Merge pull request #177 from joshua-arts/master

LDAP Authentication Support
2017-07-07 10:37:29 -04:00 · 2017-07-07 10:37:29 -04:00 · a45f4d4fd0
parent 9bbb669cc1 0b1ae2497f
commit a45f4d4fd0
11 changed files with 78 additions and 3 deletions
--- a/1
+++ b/1
@ -65,6 +65,7 @@ gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 gem 'omniauth', '1.3.1'
 gem 'omniauth-twitter', '1.2.1'
 gem 'omniauth-google-oauth2', '0.4.1'
+gem 'omniauth-ldap'

 gem 'bigbluebutton-api-ruby'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -116,6 +116,7 @@ GEM
    multi_json (1.12.1)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
+    net-ldap (0.16.0)
    nio4r (1.2.1)
    nokogiri (1.6.8.1)
      mini_portile2 (~> 2.1.0)
@ -134,6 +135,11 @@ GEM
      multi_json (~> 1.3)
      omniauth (>= 1.1.1)
      omniauth-oauth2 (>= 1.3.1)
+    omniauth-ldap (1.0.5)
+      net-ldap (~> 0.12)
+      omniauth (~> 1.0)
+      pyu-ruby-sasl (~> 0.0.3.2)
+      rubyntlm (~> 0.3.4)
    omniauth-oauth (1.1.0)
      oauth
      omniauth (~> 1.0)
@ -151,6 +157,7 @@ GEM
      mimemagic (= 0.3.0)
    pg (0.19.0)
    puma (3.6.0)
+    pyu-ruby-sasl (0.0.3.3)
    rack (2.0.1)
    rack-test (0.6.3)
      rack (>= 1.0)
@ -184,6 +191,7 @@ GEM
    rb-fsevent (0.9.7)
    rb-inotify (0.9.7)
      ffi (>= 0.5.0)
+    rubyntlm (0.3.4)
    sass (3.4.22)
    sass-rails (5.0.6)
      railties (>= 4.0.0, < 6)
@ -254,6 +262,7 @@ DEPENDENCIES
  mocha
  omniauth (= 1.3.1)
  omniauth-google-oauth2 (= 0.4.1)
+  omniauth-ldap
  omniauth-twitter (= 1.2.1)
  paperclip (~> 4.2)
  pg
--- a/app/assets/images/ldap_icon.png
+++ b/app/assets/images/ldap_icon.png
--- a/app/assets/stylesheets/main/landing.scss
+++ b/app/assets/stylesheets/main/landing.scss
@ -114,3 +114,9 @@
 .tooltip-wrapper {
  display: inline-block;
 }
+
+ #youtube-footer{
+   font-size: 10px;
+   text-align: center;
+   margin-top: 10px; 
+ }
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -16,7 +16,13 @@

 class SessionsController < ApplicationController

+  skip_before_action :verify_authenticity_token
+
  def new
+    # If LDAP is enabled, just route to it instead.
+    if Rails.application.config.omniauth_ldap
+      redirect_to "#{relative_root}/auth/ldap"
+    end
  end

  def create
@ -36,6 +42,12 @@ class SessionsController < ApplicationController
  end

  def auth_failure
-    redirect_to '/'
+    if params[:message] == 'invalid_credentials'
+      redirect_to '/', flash: {danger: t('invalid_login') }
+    elsif params[:message] == 'ldap_error'
+      redirect_to '/', flash: {danger: t('ldap_error') }
+    else
+      redirect_to '/'
+    end
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -47,6 +47,14 @@ class User < ApplicationRecord
    auth_hash['info']['email']
  end

+  def self.ldap_username(auth_hash)
+    auth_hash['info']['nickname']
+  end
+  
+  def self.ldap_email(auth_hash)
+    auth_hash['info']['email']
+  end
+
  def set_encrypted_id
    self.encrypted_id = "#{username[0..1]}-#{Digest::SHA1.hexdigest(uid+provider)[0..7]}"
  end
--- a/app/views/landing/rooms.html.erb
+++ b/app/views/landing/rooms.html.erb
@ -76,6 +76,7 @@
            <%= t('upload') %>
          </button>
        </div>
+        <p id = 'youtube-footer'><%= t('youtube_footer') %></p>
    </form>
  </div>
  <div class='mail_youtube_popover'>
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -1,11 +1,27 @@
-Rails.application.config.providers = [:google, :twitter]
+Rails.application.config.providers = [:google, :twitter, :ldap]

 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present?

 Rails.application.config.omniauth_twitter = ENV['TWITTER_ID'].present?

+Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present?
+
 Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, ENV['TWITTER_ID'], ENV['TWITTER_SECRET']
  provider :google_oauth2, ENV['GOOGLE_OAUTH2_ID'], ENV['GOOGLE_OAUTH2_SECRET'],
    scope: ['profile', 'email', 'youtube', 'youtube.upload'], access_type: 'online', name: 'google'
+  provider :ldap,
+    host: ENV['LDAP_SERVER'],
+    port: ENV['LDAP_PORT'],
+    method: ENV['LDAP_METHOD'].present? ? ENV['LDAP_METHOD'].to_sym : :plain,
+    allow_username_or_email_login: true,
+    uid: ENV['LDAP_UID'],
+    base: ENV['LDAP_BASE'],
+    bind_dn: ENV['LDAP_BIND_DN'],
+    password: ENV['LDAP_PASSWORD']
 end
+
+# Redirect back to login in development mode.
+OmniAuth.config.on_failure = Proc.new { |env|
+  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+}
--- a/config/locales/en-us.yml
+++ b/config/locales/en-us.yml
@ -92,6 +92,7 @@ en-US:
  home_page: Home page
  home_title: Welcome to BigBlueButton
  invalid_file: You may only upload an image file (jpg, gif, png).
+  invalid_login: Invalid log in credentials.
  invite: Invite
  invite_description: (share this link below to invite others to this meeting)
  join: Join
@ -101,6 +102,7 @@ en-US:
    connect: Connect in real-time with others
    collaborate: Collaborate with friends
    teach: Teach students online
+  ldap_error: Unable to connect to the LDAP server. Please check your LDAP configuration in the env file and ensure your server is running.
  logged_in_description_html: You are logged in as %{link}
  login: login
  login_description: Want to record a meeting?
@ -182,6 +184,7 @@ en-US:
  watch: Watch
  'yes': 'Yes'
  youtube_description: This recording was recorded with BigBlueButton. For more information check out %{url}.
+  youtube_footer: this will upload all webcam and audio data
  youtube_privacy_options:
    public: Public
    private: Private
--- a/14
+++ b/14
@ -36,6 +36,20 @@ TWITTER_SECRET=
 GOOGLE_OAUTH2_ID=
 GOOGLE_OAUTH2_SECRET=

+# LDAP Login Provider (optional)
+#
+#   You can enable LDAP authentication by providing values for the variables below.
+#   For information about setting up LDAP, see: 
+#     http://docs.bigbluebutton.org/install/green-light.html#ldap-oauth
+#
+LDAP_SERVER=
+LDAP_PORT=
+LDAP_METHOD=
+LDAP_UID=
+LDAP_BASE=
+LDAP_BIND_DN=
+LDAP_PASSWORD=
+
 # If "true", GreenLight will register a webhook callback for each meeting
 # created. This callback is called for all events that happen in the meeting,
 # including the processing of its recording. These events are used to update
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@ -8,7 +8,12 @@ class SessionsControllerTest < ActionController::TestCase

  test "should get new" do
    get :new
-    assert_response :success
+    # We redirect directly to LDAP if configured.
+    if ENV['LDAP_SERVER'].present?
+      assert_response :redirect
+    else
+      assert_response :success
+    end
  end

  test "should redirect to home on auth failture" do