Moved auth backend config settings to db, added unit test for ldap auth.

Martin Edenhofer 2013-02-08 00:03:46 +01:00
parent 409dbe31d1
commit f6545672ee
6 changed files with 172 additions and 78 deletions


@ -27,8 +27,10 @@ class Index extends App.ControllerLevel2
# security # security
if @type is 'security' if @type is 'security'
@menu = [ @menu = [
{ name: 'Authentication', 'target': 'auth', controller: App.SettingsArea, params: { area: 'Security::Authentication' } }, { name: 'Base', 'target': 'base', controller: App.SettingsArea, params: { area: 'Security::Base' } },
{ name: 'Password', 'target': 'password', controller: App.SettingsArea, params: { area: 'Security::Password' } }, # { name: 'Authentication', 'target': 'auth', controller: App.SettingsArea, params: { area: 'Security::Authentication' } },
{ name: 'Password', 'target': 'password', controller: App.SettingsArea, params: { area: 'Security::Password' } },
{ name: 'Third-Party Applications', 'target': 'third_party_auth', controller: App.SettingsArea, params: { area: 'Security::ThirdPartyAuthentication' } },
# { name: 'Session', 'target': 'session', controller: '' }, # { name: 'Session', 'target': 'session', controller: '' },
] ]
@page = { @page = {
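Review bot: The old `Authentication` menu entry is kept as commented-out code next to the new `Base` entry rather than deleted, which leaves dead configuration in the controller. If the intent is to bring the entry back once the moved LDAP/OTRS settings get a frontend, say so explicitly, e.g. `# TODO: re-enable once Security::Authentication settings are editable in the UI`; otherwise drop the line, since version control already preserves it. The enclosing `if @type is 'security'` block continues outside the hunk.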


@ -121,7 +121,7 @@ class ApplicationModel < ActiveRecord::Base
records = self.where( :name => data[:name] ) records = self.where( :name => data[:name] )
records.each {|record| records.each {|record|
if record.name == data[:name] if record.name == data[:name]
record.update_attributes( :data => data[:data] ) record.update_attributes( data )
return record return record
end end
} }
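Review bot: `record.update_attributes( data )` now applies every key of the caller's hash to the matched record, not just `:data`, so `create_or_update` silently gained the ability to rewrite `:area`, `:state`, `:frontend` and `:name` itself on an existing row. That is presumably what the seed and the new test rely on, but it is a contract change worth stating at the method, e.g. `# an existing record is updated with ALL attributes in data, not only :data`. It is also worth confirming that no caller reaches this with a hash built from request parameters, since the widened mass-assignment would then be reachable from the outside. The method starts and ends outside the hunk.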


@ -56,56 +56,26 @@ class User < ApplicationModel
end end
# use auth backends # use auth backends
config = { config = [
:internal => { {
:adapter => 'internal', :adapter => 'internal',
}, },
:test => { {
:adapter => 'test', :adapter => 'test',
}, },
:env => { ]
:adapter => 'env', Setting.where( :area => 'Security::Authentication' ).each {|setting|
}, if setting.state[:value]
:ldap => { config.push setting.state[:value]
:adapter => 'ldap', end
:host => 'localhost',
:port => 389,
:bind_dn => 'cn=Manager,dc=example,dc=org',
:bind_pw => 'example',
:uid => 'mail',
:base => 'dc=example,dc=org',
:always_filter => '',
:always_roles => ['Admin', 'Agent'],
:always_groups => ['Users'],
:sync_params => {
:firstname => 'givenName',
:lastname => 'sn',
:email => 'mail',
:login => 'mail',
},
},
:otrs => {
:adapter => 'otrs',
:required_group_ro => 'stats',
:group_rw_role_map => {
'admin' => 'Admin',
'stats' => 'Report',
},
:group_ro_role_map => {
'stats' => 'Report',
},
:always_role => {
'Agent' => true,
},
},
} }
# try to login against configure auth backends # try to login against configure auth backends
user_auth = nil user_auth = nil
config.each {|key, c| config.each {|config_item|
file = "auth/#{c[:adapter]}" file = "auth/#{config_item[:adapter]}"
require file require file
user_auth = Auth.const_get("#{c[:adapter].to_s.upcase}").check( username, password, c, user ) user_auth = Auth.const_get("#{config_item[:adapter].to_s.upcase}").check( username, password, config_item, user )
# auth ok # auth ok
if user_auth if user_auth
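Review bot: `config.push setting.state[:value]` expects the stored state to be wrapped in a `:value` key, but the seed in this same commit writes `:state => { :adapter => 'ldap', ... }` with no such key, so either the `Setting` model re-wraps state on write (not visible here) or this loop never adds a backend; that mismatch should be confirmed against the model. Independently, `require "auth/#{config_item[:adapter]}"` and `Auth.const_get(...)` now take the adapter name from a database row instead of a literal, so a single bad or tampered setting turns into a `require` of an arbitrary path; a guard such as `next unless %w[internal test ldap otrs].include?(config_item[:adapter].to_s)` before the `require` keeps the set of loadable backends fixed in code. The `authenticate` method starts and ends outside the hunk.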


@ -138,7 +138,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'New User Accounts', :title => 'New User Accounts',
:name => 'user_create_account', :name => 'user_create_account',
:area => 'Security::Authentication', :area => 'Security::Base',
:description => 'Enables users to create their own account via web interface.', :description => 'Enables users to create their own account via web interface.',
:options => { :options => {
:form => [ :form => [
@ -160,7 +160,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Lost Password', :title => 'Lost Password',
:name => 'user_lost_password', :name => 'user_lost_password',
:area => 'Security::Authentication', :area => 'Security::Base',
:description => 'Activates lost password feature for agents, in the agent interface.', :description => 'Activates lost password feature for agents, in the agent interface.',
:options => { :options => {
:form => [ :form => [
@ -182,7 +182,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Switch to User', :title => 'Switch to User',
:name => 'switch_to_user', :name => 'switch_to_user',
:area => 'Security::Authentication', :area => 'Security::Base',
:description => 'Allows the administrators to login as other users, via the users administration panel.', :description => 'Allows the administrators to login as other users, via the users administration panel.',
:options => { :options => {
:form => [ :form => [
@ -202,31 +202,55 @@ Setting.create_if_not_exists(
:frontend => true :frontend => true
) )
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Authentication via Database', :title => 'Authentication via OTRS',
:name => 'auth_db', :name => 'auth_otrs',
:area => 'Security::Authentication', :area => 'Security::Authentication',
:description => 'Enables user authentication via database.', :description => 'Enables user authentication via OTRS.',
:options => { :state => {
:form => [ :adapter => 'otrs',
{ :required_group_ro => 'stats',
:display => '', :group_rw_role_map => {
:null => true, 'admin' => 'Admin',
:name => 'auth_db', 'stats' => 'Report',
:tag => 'boolean', },
:options => { :group_ro_role_map => {
true => 'yes', 'stats' => 'Report',
false => 'no', },
}, :always_role => {
}, 'Agent' => true,
], },
}, },
:state => true, :frontend => false
:frontend => true )
Setting.create_if_not_exists(
:title => 'Authentication via LDAP',
:name => 'auth_ldap',
:area => 'Security::Authentication',
:description => 'Enables user authentication via LDAP.',
:state => {
:adapter => 'ldap',
:host => 'localhost',
:port => 389,
:bind_dn => 'cn=Manager,dc=example,dc=org',
:bind_pw => 'example',
:uid => 'mail',
:base => 'dc=example,dc=org',
:always_filter => '',
:always_roles => ['Admin', 'Agent'],
:always_groups => ['Users'],
:sync_params => {
:firstname => 'sn',
:lastname => 'givenName',
:email => 'mail',
:login => 'mail',
},
},
:frontend => false
) )
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Authentication via Twitter', :title => 'Authentication via Twitter',
:name => 'auth_twitter', :name => 'auth_twitter',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'Enables user authentication via twitter. Register your app first at https://dev.twitter.com/apps', :description => 'Enables user authentication via twitter. Register your app first at https://dev.twitter.com/apps',
:options => { :options => {
:form => [ :form => [
@ -248,7 +272,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Twitter App Credentials', :title => 'Twitter App Credentials',
:name => 'auth_twitter_credentials', :name => 'auth_twitter_credentials',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'App credentials for Twitter.', :description => 'App credentials for Twitter.',
:options => { :options => {
:form => [ :form => [
@ -272,7 +296,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Authentication via Facebook', :title => 'Authentication via Facebook',
:name => 'auth_facebook', :name => 'auth_facebook',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'Enables user authentication via Facebook. Register your app first at https://developers.facebook.com/apps/', :description => 'Enables user authentication via Facebook. Register your app first at https://developers.facebook.com/apps/',
:options => { :options => {
:form => [ :form => [
@ -295,7 +319,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Facebook App Credentials', :title => 'Facebook App Credentials',
:name => 'auth_facebook_credentials', :name => 'auth_facebook_credentials',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'App credentials for Facebook.', :description => 'App credentials for Facebook.',
:options => { :options => {
:form => [ :form => [
@ -320,7 +344,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Authentication via Google', :title => 'Authentication via Google',
:name => 'auth_google_oauth2', :name => 'auth_google_oauth2',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'Enables user authentication via Google.', :description => 'Enables user authentication via Google.',
:options => { :options => {
:form => [ :form => [
@ -342,7 +366,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Google App Credentials', :title => 'Google App Credentials',
:name => 'auth_google_oauth2_credentials', :name => 'auth_google_oauth2_credentials',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'Enables user authentication via Google.', :description => 'Enables user authentication via Google.',
:options => { :options => {
:form => [ :form => [
@ -367,7 +391,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'Authentication via LinkedIn', :title => 'Authentication via LinkedIn',
:name => 'auth_linkedin', :name => 'auth_linkedin',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'Enables user authentication via LinkedIn.', :description => 'Enables user authentication via LinkedIn.',
:options => { :options => {
:form => [ :form => [
@ -389,7 +413,7 @@ Setting.create_if_not_exists(
Setting.create_if_not_exists( Setting.create_if_not_exists(
:title => 'LinkedIn App Credentials', :title => 'LinkedIn App Credentials',
:name => 'auth_linkedin_credentials', :name => 'auth_linkedin_credentials',
:area => 'Security::Authentication', :area => 'Security::ThirdPartyAuthentication',
:description => 'Enables user authentication via LinkedIn.', :description => 'Enables user authentication via LinkedIn.',
:options => { :options => {
:form => [ :form => [
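Review bot: The new `auth_otrs` and `auth_ldap` settings are seeded with placeholder connection data (`:host => 'localhost'`, `:bind_pw => 'example'`) and no enabled/disabled flag, so if the authentication loop in `User` really picks up every `Security::Authentication` setting, every fresh install will attempt LDAP and OTRS logins against these placeholders on each password check; an explicit `:active => false` (or equivalent) inside the state, honoured by the loop, would make the backends opt-in. `:always_roles => ['Admin', 'Agent']` additionally grants the Admin role to anyone the LDAP backend accepts, which is a risky default and deserves at least a comment on the line. The `:sync_params` mapping `:firstname => 'sn', :lastname => 'givenName'` inverts the usual LDAP meaning (`sn` is the surname) and is swapped relative to the hash removed from `User`; the new unit test asserts `firstname => 'Chen'` for `paige.chen`, so the inversion looks deliberate for that test directory, but it should be verified rather than shipped as the default.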


@ -23,7 +23,7 @@ module Auth::LDAP
# search user # search user
filter = "(#{config[:uid]}=#{username})" filter = "(#{config[:uid]}=#{username})"
if config[:always_filter] if config[:always_filter] && !config[:always_filter].empty?
filter = "(&#{filter}#{config[:always_filter]})" filter = "(&#{filter}#{config[:always_filter]})"
end end
user_dn = nil user_dn = nil
@ -34,9 +34,9 @@ module Auth::LDAP
# remember attributes for :sync_params # remember attributes for :sync_params
entry.each do |attribute, values| entry.each do |attribute, values|
user_data[ attribute.to_sym ] = '' user_data[ attribute.downcase.to_sym ] = ''
values.each do |value| values.each do |value|
user_data[ attribute.to_sym ] = value user_data[ attribute.downcase.to_sym ] = value
end end
end end
end end
@ -60,8 +60,8 @@ module Auth::LDAP
:updated_by_id => 1, :updated_by_id => 1,
} }
config[:sync_params].each {| local_data, ldap_data | config[:sync_params].each {| local_data, ldap_data |
if user_data[ ldap_data.to_sym ] if user_data[ ldap_data.downcase.to_sym ]
user_attributes[ local_data.to_sym] = user_data[ ldap_data.to_sym ] user_attributes[ local_data.downcase.to_sym] = user_data[ ldap_data.downcase.to_sym ]
end end
} }
if !user if !user
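Review bot: The `always_filter` guard is tightened, but the filter it is combined with, `"(#{config[:uid]}=#{username})"` on the line above, still interpolates the login name unescaped, so characters such as `*`, `(`, `)` or `\` in a submitted username change the meaning of the search filter. If this module is built on net-ldap (the `entry.each do |attribute, values|` shape suggests so), `filter = "(#{config[:uid]}=#{Net::LDAP::Filter.escape(username)})"` closes that gap; otherwise an equivalent escape of the RFC 4515 special characters is needed before the compound filter is built. The same consideration applies to `config[:always_filter]`, which is now trusted verbatim from the database setting. The surrounding method starts and ends outside the hunks.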

98
test/unit/auth_test.rb Normal file

@ -0,0 +1,98 @@
# encoding: utf-8
require 'test_helper'
Setting.create_or_update(
:title => 'Authentication via LDAP',
:name => 'auth_ldap',
:area => 'Security::Authentication',
:description => 'Enables user authentication via LDAP.',
:state => {
:adapter => 'ldap',
:host => 'localhost',
:port => 389,
:bind_dn => 'cn=Manager,dc=example,dc=org',
:bind_pw => 'example',
:uid => 'mail',
:base => 'dc=example,dc=org',
:always_filter => '',
:always_roles => ['Admin', 'Agent'],
:always_groups => ['Users'],
:sync_params => {
:firstname => 'sn',
:lastname => 'givenName',
:email => 'mail',
:login => 'mail',
},
},
:frontend => false
)
user = User.lookup( :login => 'nicole.braun@zammad.org' )
if user
user.update_attributes(
:password => 'some_pass',
:active => true,
)
else
user = User.create_if_not_exists(
:login => 'nicole.braun@zammad.org',
:firstname => 'Nicole',
:lastname => 'Braun',
:email => 'nicole.braun@zammad.org',
:password => 'some_pass',
:active => true,
:updated_by_id => 1,
:created_by_id => 1
)
end
class AuthTest < ActiveSupport::TestCase
test 'auth' do
tests = [
# test 1
{
:username => 'not_existing',
:password => 'password',
:result => nil,
},
# test 2
{
:username => 'paige.chen@example.org',
:password => 'password',
:result => true,
:verify => {
:firstname => 'Chen',
:lastname => 'Paige',
:email => 'paige.chen@example.org',
}
},
# test 3
{
:username => 'nicole.braun@zammad.org',
:password => 'some_pass',
:result => true,
:verify => {
:firstname => 'Nicole',
:lastname => 'Braun',
:email => 'nicole.braun@zammad.org',
}
},
]
tests.each { |test|
user = User.authenticate( test[:username], test[:password] )
if test[:result] == true
if !user
assert( false, 'auth faild' )
else
test[:verify].each {|key, value|
assert_equal( user[key], value, 'verify' )
}
end
else
assert_equal( test[:result], user, 'faild or not existing' )
end
}
end
end
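Review bot: The test depends on a live LDAP server at `localhost:389` with the fixed bind password `example` and a pre-existing `paige.chen@example.org` entry, none of which the test file provides, so on any machine without that directory test 2 fails (or hangs on the connect) regardless of the code under test; guard it with a reachability check and `skip` when the server is absent, or drive the `ldap` adapter through a stubbed `Auth::LDAP.check`. The `Setting.create_or_update` and `User.create_if_not_exists` calls run at file load rather than inside a `setup` block, which means they execute even when this test is filtered out and persist a user with a known password into the test database. The assertion messages `'auth faild'` and `'faild or not existing'` carry a typo (`failed`).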