Protecting Rake Task Using LDAP Authentication
TLDR: Scroll to “Protecting rake task with LDAP” section if you are in hurry.
Security is one of important aspect when we develop application regardless it sizes. Especially, when it comes to web application. Because web applications typically have a large attack surface that can be exploited by malicious actors. As a result, when we release a web application to the production environment, we must ensure that the attack surface is as small as possible.
Although we may have already protected our web application from outsiders, this does not imply that it is secure. There is yet another attack factor to consider. Have you ever considered that the attack could come from within?
This might not be a problem in small companies where there only one or two people that has access to production environment of our web application. However, the situation became complex in companies that has hundreds software engineer like Mekari where there is tens of people have access to different web application production environment and this does not include Devops teams where each of them also have access to production environment.
In small companies where only one or two people have access to our web application’s production environment, this may not be an issue. However, this could be a complex issue in companies with hundreds of software engineers, such as Mekari, where tens of people have access to various web application production environments, this does not include Devops teams, who all have access to production environments.
Consider a scenario in which an error occurs in the production environment as a result of someone running the rake task and we are unable to identify that person. This is going to be a nightmare. Here’s where LDAP comes to the rescue.
Protecting rake task with LDAP
In my company’s Ruby on Rails application, I recently deployed a feature that integrated LDAP with rake tasks. The goal is to use LDAP authentication to protect each rake task and to log each rake task process so that we can identify when an issue occurs during rake task execution.
So let’s take a look at how to use LDAP authentication to secure rake tasks in Ruby on Rails. First, we’ll need to add the net-ldap gem to our Ruby on Rails project; the full documentation can be found here.
net-ldap provide simple interface to connect your Ruby application to your LDAP server. After importing the gem, we can just simply setup the LDAP configuration and authenticate the user credentials using bind
We can also pass the configuration using the parameter on the constructor. There is multiple authentication method you can choose on LDAP, but for now we can use simple authentication, which require you to setup the username and the password.
As you can see, in the username field we need to set the detail of the user. This detail will be different depending on your LDAP server requirement. Usually it consist of user id (uid), domain code (dc), or organizational unit (ou).
Let’s wrap the code into a module called LDAPAuthenticator and method connect
Attach the module in Rakefile, use $stdout.puts and $stdin.gets to create interactive shell, but do not forget to use $stdin.getpass for the password input to make sure the password user type in is not visible to other people. This is the final code will looks like on your Rakefile.
I hope this simple guide can help you to integrate your rake task with LDAP authentication to make your application environment more secure.
