Hi Ken, I hope that email will also reach the group/mailinglist. I have already done some work on the authentification plugin refactoring. The patch is in the attachment. It would be nice to get some feedback. And can you test whether it still works with Kerberos authentification, please?
First of all I have moved the username transformation and
auto-registration from the LDAP, Kerberos and SSL authentification
plugins into two mixins:
Gitorious::Authentification::UsernameTransformation
Gitorious::Authentification::AutoRegistration
Those mixins can be used seperatly or in combination, like below:
HTTPAuthentification
include UsernameTransformation
include AutoRegistration
def get_login(credentials)
...
end
def get_attributes(credentials)
...
end
That's it. The mixins will add their own code to the authentification
plugins initialization, in order to parse their options. And the
AutoRegistration mixin will also implement the authentificate() method
for you, based on get_login() and get_attributtes().
get_login() must return the login name. If you have also included the
UsernameTransformation mixin like above, the returned login name will
automatically transformed to a valid Gitorious username.
get_attributes() must return a Hash holding additional information like
email and fullname, saved during auto-registration.
After I have moved all the code into mixins, I realised that the only
difference between the Kerberos and SSL authentification plugin, is the
name of the server variables they rely on. So I replaced the Kerberos
and SSL authentification plugin, with a generic HTTP authentification
plugin, which can be configured to use any server variable as login
name or to get information during auto-registration from. The new HTTP
authentification plugin, will work with every web server based
authentification method, including Kerberos, SSL client certificates,
Basic Auth and everything else.
So what do you think, so far?
Cheers
Sebastian
From 54b8bc55c022f610927c91f1be33461a8f94fc27 Mon Sep 17 00:00:00 2001 From: Sebastian Noack <[email protected]> Date: Wed, 4 Jul 2012 23:18:56 +0200 Subject: [PATCH] Refactored authentification plugins. * Merged SSL and Kerberos plugin together into a general HTTP authentification plugin, usable for every web server bases authentification method. * Moved common parts (auto-registration and transformation of usernames) of HTTP and LDAP authentification into mixins. --- config/authentication.sample.yml | 93 ++++++++++-------- lib/gitorious/authentication.rb | 75 +++++++++++++++ .../authentication/http_authentication.rb | 22 +++++ .../authentication/kerberos_authentication.rb | 100 -------------------- .../authentication/ldap_authentication.rb | 39 +++----- lib/gitorious/authentication/ssl_authentication.rb | 43 --------- .../authentication/http_authentication_test.rb | 65 +++++++++++++ .../authentication/kerberos_authentication_test.rb | 97 ------------------- .../authentication/ssl_authentication_test.rb | 46 --------- 9 files changed, 224 insertions(+), 356 deletions(-) create mode 100644 lib/gitorious/authentication/http_authentication.rb delete mode 100644 lib/gitorious/authentication/kerberos_authentication.rb delete mode 100644 lib/gitorious/authentication/ssl_authentication.rb create mode 100644 test/unit/lib/gitorious/authentication/http_authentication_test.rb delete mode 100644 test/unit/lib/gitorious/authentication/kerberos_authentication_test.rb delete mode 100644 test/unit/lib/gitorious/authentication/ssl_authentication_test.rb diff --git a/config/authentication.sample.yml b/config/authentication.sample.yml index 7b05880..3c2ddc0 100644 --- a/config/authentication.sample.yml +++ b/config/authentication.sample.yml @@ -51,6 +51,18 @@ development: # with an options hash. See LdapAuthenticationTest. #callback_class: SampleCallback + # Whether the domain should be stripped, if an email address is + # used as login name. Default is false. + #login_strip_domain: false + + # Character used to replace forbidden characters in login names. + # Set to '' to strip forbidden characters. Default is '-'. + #login_replace_char: '-' + + # Adds the given domain (if any) to the email address given in the LDAP + # attribute. If it already contains a domain it is replaced. Default is nil. + #email_domain: + # End LDAP configuration example ############################################################################ @@ -77,56 +89,53 @@ development: ############################################################################ ############################################################################ - # Example of configuring Kerberos authentication - #- adapter: Gitorious::Authentication::KerberosAuthentication - - # Set the Kerberos realm (should be uppercase) - #realm: EXAMPLE.COM - - # The default email domain for users in this realm. If you do not - # specify any email_domain, the default is to use the lowercase - # realm value. - #email_domain: example.com - - # Note that you must also set up Apache's mod_auth_kerb within - # httpd.conf. For example: - # # Enable SSO authentication via Kerberos - # <Location /sessions/http> - # AuthType Kerberos - # AuthName "Gitorious Web UI" - # KrbMethodNegotiate on - # KrbMethodK5Passwd off - # KrbServiceName HTTP - # KrbAuthRealm EXAMPLE.COM - # Krb5Keytab /etc/httpd/http.keytab - # Require valid-user - # ErrorDocument 401 /401.html - # </Location> - - # End Kerberos configuration example - ############################################################################ + # Example of configuring HTTP authentication + #- adapter: Gitorious::Authentication::HTTPAuthentication + # What server variable to use as login name. Default is REMOTE_USER. + #login_variable: REMOTE_USER - ############################################################################ - # Example of configuring SSL client certificate authentication - #- adapter: Gitorious::Authentication::SSLAuthentication - # What certificate field to use as login name. Default is CN. - #login_field: Email + # Map server variables to database fields. Default is empty. + #variable_mapping: - # Whether the domain should be stripped, if the email address is + # Whether the domain should be stripped, if an email address is # used as login name. Default is false. - #login_strip_domain: true + #login_strip_domain: false # Character used to replace forbidden characters in login names. # Set to '' to strip forbidden characters. Default is '-'. - #login_replace_char: '' + #login_replace_char: '-' + + # Adds the given domain (if any) to the email address given in the server + # variable. If it already contains a domain it is replaced. Default is nil. + #email_domain: + + # All options are optional. Without any further configuration, every web + # server based authentification method (Basic Auth, Kerberos, SSL, etc.) + # should work out of the box, as long as the web server sets the + # REMOTE_USER variable. However in order to enable auto-registration you + # have to configure at least a server variable providing the email address. + + # Example for email addresses given in REMOTE_USER: + #login_strip_domain: true + #variable_mapping: + #REMOTE_USER: email + + # Example for email address and full name given in SSL client certificate: + #login_variable: SSL_CLIENT_S_DN_Email + #login_strip_domain: true + #variable_mapping: + #SSL_CLIENT_S_DN_Email: email + #SSL_CLIENT_S_DN_CN: fullname - # Note that you must also set up Apache to create SSL related - # environment variables for the http auth controller: - # <Location /sessions/http> - # SSLOptions +StdEnvVars - # </Location> + # Example for cases where REMOTE_USER contains the username which is also + # the email alias or where REMOTE_USER is in the format <username>@<domain>, + # and the given domain isn't the email domain but e.g. a Kerberos realm: + #login_strip_domain: true + #email_domain: example.com + #variable_mapping: + #REMOTE_USER: email - # End SSL client certificate configuration example + # End HTTP configuration example ############################################################################ # production: diff --git a/lib/gitorious/authentication.rb b/lib/gitorious/authentication.rb index 0f34cd3..0307bc6 100644 --- a/lib/gitorious/authentication.rb +++ b/lib/gitorious/authentication.rb @@ -28,5 +28,80 @@ module Gitorious end return nil end + + module UsernameTransformation + def initialize_options(options) + @login_replace_char = options['login_replace_char'] || '-' + @login_strip_domain = options['login_strip_domain'] + + super if defined?(super) + end + + def initialize(options) + initialize_options(options) + end + + def transform_username(username) + username = username.split('@')[0] if @login_strip_domain + username.gsub(/[^a-z0-9\-]/i, @login_replace_char) + end + end + + module AutoRegistration + def initialize_options(options) + @email_domain = options['email_domain'] + + super if defined?(super) + end + + def initialize(options) + initialize_options(options) + end + + def authenticate(credentials) + username = get_login(credentials) + return unless username + + username = transform_username(username) if defined?(transform_username) + return if username.empty? + + User.find_by_login(username) || auto_register(username, credentials) + end + + def auto_register(username, credentials) + # If the authentification plugin hasn't set at least + # the email address, auto registration isn't possible. + return if (attributes = get_attributes(credentials))['email'].blank? + + user = User.new + user.login = username + + attributes.each do |name, val| + if name == 'email' and !(@email_domain.blank?) + user.email = "#{val.split('@')[0]}@#{@email_domain}" + else + user.write_attribute(name, val) + end + end + + user.password = 'left_blank' + user.password_confirmation = 'left_blank' + user.terms_of_use = '1' + user.aasm_state = 'terms_accepted' + user.activated_at = Time.now.utc + user.save! + # Reset the password to something random + user.reset_password! + user + end + + def get_login(credentials) + credentials.username + end + + def get_attributes(credentials) + {} + end + end end end diff --git a/lib/gitorious/authentication/http_authentication.rb b/lib/gitorious/authentication/http_authentication.rb new file mode 100644 index 0000000..5789f4a --- /dev/null +++ b/lib/gitorious/authentication/http_authentication.rb @@ -0,0 +1,22 @@ +module Gitorious + module Authentication + class HTTPAuthentication + include UsernameTransformation + include AutoRegistration + + def initialize(options) + @login_variable = options['login_variable'] || 'REMOTE_USER' + @variable_mapping = options['variable_mapping'] || {} + super + end + + def get_login(credentials) + credentials.env && credentials.env[@login_variable] + end + + def get_attributes(credentials) + Hash[@variable_mapping.map{|var_name, our_name| [our_name, (credentials.env || {})[var_name]]}] + end + end + end +end diff --git a/lib/gitorious/authentication/kerberos_authentication.rb b/lib/gitorious/authentication/kerberos_authentication.rb deleted file mode 100644 index 4cd25e9..0000000 --- a/lib/gitorious/authentication/kerberos_authentication.rb +++ /dev/null @@ -1,100 +0,0 @@ -# encoding: utf-8 -#-- -# Copyright (C) 2011 Gitorious AS -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -#++ -module Gitorious - module Authentication - class KerberosAuthentication - attr_reader(:realm, :email_domain) - - def initialize(options) - validate_requirements(options) - setup_attributes(options) - end - - def validate_requirements(options) - # Multi-realm auth is not possible, because we could have username - # collisions in the user database. It will be possible when Gitorious - # supports "@" signs in usernames. For now you can only authenticate - # users from a single Kerberos relam. - raise ConfigurationError, "Kerberos Realm required" unless options.key?("realm") - end - - def setup_attributes(options) - @realm = options["realm"] - @email_domain = options["email_domain"] || options["realm"].downcase - end - - # Check if this HTTP user logged in with Kerberos, or not. - # Apache's mod_auth_kerb will set this environment variable. - # If the login was unsuccesful, we'll never get this far because - # mod_auth_kerb will return a 401 error to the browser. - def valid_kerberos_login(env) - # We could also check find_username_from_kerberos - # to ensure the user isn't using an admin principal. - return (env['HTTP_AUTHORIZATION'] =~ /Negotiate /) - end - - # The HTTP authentication callback - def authenticate(credentials) - return false unless credentials.env && valid_kerberos_login(credentials.env) - username = find_username_from_kerberos(credentials.env) - Rails.logger.debug("Kerberos: REMOTE_USER '#{credentials.env['REMOTE_USER']}'.") - Rails.logger.debug("Kerberos: found username '#{username}'.") - if existing_user = User.find_by_login(transform_username(username)) - user = existing_user - else - user = auto_register(username) - end - user - end - - # Find the Gitorious username from a Kerberos principal in the - # request.env HTTP object. See the above note about multi-realm and - # Gitorious username restrictions. - def find_username_from_kerberos(env) - # strip off the realm. - env['REMOTE_USER'].gsub("@#{@realm}", '') - end - - # Transform a Kerberos username into something that passes Gitorious' - # username validations (like the LDAPAuthentication module does). - def transform_username(username) - username.gsub(".", "-") - end - - def auto_register(username) - user = User.new - user.login = transform_username(username) - user.email = username + '@' + @email_domain - Rails.logger.debug("Kerberos: username after transform_username: '#{user.login}'.") - Rails.logger.debug("Kerberos: email '#{user.email}'.") - - # Again, similar to LDAPAuthentication's implementation - user.password = "left_blank" - user.password_confirmation = "left_blank" - user.terms_of_use = '1' - user.aasm_state = "terms_accepted" - user.activated_at = Time.now.utc - user.save! - # Reset the password to something random - user.reset_password! - user - end - - end - end -end diff --git a/lib/gitorious/authentication/ldap_authentication.rb b/lib/gitorious/authentication/ldap_authentication.rb index 8efbd83..575824f 100644 --- a/lib/gitorious/authentication/ldap_authentication.rb +++ b/lib/gitorious/authentication/ldap_authentication.rb @@ -19,12 +19,16 @@ require "net/ldap" module Gitorious module Authentication class LDAPAuthentication + include UsernameTransformation + include AutoRegistration + attr_reader(:server, :port, :encryption, :attribute_mapping, :base_dn, :connection_type, :distinguished_name_template, :connection, :login_attribute) def initialize(options) validate_requirements(options) setup_attributes(options) + super end def validate_requirements(options) @@ -65,13 +69,8 @@ module Gitorious # The actual authentication callback def authenticate(credentials) - return false unless valid_credentials?(credentials.username, credentials.password) - if existing_user = User.find_by_login(transform_username(credentials.username)) - user = existing_user - else - user = auto_register(credentials.username) - end - + return unless valid_credentials?(credentials.username, credentials.password) + return unless user = super return unless post_authenticate({ :connection => connection, :username => credentials.username, @@ -80,35 +79,19 @@ module Gitorious user end - # Transform a username usable towards LDAP into something that passes Gitorious' - # username validations - def transform_username(username) - username.gsub(".", "-") - end - - def auto_register(username) - result = connection.search(:base => base_dn, :filter => username_filter(username), + def get_attributes(credentials) + attributes = {} + result = connection.search(:base => base_dn, :filter => username_filter(credentials.username), :attributes => attribute_mapping.keys, :return_result => true) if result.size > 0 data = result.detect do |element| attribute_mapping.keys.all? {|ldap_name| element[ldap_name] } end - user = User.new - user.login = transform_username(username) attribute_mapping.each do |ldap_name, our_name| - user.write_attribute(our_name, data[ldap_name].first) + attributes[our_name] = data[ldap_name].first end - - user.password = "left_blank" - user.password_confirmation = "left_blank" - user.terms_of_use = '1' - user.aasm_state = "terms_accepted" - user.activated_at = Time.now.utc - user.save! - # Reset the password to something random - user.reset_password! - user end + attributes end private diff --git a/lib/gitorious/authentication/ssl_authentication.rb b/lib/gitorious/authentication/ssl_authentication.rb deleted file mode 100644 index ecb66a1..0000000 --- a/lib/gitorious/authentication/ssl_authentication.rb +++ /dev/null @@ -1,43 +0,0 @@ -module Gitorious - module Authentication - class SSLAuthentication - attr_reader(:login_field, :login_replace_char, :login_strip_domain) - - def initialize(options) - @login_field = options['login_field'] || 'CN' - @login_replace_char = options['login_replace_char'] || '-' - @login_strip_domain = options['login_strip_domain'] - end - - def authenticate(credentials) - return false unless credentials.env - username = username_from_ssl_header(credentials.env) - User.find_by_login(username) || auto_register(username, credentials.env) - end - - def username_from_ssl_header(env) - username = env['SSL_CLIENT_S_DN_' + login_field] - username = username.split('@')[0] if login_strip_domain - username.gsub(/[^a-z0-9\-]/i, login_replace_char) - end - - def auto_register(username, env) - user = User.new - - user.login = username - user.email = env['SSL_CLIENT_S_DN_Email'] - user.fullname = env['SSL_CLIENT_S_DN_CN'] - user.password = 'left_blank' - user.password_confirmation = 'left_blank' - user.terms_of_use = '1' - user.aasm_state = 'terms_accepted' - user.activated_at = Time.now.utc - user.save! - - # Reset the password to something random - user.reset_password! - user - end - end - end -end diff --git a/test/unit/lib/gitorious/authentication/http_authentication_test.rb b/test/unit/lib/gitorious/authentication/http_authentication_test.rb new file mode 100644 index 0000000..ad5c914 --- /dev/null +++ b/test/unit/lib/gitorious/authentication/http_authentication_test.rb @@ -0,0 +1,65 @@ +require "test_helper" + +class Gitorious::Authentication::HTTPAuthenticationTest < ActiveSupport::TestCase + def make_credentials(env) + credentials = Gitorious::Authentication::Credentials.new + credentials.env = env + credentials + end + + context "Authentication (REMOTE_USER)" do + setup do + @ssl = Gitorious::Authentication::HTTPAuthentication.new({}) + @credentials = make_credentials({'REMOTE_USER' => 'moe'}) + end + + should "return the actual user" do + assert_equal(users(:moe), @ssl.authenticate(@credentials)) + end + end + + context "Authentication (SSL)" do + setup do + @ssl = Gitorious::Authentication::HTTPAuthentication.new({ + 'login_variable' => 'SSL_CLIENT_S_DN_Email', + 'login_strip_domain' => true, + }) + @credentials = make_credentials({ + 'SSL_CLIENT_S_DN_Email' => '[email protected]', + }) + end + + should "return the actual user" do + assert_equal(users(:moe), @ssl.authenticate(@credentials)) + end + end + + context "Auto-registration" do + setup do + @ssl = Gitorious::Authentication::HTTPAuthentication.new({ + 'login_variable' => 'SSL_CLIENT_S_DN_Email', + 'login_strip_domain' => true, + 'login_replace_char' => '', + 'email_domain' => 'example.com', + 'variable_mapping:' => { + 'SSL_CLIENT_S_DN_CN' => 'fullname', + 'SSL_CLIENT_S_DN_Email' => 'email', + }, + }) + @credentials = make_credentials({ + 'SSL_CLIENT_S_DN_CN' => 'John Doe', + 'SSL_CLIENT_S_DN_Email' => 'j.doe@localhost', + }) + end + + should "create a new user with information from server variables" do + user = @ssl.authenticate(@credentials) + + assert_equal "jdoe", user.login + assert_equal "[email protected]", user.email + assert_equal "John Doe", user.fullname + + assert user.valid? + end + end +end diff --git a/test/unit/lib/gitorious/authentication/kerberos_authentication_test.rb b/test/unit/lib/gitorious/authentication/kerberos_authentication_test.rb deleted file mode 100644 index 712a289..0000000 --- a/test/unit/lib/gitorious/authentication/kerberos_authentication_test.rb +++ /dev/null @@ -1,97 +0,0 @@ -# encoding: utf-8 -#-- -# Copyright (C) 2011 Gitorious AS -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -#++ - -require "test_helper" -class Gitorious::Authentication::KerberosAuthenticationTest < ActiveSupport::TestCase - - # Accepts a Kerberos principal string, and returns a - # Gitorious::Authentication::Credentials object - def valid_client_credentials(principal) - # construct a simple Rails request.env hash - env = Hash.new - env['HTTP_AUTHORIZATION'] = 'Negotiate ABCDEF123456' - env['REMOTE_USER'] = principal - # Wrap this in the G::A::Credentials object. - credentials = Gitorious::Authentication::Credentials.new - credentials.env = env - credentials - end - - - context "Configuration" do - setup do - @kerberos = Gitorious::Authentication::KerberosAuthentication.new({ - "realm" => "EXAMPLE.COM", - }) - end - - should "require a realm" do - assert_raises Gitorious::Authentication::ConfigurationError do - kerberos = Gitorious::Authentication::KerberosAuthentication.new({}) - end - end - - should "use a default email domain" do - assert_equal "example.com", @kerberos.email_domain - end - end - - context "Authentication" do - setup do - @kerberos = Gitorious::Authentication::KerberosAuthentication.new({ - "realm" => "EXAMPLE.COM", - }) - end - - should "not accept invalid credentials" do - # Pass in an empty hash, to simulate the missing environment variables. - assert [email protected]_kerberos_login({}) - end - - should "accept valid credentials" do - env = Hash['HTTP_AUTHORIZATION' => 'Negotiate ABCDEF123456'] - assert @kerberos.valid_kerberos_login(env) - end - - should "return the actual user" do - assert_equal(users(:moe), @kerberos.authenticate(valid_client_credentials("[email protected]"))) - end - end - - context "Auto-registration" do - setup do - @kerberos = Gitorious::Authentication::KerberosAuthentication.new({ - "realm" => "EXAMPLE.COM", - }) - end - - should "create a new user with attributes mapped from Kerberos" do - user = @kerberos.authenticate(valid_client_credentials("[email protected]")) - assert_equal "[email protected]", user.email - assert_equal "moe-szyslak", user.login - - assert user.valid? - end - - should "transform user's login to not contain dots" do - user = @kerberos.authenticate(valid_client_credentials("[email protected]")) - - assert_equal "mr-moe-szyslak", user.login - end - end -end diff --git a/test/unit/lib/gitorious/authentication/ssl_authentication_test.rb b/test/unit/lib/gitorious/authentication/ssl_authentication_test.rb deleted file mode 100644 index 8d236d8..0000000 --- a/test/unit/lib/gitorious/authentication/ssl_authentication_test.rb +++ /dev/null @@ -1,46 +0,0 @@ -require "test_helper" - -class Gitorious::Authentication::SSLAuthenticationTest < ActiveSupport::TestCase - def valid_client_credentials(cn, email) - # construct a simple Rails request.env hash - env = Hash.new - env['SSL_CLIENT_S_DN_CN'] = cn - env['SSL_CLIENT_S_DN_Email'] = email - # Wrap this in the G::A::Credentials object. - credentials = Gitorious::Authentication::Credentials.new - credentials.env = env - credentials - end - - context "Authentication" do - setup do - @ssl = Gitorious::Authentication::SSLAuthentication.new({}) - end - - should "return the actual user" do - assert_equal(users(:moe), @ssl.authenticate(valid_client_credentials("moe", "[email protected]"))) - end - end - - context "Auto-registration" do - setup do - @ssl = Gitorious::Authentication::SSLAuthentication.new({ - "login_field" => "Email", - "login_strip_domain" => true, - "login_replace_char" => "", - }) - @cn = 'John Doe' - @email = '[email protected]' - end - - should "create a new user with information from the SSL client certificate" do - user = @ssl.authenticate(valid_client_credentials(@cn, @email)) - - assert_equal "jdoe", user.login - assert_equal @email, user.email - assert_equal @cn, user.fullname - - assert user.valid? - end - end -end -- 1.7.10
signature.asc
Description: PGP signature
