github-ldap 1.0.1 → 1.0.2

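--- a/data/README.md
+++ b/data/README.md
@@ -36,10 +36,6 @@ Initialize a new adapter using those required options:
  ldap = GitHub::Ldap.new options
  ```
 
- There is also an optional configuration setting that you can add:
-
- * user_groups: is an array of groups used to restrict access to users only in those groups.
-
  ## Testing
 
  GitHub-Ldap uses [ladle](https://github.com/NUBIC/ladle) for testing. Ladle is not required by default, so you'll need to add it to your gemfile separatedly and require it.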
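--- a/data/github-ldap.gemspec
+++ b/data/github-ldap.gemspec
@@ -2,7 +2,7 @@
 
  Gem::Specification.new do |spec|
  spec.name = "github-ldap"
- spec.version = "1.0.1"
+ spec.version = "1.0.2"
  spec.authors = ["David Calavera"]
  spec.email = ["david.calavera@gmail.com"]
  spec.description = %q{Ldap authentication for humans}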
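--- a/data/lib/github/ldap.rb
+++ b/data/lib/github/ldap.rb
@@ -4,7 +4,6 @@ module GitHub
 
  def initialize(options = {})
  @user_domain = options[:user_domain]
- @user_groups = Array(options[:user_groups])
  @uid = options[:uid] || "sAMAccountName"
 
  @ldap = Net::LDAP.new({
@@ -23,32 +22,57 @@ module GitHub
  # Takes the list of the group names and generate a filter for the groups
  # with cn that match and also include members:
  #
+ # group_names: is an array of group CNs.
+ #
  # Returns the ldap filter.
- def group_filter
- or_filters = @user_groups.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+ def group_filter(group_names)
+ or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
  Net::LDAP::Filter.pres("member") & or_filters
  end
 
  # List the groups in the ldap server that match the configured ones.
  #
+ # group_names: is an array of group CNs.
+ #
  # Returns a list of ldap entries for the configured groups.
- def groups
+ def groups(group_names)
+ filter = group_filter(group_names)
+
  @ldap.search(base: @user_domain,
  attributes: %w{ou cn dn sAMAccountName member},
- filter: group_filter)
+ filter: filter)
  end
 
+ # List the groups that a user is member of.
+ #
+ # user_dn: is the dn for the user ldap entry.
+ # group_names: is an array of group CNs.
+ #
+ # Return an Array with the groups that the given user is member of that belong to the given group list.
+ def membership(user_dn, group_names)
+ or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+ member_filter = Net::LDAP::Filter.eq("member", user_dn) & or_filters
+
+ @ldap.search(base: @user_domain,
+ attributes: %w{ou cn dn sAMAccountName member},
+ filter: member_filter)
+ end
+
+
  # Check if the user is include in any of the configured groups.
  #
  # user_dn: is the dn for the user ldap entry.
+ # group_names: is an array of group CNs.
  #
  # Returns true if the user belongs to any of the groups.
  # Returns false otherwise.
- def groups_contain_user?(user_dn)
- return true if @user_groups.empty?
+ def is_member?(user_dn, group_names)
+ return true if group_names.nil?
+ return true if group_names.empty?
+
+ user_membership = membership(user_dn, group_names)
 
- members = groups.map(&:member).reduce(:+).uniq
- members.include?(user_dn)
+ !user_membership.empty?
  end
 
  # Check if the user credentials are valid.
@@ -72,13 +96,15 @@ module GitHub
  #
  # login: is the user's login. This method doesn't accept email identifications.
  # password: is the user's password.
+ # group_names: is an array of group CNs.
  #
  # Returns the user info if the credentials are valid and there are no groups configured.
  # Returns the user info if the credentials are valid and the user belongs to a configured group.
  # Returns nil if the credentials are invalid
- def authenticate!(login, password)
+ def authenticate!(login, password, group_names = nil)
  user = valid_login?(login, password)
- return user if user && groups_contain_user?(user.dn)
+
+ return user if user && is_member?(user.dn, group_names)
  end
 
  # Check the legacy auth configuration options (before David's war with omniauth)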
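Review bot: A 1.0.1 caller that still passes `:user_groups` silently loses its group restriction after this patch release: `initialize` no longer reads the option, `authenticate!` defaults `group_names` to nil, and `is_member?` returns true for nil, so every valid LDAP login is accepted — a fail-open change with no error or warning. Keeping `@user_groups = Array(options[:user_groups])` in `initialize` and declaring `def authenticate!(login, password, group_names = @user_groups)` preserves the old behaviour while still allowing per-call groups; alternatively raise `ArgumentError` when `options.key?(:user_groups)` so the misconfiguration is loud. Separately, `group_filter` and `membership` both call `.reduce(:|)` on `group_names`, which yields nil for an empty array and a broken filter once combined with `&`; `is_member?` guards this, but `groups([])` and `membership(dn, [])` do not, so add `raise ArgumentError, "group_names must not be empty" if group_names.empty?` at the top of both (or share one private helper for the cn clause). `initialize` continues past the first hunk and the enclosing class runs outside the section.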
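--- a/data/test/ldap_test.rb
+++ b/data/test/ldap_test.rb
@@ -35,34 +35,27 @@ class GitHubLdapTest < Minitest::Test
  end
 
  def test_groups_in_server
- options = @options.merge(:user_groups => %w(Enterprise People))
- assert_equal 2, GitHub::Ldap.new(options).groups.size
+ assert_equal 2, @ldap.groups(%w(Enterprise People)).size
  end
 
  def test_user_in_group
- options = @options.merge(:user_groups => %w(Enterprise People))
- ldap = GitHub::Ldap.new(options)
- user = ldap.valid_login?('calavera', 'secret')
+ user = @ldap.valid_login?('calavera', 'secret')
 
- assert ldap.groups_contain_user?(user.dn),
+ assert @ldap.is_member?(user.dn, %w(Enterprise People)),
  "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
  end
 
  def test_user_not_in_different_group
- options = @options.merge(:user_groups => %w(People))
- ldap = GitHub::Ldap.new(options)
- user = ldap.valid_login?('calavera', 'secret')
+ user = @ldap.valid_login?('calavera', 'secret')
 
- assert !ldap.groups_contain_user?(user.dn),
+ assert !@ldap.is_member?(user.dn, %w(People)),
  "Expected `Poeple` not to include the member `#{user.dn}`"
  end
 
  def test_user_without_group
- options = @options.merge(:user_groups => %w(People))
- ldap = GitHub::Ldap.new(options)
- user = ldap.valid_login?('ldaptest', 'secret')
+ user = @ldap.valid_login?('ldaptest', 'secret')
 
- assert !ldap.groups_contain_user?(user.dn),
+ assert !@ldap.is_member?(user.dn, %w(People)),
  "Expected `Poeple` not to include the member `#{user.dn}`"
  end
 
@@ -77,18 +70,13 @@ class GitHubLdapTest < Minitest::Test
  end
 
  def test_authenticate_check_valid_user_and_groups
- options = @options.merge(:user_groups => %w(Enterprise People))
- ldap = GitHub::Ldap.new(options)
- user = ldap.authenticate!('calavera', 'secret')
+ user = @ldap.authenticate!('calavera', 'secret', %w(Enterprise People))
 
  assert_equal 'uid=calavera,dc=github,dc=com', user.dn
  end
 
  def test_authenticate_doesnt_return_valid_users_in_different_groups
- options = @options.merge(:user_groups => %w(People))
- ldap = GitHub::Ldap.new(options)
-
- assert !ldap.authenticate!('calavera', 'secret'),
+ assert !@ldap.authenticate!('calavera', 'secret', %w(People)),
  "Expected `authenticate!` to not return an user"
  end
 
@@ -101,4 +89,16 @@ class GitHubLdapTest < Minitest::Test
  assert_equal :start_tls, @ldap.check_encryption(:tls)
  assert_equal :start_tls, @ldap.check_encryption(:start_tls)
  end
+
+ def test_membership_empty_for_non_members
+ assert @ldap.membership('uid=calavera,dc=github,dc=com', %w(People)).empty?,
+ "Expected `calavera` not to be a member of `People`."
+ end
+
+ def test_membership_groups_for_members
+ groups = @ldap.membership('uid=calavera,dc=github,dc=com', %w(Enterprise People))
+
+ assert_equal 1, groups.size
+ assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+ end
  end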
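Review bot: Nothing in these hunks exercises the nil default of `authenticate!(login, password, group_names = nil)` or the empty-list branch of `is_member?`, which are the fail-open paths that grant access without any group lookup; the new `test_membership_*` cases only cover explicit group lists. Add a case such as `def test_authenticate_without_groups` asserting `assert_equal 'uid=calavera,dc=github,dc=com', @ldap.authenticate!('calavera', 'secret').dn`, and one asserting that `@ldap.is_member?(user.dn, [])` is true, so any later change to that default is caught by the suite. As a style point, the `assert !@ldap.is_member?(...)` and `assert !@ldap.authenticate!(...)` calls read better as `refute`. The `GitHubLdapTest` class header is outside the section.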
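--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: github-ldap
  version: !ruby/object:Gem::Version
- version: 1.0.1
+ version: 1.0.2
  prerelease:
  platform: ruby
  authors:
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2013-07-07 00:00:00.000000000 Z
+ date: 2013-07-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: net-ldap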