added ability to specify the attribute name on required groups by passing an array

dpmcnevin · dpmcnevin · commit 7f4cb4b4de8e · 2010-09-23T22:34:31.000-04:00
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ This will *only* work for Rails 3 applications.
 In the Gemfile for your application:
 
     gem "devise", "1.1.2"
-    gem "devise_ldap_authenticatable", "0.4.5"
+    gem "devise_ldap_authenticatable"
     
 To get the latest version, pull directly from github instead of the gem:
 
@@ -96,7 +96,6 @@ In initializer  `config/initializers/devise.rb` :
 * ldap\_check\_group_membership _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
 
-
 * ldap\_check\_attributes _(default: false)_
   * When set to true, the user trying to login will be checked to make sure they have all of the attributes in the ldap.yml file.
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.4.5
+0.4.6
diff --git a/devise_ldap_authenticatable.gemspec b/devise_ldap_authenticatable.gemspec
@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{devise_ldap_authenticatable}
-  s.version = "0.4.5"
+  s.version = "0.4.6"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Curtis Schiewek", "Daniel McNevin"]
-  s.date = %q{2010-08-30}
+  s.date = %q{2010-09-23}
   s.description = %q{LDAP authentication module for Devise}
   s.email = %q{curtis.schiewek@gmail.com}
   s.extra_rdoc_files = [
diff --git a/lib/devise_ldap_authenticatable/ldap_adapter.rb b/lib/devise_ldap_authenticatable/ldap_adapter.rb
@@ -90,9 +90,15 @@ def in_required_groups?
         admin_ldap = LdapConnect.admin
                 
         for group in @required_groups
-          admin_ldap.search(:base => group, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
-            unless entry.uniqueMember.include? dn
-              DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group}")
+          if group.is_a?(Array)
+            group_attribute, group_name = group
+          else
+            group_attribute = "uniqueMember"
+            group_name = group
+          end
+          admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+            unless entry[group_attribute].include? dn
+              DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
               return false
             end
           end
diff --git a/lib/devise_ldap_authenticatable/version.rb b/lib/devise_ldap_authenticatable/version.rb
@@ -1,4 +1,4 @@
 module DeviseLdapAuthenticatable
-  VERSION = "0.4.5"
+  VERSION = "0.4.6"
 end
 
diff --git a/lib/generators/devise_ldap_authenticatable/templates/ldap.yml b/lib/generators/devise_ldap_authenticatable/templates/ldap.yml
@@ -7,8 +7,11 @@ authorizations: &AUTHORIZATIONS
   ## Requires config.ldap_check_group_membership in devise.rb be true
   # Can have multiple values, must match all to be authorized
   required_groups:
+    # If only a group name is given, membership will be checked against "uniqueMember"
     - cn=admins,ou=groups,dc=test,dc=com
     - cn=users,ou=groups,dc=test,dc=com
+    # If an array is given, the first element will be the attribute to check against, the second the group name
+    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
   ## Requires config.ldap_check_attributes in devise.rb to be true
   ## Can have multiple attributes and values, must match all to be authorized
   require_attribute:
diff --git a/test/ldap/base.ldif b/test/ldap/base.ldif
@@ -58,9 +58,11 @@ userPassword:: e1NIQX0wcUNXaERISGFwWmc3ekJxZWRRanBzNW1EUDA9
 
 # users, groups, test.com
 dn: cn=users,ou=groups,dc=test,dc=com
+objectClass: authorizations
 objectClass: groupOfUniqueNames
 objectClass: top
 uniqueMember: cn=example.user@test.com,ou=people,dc=test,dc=com
+authorizationRole: cn=example.admin@test.com,ou=people,dc=test,dc=com
 cn: users
 
 # users, groups, test.com
diff --git a/test/rails_app/Gemfile.lock b/test/rails_app/Gemfile.lock
@@ -1,9 +1,9 @@
 PATH
   remote: /Users/dpmcnevin/Rails/devise_ldap_authenticatable
   specs:
-    devise_ldap_authenticatable (0.4.4)
-      devise (> 1.0.4)
-      net-ldap (>= 0.1.1)
+    devise_ldap_authenticatable (0.4.5)
+      devise (= 1.1.2)
+      net-ldap (= 0.1.1)
 
 GEM
   remote: http://rubygems.org/
@@ -52,6 +52,7 @@ GEM
       rack (>= 1.0.0)
       rack-test (>= 0.5.4)
       selenium-webdriver (>= 0.0.3)
+    columnize (0.3.1)
     configuration (1.1.0)
     cucumber (0.8.5)
       builder (~> 2.1.2)
@@ -82,6 +83,7 @@ GEM
     launchy (0.3.7)
       configuration (>= 0.0.5)
       rake (>= 0.8.1)
+    linecache (0.43)
     mail (2.2.5)
       activesupport (>= 2.3.6)
       mime-types
@@ -111,6 +113,12 @@ GEM
       rake (>= 0.8.4)
       thor (~> 0.14.0)
     rake (0.8.7)
+    redgreen (1.2.2)
+    ruby-debug (0.10.3)
+      columnize (>= 0.1)
+      ruby-debug-base (~> 0.10.3.0)
+    ruby-debug-base (0.10.3)
+      linecache (>= 0.3)
     rubyzip (0.9.4)
     selenium-webdriver (0.0.28)
       ffi (>= 0.6.1)
@@ -143,5 +151,7 @@ DEPENDENCIES
   launchy
   mocha
   rails (= 3.0.0)
+  redgreen
+  ruby-debug
   shoulda
   sqlite3-ruby
diff --git a/test/rails_app/config/ldap.yml b/test/rails_app/config/ldap.yml
@@ -3,6 +3,7 @@ authorizations: &AUTHORIZATIONS
   group_base: ou=groups,dc=test,dc=com
   required_groups:
     - cn=admins,ou=groups,dc=test,dc=com
+    - ["authorizationRole", "cn=users,ou=groups,dc=test,dc=com"]
   require_attribute:
     objectClass: inetOrgPerson
     authorizationRole: blogAdmin
diff --git a/test/rails_app/test/test_helper.rb b/test/rails_app/test/test_helper.rb
@@ -4,13 +4,21 @@
 
 class ActiveSupport::TestCase
   
+  def ldap_connect_string
+    if ENV["LDAP_SSL"]
+      "-x -H ldaps://localhost:3389 -D 'cn=admin,dc=test,dc=com' -w secret"
+    else
+      "-x -h localhost -p 3389 -D 'cn=admin,dc=test,dc=com' -w secret"
+    end
+  end
+  
   def reset_ldap_server!
     if ENV["LDAP_SSL"]
-      `ldapmodify -x -H ldaps://localhost:3389 -D "cn=admin,dc=test,dc=com" -w secret -f ../ldap/clear.ldif`
-      `ldapadd -x -H ldaps://localhost:3389 -D "cn=admin,dc=test,dc=com" -w secret -f ../ldap/base.ldif`
+      `ldapmodify #{ldap_connect_string} -f ../ldap/clear.ldif`
+      `ldapadd #{ldap_connect_string} -f ../ldap/base.ldif`
     else
-      `ldapmodify -x -h localhost -p 3389 -D "cn=admin,dc=test,dc=com" -w secret -f ../ldap/clear.ldif`
-      `ldapadd -x -h localhost -p 3389 -D "cn=admin,dc=test,dc=com" -w secret -f ../ldap/base.ldif`
+      `ldapmodify #{ldap_connect_string} -f ../ldap/clear.ldif`
+      `ldapadd #{ldap_connect_string} -f ../ldap/base.ldif`
     end
   end
   
diff --git a/test/rails_app/test/unit/post_test.rb b/test/rails_app/test/unit/post_test.rb
@@ -1,8 +1,4 @@
 require 'test_helper'
 
 class PostTest < ActiveSupport::TestCase
-  # Replace this with your real tests.
-  test "the truth" do
-    assert true
-  end
 end
diff --git a/test/rails_app/test/unit/user_test.rb b/test/rails_app/test/unit/user_test.rb
@@ -103,6 +103,11 @@ def should_not_be_validated(user, password, message = "Password is not properly
       should "user should not be allowed in" do
         should_not_be_validated @user, "secret"
       end
+      
+      should "not be validated if group with different attribute is removed" do
+        `ldapmodify #{ldap_connect_string} -f ../ldap/delete_authorization_role.ldif`
+        should_not_be_validated @admin, "admin_secret"
+      end
     end
   
     context "use role attribute for authorization" do
