Class: ZuoraConnect::LDAP::Connection

Inherits:
Object
Defined in:
app/helpers/zuora_connect/LDAP/connection.rb


Constructor Details

#initialize(params = {}) ⇒ Connection

Returns a new instance of Connection.



# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 8

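# Builds an LDAP client from the current Rails.env section of config/ldap.yml,
# combined with per-request options.
#
# @param params [Hash] request-scoped options:
#   :login, :password, :new_password — credentials for the user bind (see #authenticate!)
#   :admin — when truthy, pre-authenticate the client with admin_user/admin_password
#            from the config
#   :ldap_auth_username_builder — callable used by #dn when the login search finds
#            no entry; called with (attribute, login, ldap_client)
#   Remaining keys are forwarded to Net::LDAP.new (e.g. :encryption); the
#   host/port/base from the config are applied afterwards and take precedence.
def initialize(params = {})
  # NOTE(review): YAML.load on Psych < 4 (Ruby < 3.1) can instantiate arbitrary
  # Ruby objects. config/ldap.yml is deployer-controlled, but YAML.safe_load is
  # the conservative choice if the file only needs plain scalars and maps —
  # TODO confirm against the real file before switching.
  # A missing environment section leaves ldap_config nil and fails on the first
  # assignment below.
  ldap_config = YAML.load(ERB.new(File.read("#{Rails.root}/config/ldap.yml")).result)[Rails.env]
  # Work on a copy so the :encryption assignments below do not leak back into
  # the caller's hash.
  ldap_options = params.dup

  # Allow `ssl: true` shorthand in YAML, but enable more control with `encryption`.
  # The comparison is against the literal true on purpose: a string value such as
  # "start_tls" must be passed through as-is and symbolised on the next line.
  ldap_config['ssl'] = :simple_tls if ldap_config['ssl'] == true
  ldap_options[:encryption] = ldap_config['ssl'].to_sym if ldap_config['ssl']
  # An explicit `encryption` key always wins over the `ssl` shorthand.
  ldap_options[:encryption] = ldap_config['encryption'] if ldap_config['encryption']

  @ldap = Net::LDAP.new(ldap_options)
  @ldap.host = ldap_config['host']
  @ldap.port = ldap_config['port']
  @ldap.base = ldap_config['base']
  # Attribute the login is matched against in #search_for_login (e.g. uid).
  @attribute = ldap_config['attribute']
  # When truthy, #authenticate! proceeds to bind even without a password.
  @allow_unauthenticated_bind = ldap_config['allow_unauthenticated_bind']

  @ldap_auth_username_builder = params[:ldap_auth_username_builder]

  @group_base = ldap_config['group_base']
  # fetch(key, default) keeps an explicitly configured nil/false, like the
  # original key?-ternary did.
  @check_group_membership = ldap_config.fetch('check_group_membership', false)
  @check_group_membership_without_admin = ldap_config.fetch('check_group_membership_without_admin', false)
  @required_groups = ldap_config['required_groups']
  @group_membership_attribute = ldap_config.fetch('group_membership_attribute', 'uniqueMember')
  @required_attributes = ldap_config['require_attribute']
  @required_attributes_presence = ldap_config['require_attribute_presence']

  # Service-account bind, only when the caller asked for it.
  @ldap.auth ldap_config['admin_user'], ldap_config['admin_password'] if params[:admin]

  @login = params[:login]
  @password = params[:password]
  @new_password = params[:new_password]
end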

Instance Attribute Details

#ldap ⇒ Object (readonly)

Returns the value of attribute ldap.



# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 6

# The underlying Net::LDAP client built in #initialize.
#
# @return [Net::LDAP]
def ldap
  instance_variable_get(:@ldap)
end

#login ⇒ Object (readonly)

Returns the value of attribute login.



# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 6

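# The login identifier passed to the constructor as +:login+; it is matched
# against the configured attribute in #search_for_login.
#
# @return [String, nil]
def login
  @login
end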

Instance Method Details

#authenticate! ⇒ Object



# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 69

# Binds to the directory as the resolved #dn with the user's password.
#
# Returns false without contacting the server when no password was given,
# unless +allow_unauthenticated_bind+ is enabled in the config — in that case the
# bind is attempted with the empty/nil password, so a successful result does not
# prove the caller knows a credential. NOTE(review): confirm how the installed
# net-ldap version treats a nil simple-bind password before relying on that path.
#
# @return [Boolean] the Net::LDAP#bind result, or false if binding was skipped
def authenticate!
  bind_allowed = @password.present? || @allow_unauthenticated_bind
  return false unless bind_allowed

  @ldap.auth(dn, @password)
  @ldap.bind
end

#authenticated? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 75

# Predicate alias for #authenticate!: performs a fresh bind on every call
# (nothing is cached) and returns its result.
#
# @return [Boolean]
def authenticated?
  authenticate!
end

#authorized? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 87

# Authenticates the user and then checks group membership.
#
# The reason for a refusal (bad credentials, expired credentials, other bind
# failure, missing group) is only written to the debug log; the caller gets a
# plain boolean, so directory error details are not surfaced to the end user.
#
# @return [Boolean] true only if #authenticated? and #in_required_groups? both hold
def authorized?
  ZuoraConnect::logger.debug("Authorizing user #{dn}")

  unless authenticated?
    reason = if last_message_bad_credentials?
               'Not authorized because of invalid credentials.'
             elsif last_message_expired_credentials?
               'Not authorized because of expired credentials.'
             else
               'Not authorized because not authenticated.'
             end
    ZuoraConnect::logger.debug(reason)
    return false
  end

  unless in_required_groups?
    ZuoraConnect::logger.debug('Not authorized because not in required groups.')
    return false
  end

  true
end

#dn ⇒ Object



# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 41

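# Resolves the distinguished name to bind as, memoized in +@dn+.
#
# The login is looked up via #search_for_login first. When no entry matches,
# the +:ldap_auth_username_builder+ callable supplied to the constructor is
# invoked with (attribute, login, ldap_client) and its return value is used.
#
# @return [String, nil] the entry's DN, or whatever the builder returns
# @raise [NoMethodError] when no entry matches and no builder was supplied
#   (+@ldap_auth_username_builder+ is nil in that case)
def dn
  @dn ||= begin
            ZuoraConnect::logger.debug("LDAP dn lookup: #{@attribute}=#{@login}")
            ldap_entry = search_for_login
            if ldap_entry.nil?
              # Fallback for directories where the bind DN is derived rather than
              # searched. A nil result here is not memoized (||=), so the lookup
              # is repeated on the next call.
              @ldap_auth_username_builder.call(@attribute, @login, @ldap)
            else
              ldap_entry.dn
            end
          end
end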

#in_required_groups? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 107

# Checks that the user belongs to every configured required group.
#
# Skipped (returns true) unless one of the +check_group_membership*+ config
# flags is set. When checks are enabled but +required_groups+ is absent the
# method fails closed and returns false.
#
# Each entry of +required_groups+ is handed to #in_group?; a two-element Array
# is passed as +in_group?(group[1], group[0])+, anything else as
# +in_group?(group)+ — see #in_group? for the meaning of the two arguments.
#
# @return [Boolean]
def in_required_groups?
  membership_checked = @check_group_membership || @check_group_membership_without_admin
  return true unless membership_checked
  return false if @required_groups.nil?

  # all? stops at the first group the user is not a member of.
  @required_groups.all? do |group|
    if group.is_a?(Array)
      in_group?(group[1], group[0])
    else
      in_group?(group)
    end
  end
end

#last_message_bad_credentials? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 79

# Whether the last LDAP operation failed with Active Directory's
# "invalid credentials" extended error (data 52e). Only meaningful right after
# a bind; other directory servers do not emit this text.
#
# @return [Boolean]
def last_message_bad_credentials?
  message = @ldap.get_operation_result.error_message.to_s
  message.include?('AcceptSecurityContext error, data 52e')
end

#last_message_expired_credentials? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 83

# Whether the last LDAP operation failed with Active Directory's
# "password must change" extended error (data 773). Only meaningful right after
# a bind; other directory servers do not emit this text.
#
# @return [Boolean]
def last_message_expired_credentials?
  message = @ldap.get_operation_result.error_message.to_s
  message.include?('AcceptSecurityContext error, data 773')
end

#search_for_login ⇒ Object



# File 'app/helpers/zuora_connect/LDAP/connection.rb', line 53

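# Looks up the directory entry whose configured attribute equals the login,
# memoized in +@login_ldap_entry+.
#
# The login is user-supplied, so it is escaped before being placed in the
# filter: Net::LDAP::Filter.equals escapes the value, whereas Filter.eq does
# not and would let characters such as '*', '(' and ')' be interpreted as
# filter syntax instead of matched literally.
#
# @return [Net::LDAP::Entry, nil] the last matching entry, or nil when the
#   search returned nothing (including on a server-side error, which is only
#   logged at debug level)
def search_for_login
  @login_ldap_entry ||= begin
    ZuoraConnect::logger.debug("LDAP search for login: #{@attribute}=#{@login}")
    filter = Net::LDAP::Filter.equals(@attribute.to_s, @login.to_s)
    ldap_entry = nil
    match_count = 0
    @ldap.search(filter: filter) do |entry|
      ldap_entry = entry
      match_count += 1
    end
    op_result = @ldap.get_operation_result
    if op_result.code != 0
      ZuoraConnect::logger.debug("LDAP Error #{op_result.code}: #{op_result.message}")
    end
    ZuoraConnect::logger.debug("LDAP search yielded #{match_count} matches")
    # NOTE(review): with more than one match the last entry the server returned
    # wins. If the lookup attribute is not guaranteed unique, consider treating
    # match_count > 1 as "not found" so the bind DN is never ambiguous.
    ldap_entry
  end
end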