github-ldap 1.0.15 → 1.0.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 07498d4477565ea224ca8af669cc442308276298
-  data.tar.gz: cf73c24745848b687a4efacf7d3eaa19a19418bb
+  metadata.gz: 1fe44b5c68117c2b0d616f164f8b40901d2ad2dd
+  data.tar.gz: a61c80ebbaabb8ff06793f13910440d403209a7b
 SHA512:
-  metadata.gz: 96c0ab7db485b52cd67bc1939eaa68fd85c7ae31515e0b06e2abc780980302ac501b1d070b9c05712e7debf804f2cd0618eb4eca1ff81dbddca3887e2f4f22e2
-  data.tar.gz: 9ba0caec46275cfd3cced39d07bac7f2ba398a88539f6756d83dea441de784d6d0a198f93a8bc51c9d17c7dc82bbb17fa17ddd588721820e5aa61c3414112f9f
+  metadata.gz: 060534d71ad7bfcbd1682699cfa81cebb3552366bd661b94127df79542f97b9c640ebf4414785055ad88923931588bd89ac274a03fc635cb757353c1a717a133
+  data.tar.gz: b20400377b5b2d508a910ba6acc3ffeec0a18e5aae7918290c2622be7536a5f625c74a06a31fc2f3d73c0a65cf425ce89e3de4c037a993c2f343c0c1a2bd82d4

data/github-ldap.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |spec|
   spec.name          = "github-ldap"
-  spec.version       = "1.0.15"
+  spec.version       = "1.0.16"
   spec.authors       = ["David Calavera"]
   spec.email         = ["david.calavera@gmail.com"]
   spec.description   = %q{Ldap authentication for humans}

data/lib/github/ldap.rb

@@ -4,6 +4,7 @@ module GitHub
     require 'forwardable'
     require 'github/ldap/filter'
     require 'github/ldap/domain'
+    require 'github/ldap/group'
 
     extend Forwardable
 
@@ -69,5 +70,14 @@ module GitHub
     def domain(base_name)
       Domain.new(base_name, @connection, @uid)
     end
+
+    # Creates a new group object to perform operations
+    #
+    # base_name: is the dn of the base root.
+    #
+    # Returns a new Group object.
+    def group(base_name)
+      Group.new(self, domain(base_name).bind)
+    end
   end
 end

data/lib/github/ldap/domain.rb

@@ -18,6 +18,20 @@ module GitHub
         @base_name, @connection, @uid = base_name, connection, uid
       end
 
+      # List all groups under this tree, including subgroups.
+      #
+      # Returns a list of ldap entries.
+      def all_groups
+        search(filter: ALL_GROUPS_FILTER)
+      end
+
+      # List all groups under this tree that match the query.
+      #
+      # Returns a list of ldap entries.
+      def filter_groups(query)
+        search(filter: group_contains_filter(query))
+      end
+
       # List the groups in the ldap server that match the configured ones.
       #
       # group_names: is an array of group CNs.
@@ -73,12 +87,7 @@ module GitHub
       # Returns the user if the login matches any `uid`.
       # Returns nil if there are no matches.
       def user?(login)
-        escaped_login = Net::LDAP::Filter.escape(login)
-        rs = search(
-          filter: Net::LDAP::Filter.eq(@uid, escaped_login),
-          attributes: [],
-          limit: 1)
-        rs and rs.first
+        search(filter: login_filter(@uid, login), limit: 1).first
       end
 
       # Check if a user can be bound with a password.
@@ -112,13 +121,13 @@ module GitHub
       # The base option is always overriden.
       #
       # Returns an array with the entries found.
-      # Returns nil if there are no entries.
       def search(options)
         options[:base] = @base_name
-        options[:attributes] ||= %w{ou cn dn sAMAccountName member}
+        options[:attributes] ||= []
         options[:ignore_server_caps] ||= true
+        options[:paged_searches_supported] ||= true
 
-        @connection.search(options)
+        Array(@connection.search(options))
       end
 
       # Provide a meaningful result after a protocol operation (for example,
@@ -130,6 +139,13 @@ module GitHub
       def get_operation_result
         @connection.get_operation_result
       end
+
+      # Get the entry for this domain.
+      #
+      # Returns a Net::LDAP::Entry
+      def bind
+        search({}).first
+      end
     end
   end
 end

data/lib/github/ldap/filter.rb

@@ -1,6 +1,9 @@
 module GitHub
   class Ldap
     module Filter
+      ALL_GROUPS_FILTER = Net::LDAP::Filter.eq("objectClass", "groupOfNames") |
+                          Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames")
+
       # Filter to get the configured groups in the ldap server.
       # Takes the list of the group names and generate a filter for the groups
       # with cn that match and also include members:
@@ -21,11 +24,31 @@ module GitHub
       # Returns a Net::LDAP::Filter.
       def member_filter(user_dn = nil)
         if user_dn
-          Net::LDAP::Filter.eq("member", user_dn)
+          Net::LDAP::Filter.eq("member", user_dn) | Net::LDAP::Filter.eq("uniqueMember", user_dn)
         else
-          Net::LDAP::Filter.pres("member")
+          Net::LDAP::Filter.pres("member") | Net::LDAP::Filter.pres("uniqueMember")
         end
       end
+
+      # Filter to map a uid with a login.
+      # It escapes the login before creating the filter.
+      #
+      # uid: the entry field to map.
+      # login: the login to map.
+      #
+      # Returns a Net::LDAP::Filter.
+      def login_filter(uid, login)
+        Net::LDAP::Filter.eq(uid, Net::LDAP::Filter.escape(login))
+      end
+
+      # Filter groups that match a query cn.
+      #
+      # query: is a string to match the cn with.
+      #
+      # Returns a Net::LDAP::Filter.
+      def group_contains_filter(query)
+        Net::LDAP::Filter.contains("cn", query) & ALL_GROUPS_FILTER
+      end
     end
   end
 end

data/lib/github/ldap/fixtures.ldif

@@ -49,7 +49,7 @@ cn: David Calavera
 cn: David
 sn: Calavera
 uid: calavera
-userPassword: secret
+userPassword: passworD1
 mail: calavera@github.com
 objectClass: inetOrgPerson
 

data/lib/github/ldap/group.rb

@@ -0,0 +1,73 @@
+module GitHub
+  class Ldap
+    # This class represents an LDAP group.
+    # It encapsulates operations that you can perform against a group, like retrieving its members.
+    #
+    # To get a group, you'll need to create a `Ldap` object and then call the method `group` with the name of its base.
+    #
+    # For example:
+    #
+    # domain = GitHub::Ldap.new(options).group("cn=enterprise,dc=github,dc=com")
+    #
+    class Group
+      GROUP_CLASS_NAMES = %w(groupOfNames groupOfUniqueNames)
+
+      def initialize(ldap, entry)
+        @ldap, @entry = ldap, entry
+      end
+
+      # Get all members that belong to a group.
+      # This list also includes the members of subgroups.
+      #
+      # Returns an array with all the member entries.
+      def members
+        groups, members = member_entries.partition {|e| group?(e[:objectclass])}
+        results = members
+
+        groups.each do |result|
+          results.concat @ldap.group(result.dn).members
+        end
+
+        results.uniq {|m| m.dn }
+      end
+
+      # Get all the subgroups from a group recursively.
+      #
+      # Returns an array with all the subgroup entries.
+      def subgroups
+        groups, _ = member_entries.partition {|e| group?(e[:objectclass])}
+        results = groups
+
+        groups.each do |result|
+          results.concat @ldap.group(result.dn).subgroups
+        end
+
+        results
+      end
+
+      # Get all the member entries for a group.
+      #
+      # Returns an array of Net::LDAP::Entry.
+      def member_entries
+        @member_entries ||= member_names.map do |m|
+          @ldap.domain(m).bind
+        end
+      end
+
+      # Get all the names under `member` and `uniqueMember`.
+      #
+      # Returns an array with all the DN members.
+      def member_names
+        @entry[:member] + @entry[:uniqueMember]
+      end
+
+      # Check if an object class includes the member names
+      # Use `&` rathen than `include?` because both are arrays.
+      #
+      # Returns true if the object class includes one of the group class names.
+      def group?(object_class)
+        !(GROUP_CLASS_NAMES & object_class).empty?
+      end
+    end
+  end
+end

data/lib/github/ldap/server.rb

@@ -7,11 +7,11 @@ module GitHub
 
     DEFAULT_SERVER_OPTIONS = {
       user_fixtures:  DEFAULT_FIXTURES_PATH,
-      user_domain:     'dc=github,dc=com',
-      admin_user:      'uid=admin,dc=github,dc=com',
-      admin_password:  'secret',
-      quiet:           true,
-      port:            3897
+      user_domain:    'dc=github,dc=com',
+      admin_user:     'uid=admin,dc=github,dc=com',
+      admin_password: 'secret',
+      quiet:          true,
+      port:           3897
     }
 
     class << self

data/test/domain_test.rb

@@ -6,7 +6,7 @@ module GitHubLdapDomainTestCases
   end
 
   def test_user_valid_login
-    user = @domain.valid_login?('calavera', 'secret')
+    user = @domain.valid_login?('calavera', 'passworD1')
     assert_equal 'uid=calavera,dc=github,dc=com', user.dn
   end
 
@@ -25,14 +25,14 @@ module GitHubLdapDomainTestCases
   end
 
   def test_user_in_group
-    user = @domain.valid_login?('calavera', 'secret')
+    user = @domain.valid_login?('calavera', 'passworD1')
 
     assert @domain.is_member?(user.dn, %w(Enterprise People)),
       "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
   end
 
   def test_user_not_in_different_group
-    user = @domain.valid_login?('calavera', 'secret')
+    user = @domain.valid_login?('calavera', 'passworD1')
 
     assert !@domain.is_member?(user.dn, %w(People)),
       "Expected `Poeple` not to include the member `#{user.dn}`"
@@ -46,7 +46,7 @@ module GitHubLdapDomainTestCases
   end
 
   def test_authenticate_doesnt_return_invalid_users
-    user = @domain.authenticate!('calavera', 'secret')
+    user = @domain.authenticate!('calavera', 'passworD1')
     assert_equal 'uid=calavera,dc=github,dc=com', user.dn
   end
 
@@ -56,13 +56,13 @@ module GitHubLdapDomainTestCases
   end
 
   def test_authenticate_check_valid_user_and_groups
-    user = @domain.authenticate!('calavera', 'secret', %w(Enterprise People))
+    user = @domain.authenticate!('calavera', 'passworD1', %w(Enterprise People))
 
     assert_equal 'uid=calavera,dc=github,dc=com', user.dn
   end
 
   def test_authenticate_doesnt_return_valid_users_in_different_groups
-    assert !@domain.authenticate!('calavera', 'secret', %w(People)),
+    assert !@domain.authenticate!('calavera', 'passworD1', %w(People)),
       "Expected `authenticate!` to not return an user"
   end
 
@@ -109,7 +109,7 @@ module GitHubLdapDomainTestCases
 
   def test_auth_binds
     user = @domain.user?('calavera')
-    assert @domain.auth(user, 'secret'), 'Expected user to be bound.'
+    assert @domain.auth(user, 'passworD1'), 'Expected user to be bound.'
   end
 
   def test_auth_does_not_bind

data/test/filter_test.rb

@@ -9,20 +9,20 @@ class FilterTest < Minitest::Test
   end
 
   def test_member_present
-    assert_equal "(member=*)", @subject.member_filter.to_s
+    assert_equal "(|(member=*)(uniqueMember=*))", @subject.member_filter.to_s
   end
 
   def test_member_equal
-    assert_equal "(member=#{@me})", @subject.member_filter(@me).to_s
+    assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))", @subject.member_filter(@me).to_s
   end
 
   def test_groups_reduced
-    assert_equal "(&(member=*)(|(cn=Enterprise)(cn=People)))",
+    assert_equal "(&(|(member=*)(uniqueMember=*))(|(cn=Enterprise)(cn=People)))",
       @subject.group_filter(%w(Enterprise People)).to_s
   end
 
   def test_groups_for_member
-    assert_equal "(&(member=#{@me})(|(cn=Enterprise)(cn=People)))",
+    assert_equal "(&(|(member=#{@me})(uniqueMember=#{@me}))(|(cn=Enterprise)(cn=People)))",
       @subject.group_filter(%w(Enterprise People), @me).to_s
   end
 end

data/test/fixtures/github-with-subgroups.ldif

@@ -0,0 +1,90 @@
+version: 1
+
+# Organizations
+
+dn: dc=github,dc=com
+cn: github
+objectClass: dcObject
+objectClass: organization
+dc: github
+o: GitHub Inc.
+
+# Admin user
+
+dn: uid=admin,dc=github,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: system administrator
+sn: administrator
+displayName: Directory Superuser
+uid: admin
+userPassword: secret
+
+# Groups
+
+dn: ou=groups,dc=github,dc=com
+objectclass: organizationalUnit
+
+dn: cn=enterprise,ou=groups,dc=github,dc=com
+cn: Enterprise
+objectClass: groupOfNames
+member: uid=calavera,ou=users,dc=github,dc=com
+member: cn=enterprise-devs,ou=groups,dc=github,dc=com
+member: cn=enterprise-ops,ou=groups,dc=github,dc=com
+
+dn: cn=enterprise-devs,ou=groups,dc=github,dc=com
+cn: enterprise-devs
+objectClass: groupOfNames
+member: uid=benburkert,ou=users,dc=github,dc=com
+
+dn: cn=enterprise-ops,ou=groups,dc=github,dc=com
+cn: enterprise-ops
+objectClass: groupOfNames
+member: uid=sbryant,ou=users,dc=github,dc=com
+member: cn=spaniards,ou=groups,dc=github,dc=com
+
+dn: cn=spaniards,ou=groups,dc=github,dc=com
+cn: spaniards
+objectClass: groupOfNames
+member: uid=calavera,ou=users,dc=github,dc=com
+member: uid=rubiojr,ou=users,dc=github,dc=com
+
+# Users
+
+dn: ou=users,dc=github,dc=com
+objectclass: organizationalUnit
+
+dn: uid=calavera,ou=users,dc=github,dc=com
+cn: David Calavera
+cn: David
+sn: Calavera
+uid: calavera
+userPassword: passworD1
+mail: calavera@github.com
+objectClass: inetOrgPerson
+
+dn: uid=benburkert,ou=users,dc=github,dc=com
+cn: benburkert
+sn: benburkert
+uid: benburkert
+userPassword: passworD1
+mail: benburkert@github.com
+objectClass: inetOrgPerson
+
+dn: uid=sbryant,ou=users,dc=github,dc=com
+cn: sbryant
+sn: sbryant
+uid: sbryant
+userPassword: passworD1
+mail: sbryant@github.com
+objectClass: inetOrgPerson
+
+dn: uid=rubiojr,ou=users,dc=github,dc=com
+cn: rubiojr
+sn: rubiojr
+uid: rubiojr
+userPassword: passworD1
+mail: rubiojr@github.com
+objectClass: inetOrgPerson

data/test/group_test.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+
+class GitHubLdapGroupTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {user_fixtures: FIXTURES.join('github-with-subgroups.ldif').to_s}
+  end
+
+  def groups_domain
+    GitHub::Ldap.new(options).domain("ou=groups,dc=github,dc=com")
+  end
+
+  def setup
+    @group = GitHub::Ldap.new(options).group("cn=enterprise,ou=groups,dc=github,dc=com")
+  end
+
+  def test_subgroups
+    assert_equal 3, @group.subgroups.size
+  end
+
+  def test_members_from_subgroups
+    assert_equal 4, @group.members.size
+  end
+
+  def test_all_domain_groups
+    groups = groups_domain.all_groups
+    assert_equal 4, groups.size
+  end
+
+  def test_filter_domain_groups
+    groups = groups_domain.filter_groups('devs')
+    assert_equal 1, groups.size
+  end
+end

data/test/test_helper.rb

@@ -4,6 +4,9 @@ __lib__ = File.expand_path('lib', File.dirname(__FILE__))
 $LOAD_PATH << __dir__ unless $LOAD_PATH.include?(__dir__)
 $LOAD_PATH << __lib__ unless $LOAD_PATH.include?(__lib__)
 
+require 'pathname'
+FIXTURES = Pathname(File.expand_path('fixtures', __dir__))
+
 require 'github/ldap'
 require 'github/ldap/server'
 
@@ -21,7 +24,8 @@ class GitHub::Ldap::Test < Minitest::Test
   end
 
   def self.start_server
-    GitHub::Ldap.start_server
+    server_opts = respond_to?(:test_server_options) ? test_server_options : {}
+    GitHub::Ldap.start_server(server_opts)
   end
 
   def options

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-  version: 1.0.15
+  version: 1.0.16
 platform: ruby
 authors:
 - David Calavera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-30 00:00:00.000000000 Z
+date: 2014-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
@@ -98,9 +98,12 @@ files:
 - lib/github/ldap/domain.rb
 - lib/github/ldap/filter.rb
 - lib/github/ldap/fixtures.ldif
+- lib/github/ldap/group.rb
 - lib/github/ldap/server.rb
 - test/domain_test.rb
 - test/filter_test.rb
+- test/fixtures/github-with-subgroups.ldif
+- test/group_test.rb
 - test/ldap_test.rb
 - test/test_helper.rb
 homepage: https://github.com/github/github-ldap
@@ -130,5 +133,8 @@ summary: Ldap client authentication wrapper without all the boilerplate
 test_files:
 - test/domain_test.rb
 - test/filter_test.rb
+- test/fixtures/github-with-subgroups.ldif
+- test/group_test.rb
 - test/ldap_test.rb
 - test/test_helper.rb
+has_rdoc: