debian/rules:
#!/usr/bin/make -f
#export DH_VERBOSE=1
#
# Uncomment to ignore all test failures (but the tests will run anyway)
export DH_RUBY_IGNORE_TESTS=ruby1.8
# Uncomment to ignore some test failures (but the tests will run anyway).
# Valid values:
#export DH_RUBY_IGNORE_TESTS=ruby1.8 ruby1.9.1 require-rubygems
#
# If you need to specify the .gemspec (eg there is more than one)
#export DH_RUBY_GEMSPEC=gem.gemspec

%:
	dh $@ --buildsystem=ruby --with ruby

debian/compat:
7

debian/copyright:
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: omniauth-ldap
Source: https://github.com/gitlabhq/omniauth-ldap

Files: *
Copyright: 2011 by Ping Yu and Intridea, Inc.
License: Expat

Files: ./lib/omniauth-ldap/adaptor.rb
Copyright: 2011 by Ping Yu and Intridea, Inc.
           2006–2011 Francis Cianfrocca and other contributors.
License: Expat

Files: debian/*
Copyright: 2013 Ondřej Surý
License: Expat

License: GPL-2
 This package is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; version 2 dated June, 1991.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this package; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the full text of the GNU General Public License
 version 2 can be found in the file `/usr/share/common-licenses/GPL-2'.

License: Ruby
 1. You may make and give away verbatim copies of the source form of the
    software without restriction, provided that you duplicate all of the
    original copyright notices and associated disclaimers.
 .
 2. You may modify your copy of the software in any way, provided that
    you do at least ONE of the following:
 .
    a) place your modifications in the Public Domain or otherwise
       make them Freely Available, such as by posting said
       modifications to Usenet or an equivalent medium, or by allowing
       the author to include your modifications in the software.
 .
    b) use the modified software only within your corporation or
       organization.
 .
    c) rename any non-standard executables so the names do not conflict
       with standard executables, which must also be provided.
 .
    d) make other distribution arrangements with the author.
 .
 3. You may distribute the software in object code or executable
    form, provided that you do at least ONE of the following:
 .
    a) distribute the executables and library files of the software,
       together with instructions (in the manual page or equivalent)
       on where to get the original distribution.
 .
    b) accompany the distribution with the machine-readable source of
       the software.
 .
    c) give non-standard executables non-standard names, with
       instructions on where to get the original software distribution.
 .
    d) make other distribution arrangements with the author.
 .
 4. You may modify and include the part of the software into any other
    software (possibly commercial). But some files in the distribution
    are not written by the author, so that they are not under this terms.
 .
    They are gc.c(partly), utils.c(partly), regex.[ch], st.[ch] and some
    files under the ./missing directory. See each file for the copying
    condition.
 .
 5. The scripts and library files supplied as input to or produced as
    output from the software do not automatically fall under the
    copyright of the software, but belong to whomever generated them,
    and may be sold commercially, and may be aggregated with this
    software.
 .
 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
    IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

License: Expat
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
 without limitation the rights to use, copy, modify, merge, publish,
 distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to
 the following conditions:
 .
 The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
debian/source/format:
3.0 (quilt)

debian/watch:
version=3
http://pkg-ruby-extras.alioth.debian.org/cgi-bin/gemwatch/omniauth-ldap .*/omniauth-ldap-(.*).tar.gz

debian/ruby-tests.rake:
require 'rspec/core/rake_task'

RSpec::Core::RakeTask.new(:spec) do |spec|
  spec.pattern = './spec/**/*_spec.rb'
end

task :default => :spec

debian/ruby-omniauth-ldap.docs:
README.md

debian/patches/series:
gitlab.patch
get-rid-of-simplecov.patch

debian/patches/get-rid-of-simplecov.patch:
--- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,7 +1,5 @@ $:.unshift File.expand_path('..', __FILE__) $:.unshift File.expand_path('../../lib', __FILE__) -require 'simplecov' -SimpleCov.start require 'rspec' require 'rack/test' require 'omniauth'

debian/patches/gitlab.patch:
--- a/lib/omniauth/strategies/ldap.rb +++ b/lib/omniauth/strategies/ldap.rb @@ -3,6 +3,7 @@ require 'omniauth' module OmniAuth module Strategies class LDAP + class MissingCredentialsError < StandardError; end include OmniAuth::Strategy @@config = { 'name' => 'cn',
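Review bot: get-rid-of-simplecov.patch carries no DEP-3 header, so nothing in the package records why `require 'simplecov'` and `SimpleCov.start` are dropped from spec/spec_helper.rb or whether the change was sent upstream; the reason is only inferable from debian/control, whose Build-Depends lists no simplecov package. Add `Description:`, `Author:` and `Forwarded: not-needed` lines above the `--- a/spec/spec_helper.rb` header.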
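Review bot: the first hunk of lib/omniauth/strategies/ldap.rb introduces `MissingCredentialsError` without saying who rescues it: the `callback_phase` hunk raises it inside a `begin` block whose `rescue` clause is outside the hunk's context, and the spec hunk for an empty POST expects a redirect matching `ldap_error`, so the class silently depends on that rescue turning it into the generic LDAP failure. Add a one-line comment above the class stating that, and give gitlab.patch a DEP-3 `Origin:`/`Description:` header naming the GitLab change it was taken from, since the changelog only calls it a "gitlab security patch".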
@@ -37,8 +38,13 @@ module OmniAuth def callback_phase @adaptor = OmniAuth::LDAP::Adaptor.new @options - return fail!(:missing_credentials) if missing_credentials? begin + # GITLAB security patch + # Dont allow blank password for ldap auth + if request['username'].nil? || request['username'].empty? || request['password'].nil? || request['password'].empty? + raise MissingCredentialsError.new("Missing login credentials") + end + @ldap_user_info = @adaptor.bind_as(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @options[:name_proc].call(request['username'])),:size => 1, :password => request['password']) return fail!(:invalid_credentials) if !@ldap_user_info @@ -80,12 +86,6 @@ module OmniAuth end user end - - protected - - def missing_credentials? - request['username'].nil? or request['username'].empty? or request['password'].nil? or request['password'].empty? - end # missing_credentials? end end end --- a/spec/omniauth/strategies/ldap_spec.rb +++ b/spec/omniauth/strategies/ldap_spec.rb @@ -19,7 +19,7 @@ describe "OmniAuth::Strategies::LDAP" do }.to_app end - let(:session) do + def session last_request.env['rack.session'] end 
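Review bot: in the `callback_phase` hunk the blank-credential check moves inside the `begin` block and becomes a `raise`, which changes what the caller sees: the deleted `return fail!(:missing_credentials) if missing_credentials?` reported a distinct reason before any LDAP traffic, whereas the new code relies on the surrounding `rescue` (not in the hunk's context) to convert the exception, and the spec hunk below now expects `ldap_error` for an empty POST. Keeping the early `fail!(:missing_credentials)`, or rescuing `MissingCredentialsError` explicitly, would preserve that distinction. The comment `# Dont allow blank password for ldap auth` should also say why the check matters: a simple bind that carries a DN with an empty password is the unauthenticated mechanism of RFC 4513 section 5.1.2, which a server may treat as a successful anonymous bind, so an empty password must never reach `bind_as`. Note that `.empty?` does not reject whitespace-only input; `strip.empty?` would. Finally, the inlined condition duplicates the `missing_credentials?` predicate deleted in the following hunk; keeping the helper (and raising from it) avoids the duplication and the `Dont` typo.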
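Review bot: replacing `let(:session)` with `def session` in spec/omniauth/strategies/ldap_spec.rb is unrelated to the credential check and is not explained. `let` memoises the value within one example while a method re-reads `last_request.env['rack.session']` on every call; if the new examples need that behaviour, say so in the patch header, otherwise drop this hunk to keep the security patch minimal.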
@@ -58,66 +58,23 @@ describe "OmniAuth::Strategies::LDAP" do @adaptor.stub(:bind_as).and_return(false) end - context "when username is not preset" do - it 'should redirect to error page' do - post('/auth/ldap/callback', {}) - - last_response.should be_redirect - last_response.headers['Location'].should =~ %r{missing_credentials} - end - end - - context "when username is empty" do - it 'should redirect to error page' do - post('/auth/ldap/callback', {:username => ""}) - - last_response.should be_redirect - last_response.headers['Location'].should =~ %r{missing_credentials} - end - end - - context "when username is present" do - context "and password is not preset" do - it 'should redirect to error page' do - post('/auth/ldap/callback', {:username => "ping"}) - - last_response.should be_redirect - last_response.headers['Location'].should =~ %r{missing_credentials} - end - end - - context "and password is empty" do - it 'should redirect to error page' do - post('/auth/ldap/callback', {:username => "ping", :password => ""}) - - last_response.should be_redirect - last_response.headers['Location'].should =~ %r{missing_credentials} - end - end - end - - context "when username and password are present" do - context "and bind on LDAP server failed" do - it 'should redirect to error page' do - post('/auth/ldap/callback', {:username => 'ping', :password => 'password'}) - - last_response.should be_redirect - last_response.headers['Location'].should =~ %r{invalid_credentials} - end - end - - context "and communication with LDAP server caused an exception" do - before :each do - @adaptor.stub(:bind_as).and_throw(Exception.new('connection_error')) - end - - it 'should redirect to error page' do - post('/auth/ldap/callback', {:username => "ping", :password => "password"}) - - last_response.should be_redirect - last_response.headers['Location'].should =~ %r{ldap_error} - end - end + it 'should raise MissingCredentialsError' do + post('/auth/ldap/callback', {}) + 
last_response.should be_redirect + last_response.headers['Location'].should =~ %r{ldap_error} + end + + it 'should redirect to error page' do + post('/auth/ldap/callback', {:username => 'ping', :password => 'password'}) + last_response.should be_redirect + last_response.headers['Location'].should =~ %r{invalid_credentials} + end + + it 'should redirect to error page when there is exception' do + @adaptor.stub(:bind_as).and_throw(Exception.new('connection_error')) + post('/auth/ldap/callback', {:username => 'ping', :password => 'password'}) + last_response.should be_redirect + last_response.headers['Location'].should =~ %r{ldap_error} end end 
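Review bot: this hunk of ldap_spec.rb deletes the five contexts that covered a missing or empty username and a missing or empty password, and the replacement example named 'should raise MissingCredentialsError' only POSTs an empty body and asserts a redirect matching `ldap_error`, so the case the patch exists for (username present, password `""`) is no longer exercised at all, and the example's name does not describe what it asserts. Restore at least one example with `{:username => "ping", :password => ""}` asserting the redirect, and rename the first example after the redirect it checks.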
@@ -142,11 +99,10 @@ describe "OmniAuth::Strategies::LDAP" do post('/auth/ldap/callback', {:username => 'ping', :password => 'password'}) end - it 'should not redirect to error page' do - last_response.should_not be_redirect + it 'should raise MissingCredentialsError' do + should_not raise_error OmniAuth::Strategies::LDAP::MissingCredentialsError end - - it 'should map user info to Auth Hash' do + it 'should map user info' do auth_hash.uid.should == 'cn=ping, dc=intridea, dc=com' auth_hash.info.email.should == 'ping@intridea.com' auth_hash.info.first_name.should == 'Ping'

debian/control:
Source: ruby-omniauth-ldap
Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers
Uploaders: Ondřej Surý
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~),
               gem2deb (>= 0.3.0~),
               ruby-omniauth (>= 1.0),
               ruby-net-ldap (>= 0.2.2),
               ruby-sasl (>= 0.0.3.1),
               ruby-ntlm (>= 0.1.1),
               ruby-rspec,
               ruby-rack-test
Standards-Version: 3.9.3
Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-omniauth-ldap.git
Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-omniauth-ldap.git;a=summary
Homepage: https://github.com/intridea/omniauth-ldap
XS-Ruby-Versions: all

Package: ruby-omniauth-ldap
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
Depends: ${shlibs:Depends},
         ${misc:Depends},
         ruby | ruby-interpreter,
         ruby-omniauth (>= 1.0),
         ruby-net-ldap (>= 0.2.2),
         ruby-sasl (>= 0.0.3.1),
         ruby-ntlm (>= 0.1.1)
Description: LDAP strategy for Ruby OmniAuth library
 OmniAuth is a Ruby library that standardizes multi-provider authentication
 for web applications. It was created to be powerful, flexible, and do as
 little as possible. Any developer can create strategies for OmniAuth that
 can authenticate users via disparate systems. OmniAuth strategies have been
 created for everything from Facebook to LDAP.
 .
 This package contains the LDAP strategy for OmniAuth.
 .
 This version has been patched for use with GITLAB.
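Review bot: in the last hunk of ldap_spec.rb (`@@ -142,11 +99,10 @@`), `should_not raise_error OmniAuth::Strategies::LDAP::MissingCredentialsError` has no block, so it does not wrap the `post('/auth/ldap/callback', ...)` that runs in the preceding context line and cannot observe whether that request raised, and the example's name 'should raise MissingCredentialsError' contradicts the `should_not` it contains. The replaced `last_response.should_not be_redirect` was the assertion that actually verified a successful callback; restore it, and if the exception path is to be tested, wrap the request itself in `expect { ... }.to_not raise_error`.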
debian/changelog:
ruby-omniauth-ldap (1.0.3-1) unstable; urgency=low

  * Initial release (Closes: #705472)
  * Add gitlab security patch for empty passwords
  * Update copyright to include copyright for ruby-net-ldap borrowed file

 -- Ondřej Surý  Mon, 15 Apr 2013 15:02:40 +0200