Fixing handle_admin_role so that it actually works. Resolves #2
danielmoore committed May 18, 2014
1 parent 0bd7edd commit c6135ee
Showing 4 changed files with 24 additions and 7 deletions.
2 changes: 1 addition & 1 deletion .gitignore
@@ -1,5 +1,5 @@
.eunit
deps
/deps/*
*.o
*.beam
*.plt
6 changes: 5 additions & 1 deletion priv/local.d/ldap_auth.ini
Expand Up @@ -2,12 +2,16 @@
_session = {ldap_auth, handle_session_req}

[httpd]
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler}, {ldap_auth, handle_basic_auth_req}, {ldap_auth, handle_admin_role}
authentication_handlers = {ldap_auth, handle_admin_role}

[ldap_auth]
; NOTE: for all of the following configurations, if the key is suffixed in "DN", ldap_auth
; will expect you to provide a real LDAP Distinguished Name.

; If you use handle_admin_role to assign your system admins, specify the authentication handlers it should
; query here. See SystemAdminRoleName for more details.
AuthenticationHandlers = {couch_httpd_auth, cookie_authentication_handler}, {ldap_auth, handle_basic_auth_req}

; Enable SSL to the LDAP server.
UseSsl = false

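Review bot: The new comment above `AuthenticationHandlers` does not say how the value is consumed: according to the accompanying src/ldap_auth.erl change it is parsed as an Erlang term list and each `{Mod, Fun}` or `{Mod, Fun, Arg}` entry is called in order by `handle_admin_role` on every request, so a missing brace or comma on this line breaks all authentication for the node, not just LDAP logins. It also appears that listing these same handlers again under `[httpd] authentication_handlers` would reintroduce the ordering problem this workaround exists for, since the outer chain may then authenticate before `handle_admin_role` runs. Suggest extending the comment with `; Parsed as a comma-separated list of Erlang {Mod, Fun} tuples and run in order on every request;` and `; list them here only, not again under [httpd] authentication_handlers.`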
2 changes: 1 addition & 1 deletion rebar.config
@@ -1,4 +1,4 @@
%%-*- mode: erlang -*-
{deps, [
{meck, "0.8.1", {git, "https://github.com/eproxus/meck.git", {tag, "0.8.1"}}}
{meck, "0.8.2", {git, "https://github.com/eproxus/meck.git", {tag, "0.8.2"}}}
]}.
21 changes: 17 additions & 4 deletions src/ldap_auth.erl
Expand Up @@ -16,7 +16,7 @@
-export([handle_basic_auth_req/1, handle_admin_role/1]).
-export([handle_session_req/1]).

-import(couch_httpd, [header_value/2, send_json/2,send_json/4, send_method_not_allowed/2]).
-import(couch_httpd, [header_value/2, send_json/2, send_json/4, send_method_not_allowed/2]).

-import(ldap_auth_config, [get_config/1]).
-import(ldap_auth_gateway, [connect/0, authenticate/3, get_user_dn/2, get_group_memberships/2]).
Expand All @@ -41,13 +41,26 @@ handle_basic_auth_req(Req) ->
Req
end.

handle_admin_role(#httpd{ user_ctx = #user_ctx{ roles = Roles } = UserCtx } = Req) when size(Roles) > 0 ->
handle_admin_role(Req) ->
% This is a workaround pending a resolution to https://issues.apache.org/jira/browse/COUCHDB-2034
[AuthenticationHandlers] = get_config(["AuthenticationHandlers"]),
{ok, Tokens, _} = erl_scan:string("[" ++ AuthenticationHandlers ++ "]."),
{ok, Term} = erl_parse:parse_term(Tokens),
AuthedReq = run_auth_handlers(Req, Term),
prepend_admin_role(AuthedReq).

prepend_admin_role(#httpd{ user_ctx = #user_ctx{ name = User, roles = Roles } = UserCtx } = Req) when length(Roles) > 0 ->
[SystemAdminRoleName] = get_config(["SystemAdminRoleName"]),
case lists:member(SystemAdminRoleName, Roles) of
?LOG_DEBUG("Checking for system admin role ~p for user ~p with roles: ~p", [ SystemAdminRoleName, User, Roles ]),
case lists:member(?l2b(SystemAdminRoleName), Roles) of
true -> Req#httpd{ user_ctx = UserCtx#user_ctx{ roles = [<<"_admin">>|Roles] } };
_ -> Req
end;
handle_admin_role(Req) -> Req.
prepend_admin_role(#httpd{} = Req) -> Req.

run_auth_handlers(Req, []) -> Req;
run_auth_handlers(Req, [ {Mod, Fun} | Rem]) -> run_auth_handlers(Mod:Fun(Req), Rem);
run_auth_handlers(Req, [ {Mod, Fun, SpecArg} | Rem]) -> run_auth_handlers(Mod:Fun(Req, SpecArg), Rem).

% session handlers
% Login handler with user db
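Review bot: `run_auth_handlers` in the last three lines of the hunk invokes every configured handler unconditionally, whereas the CouchDB chain it replaces stops once a handler has populated `user_ctx`, so a later handler may overwrite or reject a request that an earlier one already authenticated; the actual outcome depends on how each listed handler treats an already-authenticated request, which is outside this hunk. A guard clause placed first, `run_auth_handlers(#httpd{user_ctx = #user_ctx{name = Name}} = Req, _) when Name =/= null -> Req;` (using whatever sentinel `#user_ctx` uses for an unauthenticated request), would restore the short-circuit. Separately, the two `{ok, _} =` matches in `handle_admin_role` turn a malformed or missing `AuthenticationHandlers` value into a bare `badmatch` on every request, and the value names arbitrary `Mod:Fun` to call, so it deserves a comment such as `% AuthenticationHandlers is parsed as an Erlang term list and each {Mod, Fun} is applied to the request; it carries the same trust as [httpd] authentication_handlers, so keep it admin-writable only.` Finally, `when length(Roles) > 0` in `prepend_admin_role` is more idiomatically the head pattern `#user_ctx{ name = User, roles = [_ | _] = Roles }`, which avoids walking the list on each request.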
