From 83290f4953f22dd408bf6c9a23ace1d1a9022c3b Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Thu, 24 Jan 2013 00:55:33 +0100
Subject: [PATCH] Moved to modular auth backend layers. Still config options are needed. Related to #58.
---
 app/models/user.rb | 52 +++++++++++++++++++++++++++++++-------------
 lib/auth/env.rb | 17 +++++++++++++++
 lib/auth/internal.rb | 15 +++++++++++++
 lib/auth/ldap.rb | 13 +++++++++++
 lib/auth/otrs.rb | 42 +++++++++++++++++++++++++++++++++++
 lib/auth/test.rb | 11 ++++++++++
 6 files changed, 135 insertions(+), 15 deletions(-)
 create mode 100644 lib/auth/env.rb
 create mode 100644 lib/auth/internal.rb
 create mode 100644 lib/auth/ldap.rb
 create mode 100644 lib/auth/otrs.rb
 create mode 100644 lib/auth/test.rb
diff --git a/app/models/user.rb b/app/models/user.rb
index 46853275b..82c8be56d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -53,21 +53,43 @@ class User < ApplicationModel
 # no user found
 return nil if !user
 
- # development systems
- if !ENV['RAILS_ENV'] || ENV['RAILS_ENV'] == 'development'
- if password == 'test'
- return user
- end
- end
-
- # sha auth check
- if user.password =~ /^\{sha2\}/
- crypted = Digest::SHA2.hexdigest( password )
- return user if user.password == "{sha2}#{crypted}"
- end
-
- # plain auth check
- return user if user.password == password
+ # use auth backends
+ config = {
+ :internal => {
+ :adapter => 'internal',
+ },
+ :test => {
+ :adapter => 'test',
+ },
+ :env => {
+ :adapter => 'env',
+ },
+ :ldap => {
+ :adapter => 'ldap',
+ :host => 'somehost',
+ :port => '3333',
+ :base_dn => 'some base dn',
+ :bind_user => 'some bind user',
+ :bind_pw => 'some pw',
+ },
+ :otrs => {
+ :adapter => 'otrs',
+ :required_group => 'stats',
+ :group_role_map => {
+ 'admin' => 'Admin',
+ 'stats' => 'Report',
+ },
+ :always_role => {
+ 'Agent' => true,
+ },
+ },
+ }
+ config.each {|key, c|
+ file = "auth/#{c[:adapter]}"
+ require file
+ user_auth = Auth.const_get("#{c[:adapter].to_s.upcase}").check( user, username, password, c )
+ return user_auth if user_auth
+ }
 
 # auth failed
 return false
diff --git a/lib/auth/env.rb b/lib/auth/env.rb
new file mode 100644
index 000000000..ff045691e
--- /dev/null
+++ b/lib/auth/env.rb
@@ -0,0 +1,17 @@
+module Auth::ENV
+ def self.check( user, username, password, config )
+
+ # try to find user based on login
+ if ENV['REMOTE_USER']
+ user = User.where( :login => ENV['REMOTE_USER'], :active => true ).first
+ return user if user
+ end
+
+ if ENV['HTTP_REMOTE_USER']
+ user = User.where( :login => ENV['HTTP_REMOTE_USER'], :active => true ).first
+ return user if user
+ end
+
+ return false
+ end
+end
diff --git a/lib/auth/internal.rb b/lib/auth/internal.rb
new file mode 100644
index 000000000..2437420a5
--- /dev/null
+++ b/lib/auth/internal.rb
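Review bot: The adapter name in `config.each` flows straight into `require file` and `Auth.const_get(...)`, which is only safe while the hash is the literal written on these lines; the commit message says the options still have to become configurable, and at that point an adapter string taken from settings would load an arbitrary file under `auth/` and resolve an arbitrary constant. Validate it against a fixed allow-list before the `require`, e.g. `raise ArgumentError, "unknown auth adapter #{c[:adapter]}" unless %w[internal test env ldap otrs].include?( c[:adapter] )`, and rename the unused block parameter to `_key`. Registering all five backends unconditionally also means the `test` and `env` adapters are consulted for every login in every deployment, with placeholder LDAP bind credentials living in the model; the chain should be built from the enabled entries only. The enclosing method starts before this hunk.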
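Review bot: `ENV['REMOTE_USER']` and `ENV['HTTP_REMOTE_USER']` read the Rails process environment, not the request: in a Rack application the CGI variable set by an authenticating front end arrives as `request.env['REMOTE_USER']`, so this check either never matches or matches one process-wide value for every caller. The adapter also ignores `password` and the `user` the caller already resolved and returns whichever active account the variable names, so it is only safe behind a proxy that strips the client-supplied `Remote-User` header and sets the variable itself (`HTTP_REMOTE_USER` is otherwise client-controlled). Pass the request-scoped value in through `config` instead of reading `ENV`, and state on `check` that `password` is intentionally unused.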
@@ -0,0 +1,15 @@
+module Auth::INTERNAL
+ def self.check( user, username, password, config )
+
+ # sha auth check
+ if user.password =~ /^\{sha2\}/
+ crypted = Digest::SHA2.hexdigest( password )
+ return user if user.password == "{sha2}#{crypted}"
+ end
+
+ # plain auth check
+ return user if user.password == password
+
+ return false
+ end
+end
diff --git a/lib/auth/ldap.rb b/lib/auth/ldap.rb
new file mode 100644
index 000000000..0576eb810
--- /dev/null
+++ b/lib/auth/ldap.rb
@@ -0,0 +1,13 @@
+module Auth::LDAP
+ def self.check( user, username, password, config )
+
+ # ldap connect
+
+ # ldap bind
+
+ # sync roles / groups
+# return user
+
+ return false
+ end
+end
diff --git a/lib/auth/otrs.rb b/lib/auth/otrs.rb
new file mode 100644
index 000000000..99dcf06e3
--- /dev/null
+++ b/lib/auth/otrs.rb
@@ -0,0 +1,42 @@
+class Auth::OTRS
+ def self.check( user, username, password, config )
+
+ # connect to OTRS
+ result = Import::OTRS.auth( username, password )
+ return false if !result
+ return false if !result['groups_rw']
+
+ # check if required OTRS group exists
+ return false if !result['groups_rw'].has_value?( config[:required_group] )
+
+ # sync roles / groups
+ if config[:group_role_map]
+ config[:group_role_map].each {|otrs_group, role|
+ if result['groups_rw'].has_value?( otrs_group )
+ role_ids = user.role_ids
+ role = Role.where( :name => role ).first
+ if role
+ role_ids.push role.id
+ user.role_ids = role_ids
+ user.save
+ end
+ end
+ }
+ end
+
+ if config[:always_role]
+ config[:always_role].each {|role, active|
+ next if !active
+ role_ids = user.role_ids
+ role = Role.where( :name => role ).first
+ if role
+ role_ids.push role.id
+ user.role_ids = role_ids
+ user.save
+ end
+ }
+ end
+
+ return user
+ end
+end
diff --git a/lib/auth/test.rb b/lib/auth/test.rb
new file mode 100644
index 000000000..850eb5850
--- /dev/null
+++ b/lib/auth/test.rb
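Review bot: `/^\{sha2\}/` anchors at a line start, so a stored value containing a newline before `{sha2}` would also be treated as hashed; use the whole-string anchor, `if user.password =~ /\A\{sha2\}/`. Both comparisons use `String#==`, which stops at the first differing byte; `Rack::Utils.secure_compare( user.password, "{sha2}#{crypted}" )` keeps the outcome independent of how much of the value matched. `Digest::SHA2.hexdigest( password )` raises TypeError when `password` is nil — presumably the caller guarantees a string, but a `return false if !password` guard at the top makes the adapter safe on its own.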
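Review bot: The adapter is a stub that always returns false, but nothing on `check` says so, and a reader of the chain in `User` cannot tell whether LDAP is deliberately disabled or broken. Replace the commented-out `# return user` with a method comment such as `# TODO: not implemented - connect, bind and role sync are still missing; always returns false so the next adapter is tried`, so the placeholder is visible where it is called.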
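Review bot: Role sync only ever grants: `role_ids.push role.id` runs on every successful login without checking whether the user already holds the role, and a role whose OTRS group was revoked is never removed, so the user's authorization drifts away from the source of truth. Both `each` blocks also reassign their `role` block parameter (`role = Role.where( :name => role ).first`) and drop the result of `user.save`. I would move the grant into one helper that skips roles already held, and state in a comment that revocation is intentionally not synced if that is the design; whether `role_ids=` tolerates duplicate ids I cannot tell from here.
```ruby
    # sync roles / groups
    if config[:group_role_map]
      config[:group_role_map].each {|otrs_group, role_name|
        next if !result['groups_rw'].has_value?( otrs_group )
        grant_role( user, role_name )
      }
    end

    if config[:always_role]
      config[:always_role].each {|role_name, active|
        next if !active
        grant_role( user, role_name )
      }
    end
    # … unchanged: return user, end of check …

  # Grants the named role to the user once; unknown names and roles already held are left untouched.
  def self.grant_role( user, role_name )
    role = Role.where( :name => role_name ).first
    return if !role || user.role_ids.include?( role.id )
    user.role_ids = user.role_ids + [ role.id ]
    user.save
  end
```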
@@ -0,0 +1,11 @@
+module Auth::TEST
+ def self.check( user, username, password, config )
+
+ # development systems
+ if !ENV['RAILS_ENV'] || ENV['RAILS_ENV'] == 'development'
+ return user if password == 'test'
+ end
+
+ return false
+ end
+end
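Review bot: `!ENV['RAILS_ENV']` treats an unset environment as development, so any process started without RAILS_ENV (a console or job launched by hand) accepts the password `test` for every active account that reaches this adapter. Enable it on an explicit value only, `if ENV['RAILS_ENV'] == 'development'`, and since `User` registers this adapter unconditionally, the stronger fix is to keep it out of the chain outside development. The `username` and `config` parameters are unused here; `_username`/`_config` would make that visible while keeping the shared signature.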