annotate .svn/pristine/61/618e00d1598c8e873b103e16b1ef40228550fc2b.svn-base @ 1519:afce8026aaeb redmine-2.4-integration

Merge from branch "live"
author Chris Cannam
date Tue, 09 Sep 2014 09:34:53 +0100
parents e248c7af89ec
children
rev   line source
Chris@1494 1 # Redmine - project management software
Chris@1494 2 # Copyright (C) 2006-2014 Jean-Philippe Lang
Chris@1494 3 #
Chris@1494 4 # This program is free software; you can redistribute it and/or
Chris@1494 5 # modify it under the terms of the GNU General Public License
Chris@1494 6 # as published by the Free Software Foundation; either version 2
Chris@1494 7 # of the License, or (at your option) any later version.
Chris@1494 8 #
Chris@1494 9 # This program is distributed in the hope that it will be useful,
Chris@1494 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
Chris@1494 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
Chris@1494 12 # GNU General Public License for more details.
Chris@1494 13 #
Chris@1494 14 # You should have received a copy of the GNU General Public License
Chris@1494 15 # along with this program; if not, write to the Free Software
Chris@1494 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Chris@1494 17
Chris@1494 18 require 'net/ldap'
Chris@1494 19 require 'net/ldap/dn'
Chris@1494 20 require 'timeout'
Chris@1494 21
Chris@1494 22 class AuthSourceLdap < AuthSource
Chris@1494 23 validates_presence_of :host, :port, :attr_login
Chris@1494 24 validates_length_of :name, :host, :maximum => 60, :allow_nil => true
Chris@1494 25 validates_length_of :account, :account_password, :base_dn, :filter, :maximum => 255, :allow_blank => true
Chris@1494 26 validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
Chris@1494 27 validates_numericality_of :port, :only_integer => true
Chris@1494 28 validates_numericality_of :timeout, :only_integer => true, :allow_blank => true
Chris@1494 29 validate :validate_filter
Chris@1494 30
Chris@1494 31 before_validation :strip_ldap_attributes
Chris@1494 32
Chris@1494 33 def initialize(attributes=nil, *args)
Chris@1494 34 super
Chris@1494 35 self.port = 389 if self.port == 0
Chris@1494 36 end
Chris@1494 37
Chris@1494 38 def authenticate(login, password)
Chris@1494 39 return nil if login.blank? || password.blank?
Chris@1494 40
Chris@1494 41 with_timeout do
Chris@1494 42 attrs = get_user_dn(login, password)
Chris@1494 43 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
Chris@1494 44 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
Chris@1494 45 return attrs.except(:dn)
Chris@1494 46 end
Chris@1494 47 end
Chris@1494 48 rescue Net::LDAP::LdapError => e
Chris@1494 49 raise AuthSourceException.new(e.message)
Chris@1494 50 end
Chris@1494 51
Chris@1494 52 # test the connection to the LDAP
Chris@1494 53 def test_connection
Chris@1494 54 with_timeout do
Chris@1494 55 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@1494 56 ldap_con.open { }
Chris@1494 57 end
Chris@1494 58 rescue Net::LDAP::LdapError => e
Chris@1494 59 raise AuthSourceException.new(e.message)
Chris@1494 60 end
Chris@1494 61
Chris@1494 62 def auth_method_name
Chris@1494 63 "LDAP"
Chris@1494 64 end
Chris@1494 65
Chris@1494 66 # Returns true if this source can be searched for users
Chris@1494 67 def searchable?
Chris@1494 68 !account.to_s.include?("$login") && %w(login firstname lastname mail).all? {|a| send("attr_#{a}?")}
Chris@1494 69 end
Chris@1494 70
Chris@1494 71 # Searches the source for users and returns an array of results
Chris@1494 72 def search(q)
Chris@1494 73 q = q.to_s.strip
Chris@1494 74 return [] unless searchable? && q.present?
Chris@1494 75
Chris@1494 76 results = []
Chris@1494 77 search_filter = base_filter & Net::LDAP::Filter.begins(self.attr_login, q)
Chris@1494 78 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@1494 79 ldap_con.search(:base => self.base_dn,
Chris@1494 80 :filter => search_filter,
Chris@1494 81 :attributes => ['dn', self.attr_login, self.attr_firstname, self.attr_lastname, self.attr_mail],
Chris@1494 82 :size => 10) do |entry|
Chris@1494 83 attrs = get_user_attributes_from_ldap_entry(entry)
Chris@1494 84 attrs[:login] = AuthSourceLdap.get_attr(entry, self.attr_login)
Chris@1494 85 results << attrs
Chris@1494 86 end
Chris@1494 87 results
Chris@1494 88 rescue Net::LDAP::LdapError => e
Chris@1494 89 raise AuthSourceException.new(e.message)
Chris@1494 90 end
Chris@1494 91
Chris@1494 92 private
Chris@1494 93
Chris@1494 94 def with_timeout(&block)
Chris@1494 95 timeout = self.timeout
Chris@1494 96 timeout = 20 unless timeout && timeout > 0
Chris@1494 97 Timeout.timeout(timeout) do
Chris@1494 98 return yield
Chris@1494 99 end
Chris@1494 100 rescue Timeout::Error => e
Chris@1494 101 raise AuthSourceTimeoutException.new(e.message)
Chris@1494 102 end
Chris@1494 103
Chris@1494 104 def ldap_filter
Chris@1494 105 if filter.present?
Chris@1494 106 Net::LDAP::Filter.construct(filter)
Chris@1494 107 end
Chris@1494 108 rescue Net::LDAP::LdapError
Chris@1494 109 nil
Chris@1494 110 end
Chris@1494 111
Chris@1494 112 def base_filter
Chris@1494 113 filter = Net::LDAP::Filter.eq("objectClass", "*")
Chris@1494 114 if f = ldap_filter
Chris@1494 115 filter = filter & f
Chris@1494 116 end
Chris@1494 117 filter
Chris@1494 118 end
Chris@1494 119
Chris@1494 120 def validate_filter
Chris@1494 121 if filter.present? && ldap_filter.nil?
Chris@1494 122 errors.add(:filter, :invalid)
Chris@1494 123 end
Chris@1494 124 end
Chris@1494 125
Chris@1494 126 def strip_ldap_attributes
Chris@1494 127 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr|
Chris@1494 128 write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil?
Chris@1494 129 end
Chris@1494 130 end
Chris@1494 131
Chris@1494 132 def initialize_ldap_con(ldap_user, ldap_password)
Chris@1494 133 options = { :host => self.host,
Chris@1494 134 :port => self.port,
Chris@1494 135 :encryption => (self.tls ? :simple_tls : nil)
Chris@1494 136 }
Chris@1494 137 options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
Chris@1494 138 Net::LDAP.new options
Chris@1494 139 end
Chris@1494 140
Chris@1494 141 def get_user_attributes_from_ldap_entry(entry)
Chris@1494 142 {
Chris@1494 143 :dn => entry.dn,
Chris@1494 144 :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname),
Chris@1494 145 :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname),
Chris@1494 146 :mail => AuthSourceLdap.get_attr(entry, self.attr_mail),
Chris@1494 147 :auth_source_id => self.id
Chris@1494 148 }
Chris@1494 149 end
Chris@1494 150
Chris@1494 151 # Return the attributes needed for the LDAP search. It will only
Chris@1494 152 # include the user attributes if on-the-fly registration is enabled
Chris@1494 153 def search_attributes
Chris@1494 154 if onthefly_register?
Chris@1494 155 ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail]
Chris@1494 156 else
Chris@1494 157 ['dn']
Chris@1494 158 end
Chris@1494 159 end
Chris@1494 160
Chris@1494 161 # Check if a DN (user record) authenticates with the password
Chris@1494 162 def authenticate_dn(dn, password)
Chris@1494 163 if dn.present? && password.present?
Chris@1494 164 initialize_ldap_con(dn, password).bind
Chris@1494 165 end
Chris@1494 166 end
Chris@1494 167
Chris@1494 168 # Get the user's dn and any attributes for them, given their login
Chris@1494 169 def get_user_dn(login, password)
Chris@1494 170 ldap_con = nil
Chris@1494 171 if self.account && self.account.include?("$login")
Chris@1494 172 ldap_con = initialize_ldap_con(self.account.sub("$login", Net::LDAP::DN.escape(login)), password)
Chris@1494 173 else
Chris@1494 174 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@1494 175 end
Chris@1494 176 attrs = {}
Chris@1494 177 search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login)
Chris@1494 178
Chris@1494 179 ldap_con.search( :base => self.base_dn,
Chris@1494 180 :filter => search_filter,
Chris@1494 181 :attributes=> search_attributes) do |entry|
Chris@1494 182
Chris@1494 183 if onthefly_register?
Chris@1494 184 attrs = get_user_attributes_from_ldap_entry(entry)
Chris@1494 185 else
Chris@1494 186 attrs = {:dn => entry.dn}
Chris@1494 187 end
Chris@1494 188
Chris@1494 189 logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
Chris@1494 190 end
Chris@1494 191
Chris@1494 192 attrs
Chris@1494 193 end
Chris@1494 194
Chris@1494 195 def self.get_attr(entry, attr_name)
Chris@1494 196 if !attr_name.blank?
Chris@1494 197 entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name]
Chris@1494 198 end
Chris@1494 199 end
Chris@1494 200 end