From d8ec9b62a98c73b7579601bf9f0e4a7d8bac5cbc Mon Sep 17 00:00:00 2001
From: Florian Uhlig
Date: Wed, 26 Jun 2013 18:52:18 +0200
Subject: [PATCH] Changes needed for ldap group authentication.
---
app/models/auth_source.rb | 2 +-
app/models/auth_source_ldap.rb | 39 ++++++++++++++++++--
.../auth_sources/_form_auth_source_ldap.html.erb | 2 +
config/locales/de.yml | 2 +
config/locales/en.yml | 2 +
.../20130626115301_add_group_dn_to_auth_sources.rb | 6 +++
6 files changed, 48 insertions(+), 5 deletions(-)
create mode 100644 db/migrate/20130626115301_add_group_dn_to_auth_sources.rb
diff --git a/app/models/auth_source.rb b/app/models/auth_source.rb
index 0b4db9b..c11105c 100644
--- a/app/models/auth_source.rb
+++ b/app/models/auth_source.rb
@@ -79,7 +79,7 @@ class AuthSource < ActiveRecord::Base
def self.authenticate(login, password)
AuthSource.where(:onthefly_register => true).all.each do |source|
begin
- logger.debug "Authenticating '#{login}' against '#{source.name}'" if logger && logger.debug?
+ logger.info "Authenticating '#{login}' against '#{source.name}'" if logger && logger.info?
attrs = source.authenticate(login, password)
rescue => e
logger.error "Error during authentication: #{e.message}"
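Review bot: Raising this line from debug to info writes every login name attempted against every on-the-fly source into the normal production log, so account names that were previously visible only at debug level now appear in routine logging; the same applies to the new `logger.info` lines added to get_user_dn in app/models/auth_source_ldap.rb. If the aim was to diagnose the group lookup, keep `logger.debug "Authenticating '#{login}' against '#{source.name}'" if logger && logger.debug?` and raise the log level in the environment configuration instead. AuthSource.authenticate continues outside this hunk.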
diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index 25cdc6f..1a8f5af 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -22,7 +22,7 @@ require 'timeout'
class AuthSourceLdap < AuthSource
validates_presence_of :host, :port, :attr_login
validates_length_of :name, :host, :maximum => 60, :allow_nil => true
- validates_length_of :account, :account_password, :base_dn, :filter, :maximum => 255, :allow_blank => true
+ validates_length_of :account, :account_password, :base_dn, :filter, :group_dn, :group_filter, :maximum => 255, :allow_blank => true
validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
validates_numericality_of :port, :only_integer => true
validates_numericality_of :timeout, :only_integer => true, :allow_blank => true
@@ -40,7 +40,7 @@ class AuthSourceLdap < AuthSource
with_timeout do
attrs = get_user_dn(login, password)
- if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
+ if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password, login)
logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
return attrs.except(:dn)
end
@@ -159,16 +159,47 @@ class AuthSourceLdap < AuthSource
end
# Check if a DN (user record) authenticates with the password
- def authenticate_dn(dn, password)
+ def authenticate_dn(dn, password, login)
if dn.present? && password.present?
- initialize_ldap_con(dn, password).bind
+ ldap_con = initialize_ldap_con(dn, password)
+ ldap_con.bind
+
+ if self.group_dn
+ logger.info "Check if user is in required group" if logger && logger.info?
+ if self.group_filter && self.group_filter.include?("$login")
+ group_filter = self.group_filter.sub("$login", Net::LDAP::DN.escape(login))
+ logger.info "Filter is '#{group_filter}'" if logger && logger.info?
+ end
+ if group_filter.present?
+ search_filter = Net::LDAP::Filter.construct(group_filter)
+ end
+# filter1 = Net::LDAP::Filter.eq("cn", "CBM_User") #get entry of cbm_group
+# filter2 = Net::LDAP::Filter.eq("uniquemember", dn) # check if user is memebr of group
+# filter = filter1 & filter2
+
+ ldap_con.search(:base => self.group_dn,
+ :filter => search_filter,
+ :return_result => true
+ ) do |entry|
+ if entry.dn
+ logger.info "User '#{dn}' is member of the CBM group" if logger && logger.info?
+ return 0
+ else
+ return false
+ end
+ end
+ return false
+ end
end
end
# Get the user's dn and any attributes for them, given their login
def get_user_dn(login, password)
ldap_con = nil
+ logger.info "Try to authenticate for '#{login}'" if logger && logger.info?
if self.account && self.account.include?("$login")
+ bla = self.account.sub("$login", Net::LDAP::DN.escape(login))
+ logger.info "Try to authenticate for '#{bla}'" if logger && logger.info?
ldap_con = initialize_ldap_con(self.account.sub("$login", Net::LDAP::DN.escape(login)), password)
else
ldap_con = initialize_ldap_con(self.account, self.account_password)
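Review bot: authenticate_dn now returns nil whenever group_dn is not configured, because `ldap_con.bind` on its own line discards the bind result and the trailing `if self.group_dn` expression evaluates to nil when it is skipped, so every existing LDAP source without a group stops authenticating (the caller in authenticate only tests the return value for truthiness). The bind result is also never checked before the group search, and when group_filter is blank or lacks the `$login` placeholder search_filter stays nil, which net-ldap, as far as I recall, replaces with an objectClass=* filter, so the first entry under group_dn satisfies the membership check for any user. `Net::LDAP::DN.escape` escapes for DNs; a value substituted into a search filter needs filter escaping (`Net::LDAP::Filter.escape` in net-ldap 0.3.x) so that filter metacharacters in a login cannot change the filter's meaning. `self.group_dn` is also truthy for an empty string saved from the form, so test with `blank?`, return `true` rather than `0`, drop the commented-out filter lines and the site-specific "CBM group" message, and in get_user_dn reuse the substituted value instead of the `bla` variable that is computed only for logging and then recomputed on the next line. get_user_dn continues outside this hunk.
```ruby
  # Check if a DN (user record) authenticates with the password and,
  # when group_dn is configured, is matched by the group search.
  def authenticate_dn(dn, password, login)
    return false unless dn.present? && password.present?
    ldap_con = initialize_ldap_con(dn, password)
    return false unless ldap_con.bind
    return true if self.group_dn.blank?

    # Never fall back to net-ldap's default filter: without a filter tied to
    # the login, any entry under group_dn would count as membership.
    return false unless self.group_filter.present? && self.group_filter.include?("$login")
    filter = self.group_filter.sub("$login", Net::LDAP::Filter.escape(login))
    logger.debug "Group filter is '#{filter}'" if logger && logger.debug?
    search_filter = Net::LDAP::Filter.construct(filter)
    ldap_con.search(:base => self.group_dn,
                    :filter => search_filter,
                    :return_result => true) do |entry|
      return true if entry.dn
    end
    false
  end
```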
diff --git a/app/views/auth_sources/_form_auth_source_ldap.html.erb b/app/views/auth_sources/_form_auth_source_ldap.html.erb
index 2ffd4d4..a1012c2 100644
--- a/app/views/auth_sources/_form_auth_source_ldap.html.erb
+++ b/app/views/auth_sources/_form_auth_source_ldap.html.erb
@@ -12,6 +12,8 @@
:onchange => "this.name='auth_source[account_password]';" %>
<%= f.text_field :base_dn, :required => true, :size => 60 %>
<%= f.text_field :filter, :size => 60, :label => :field_auth_source_ldap_filter %>
+ <%= f.text_field :group_dn, :size => 60 %>
+ <%= f.text_field :group_filter, :size => 60, :label => :field_auth_source_group_ldap_filter %>
<%= f.text_field :timeout, :size => 4 %>
<%= f.check_box :onthefly_register, :label => :field_onthefly %>
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 4fffdd8..bdef4be 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -281,8 +281,10 @@ de:
field_attr_mail: E-Mail-Attribut
field_auth_source: Authentifizierungs-Modus
field_auth_source_ldap_filter: LDAP-Filter
+ field_auth_source_group_ldap_filter: LDAP Gruppen-Filter
field_author: Autor
field_base_dn: Base DN
+ field_group_dn: Group DN
field_board_parent: Übergeordnetes Forum
field_category: Kategorie
field_column_names: Spalten
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 135d078..3e9523b 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -273,6 +273,7 @@ en:
field_port: Port
field_account: Account
field_base_dn: Base DN
+ field_group_dn: Group DN
field_attr_login: Login attribute
field_attr_firstname: Firstname attribute
field_attr_lastname: Lastname attribute
@@ -326,6 +327,7 @@ en:
field_repository_is_default: Main repository
field_multiple: Multiple values
field_auth_source_ldap_filter: LDAP filter
+ field_auth_source_group_ldap_filter: LDAP group filter
field_core_fields: Standard fields
field_timeout: "Timeout (in seconds)"
field_board_parent: Parent forum
diff --git a/db/migrate/20130626115301_add_group_dn_to_auth_sources.rb b/db/migrate/20130626115301_add_group_dn_to_auth_sources.rb
new file mode 100644
index 0000000..d1b9f0a
--- /dev/null
+++ b/db/migrate/20130626115301_add_group_dn_to_auth_sources.rb
@@ -0,0 +1,6 @@
+class AddGroupDnToAuthSources < ActiveRecord::Migration
+ def change
+ add_column :auth_sources, :group_dn, :string
+ add_column :auth_sources, :group_filter, :string
+ end
+end
\ No newline at end of file
--
1.7.10.4