github-ldap 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a23a62005338f49107b2e82997fbdb9c02d4004c
-  data.tar.gz: bb3a1b3bed1dfb66a1b110bf2e7b31e5a74d7378
+  metadata.gz: 8c05560a6e80e800f35e6d9173fa14492b8d7201
+  data.tar.gz: 95dd52b0e87152cd37d22b1f804ad336499fd47a
 SHA512:
-  metadata.gz: 24548e4cf5b738fb303b635297fd12c634d5a85d42076e367763e833fd0f59e107e398a3f9ff00ce8a69bb4a5d119bf91f5180661d5274e7c6f79e3445ed2bb3
-  data.tar.gz: 56669b0b27287bdd8cdf3b7820690e2b2832ac9adf12eacb5b882c6d71e687b05c1aa0f4459231738e0001dda538fed02817b13496bbf7e8c4366cc52dacc5c6
+  metadata.gz: 6162767914b01776e7d2e8bcab9101f2f7a70acafeee389295abb0caa4953f79e4992181ef01f3465b7f19c576a1781a2b9972de3f815801277937cffa980f96
+  data.tar.gz: 381cc12fde5eaba702d4c6abfe7caa07cc75f85f85f644cbd2947fe0bbbb7003c0ca5274ef48a36a28bb89e913ad9271ef78c2276cecf80d1a4fed020fc244e7

data/github-ldap.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |spec|
   spec.name          = "github-ldap"
-  spec.version       = "1.2.1"
+  spec.version       = "1.3.0"
   spec.authors       = ["David Calavera"]
   spec.email         = ["david.calavera@gmail.com"]
   spec.description   = %q{Ldap authentication for humans}
@@ -15,7 +15,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'net-ldap', '>= 0.2.2'
+  spec.add_dependency 'net-ldap', '~> 0.7.0'
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency 'ladle'

data/lib/github/ldap.rb

@@ -40,11 +40,24 @@ module GitHub
 
       configure_virtual_attributes(options[:virtual_attributes])
 
+      # enable fallback recursive group search unless option is false
+      @recursive_group_search_fallback = (options[:recursive_group_search_fallback] != false)
+
       # search_domains is a connection of bases to perform searches
       # when a base is not explicitly provided.
       @search_domains = Array(options[:search_domains])
     end
 
+    # Public - Whether membership checks should recurse into nested groups when
+    # virtual attributes aren't enabled. The fallback search has poor
+    # performance characteristics in some cases, in which case this should be
+    # disabled by passing :recursive_group_search_fallback => false.
+    #
+    # Returns true or false.
+    def recursive_group_search_fallback?
+      @recursive_group_search_fallback
+    end
+
     # Public - Utility method to check if the connection with the server can be stablished.
     # It tries to bind with the ldap auth default configuration.
     #

data/lib/github/ldap/domain.rb

@@ -52,16 +52,22 @@ module GitHub
       #
       # Return an Array with the groups that the given user is member of that belong to the given group list.
       def membership(user_entry, group_names)
-        all_groups = search(filter: group_filter(group_names))
-        groups_map = all_groups.each_with_object({}) {|entry, hash| hash[entry.dn] = entry}
-
-        if @ldap.virtual_attributes.enabled?
-          member_of = groups_map.keys & user_entry[@ldap.virtual_attributes.virtual_membership]
-          member_of.map {|dn| groups_map[dn]}
-        else
-          groups_map.each_with_object([]) do |(dn, group_entry), acc|
-            acc << group_entry if @ldap.load_group(group_entry).is_member?(user_entry)
+        if @ldap.virtual_attributes.enabled? || @ldap.recursive_group_search_fallback?
+          all_groups = search(filter: group_filter(group_names))
+          groups_map = all_groups.each_with_object({}) {|entry, hash| hash[entry.dn] = entry}
+
+          if @ldap.virtual_attributes.enabled?
+            member_of = groups_map.keys & user_entry[@ldap.virtual_attributes.virtual_membership]
+            member_of.map {|dn| groups_map[dn]}
+          else # recursive group search fallback
+            groups_map.each_with_object([]) do |(dn, group_entry), acc|
+              acc << group_entry if @ldap.load_group(group_entry).is_member?(user_entry)
+            end
           end
+        else
+          # fallback to non-recursive group membership search
+          filter = member_filter(user_entry) & group_filter(group_names)
+          search(filter: filter)
         end
       end
 
@@ -143,16 +149,6 @@ module GitHub
         @ldap.search(options, &block)
       end
 
-      # Provide a meaningful result after a protocol operation (for example,
-      # bind or search) has completed.
-      #
-      # Returns an OpenStruct containing an LDAP result code and a
-      # human-readable string.
-      # See http://tools.ietf.org/html/rfc4511#appendix-A
-      def get_operation_result
-        @ldap.get_operation_result
-      end
-
       # Get the entry for this domain.
       #
       # Returns a Net::LDAP::Entry

data/lib/github/ldap/filter.rb

@@ -18,16 +18,21 @@ module GitHub
         group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
       end
 
-      # Filter to check a group membership.
+      # Filter to check group membership.
       #
-      # user_dn: is an optional user_dn to scope the search to.
+      # entry:    finds groups this Net::LDAP::Entry is a member of (optional)
+      # uid_attr: specifies the memberUid attribute to match with   (optional)
       #
       # Returns a Net::LDAP::Filter.
-      def member_filter(user_dn = nil)
-        if user_dn
-          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.eq(n, user_dn)}.reduce(:|)
+      def member_filter(entry = nil, uid_attr = @ldap.uid)
+        if entry
+          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.
+                           reduce(:|) |
+          entry[uid_attr]. map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
+                           reduce(:|)
         else
-          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
+          (MEMBERSHIP_NAMES + %w(memberUid)).
+            map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
         end
       end
 

data/lib/github/ldap/fixtures.ldif

@@ -1,12 +1,5 @@
 version: 1
 
-# Organizations
-dn: dc=github,dc=com
-objectClass: dcObject
-objectClass: organization
-dc: github
-o: GitHub Inc.
-
 dn: ou=Group,dc=github,dc=com
 objectclass: organizationalUnit
 ou: Group

data/lib/github/ldap/virtual_group.rb

@@ -1,6 +1,8 @@
 module GitHub
   class Ldap
     class VirtualGroup < Group
+      include Filter
+
       def members
         @ldap.search(filter: members_of_group(@entry.dn, membership_attribute))
       end
@@ -17,7 +19,7 @@ module GitHub
       #
       # Returns a string.
       def membership_attribute
-        @ldap.virual_attributes.virtual_membership
+        @ldap.virtual_attributes.virtual_membership
       end
     end
   end

data/test/domain_test.rb

@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative 'test_helper'
 
 module GitHubLdapDomainTestCases
   def setup
@@ -159,3 +159,63 @@ class GitHubLdapDomainNestedGroupsTest < GitHub::Ldap::Test
       "Expected `enterprise-ops` to include the member `#{user.dn}`"
   end
 end
+
+class GitHubLdapPosixGroupsWithRecursionFallbackTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {
+      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
+      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
+      # so we exercise the recursive group search fallback
+      recursive_group_search_fallback: true
+    }
+  end
+
+  def setup
+    @ldap = GitHub::Ldap.new(options)
+    @domain = @ldap.domain("dc=github,dc=com")
+
+    @group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd""")
+  end
+
+  def test_membership_for_posixGroups
+    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+
+    assert @domain.is_member?(user, @group.cn),
+      "Expected `#{@group.cn.first}` to include the member `#{user.dn}`"
+  end
+end
+
+class GitHubLdapPosixGroupsTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {
+      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
+      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
+      # so we test the test the non-recursive group membership search
+      recursive_group_search_fallback: false
+    }
+  end
+
+  def setup
+    @ldap = GitHub::Ldap.new(options)
+    @domain = @ldap.domain("dc=github,dc=com")
+
+    @group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd""")
+  end
+
+  def test_membership_for_posixGroups
+    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+
+    assert @domain.is_member?(user, @group.cn),
+      "Expected `#{@group.cn.first}` to include the member `#{user.dn}`"
+  end
+end

data/test/filter_test.rb

@@ -1,19 +1,35 @@
-require 'test_helper'
+require_relative 'test_helper'
 
 class FilterTest < Minitest::Test
-  class Subject; include GitHub::Ldap::Filter; end
+  class Subject
+    include GitHub::Ldap::Filter
+    def initialize(ldap)
+      @ldap = ldap
+    end
+  end
+
+  # Fake a Net::LDAP::Entry
+  class Entry < Struct.new(:dn, :uid)
+    def [](field)
+      Array(send(field))
+    end
+  end
 
   def setup
-    @subject = Subject.new
-    @me = 'uid=calavera,dc=github,dc=com'
+    @ldap    = GitHub::Ldap.new(:uid => 'uid')
+    @subject = Subject.new(@ldap)
+    @me      = 'uid=calavera,dc=github,dc=com'
+    @uid     = "calavera"
+    @entry   = Entry.new(@me, @uid)
   end
 
   def test_member_present
-    assert_equal "(|(member=*)(uniqueMember=*))", @subject.member_filter.to_s
+    assert_equal "(|(|(member=*)(uniqueMember=*))(memberUid=*))", @subject.member_filter.to_s
   end
 
   def test_member_equal
-    assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))", @subject.member_filter(@me).to_s
+    assert_equal "(|(|(member=#{@me})(uniqueMember=#{@me}))(memberUid=#{@uid}))",
+                 @subject.member_filter(@entry).to_s
   end
 
   def test_groups_reduced

data/test/fixtures/github-with-looped-subgroups.ldif

@@ -1,14 +1,5 @@
 version: 1
 
-# Organizations
-
-dn: dc=github,dc=com
-cn: github
-objectClass: dcObject
-objectClass: organization
-dc: github
-o: GitHub Inc.
-
 # Admin user
 
 dn: uid=admin,dc=github,dc=com

data/test/fixtures/github-with-missing-entries.ldif

@@ -1,14 +1,5 @@
 version: 1
 
-# Organizations
-
-dn: dc=github,dc=com
-cn: github
-objectClass: dcObject
-objectClass: organization
-dc: github
-o: GitHub Inc.
-
 # Admin user
 
 dn: uid=admin,dc=github,dc=com

data/test/fixtures/github-with-posixGroups.ldif

@@ -0,0 +1,50 @@
+version: 1
+
+# Admin user
+
+dn: uid=admin,dc=github,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: system administrator
+sn: administrator
+displayName: Directory Superuser
+uid: admin
+userPassword: secret
+
+# Groups
+
+dn: ou=groups,dc=github,dc=com
+objectclass: organizationalUnit
+ou: groups
+
+# Posix Groups
+
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd
+
+# Users
+
+dn: ou=users,dc=github,dc=com
+objectclass: organizationalUnit
+ou: users
+
+dn: uid=benburkert,ou=users,dc=github,dc=com
+cn: benburkert
+sn: benburkert
+uid: benburkert
+userPassword: passworD1
+mail: benburkert@github.com
+objectClass: inetOrgPerson
+
+dn: uid=mtodd,ou=users,dc=github,dc=com
+cn: mtodd
+sn: mtodd
+uid: mtodd
+userPassword: passworD1
+mail: mtodd@github.com
+objectClass: inetOrgPerson

data/test/fixtures/github-with-subgroups.ldif

@@ -1,13 +1,5 @@
 version: 1
 
-# Organizations
-
-dn: dc=github,dc=com
-objectClass: dcObject
-objectClass: organization
-dc: github
-o: GitHub Inc.
-
 # Admin user
 
 dn: uid=admin,dc=github,dc=com

data/test/fixtures/posixGroup.schema.ldif

@@ -0,0 +1,26 @@
+version: 1
+
+dn: m-oid=1.3.6.1.4.1.18055.0.4.1.2.1001,ou=attributeTypes,cn=other,ou=schema
+objectClass: metaAttributeType
+objectClass: metaTop
+objectClass: top
+m-collective: FALSE
+m-description: memberUid
+m-equality: caseExactMatch
+m-name: memberUid
+m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
+m-usage: USER_APPLICATIONS
+m-oid: 1.3.6.1.4.1.18055.0.4.1.2.1001
+
+dn: m-oid=1.3.6.1.4.1.18055.0.4.1.3.1001,ou=objectClasses,cn=other,ou=schema
+objectClass: metaObjectClass
+objectClass: metaTop
+objectClass: top
+m-description: posixGroup
+m-may: cn
+m-may: sn
+m-may: memberUid
+m-supobjectclass: top
+m-name: posixGroup
+m-oid: 1.3.6.1.4.1.18055.0.4.1.3.1001
+m-typeobjectclass: STRUCTURAL

data/test/group_test.rb

@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative 'test_helper'
 
 class GitHubLdapGroupTest < GitHub::Ldap::Test
   def self.test_server_options

data/test/ldap_test.rb

@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative 'test_helper'
 
 module GitHubLdapTestCases
   def setup

data/test/posix_group_test.rb

@@ -1,4 +1,4 @@
-require 'test_helper'
+require_relative 'test_helper'
 
 class GitHubLdapPosixGroupTest < GitHub::Ldap::Test
   def self.test_server_options
@@ -48,7 +48,7 @@ objectClass: posixGroup""")
     members = group.members
 
     assert_equal 2, members.size
-    assert_equal 'benburkert', members.first[:uid].first
+    assert_equal %w(benburkert mtodd), members.map(&:uid).flatten.sort
   end
 
   def test_posix_combined_group

metadata

@@ -1,83 +1,83 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - David Calavera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-20 00:00:00.000000000 Z
+date: 2014-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.2
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.2
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: ladle
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Ldap authentication for humans
@@ -87,8 +87,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .travis.yml
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -107,7 +107,9 @@ files:
 - test/filter_test.rb
 - test/fixtures/github-with-looped-subgroups.ldif
 - test/fixtures/github-with-missing-entries.ldif
+- test/fixtures/github-with-posixGroups.ldif
 - test/fixtures/github-with-subgroups.ldif
+- test/fixtures/posixGroup.schema.ldif
 - test/group_test.rb
 - test/ldap_test.rb
 - test/posix_group_test.rb
@@ -122,17 +124,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Ldap client authentication wrapper without all the boilerplate
@@ -141,9 +143,10 @@ test_files:
 - test/filter_test.rb
 - test/fixtures/github-with-looped-subgroups.ldif
 - test/fixtures/github-with-missing-entries.ldif
+- test/fixtures/github-with-posixGroups.ldif
 - test/fixtures/github-with-subgroups.ldif
+- test/fixtures/posixGroup.schema.ldif
 - test/group_test.rb
 - test/ldap_test.rb
 - test/posix_group_test.rb
 - test/test_helper.rb
-has_rdoc: