activeldap 0.9.0 → 0.10.0

data/examples/al-admin/public/stylesheets/base.css

@@ -34,6 +34,11 @@ h1
   background-color: #cfc;
 }
 
+div.flash-box-container
+{
+  position: relative;
+}
+
 div#flash-box
 {
   position: absolute;

data/examples/al-admin/script/performance/request

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../../config/boot'
+require 'commands/performance/request'

data/lib/active_ldap.rb

@@ -192,9 +192,9 @@
 #
 # Under ou=People I store user objects, and under ou=Groups, I store group
 # objects.  What |ldap_mapping| has done is mapped the class in to the LDAP tree
-# abstractly. With the given :dnattr and :prefix, it will only work for entries
-# under ou=Groups,dc=dataspill,dc=org using the primary attribute 'cn' as the
-# beginning of the distinguished name.
+# abstractly. With the given :dn_attributes and :prefix, it will only work for
+# entries under ou=Groups,dc=dataspill,dc=org using the primary attribute 'cn'
+# as the beginning of the distinguished name.
 #
 # Just for clarity, here's how the arguments map out:
 #
@@ -205,7 +205,8 @@
 #                :base from configuration.rb
 #
 # :scope tells ActiveLdap to only search under ou=Groups, and not to look deeper
-# for dnattr matches. (e.g. cn=develop,ou=DevGroups,ou=Groups,dc=dataspill,dc=org)
+# for dn_attribute matches.
+# (e.g. cn=develop,ou=DevGroups,ou=Groups,dc=dataspill,dc=org)
 #
 # Something's missing: :classes.  :classes is used to tell Ruby/ActiveLdap what
 # the minimum requirement is when creating a new object. LDAP uses objectClasses
@@ -293,7 +294,7 @@
 # mind, the above definition could become:
 #
 #   irb> class User < ActiveLdap::Base
-#   irb*   ldap_mapping :dnattr => 'uid', :prefix => 'People', :classes => ['top','account']
+#   irb*   ldap_mapping :dn_attribute => 'uid', :prefix => 'People', :classes => ['top','account']
 #   irb*   belongs_to :groups, :class => 'Group', :many => 'memberUid'
 #   irb* end
 #
@@ -348,8 +349,8 @@
 #   => "root"
 #
 # In this simple example, Group.find took the search string of 'deve*' and
-# searched for the first match in Group where the dnattr matched the query. This
-# is the simplest example of .find.
+# searched for the first match in Group where the dn_attribute matched the
+# query. This is the simplest example of .find.
 #
 #   irb> Group.find(:all, '*').collect {|group| group.cn}
 #   => ["root", "daemon", "bin", "sys", "adm", "tty", ..., "develop"]
@@ -921,7 +922,7 @@ if Dependencies.respond_to?(:load_paths)
 end
 
 module ActiveLdap
-  VERSION = "0.9.0"
+  VERSION = "0.10.0"
 end
 
 if RUBY_PLATFORM.match('linux')
@@ -939,6 +940,9 @@ require 'active_ldap/get_text'
 
 require 'active_ldap/base'
 
+require 'active_ldap/distinguished_name'
+require 'active_ldap/ldif'
+
 require 'active_ldap/associations'
 require 'active_ldap/attributes'
 require 'active_ldap/configuration'
@@ -949,7 +953,6 @@ require 'active_ldap/human_readable'
 
 require 'active_ldap/acts/tree'
 
-require 'active_ldap/distinguished_name'
 require 'active_ldap/populate'
 require 'active_ldap/escape'
 require 'active_ldap/helper'
@@ -974,7 +977,7 @@ ActiveLdap::Base.class_eval do
 end
 
 unless defined?(ACTIVE_LDAP_CONNECTION_ADAPTERS)
-  ACTIVE_LDAP_CONNECTION_ADAPTERS = %w(ldap net_ldap)
+  ACTIVE_LDAP_CONNECTION_ADAPTERS = %w(ldap net_ldap jndi)
 end
 
 ACTIVE_LDAP_CONNECTION_ADAPTERS.each do |adapter|

data/lib/active_ldap/adapter/base.rb

@@ -1,4 +1,7 @@
+require 'benchmark'
+
 require 'active_ldap/schema'
+require 'active_ldap/entry_attribute'
 require 'active_ldap/ldap_error'
 
 module ActiveLdap
@@ -13,9 +16,15 @@ module ActiveLdap
                                           :sasl_mechanisms, :sasl_quiet,
                                           :allow_anonymous, :store_password,
                                           :scope]
+
+      @@row_even = true
+
+      attr_reader :runtime
       def initialize(configuration={})
+        @runtime = 0
         @connection = nil
         @disconnected = false
+        @entry_attributes = {}
         @configuration = configuration.dup
         @logger = @configuration.delete(:logger)
         @configuration.assert_valid_keys(VALID_ADAPTER_CONFIGURATION_KEYS)
@@ -24,12 +33,17 @@ module ActiveLdap
         end
       end
 
+      def reset_runtime
+        runtime, @runtime = @runtime, 0
+        runtime
+      end
+
       def connect(options={})
         host = options[:host] || @host
         port = options[:port] || @port
         method = ensure_method(options[:method] || @method)
         @disconnected = false
-        @connection = yield(host, port, method)
+        @connection, @uri, @with_start_tls = yield(host, port, method)
         prepare_connection(options)
         bind(options)
       end
@@ -37,7 +51,7 @@ module ActiveLdap
       def disconnect!(options={})
         return if @connection.nil?
         unbind(options)
-        @connection = nil
+        @connection = @uri = @with_start_tls = nil
       end
 
       def rebind(options={})
@@ -53,20 +67,21 @@ module ActiveLdap
         else
           allow_anonymous = @allow_anonymous
         end
+        options = options.merge(:allow_anonymous => allow_anonymous)
 
         # Rough bind loop:
         # Attempt 1: SASL if available
         # Attempt 2: SIMPLE with credentials if password block
         # Attempt 3: SIMPLE ANONYMOUS if 1 and 2 fail (or pwblock returns '')
         if try_sasl and sasl_bind(bind_dn, options)
-          @logger.info {_('Bound by SASL as %s') % bind_dn}
+          @logger.info {_('Bound to %s by SASL as %s') % [target, bind_dn]}
         elsif simple_bind(bind_dn, options)
-          @logger.info {_('Bound by simple as %s') % bind_dn}
+          @logger.info {_('Bound to %s by simple as %s') % [target, bind_dn]}
         elsif allow_anonymous and bind_as_anonymous(options)
-          @logger.info {_('Bound as anonymous')}
+          @logger.info {_('Bound to %s as anonymous') % target}
         else
           message = yield if block_given?
-          message ||= _('All authentication methods exhausted.')
+          message ||= _('All authentication methods for %s exhausted.') % target
           raise AuthenticationError, message
         end
 
@@ -109,12 +124,9 @@ module ActiveLdap
         end
       end
 
-      def load(ldifs, options={})
-        operation(options) do
-          ldifs.split(/(?:\r?\n){2,}/).each do |ldif|
-            yield(ldif)
-          end
-        end
+      def entry_attribute(object_classes)
+        @entry_attributes[object_classes.uniq.sort] ||=
+          EntryAttribute.new(schema, object_classes)
       end
 
       def search(options={})
@@ -195,26 +207,41 @@ module ActiveLdap
         end
       end
 
+      def modify_rdn(dn, new_rdn, delete_old_rdn, new_superior, options={})
+        operation(options) do
+          yield(dn, new_rdn, delete_old_rdn, new_superior)
+        end
+      end
+
+      def log_info(name, runtime, info=nil)
+        return unless @logger
+        return unless @logger.debug?
+        message = "LDAP: #{name} (#{'%f' % runtime})"
+        @logger.debug(format_log_entry(message, info))
+      end
+
       private
       def prepare_connection(options)
       end
 
       def operation(options)
         retried = false
+        options = options.dup
+        options[:try_reconnect] = true unless options.has_key?(:try_reconnect)
+        try_reconnect = false
         begin
-          reconnect_if_need
-          try_reconnect = !options.has_key?(:try_reconnect) ||
-                             options[:try_reconnect]
+          reconnect_if_need(options)
+          try_reconnect = options[:try_reconnect]
           with_timeout(try_reconnect, options) do
             yield
           end
-        rescue Errno::EPIPE
-          if retried or !try_reconnect
-            raise
-          else
+        rescue Errno::EPIPE, ConnectionError
+          if try_reconnect and !retried
             retried = true
             @disconnected = true
             retry
+          else
+            raise
           end
         end
       end
@@ -253,7 +280,7 @@ module ActiveLdap
           Timeout.alarm(@timeout, &block)
         rescue Timeout::Error => e
           @logger.error {_('Requested action timed out.')}
-          retry if try_reconnect and @retry_on_timeout and reconnect(options)
+          retry if @retry_on_timeout and try_reconnect and reconnect(options)
           @logger.error {e.message}
           raise TimeoutError, e.message
         end
@@ -290,6 +317,16 @@ module ActiveLdap
         passwd = password(bind_dn, options)
         return false unless passwd
 
+        if passwd.empty?
+          if options[:allow_anonymous]
+            @logger.info {_("Skip simple bind with empty password.")}
+            return false
+          else
+            raise AuthenticationError,
+                  _("Can't use empty password for simple bind.")
+          end
+        end
+
         begin
           operation(options) do
             yield(bind_dn, passwd)
@@ -318,24 +355,7 @@ module ActiveLdap
           construct_filter(components, operator)
         else
           operator, components = normalize_array_filter(filter, operator)
-
-          components = components.collect do |component|
-            if component.is_a?(Array) and component.size == 2
-              key, value = component
-              if filter_logical_operator?(key)
-                parse_filter(component)
-              elsif value.is_a?(Hash)
-                parse_filter(value, key)
-              else
-                construct_component(key, value, operator)
-              end
-            elsif component.is_a?(Symbol)
-              assert_filter_logical_operator(component)
-              nil
-            else
-              parse_filter(component, operator)
-            end
-          end
+          components = construct_components(components, operator)
           construct_filter(components, operator)
         end
       end
@@ -358,6 +378,7 @@ module ActiveLdap
           operator = filter_operator
         else
           components.unshift(filter_operator)
+          components = [components] unless filter_operator.is_a?(Array)
         end
         [operator, components]
       end
@@ -370,22 +391,53 @@ module ActiveLdap
             options = value[0]
             value = value[1]
           when "=", "~=", "<=", "=>"
-            options[:operator] = value[1]
-            value = value[1]
+            options[:operator] = value[0]
+            if value.size > 2
+              value = value[1..-1]
+            else
+              value = value[1]
+            end
           end
         end
         [value, options]
       end
 
+      def construct_components(components, operator)
+        components.collect do |component|
+          if component.is_a?(Array)
+            if filter_logical_operator?(component[0])
+              parse_filter(component)
+            elsif component.size == 2
+              key, value = component
+              if value.is_a?(Hash)
+                parse_filter(value, key)
+              else
+                construct_component(key, value, operator)
+              end
+            else
+              construct_component(component[0], component[1..-1], operator)
+            end
+          elsif component.is_a?(Symbol)
+            assert_filter_logical_operator(component)
+            nil
+          else
+            parse_filter(component, operator)
+          end
+        end
+      end
+
       def construct_component(key, value, operator=nil)
         value, options = extract_filter_value_options(value)
+        comparison_operator = options[:operator] || "="
         if collection?(value)
+          return nil if value.empty?
+          operator, value = normalize_array_filter(value, operator)
           values = []
           value.each do |val|
             if collection?(val)
-              values.concat(val.collect {|v| [key, v]})
+              values.concat(val.collect {|v| [key, comparison_operator, v]})
             else
-              values << [key, val]
+              values << [key, comparison_operator, val]
             end
           end
           values[0] = values[0][1] if filter_logical_operator?(values[0][1])
@@ -394,7 +446,7 @@ module ActiveLdap
           [
            "(",
            escape_filter_key(key),
-           options[:operator] || "=",
+           comparison_operator,
            escape_filter_value(value, options),
            ")"
           ].join
@@ -526,6 +578,70 @@ module ActiveLdap
         return [] if dse.nil?
         dse[key] || dse[key.downcase] || []
       end
+
+      def root_dse(attrs, options={})
+        search(:base => "",
+               :scope => :base,
+               :attributes => attrs).collect do |dn, attributes|
+          attributes
+        end
+      end
+
+      def construct_uri(host, port, ssl)
+        protocol = ssl ? "ldaps" : "ldap"
+        URI.parse("#{protocol}://#{host}:#{port}").to_s
+      end
+
+      def target
+        return nil if @uri.nil?
+        if @with_start_tls
+          "#{@uri}(StartTLS)"
+        else
+          @uri
+        end
+      end
+
+      def log(name, info=nil)
+        if block_given?
+          if @logger and @logger.debug?
+            result = nil
+            runtime = Benchmark.realtime {result = yield}
+            @runtime += runtime
+            log_info(name, runtime, info)
+            result
+          else
+            yield
+          end
+        else
+          log_info(name, info, 0)
+          nil
+        end
+      rescue Exception
+        log_info("#{name}: FAILED", 0,
+                 (info || {}).merge(:error => $!.class.name,
+                                    :error_message => $!.message))
+        raise
+      end
+
+      def format_log_entry(message, info=nil)
+        if ActiveLdap::Base.colorize_logging
+          if @@row_even
+            message_color, dump_color = "4;36;1", "0;1"
+          else
+            @@row_even = true
+            message_color, dump_color = "4;35;1", "0"
+          end
+          @@row_even = !@@row_even
+
+          log_entry = "  \e[#{message_color}m#{message}\e[0m"
+          log_entry << ": \e[#{dump_color}m#{info.inspect}\e[0m" if info
+          log_entry
+        else
+          log_entry = message
+          log_entry += ": #{info.inspect}" if info
+          log_entry
+        end
+      end
     end
   end
 end

data/lib/active_ldap/adapter/jndi.rb

@@ -0,0 +1,175 @@
+require 'active_ldap/adapter/base'
+
+module ActiveLdap
+  module Adapter
+    class Base
+      class << self
+        def jndi_connection(options)
+          require 'active_ldap/adapter/jndi_connection'
+          Jndi.new(options)
+        end
+      end
+    end
+
+    class Jndi < Base
+      METHOD = {
+        :ssl => :ssl,
+        :tls => :start_tls,
+        :plain => nil,
+      }
+
+      def connect(options={})
+        super do |host, port, method|
+          uri = construct_uri(host, port, method == :ssl)
+          with_start_tls = method == :start_tls
+          info = {:uri => uri, :with_start_tls => with_start_tls}
+          [log("connect", info) {JndiConnection.new(host, port, method)},
+           uri, with_start_tls]
+        end
+      end
+
+      def unbind(options={})
+        return unless bound?
+        operation(options) do
+          execute(:unbind)
+        end
+      end
+
+      def bind_as_anonymous(options={})
+        super do
+          execute(:bind_as_anonymous, :name => "bind: anonymous")
+        end
+      end
+
+      def bound?
+        connecting? and @connection.bound?
+      end
+
+      def search(options={}, &block)
+        super(options) do |base, scope, filter, attrs, limit, callback|
+          info = {
+            :base => base, :scope => scope_name(scope), :filter => filter,
+            :attributes => attrs,
+          }
+          execute(:search, info,
+                  base, scope, filter, attrs, limit, callback, &block)
+        end
+      end
+
+      def delete(targets, options={})
+        super do |target|
+          execute(:delete, {:dn => target}, target)
+        end
+      end
+
+      def add(dn, entries, options={})
+        super do |dn, entries|
+          info = {:dn => dn, :attributes => entries}
+          execute(:add, info, dn, parse_entries(entries))
+        end
+      end
+
+      def modify(dn, entries, options={})
+        super do |dn, entries|
+          info = {:dn => dn, :attributes => entries}
+          execute(:modify, info, dn, parse_entries(entries))
+        end
+      end
+
+      def modify_rdn(dn, new_rdn, delete_old_rdn, new_superior, options={})
+        super do |dn, new_rdn, delete_old_rdn, new_superior|
+          info = {
+            :name => "modify: RDN", :dn => dn, :new_rdn => new_rdn,
+            :delete_old_rdn => delete_old_rdn,
+          }
+          execute(:modify_rdn, dn, new_rdn, delete_old_rdn)
+        end
+      end
+
+      private
+      def execute(method, info=nil, *args, &block)
+        name = (info || {}).delete(:name) || method
+        log(name, info) {@connection.send(method, *args, &block)}
+      rescue JndiConnection::NamingException
+        if /\[LDAP: error code (\d+) - ([^\]]+)\]/ =~ $!.to_s
+          message = $2
+          klass = LdapError::ERRORS[Integer($1)]
+          klass ||= ActiveLdap::LdapError
+          raise klass, message
+        end
+        raise
+      end
+
+      def ensure_method(method)
+        method ||= "plain"
+        normalized_method = method.to_s.downcase.to_sym
+        return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
+
+        available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+        format = _("%s is not one of the available connect methods: %s")
+        raise ConfigurationError, format % [method.inspect, available_methods]
+      end
+
+      def ensure_scope(scope)
+        scope_map = {
+          :base => 0,
+          :one => 1,
+          :sub => 2,
+        }
+        value = scope_map[scope || :sub]
+        if value.nil?
+          available_scopes = scope_map.keys.inspect
+          format = _("%s is not one of the available LDAP scope: %s")
+          raise ArgumentError, format % [scope.inspect, available_scopes]
+        end
+        value
+      end
+
+      def scope_name(scope)
+        {
+          0 => :base,
+          1 => :one,
+          2 => :sub,
+        }[scope]
+      end
+
+      def sasl_bind(bind_dn, options={})
+        super do |bind_dn, mechanism, quiet|
+          info = {:name => "bind: SASL", :dn => bind_dn, :mechanism => mechanism}
+          execute(:sasl_bind, info, bind_dn, mechanism, quiet)
+        end
+      end
+
+      def simple_bind(bind_dn, options={})
+        super do |bind_dn, passwd|
+          info = {:name => "bind", :dn => bind_dn}
+          execute(:simple_bind, info, bind_dn, passwd)
+        end
+      end
+
+      def parse_entries(entries)
+        result = []
+        entries.each do |type, key, attributes|
+          mod_type = ensure_mod_type(type)
+          binary = schema.attribute(key).binary?
+          attributes.each do |name, values|
+            result << JndiConnection::ModifyRecord.new(mod_type, name,
+                                                       values, binary)
+          end
+        end
+        result
+      end
+
+      def ensure_mod_type(type)
+        case type
+        when :replace, :add
+          type
+        when :delete
+          :remove
+        else
+          raise ArgumentError, _("unknown type: %s") % type
+        end
+      end
+    end
+  end
+end