lib/adauth/authenticate.rb in adauth-2.0.0pre2 vs lib/adauth/authenticate.rb in adauth-2.0.0

- old
+ new

@@ -2,38 +2,48 @@ # Authenticates the specifed user agains the domain # # Checks the groups & ous are in the allow/deny lists def self.authenticate(username, password) begin + Adauth.logger.info("authentication") { "Attempting to authenticate as #{username}" } if Adauth::AdObjects::User.authenticate(username, password) user = Adauth::AdObjects::User.where('sAMAccountName', username).first if allowed_group_login(user) && allowed_ou_login(user) + Adauth.logger.info("authentication") { "Authentication succesful" } return user else + Adauth.logger.info("authentication") { "Authentication failed (not in allowed group)" } return false end else + Adauth.logger.info("authentication") { "Authentication failed (bad username/password)" } return false end rescue RuntimeError + Adauth.logger.info("authentication") { "Authentication failed (RuntimeError)" } return false end end # Makes sure the user meets the group requirements def self.allowed_group_login(user) if @config.allowed_groups != [] allowed = (user && @config.allowed_groups != (@config.allowed_groups - user.cn_groups)) ? user : nil + + if allowed == nil + allowed = is_group_in_group(user) != nil ? user : nil + end else allowed = user end if @config.denied_groups != [] denied = (user && @config.denied_groups == (@config.denied_groups - user.cn_groups)) ? user : nil else denied = user end + allowed == denied end # Makes sure the user meets the ou requirements def self.allowed_ou_login(user) 
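Review bot: The nested-group fallback added to `allowed_group_login` still leaves `allowed = nil` for a non-member, and the unchanged `allowed == denied` that closes the method returns true whenever `denied` is also nil — so a user who is in a denied group but in no allowed group is accepted, because both sides are nil. That comparison predates this commit, but the new fallback feeds straight into it, and the same shape appears in `allowed_ou_login`, whose body ends in the next hunk. Returning `!allowed.nil? && !denied.nil?` instead fails closed, including when the `where(...).first` lookup in `authenticate` returns nil after a successful bind. Separately, the new log line `"Authentication failed (not in allowed group)"` also fires for denied-group and OU rejections, and `username` is interpolated into the log unsanitized, so a caller can inject line breaks into the audit trail.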
@@ -46,8 +56,31 @@ if @config.denied_ous != [] denied = (user && @config.denied_ous == (@config.denied_ous - user.dn_ous)) ? user : nil else denied = user end + allowed == denied end + + def self.is_group_in_group(adobject) + # Loop through each users group and see if it's a member of an allowed group + begin + adobject.cn_groups.each do |group| + + if @config.allowed_groups.include?(group) + return group + end + + adGroup = Adauth::AdObjects::Group.where('name', group).first + + unless self.is_group_in_group(adGroup) == nil + return true + end + end + rescue + return nil + end + + nil + end end
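Review bot: `is_group_in_group` recurses through `Adauth::AdObjects::Group.where('name', group).first` with no record of groups already visited, and Active Directory permits circular nesting, so a cycle recurses until `SystemStackError` — which the bare `rescue` (StandardError only) does not catch and which `authenticate`'s `rescue RuntimeError` in the previous hunk also lets through. The single `rescue` around the whole loop also means one group that cannot be resolved (`adGroup` nil, then `NoMethodError` on `cn_groups`) abandons every remaining candidate and returns nil for the user, denying nested membership a later group would have satisfied. Threading a `seen` list through the recursion, narrowing the per-group rescue to the lookup, and guarding a nil `adobject` (reachable when the user lookup in `authenticate` returns nil) keeps the check bounded and fail-closed; the mixed `group`/`true`/`nil` return values could also become a plain boolean, and `adGroup` should be `ad_group` per Ruby convention.
```ruby
def self.is_group_in_group(adobject, seen = [])
  # Depth-first walk of the object's group tree; `seen` breaks the cycles AD allows.
  return nil if adobject.nil?

  adobject.cn_groups.each do |group|
    next if seen.include?(group)
    seen << group

    return group if @config.allowed_groups.include?(group)

    begin
      ad_group = Adauth::AdObjects::Group.where('name', group).first
    rescue
      next # an unresolvable group must not abort the remaining candidates
    end

    return true unless self.is_group_in_group(ad_group, seen).nil?
  end

  nil
rescue
  nil # any other directory error fails closed, as before
end
```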