:sparkles: Convert LDAP username (#12461)

* :sparkles: Convert LDAP username #12021

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* :bug: Fix conversion var use

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* :bug: Fix LDAP uid conversion test

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* :ok_hand: Remove comments with ref to PR

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* :ok_hand: Remove unnecessary paranthesis

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* :wrench: Move space in conversion string

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

diff --git a/.env.nanobox b/.env.nanobox
index cfbe487fba769387b622a860a177b07662045a82..fc6c3c42f5626ea991be31613b7e21eb8ee2c663 100644 (file)
--- a/.env.nanobox
+++ b/.env.nanobox
@@ -183,6 +183,9 @@ SMTP_FROM_ADDRESS=notifications@${APP_NAME}.nanoapp.io
 # LDAP_BIND_DN=
 # LDAP_PASSWORD=
 # LDAP_UID=cn
+# LDAP_UID_CONVERSION_ENABLED=true
+# LDAP_UID_CONVERSION_SEARCH=., -
+# LDAP_UID_CONVERSION_REPLACE=_
 
 # PAM authentication (optional)
 # PAM authentication uses for the email generation the "email" pam variable

diff --git a/.env.production.sample b/.env.production.sample
index f9a8bb7c1b2ae5be0ed334e4d565395b9b7fb613..6b078c7b2883703e789de9b40566c105a23a9ad6 100644 (file)
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -179,6 +179,9 @@ STREAMING_CLUSTER_NUM=1
 # LDAP_PASSWORD=
 # LDAP_UID=cn
 # LDAP_SEARCH_FILTER=%{uid}=%{email}
+# LDAP_UID_CONVERSION_ENABLED=true
+# LDAP_UID_CONVERSION_SEARCH=., -
+# LDAP_UID_CONVERSION_REPLACE=_
 
 # PAM authentication (optional)
 # PAM authentication uses for the email generation the "email" pam variable

diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb
index 1179939478454401bf220317a718c0db6b27efcb..2d2e1edbb578b49af5fcf53ec5b72e4b383f8d9a 100644 (file)
--- a/app/models/concerns/ldap_authenticable.rb
+++ b/app/models/concerns/ldap_authenticable.rb
@@ -14,10 +14,18 @@ module LdapAuthenticable
     end
 
     def ldap_get_user(attributes = {})
-      resource = joins(:account).find_by(accounts: { username: attributes[Devise.ldap_uid.to_sym].first })
+      safe_username = attributes[Devise.ldap_uid.to_sym].first
+      if Devise.ldap_uid_conversion_enabled
+        keys = Regexp.union(Devise.ldap_uid_conversion_search.chars)
+        replacement = Devise.ldap_uid_conversion_replace
+
+        safe_username = safe_username.gsub(keys, replacement)
+      end
+
+      resource = joins(:account).find_by(accounts: { username: safe_username })
 
       if resource.blank?
-        resource = new(email: attributes[:mail].first, agreement: true, account_attributes: { username: attributes[Devise.ldap_uid.to_sym].first }, admin: false, external: true, confirmed_at: Time.now.utc)
+        resource = new(email: attributes[:mail].first, agreement: true, account_attributes: { username: safe_username }, admin: false, external: true, confirmed_at: Time.now.utc)
         resource.save!
       end
 

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index fd9a5a8b9b96f14663fe38ddce0e990dcd3a6623..fa9fd8cc447214b24604f6be00fb799a85384958 100644 (file)
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -61,6 +61,12 @@ module Devise
   @@ldap_tls_no_verify = false
   mattr_accessor :ldap_search_filter
   @@ldap_search_filter = nil
+  mattr_accessor :ldap_uid_conversion_enabled
+  @@ldap_uid_conversion_enabled = false
+  mattr_accessor :ldap_uid_conversion_search
+  @@ldap_uid_conversion_search = nil
+  mattr_accessor :ldap_uid_conversion_replace
+  @@ldap_uid_conversion_replace = nil
 
   class Strategies::PamAuthenticatable
     def valid?
@@ -365,5 +371,8 @@ Devise.setup do |config|
     config.ldap_uid            = ENV.fetch('LDAP_UID', 'cn')
     config.ldap_tls_no_verify  = ENV['LDAP_TLS_NO_VERIFY'] == 'true'
     config.ldap_search_filter  = ENV.fetch('LDAP_SEARCH_FILTER', '%{uid}=%{email}')
+    config.ldap_uid_conversion_enabled  = ENV['LDAP_UID_CONVERSION_ENABLED'] == 'true'
+    config.ldap_uid_conversion_search   = ENV.fetch('LDAP_UID_CONVERSION_SEARCH', '.,- ')
+    config.ldap_uid_conversion_replace  = ENV.fetch('LDAP_UID_CONVERSION_REPLACE', '_')
   end
 end