dap 0.0.9 → 0.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 487ec0ed128ac49a84730159ed2561cc0abe5a0b
-  data.tar.gz: 4709517322ef8b40ea7527ff852b7f664a256d19
+  metadata.gz: 8b61714c9b3553759bb7c726aad187acbf2adddf
+  data.tar.gz: e5f0ea147aa9a6f9fbcbb09854221b3d247eb467
 SHA512:
-  metadata.gz: 102e072962fc919016d7261e26c1b05c85c3017006810216761202dc0109b4d40ac72db361325058fa1e76798d27c2f38bd474aff386760621aebac5e306693e
-  data.tar.gz: d7667a595feeb261c0109f94d304097f1bcad3b47e70d7dd655cdbf3efa829d806c209f5b4807f92a5f69bd762b41115c07b021321dc26830506d498e0998518
+  metadata.gz: 53c0c68b19babf428a673063963122bb57f1e185a8205423f29c5e66ee9b4e2e3f2cfa5e905741a2bcf742358b2c5ddaef689edb862cb152a68ba453c7e8f592
+  data.tar.gz: fa2601b3d4bcaa99f0e3c4087e101e80f423a42228b95d53325c9bf31355aa8b186c3801f2a20b06a8cc1f4791ac6dfd1bc0b631fc829d4afa7e97b211fad25f

data/lib/dap/filter/ldap.rb

@@ -36,9 +36,11 @@ class FilterDecodeLdapSearchResult
       begin
         elem_decoded = OpenSSL::ASN1.decode(element)
       rescue Exception => e
-        err_msg = 'FilterDecodeLdapSearchResult - Unable to decode ANS1 element'
+        err_msg = 'FilterDecodeLdapSearchResult - Unable to decode ASN.1 element'
         $stderr.puts "#{err_msg}: #{e}"
         $stderr.puts e.backtrace
+        $stderr.puts "Element:\n\t#{element.inspect}"
+        $stderr.puts "Element hex:\n\t#{element.unpack('H*')}\n\n"
         info['Error'] = { 'errorMessage' => err_msg }
         next
       end

data/lib/dap/proto/ldap.rb

@@ -2,6 +2,44 @@ module Dap
 module Proto
 class LDAP
 
+  # LDAPResult element resultCode lookup
+  #   Reference: https://tools.ietf.org/html/rfc4511#section-4.1.9
+  #              https://ldapwiki.willeke.com/wiki/LDAP%20Result%20Codes
+  RESULT_DESC = {
+    0 => 'success',
+    1 => 'operationsError',
+    2 => 'protocolError',
+    3 => 'timeLimitExceeded',
+    4 => 'sizeLimitExceeded',
+    5 => 'compareFalse',
+    6 => 'compareTrue',
+    7 => 'authMethodNotSupported',
+    8 => 'strongerAuthRequired',
+    9 => 'reserved',
+    10 => 'referral',
+    11 => 'adminLimitExceeded',
+    12 => 'unavailableCriticalExtension',
+    13 => 'confidentialityRequired',
+    14 => 'saslBindInProgress',
+    16 => 'noSuchAttribute',
+    17 => 'undefinedAttributeType',
+    18 => 'inappropriateMatching',
+    19 => 'constraintViolation',
+    20 => 'attributeOrValueExists',
+    21 => 'invalidAttributeSyntax',
+    32 => 'noSuchObject',
+    34 => 'invalidDNSyntax',
+    48 => 'inappropriateAuthentication',
+    49 => 'invalidCredentials',
+    50 => 'insufficientAccessRights',
+    51 => 'busy',
+    52 => 'unavailable',
+    53 => 'unwillingToPerform',
+    64 => 'namingViolation',
+    80 => 'other',
+    82 => 'localError (client response)',
+    94 => 'noResultsReturned (client response)',
+  }
 
   #
   # Parse ASN1 element and extract the length.
@@ -25,11 +63,15 @@ class LDAP
       len_bytes = length - 128
       return unless data.length > len_bytes + 2
 
-      if len_bytes == 2
-        length = data.byteslice(2, len_bytes).unpack('S>')[0]
-      else
-        length = data.byteslice(2, len_bytes).unpack('L>')[0]
+      # This shouldn't happen...
+      return unless len_bytes > 0
+
+      length = 0
+      len_bytes.times do |i|
+        temp_len = data.byteslice(2 + i).unpack('C')[0]
+        length = ( length << 8 ) + temp_len
       end
+
       elem_start += len_bytes
     end
 
@@ -61,6 +103,49 @@ class LDAP
     messages
   end
 
+  #
+  # Parse an LDAPResult (not SearchResult) ASN.1 structure
+  #   Reference:  https://tools.ietf.org/html/rfc4511#section-4.1.9
+  #
+  # @param data [OpenSSL::ASN1::ASN1Data] LDAPResult structure
+  # @return [Hash] Hash containing decoded LDAP response
+  #
+  def self.parse_ldapresult(ldap_result)
+    results = {}
+
+    # Sanity check the result code element
+    if ldap_result.value[0] && ldap_result.value[0].value
+      code_elem = ldap_result.value[0]
+      return results unless code_elem.tag == 10 && code_elem.tag_class == :UNIVERSAL
+      results['resultCode'] = code_elem.value.to_i
+    end
+
+    # These are probably safe if the resultCode validates
+    results['resultDesc'] = RESULT_DESC[ results['resultCode'] ] if results['resultCode']
+    results['resultMatchedDN'] = ldap_result.value[1].value if ldap_result.value[1] && ldap_result.value[1].value
+    results['resultdiagMessage'] = ldap_result.value[2].value if ldap_result.value[2] && ldap_result.value[2].value
+
+    # Handle optional elements that may be returned by certain
+    # LDAP application messages
+    ldap_result.value.each do |element|
+      next unless element.tag_class && element.tag && element.value
+      next unless element.tag_class == :CONTEXT_SPECIFIC
+
+      case element.tag
+      when 3
+        results['referral'] = element.value
+      when 7
+        results['serverSaslCreds'] = element.value
+      when 10
+        results['responseName'] = element.value
+      when 11
+        results['responseValue'] = element.value
+      end
+    end
+
+    results
+  end
+
   #
   # Parse an LDAP SearchResult entry.
   #
@@ -88,29 +173,73 @@ class LDAP
         results['objectName'] = data.value[1].value[0].value
       end
 
-      attrib_hash = {}
+      if data.value[1].value[1]
+        attrib_hash = {}
 
-      # Handle PartialAttributeValues
-      data.value[1].value[1].each do |partial_attrib|
+        # Handle PartialAttributeValues
+        data.value[1].value[1].each do |partial_attrib|
 
-        value_array = []
-        attrib_type = partial_attrib.value[0].value
+          value_array = []
+          attrib_type = partial_attrib.value[0].value
 
-        partial_attrib.value[1].each do |part_attrib_value|
-          value_array.push(part_attrib_value.value)
+          partial_attrib.value[1].each do |part_attrib_value|
+            value_array.push(part_attrib_value.value)
+          end
+
+          attrib_hash[attrib_type] = value_array
         end
 
-        attrib_hash[attrib_type] = value_array
+        results['PartialAttributes'] = attrib_hash
       end
 
-      results['PartialAttributes'] = attrib_hash
-
-    elsif data.value[1].tag == 5
+    elsif data.value[1] && data.value[1].tag == 5
       # SearchResultDone found..
       result_type = 'SearchResultDone'
-      results['resultCode'] = data.value[1].value[0].value.to_i if data.value[1].value[0].value
-      results['resultMatchedDN'] = data.value[1].value[1].value if data.value[1].value[1].value
-      results['resultdiagMessage'] = data.value[1].value[2].value if data.value[1].value[2].value
+      ldap_result = data.value[1]
+
+      if ldap_result.value[0] && ldap_result.value[0].class == OpenSSL::ASN1::Sequence
+        # Encoding of the SearchResultDone seems to vary, this is RFC format
+        # of an LDAPResult ASN.1 structure in which the data is contained in a
+        # Sequence
+        results = parse_ldapresult(ldap_result.value[0])
+      elsif ldap_result.value[0]
+        # LDAPResult w/o outer Sequence wrapper, used by MS Windows
+        results = parse_ldapresult(ldap_result)
+      end
+      if data.value[2] && data.value[2].tag == 10
+        # Unknown structure for providing a response, looks like LDAPResult
+        # but placed at a higher level in the response, salvage what we can..
+        results['resultCode'] = data.value[2].value.to_i if data.value[2].value
+        results['resultDesc'] = RESULT_DESC[ results['resultCode'] ] if results['resultCode']
+        results['resultMatchedDN'] = data.value[3].value if data.value[3] && data.value[3].value
+        results['resultdiagMessage'] = data.value[4].value if data.value[4] && data.value[4].value
+      end
+
+    elsif data.value[1] && data.value[1].tag == 1
+      result_type = 'BindResponse'
+      results = parse_ldapresult(data.value[1])
+
+    elsif data.value[1] && data.value[1].tag == 2
+      result_type = 'UnbindRequest'
+
+    elsif data.value[1] && data.value[1].tag == 3
+      # There is no legitimate use of application tag 3
+      # in this context per RFC 4511. Try to figure
+      # out what the intent is.
+      resp_data = data.value[1]
+      if resp_data.value[0].tag == 10 && resp_data.value[2].tag == 4
+        # Probably an incorrectly tagged BindResponse
+        result_type = 'BindResponse'
+        results = parse_ldapresult(resp_data)
+      else
+        result_type = 'UnhandledTag'
+        results['tagNumber'] = data.value[1].tag.to_i if data.value[1].tag
+      end
+
+    elsif data.value[1] && data.value[1].tag == 24
+      result_type = 'ExtendedResponse'
+      results = parse_ldapresult(data.value[1])
+
     else
       # Unhandled tag
       result_type = 'UnhandledTag'

data/lib/dap/version.rb

@@ -1,3 +1,3 @@
 module Dap
-  VERSION = "0.0.9"
+  VERSION = "0.0.10"
 end

data/spec/dap/filter/ldap_filter_spec.rb

@@ -18,6 +18,7 @@ describe Dap::Filter::FilterDecodeLdapSearchResult do
       it 'returns expected value' do
         test_val = { 'SearchResultDone' => {
                        'resultCode' => 0,
+                       'resultDesc' => 'success',
                        'resultMatchedDN' => '',
                        'resultdiagMessage' => ''
                    },

data/spec/dap/proto/ldap_proto_spec.rb

@@ -4,6 +4,7 @@ describe Dap::Proto::LDAP do
   describe '.decode_elem_length' do
     context 'testing lengths shorter than 128 bits' do
       data = ['301402'].pack('H*')
+
       let(:decode_len) { subject.decode_elem_length(data) }
       it 'returns a Fixnum' do
         expect(decode_len.class).to eq(::Fixnum)
@@ -15,6 +16,7 @@ describe Dap::Proto::LDAP do
 
     context 'testing lengths greater than 128 bits' do
       data = ['308400000bc102010'].pack('H*')
+
       let(:decode_len) { subject.decode_elem_length(data) }
       it 'returns a Fixnum' do
         expect(decode_len.class).to eq(::Fixnum)
@@ -24,8 +26,21 @@ describe Dap::Proto::LDAP do
       end
     end
 
+    context 'testing with 3 byte length' do
+      data = ['3083015e0802010764'].pack('H*')
+
+      let(:decode_len) { subject.decode_elem_length(data) }
+      it 'returns a Fixnum' do
+        expect(decode_len.class).to eq(::Fixnum)
+      end
+      it 'returns value correctly' do
+        expect(decode_len).to eq(89613)
+      end
+    end
+
     context 'testing invalid length' do
       data = ['308400000bc1'].pack('H*')
+
       let(:decode_len) { subject.decode_elem_length(data) }
       it 'returns nil as expected' do
         expect(decode_len).to eq(nil)
@@ -77,6 +92,44 @@ describe Dap::Proto::LDAP do
     end
   end
 
+  describe '.parse_ldapresult' do
+
+    context 'testing valid data' do
+      hex = ['300c02010765070a010004000400']
+      data = OpenSSL::ASN1.decode(hex.pack('H*'))
+
+      let(:parse_ldapresult) { subject.parse_ldapresult(data.value[1]) }
+      it 'returns Hash as expected' do
+        expect(parse_ldapresult.class).to eq(::Hash)
+      end
+
+      it 'returns results as expected' do
+        test_val = {  'resultCode' => 0,
+                      'resultDesc' => 'success',
+                      'resultMatchedDN' => '',
+                      'resultdiagMessage' => ''
+        }
+        expect(parse_ldapresult).to eq(test_val)
+      end
+    end
+
+    context 'testing invalid data' do
+      hex = ['300702010765020400']
+      data = OpenSSL::ASN1.decode(hex.pack('H*'))
+
+      let(:parse_ldapresult) { subject.parse_ldapresult(data.value[1]) }
+      it 'returns Hash as expected' do
+        expect(parse_ldapresult.class).to eq(::Hash)
+      end
+
+      it 'returns empty Hash as expected' do
+        test_val = {}
+        expect(parse_ldapresult).to eq(test_val)
+      end
+    end
+
+  end
+
   describe '.parse_messages' do
 
     context 'testing SearchResultEntry' do
@@ -115,6 +168,7 @@ describe Dap::Proto::LDAP do
       it 'returns SearchResultDone value as expected' do
         test_val = ['SearchResultDone', {
                       'resultCode' => 0,
+                      'resultDesc' => 'success',
                       'resultMatchedDN' => '',
                       'resultdiagMessage' => ''
         }]
@@ -122,6 +176,24 @@ describe Dap::Proto::LDAP do
       end
     end
 
+    context 'testing SearchResultDone - edge case #1' do
+      hex = ['300802010765000a0101']
+      data = OpenSSL::ASN1.decode(hex.pack('H*'))
+
+      let(:parse_message) { subject.parse_message(data) }
+      it 'returns Array as expected' do
+        expect(parse_message.class).to eq(::Array)
+      end
+
+      it 'returns operationsError as expected' do
+        test_val = ['SearchResultDone', {
+                      'resultCode' => 1,
+                      'resultDesc' => 'operationsError'
+        }]
+        expect(parse_message).to eq(test_val)
+      end
+    end
+
     context 'testing UnhandledTag' do
       hex = ['300c02010767070a010004000400']
       data = OpenSSL::ASN1.decode(hex.pack('H*'))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dap
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.0.10
 platform: ruby
 authors:
 - Rapid7 Research
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-27 00:00:00.000000000 Z
+date: 2016-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -248,7 +248,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.2.5
 signing_key: 
 specification_version: 4
 summary: 'DAP: The Data Analysis Pipeline'
@@ -257,3 +257,4 @@ test_files:
 - spec/dap/proto/ipmi_spec.rb
 - spec/dap/proto/ldap_proto_spec.rb
 - spec/spec_helper.rb
+has_rdoc: