xn_devise_ldap_authenticatable 0.8.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6c423ee2965e7ef62c4949e422b167f11fec92d2
+  data.tar.gz: 76f8843e1f499aa515e046e386e446a04a4f1b7b
+SHA512:
+  metadata.gz: a1e9ea3d87f9fff0eea4f803e25a14fad1ca29ee40588b8a002b065c8cb43975808f75791220a69cd3dc9fbe44d9242822f848d64486bd46aab669752635b29c
+  data.tar.gz: 63a8dc3a29ef30af5bf66aee4a3c20dcd05a4bc27882581034d8d4bc0a93b6936d879a487b5ea3d4b87e9c7997d5d70faea96a17065f3da27e9f8f3c12ed1733

data/.gitignore

@@ -0,0 +1,10 @@
+.bundle
+Gemfile.lock
+log
+*.sqlite3
+test/ldap/openldap-data/*
+!test/ldap/openldap-data/run
+test/ldap/openldap-data/run/slapd.*
+test/rails_app/tmp
+pkg/*
+*.gem

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+CHANGELOG
+=========
+
+v0.8
+----
+
+[Issue #102](https://github.com/cschiewek/devise_ldap_authenticatable/pull/102): Extract method in_group? from in_required_groups? and expose it to the model

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+gemspec
+
+group :development, :test do
+  gem 'debugger', platform: :ruby_19
+  gem 'byebug', platform: :ruby_20
+end

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Curtis Schiewek
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,143 @@
+Devise LDAP Authenticatable
+===========================
+
+Why this fork?
+--------------
+This fork changes a few lines to allow the admin binding to be set to the user trying to log in.
+
+[![Gem Version](https://badge.fury.io/rb/devise_ldap_authenticatable.png)](http://badge.fury.io/rb/devise_ldap_authenticatable)
+[![Code Climate](https://codeclimate.com/github/cschiewek/devise_ldap_authenticatable.png)](https://codeclimate.com/github/cschiewek/devise_ldap_authenticatable)
+[![Dependency Status](https://gemnasium.com/cschiewek/devise_ldap_authenticatable.png)](https://gemnasium.com/cschiewek/devise_ldap_authenticatable)
+
+Devise LDAP Authenticatable is a LDAP based authentication strategy for the [Devise](http://github.com/plataformatec/devise) authentication framework.
+
+If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.
+
+Devise LDAP Authenticatable works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
+
+For a screencast with an example application, please visit: [http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html](http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html)
+
+Prerequisites
+-------------
+ * devise ~> 3.0.0 (which requires rails ~> 4.0)
+ * net-ldap ~> 0.3.1
+
+Note: Rails 3.x / Devise 2.x has been moved to the 0.7 branch.  All 0.7.x gems will support Rails 3, where as 0.8.x will support Rails 4.
+
+Usage
+-----
+In the Gemfile for your application:
+
+    gem "devise_ldap_authenticatable"
+
+To get the latest version, pull directly from github instead of the gem:
+
+    gem "devise_ldap_authenticatable", :git => "git://github.com/cschiewek/devise_ldap_authenticatable.git"
+
+
+Setup
+-----
+Run the rails generators for devise (please check the [devise](http://github.com/plataformatec/devise) documents for further instructions)
+
+    rails generate devise:install
+    rails generate devise MODEL_NAME
+
+Run the rails generator for `devise_ldap_authenticatable`
+
+    rails generate devise_ldap_authenticatable:install [options]
+
+This will install the ldap.yml, update the devise.rb initializer, and update your user model. There are some options you can pass to it:
+
+Options:
+
+    [--user-model=USER_MODEL]  # Model to update
+                               # Default: user
+    [--update-model]           # Update model to change from database_authenticatable to ldap_authenticatable
+                               # Default: true
+    [--add-rescue]             # Update Application Controller with rescue_from for DeviseLdapAuthenticatable::LdapException
+                               # Default: true
+    [--advanced]               # Add advanced config options to the devise initializer
+
+Querying LDAP
+-------------
+Given that `ldap_create_user` is set to true and you are authenticating with username, you can query an LDAP server for other attributes.
+
+in your user model you have to simply define `ldap_before_save` method:
+
+    def ldap_before_save
+      self.email = Devise::LDAP::Adapter.get_ldap_param(self.username,"mail").first
+    end
+
+Configuration
+-------------
+In initializer  `config/initializers/devise.rb` :
+
+* `ldap_logger` _(default: true)_
+  * If set to true, will log LDAP queries to the Rails logger.
+* `ldap_create_user` _(default: false)_
+  * If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created. If set to false, you will have to create the user record before they will be allowed to login.
+* `ldap_config` _(default: #{Rails.root}/config/ldap.yml)_
+  * Where to find the LDAP config file. Commented out to use the default, change if needed.
+* `ldap_update_password` _(default: true)_
+  * When doing password resets, if true will update the LDAP server. Requires admin password in the ldap.yml
+* `ldap_check_group_membership` _(default: false)_
+  * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
+* `ldap_check_attributes` _(default: false)_
+  * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
+* `ldap_use_admin_to_bind` _(default: false)_
+  * When set to true, the admin user will be used to bind to the LDAP server during authentication.
+* `ldap_check_group_membership_without_admin` _(default: false)_
+  * When set to true, the group membership check is done with the user's own credentials rather than with admin credentials. Since these credentials are only available to the Devise user model during the login flow, the group check function will not work if a group check is performed when this option is true outside of the login flow (e.g., before particular actions).
+
+Advanced Configuration
+----------------------
+These parameters will be added to `config/initializers/devise.rb` when you pass the `--advanced` switch to the generator:
+
+* `ldap_auth_username_builder` _(default: `Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }`)_
+  * You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
+* `ldap_auth_password_build` _(default: `Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) }`)_
+  * Optionally you can define a proc to create custom password encrption when user reset password
+
+Troubleshooting
+--------------
+**Using a "username" instead of an "email":** The field that is used for logins is the first key that's configured in the `config/initializers/devise.rb` file under `config.authentication_keys`, which by default is email. For help changing this, please see the [Railscast](http://railscasts.com/episodes/210-customizing-devise) that goes through how to customize Devise. Also, this [documentation](https://github.com/plataformatec/devise/wiki/How-To%3a-Allow-users-to-sign-in-using-their-username-or-email-address) from Devise can very helpful.
+
+**SSL certificate invalid:** If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., `/etc/openldap/ldap.conf` or `/etc/ldap/ldap.conf`) to read `TLS_REQCERT never`.
+
+Discussion Group
+------------
+
+For additional support, questions or discussions, please see the discussion forum on [Google Groups](https://groups.google.com/forum/#!forum/devise_ldap_authenticatable)
+
+Development guide
+------------
+
+Devise LDAP Authenticatable uses a running OpenLDAP server to do automated acceptance tests. You'll need the executables `slapd`, `ldapadd`, and `ldapmodify`.
+
+On OS X, this is available out of the box.
+
+On Ubuntu, you can install OpenLDAP with `sudo apt-get install slapd ldap-utils`. If slapd runs under AppArmor, add an exception like this to `/etc/apparmor.d/local/usr.sbin.slapd` to let slapd read our configs.
+
+    /path/to/devise_ldap_authenticatable/spec/ldap/** rw,$
+
+To start hacking on `devise_ldap_authentication`, clone the github repository, start the test LDAP server, and run the rake test task:
+
+    git clone https://github.com/cschiewek/devise_ldap_authenticatable.git
+    cd devise_ldap_authenticatable
+    bundle install
+
+    # in a separate console or backgrounded
+    ./spec/ldap/run-server
+
+    bundle exec rake db:migrate # first time only
+    bundle exec rake spec
+
+References
+----------
+* [OpenLDAP](http://www.openldap.org/)
+* [Devise](http://github.com/plataformatec/devise)
+* [Warden](http://github.com/hassox/warden)
+
+Released under the MIT license
+
+Copyright (c) 2012 [Curtis Schiewek](https://github.com/cschiewek), [Daniel McNevin](https://github.com/dpmcnevin), [Steven Xu](https://github.com/cairo140)

data/Rakefile

@@ -0,0 +1,16 @@
+require File.expand_path('spec/rails_app/config/environment', File.dirname(__FILE__))
+require 'rdoc/task'
+
+desc 'Default: run test suite.'
+task :default => :spec
+
+desc 'Generate documentation for the devise_ldap_authenticatable plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseLDAPAuthenticatable'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+RailsApp::Application.load_tasks

data/lib/devise_ldap_authenticatable.rb

@@ -0,0 +1,49 @@
+# encoding: utf-8
+require 'devise'
+
+require 'devise_ldap_authenticatable/exception'
+require 'devise_ldap_authenticatable/logger'
+require 'devise_ldap_authenticatable/ldap/adapter'
+require 'devise_ldap_authenticatable/ldap/connection'
+
+# Get ldap information from config/ldap.yml now
+module Devise
+  # Allow logging
+  mattr_accessor :ldap_logger
+  @@ldap_logger = true
+  
+  # Add valid users to database
+  mattr_accessor :ldap_create_user
+  @@ldap_create_user = false
+  
+  # A path to YAML config file or a Proc that returns a
+  # configuration hash
+  mattr_accessor :ldap_config
+  # @@ldap_config = "#{Rails.root}/config/ldap.yml"
+  
+  mattr_accessor :ldap_update_password
+  @@ldap_update_password = true
+  
+  mattr_accessor :ldap_check_group_membership
+  @@ldap_check_group_membership = false
+  
+  mattr_accessor :ldap_check_attributes
+  @@ldap_check_role_attribute = false
+  
+  mattr_accessor :ldap_use_admin_to_bind
+  @@ldap_use_admin_to_bind = false
+  
+  mattr_accessor :ldap_auth_username_builder
+  @@ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
+
+  mattr_accessor :ldap_ad_group_check
+  @@ldap_ad_group_check = false
+end
+
+# Add ldap_authenticatable strategy to defaults.
+#
+Devise.add_module(:ldap_authenticatable,
+                  :route => :session, ## This will add the routes, rather than in the routes.rb
+                  :strategy   => true,
+                  :controller => :sessions,
+                  :model  => 'devise_ldap_authenticatable/model')

data/lib/devise_ldap_authenticatable/exception.rb

@@ -0,0 +1,6 @@
+module DeviseLdapAuthenticatable
+
+  class LdapException < Exception
+  end
+
+end

data/lib/devise_ldap_authenticatable/ldap/adapter.rb

@@ -0,0 +1,87 @@
+require "net/ldap"
+
+module Devise
+  module LDAP
+    DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY = 'uniqueMember'
+    
+    module Adapter
+      def self.valid_credentials?(login, password_plaintext)
+        options = {:login => login,
+                   :password => password_plaintext,
+                   :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                   :admin => ::Devise.ldap_use_admin_to_bind}
+
+        resource = Devise::LDAP::Connection.new(options)
+        resource.authorized?
+      end
+
+      def self.update_password(login, new_password)
+        options = {:login => login,
+                   :new_password => new_password,
+                   :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                   :admin => ::Devise.ldap_use_admin_to_bind}
+
+        resource = Devise::LDAP::Connection.new(options)
+        resource.change_password! if new_password.present?
+      end
+
+      def self.update_own_password(login, new_password, current_password)
+        set_ldap_param(login, :userPassword, ::Devise.ldap_auth_password_builder.call(new_password), current_password)
+      end
+
+      def self.ldap_connect(login)
+        options = {:login => login,
+                   :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                   :admin => ::Devise.ldap_use_admin_to_bind}
+
+        resource = Devise::LDAP::Connection.new(options)
+      end
+
+      def self.valid_login?(login)
+        self.ldap_connect(login).valid_login?
+      end
+
+      def self.get_groups(login)
+        self.ldap_connect(login).user_groups
+      end
+
+      def self.in_ldap_group?(login, group_name, group_attribute = nil)
+        self.ldap_connect(login).in_group?(group_name, group_attribute)
+      end
+
+      def self.get_dn(login)
+        self.ldap_connect(login).dn
+      end
+
+      def self.set_ldap_param(login, param, new_value, password = nil)
+        options = { :login => login,
+                    :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                    :password => password }
+
+        resource = Devise::LDAP::Connection.new(options)
+        resource.set_param(param, new_value)
+      end
+
+      def self.delete_ldap_param(login, param, password = nil)
+        options = { :login => login,
+                    :ldap_auth_username_builder => ::Devise.ldap_auth_username_builder,
+                    :password => password }
+
+        resource = Devise::LDAP::Connection.new(options)
+        resource.delete_param(param)
+      end
+
+      def self.get_ldap_param(login,param)
+        resource = self.ldap_connect(login)
+        resource.ldap_param_value(param)
+      end
+
+      def self.get_ldap_entry(login)
+        self.ldap_connect(login).search_for_login
+      end
+
+    end
+
+  end
+
+end

data/lib/devise_ldap_authenticatable/ldap/connection.rb

@@ -0,0 +1,243 @@
+module Devise
+  module LDAP
+    class Connection
+      attr_reader :ldap, :login
+
+      def initialize(params = {})
+        if ::Devise.ldap_config.is_a?(Proc)
+          ldap_config = ::Devise.ldap_config.call
+        else
+          ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        end
+        ldap_options = params
+        ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true
+        ldap_options[:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"]
+
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config["host"]
+        @ldap.port = ldap_config["port"]
+        @ldap.base = ldap_config["base"]
+        @attribute = ldap_config["attribute"]
+        @allow_unauthenticated_bind = ldap_config["allow_unauthenticated_bind"]
+
+        @ldap_auth_username_builder = params[:ldap_auth_username_builder]
+
+        @group_base = ldap_config["group_base"]
+        @check_group_membership = ldap_config.has_key?("check_group_membership") ? ldap_config["check_group_membership"] : ::Devise.ldap_check_group_membership
+        @required_groups = ldap_config["required_groups"]
+        @required_attributes = ldap_config["require_attribute"]
+
+        @additional_ldap_filter=ldap_config["additional_ldap_filter"]
+
+        @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin]
+        @ldap.auth params[:login], params[:password] if ldap_config["admin_as_user"]
+
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+      end
+
+      def delete_param(param)
+        update_ldap [[:delete, param.to_sym, nil]]
+      end
+
+      def set_param(param, new_value)
+        update_ldap( { param.to_sym => new_value } )
+      end
+
+      def dn
+        @dn ||= begin
+          DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}")
+          ldap_entry = search_for_login
+          if ldap_entry.nil?
+            @ldap_auth_username_builder.call(@attribute,@login,@ldap)
+          else
+            ldap_entry.dn
+          end
+        end
+      end
+
+      def ldap_param_value(param)
+        ldap_entry = search_for_login
+
+        if ldap_entry
+          unless ldap_entry[param].empty?
+            value = ldap_entry.send(param)
+            DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{value}")
+            value
+          else
+            DeviseLdapAuthenticatable::Logger.send("Requested param #{param} does not exist")
+            value = nil
+          end
+        else
+          DeviseLdapAuthenticatable::Logger.send("Requested ldap entry does not exist")
+          value = nil
+        end
+      end
+
+      def authenticate!
+        return false unless (@password.present? || @allow_unauthenticated_bind)
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+
+      def authenticated?
+        authenticate!
+      end
+
+      def authorized?
+        DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
+        if !authenticated?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.")
+          return false
+        elsif !in_required_groups?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.")
+          return false
+        elsif !has_required_attribute?
+          DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.")
+          return false
+        else
+          return true
+        end
+      end
+
+      def change_password!
+        update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password))
+      end
+
+      def in_required_groups?
+        return true unless @check_group_membership
+
+        ## FIXME set errors here, the ldap.yml isn't set properly.
+        return false if @required_groups.nil?
+
+        for group in @required_groups
+          if group.is_a?(Array)
+            return false unless in_group?(group[1], group[0])
+          else
+            return false unless in_group?(group)
+          end
+        end
+        return true
+      end
+
+      def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        in_group = false
+
+        admin_ldap = Connection.admin
+
+        unless ::Devise.ldap_ad_group_check
+          admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            if entry[group_attribute].include? dn
+              in_group = true
+            end
+          end
+        else
+          # AD optimization - extension will recursively check sub-groups with one query
+          # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
+          search_result = admin_ldap.search(:base => dn,
+                            :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
+                            :scope => Net::LDAP::SearchScope_BaseObject)
+          # Will return  the user entry if belongs to group otherwise nothing
+          if search_result.length == 1 && search_result[0].dn.eql?(dn)
+            in_group = true
+          end
+        end
+
+        unless in_group
+          DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name}")
+        end
+
+        return in_group
+      end
+
+      def has_required_attribute?
+        return true unless ::Devise.ldap_check_attributes
+
+        admin_ldap = Connection.admin
+
+        user = find_ldap_user(admin_ldap)
+
+        @required_attributes.each do |key,val|
+          unless user[key].include? val
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}")
+            return false
+          end
+        end
+
+        return true
+      end
+
+      def user_groups
+        admin_ldap = Connection.admin
+
+        DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
+        filter = Net::LDAP::Filter.eq("uniqueMember", dn)
+        admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
+      end
+
+      def valid_login?
+        !search_for_login.nil?
+      end
+
+      # Searches the LDAP for the login
+      #
+      # @return [Object] the LDAP entry found; nil if not found
+      def search_for_login
+        @login_ldap_entry ||= begin
+          DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}")
+          filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+          if @additional_ldap_filter
+            DeviseLdapAuthenticatable::Logger.send("Adding Additional Filter #{@additional_ldap_filter}")
+            additional_filter = Net::LDAP::Filter.from_rfc2254(@additional_ldap_filter)
+            filter = filter & additional_filter
+          end
+          ldap_entry = nil
+          match_count = 0
+          @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
+          DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches")
+          ldap_entry
+        end
+      end
+
+      private
+
+      def self.admin
+        ldap = Connection.new(:admin => true).ldap
+
+        unless ldap.bind
+          DeviseLdapAuthenticatable::Logger.send("Cannot bind to admin LDAP user")
+          raise DeviseLdapAuthenticatable::LdapException, "Cannot connect to admin LDAP user"
+        end
+
+        return ldap
+      end
+
+      def find_ldap_user(ldap)
+        DeviseLdapAuthenticatable::Logger.send("Finding user: #{dn}")
+        ldap.search(:base => dn, :scope => Net::LDAP::SearchScope_BaseObject).try(:first)
+      end
+
+      def update_ldap(ops)
+        operations = []
+        if ops.is_a? Hash
+          ops.each do |key,value|
+            operations << [:replace,key,value]
+          end
+        elsif ops.is_a? Array
+          operations = ops
+        end
+
+        if ::Devise.ldap_use_admin_to_bind
+          privileged_ldap = Connection.admin
+        else
+          authenticate!
+          privileged_ldap = self.ldap
+        end
+
+        DeviseLdapAuthenticatable::Logger.send("Modifying user #{dn}")
+        privileged_ldap.modify(:dn => dn, :operations => operations)
+      end
+    end
+  end
+end