lib/adauth/authenticate.rb in adauth-2.0.0 vs lib/adauth/authenticate.rb in adauth-2.0.1
- old
+ new
@@ -5,82 +5,32 @@
def self.authenticate(username, password)
begin
Adauth.logger.info("authentication") { "Attempting to authenticate as #{username}" }
if Adauth::AdObjects::User.authenticate(username, password)
user = Adauth::AdObjects::User.where('sAMAccountName', username).first
- if allowed_group_login(user) && allowed_ou_login(user)
+ if allowed_to_login(user)
Adauth.logger.info("authentication") { "Authentication succesful" }
return user
else
- Adauth.logger.info("authentication") { "Authentication failed (not in allowed group)" }
+ Adauth.logger.info("authentication") { "Authentication failed (not in allowed group or ou)" }
return false
end
- else
- Adauth.logger.info("authentication") { "Authentication failed (bad username/password)" }
- return false
end
rescue RuntimeError
Adauth.logger.info("authentication") { "Authentication failed (RuntimeError)" }
return false
end
end
- # Makes sure the user meets the group requirements
- def self.allowed_group_login(user)
- if @config.allowed_groups != []
- allowed = (user && @config.allowed_groups != (@config.allowed_groups - user.cn_groups)) ? user : nil
-
- if allowed == nil
- allowed = is_group_in_group(user) != nil ? user : nil
- end
- else
- allowed = user
- end
-
- if @config.denied_groups != []
- denied = (user && @config.denied_groups == (@config.denied_groups - user.cn_groups)) ? user : nil
- else
- denied = user
- end
-
- allowed == denied
+ # Check if the user is allowed to login
+ def self.allowed_to_login(user)
+ (allowed_from_arrays(@config.allowed_groups, @config.denied_groups, user.cn_groups_nested) && allowed_from_arrays(@config.allowed_ous, @config.denied_ous, user.dn_ous))
end
- # Makes sure the user meets the ou requirements
- def self.allowed_ou_login(user)
- if @config.allowed_ous != []
- allowed = (user && @config.allowed_ous != (@config.allowed_ous - user.dn_ous)) ? user : nil
- else
- allowed = user
- end
-
- if @config.denied_ous != []
- denied = (user && @config.denied_ous == (@config.denied_ous - user.dn_ous)) ? user : nil
- else
- denied = user
- end
-
- allowed == denied
+ private
+
+ def self.allowed_from_arrays(allowed, denied, test)
+ return true if allowed.empty? && denied.empty?
+ return true if !((allowed & test).empty?)
+ return false if !((denied & test).empty?)
end
-
- def self.is_group_in_group(adobject)
- # Loop through each users group and see if it's a member of an allowed group
- begin
- adobject.cn_groups.each do |group|
-
- if @config.allowed_groups.include?(group)
- return group
- end
-
- adGroup = Adauth::AdObjects::Group.where('name', group).first
-
- unless self.is_group_in_group(adGroup) == nil
- return true
- end
- end
- rescue
- return nil
- end
-
- nil
- end
end
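Review bot: In the new `allowed_from_arrays`, the allowed check runs before the denied check, so a user who is in both an allowed and a denied group (or OU) is admitted — the deny list no longer overrides, whereas the removed `allowed == denied` logic required the user to be allowed and not denied. A deny-only configuration is also broken: with `allowed` empty and the user outside `denied`, no `return` fires and the method yields `nil`, so every login is refused instead of accepted. Evaluating deny first and treating an empty allow list as "allow all" restores the old semantics; the rewritten helper is below. Note too that `private` on line 66 has no effect on `def self.` methods — use `private_class_method :allowed_from_arrays` — and, since the `else` logging the bad-password case was dropped, `authenticate` now returns `nil` rather than `false` on a wrong password (still falsy, but the audit log entry is lost; consider keeping it).
```ruby
def self.allowed_from_arrays(allowed, denied, test)
  # Deny takes precedence; an empty allow list admits anyone not denied.
  return false unless (denied & test).empty?
  allowed.empty? || !(allowed & test).empty?
end
private_class_method :allowed_from_arrays
```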