Merge pull request #1992 from dmitry-sinina/drop_ldap

Remove LDAP Auth support

Author: dmitry-sinina

.github/workflows/tests.yml

@@ -165,54 +165,6 @@ jobs:
             coverage
 
 
-  rspec_ldap:
-    name: Rspec tests for LDAP auth
-    runs-on: ubuntu-latest
-    container: ghcr.io/yeti-switch/yeti-web/build-image:trixie
-    services:
-      db:
-        image: ghcr.io/yeti-switch/yeti-web/pgsql:18
-
-    needs: gems-caching
-    strategy:
-      fail-fast: false
-
-    steps:
-      - uses: actions/checkout@v6
-      - name: use cache
-        uses: actions/cache@v5
-        with:
-          path: |
-            vendor
-            .bundle
-            /opt/yeti-web/vendor/rbenv
-          key: gems-deb13-${{runner.os}}-${{hashFiles('Gemfile.lock')}}-${{hashFiles('.ruby-version')}}
-
-      - name: Run rspec
-        run: cp -v config/ldap.yml.distr config/ldap.yml && make rspec
-        env:
-          PARALLEL_TEST_PROCESSORS: 1
-          TEST_GROUP: 0
-          YETI_DB_HOST: db
-          YETI_DB_PORT: 5432
-          CDR_DB_HOST: db
-          CDR_DB_PORT: 5432
-          CI: true
-          CI_RUN_LDAP: true
-
-      - name: Save artifacts
-        if: always()
-        uses: actions/upload-artifact@v6
-        with:
-          name: rspec-artifacts-ldap
-          if-no-files-found: ignore
-          include-hidden-files: true
-          path: |
-            tmp/capybara
-            coverage
-
-
-
   rspec_oidc:
     name: Rspec tests for OIDC auth
     runs-on: ubuntu-latest
@@ -268,7 +220,6 @@ jobs:
     needs:
       - gems-caching
       - rspec
-      - rspec_ldap
       - rspec_oidc
     steps:
       - uses: actions/checkout@v6

Gemfile

@@ -15,12 +15,9 @@ gem 'responders'
 
 # Authentication
 gem 'activeadmin-oidc', github: 'activeadmin-plugins/activeadmin-oidc'
-gem 'activeldap'
 gem 'd3-rails', '3.5.2'
 gem 'devise', '>= 4.6.0'
-gem 'devise_ldap_authenticatable', github: 'cschiewek/devise_ldap_authenticatable', branch: 'default'
-gem 'net-ldap', '~> 0.19.0'
-gem 'ostruct', '~> 0.6.1' # need for net-ldap
+gem 'ostruct', '~> 0.6.1'
 
 # Seamless JWT authentication for Rails API
 gem 'jwt'

Gemfile.lock

@@ -28,15 +28,6 @@ GIT
       activeadmin
       rspec (~> 3.0)
 
-GIT
-  remote: https://github.com/cschiewek/devise_ldap_authenticatable.git
-  revision: 6ef2131e79ff3421429f8d1b0645c6e113db4dc7
-  branch: default
-  specs:
-    devise_ldap_authenticatable (0.8.7)
-      devise (>= 3.4.1)
-      net-ldap (>= 0.16.0)
-
 GIT
   remote: https://github.com/didww/jrpc.git
   revision: f48c8e08bedbcc582a67538cc69bf8b7902fdc82
@@ -184,12 +175,6 @@ GEM
     activejob (7.2.3.1)
       activesupport (= 7.2.3.1)
       globalid (>= 0.3.6)
-    activeldap (5.1.1)
-      activemodel (> 4.0.0)
-      builder
-      gettext
-      gettext_i18n_rails
-      locale
     activemodel (7.2.3.1)
       activesupport (= 7.2.3.1)
     activemodel-serializers-xml (1.0.2)
@@ -407,7 +392,6 @@ GEM
       faraday (>= 1, < 3)
     faraday-net_http (3.4.2)
       net-http (~> 0.5)
-    fast_gettext (1.6.0)
     ferrum (0.9)
       addressable (~> 2.5)
       cliver (~> 0.3)
@@ -424,11 +408,6 @@ GEM
       raabro (~> 1.4)
     get_process_mem (0.2.7)
       ffi (~> 1.0)
-    gettext (3.2.9)
-      locale (>= 2.0.5)
-      text (>= 1.3.0)
-    gettext_i18n_rails (1.8.0)
-      fast_gettext (>= 0.9.0)
     globalid (1.3.0)
       activesupport (>= 6.1)
     google-protobuf (4.34.0)
@@ -499,7 +478,6 @@ GEM
     listen (3.5.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    locale (2.1.2)
     logger (1.7.0)
     loofah (2.25.1)
       crass (~> 1.0.2)
@@ -526,7 +504,6 @@ GEM
     net-imap (0.6.3)
       date
       net-protocol
-    net-ldap (0.19.0)
     net-pop (0.1.2)
       net-protocol
     net-protocol (0.2.2)
@@ -980,7 +957,6 @@ GEM
       faraday-follow_redirects
     syslog (0.2.0)
     syslog-logger (1.6.8)
-    text (1.3.1)
     thor (1.5.0)
     tilt (2.7.0)
     timeliness (0.4.5)
@@ -1040,7 +1016,6 @@ DEPENDENCIES
   active_record_extended
   activeadmin
   activeadmin-oidc!
-  activeldap
   activemodel-serializers-xml
   activerecord-import
   annotate
@@ -1067,7 +1042,6 @@ DEPENDENCIES
   database_consistency
   delayed_job_active_record
   devise (>= 4.6.0)
-  devise_ldap_authenticatable!
   draper
   dry-validation (~> 1.0)
   elasticsearch
@@ -1086,7 +1060,6 @@ DEPENDENCIES
   listen
   matrix (~> 0.4.2)
   mini_racer
-  net-ldap (~> 0.19.0)
   net-smtp (~> 0.3.3)
   novus-nvd3-rails!
   odf-report!

app/models/admin_user.rb

@@ -68,18 +68,6 @@ def self.from_token_request(request)
     name.present? ? find_by(username: name) : nil
   end
 
-  def self.ldap?
-    AdminUser.devise_modules.include?(:ldap_authenticatable)
-  end
-
-  def self.ldap_config
-    Rails.root.join 'config/ldap.yml'
-  end
-
-  def self.ldap_config_exists?
-    File.exist?(ldap_config)
-  end
-
   def self.oidc?
     respond_to?(:omniauth_providers) && omniauth_providers.include?(:oidc)
   end
@@ -93,7 +81,7 @@ def self.oidc_config_exists?
   end
 
   def self.external_auth?
-    ldap? || oidc?
+    oidc?
   end
 
   def self.available_roles
@@ -104,8 +92,6 @@ def self.available_roles
 
   if oidc_config_exists?
     include AdminUserOidcHandler
-  elsif ldap_config_exists?
-    include AdminUserLdapHandler
   else
     include AdminUserDatabaseHandler
   end
@@ -129,12 +115,7 @@ def customized_update(params)
     if params[:password].present? || params[:password_confirmation].present?
       update_with_password params
     else
-      attrs = params.except(:password, :password_confirmation)
-      if respond_to?(:update_without_password)
-        update_without_password attrs # db auth
-      else
-        update(attrs) # ldap
-      end
+      update_without_password params.except(:password, :password_confirmation)
     end
   end
 

app/models/concerns/admin_user_ldap_handler.rb

@@ -105,8 +105,6 @@ def self.setting_files(config_root, _env)
       optional(:auto_approve).value(:bool)
       optional(:pdf_converter).maybe(:string)
     end
-    optional(:default_ldap_roles).array(:string)
-
     optional(:admin_ui).schema do
       optional(:session_lifetime).maybe(:int?)
     end

config/initializers/config.rb

@@ -237,15 +237,6 @@
   # When using omniauth, Devise cannot automatically set Omniauth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = "/my_engine/users/auth"
-  config.secret_key = '649ebc96aad6b55506254450d9ec26e08075cd2fffffffd09e3ed554b790c4b6cbff44f5b67cc'
-
-  if File.exist?(Rails.root.join('config/ldap.yml'))
-    config.ldap_logger = false
-    config.ldap_create_user = true
-    config.ldap_use_admin_to_bind = false
-    config.ldap_check_group_membership = true
-    config.ldap_check_group_membership_without_admin = true
-  end
   config.authentication_keys = [:username]
   config.case_insensitive_keys = []
   config.strip_whitespace_keys = []

config/initializers/devise.rb

@@ -4,7 +4,7 @@
 #   cp -v config/oidc.yml.distr config/oidc.yml
 #
 # Drop config/oidc.yml (and restart) to disable OIDC mode and fall back to
-# database auth. Precedence: oidc.yml > ldap.yml > database.
+# database auth.
 #
 # Note: the on_login lambda in config/initializers/activeadmin_oidc.rb
 # captures the values below at boot time. When you edit this file in

config/ldap.yml.distr

@@ -62,9 +62,6 @@ invoice:
   auto_approve: false
   pdf_converter: ""
 
-default_ldap_roles:
-  - root
-
 api_log_enabled: true
 logs:
   tags: