LDAP - Authlogic - ruby

I have a RoR application with Authlogic and LDAP. I followed the Authlogic how-to and this http://pastie.org/385199, but the method (def valid_ldap_credentials?(password_plaintext)) is never called... any help?

I don't think you want to set :validate_password_field => false. My understanding is that this disables all password validation, so your custom method won't get called. Try taking that out and see what happens.
Also, the format appears incorrect -- Authlogic configuration options need to be done within a block like so:
acts_as_authentic do |c|
c.validate_password_field = false
end

Related

before filter issue in padrino

I'm trying to create a chain of before filters in Padrino that looks like this:
before do
set_current_user
track_order_ip
!current_user and pass
## don't allow the other filters to run if there is no current user
customer_inactivity!
skip_enforce!
## the theory is: if a user is not enforced, he should not be allowed to execute the enforce! before filter
enforce!
end
Now all filters would execute in the chain, but if current_user is not present I wish to drop (i.e. pass) the rest of the filter chain, which is taken care of by this (!current_user and pass) code.
But trying to do something like this in Padrino causes the app to redirect to the same route multiple times and then break with the following error.
ArgumentError at /myaccount/users/authenticate
uncaught throw :pass
at
!current_customer and pass
What I find weird, and what I'm not able to understand, is why it's not working in Padrino (since I know Padrino internally uses Sinatra), because I wrote a similar proof-of-concept application in Sinatra (can be found over here) and that just seems to work out of the box without any issue.
Lastly, here is the Padrino code
Now can anyone give me some pointers as to what I'm doing wrong in Padrino that is implemented correctly in the proof-of-concept Sinatra app?
Thanks

"CSRF detected" with Omniauth and Google

I'm getting this:
OmniAuth::Strategies::OAuth2::CallbackError at /auth/google/callback
csrf_detected | CSRF detected
My code:
require 'sinatra'
require "sinatra/json"
require "sinatra/config_file"
require 'omniauth-oauth2'
require 'omniauth-google-oauth2'
use Rack::Logger
config_file "config/app_config.yml"
use Rack::Session::Cookie, secret: '5fb7w345y3489f523y4h'
configure do
enable :sessions
end
use OmniAuth::Builder do
provider :google_oauth2, settings.google[:client_id], settings.google[:secret],
{
:scope => "userinfo.profile",
:access_type => "offline",
:prompt => "select_account consent",
:name => "google"
}
end
get '/list' do
json get_list
end
get '/' do
%Q|<a href='/auth/google'>Sign in with Google</a>|
end
get '/auth/:name/callback' do
#auth = request.env['omniauth.auth']
#auth.inspect
end
My callback is returning both code and state.
This problem occurs with Rails when the domain defined in config/initializers/session_store.rb is different from the origin/redirect_uri defined in the Google API console.
MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'
Removing the domain param or using the same domain on both sides fixed the problem.
If you are using Devise with OmniAuth, you need to skip the extra omniauth.rb initializer file and simply add config.provider "KEY", "SECRET" inside your initializers/devise.rb, then carry on with your implementation.
Got the same problem:
(google_oauth2) Callback phase initiated.
(google_oauth2)
Authentication failure! csrf_detected:
OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF
detected
The last omniauth-oauth2 update introduced the "state" param as a mandatory field.
Some people suggest using provider_ignores_state: true, but it's a bad idea because it introduces a CSRF flaw.
Guess we'll have to downgrade to the previous version to keep google_oauth2 working.
Issue is on https://github.com/intridea/omniauth-oauth2/issues/58
Are you hitting Back and reattempting to log in? I was getting this issue and it was really confusing me, but it was because I was going back to retry. If I typed in the address again, I wouldn't get the issue.
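The answers above describe three ways the OAuth2 "state" check fails: a session cookie scoped to a domain that does not match the redirect_uri, a value that differs from the one stored, and a replay after hitting Back. The following is an added illustration (not OmniAuth's own code) of why each one yields csrf_detected; the Browser class, start_login and callback are constructed for this example.

```ruby
require 'securerandom'

# Constructed model of the OmniAuth "state" round trip (illustration only, not
# OmniAuth's code). A cookie jar keyed by domain stands in for the browser: a
# session cookie set for one domain is not sent to another host, which is why
# a session_store domain that does not match the redirect_uri loses the state.
class Browser
  def initialize
    @cookies = {} # cookie domain => session hash
  end

  # The app writes its session cookie for the domain it is configured with.
  def set_session(domain, session)
    @cookies[domain] = session
  end

  # On a request to +host+ only a cookie whose domain matches is sent along.
  def session_for(host)
    pair = @cookies.find { |domain, _| host == domain || host.end_with?(".#{domain}") }
    pair ? pair.last : {}
  end
end

# Request phase: mint an unguessable state, keep it in the session and send
# the same value to the provider as the +state+ query parameter.
def start_login(browser, cookie_domain)
  state = SecureRandom.hex(24)
  browser.set_session(cookie_domain, { 'omniauth.state' => state })
  state
end

# Callback phase: the state echoed back must equal the one in the session.
# A missing session (cookie not sent), a tampered value, or a replayed
# callback (state already consumed, e.g. hitting Back) all yield csrf_detected.
def callback(browser, callback_host, params)
  session = browser.session_for(callback_host)
  expected = session.delete('omniauth.state') # one-shot: consumed on first use
  given = params['state']
  return 'csrf_detected' if expected.nil? || given.nil?
  constant_time_equal?(expected, given) ? 'ok' : 'csrf_detected'
end

# Length-then-XOR comparison so the check does not leak matching prefixes.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

Setting provider_ignores_state removes the callback check entirely, so the fix is to align the cookie domain with the redirect_uri rather than to disable the comparison.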

checking groups at runtime with devise and devise_ldap_authenticatable

I can get devise_ldap_authenticatable working just fine when I don't care about what groups they are in: it either connects to LDAP and authenticates the user signing in under Devise or it doesn't. But I want to let in only members that are part of one or several specific groups. I had a post on this question here:
Checking group membership in rails devise ldap gem, is it in the yaml?
(the gem for completeness sake is this one: https://github.com/cschiewek/devise_ldap_authenticatable)
I got to thinking I am asking the wrong question. I think I want to know where in Devise (and devise_ldap_authenticatable) the data is stored, so that I can peek at my array of memberOf values myself, check the groups in code, and at that point not let them in. Is there anywhere on the net that shows this? My googling has turned up nothing, but not being an LDAP or Devise pro I am guessing my terms suck.
I am sure I might just have missed how to do this. The closest I can see that might help (though as I read it, it makes little sense to me) is the part of the README here:
https://github.com/cschiewek/devise_ldap_authenticatable/blob/master/README.md
about querying LDAP. Is this the case?
You could do this with a callback or validation on the User (or equivalent) model.
before_create :user_is_not_member_of_specified_group?
private
def user_is_not_member_of_specified_group?
member_of = Devise::LdapAdapter.get_ldap_param(self.username,"memberOf")
test member_of
end
where test is a method that returns true/false based on your conditions for the member groups.
The Devise::LdapAdapter.get_ldap_param(self.username,"memberOf") is a method from devise_ldap_authenticatable that will return an array of member groups. You'll want to run your group testing on this array.
If you use a validation you could specify an error message for users that failed the test. Hope this helps.
EDIT
Another way to handle this would be to let your gem handle the redirection and error messages by monkeypatching the authorized? method in Devise::LdapAdapter::LdapConnect (https://github.com/cschiewek/devise_ldap_authenticatable/blob/master/lib/devise_ldap_authenticatable/ldap_adapter.rb). It would look like:
Devise::LdapAdapter::LdapConnect.class_eval do
def user_group_test
member_of = self.ldap_param_value("memberOf")
test member_of # your group test method
end
def authorized?
DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
if !user_group_test
DeviseLdapAuthenticatable::Logger.send("Not authorized because custom authentication failed.")
return false
elsif !authenticated?
DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.")
return false
elsif !in_required_groups?
DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.")
return false
elsif !has_required_attribute?
DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.")
return false
else
return true
end
end
end
You would want to put this in a custom initializer file in config/initializers.
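Both snippets above leave the group test itself as a placeholder. The following is an added example (not part of devise_ldap_authenticatable) of what that method can look like; the sample memberOf values and group DNs are constructed, standing in for what get_ldap_param would return, and it compares normalized DNs instead of matching substrings so that a similarly named group is not accepted by accident.

```ruby
# Added example, not part of devise_ldap_authenticatable: a group test for the
# memberOf value the gem returns. It compares normalized DNs rather than doing
# a substring match, so "cn=admins-readonly,..." is not accepted as "cn=admins,...".

# Normalize a DN for comparison: lowercase, split on commas that are not
# escaped with a backslash, and drop whitespace around RDN separators
# (LDAP treats these spellings as the same DN).
def normalize_dn(dn)
  dn.to_s.strip.downcase.split(/(?<!\\),/)
    .map { |rdn| rdn.strip.sub(/\s*=\s*/, '=') }
    .join(',')
end

# memberOf may come back as nil (no groups), a single String, or an Array.
def member_of_list(member_of)
  Array(member_of).map { |dn| normalize_dn(dn) }.reject(&:empty?)
end

# True when the user belongs to at least one of the allowed group DNs.
def allowed_group_member?(member_of, allowed_group_dns)
  allowed = allowed_group_dns.map { |dn| normalize_dn(dn) }
  (member_of_list(member_of) & allowed).any?
end

# Constructed sample values standing in for what
# Devise::LdapAdapter.get_ldap_param(username, "memberOf") would return.
SAMPLE_MEMBER_OF = [
  'CN=Developers, OU=Groups, DC=example, DC=com',
  'cn=admins-readonly,ou=groups,dc=example,dc=com'
]
ALLOWED_GROUPS = [
  'cn=admins,ou=groups,dc=example,dc=com',
  'cn=developers,ou=groups,dc=example,dc=com'
]
```

In the callback or authorized? override above, allowed_group_member?(member_of, ALLOWED_GROUPS) would take the place of the test placeholder.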

How do I turn off automatic stylesheet/javascript generation on Rails 3.1?

I've got a Rails 3.1 project that I'm working on, but I don't want controller_name.css.sass and controller_name.js.coffee to be generated each time I run rails generate controller controller_name. I could swear I've seen the setting somewhere on the internet, but I can't find it now for the life of me. What is it?
Keep in mind that I'm still wanting to use the Asset Pipeline and the CoffeeScript/Sass integration, but I'm organizing those files in my own way.
I'm pretty sure the answer is a command line argument, but bonus points for turning it off with a generator setting or a hidden file or something.
EDIT: I've found the command line flag for it.
rails generate controller controller_name --assets=false
Or something of the like (that line actually errors out, but it also doesn't generate the assets). The API here shows :assets => true as a default option. How do I change that to false and have it always be false every time I generate a controller?
Add these lines to application.rb:
config.generators.stylesheets = false
config.generators.javascripts = false
New syntax is rails generate controller Resources --no-assets.
Don't forget you can also use g in place of generate. And you can skip the creation of a controller helper using the --no-helper flag.
For just one time, use:
rails generate controller controller_name --no-assets
An update on Dmitry Maksimov's answer for Rails 4.2. You can disable generation of controller-specific asset files by default with the following in your config/application.rb file (source: the guide):
config.generators do |g|
g.assets false
end
My full set of options in the application.rb file:
config.generators do |g|
g.stylesheets = false
g.javascripts = false
g.test_framework :rspec, fixture: false
g.template_engine :haml
g.fixture_replacement :factory_girl, dir: 'spec/factories'
end

ruby Openid compliant lib

I'm using a Ruby OpenID-compliant library so I can be an OpenID consumer. I got the sample, and when I try to start up the service it shows errors like
/var/lib/gems/1.8/gems/actionpack-2.3.2/lib/action_controller/session/cookie_store.rb:163:in `ensure_session_key': A key is required to write a cookie containing the session data. Use config.action_controller.session = { :key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb (ArgumentError)
from /var/lib/gems/1.8/gems/actionpack-2.3.2/lib/action_controller/session/cookie_store.rb:74:in `initialize'
Any idea would be appreciated, thanks
I don't know anything about Ruby, but I strongly suspect you need to change these two things.
"_myapp_session"
"some secret phrase"
1 should probably be a session id (how to get this I have no idea). 2 could in theory be left alone, but it's not very secret then.
Just faced the same error. Although the error message (as often happens with Ruby) is a bit messy, it tells you exactly what to do: put that piece of code inside config/environment.rb.
To be specific, put it inside the Rails::Initializer.run do |config| block.