zuora_connect 3.0.2.pre.p → 3.0.2.pre.q

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10ba53dbb68c71e4355316f0446236cec11abb0e0a1c1fb50db56f932aa566a1
-  data.tar.gz: 5fc99abb2ed44c998fff5ee1b80e02e0b7ccea9f8b905d4057ad9cdb50dbdf6c
+  metadata.gz: 01f35a8df0d99f5782e2a488d77986dfef279609aac6d88dc0687cb61ca2bc96
+  data.tar.gz: dc67e0d6e8557534ebadc62943e9746f7f6d53397b995b8d9c8708ce88233ba5
 SHA512:
-  metadata.gz: e1258e6b3f018f184992fdbd2d956de1c4e5575ddf3ce531087cbda43e72703bc257a46bffdd8b14d7840b997109fd2e18f4c3b3c1a25144d8304debe6d96ddb
-  data.tar.gz: 0ae63bcaee8a665c53f1b43b065111621d66550130c42632431b685be9332eab9452db43afc22bcd20a9a44260a6e4d200fb0e44bdc14c826084461cba18a0ea
+  metadata.gz: '082eef57746ff61b3dcf38b3ab9737c3f96c0e1437698e5e8d47cdcea34e29e3e6bee0e68d3529e073699747b2db2b9cff3fd4ccb9a00ee70c6a4c8ee9922777'
+  data.tar.gz: e44388593aff7b52334dfcc35a1876ba689d66a84defed23b7d5e9f52e55c6d932b35433fe9f8b5b94617e91d435337a6a9bfd48ed03ec5334ac0a2088afe7eb

data/app/controllers/zuora_connect/application_controller.rb

@@ -1,8 +1,33 @@
 module ZuoraConnect
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception
-    before_action :authenticate_connect_app_request
-    after_action :persist_connect_app_session
+    before_action :authenticate_connect_app_request, except: [:ldap_login]
+    after_action :persist_connect_app_session, except: [:ldap_login]
 
+    def ldap_login
+      require 'net-ldap'
+
+      username = request.parameters['ldap_username']
+      password = request.parameters['ldap_password']
+
+      begin
+        if ZuoraConnect::LDAP::Adapter.valid_credentials?(username, password)
+          session['ldapAdmin'] = true
+          respond_to do |format|
+            format.html { redirect_to '/admin/app_instances' }
+          end
+        else
+          render 'zuora_connect/application/ldap_login', locals: {
+            title: 'LDAP Authentication Failed',
+            message: 'Invalid username or password'
+          }
+        end
+      rescue Net::LDAP::Error
+        render 'zuora_connect/application/ldap_login', locals: {
+          title: 'LDAP Authentication Net Error',
+          message: 'Failed to connect to server while authenticating the LDAP credentials. Please retry later.'
+        }
+      end
+    end
   end
 end

data/app/helpers/zuora_connect/LDAP/adapter.rb

@@ -0,0 +1,16 @@
+module ZuoraConnect
+  module LDAP
+    module Adapter
+      def self.valid_credentials?(login, password_plaintext)
+        options = {
+          login: login,
+          password: password_plaintext,
+          ldap_auth_username_builder: proc { |attribute, login, _| "#{attribute}=#{login}" },
+          admin: true
+        }
+        ldap_connection = ZuoraConnect::LDAP::Connection.new(options)
+        ldap_connection.authorized?
+      end
+    end
+  end
+end

data/app/helpers/zuora_connect/LDAP/connection.rb

@@ -0,0 +1,123 @@
+# Copied from devise lib and deleted not useful functionality
+
+module ZuoraConnect
+  module LDAP
+    class Connection
+      attr_reader :ldap, :login
+
+      def initialize(params = {})
+        ldap_config = YAML.load(ERB.new(File.read("#{Rails.root}/config/ldap.yml")).result)[Rails.env]
+        ldap_options = params
+
+        # Allow `ssl: true` shorthand in YAML, but enable more control with `encryption`
+        ldap_config['ssl'] = :simple_tls if ldap_config['ssl'] === true
+        ldap_options[:encryption] = ldap_config['ssl'].to_sym if ldap_config['ssl']
+        ldap_options[:encryption] = ldap_config['encryption'] if ldap_config['encryption']
+
+        @ldap = Net::LDAP.new(ldap_options)
+        @ldap.host = ldap_config['host']
+        @ldap.port = ldap_config['port']
+        @ldap.base = ldap_config['base']
+        @attribute = ldap_config['attribute']
+        @allow_unauthenticated_bind = ldap_config['allow_unauthenticated_bind']
+
+        @ldap_auth_username_builder = params[:ldap_auth_username_builder]
+
+        @group_base = ldap_config['group_base']
+        @check_group_membership = ldap_config.key?('check_group_membership') ? ldap_config['check_group_membership'] : false
+        @check_group_membership_without_admin = ldap_config.key?('check_group_membership_without_admin') ? ldap_config['check_group_membership_without_admin'] : false
+        @required_groups = ldap_config['required_groups']
+        @group_membership_attribute = ldap_config.key?('group_membership_attribute') ? ldap_config['group_membership_attribute'] : 'uniqueMember'
+        @required_attributes = ldap_config['require_attribute']
+        @required_attributes_presence = ldap_config['require_attribute_presence']
+
+        @ldap.auth ldap_config['admin_user'], ldap_config['admin_password'] if params[:admin]
+
+        @login = params[:login]
+        @password = params[:password]
+        @new_password = params[:new_password]
+      end
+
+      def dn
+        @dn ||= begin
+                  ZuoraConnect::logger.debug("LDAP dn lookup: #{@attribute}=#{@login}")
+                  ldap_entry = search_for_login
+                  if ldap_entry.nil?
+                    @ldap_auth_username_builder.call(@attribute,@login,@ldap)
+                  else
+                    ldap_entry.dn
+                  end
+                end
+      end
+
+      def search_for_login
+        @login_ldap_entry ||= begin
+                                ZuoraConnect::logger.debug("LDAP search for login: #{@attribute}=#{@login}")
+                                filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
+                                ldap_entry = nil
+                                match_count = 0
+                                @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1}
+                                op_result= @ldap.get_operation_result
+                                if op_result.code!=0
+                                  ZuoraConnect::logger.debug("LDAP Error #{op_result.code}: #{op_result.message}")
+                                end
+                                ZuoraConnect::logger.debug("LDAP search yielded #{match_count} matches")
+                                ldap_entry
+                              end
+      end
+
+      def authenticate!
+        return false unless @password.present? || @allow_unauthenticated_bind
+        @ldap.auth(dn, @password)
+        @ldap.bind
+      end
+
+      def authenticated?
+        authenticate!
+      end
+
+      def last_message_bad_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 52e'
+      end
+
+      def last_message_expired_credentials?
+        @ldap.get_operation_result.error_message.to_s.include? 'AcceptSecurityContext error, data 773'
+      end
+
+      def authorized?
+        ZuoraConnect::logger.debug("Authorizing user #{dn}")
+        if !authenticated?
+          if last_message_bad_credentials?
+            ZuoraConnect::logger.debug('Not authorized because of invalid credentials.')
+          elsif last_message_expired_credentials?
+            ZuoraConnect::logger.debug('Not authorized because of expired credentials.')
+          else
+            ZuoraConnect::logger.debug('Not authorized because not authenticated.')
+          end
+
+          false
+        elsif !in_required_groups?
+          ZuoraConnect::logger.debug('Not authorized because not in required groups.')
+          false
+        else
+          true
+        end
+      end
+
+      def in_required_groups?
+        return true unless @check_group_membership || @check_group_membership_without_admin
+
+        return false if @required_groups.nil?
+
+        @required_groups.each do |group|
+          if group.is_a?(Array)
+            return false unless in_group?(group[1], group[0])
+          else
+            return false unless in_group?(group)
+          end
+        end
+        true
+      end
+    end
+  end
+end

data/app/views/zuora_connect/application/ldap_login.html.erb

@@ -0,0 +1,194 @@
+<html>
+  <head>
+    <title>LDAP Log in</title>
+    <style>
+        * {
+            box-sizing: border-box;
+            margin: 0;
+            padding: 0;
+            font-family: Raleway, sans-serif;
+        }
+
+        body {
+            background: linear-gradient(90deg, #C7C5F4, #776BCC);
+        }
+
+        .container {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            min-height: 100vh;
+        }
+
+        .screen {
+            background: linear-gradient(90deg, #5D54A4, #7C78B8);
+            position: relative;
+            height: 600px;
+            width: 360px;
+            box-shadow: 0px 0px 24px #5C5696;
+        }
+
+        .screen__content {
+            z-index: 1;
+            position: relative;
+            height: 100%;
+        }
+
+        .screen__background {
+            position: absolute;
+            top: 0;
+            left: 0;
+            right: 0;
+            bottom: 0;
+            z-index: 0;
+            -webkit-clip-path: inset(0 0 0 0);
+            clip-path: inset(0 0 0 0);
+        }
+
+        .screen__background__shape {
+            transform: rotate(45deg);
+            position: absolute;
+        }
+
+        .screen__background__shape1 {
+            height: 520px;
+            width: 520px;
+            background: #FFF;
+            top: -50px;
+            right: 120px;
+            border-radius: 0 72px 0 0;
+        }
+
+        .screen__background__shape2 {
+            height: 220px;
+            width: 220px;
+            background: #6C63AC;
+            top: -172px;
+            right: 0;
+            border-radius: 32px;
+        }
+
+        .screen__background__shape3 {
+            height: 540px;
+            width: 190px;
+            background: linear-gradient(270deg, #5D54A4, #6A679E);
+            top: -24px;
+            right: 0;
+            border-radius: 32px;
+        }
+
+        .screen__background__shape4 {
+            height: 400px;
+            width: 200px;
+            background: #7E7BB9;
+            top: 420px;
+            right: 50px;
+            border-radius: 60px;
+        }
+
+        .login {
+            width: 320px;
+            padding: 30px;
+            padding-top: 156px;
+        }
+
+        .login__field {
+            padding: 20px 0px;
+            position: relative;
+        }
+
+        .login__icon {
+            position: absolute;
+            top: 30px;
+            color: #7875B5;
+        }
+
+        .login__input {
+            border: none;
+            border-bottom: 2px solid #D1D1D4;
+            background: none;
+            padding: 10px;
+            padding-left: 24px;
+            font-weight: 700;
+            width: 75%;
+            transition: .2s;
+        }
+
+        .login__input:active,
+        .login__input:focus,
+        .login__input:hover {
+            outline: none;
+            border-bottom-color: #6A679E;
+        }
+
+        .login__submit {
+            background: #fff;
+            font-size: 14px;
+            margin-top: 30px;
+            padding: 16px 20px;
+            border-radius: 26px;
+            border: 1px solid #D4D3E8;
+            text-transform: uppercase;
+            font-weight: 700;
+            display: flex;
+            align-items: center;
+            width: 100%;
+            color: #4C489D;
+            box-shadow: 0px 2px 2px #5C5696;
+            cursor: pointer;
+            transition: .2s;
+        }
+
+        .login__submit:active,
+        .login__submit:focus,
+        .login__submit:hover {
+            border-color: #6A679E;
+            outline: none;
+        }
+
+        .error{
+            color: #D8000C;
+            background-color: #FFBABA;
+        }
+    </style>
+  </head>
+
+  <body>
+    <div class="container">
+      <div class="screen">
+        <div class="screen__content">
+
+          <%= form_with class: "login", url: "/connect/ldap_login", method: :post do |f| %>
+            <div class="login__field">
+              <%= f.text_field :ldap_username, placeholder: "Username", class: "login__input" %>
+            </div>
+
+            <div class="login__field">
+              <%= f.password_field :ldap_password, placeholder: "Password", class: "login__input" %>
+            </div>
+
+            <%= f.button "Log in", class: "button login__submit" %>
+
+          <% end %>
+
+          <% if defined?(message) && defined?(title) %>
+            <div class="error">
+              <h3><%= title %></h3>
+              <p><%= message.html_safe %></p>
+            </div>
+          <% end %>
+
+        </div>
+
+        <div class="screen__background">
+          <span class="screen__background__shape screen__background__shape4"></span>
+          <span class="screen__background__shape screen__background__shape3"></span>
+          <span class="screen__background__shape screen__background__shape2"></span>
+          <span class="screen__background__shape screen__background__shape1"></span>
+        </div>
+
+      </div>
+    </div>
+
+  </body>
+</html>

data/config/routes.rb

@@ -15,4 +15,6 @@ ZuoraConnect::Engine.routes.draw do
       end
     end
   end
+
+  post "ldap_login" => 'application#ldap_login'
 end

data/lib/zuora_connect/controllers/helpers.rb

@@ -320,6 +320,11 @@ module ZuoraConnect
           elsif cookies['ZSession'].present?
             zuora_client = ZuoraAPI::Basic.new(url: "https://#{zuora_host}", session: cookies['ZSession'], entity_id: zuora_entity_id)
             auth_headers.merge!({'Authorization' => "ZSession-a3N2w #{zuora_client.get_session(prefix: false, auth_type: :basic)}"})
+          elsif session["ldapAdmin"]
+            ZuoraConnect::logger.debug("Admin session found")
+          elsif ZuoraConnect::AppInstance::INTERNAL_HOSTS.include?(request.headers.fetch("HOST", nil))
+            render "zuora_connect/application/ldap_login"
+            return
           else
             render "zuora_connect/static/error_handled", :locals => {
               :title => "Missing Authorization Token",
@@ -336,7 +341,7 @@ module ZuoraConnect
             missmatched_entity = session["ZuoraCurrentEntity"] != zuora_entity_id
             missing_identity = session["ZuoraCurrentIdentity"].blank?
 
-            if (missing_identity || missmatched_entity || different_zsession)
+            if (missing_identity || missmatched_entity || different_zsession) && (!session["ldapAdmin"])
               zuora_details.merge!({'identity' => {'different_zsession' => different_zsession, 'missing_identity' => missing_identity, 'missmatched_entity' => missmatched_entity}})
               identity, response = zuora_client.rest_call(
                 url: zuora_client.rest_endpoint("identity"),
@@ -367,7 +372,6 @@ module ZuoraConnect
               if is_different_user || params[:sidebar_launch].to_s.to_bool
                 zuora_instance_id = nil
                 ZuoraConnect.logger.debug("UI Authorization", zuora: zuora_details)
-
                 client_describe, response = zuora_client.rest_call(
                   url: zuora_client.rest_endpoint("genesis/user/info").gsub('v1/', ''),
                   session_type: zuora_client.class == ZuoraAPI::Oauth ? :bearer : :basic,
@@ -378,8 +382,10 @@ module ZuoraConnect
               end
             end
 
+            if session["ldapAdmin"]
+              appinstances = ZuoraConnect::AppInstance.pluck(:id, :name)
             #Find matching app instances.
-            if zuora_instance_id.present?
+            elsif zuora_instance_id.present?
               appinstances = ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host AND id = :id", entities: [zuora_entity_id], host: zuora_client.rest_domain, id: zuora_instance_id.to_i).pluck(:id, :name)
             else
               #if app_instance_ids is present then permissions still controlled by connect
@@ -417,11 +423,22 @@ module ZuoraConnect
               appinstances ||= ZuoraConnect::AppInstance.where("zuora_entity_ids ?& array[:entities] = true AND zuora_domain = :host", entities: [zuora_entity_id], host: zuora_client.rest_domain).pluck(:id, :name)
             end
 
-            zuora_user_id = cookies['Zuora-User-Id'] || session["ZuoraCurrentIdentity"]['userId'] || request.headers["Zuora-User-Id"]
+            if session["ldapAdmin"]
+              zuora_user_id = "3"
+            else
+              zuora_user_id = cookies['Zuora-User-Id'] || session["ZuoraCurrentIdentity"]['userId'] || request.headers["Zuora-User-Id"]
+            end
 
             if appinstances.size == 1
-              ZuoraConnect.logger.debug("Instance is #{appinstances.to_h.keys.first}")
               @appinstance = ZuoraConnect::AppInstance.find(appinstances.to_h.keys.first)
+              session["appInstance"] = @appinstance.id
+              ZuoraConnect::ZuoraUser.current_user_id = zuora_user_id
+            end
+
+            if session["ldapAdmin"]
+              # Maybe error. Should we return because of condition?
+              session["#{@appinstance.id}::admin"] = true
+              return
             end
 
             # One deployed instance with credentials

data/lib/zuora_connect/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ZuoraConnect
-  VERSION = "3.0.2-p"
+  VERSION = "3.0.2-q"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zuora_connect
 version: !ruby/object:Gem::Version
-  version: 3.0.2.pre.p
+  version: 3.0.2.pre.q
 platform: ruby
 authors:
 - Connect Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-24 00:00:00.000000000 Z
+date: 2022-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: apartment
@@ -162,6 +162,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -365,6 +379,8 @@ files:
 - app/controllers/zuora_connect/api/v1/app_instance_controller.rb
 - app/controllers/zuora_connect/application_controller.rb
 - app/controllers/zuora_connect/static_controller.rb
+- app/helpers/zuora_connect/LDAP/adapter.rb
+- app/helpers/zuora_connect/LDAP/connection.rb
 - app/helpers/zuora_connect/api/v1/app_instance_helper.rb
 - app/helpers/zuora_connect/application_helper.rb
 - app/models/concerns/zuora_connect/auditable.rb
@@ -375,6 +391,7 @@ files:
 - app/models/zuora_connect/zuora_user.rb
 - app/views/layouts/zuora_connect/application.html.erb
 - app/views/sql/refresh_aggregate_table.txt
+- app/views/zuora_connect/application/ldap_login.html.erb
 - app/views/zuora_connect/static/error_handled.html.erb
 - app/views/zuora_connect/static/error_handled.js.erb
 - app/views/zuora_connect/static/error_unhandled.erb