cratus 0.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: edca85708a85f952e904d928dbaa959fd9788289
+  data.tar.gz: fed75393016468b8451f926fee9836dde5b6b519
+SHA512:
+  metadata.gz: 3640dd6ba0f250a6c02be3f8d07b092e0a7235e27b27a62839325b4db6eef546506d6607f7d22065f56b8527ac15d6703269f7b206cdecf6795bf378bc9d0d82
+  data.tar.gz: e4e42674b01a639246e984d13170671550705f75cd2b2af961b788729aeaa0d12e82e8a2aab705c844db8388df7158cb8aba2e068680ae794f15b98088473095

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2016 KnuEdge Corporation
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

data/bin/cratus

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+
+require 'cratus'
+
+include Cratus
+
+LDAP.connect
+
+# Read in arguments
+group_mapping_arg = ARGV[0]
+raise "Missing Group Mapping Argument!" unless group_mapping_arg
+group_mapping_file = File.expand_path(group_mapping_arg)
+raise "Invalid Group Mapping File #{group_mapping_file}" unless File.readable?(group_mapping_file)
+
+# Load the YAML file(s) for mapping permissions
+group_permissions =  YAML.load_file(group_mapping_file)
+
+# Gather group memberships and permissions
+@results = {} # stash all the results here... might get really big
+User.all.sort.each do |user|
+  key = user.username.to_s
+  user_groups = user.member_of.map { |g| g.name.to_s }
+
+  @results[key] = {'groups' => {}}
+  user_groups.sort.each do |ugroup|
+    group_perm_set = group_permissions[ugroup] ? group_permissions[ugroup].sort : []
+    @results[key]['groups'][ugroup] = group_perm_set
+  end
+end
+
+puts @results.to_yaml

data/bin/cratus-compare

@@ -0,0 +1,87 @@
+#!/usr/bin/env ruby
+
+require 'yaml'
+require 'tempfile'
+
+# Used to compare the output of the `cratus` command across multiple runs
+
+input1 = ARGV[0]
+input2 = ARGV[1]
+
+# Find our diff command and break if we don't have one
+diff_path = `which diff`.chomp
+raise "Missing diff command in PATH!" unless $?.success?
+
+# The command we'll use later to see what has changed
+diff_cmd = "#{diff_path} -U 999999"
+
+## Methods / Functions
+def validate_input(input)
+  # Make sure the input is set
+  raise "Missing First Input!" unless input
+  # Make sure the input is a valid file that we can read
+  raise "Invalid Input File #{input}" unless File.readable?(input)
+  # TODO: make sure the input file is valid YAML
+end
+
+# Read in some input
+def read_input(input)
+  begin
+    YAML.load_file(input)
+  rescue => e
+    raise "Unable to open #{input}: #{e.message}"
+  end
+end
+
+## Execution
+validate_input(input1)
+validate_input(input2)
+
+data1 = read_input(input1)
+data2 = read_input(input2)
+
+if data1 == data2
+  exit 0
+else
+  STDERR.puts "Looks like things have changed!"
+
+  # Calculate what has actually changed
+  additions_and_differences = (data2.to_a - data1.to_a)
+  removals = (data1.to_a - data2.to_a)
+  results = {}
+  additions_and_differences.each do |user|
+    results[user[0]] = user[1]
+  end
+
+  # Temporary files for a call to `diff`
+  newdata = Tempfile.new('new')
+  olddata = Tempfile.new('old')
+
+  # Add the results from our comparison to the first temp file
+  newdata.write(results.to_yaml)
+
+  # Grab the old data for just our changed users and put it into a new hash
+  oldhash = {}
+  results.each do |user,data|
+    oldhash[user] = data1[user] if data1.key?(user)
+  end
+  # Add things that were removed from the old data (removed users)
+  removals.each do |removed_user|
+    oldhash[removed_user[0]] = removed_user[1]
+  end
+
+  # Write out the old data
+  olddata.write(oldhash.to_yaml)
+
+  # Close and flush our temp files
+  newdata.close
+  olddata.close
+
+  # The actual call to the `diff` command
+  system("#{diff_cmd} #{olddata.path} #{newdata.path}")
+
+  # Destroy the temp files after the diff command finishes
+  newdata.unlink
+  olddata.unlink
+end
+

data/lib/cratus.rb

@@ -0,0 +1,14 @@
+# Standard Library
+require 'ostruct'
+require 'yaml'
+
+# External Requirements
+require 'net/ldap'
+
+# Internal Requirements
+require 'cratus/version'
+require 'cratus/config'
+Cratus.config.load
+require 'cratus/ldap'
+require 'cratus/group'
+require 'cratus/user'

data/lib/cratus/config.rb

@@ -0,0 +1,65 @@
+# A generic way of constructing a mergeable configuration
+class Cratus::Config < OpenStruct
+  # Construct a base config using the following order of precedence:
+  #   * environment variables
+  #   * YAML file
+  #   * defaults
+  def load
+    # First, apply the defaults
+    defaults = {
+      group_dn_attribute: :cn,
+      group_member_attribute: :member,
+      group_description_attribute: :description,
+      group_objectclass: :group,
+      group_basedn: 'ou=groups,dc=example,dc=com',
+      group_memberof_attribute: :memberOf,
+      user_dn_attribute: :samaccountname,
+      user_objectclass: :user,
+      user_basedn: 'ou=users,dc=example,dc=com',
+      user_department_attribute: :department,
+      user_lockout_attribute: :lockouttime,
+      user_mail_attribute: :mail,
+      user_displayname_attribute: :displayName,
+      user_memberof_attribute: :memberOf,
+      host: 'ldap.example.com',
+      port: 389,
+      basedn: 'dc=example,dc=com',
+      username: 'username',
+      password: 'p@assedWard!',
+    }
+    merge defaults
+
+    # Then apply the config file, if one exists
+    begin
+      apprc_dir = File.expand_path('~')
+      config_file = File.expand_path(File.join(apprc_dir, '.cratus.yml'))
+      merge YAML.load_file(config_file) if File.readable?(config_file)
+    rescue => e
+      puts "WARNING: Unable to read from #{config_file}"
+    end
+
+    # Finally, apply any environment variables specified
+    env_conf = {}
+    defaults.keys.each do |key|
+      cratus_key = "CRATUS_#{key}".upcase
+      env_conf[key] = ENV[cratus_key] if ENV.key?(cratus_key)
+    end
+    merge env_conf unless env_conf.empty?
+  end
+
+  def merge(data)
+    raise 'Invalid Config Data' unless data.is_a?(Hash)
+    data.each do |k, v|
+      self[k.to_sym] = v
+    end
+  end
+end
+
+# Make the config available as a singleton
+module Cratus
+  class << self
+    def config
+      @config ||= Config.new
+    end
+  end
+end

data/lib/cratus/group.rb

@@ -0,0 +1,131 @@
+module Cratus
+  class Group
+    include Comparable
+    attr_reader :name, :search_base
+
+    def initialize(name)
+      @name = name
+      @search_base = self.class.ldap_search_base
+      @raw_ldap_data = Cratus::LDAP.search(
+        "(#{self.class.ldap_dn_attribute}=#{@name})",
+        basedn: @search_base,
+        attrs: self.class.ldap_return_attributes
+      ).last
+    end
+
+    # LDAP users that are a member of this group
+    def members
+      all_members[:users]
+    end
+
+    def member_groups
+      all_members[:groups]
+    end
+
+    def member_of
+      memrof_attr = Cratus.config.group_memberof_attribute
+
+      # TODO make this work with more things...
+      unless @raw_ldap_data
+        STDERR.puts "WARNING: Group '#{@name}' appears to be invalid or beyond the search scope!"
+        return []
+      end
+
+      # TODO: move the search filter to a configurable param
+      raw_groups = @raw_ldap_data[memrof_attr].reject {|g| g.match /OU=Distribution Groups/ }
+      initial_groups = raw_groups.map do |raw_group|
+        Group.new(raw_group.match(/^#{Group.ldap_dn_attribute.to_s.upcase}=([^,]+),/)[1])
+      end
+      all_the_groups = initial_groups
+      initial_groups.each do |group|
+        all_the_groups.concat(group.member_of) # recursion!
+      end
+      all_the_groups.uniq { |g| g.name }
+    end
+
+    # LDAP description attribute
+    def description
+      @raw_ldap_data[Cratus.config.group_description_attribute].last
+    end
+
+    # All the LDAP Groups
+    def self.all
+      filter = "(#{ldap_dn_attribute}=*)"
+      Cratus::LDAP.search(filter, basedn: ldap_search_base, attrs: ldap_dn_attribute).map do |entry|
+        self.new(entry[ldap_dn_attribute].last)
+      end
+    end
+
+    def self.ldap_dn_attribute
+      Cratus.config.group_dn_attribute.to_s
+    end
+
+    def self.ldap_object_class
+      Cratus.config.group_objectclass.to_s
+    end
+
+    def self.ldap_return_attributes
+      [
+        Cratus.config.group_dn_attribute.to_s,
+        Cratus.config.group_member_attribute.to_s,
+        Cratus.config.group_description_attribute.to_s,
+        Cratus.config.group_memberof_attribute.to_s
+      ]
+    end
+
+    def self.ldap_search_base
+      Cratus.config.group_basedn.to_s
+    end
+
+    def <=>(other)
+      @name <=> other.name
+    end
+
+    private
+
+    # provides a Hash of member users and groups
+    def all_members
+      # filters used to determine if each group member is a User or Group
+      group_filter = "(objectClass=#{Cratus.config.group_objectclass.to_s})"
+      user_filter  = "(objectClass=#{Cratus.config.user_objectclass.to_s})"
+
+      # The raw LDAP data (a list of DNs)
+      raw_members = @raw_ldap_data[Cratus.config.group_member_attribute]
+
+      # Somewhere to store users and groups as we gather them
+      results = { users: [], groups: [] }
+
+      # Iterate over the members and provide a user or group
+      raw_members.each do |member|
+        user_result = Cratus::LDAP.search(
+          user_filter,
+          basedn: member,
+          scope: 'object',
+          attrs: User.ldap_return_attributes
+        )
+
+        if !user_result.nil? && !user_result.empty?
+          results[:users] << User.new(user_result.last[User.ldap_dn_attribute].last)
+        else
+          group_result = Cratus::LDAP.search(
+            group_filter,
+            basedn: member,
+            scope: 'object',
+            attrs: self.class.ldap_return_attributes
+          )
+          unless group_result.nil? || group_result.empty?
+            nested_group = Group.new(group_result.last[self.class.ldap_dn_attribute].last)
+            results[:groups] << nested_group
+            results[:groups].concat(nested_group.member_groups)
+            results[:users].concat(nested_group.members)
+          end
+        end
+      end
+
+      # deliver the results
+      results[:groups].uniq! { |g| g.name }
+      results[:users].uniq!  { |u| u.username }
+      return results
+    end
+  end
+end

data/lib/cratus/ldap.rb

@@ -0,0 +1,88 @@
+module Cratus
+  module LDAP
+    # Define the LDAP connection
+    # Note: does not actually connect (bind), just sets up the connection
+    def self.connection
+      options = {
+        host: Cratus.config.host,
+        port: Cratus.config.port,
+        base: Cratus.config.basedn,
+        auth: {
+          method: :simple,
+          username: Cratus.config.username,
+          password: Cratus.config.password
+        }
+      }
+      # TODO: make the validations do something useful
+      #validate_connection_options(options)
+      @@ldap_connection ||= Net::LDAP.new(options)
+    end
+
+    # Actually connect (bind) to LDAP
+    def self.connect
+      connection
+      validate_ldap_connection
+      @@ldap_connection.bind
+      @@ldap_bound = true
+    end
+
+    # Perform an LDAP search
+    #
+    # Required Options: :basedn
+    # Optional Options: :attrs, :scope
+    def self.search(filter, options = {})
+      validate_ldap_connection
+      validate_ldap_bound
+      validate_search_options(options)
+
+      attrs = options.key?(:attrs) ? options[:attrs] : []
+      scope = options.key?(:scope) ? options[:scope] : 'subtree'
+
+      scope_class = case scope.to_s
+                    when 'subtree','recursive','whole_subtree'
+                      Net::LDAP::SearchScope_WholeSubtree
+                    when 'single','single_level'
+                      Net::LDAP::SearchScope_SingleLevel
+                    when 'object','base_object'
+                      Net::LDAP::SearchScope_BaseObject
+                    else
+                      fail "Invalid LDAP Scope!"
+                    end
+
+      results = @@ldap_connection.search(
+        base: options[:basedn],
+        filter: filter,
+        scope: scope_class,
+        attributes: [*attrs].map(&:to_s)
+      )
+      raise "Search Failed" if results.nil?
+      results.compact
+    end
+
+    # Validation Methods
+
+    def self.validate_ldap_bound
+      raise "LDAP Not Connected" unless defined? @@ldap_bound
+    end
+
+    def self.validate_ldap_connection
+      raise "No LDAP Connection" unless defined? @@ldap_connection
+    end
+
+    def self.validate_search_options(options)
+      raise "Invalid Options" unless options.respond_to?(:key?)
+
+      [:basedn].each do |key|
+        raise "Missing Option: #{key}" unless options.key?(key)
+      end
+    end
+
+    def self.validate_connection_options(options)
+      raise "Invalid Options" unless options.respond_to?(:key?)
+
+      [:host, :port, :basedn, :username, :password].each do |key|
+        raise "Missing Option: #{key}" unless options.key?(key)
+      end
+    end
+  end
+end

data/lib/cratus/user.rb

@@ -0,0 +1,91 @@
+module Cratus
+  class User
+    include Comparable
+    attr_reader :username, :search_base
+
+    def initialize(username)
+      @username = username
+      @search_base = self.class.ldap_search_base
+      @raw_ldap_data = Cratus::LDAP.search(
+        "(#{self.class.ldap_dn_attribute}=#{@username})",
+        basedn: @search_base,
+        attrs: self.class.ldap_return_attributes
+      ).last
+    end
+
+    def department
+      @raw_ldap_data[Cratus.config.user_department_attribute].last
+    end
+
+    def email
+      @raw_ldap_data[Cratus.config.user_mail_attribute].last
+    end
+
+    def fullname
+      @raw_ldap_data[Cratus.config.user_displayname_attribute].last
+    end
+
+    def lockouttime
+      @raw_ldap_data[Cratus.config.user_lockout_attribute].last
+    end
+
+    def locked?
+      lockouttime != '0'
+    end
+
+    def member_of
+      memrof_attr = Cratus.config.user_memberof_attribute
+      # TODO: move the search filter to a configurable param
+      raw_groups = @raw_ldap_data[memrof_attr].reject {|g| g.match /OU=Distribution Groups/ }
+      initial_groups = raw_groups.map do |raw_group|
+        Group.new(raw_group.match(/^#{Group.ldap_dn_attribute.to_s.upcase}=([^,]+),/)[1])
+      end
+      all_the_groups = initial_groups
+      initial_groups.each do |group|
+        all_the_groups.concat(group.member_of)
+      end
+      all_the_groups.uniq { |g| g.name }
+    end
+
+    alias_method :groups, :member_of
+
+    def <=>(other)
+      @username <=> other.username
+    end
+
+    # All the LDAP Users
+    def self.all
+      raw_results = Cratus::LDAP.search(
+        "(objectClass=#{ldap_object_class})",
+        basedn: ldap_search_base,
+        attrs: ldap_dn_attribute
+      )
+      raw_results.map do |entry|
+        self.new(entry[ldap_dn_attribute.to_sym].last)
+      end
+    end
+
+    def self.ldap_dn_attribute
+      Cratus.config.user_dn_attribute.to_s
+    end
+
+    def self.ldap_object_class
+      Cratus.config.user_objectclass.to_s
+    end
+
+    def self.ldap_return_attributes
+      [
+        Cratus.config.user_dn_attribute.to_s,
+        Cratus.config.user_department_attribute.to_s,
+        Cratus.config.user_mail_attribute.to_s,
+        Cratus.config.user_displayname_attribute.to_s,
+        Cratus.config.user_memberof_attribute.to_s,
+        Cratus.config.user_lockout_attribute.to_s
+      ]
+    end
+
+    def self.ldap_search_base
+      Cratus.config.user_basedn.to_s
+    end
+  end
+end

data/lib/cratus/version.rb

@@ -0,0 +1,8 @@
+module Cratus
+  def self.version
+    major = 0 # Breaking, incompatible releases
+    minor = 2 # Compatible, but new features
+    patch = 1 # Fixes to existing features
+    [major, minor, patch].map(&:to_s).join('.')
+  end
+end

metadata

@@ -0,0 +1,126 @@
+--- !ruby/object:Gem::Specification
+name: cratus
+version: !ruby/object:Gem::Version
+  version: 0.2.1
+platform: ruby
+authors:
+- Jonathan Gnagy
+- Daniel Schaaff
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-11-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.35'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.35'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+description: The Ruby tool for auditing and reporting on user permissions based on
+  groups
+email: jgnagy@knuedge.com
+executables:
+- cratus
+- cratus-compare
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- bin/cratus
+- bin/cratus-compare
+- lib/cratus.rb
+- lib/cratus/config.rb
+- lib/cratus/group.rb
+- lib/cratus/ldap.rb
+- lib/cratus/user.rb
+- lib/cratus/version.rb
+homepage: 
+licenses:
+- MIT
+metadata: {}
+post_install_message: Thanks for installing Cratus!
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - "~>"
+    - !ruby/object:Gem::Version
+      version: '2.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Cratus queries LDAP for users and their memberships, then reports on it.
+test_files: []