Mercurial > hg > soundsoftware-site

annotate .svn/pristine/df/df9bbf954b4f906004aaa967b48274754ad6dcd0.svn-base @ 1298:4f746d8966dd redmine_2.3_integration

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge from redmine-2.3 branch to create new branch redmine-2.3-integration
author Chris Cannam
date Fri, 14 Jun 2013 09:28:30 +0100
parents 622f24f53b42
children
rev   line source
Chris@1295 1 # Redmine - project management software
Chris@1295 2 # Copyright (C) 2006-2013 Jean-Philippe Lang
Chris@1295 3 #
Chris@1295 4 # This program is free software; you can redistribute it and/or
Chris@1295 5 # modify it under the terms of the GNU General Public License
Chris@1295 6 # as published by the Free Software Foundation; either version 2
Chris@1295 7 # of the License, or (at your option) any later version.
Chris@1295 8 #
Chris@1295 9 # This program is distributed in the hope that it will be useful,
Chris@1295 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
Chris@1295 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
Chris@1295 12 # GNU General Public License for more details.
Chris@1295 13 #
Chris@1295 14 # You should have received a copy of the GNU General Public License
Chris@1295 15 # along with this program; if not, write to the Free Software
Chris@1295 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Chris@1295 17
Chris@1295 18 require 'net/ldap'
Chris@1295 19 require 'net/ldap/dn'
Chris@1295 20 require 'timeout'
Chris@1295 21
Chris@1295 22 class AuthSourceLdap < AuthSource
Chris@1295 23 validates_presence_of :host, :port, :attr_login
Chris@1295 24 validates_length_of :name, :host, :maximum => 60, :allow_nil => true
Chris@1295 25 validates_length_of :account, :account_password, :base_dn, :filter, :maximum => 255, :allow_blank => true
Chris@1295 26 validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
Chris@1295 27 validates_numericality_of :port, :only_integer => true
Chris@1295 28 validates_numericality_of :timeout, :only_integer => true, :allow_blank => true
Chris@1295 29 validate :validate_filter
Chris@1295 30
Chris@1295 31 before_validation :strip_ldap_attributes
Chris@1295 32
Chris@1295 33 def initialize(attributes=nil, *args)
Chris@1295 34 super
Chris@1295 35 self.port = 389 if self.port == 0
Chris@1295 36 end
Chris@1295 37
Chris@1295 38 def authenticate(login, password)
Chris@1295 39 return nil if login.blank? || password.blank?
Chris@1295 40
Chris@1295 41 with_timeout do
Chris@1295 42 attrs = get_user_dn(login, password)
Chris@1295 43 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
Chris@1295 44 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
Chris@1295 45 return attrs.except(:dn)
Chris@1295 46 end
Chris@1295 47 end
Chris@1295 48 rescue Net::LDAP::LdapError => e
Chris@1295 49 raise AuthSourceException.new(e.message)
Chris@1295 50 end
Chris@1295 51
Chris@1295 52 # test the connection to the LDAP
Chris@1295 53 def test_connection
Chris@1295 54 with_timeout do
Chris@1295 55 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@1295 56 ldap_con.open { }
Chris@1295 57 end
Chris@1295 58 rescue Net::LDAP::LdapError => e
Chris@1295 59 raise AuthSourceException.new(e.message)
Chris@1295 60 end
Chris@1295 61
Chris@1295 62 def auth_method_name
Chris@1295 63 "LDAP"
Chris@1295 64 end
Chris@1295 65
Chris@1295 66 # Returns true if this source can be searched for users
Chris@1295 67 def searchable?
Chris@1295 68 !account.to_s.include?("$login") && %w(login firstname lastname mail).all? {|a| send("attr_#{a}?")}
Chris@1295 69 end
Chris@1295 70
Chris@1295 71 # Searches the source for users and returns an array of results
Chris@1295 72 def search(q)
Chris@1295 73 q = q.to_s.strip
Chris@1295 74 return [] unless searchable? && q.present?
Chris@1295 75
Chris@1295 76 results = []
Chris@1295 77 search_filter = base_filter & Net::LDAP::Filter.begins(self.attr_login, q)
Chris@1295 78 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@1295 79 ldap_con.search(:base => self.base_dn,
Chris@1295 80 :filter => search_filter,
Chris@1295 81 :attributes => ['dn', self.attr_login, self.attr_firstname, self.attr_lastname, self.attr_mail],
Chris@1295 82 :size => 10) do |entry|
Chris@1295 83 attrs = get_user_attributes_from_ldap_entry(entry)
Chris@1295 84 attrs[:login] = AuthSourceLdap.get_attr(entry, self.attr_login)
Chris@1295 85 results << attrs
Chris@1295 86 end
Chris@1295 87 results
Chris@1295 88 rescue Net::LDAP::LdapError => e
Chris@1295 89 raise AuthSourceException.new(e.message)
Chris@1295 90 end
Chris@1295 91
Chris@1295 92 private
Chris@1295 93
Chris@1295 94 def with_timeout(&block)
Chris@1295 95 timeout = self.timeout
Chris@1295 96 timeout = 20 unless timeout && timeout > 0
Chris@1295 97 Timeout.timeout(timeout) do
Chris@1295 98 return yield
Chris@1295 99 end
Chris@1295 100 rescue Timeout::Error => e
Chris@1295 101 raise AuthSourceTimeoutException.new(e.message)
Chris@1295 102 end
Chris@1295 103
Chris@1295 104 def ldap_filter
Chris@1295 105 if filter.present?
Chris@1295 106 Net::LDAP::Filter.construct(filter)
Chris@1295 107 end
Chris@1295 108 rescue Net::LDAP::LdapError
Chris@1295 109 nil
Chris@1295 110 end
Chris@1295 111
Chris@1295 112 def base_filter
Chris@1295 113 filter = Net::LDAP::Filter.eq("objectClass", "*")
Chris@1295 114 if f = ldap_filter
Chris@1295 115 filter = filter & f
Chris@1295 116 end
Chris@1295 117 filter
Chris@1295 118 end
Chris@1295 119
Chris@1295 120 def validate_filter
Chris@1295 121 if filter.present? && ldap_filter.nil?
Chris@1295 122 errors.add(:filter, :invalid)
Chris@1295 123 end
Chris@1295 124 end
Chris@1295 125
Chris@1295 126 def strip_ldap_attributes
Chris@1295 127 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr|
Chris@1295 128 write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil?
Chris@1295 129 end
Chris@1295 130 end
Chris@1295 131
Chris@1295 132 def initialize_ldap_con(ldap_user, ldap_password)
Chris@1295 133 options = { :host => self.host,
Chris@1295 134 :port => self.port,
Chris@1295 135 :encryption => (self.tls ? :simple_tls : nil)
Chris@1295 136 }
Chris@1295 137 options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
Chris@1295 138 Net::LDAP.new options
Chris@1295 139 end
Chris@1295 140
Chris@1295 141 def get_user_attributes_from_ldap_entry(entry)
Chris@1295 142 {
Chris@1295 143 :dn => entry.dn,
Chris@1295 144 :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname),
Chris@1295 145 :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname),
Chris@1295 146 :mail => AuthSourceLdap.get_attr(entry, self.attr_mail),
Chris@1295 147 :auth_source_id => self.id
Chris@1295 148 }
Chris@1295 149 end
Chris@1295 150
Chris@1295 151 # Return the attributes needed for the LDAP search. It will only
Chris@1295 152 # include the user attributes if on-the-fly registration is enabled
Chris@1295 153 def search_attributes
Chris@1295 154 if onthefly_register?
Chris@1295 155 ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail]
Chris@1295 156 else
Chris@1295 157 ['dn']
Chris@1295 158 end
Chris@1295 159 end
Chris@1295 160
Chris@1295 161 # Check if a DN (user record) authenticates with the password
Chris@1295 162 def authenticate_dn(dn, password)
Chris@1295 163 if dn.present? && password.present?
Chris@1295 164 initialize_ldap_con(dn, password).bind
Chris@1295 165 end
Chris@1295 166 end
Chris@1295 167
Chris@1295 168 # Get the user's dn and any attributes for them, given their login
Chris@1295 169 def get_user_dn(login, password)
Chris@1295 170 ldap_con = nil
Chris@1295 171 if self.account && self.account.include?("$login")
Chris@1295 172 ldap_con = initialize_ldap_con(self.account.sub("$login", Net::LDAP::DN.escape(login)), password)
Chris@1295 173 else
Chris@1295 174 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@1295 175 end
Chris@1295 176 attrs = {}
Chris@1295 177 search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login)
Chris@1295 178
Chris@1295 179 ldap_con.search( :base => self.base_dn,
Chris@1295 180 :filter => search_filter,
Chris@1295 181 :attributes=> search_attributes) do |entry|
Chris@1295 182
Chris@1295 183 if onthefly_register?
Chris@1295 184 attrs = get_user_attributes_from_ldap_entry(entry)
Chris@1295 185 else
Chris@1295 186 attrs = {:dn => entry.dn}
Chris@1295 187 end
Chris@1295 188
Chris@1295 189 logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
Chris@1295 190 end
Chris@1295 191
Chris@1295 192 attrs
Chris@1295 193 end
Chris@1295 194
Chris@1295 195 def self.get_attr(entry, attr_name)
Chris@1295 196 if !attr_name.blank?
Chris@1295 197 entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name]
Chris@1295 198 end
Chris@1295 199 end
Chris@1295 200 end