RubyGems - github-ldap - Versions diffs - 1.1.5 → 1.2.0 - Mend

github-ldap 1.1.5 → 1.2.0

Files changed (13) hide show

checksums.yaml +4 -4
data/.travis.yml +2 -2
data/github-ldap.gemspec +1 -1
data/lib/github/ldap.rb +57 -29
data/lib/github/ldap/domain.rb +4 -8
data/lib/github/ldap/filter.rb +19 -8
data/lib/github/ldap/group.rb +12 -6
data/lib/github/ldap/posix_group.rb +81 -0
data/test/filter_test.rb +6 -6
data/test/fixtures/github-with-subgroups.ldif +10 -1
data/test/ldap_test.rb +9 -0
data/test/posix_group_test.rb +120 -0
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 64a07fbfbd7d8fd5486e4d211698d803071909e7
-  data.tar.gz: 1a4508994676bcd35676000b9f8d8f5c719c543e
+  metadata.gz: 64ef77cae7b6d41804fd11a87a169001313320ec
+  data.tar.gz: 0d9fc6ed121d40dfcead6c8cd1c29cedc7598672
 SHA512:
-  metadata.gz: 2b6dedbd71a4f0bd1a0a542c73f5ea90c41864448daef057acbd6b9c7fa7880d892dffb9a274b1658980442a32e8034d95af125663b9fff3915a588440ebdd80
-  data.tar.gz: c43d7601a75c38577a8a922b550d4fec7efdc8102308bb10b652b9f6ae9d88c3d997deefb4fc1a936693edee67bf25fcbfe67349b99a88689d9bd93110dc241f
+  metadata.gz: 55c95dda73fffdce9e46a9718a8d1d58f32c9e47fc367b73c835a0f2e17b161a764c46cdeac24fc67331978764289696a99ea5586fc6c0382bf7d77ece583ad0
+  data.tar.gz: 8cb01bc061b35bf11f00b34c4340fe08ebe826f419f142c4e3949c720d0e54857ac15066d0c49ef29f26d60f8b85402718fabd13c0e2c648f4b04017ce7bbd7b

data/.travis.yml CHANGED Viewed

@@ -1,7 +1,7 @@
 language: ruby
 rvm:
     - 1.9.3
-    - 2.0.0
+    - 2.1.0
 notifications:
   email: false

data/github-ldap.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 Gem::Specification.new do |spec|
   spec.name          = "github-ldap"
-  spec.version       = "1.1.5"
+  spec.version       = "1.2.0"
   spec.authors       = ["David Calavera"]
   spec.email         = ["david.calavera@gmail.com"]
   spec.description   = %q{Ldap authentication for humans}

data/lib/github/ldap.rb CHANGED Viewed

@@ -5,18 +5,12 @@ module GitHub
     require 'github/ldap/filter'
     require 'github/ldap/domain'
     require 'github/ldap/group'
+    require 'github/ldap/posix_group'
     require 'github/ldap/virtual_group'
     require 'github/ldap/virtual_attributes'
     extend Forwardable
-    # Utility method to perform searches against the ldap server.
-    #
-    # It takes the same arguments than Net::LDAP::Connection#search.
-    # Returns an Array with the entries that match the search.
-    # Returns nil if there are no entries that match the search.
-    def_delegator :@connection, :search
     # Utility method to get the last operation result with a human friendly message.
     #
     # Returns an OpenStruct with `code` and `message`.
@@ -29,7 +23,7 @@ module GitHub
     # Returns a Net::LDAP::Entry if the operation succeeded.
     def_delegator :@connection, :bind
-    attr_reader :virtual_attributes
+    attr_reader :uid, :virtual_attributes, :search_domains
     def initialize(options = {})
       @uid = options[:uid] || "sAMAccountName"
@@ -45,25 +39,13 @@ module GitHub
       end
       configure_virtual_attributes(options[:virtual_attributes])
-    end
-    # Determine whether to use encryption or not.
-    #
-    # encryption: is the encryption method, either 'ssl', 'tls', 'simple_tls' or 'start_tls'.
-    #
-    # Returns the real encryption type.
-    def check_encryption(encryption)
-      return unless encryption
-      case encryption.downcase.to_sym
-      when :ssl, :simple_tls
-        :simple_tls
-      when :tls, :start_tls
-        :start_tls
-      end
+      # search_domains is a connection of bases to perform searches
+      # when a base is not explicitly provided.
+      @search_domains = Array(options[:search_domains])
     end
-    # Utility method to check if the connection with the server can be stablished.
+    # Public - Utility method to check if the connection with the server can be stablished.
     # It tries to bind with the ldap auth default configuration.
     #
     # Returns an OpenStruct with `code` and `message`.
@@ -73,7 +55,7 @@ module GitHub
       last_operation_result
     end
-    # Creates a new domain object to perform operations
+    # Public - Creates a new domain object to perform operations
     #
     # base_name: is the dn of the base root.
     #
@@ -82,7 +64,7 @@ module GitHub
       Domain.new(self, base_name, @uid)
     end
-    # Creates a new group object to perform operations
+    # Public - Creates a new group object to perform operations
     #
     # base_name: is the dn of the base root.
     #
@@ -92,14 +74,60 @@ module GitHub
       entry = domain(base_name).bind
       return unless entry
+      load_group(entry)
+    end
+    # Public - Create a new group object based on a Net::LDAP::Entry.
+    #
+    # group_entry: is a Net::LDAP::Entry.
+    #
+    # Returns a Group, PosixGroup or VirtualGroup object.
+    def load_group(group_entry)
       if @virtual_attributes.enabled?
-        VirtualGroup.new(self, entry)
+        VirtualGroup.new(self, group_entry)
+      elsif PosixGroup.valid?(group_entry)
+        PosixGroup.new(self, group_entry)
+      else
+        Group.new(self, group_entry)
+      end
+    end
+    # Public - Search entries in the ldap server.
+    #
+    # options: is a hash with the same options that Net::LDAP::Connection#search supports.
+    #
+    # Returns an Array of Net::LDAP::Entry.
+    def search(options)
+      result = if options[:base]
+        @connection.search(options)
       else
-        Group.new(self, entry)
+        search_domains.each_with_object([]) do |base, result|
+          rs = @connection.search(options.merge(:base => base))
+          result.concat Array(rs) unless rs == false
+        end
+      end
+      return [] if result == false
+      Array(result)
+    end
+    # Internal - Determine whether to use encryption or not.
+    #
+    # encryption: is the encryption method, either 'ssl', 'tls', 'simple_tls' or 'start_tls'.
+    #
+    # Returns the real encryption type.
+    def check_encryption(encryption)
+      return unless encryption
+      case encryption.downcase.to_sym
+      when :ssl, :simple_tls
+        :simple_tls
+      when :tls, :start_tls
+        :start_tls
       end
     end
-    # Configure virtual attributes for this server.
+    # Internal - Configure virtual attributes for this server.
     # If the option is `true`, we'll use the default virual attributes.
     # If it's a Hash we'll map the attributes in the hash.
     #

data/lib/github/ldap/domain.rb CHANGED Viewed

@@ -55,8 +55,8 @@ module GitHub
           member_of = groups_map.keys & user_entry[@ldap.virtual_attributes.virtual_membership]
           member_of.map {|dn| groups_map[dn]}
         else
-          groups_map.each_with_object([]) do |(dn, group), acc|
-            acc << group if Group.new(@ldap, group).is_member?(user_entry.dn)
+          groups_map.each_with_object([]) do |(dn, group_entry), acc|
+            acc << group_entry if @ldap.load_group(group_entry).is_member?(user_entry)
           end
         end
       end
@@ -134,13 +134,9 @@ module GitHub
       def search(options)
         options[:base] = @base_name
         options[:attributes] ||= []
-        options[:ignore_server_caps] ||= true
-        options[:paged_searches_supported] ||= true
+        options[:paged_searches_supported] = true
-        rs = @ldap.search(options)
-        return [] if rs == false
-        Array(rs)
+        @ldap.search(options)
       end
       # Provide a meaningful result after a protocol operation (for example,

data/lib/github/ldap/filter.rb CHANGED Viewed

@@ -2,19 +2,20 @@ module GitHub
   class Ldap
     module Filter
       ALL_GROUPS_FILTER = Net::LDAP::Filter.eq("objectClass", "groupOfNames") |
-                          Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames")
+                          Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames") |
+                          Net::LDAP::Filter.eq("objectClass", "posixGroup")
+      MEMBERSHIP_NAMES  = %w(member uniqueMember)
       # Filter to get the configured groups in the ldap server.
       # Takes the list of the group names and generate a filter for the groups
-      # with cn that match and also include members:
+      # with cn that match.
       #
       # group_names: is an array of group CNs.
-      # user_dn: is an optional member to scope the search to.
       #
       # Returns a Net::LDAP::Filter.
-      def group_filter(group_names, user_dn = nil)
-        or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
-        member_filter(user_dn) & or_filters
+      def group_filter(group_names)
+        group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
       end
       # Filter to check a group membership.
@@ -24,9 +25,9 @@ module GitHub
       # Returns a Net::LDAP::Filter.
       def member_filter(user_dn = nil)
         if user_dn
-          Net::LDAP::Filter.eq("member", user_dn) | Net::LDAP::Filter.eq("uniqueMember", user_dn)
+          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.eq(n, user_dn)}.reduce(:|)
         else
-          Net::LDAP::Filter.pres("member") | Net::LDAP::Filter.pres("uniqueMember")
+          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
         end
       end
@@ -69,6 +70,16 @@ module GitHub
       def subgroups_of_group(group_dn, attr = 'memberOf')
         Net::LDAP::Filter.eq(attr, group_dn) & ALL_GROUPS_FILTER
       end
+      # Filter to get all the members of a group which uid is included in `memberUid`.
+      #
+      # uids: is an array with all the uids to search.
+      # uid_attr: is the names of the uid attribute in the directory.
+      #
+      # Returns a Net::LDAP::Filter
+      def all_members_by_uid(uids, uid_attr)
+        uids.map {|uid| Net::LDAP::Filter.eq(uid_attr, uid)}.reduce(:|)
+      end
     end
   end
 end

data/lib/github/ldap/group.rb CHANGED Viewed

@@ -10,7 +10,11 @@ module GitHub
     # domain = GitHub::Ldap.new(options).group("cn=enterprise,dc=github,dc=com")
     #
     class Group
-      GROUP_CLASS_NAMES = %w(groupOfNames groupOfUniqueNames)
+      include Filter
+      GROUP_CLASS_NAMES = %w(groupOfNames groupOfUniqueNames posixGroup)
+      attr_reader :ldap, :entry
       def initialize(ldap, entry)
         @ldap, @entry = ldap, entry
@@ -37,12 +41,12 @@ module GitHub
       # Public - Check if a user dn is included in the members of this group and its subgroups.
       #
-      # user_dn: is the dn to check.
+      # user_entry: is the user entry to check the membership.
       #
       # Returns true if the dn is in the list of members.
-      def is_member?(user_dn)
-        member_names.include?(user_dn) ||
-          members.detect {|entry| entry.dn == user_dn}
+      def is_member?(user_entry)
+        member_names.include?(user_entry.dn) ||
+          members.detect {|entry| entry.dn == user_entry.dn}
       end
@@ -60,7 +64,9 @@ module GitHub
       #
       # Returns an array with all the DN members.
       def member_names
-        @entry[:member] + @entry[:uniqueMember]
+        MEMBERSHIP_NAMES.each_with_object([]) do |n, cache|
+          cache.concat @entry[n]
+        end
       end
       # Internal - Check if an object class includes the member names

data/lib/github/ldap/posix_group.rb ADDED Viewed

@@ -0,0 +1,81 @@
+module GitHub
+  class Ldap
+    # This class represents a POSIX group.
+    #
+    # To get a POSIX group, you'll need to create a `Ldap` object and then call the method `group`.
+    # The parameter for `group` must be a dn to a group entry with `posixGroup` amongs the values for the attribute `objectClass`.
+    #
+    # For example:
+    #
+    # domain = GitHub::Ldap.new(options).group("cn=enterprise,dc=github,dc=com")
+    #
+    class PosixGroup < Group
+      # Public - Check if an ldap entry is a valid posixGroup.
+      #
+      # entry: is the ldap entry to check.
+      #
+      # Returns true if the entry includes the objectClass `posixGroup`.
+      def self.valid?(entry)
+        entry[:objectClass].any? {|oc| oc.downcase == 'posixgroup'}
+      end
+      # Public - Overrides Group#members
+      #
+      # Search the entries corresponding to the members in the `memberUid` attribute.
+      # It calls `super` if the group entry includes `member` or `uniqueMember`.
+      #
+      # Returns an array with the members of this group and its submembers if there is any.
+      def members
+        return @all_posix_members if @all_posix_members
+        @all_posix_members = search_members_by_uids
+        @all_posix_members.concat super if combined_group?
+        @all_posix_members.uniq! {|m| m.dn }
+        @all_posix_members
+      end
+      # Public - Overrides Group#subgroups
+      #
+      # Prevent to call super when the group entry does not include `member` or `uniqueMember`.
+      #
+      # Returns an array with the subgroups of this group.
+      def subgroups
+        return [] unless combined_group?
+        super
+      end
+      # Public - Overrides Group#is_member?
+      #
+      # Chech if the user entry uid exists in the collection of `memberUid`.
+      # It calls `super` if the group entry includes `member` or `uniqueMember`.
+      #
+      # Return true if the user is member if this group or any subgroup.
+      def is_member?(user_entry)
+        entry_uids = user_entry[ldap.uid]
+        return true if !(entry_uids & entry[:memberUid]).empty?
+        super if combined_group?
+      end
+      # Internal - Check if this posix group also includes `member` and `uniqueMember` entries.
+      #
+      # Returns true if any of the membership names is include in this group entry.
+      def combined_group?
+        MEMBERSHIP_NAMES.any? {|name| !entry[name].empty? }
+      end
+      # Internal - Search all members by uid.
+      #
+      # Return an array of user entries.
+      def search_members_by_uids
+        member_uids = entry[:memberUid]
+        return [] if member_uids.empty?
+        filter = all_members_by_uid(member_uids, ldap.uid)
+        ldap.search(filter: filter)
+      end
+    end
+  end
+end

data/test/filter_test.rb CHANGED Viewed

@@ -17,15 +17,10 @@ class FilterTest < Minitest::Test
   end
   def test_groups_reduced
-    assert_equal "(&(|(member=*)(uniqueMember=*))(|(cn=Enterprise)(cn=People)))",
+    assert_equal "(|(cn=Enterprise)(cn=People))",
       @subject.group_filter(%w(Enterprise People)).to_s
   end
-  def test_groups_for_member
-    assert_equal "(&(|(member=#{@me})(uniqueMember=#{@me}))(|(cn=Enterprise)(cn=People)))",
-      @subject.group_filter(%w(Enterprise People), @me).to_s
-  end
   def test_members_of_group
     assert_equal "(memberOf=cn=group,dc=github,dc=com)",
       @subject.members_of_group('cn=group,dc=github,dc=com').to_s
@@ -41,4 +36,9 @@ class FilterTest < Minitest::Test
     assert_equal "(&(isMemberOf=cn=group,dc=github,dc=com)#{Subject::ALL_GROUPS_FILTER})",
       @subject.subgroups_of_group('cn=group,dc=github,dc=com', 'isMemberOf').to_s
   end
+  def test_all_members_by_uid
+    assert_equal "(|(uid=calavera)(uid=mtodd))",
+      @subject.all_members_by_uid(%w(calavera mtodd), :uid).to_s
+  end
 end

data/test/fixtures/github-with-subgroups.ldif CHANGED Viewed

@@ -3,7 +3,6 @@ version: 1
 # Organizations
 dn: dc=github,dc=com
-cn: github
 objectClass: dcObject
 objectClass: organization
 dc: github
@@ -26,6 +25,7 @@ userPassword: secret
 dn: ou=groups,dc=github,dc=com
 objectclass: organizationalUnit
+ou: groups
 dn: cn=enterprise,ou=groups,dc=github,dc=com
 cn: Enterprise
@@ -55,6 +55,7 @@ member: uid=rubiojr,ou=users,dc=github,dc=com
 dn: ou=users,dc=github,dc=com
 objectclass: organizationalUnit
+ou: users
 dn: uid=calavera,ou=users,dc=github,dc=com
 cn: David Calavera
@@ -88,3 +89,11 @@ uid: rubiojr
 userPassword: passworD1
 mail: rubiojr@github.com
 objectClass: inetOrgPerson
+dn: uid=mtodd,ou=users,dc=github,dc=com
+cn: mtodd
+sn: mtodd
+uid: mtodd
+userPassword: passworD1
+mail: mtodd@github.com
+objectClass: inetOrgPerson

data/test/ldap_test.rb CHANGED Viewed

@@ -29,6 +29,7 @@ module GitHubLdapTestCases
         :attributes => %w(uid),
         :filter     => Net::LDAP::Filter.eq('uid', 'calavera')})
+    refute result.empty?
     assert_equal 'calavera', result.first[:uid].first
   end
@@ -56,6 +57,14 @@ module GitHubLdapTestCases
   def test_virtual_attributes_disabled
     refute @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes disabled"
   end
+  def test_search_domains
+    ldap = GitHub::Ldap.new(options.merge(search_domains: ['dc=github,dc=com']))
+    result = ldap.search(filter: Net::LDAP::Filter.eq('uid', 'calavera'))
+    refute result.empty?
+    assert_equal 'calavera', result.first[:uid].first
+  end
 end
 class GitHubLdapTest < GitHub::Ldap::Test

data/test/posix_group_test.rb ADDED Viewed

@@ -0,0 +1,120 @@
+require 'test_helper'
+class GitHubLdapPosixGroupTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {user_fixtures: FIXTURES.join('github-with-subgroups.ldif').to_s}
+  end
+  def setup
+    @simple_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd""")
+    @one_level_deep_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-ops,ou=groups,dc=github,dc=com
+cn: enterprise-posix-ops
+objectClass: posixGroup
+objectClass: groupOfNames
+memberUid: sbryant
+member: cn=spaniards,ou=groups,dc=github,dc=com""")
+    @two_levels_deep_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix,ou=groups,dc=github,dc=com
+cn: Enterprise Posix
+objectClass: posixGroup
+objectClass: groupOfNames
+memberUid: calavera
+member: cn=enterprise-devs,ou=groups,dc=github,dc=com
+member: cn=enterprise-ops,ou=groups,dc=github,dc=com""")
+    @empty_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-empty,ou=groups,dc=github,dc=com
+cn: enterprise-posix-empty
+objectClass: posixGroup""")
+    @ldap = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+  end
+  def test_posix_group
+    assert GitHub::Ldap::PosixGroup.valid?(@simple_group),
+      "Expected entry to be a valid posixGroup"
+  end
+  def test_posix_simple_members
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    members = group.members
+    assert_equal 2, members.size
+    assert_equal 'benburkert', members.first[:uid].first
+  end
+  def test_posix_combined_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    members = group.members
+    assert_equal 3, members.size
+  end
+  def test_posix_combined_group_unique_members
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @two_levels_deep_group)
+    members = group.members
+    assert_equal 4, members.size
+  end
+  def test_empty_subgroups
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    subgroups = group.subgroups
+    assert subgroups.empty?, "Simple posixgroup expected to not have subgroups"
+  end
+  def test_posix_combined_group_subgroups
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    subgroups = group.subgroups
+    assert_equal 1, subgroups.size
+  end
+  def test_is_member_simple_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    user  = @ldap.domain("uid=benburkert,ou=users,dc=github,dc=com").bind
+    assert group.is_member?(user),
+      "Expected user in the memberUid list to be a member of the posixgroup"
+  end
+  def test_is_member_combined_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    user  = @ldap.domain("uid=calavera,ou=users,dc=github,dc=com").bind
+    assert group.is_member?(user),
+      "Expected user in a subgroup to be a member of the posixgroup"
+  end
+  def test_is_not_member_simple_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    user  = @ldap.domain("uid=calavera,ou=users,dc=github,dc=com").bind
+    refute group.is_member?(user),
+      "Expected user to not be member when her uid is not in the list of memberUid"
+  end
+  def test_is_member_combined_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    user  = @ldap.domain("uid=benburkert,ou=users,dc=github,dc=com").bind
+    refute group.is_member?(user),
+      "Expected user to not be member when she's not member of any subgroup"
+  end
+  def test_empty_posix_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @empty_group)
+    assert group.members.empty?,
+      "Expected members to be an empty array"
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-  version: 1.1.5
+  version: 1.2.0
 platform: ruby
 authors:
 - David Calavera
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-03-11 00:00:00.000000000 Z
+date: 2014-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
@@ -99,6 +99,7 @@ files:
 - lib/github/ldap/filter.rb
 - lib/github/ldap/fixtures.ldif
 - lib/github/ldap/group.rb
+- lib/github/ldap/posix_group.rb
 - lib/github/ldap/server.rb
 - lib/github/ldap/virtual_attributes.rb
 - lib/github/ldap/virtual_group.rb
@@ -109,6 +110,7 @@ files:
 - test/fixtures/github-with-subgroups.ldif
 - test/group_test.rb
 - test/ldap_test.rb
+- test/posix_group_test.rb
 - test/test_helper.rb
 homepage: https://github.com/github/github-ldap
 licenses:
@@ -142,5 +144,6 @@ test_files:
 - test/fixtures/github-with-subgroups.ldif
 - test/group_test.rb
 - test/ldap_test.rb
+- test/posix_group_test.rb
 - test/test_helper.rb
 has_rdoc: