Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check if user is present in any of multiple possible group names #271

Open
wants to merge 6 commits into
base: default
Choose a base branch
from
Open

Check if user is present in any of multiple possible group names #271

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
41ca993
Check if user is present in any listed group
RoxasShadow Oct 4, 2021
dc72554
Update tmpls to show how to match multiple groups
RoxasShadow Oct 4, 2021
6be32e4
Remove original line of code for group verification
RoxasShadow Oct 7, 2021
3ce637f
Create manifest
RoxasShadow Oct 7, 2021
9cc57d9
Ignore rails tmp files
RoxasShadow Oct 7, 2021
ade9a1e
Add tests for #in_required_groups?
RoxasShadow Oct 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,4 @@ test/rails_app/tmp
pkg/*
*.gem
.vscode
spec/rails_app/tmp
2 changes: 1 addition & 1 deletion lib/devise_ldap_authenticatable/ldap/connection.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ def in_required_groups?

for group in @required_groups
if group.is_a?(Array)
return false unless in_group?(group[1], group[0])
return false unless group[1..-1].select(&:present?).any? { |g| in_group?(g, group[0]) }
else
return false unless in_group?(group)
end
Expand Down
2 changes: 2 additions & 0 deletions lib/generators/devise_ldap_authenticatable/templates/ldap.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ authorizations: &AUTHORIZATIONS
- cn=users,ou=groups,dc=test,dc=com
# If an array is given, the first element will be the attribute to check against, the second the group name
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
# If multiple group names are given, verification will be satisfied if at least one of them matches the check
- ["moreMembers", "cn=mods,ou=groups,dc=test,dc=com", "cn=admins,ou=groups,dc=test,dc=com"]
## Requires config.ldap_check_attributes in devise.rb to be true
## Can have multiple attributes and values, must match all to be authorized
require_attribute:
Expand Down
Empty file added spec/rails_app/app/assets/config/manifest.js
View file
Open in desktop
Empty file.
76 changes: 76 additions & 0 deletions spec/unit/connection_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,82 @@ class TestOpResult
end
end

describe '#in_required_groups?' do
before do
conn = double(Net::LDAP).as_null_object
allow(Net::LDAP).to receive(:new).and_return(conn)
end

let(:check_group_membership) { true }
let(:required_groups) { %w[group1 group2] }

let(:connection) do
Devise::LDAP::Connection.new.tap do |c|
allow(c).to receive(:dn).and_return('any dn')
c.instance_variable_set(:@required_groups, required_groups)
c.instance_variable_set(:@check_group_membership, check_group_membership)
end
end

context 'required_groups is given as array of strings' do
it 'returns true if member of all the listed group' do
allow(connection).to receive(:in_group?).with('group1').and_return(true)
allow(connection).to receive(:in_group?).with('group2').and_return(false)
expect(connection.in_required_groups?).to be(false)

allow(connection).to receive(:in_group?).with('group1').and_return(true)
allow(connection).to receive(:in_group?).with('group2').and_return(true)
expect(connection.in_required_groups?).to be(true)
end
end

context 'required_groups is given as array of arrays' do
let(:required_groups) do
[
%w[member group1 group2]
]
end

it 'returns true if member of any required group' do
allow(connection).to receive(:in_group?).with('group1', 'member').and_return(false)
allow(connection).to receive(:in_group?).with('group2', 'member').and_return(true)
expect(connection.in_required_groups?).to be(true)

allow(connection).to receive(:in_group?).with('group1', 'member').and_return(true)
allow(connection).to receive(:in_group?).with('group2', 'member').and_return(false)
expect(connection.in_required_groups?).to be(true)

allow(connection).to receive(:in_group?).with('group1', 'member').and_return(false)
allow(connection).to receive(:in_group?).with('group2', 'member').and_return(false)
expect(connection.in_required_groups?).to be(false)
end
end

context 'with check_group_membership false' do
let(:check_group_membership) { false }

it 'returns always true' do
expect(connection.in_required_groups?).to be(true)
end
end

context 'with nil required_groups' do
let(:required_groups) { nil }

it 'returns always false' do
expect(connection.in_required_groups?).to be(false)
end
end

context 'with no required_groups' do
let(:required_groups) { [] }

it 'returns always true' do
expect(connection.in_required_groups?).to be(true)
end
end
end

describe '#authorized?' do
let(:conn) { double(Net::LDAP).as_null_object }
let(:error) { }
Expand Down