zuora_connect 3.0.2.pre.p → 3.1.0.pre.a

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10ba53dbb68c71e4355316f0446236cec11abb0e0a1c1fb50db56f932aa566a1
-  data.tar.gz: 5fc99abb2ed44c998fff5ee1b80e02e0b7ccea9f8b905d4057ad9cdb50dbdf6c
+  metadata.gz: 1bfbbb07eb966a69d84820c47abc61d68930e326962a7254fbaff709fc5e734f
+  data.tar.gz: 8f964b17242b8db5ec83bf8bd70d5ec113bd4f6dabbfefac8005548a079b0272
 SHA512:
-  metadata.gz: e1258e6b3f018f184992fdbd2d956de1c4e5575ddf3ce531087cbda43e72703bc257a46bffdd8b14d7840b997109fd2e18f4c3b3c1a25144d8304debe6d96ddb
-  data.tar.gz: 0ae63bcaee8a665c53f1b43b065111621d66550130c42632431b685be9332eab9452db43afc22bcd20a9a44260a6e4d200fb0e44bdc14c826084461cba18a0ea
+  metadata.gz: 9240e5e7e344b0886407c9eb90abcc0a464c1d0a86daba0043871844003f954a3b9748086b21169f01d4e696428188181bb5d35feb38ebb75f804f9e862ff2df
+  data.tar.gz: 365883658d6fe47b2996f35bd2382380788983d9564378930864031361b42ce58efd6a46a65b7341313e7d9c0b9f6afcc180ad28f4b2540862155003ced1ca03

data/app/controllers/zuora_connect/application_controller.rb

@@ -1,8 +1,33 @@
 module ZuoraConnect
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception
-    before_action :authenticate_connect_app_request
-    after_action :persist_connect_app_session
+    before_action :authenticate_connect_app_request, except: [:ldap_login]
+    after_action :persist_connect_app_session, except: [:ldap_login]
 
+    def ldap_login
+      require 'net-ldap'
+
+      username = request.parameters['ldap_username']
+      password = request.parameters['ldap_password']
+
+      begin
+        if ZuoraConnect::LDAP::Adapter.valid_credentials?(username, password)
+          session['ldapAdmin'] = true
+          respond_to do |format|
+            format.html { redirect_to '/admin/app_instances' }
+          end
+        else
+          render 'zuora_connect/application/ldap_login', locals: {
+            title: 'LDAP Authentication Failed',
+            message: 'Invalid username or password'
+          }
+        end
+      rescue Net::LDAP::Error
+        render 'zuora_connect/application/ldap_login', locals: {
+          title: 'LDAP Authentication Net Error',
+          message: 'Failed to connect to server while authenticating the LDAP credentials. Please retry later.'
+        }
+      end
+    end
   end
 end

data/app/helpers/zuora_connect/LDAP/adapter.rb

@@ -0,0 +1,16 @@
+module ZuoraConnect
+  module LDAP
+    module Adapter
+      def self.valid_credentials?(login, password_plaintext)
+        options = {
+          login: login,
+          password: password_plaintext,
+          ldap_auth_username_builder: proc { |attribute, login, _| "#{attribute}=#{login}" },
+          admin: true
+        }
+        ldap_connection = ZuoraConnect::LDAP::Connection.new(options)
+        ldap_connection.authorized?
+      end
+    end
+  end
+end

data/app/helpers/zuora_connect/LDAP/connection.rb

@@ -0,0 +1,123 @@
+# Copied from devise lib and deleted not useful functionality
+
+module ZuoraConnect
+  module LDAP
+    class Connection
+      attr_reader :ldap, :login
+
+      def initialize(params = {})
+        ldap_config = YAML.load(ERB.new(File.read("#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        ldap_options = params
+
+        # Allow `ssl: true` shorthand in YAML, but enable more control with `encryption`
+        ldap_config['ssl'] = :simple_tls if ldap_config['ssl'] === true
+        ldap_options[:encryption] = ldap_config['ssl'].to_sym if ldap_config['ssl']
+        ldap_options[:encryption] = ldap_config['encryption'] if ldap_config['encryption']
+
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config['host']
+        @ldap.port = ldap_config['port']
+        @ldap.base = ldap_config['base']
+        @attribute = ldap_config['attribute']
+        @allow_unauthenticated_bind = ldap_config['allow_unauthenticated_bind']
+
+        @ldap_auth_username_builder = params[:ldap_auth_username_builder]
+
+        @group_base = ldap_config['group_base']
+        @check_group_membership = ldap_config.key?('check_group_membership') ? ldap_config['check_group_membership'] : false
+        @check_group_membership_without_admin = ldap_config.key?('check_group_membership_without_admin') ? ldap_config['check_group_membership_without_admin'] : false
+        @required_groups = ldap_config['required_groups']
+        @group_membership_attribute = ldap_config.key?('group_membership_attribute') ? ldap_config['group_membership_attribute'] : 'uniqueMember'
+        @required_attributes = ldap_config['require_attribute']
+        @required_attributes_presence = ldap_config['require_attribute_presence']
+
+        @ldap.auth ldap_config['admin_user'], ldap_config['admin_password'] if params[:admin]
+
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+      end
+
+      def dn
+        @dn ||= begin
+                  ZuoraConnect::logger.debug("LDAP dn lookup: #{@attribute}=#{@login}")
+                  ldap_entry = search_for_login
+                  if ldap_entry.nil?
+                    @ldap_auth_username_builder.call(@attribute,@login,@ldap)
+                  else
+                    ldap_entry.dn
+                  end
+                end
+      end
+
+      def search_for_login
+        @login_ldap_entry ||= begin
+                                ZuoraConnect::logger.debug("LDAP search for login: #{@attribute}=#{@login}")
+                                filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+                                ldap_entry = nil
+                                match_count = 0
+                                @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
+                                op_result= @ldap.get_operation_result
+                                if op_result.code!=0
+                                  ZuoraConnect::logger.debug("LDAP Error #{op_result.code}: #{op_result.message}")
+                                end
+                                ZuoraConnect::logger.debug("LDAP search yielded #{match_count} matches")
+                                ldap_entry
+                              end
+      end
+
+      def authenticate!
+        return false unless @password.present? || @allow_unauthenticated_bind
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+
+      def authenticated?
+        authenticate!
+      end
+
+      def last_message_bad_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 52e'
+      end
+
+      def last_message_expired_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 773'
+      end
+
+      def authorized?
+        ZuoraConnect::logger.debug("Authorizing user #{dn}")
+        if !authenticated?
+          if last_message_bad_credentials?
+            ZuoraConnect::logger.debug('Not authorized because of invalid credentials.')
+          elsif last_message_expired_credentials?
+            ZuoraConnect::logger.debug('Not authorized because of expired credentials.')
+          else
+            ZuoraConnect::logger.debug('Not authorized because not authenticated.')
+          end
+
+          false
+        elsif !in_required_groups?
+          ZuoraConnect::logger.debug('Not authorized because not in required groups.')
+          false
+        else
+          true
+        end
+      end
+
+      def in_required_groups?
+        return true unless @check_group_membership || @check_group_membership_without_admin
+
+        return false if @required_groups.nil?
+
+        @required_groups.each do |group|
+          if group.is_a?(Array)
+            return false unless in_group?(group[1], group[0])
+          else
+            return false unless in_group?(group)
+          end
+        end
+        true
+      end
+    end
+  end
+end

data/app/models/zuora_connect/app_instance_base.rb

@@ -5,7 +5,7 @@ module ZuoraConnect
   require 'aws-sdk-ses'
   require 'aws-sdk-kms'
   class AppInstanceBase < ActiveRecord::Base
-    default_scope {select(ZuoraConnect::AppInstance.column_names.delete_if {|x| ["catalog_mapping", "catalog"].include?(x) }) }
+    default_scope { select(ZuoraConnect::AppInstance.column_names.reject { |x| ["catalog_mapping", "catalog"].include?(x) }) }
     after_initialize :init
     after_create :initialize_redis_placeholders
     before_destroy :prune_data

data/app/views/zuora_connect/application/ldap_login.html.erb

@@ -0,0 +1,194 @@
+<html>
+  <head>
+    <title>LDAP Log in</title>
+    <style>
+        * {
+            box-sizing: border-box;
+            margin: 0;
+            padding: 0;
+            font-family: Raleway, sans-serif;
+        }
+
+        body {
+            background: linear-gradient(90deg, #C7C5F4, #776BCC);
+        }
+
+        .container {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            min-height: 100vh;
+        }
+
+        .screen {
+            background: linear-gradient(90deg, #5D54A4, #7C78B8);
+            position: relative;
+            height: 600px;
+            width: 360px;
+            box-shadow: 0px 0px 24px #5C5696;
+        }
+
+        .screen__content {
+            z-index: 1;
+            position: relative;
+            height: 100%;
+        }
+
+        .screen__background {
+            position: absolute;
+            top: 0;
+            left: 0;
+            right: 0;
+            bottom: 0;
+            z-index: 0;
+            -webkit-clip-path: inset(0 0 0 0);
+            clip-path: inset(0 0 0 0);
+        }
+
+        .screen__background__shape {
+            transform: rotate(45deg);
+            position: absolute;
+        }
+
+        .screen__background__shape1 {
+            height: 520px;
+            width: 520px;
+            background: #FFF;
+            top: -50px;
+            right: 120px;
+            border-radius: 0 72px 0 0;
+        }
+
+        .screen__background__shape2 {
+            height: 220px;
+            width: 220px;
+            background: #6C63AC;
+            top: -172px;
+            right: 0;
+            border-radius: 32px;
+        }
+
+        .screen__background__shape3 {
+            height: 540px;
+            width: 190px;
+            background: linear-gradient(270deg, #5D54A4, #6A679E);
+            top: -24px;
+            right: 0;
+            border-radius: 32px;
+        }
+
+        .screen__background__shape4 {
+            height: 400px;
+            width: 200px;
+            background: #7E7BB9;
+            top: 420px;
+            right: 50px;
+            border-radius: 60px;
+        }
+
+        .login {
+            width: 320px;
+            padding: 30px;
+            padding-top: 156px;
+        }
+
+        .login__field {
+            padding: 20px 0px;
+            position: relative;
+        }
+
+        .login__icon {
+            position: absolute;
+            top: 30px;
+            color: #7875B5;
+        }
+
+        .login__input {
+            border: none;
+            border-bottom: 2px solid #D1D1D4;
+            background: none;
+            padding: 10px;
+            padding-left: 24px;
+            font-weight: 700;
+            width: 75%;
+            transition: .2s;
+        }
+
+        .login__input:active,
+        .login__input:focus,
+        .login__input:hover {
+            outline: none;
+            border-bottom-color: #6A679E;
+        }
+
+        .login__submit {
+            background: #fff;
+            font-size: 14px;
+            margin-top: 30px;
+            padding: 16px 20px;
+            border-radius: 26px;
+            border: 1px solid #D4D3E8;
+            text-transform: uppercase;
+            font-weight: 700;
+            display: flex;
+            align-items: center;
+            width: 100%;
+            color: #4C489D;
+            box-shadow: 0px 2px 2px #5C5696;
+            cursor: pointer;
+            transition: .2s;
+        }
+
+        .login__submit:active,
+        .login__submit:focus,
+        .login__submit:hover {
+            border-color: #6A679E;
+            outline: none;
+        }
+
+        .error{
+            color: #D8000C;
+            background-color: #FFBABA;
+        }
+    </style>
+  </head>
+
+  <body>
+    <div class="container">
+      <div class="screen">
+        <div class="screen__content">
+
+          <%= form_with class: "login", url: "/connect/ldap_login", method: :post do |f| %>
+            <div class="login__field">
+              <%= f.text_field :ldap_username, placeholder: "Username", class: "login__input" %>
+            </div>
+
+            <div class="login__field">
+              <%= f.password_field :ldap_password, placeholder: "Password", class: "login__input" %>
+            </div>
+
+            <%= f.button "Log in", class: "button login__submit" %>
+
+          <% end %>
+
+          <% if defined?(message) && defined?(title) %>
+            <div class="error">
+              <h3><%= title %></h3>
+              <p><%= message.html_safe %></p>
+            </div>
+          <% end %>
+
+        </div>
+
+        <div class="screen__background">
+          <span class="screen__background__shape screen__background__shape4"></span>
+          <span class="screen__background__shape screen__background__shape3"></span>
+          <span class="screen__background__shape screen__background__shape2"></span>
+          <span class="screen__background__shape screen__background__shape1"></span>
+        </div>
+
+      </div>
+    </div>
+
+  </body>
+</html>

data/config/initializers/postgresql_adapter.rb

@@ -5,7 +5,35 @@ module ActiveRecord
       SCHEMA_ADDITIONAL_TYPES = 'SchemaAdditionalTypes'.freeze
 
       private
-        def load_additional_types_latest(oids = nil)
+        def load_additional_types_rails_7_0(oids = nil)
+          initializer = OID::TypeMapInitializer.new(type_map)
+          return if loaded_from_cache?(initializer)
+          additional_types = []
+          load_types_queries(initializer, oids) do |query|
+            execute_and_clear(query, "SCHEMA", []) do |records|
+              additional_types.push(records)
+              initializer.run(records)
+            end
+          end
+          cache_additional_types(additional_types)
+        end
+
+        def load_types_queries(initializer, oids)
+          query = <<~SQL
+              SELECT DISTINCT on (t.typname) t.oid, t.typname, t.typelem, t.typdelim, t.typinput, r.rngsubtype, t.typtype, t.typbasetype
+              FROM pg_type as t
+              LEFT JOIN pg_range as r ON oid = rngtypid
+          SQL
+          if oids
+            yield query + "WHERE t.oid IN (%s)" % oids.join(", ")
+          else
+            yield query + initializer.query_conditions_for_known_type_names
+            yield query + initializer.query_conditions_for_known_type_types
+            yield query + initializer.query_conditions_for_array_types
+          end
+        end
+
+        def load_additional_types_rails_5_2(oids = nil)
           initializer = OID::TypeMapInitializer.new(type_map)
 
           return if loaded_from_cache?(initializer)
@@ -69,7 +97,12 @@ module ActiveRecord
           if defined?(Redis.current)
             begin
               if Redis.current.exists(SCHEMA_ADDITIONAL_TYPES)
-                initializer.run(JSON.parse(Redis.current.get(SCHEMA_ADDITIONAL_TYPES)))
+                additional_types = JSON.parse(Redis.current.get(SCHEMA_ADDITIONAL_TYPES))
+                if additional_types.is_a?(Array)
+                  additional_types.each { |additional_type| initializer.run(additional_type) }
+                else
+                  initializer.run(additional_types)
+                end
                 return true
               end
             rescue => ex
@@ -92,8 +125,10 @@ module ActiveRecord
 
 
         rails_version = Rails.version.split('.').map { |x| x.to_i }
-        if (rails_version <=> [5, 2, 0]) >= 1
-          alias :load_additional_types :load_additional_types_latest
+        if (rails_version <=> [7, 0, 0]) >= 1
+          alias :load_additional_types :load_additional_types_rails_7_0
+        elsif(rails_version <=> [5, 2, 0]) >= 1
+          alias :load_additional_types :load_additional_types_rails_5_2
         else
           alias :load_additional_types :load_additional_types_deprecated
         end

data/config/routes.rb

@@ -15,4 +15,6 @@ ZuoraConnect::Engine.routes.draw do
       end
     end
   end
+
+  post "ldap_login" => 'application#ldap_login'
 end

data/lib/zuora_connect/controllers/helpers.rb

@@ -320,6 +320,11 @@ module ZuoraConnect
           elsif cookies['ZSession'].present?
             zuora_client = ZuoraAPI::Basic.new(url: "https://#{zuora_host}", session: cookies['ZSession'], entity_id: zuora_entity_id)
             auth_headers.merge!({'Authorization' => "ZSession-a3N2w #{zuora_client.get_session(prefix: false, auth_type: :basic)}"})
+          elsif session["ldapAdmin"]
+            ZuoraConnect::logger.debug("Admin session found")
+          elsif ZuoraConnect::AppInstance::INTERNAL_HOSTS.include?(request.headers.fetch("HOST", nil))
+            render "zuora_connect/application/ldap_login"
+            return
           else
             render "zuora_connect/static/error_handled", :locals => {
               :title => "Missing Authorization Token",
@@ -336,7 +341,7 @@ module ZuoraConnect
             missmatched_entity = session["ZuoraCurrentEntity"] != zuora_entity_id
             missing_identity = session["ZuoraCurrentIdentity"].blank?
 
-            if (missing_identity || missmatched_entity || different_zsession)
+            if (missing_identity || missmatched_entity || different_zsession) && (!session["ldapAdmin"])
               zuora_details.merge!({'identity' => {'different_zsession' => different_zsession, 'missing_identity' => missing_identity, 'missmatched_entity' => missmatched_entity}})
               identity, response = zuora_client.rest_call(
                 url: zuora_client.rest_endpoint("identity"),
@@ -367,7 +372,6 @@ module ZuoraConnect
               if is_different_user || params[:sidebar_launch].to_s.to_bool
                 zuora_instance_id = nil
                 ZuoraConnect.logger.debug("UI Authorization", zuora: zuora_details)
-
                 client_describe, response = zuora_client.rest_call(
                   url: zuora_client.rest_endpoint("genesis/user/info").gsub('v1/', ''),
                   session_type: zuora_client.class == ZuoraAPI::Oauth ? :bearer : :basic,
@@ -378,8 +382,10 @@ module ZuoraConnect
               end
             end
 
+            if session["ldapAdmin"]
+              appinstances = ZuoraConnect::AppInstance.pluck(:id, :name)
             #Find matching app instances.
-            if zuora_instance_id.present?
+            elsif zuora_instance_id.present?
               appinstances = ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host AND id = :id", entities: [zuora_entity_id], host: zuora_client.rest_domain, id: zuora_instance_id.to_i).pluck(:id, :name)
             else
               #if app_instance_ids is present then permissions still controlled by connect
@@ -417,11 +423,23 @@ module ZuoraConnect
               appinstances ||= ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host", entities: [zuora_entity_id], host: zuora_client.rest_domain).pluck(:id, :name)
             end
 
-            zuora_user_id = cookies['Zuora-User-Id'] || session["ZuoraCurrentIdentity"]['userId'] || request.headers["Zuora-User-Id"]
+            if session["ldapAdmin"]
+              zuora_user_id = "3"
+            else
+              zuora_user_id = cookies['Zuora-User-Id'] || session["ZuoraCurrentIdentity"]['userId'] || request.headers["Zuora-User-Id"]
+            end
 
             if appinstances.size == 1
               ZuoraConnect.logger.debug("Instance is #{appinstances.to_h.keys.first}")
               @appinstance = ZuoraConnect::AppInstance.find(appinstances.to_h.keys.first)
+              session["appInstance"] = @appinstance.id
+              ZuoraConnect::ZuoraUser.current_user_id = zuora_user_id
+            end
+
+            if session["ldapAdmin"]
+              # Maybe error. Should we return because of condition?
+              session["#{@appinstance.id}::admin"] = true
+              return
             end
 
             # One deployed instance with credentials

data/lib/zuora_connect/engine.rb

@@ -28,12 +28,10 @@ module ZuoraConnect
       end
     end
 
-    initializer "connect.helpers" do
-      ActiveSupport.on_load(:action_controller) do
-        include ZuoraConnect::Controllers::Helpers
-        include ZuoraConnect::Authenticate
-        helper ZuoraConnect::ApplicationHelper
-      end
+    config.to_prepare do
+      ActionController::Base.send(:include, ZuoraConnect::Controllers::Helpers)
+      ActionController::Base.send(:include, ZuoraConnect::Authenticate)
+      ActionController::Base.send(:helper, ZuoraConnect::ApplicationHelper)
     end
   end
 end

data/lib/zuora_connect/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ZuoraConnect
-  VERSION = "3.0.2-p"
+  VERSION = "3.1.0-a"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zuora_connect
 version: !ruby/object:Gem::Version
-  version: 3.0.2.pre.p
+  version: 3.1.0.pre.a
 platform: ruby
 authors:
 - Connect Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-24 00:00:00.000000000 Z
+date: 2022-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: apartment
@@ -121,9 +121,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -131,9 +128,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: raindrops
   requirement: !ruby/object:Gem::Requirement
@@ -162,6 +156,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -365,6 +373,8 @@ files:
 - app/controllers/zuora_connect/api/v1/app_instance_controller.rb
 - app/controllers/zuora_connect/application_controller.rb
 - app/controllers/zuora_connect/static_controller.rb
+- app/helpers/zuora_connect/LDAP/adapter.rb
+- app/helpers/zuora_connect/LDAP/connection.rb
 - app/helpers/zuora_connect/api/v1/app_instance_helper.rb
 - app/helpers/zuora_connect/application_helper.rb
 - app/models/concerns/zuora_connect/auditable.rb
@@ -375,6 +385,7 @@ files:
 - app/models/zuora_connect/zuora_user.rb
 - app/views/layouts/zuora_connect/application.html.erb
 - app/views/sql/refresh_aggregate_table.txt
+- app/views/zuora_connect/application/ldap_login.html.erb
 - app/views/zuora_connect/static/error_handled.html.erb
 - app/views/zuora_connect/static/error_handled.js.erb
 - app/views/zuora_connect/static/error_unhandled.erb