Merge pull request #301 from mssola/ldap

Introducing LDAP support

CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Upcoming Version
 
+- Introduced LDAP support. See PR [#301](https://github.com/SUSE/Portus/pull/301).
 - Users will not be able to create namespaces without a Registry currently
 existing.
 - PhantomJS is now being used in the testing infrastructure. See the following

Gemfile

@@ -18,6 +18,7 @@ gem "mysql2"
 gem "search_cop"
 gem "kaminari"
 gem "crono"
+gem "net-ldap"
 
 # Assets group.
 #

Gemfile.lock

@@ -146,6 +146,7 @@ GEM
     multi_json (1.11.1)
     multipart-post (2.0.0)
     mysql2 (0.3.18)
+    net-ldap (0.11)
     nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
     octokit (2.0.0)
@@ -339,6 +340,7 @@ DEPENDENCIES
   jwt
   kaminari
   mysql2
+  net-ldap
   poltergeist
   pry-rails
   public_activity

app/controllers/application_controller.rb

@@ -2,15 +2,20 @@ class ApplicationController < ActionController::Base
   before_action :check_requirements
   helper_method :fixes
   before_action :authenticate_user!
+  before_action :force_update_profile!
   protect_from_forgery with: :exception
 
   include Pundit
   rescue_from Pundit::NotAuthorizedError, with: :deny_access
 
   respond_to :html
 
+  # Two things can happen when signing in.
+  #   1. The current user has no email: this happens on LDAP registration. In
+  #      this case, the user will be asked to submit an email.
+  #   2. Everything is fine, go to the root url.
   def after_sign_in_path_for(_resource)
-    root_url
+    current_user.email.empty? ? edit_user_registration_url : root_url
   end
 
   def after_sign_out_path_for(_resource)
@@ -39,6 +44,16 @@ def check_requirements
     redirect_to "/errors/500"
   end
 
+  # Redirect users to their profile page if they haven't set up their email
+  # account (this happens when signing up through LDAP suppor).
+  def force_update_profile!
+    return unless current_user && current_user.email.empty?
+
+    controller = params[:controller]
+    return if controller == "auth/registrations" || controller == "auth/sessions"
+    redirect_to edit_user_registration_url
+  end
+
   def deny_access
     render text: "Access Denied", status: :unauthorized
   end

app/controllers/auth/registrations_controller.rb

@@ -1,6 +1,7 @@
 class Auth::RegistrationsController < Devise::RegistrationsController
   layout "authentication", except: :edit
 
+  before_action :check_ldap, only: [:new, :create]
   before_action :check_admin, only: [:new, :create]
   before_action :configure_sign_up_params, only: [:create]
   before_action :authenticate_user!, only: [:disable]
@@ -86,6 +87,11 @@ def configure_sign_up_params
 
   protected
 
+  # Redirect to the login page if LDAP is enabled.
+  def check_ldap
+    redirect_to new_user_session_path if Portus::LDAP.enabled?
+  end
+
   # Returns true if the contents of the `params` hash contains the needed keys
   # to update the password of the user.
   def password_update?

app/controllers/auth/sessions_controller.rb

@@ -1,10 +1,11 @@
 class Auth::SessionsController < Devise::SessionsController
   layout "authentication"
 
-  # Re-implementing. The logic is: if there is already a user that can log in,
-  # work as usual. Otherwise, redirect always to the signup page.
+  # Re-implementing. The logic is: if there is already a user that can log in
+  # or LDAP support is enabled, work as usual. Otherwise, redirect always to
+  # the signup page.
   def new
-    if User.not_portus.any?
+    if User.not_portus.any? || Portus::LDAP.enabled?
       super
     else
       # For some reason if we get here from the root path, we'll get a flashy

app/models/user.rb

@@ -2,10 +2,14 @@ class User < ActiveRecord::Base
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable, authentication_keys: [:username]
 
-  validates :username, presence: true, uniqueness: true,
-                       format: { with:    /\A[a-z0-9]{4,30}\Z/,
-                                 message: 'Accepted format: "\A[a-z0-9]{4,30}\Z"' }
+  USERNAME_CHARS  = "a-z0-9"
+  USERNAME_FORMAT = /\A[#{USERNAME_CHARS}]{4,30}\Z/
 
+  validates :username, presence: true, uniqueness: true,
+    format: {
+      with:    USERNAME_FORMAT,
+      message: "Only alphanumeric characters are allowed. Minimum 4 characters, maximum 30."
+    }
   validate :private_namespace_available, on: :create
 
   has_many :team_users
@@ -16,6 +20,12 @@ class User < ActiveRecord::Base
   scope :enabled,    -> { not_portus.where enabled: true }
   scope :admins,     -> { not_portus.where enabled: true, admin: true }
 
+  # Special method used by Devise to require an email on signup. This is always
+  # true except for LDAP.
+  def email_required?
+    !(Portus::LDAP.enabled? && !ldap_name.nil?)
+  end
+
   def private_namespace_available
     return unless Namespace.exists?(name: username)
     errors.add(:username, "cannot be used as name for private namespace")

app/views/devise/registrations/edit.html.slim

@@ -7,48 +7,56 @@
         ' Public Profile
     .panel-body
       = form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put, class: 'profile' }) do |f|
-        .form-group
+        - if current_user.email.empty?
+          p
+            | Your profile is not complete. Please, submit an email to be used in this Portus instance.
+        .form-group class=(current_user.email.empty? ? "has-error" : "")
           .field
-            = f.label :email
-            = f.text_field(:email, class: 'form-control', required: true)
+            - if current_user.email.empty?
+              = f.label :email, "Email", class: "control-label", title: "This profile is not complete. You need to provide an email first"
+            - else
+              = f.label :email
+            = f.text_field(:email, class: 'form-control', required: true, autofocus: true)
         .form-group
           .actions
             = f.submit('Update', class: 'btn btn-primary', disabled: true)
 
-  .panel.panel-default
-    .panel-heading
-      h5
-        ' Change Password
-    .panel-body
-      = form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put, class: 'password' }) do |f|
-        - if devise_mapping.confirmable? && resource.pending_reconfirmation?
-          div
-            Currently waiting confirmation for: #{resource.unconfirmed_email}
-        .form-group
-          .field
-            = f.label :current_password, class: 'control-label'
-            = f.password_field :current_password, autocomplete: 'off', class: 'form-control'
-            br
-          .field
-            = f.label :password, class: 'control-label'
-            = f.password_field :password, autocomplete: 'off', class: 'form-control'
-            br
-          .field
-            = f.label :password_confirmation, class: 'control-label'
-            = f.password_field :password_confirmation, autocomplete: 'off', class: 'form-control'
-        .form-group
-          .actions
-            = f.submit('Change', class: 'btn btn-primary', disabled: true)
-
-  - unless current_user.admin? && @admin_count == 1
-    .panel.panel-default
-      .panel-heading
-        h5
-          ' Disable account
-      .panel-body
-        = form_tag(toggle_enabled_path(current_user), method: :put, remote: true, id: 'disable-form') do
+  - unless current_user.email.empty?
+    - if current_user.ldap_name.nil?
+      .panel.panel-default
+        .panel-heading
+          h5
+            ' Change Password
+        .panel-body
+          = form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put, class: 'password' }) do |f|
+            - if devise_mapping.confirmable? && resource.pending_reconfirmation?
+              div
+                Currently waiting confirmation for: #{resource.unconfirmed_email}
+            .form-group
+              .field
+                = f.label :current_password, class: 'control-label'
+                = f.password_field :current_password, autocomplete: 'off', class: 'form-control'
+                br
+              .field
+                = f.label :password, class: 'control-label'
+                = f.password_field :password, autocomplete: 'off', class: 'form-control'
+                br
+              .field
+                = f.label :password_confirmation, class: 'control-label'
+                = f.password_field :password_confirmation, autocomplete: 'off', class: 'form-control'
             .form-group
-              p
-                | By disabling the account, you won't be able to access Portus with it, and
-                  any affiliations with any team will be lost.
-              = submit_tag('Disable', class: 'btn btn-primary btn-danger')
+              .actions
+                = f.submit('Change', class: 'btn btn-primary', disabled: true)
+
+    - unless current_user.admin? && @admin_count == 1
+      .panel.panel-default
+        .panel-heading
+          h5
+            ' Disable account
+        .panel-body
+          = form_tag(toggle_enabled_path(current_user), method: :put, remote: true, id: 'disable-form') do
+              .form-group
+                p
+                  | By disabling the account, you won't be able to access Portus with it, and
+                    any affiliations with any team will be lost.
+                = submit_tag('Disable', class: 'btn btn-primary btn-danger')

app/views/devise/sessions/new.html.slim

@@ -8,6 +8,14 @@ section.row-0
         = f.text_field :username, class: 'input form-control input-lg first', placeholder: 'Username', autofocus: true, required: true
         = f.password_field :password, class: 'input form-control input-lg last', placeholder: 'Password', autocomplete: false, required: true
         = f.button class: 'classbutton btn btn-primary btn-block btn-lg' do
-          i.fa.fa-check Login
+          - if Portus::LDAP.enabled?
+            i.fa.fa-check  LDAP Login
+          - else
+            i.fa.fa-check Login
 
-        .text-center = link_to 'or, Create a new account', new_user_registration_url
+        - if Portus::LDAP.enabled?
+          - unless User.not_portus.any?
+            p
+              | <b>NOTE</b>: The first user to be created will have admin permissions !
+        - else
+          .text-center = link_to 'or, Create a new account', new_user_registration_url

app/views/shared/_header.html.slim

@@ -13,7 +13,7 @@
           i.fa.fa-search
   .username-logout
     .hidden-xs
-      - if APP_CONFIG['gravatar']
+      - if APP_CONFIG.enabled?("gravatar")
         = gravatar_image_tag(current_user.email)
       - else
         i.fa.fa-user.fa-1x

config/config.yml

@@ -2,5 +2,14 @@
 # application. In order to change them, write your own config-local.yml file
 # (it will be ignored by git).
 
-settings:
-  gravatar: true
+gravatar:
+  enabled: true
+
+ldap:
+  enabled: false
+
+  hostname: "ldap_hostname"
+  port: 389
+
+  # The base where users are located (e.g. "ou=users,dc=example,dc=com").
+  base: ""

config/initializers/config.rb

@@ -1,17 +1,34 @@
 
+# TODO: (mssola) move this into its own file in the `lib` directory.
+# TODO: (mssola) take advantage of YAML syntax for inheriting values. This way
+# we could define different values for different environments (useful for
+# testing).
+
 config = File.join(Rails.root, "config", "config.yml")
 local = File.join(Rails.root, "config", "config-local.yml")
 
-app_config = YAML.load_file(config)["settings"] || {}
+app_config = YAML.load_file(config) || {}
 
 if File.exist?(local)
   # Check for bad user input in the local config.yml file.
-  local_config = YAML.load_file(local)["settings"]
+  local_config = YAML.load_file(local)
   if local_config.nil? || !local_config.is_a?(Hash)
     raise StandardError, "Wrong format for the config-local file!"
   end
 
   app_config = app_config.merge(local_config)
 end
 
+class << app_config
+  # The `enabled?` method is a convenient method that checks whether a specific
+  # feature is enabled or not. This method takes advantage of the convention
+  # that each feature has the "enabled" key inside of it. If this key exists in
+  # the checked feature, and it's set to true, then this method will return
+  # true. It returns false otherwise.
+  def enabled?(feature)
+    return false if !self[feature] || self[feature].empty?
+    self[feature]["enabled"].eql?(true)
+  end
+end
+
 APP_CONFIG = app_config

config/initializers/devise.rb

@@ -243,6 +243,12 @@
   #   manager.intercept_401 = false
   #   manager.default_strategies(scope: :user).unshift :some_external_strategy
   # end
+  if Portus::LDAP.enabled? && !Rails.env.test?
+    config.warden do |manager|
+      # Let's put LDAP in front of every other strategy.
+      manager.default_strategies(scope: :user).unshift :ldap_authenticatable
+    end
+  end
 
   # ==> Mountable engine configurations
   # When using Devise inside an engine, let's call it `MyEngine`, and this engine

config/initializers/ldap_authenticatable.rb

@@ -0,0 +1,2 @@
+require "portus/ldap"
+Warden::Strategies.add(:ldap_authenticatable, Portus::LDAP)

config/locales/devise.en.yml

@@ -16,6 +16,8 @@ en:
       timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your email address before continuing."
+      user:
+        invalid_login: "Invalid %{authentication_keys} or password."
     mailer:
       confirmation_instructions:
         subject: "Confirmation instructions"

db/migrate/20150831131727_add_ldap_name_to_users.rb

@@ -0,0 +1,6 @@
+class AddLdapNameToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :ldap_name, :string, default: nil
+    add_index :users, :ldap_name, unique: true
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150805130722) do
+ActiveRecord::Schema.define(version: 20150831131727) do
 
   create_table "activities", force: :cascade do |t|
     t.integer  "trackable_id",   limit: 4
@@ -136,9 +136,11 @@
     t.datetime "updated_at"
     t.boolean  "admin",                  limit: 1,   default: false
     t.boolean  "enabled",                limit: 1,   default: true
+    t.string   "ldap_name",              limit: 255
   end
 
   add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree
+  add_index "users", ["ldap_name"], name: "index_users_on_ldap_name", unique: true, using: :btree
   add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree
   add_index "users", ["username"], name: "index_users_on_username", unique: true, using: :btree