost
+  port: 389
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: false
+  additional_ldap_filter: "(&(objectClass=user)(sAMAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=CN=SomeActiveDirectoryGroup,OU=Groupies,cn=admin,dc=test,dc=com))"
+  # <<: *AUTHORIZATIONS
+
+test:
+  host: localhost
+  port: 3389
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: simple_tls
+  additional_ldap_filter: "(&(objectClass=user)(sAMAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=CN=SomeActiveDirectoryGroup,OU=Groupies,cn=admin,dc=test,dc=com))"
+  # <<: *AUTHORIZATIONS
+
+production:
+  host: localhost
+  port: 636
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  admin_user: cn=admin,dc=test,dc=com
+  admin_password: admin_password
+  ssl: start_tls
+  additional_ldap_filter: "(&(objectClass=user)(sAMAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=CN=SomeActiveDirectoryGroup,OU=Groupies,cn=admin,dc=test,dc=com))"
+  # <<: *AUTHORIZATIONS

data/spec/ldap/.gitignore

@@ -0,0 +1,2 @@
+slapd-test.conf
+slapd-ssl-test.conf

data/spec/ldap/base.ldif

@@ -0,0 +1,73 @@
+# ldapadd -x -h localhost -p 3389 -D "cn=admin,dc=test,dc=com" -w secret -f base.ldif
+
+dn: dc=test,dc=com
+objectClass: dcObject
+objectClass: organizationalUnit
+dc: test
+ou: Test
+
+dn: ou=people,dc=test,dc=com
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=others,dc=test,dc=com
+objectClass: organizationalUnit
+ou: others
+
+dn: ou=groups,dc=test,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+# example.user@test.com, people, test.com
+dn: cn=example.user@test.com,ou=people,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+sn: User
+uid: example_user
+mail: example.user@test.com
+cn: example.user@test.com
+authorizationRole: blogUser
+userPassword:: e1NTSEF9ZXRYaE9NcjRjOGFiTjlqYUxyczZKSll5MFlaZUF1NURCVWhhY0E9PQ=
+ =
+
+# other.user@test.com
+dn: cn=other.user@test.com,ou=others,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+sn: Other
+uid: other_user
+cn: other.user@test.com
+authorizationRole: blogUser
+userPassword:: e1NIQX1IQXdtdk13RGF1ZUpyZDhwakxXMzZ6Yi9jTUU9
+
+# example.admin@test.com, people, test.com
+dn: cn=example.admin@test.com,ou=people,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+sn: Admin
+uid: example_admin
+cn: example.admin@test.com
+authorizationRole: blogAdmin
+userPassword:: e1NIQX0wcUNXaERISGFwWmc3ekJxZWRRanBzNW1EUDA9
+
+# users, groups, test.com
+dn: cn=users,ou=groups,dc=test,dc=com
+objectClass: authorizations
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: cn=example.user@test.com,ou=people,dc=test,dc=com
+authorizationRole: cn=example.admin@test.com,ou=people,dc=test,dc=com
+cn: users
+
+# users, groups, test.com
+dn: cn=admins,ou=groups,dc=test,dc=com
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: cn=example.admin@test.com,ou=people,dc=test,dc=com
+cn: admins

data/spec/ldap/clear.ldif

@@ -0,0 +1,26 @@
+dn: cn=admins,ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: cn=users,ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: cn=example.admin@test.com,ou=people,dc=test,dc=com
+changetype: delete
+
+dn: cn=example.user@test.com,ou=people,dc=test,dc=com
+changetype: delete
+
+dn: cn=other.user@test.com,ou=others,dc=test,dc=com
+changetype: delete
+
+dn: ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: ou=people,dc=test,dc=com
+changetype: delete
+
+dn: ou=others,dc=test,dc=com
+changetype: delete
+
+dn: dc=test,dc=com
+changetype: delete

data/spec/ldap/local.schema

@@ -0,0 +1,6 @@
+attributetype ( 1.1.2.2.5 NAME  'authorizationRole' SUP name )
+
+objectclass ( 1.1.2.2.1 NAME 'authorizations'
+        DESC 'mixin authorizations'
+        AUXILIARY
+        MAY authorizationRole )

data/spec/ldap/openldap-data/.gitignore

@@ -0,0 +1,2 @@
+dc=test,dc=com
+dc=test,dc=com.ldif

data/spec/ldap/openldap-data/run/.gitignore

@@ -0,0 +1,2 @@
+slapd.pid
+slapd.args

data/spec/ldap/run-server

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+
+require 'erb'
+require 'fileutils'
+
+FileUtils.chdir(File.dirname(__FILE__))
+
+## For OSX:
+ENV['PATH'] = "#{ENV['PATH']}:/usr/libexec"
+
+template = File.read('slapd-test.conf.erb')
+normal_out = 'slapd-test.conf'
+ssl_out = 'slapd-ssl-test.conf'
+
+File.open(normal_out, 'w') do |f|
+  @ssl = false
+  f.write ERB.new(template).result(binding)
+end
+File.open(ssl_out, 'w') do |f|
+  @ssl = true
+  f.write ERB.new(template).result(binding)
+end
+
+if ARGV.first == '--ssl'
+  cmd = "slapd -d 1 -f #{ssl_out} -h ldaps://localhost:3389"
+else
+  cmd = "slapd -d 1 -f #{normal_out} -h ldap://localhost:3389"
+end
+
+puts(cmd)
+exec(cmd)