github-ldap 1.3.3 → 1.4.0

data/lib/github/ldap/membership_validators/recursive.rb

@@ -0,0 +1,93 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      # Validates membership recursively.
+      #
+      # The first step checks whether the entry is a direct member of the given
+      # groups. If they are, then we've validated membership successfully.
+      #
+      # If not, query for all of the groups that have our groups as members,
+      # then we check if the entry is a member of any of those.
+      #
+      # This is repeated until the entry is found, recursing and requesting
+      # groups in bulk each iteration until we hit the maximum depth allowed
+      # and have to give up.
+      #
+      # This results in a maximum of `depth` queries (per domain) to validate
+      # membership in a list of groups.
+      class Recursive < Base
+        include Filter
+
+        DEFAULT_MAX_DEPTH = 9
+        ATTRS             = %w(dn cn)
+
+        def perform(entry, depth = DEFAULT_MAX_DEPTH)
+          # short circuit validation if there are no groups to check against
+          return true if groups.empty?
+
+          domains.each do |domain|
+            # find groups entry is an immediate member of
+            membership = domain.search(filter: member_filter(entry), attributes: ATTRS)
+
+            # success if any of these groups match the restricted auth groups
+            return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+            # give up if the entry has no memberships to recurse
+            next if membership.empty?
+
+            # recurse to at most `depth`
+            depth.times do |n|
+              # find groups whose members include membership groups
+              membership = domain.search(filter: membership_filter(membership), attributes: ATTRS)
+
+              # success if any of these groups match the restricted auth groups
+              return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+              # give up if there are no more membersips to recurse
+              break if membership.empty?
+            end
+
+            # give up on this base if there are no memberships to test
+            next if membership.empty?
+          end
+
+          false
+        end
+
+        # Internal: Construct a filter to find groups this entry is a direct
+        # member of.
+        #
+        # Overloads the included `GitHub::Ldap::Filters#member_filter` method
+        # to inject `posixGroup` handling.
+        #
+        # Returns a Net::LDAP::Filter object.
+        def member_filter(entry_or_uid, uid = ldap.uid)
+          filter = super(entry_or_uid)
+
+          if ldap.posix_support_enabled?
+            if posix_filter = posix_member_filter(entry_or_uid, uid)
+              filter |= posix_filter
+            end
+          end
+
+          filter
+        end
+
+        # Internal: Construct a filter to find groups whose members are the
+        # Array of String group DNs passed in.
+        #
+        # Returns a String filter.
+        def membership_filter(groups)
+          groups.map { |entry| member_filter(entry, :cn) }.reduce(:|)
+        end
+
+        # Internal: the group DNs to check against.
+        #
+        # Returns an Array of String DNs.
+        def group_dns
+          @group_dns ||= groups.map(&:dn)
+        end
+      end
+    end
+  end
+end

data/lib/github/ldap/server.rb

@@ -38,6 +38,8 @@ module GitHub
       @server_options[:domain]            = @server_options[:user_domain]
       @server_options[:tmpdir]          ||= server_tmp
 
+      @server_options[:quiet] = false if @server_options[:verbose]
+
       @ldap_server = Ladle::Server.new(@server_options)
       @ldap_server.start
     end

data/script/changelog

@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+# Usage: script/changelog [-r <repo>] [-b <base>] [-h <head>]
+#
+#  repo: base string of GitHub repository url. e.g. "user_or_org/repository". Defaults to git remote url.
+#  base: git ref to compare from. e.g. "v1.3.1". Defaults to latest git tag.
+#  head: git ref to compare to. Defaults to "HEAD".
+#
+# Generate a changelog preview from pull requests merged between `base` and
+# `head`.
+#
+set -e
+
+[ $# -eq 0 ] && set -- --help
+
+# parse args
+repo=$(git remote -v | grep push | awk '{print $2}' | cut -d'/' -f4-)
+base=$(git tag -l | sort -n | tail -n 1)
+head="HEAD"
+api_url="https://api.github.com"
+
+echo "# $base..$head"
+echo
+
+# get merged PR's. Better way is to query the API for these, but this is easier
+for pr in $(git log --oneline v1.3.6..HEAD | grep "Merge pull request" | awk '{gsub("#",""); print $5}')
+do
+  # frustrated with trying to pull out the right values, fell back to ruby
+  curl -s "$api_url/repos/$repo/pulls/$pr" | ruby -rjson -e 'pr=JSON.parse(STDIN.read); puts "* #{pr[%q(title)]} [##{pr[%q(number)]}](#{pr[%q(html_url)]})"'
+done

data/script/cibuild-apacheds

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -e
+set -x
+
+cd `dirname $0`/..
+
+bundle exec rake

data/script/cibuild-openldap

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -e
+set -x
+
+cd `dirname $0`/..
+
+bundle exec rake

data/script/install-openldap

@@ -0,0 +1,44 @@
+#!/usr/bin/env sh
+set -e
+set -x
+
+BASE_PATH="$( cd `dirname $0`/../test/fixtures/openldap && pwd )"
+SEED_PATH="$( cd `dirname $0`/../test/fixtures/common   && pwd )"
+
+DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y --force-yes slapd time ldap-utils
+
+sudo /etc/init.d/slapd stop
+
+TMPDIR=$(mktemp -d)
+cd $TMPDIR
+
+# Delete data and reconfigure.
+sudo cp -v /var/lib/ldap/DB_CONFIG ./DB_CONFIG
+sudo rm -rf /etc/ldap/slapd.d/*
+sudo rm -rf /var/lib/ldap/*
+sudo cp -v ./DB_CONFIG /var/lib/ldap/DB_CONFIG
+sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/slapd.conf.ldif
+# Load memberof and ref-int overlays and configure them.
+sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/memberof.ldif
+
+# Add base domain.
+sudo slapadd -F /etc/ldap/slapd.d <<EOM
+dn: dc=github,dc=com
+objectClass: top
+objectClass: domain
+dc: github
+EOM
+
+sudo chown -R openldap.openldap /etc/ldap/slapd.d
+sudo chown -R openldap.openldap /var/lib/ldap
+
+sudo /etc/init.d/slapd start
+
+# Import seed data.
+# NOTE: use ldapadd in order for memberOf and refint to apply, instead of:
+# /vagrant/services/ldap/openldap/seed.rb | sudo slapadd -F /etc/ldap/slapd.d
+cat $SEED_PATH/seed.ldif |
+  /usr/bin/time sudo ldapadd -x -D "cn=admin,dc=github,dc=com" -w passworD1 \
+               -h localhost -p 389
+
+sudo rm -rf $TMPDIR

data/script/package

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# Usage: script/package
+# Updates the gemspec and builds a new gem in the pkg directory.
+
+mkdir -p pkg
+gem build *.gemspec
+mv *.gem pkg

data/script/release

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Usage: script/release
+# Build the package, tag a commit, push it to origin, and then release the
+# package publicly.
+
+set -e
+
+version="$(script/package | grep Version: | awk '{print $2}')"
+[ -n "$version" ] || exit 1
+
+echo $version
+git commit --allow-empty -a -m "Release $version"
+git tag "v$version"
+git push origin
+git push origin "v$version"
+gem push pkg/*-${version}.gem

data/test/domain_test.rb

@@ -7,13 +7,13 @@ module GitHubLdapDomainTestCases
   end
 
   def test_user_valid_login
-    user = @domain.valid_login?('calavera', 'passworD1')
-    assert_equal 'uid=calavera,dc=github,dc=com', user.dn
+    assert user = @domain.valid_login?('user1', 'passworD1')
+    assert_equal 'uid=user1,ou=People,dc=github,dc=com', user.dn
   end
 
   def test_user_with_invalid_password
-    assert !@domain.valid_login?('calavera', 'foo'),
-      "Login `calavera` expected to be invalid with password `foo`"
+    assert !@domain.valid_login?('user1', 'foo'),
+      "Login `user1` expected to be invalid with password `foo`"
   end
 
   def test_user_with_invalid_login
@@ -22,115 +22,123 @@ module GitHubLdapDomainTestCases
   end
 
   def test_groups_in_server
-    assert_equal 2, @domain.groups(%w(Enterprise People)).size
+    assert_equal 2, @domain.groups(%w(ghe-users ghe-admins)).size
   end
 
   def test_user_in_group
-    user = @domain.valid_login?('calavera', 'passworD1')
+    assert user = @domain.valid_login?('user1', 'passworD1')
 
-    assert @domain.is_member?(user, %w(Enterprise People)),
-      "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
+    assert @domain.is_member?(user, %w(ghe-users ghe-admins)),
+      "Expected `ghe-users` or `ghe-admins` to include the member `#{user.dn}`"
   end
 
   def test_user_not_in_different_group
-    user = @domain.valid_login?('calavera', 'passworD1')
+    user = @domain.valid_login?('user1', 'passworD1')
 
-    assert !@domain.is_member?(user, %w(People)),
-      "Expected `Poeple` not to include the member `#{user.dn}`"
+    refute @domain.is_member?(user, %w(ghe-admins)),
+      "Expected `ghe-admins` not to include the member `#{user.dn}`"
   end
 
   def test_user_without_group
-    user = @domain.valid_login?('ldaptest', 'secret')
+    user = @domain.valid_login?('groupless-user1', 'passworD1')
 
-    assert !@domain.is_member?(user, %w(People)),
-      "Expected `People` not to include the member `#{user.dn}`"
+    assert !@domain.is_member?(user, %w(all-users)),
+      "Expected `all-users` not to include the member `#{user.dn}`"
   end
 
-  def test_authenticate_doesnt_return_invalid_users
-    user = @domain.authenticate!('calavera', 'passworD1')
-    assert_equal 'uid=calavera,dc=github,dc=com', user.dn
+  def test_authenticate_returns_valid_users
+    user = @domain.authenticate!('user1', 'passworD1')
+    assert_equal 'uid=user1,ou=People,dc=github,dc=com', user.dn
   end
 
   def test_authenticate_doesnt_return_invalid_users
-    assert !@domain.authenticate!('calavera', 'foo'),
+    refute @domain.authenticate!('user1', 'foo'),
       "Expected `authenticate!` to not return an invalid user"
   end
 
   def test_authenticate_check_valid_user_and_groups
-    user = @domain.authenticate!('calavera', 'passworD1', %w(Enterprise People))
+    user = @domain.authenticate!('user1', 'passworD1', %w(ghe-users ghe-admins))
 
-    assert_equal 'uid=calavera,dc=github,dc=com', user.dn
+    assert_equal 'uid=user1,ou=People,dc=github,dc=com', user.dn
   end
 
   def test_authenticate_doesnt_return_valid_users_in_different_groups
-    assert !@domain.authenticate!('calavera', 'passworD1', %w(People)),
+    refute @domain.authenticate!('user1', 'passworD1', %w(ghe-admins)),
       "Expected `authenticate!` to not return an user"
   end
 
   def test_membership_empty_for_non_members
-    user = @ldap.domain('uid=calavera,dc=github,dc=com').bind
+    user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
 
-    assert @domain.membership(user, %w(People)).empty?,
-      "Expected `calavera` not to be a member of `People`."
+    assert @domain.membership(user, %w(ghe-admins)).empty?,
+      "Expected `user1` not to be a member of `ghe-admins`."
   end
 
   def test_membership_groups_for_members
-    user = @ldap.domain('uid=calavera,dc=github,dc=com').bind
-    groups = @domain.membership(user, %w(Enterprise People))
+    user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
+    groups = @domain.membership(user, %w(ghe-users ghe-admins))
 
     assert_equal 1, groups.size
-    assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+    assert_equal 'cn=ghe-users,ou=Groups,dc=github,dc=com', groups.first.dn
   end
 
   def test_membership_with_virtual_attributes
     ldap = GitHub::Ldap.new(options.merge(virtual_attributes: true))
-    user = ldap.domain('uid=calavera,dc=github,dc=com').bind
-    user[:memberof] = 'cn=Enterprise,ou=Group,dc=github,dc=com'
+
+    user = ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
+    user[:memberof] = 'cn=ghe-admins,ou=Groups,dc=github,dc=com'
 
     domain = ldap.domain("dc=github,dc=com")
-    groups = domain.membership(user, %w(Enterprise People))
+    groups = domain.membership(user, %w(ghe-admins))
 
     assert_equal 1, groups.size
-    assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+    assert_equal 'cn=ghe-admins,ou=Groups,dc=github,dc=com', groups.first.dn
   end
 
   def test_search
     assert 1, @domain.search(
       attributes: %w(uid),
-      filter: Net::LDAP::Filter.eq('uid', 'calavera')).size
+      filter: Net::LDAP::Filter.eq('uid', 'user1')).size
   end
 
   def test_search_override_base_name
     assert 1, @domain.search(
       base: "this base name is incorrect",
       attributes: %w(uid),
-      filter: Net::LDAP::Filter.eq('uid', 'calavera')).size
+      filter: Net::LDAP::Filter.eq('uid', 'user1')).size
   end
 
   def test_user_exists
-    assert_equal 'uid=calavera,dc=github,dc=com', @domain.user?('calavera').dn
+    assert user = @domain.user?('user1')
+    assert_equal 'uid=user1,ou=People,dc=github,dc=com', user.dn
   end
 
   def test_user_wildcards_are_filtered
-    assert !@domain.user?('cal*'), 'Expected uid `cal*` to not complete'
+    refute @domain.user?('user*'), 'Expected uid `user*` to not complete'
   end
 
   def test_user_does_not_exist
-    assert !@domain.user?('foobar'), 'Expected uid `foobar` to not exist.'
+    refute @domain.user?('foobar'), 'Expected uid `foobar` to not exist.'
   end
 
   def test_user_returns_every_attribute
-    assert_equal ['calavera@github.com'], @domain.user?('calavera')[:mail]
+    assert user = @domain.user?('user1')
+    assert_equal ['user1@github.com'], user[:mail]
+  end
+
+  def test_user_returns_subset_of_attributes
+    assert entry = @domain.user?('user1', :attributes => [:cn])
+    assert_equal [:dn, :cn], entry.attribute_names
   end
 
   def test_auth_binds
-    user = @domain.user?('calavera')
-    assert @domain.auth(user, 'passworD1'), 'Expected user to be bound.'
+    assert user = @domain.user?('user1')
+    assert @domain.auth(user, 'passworD1'), 'Expected user to bind'
   end
 
   def test_auth_does_not_bind
-    user = @domain.user?('calavera')
-    assert !@domain.auth(user, 'foo'), 'Expected user not to be bound.'
+    assert user = @domain.user?('user1')
+    refute @domain.auth(user, 'foo'), 'Expected user not not bind'
   end
 end
 
@@ -143,48 +151,37 @@ class GitHubLdapDomainUnauthenticatedTest < GitHub::Ldap::UnauthenticatedTest
 end
 
 class GitHubLdapDomainNestedGroupsTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {user_fixtures: FIXTURES.join('github-with-subgroups.ldif').to_s}
-  end
-
   def setup
     @ldap = GitHub::Ldap.new(options)
     @domain = @ldap.domain("dc=github,dc=com")
   end
 
   def test_membership_in_subgroups
-    user = @ldap.domain('uid=rubiojr,ou=users,dc=github,dc=com').bind
+    user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
 
-    assert @domain.is_member?(user, %w(enterprise-ops)),
-      "Expected `enterprise-ops` to include the member `#{user.dn}`"
+    assert @domain.is_member?(user, %w(nested-groups)),
+      "Expected `nested-groups` to include the member `#{user.dn}`"
   end
 
   def test_membership_in_deeply_nested_subgroups
-    assert user = @ldap.domain('uid=user1.1.1.1,ou=users,dc=github,dc=com').bind
+    assert user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
 
-    assert @domain.is_member?(user, %w(group1)),
-      "Expected `group1` to include the member `#{user.dn}` via deep recursion"
+    assert @domain.is_member?(user, %w(n-depth-nested-group4)),
+      "Expected `n-depth-nested-group4` to include the member `#{user.dn}` via deep recursion"
   end
 end
 
 class GitHubLdapPosixGroupsWithRecursionFallbackTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {
-      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
-      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
-      # so we exercise the recursive group search fallback
-      recursive_group_search_fallback: true
-    }
-  end
-
   def setup
-    @ldap = GitHub::Ldap.new(options)
+    opts = options.merge \
+      recursive_group_search_fallback: true
+    @ldap = GitHub::Ldap.new(opts)
     @domain = @ldap.domain("dc=github,dc=com")
-    @cn = "enterprise-posix-devs"
+    @cn = "posix-group1"
   end
 
   def test_membership_for_posixGroups
-    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+    assert user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
 
     assert @domain.is_member?(user, [@cn]),
       "Expected `#{@cn}` to include the member `#{user.dn}`"
@@ -192,23 +189,16 @@ class GitHubLdapPosixGroupsWithRecursionFallbackTest < GitHub::Ldap::Test
 end
 
 class GitHubLdapPosixGroupsWithoutRecursionTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {
-      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
-      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
-      # so we test the test the non-recursive group membership search
-      recursive_group_search_fallback: false
-    }
-  end
-
   def setup
-    @ldap = GitHub::Ldap.new(options)
+    opts = options.merge \
+      recursive_group_search_fallback: false
+    @ldap = GitHub::Ldap.new(opts)
     @domain = @ldap.domain("dc=github,dc=com")
-    @cn = "enterprise-posix-devs"
+    @cn = "posix-group1"
   end
 
   def test_membership_for_posixGroups
-    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+    assert user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
 
     assert @domain.is_member?(user, [@cn]),
       "Expected `#{@cn}` to include the member `#{user.dn}`"
@@ -218,25 +208,17 @@ end
 # Specifically testing that this doesn't break when posixGroups are not
 # supported.
 class GitHubLdapWithoutPosixGroupsTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {
-      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
-      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
-      # so we test the test the non-recursive group membership search
-      recursive_group_search_fallback: false,
-      # explicitly disable posixGroup support (even if the schema supports it)
-      posix_support:                   false
-    }
-  end
-
   def setup
-    @ldap = GitHub::Ldap.new(options)
+    opts = options.merge \
+      recursive_group_search_fallback: false, # test non-recursive group membership search
+      posix_support:                   false  # disable posixGroup support
+    @ldap = GitHub::Ldap.new(opts)
     @domain = @ldap.domain("dc=github,dc=com")
-    @cn = "enterprise-posix-devs"
+    @cn = "posix-group1"
   end
 
   def test_membership_for_posixGroups
-    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+    assert user = @ldap.domain('uid=user1,ou=People,dc=github,dc=com').bind
 
     refute @domain.is_member?(user, [@cn]),
       "Expected `#{@cn}` to not include the member `#{user.dn}`"