Initial Commit

Author: NZKoz

MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Koziarski Software Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README

@@ -0,0 +1,53 @@
+ActiveDirectoryAuth
+===================
+
+Lets you authenticate users against an ActiveDirectory systems, also provides a test implementation so you don't need to have an LDAP server when developing.  The goal here is to allow you to store your user information in your local database, but use the LDAP information for authentication and retrieving authorization information.
+
+This will add an 'authenticate' method to your model which works as follows:
+
+  @user = User.authenticate("koz", "mypassword") # returns the user
+  @user = User.authenticate("who knows", "not a password") # nil
+
+In order to map from the ldap result to your database, you need to implement a find_from_ldap method on the user class.  It will be passed an ldap user, which responds to a few key methods.  +username+ returns the account name that successfully authenticated.  +roles+ returns the list of configured group which the user is a member of.  It also adds some simple predicate methods for each of the available roles.  For example:
+
+  def self.find_from_ldap(ldap_user)
+    returning find_or_create_by_login(ldap_user.username) do |user|
+      user.permissions.clear
+      if ldap_user.admin?
+        user.admin = true
+      end
+      if ldap_user.printer_operator?
+        user.permissions.create! :code=>"printer"
+      end
+      user.save!
+    end
+  end
+
+There's obviously a risk that users who have been disabled in ldap could still have an active session in the rails application.  
+
+Example
+=======
+
+in production.rb you can write:
+
+User.authenticates_with_active_directory do |config|
+  config.host    = "ldap.example.com"
+  config.base_dn = "DC=example,DC=com"
+  # Only needed if your ldap server doesn't support anonymous binding
+  config.administrator_dn = "CN=administrator,OU=Administrators Group,OU=Systems"
+  config.administrator_password = "admin"
+
+  config.roles :printer_operator => "CN=Printer Operators,CN=Groups",
+               :backup_operator  => "CN=Backup Operators,CN=Groups",
+               :admin            => "CN=Administrators,CN=Groups"
+end
+
+then in development.rb
+
+User.stub_active_directory_authentication do |config|
+  config.user "koz", "a password", :printer_operator, :backup_operator
+  config.user "dhh", "anotherpassword", :admin
+end
+
+
+Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license

Rakefile

@@ -0,0 +1,23 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the active_directory_auth plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the active_directory_auth plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ActiveDirectoryAuth'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

init.rb

@@ -0,0 +1,2 @@
+# Include hook code hereacti
+ActiveRecord::Base.extend(ActiveDirectoryAuth::BaseMethods)

install.rb

@@ -0,0 +1 @@
+# Install hook code here

lib/active_directory_auth.rb

@@ -0,0 +1,130 @@
+# ActiveDirectoryAuth
+
+require 'net/ldap'
+
+module ActiveDirectoryAuth
+  class LdapConnection 
+    attr_accessor :host, :base_dn, :administrator_dn, :administrator_password,
+                  :fetched_attributes
+    
+    
+    def initialize(clazz)
+      @clazz = clazz
+      @host = "localhost"
+      @fetched_attributes = ['dn','sAMAccountName','displayname','SN','givenName', 'memberOf']
+    end
+    
+    def roles(mapping)
+      @roles_mapping = mapping
+    end
+    
+    def authenticate(username, password)
+      ldap = new_ldap_connection
+      ldap.host = @host
+      
+      if @administrator_dn
+        Rails.logger.info([@administrator_dn, @base_dn].join(','))
+        ldap.auth [@administrator_dn, @base_dn].join(','), @administrator_password
+      end
+      
+      if results = ldap.bind_as(:base       => @base_dn, 
+                                :filter     => new_ldap_criteria(username), 
+                                :attributes => @fetched_attributes,
+                                :password   => password)
+        ad_user = results.first
+        Rails.logger.info "Successfully bound as #{username.inspect}"
+        Rails.logger.info "Found #{ad_user.inspect}"
+        @clazz.find_from_ldap(LdapUser.new(ad_user.samaccountname, map_roles(ad_user.memberOf)))
+      else
+        Rails.logger.info "Failed to bind as #{username.inspect} Error: #{ldap.get_operation_result.inspect}"
+        nil
+      end  
+    end
+    
+    def new_ldap_connection
+      Net::LDAP.new
+    end
+    
+    def new_ldap_criteria(username)
+      Net::LDAP::Filter.eq( "sAMAccountName", username )
+    end
+    
+    def map_roles(roles)
+      @roles_mapping.each_with_object(Set.new) do |pair, memo|
+        pretty_name, ldap_name = pair
+        if roles.include?(ldap_name)|| roles.include?([ldap_name, @base_dn].join(','))
+          memo << pretty_name
+        end
+      end
+    end
+  end
+  
+  class StubConnection
+    def initialize(clazz)
+      @clazz = clazz
+      @credentials = {}
+    end
+    
+    def user(username, password, *roles)
+      @credentials[username] = StubUser.new(username, password, roles)
+    end
+    
+    def authenticate(username, password)
+      if (user = @credentials[username]) && user.password == password
+        return @clazz.find_from_ldap(ad_user)
+      else
+        return nil
+      end
+    end
+  end
+  
+  class LdapUser
+    attr_reader :username, :roles
+
+    def initialize(username, roles)
+      @username, @roles = username, roles
+    end
+
+    def method_missing(name, *args)
+      name_s = name.to_s
+      if name_s.ends_with?("?")
+        @roles.include? name_s[0..-2].to_sym
+      else
+        super
+      end
+    end
+  end
+  
+  
+  class StubUser < LdapUser
+    attr_reader :password
+
+    def initialize(username, password, roles)
+      super(username, roles)
+      @password = password
+    end
+  end
+  
+  module BaseMethods
+    def authenticates_with_active_directory
+      yield @ad_config = ActiveDirectoryAuth::LdapConnection.new(self)
+      extend Authenticate
+    end
+
+    def stub_active_directory_authentication
+      yield @ad_config = ActiveDirectoryAuth::StubConnection.new(self)
+      extend Authenticate
+    end
+
+  end
+  
+  module Authenticate
+    def authenticate(user, password)
+      @ad_config.authenticate(user, password)
+    end
+    
+    def find_from_ldap(ldap_user)
+      find_by_login(ldap_user.username)
+    end
+  end
+end

tasks/active_directory_auth_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :active_directory_auth do
+#   # Task goes here
+# end

test/active_directory_auth_test.rb

@@ -0,0 +1,48 @@
+require 'test_helper'
+
+User.authenticates_with_active_directory do |config|
+  config.host    = "ldap.example.com"
+  config.base_dn = "DC=example,DC=com"
+  config.administrator_dn = "CN=administrator,OU=Administrators Group,OU=Systems"
+  config.administrator_password = "admin"
+  
+  config.roles :printer_operator => "CN=Printer Operators,CN=Groups",
+               :backup_operator  => "CN=Backup Operators,CN=Groups",
+               :admin            => "CN=Administrators,CN=Groups"
+end
+
+def User.find_from_ldap(ldap_user)
+  ldap_user
+end
+
+class ActiveDirectoryAuthTest < ActiveSupport::TestCase
+  def setup
+    @ldap_connection = mock()
+    ActiveDirectoryAuth::LdapConnection.any_instance.
+                                        expects(:new_ldap_connection).
+                                        returns(@ldap_connection)
+    #
+    @criteria = mock()
+    ActiveDirectoryAuth::LdapConnection.any_instance.
+                                        expects(:new_ldap_criteria).
+                                        returns(@criteria).with("koz")                                       
+                                        
+    @ldap_connection.expects(:host=).with("ldap.example.com")
+    # @ldap_connection.expects(:host=).with("ldap.example.com")    
+    @ldap_connection.expects(:auth).with('CN=administrator,OU=Administrators Group,OU=Systems,DC=example,DC=com', 'admin')
+    @ldap_connection.expects(:bind_as).
+        with(:password => 'password', 
+             :base => 'DC=example,DC=com', 
+             :filter => @criteria, 
+             :attributes => ['dn', 'sAMAccountName', 'displayname', 'SN', 'givenName', 'memberOf']).
+        returns(stub(:samaccountname=>"koz", :memberOf=>["CN=Printer Operators,CN=Groups", "CN=Backup Operators,CN=Groups,DC=example,DC=com"]))
+    
+  end
+  
+  test "authenticate does what it should" do
+    ldap_user = User.authenticate("koz", "password")
+    assert ldap_user.printer_operator?
+    assert ldap_user.backup_operator?
+    assert !ldap_user.admin?
+  end
+end

test/test_helper.rb

@@ -0,0 +1,3 @@
+require 'rubygems'
+require 'active_support'
+require 'active_support/test_case'

test/user_models_test.rb

@@ -0,0 +1,20 @@
+require 'test_helper'
+
+class UserModelsTest < ActiveSupport::TestCase
+  def setup
+  end
+  include ActiveDirectoryAuth
+  
+  test "Stub user roles work right" do
+    @stub_user = StubUser.new("koz", "password", [:admin, :librarian])
+    assert @stub_user.admin?
+    assert @stub_user.librarian?
+    assert !@stub_user.hax?
+    assert_equal [:admin, :librarian].to_set,
+                 @stub_user.roles.to_set
+  end
+  
+  # test ""
+  
+  
+end