github-ldap 1.3.3 → 1.4.0

data/test/fixtures/posixGroup.schema.ldif

@@ -1,26 +1,52 @@
 version: 1
 
-dn: m-oid=1.3.6.1.4.1.18055.0.4.1.2.1001,ou=attributeTypes,cn=other,ou=schema
+# attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
+#   DESC 'An integer uniquely identifying a group in an administrative domain'
+#   EQUALITY integerMatch
+#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+dn: m-oid=1.3.6.1.1.1.1.1,ou=attributeTypes,cn=other,ou=schema
+objectClass: metaAttributeType
+objectClass: metaTop
+objectClass: top
+m-collective: FALSE
+m-description: An integer uniquely identifying a group in an administrative domain
+m-equality: integerMatch
+m-name: gidNumber
+m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
+m-usage: USER_APPLICATIONS
+m-oid: 1.3.6.1.1.1.1.1
+
+# attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
+#   EQUALITY caseExactIA5Match
+#   SUBSTR caseExactIA5SubstringsMatch
+#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+dn: m-oid=1.3.6.1.1.1.1.12,ou=attributeTypes,cn=other,ou=schema
 objectClass: metaAttributeType
 objectClass: metaTop
 objectClass: top
 m-collective: FALSE
 m-description: memberUid
-m-equality: caseExactMatch
+m-equality: caseExactIA5Match
 m-name: memberUid
-m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
+m-syntax: 1.3.6.1.4.1.1466.115.121.1.26
 m-usage: USER_APPLICATIONS
-m-oid: 1.3.6.1.4.1.18055.0.4.1.2.1001
+m-oid: 1.3.6.1.1.1.1.12
 
-dn: m-oid=1.3.6.1.4.1.18055.0.4.1.3.1001,ou=objectClasses,cn=other,ou=schema
+# objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL
+#   DESC 'Abstraction of a group of accounts'
+#   MUST ( cn $ gidNumber )
+#   MAY ( userPassword $ memberUid $ description ) )
+dn: m-oid=1.3.6.1.1.1.2.2,ou=objectClasses,cn=other,ou=schema
 objectClass: metaObjectClass
 objectClass: metaTop
 objectClass: top
 m-description: posixGroup
-m-may: cn
-m-may: sn
+m-must: cn
+m-must: gidNumber
 m-may: memberUid
+m-may: userPassword
+m-may: description
 m-supobjectclass: top
 m-name: posixGroup
-m-oid: 1.3.6.1.4.1.18055.0.4.1.3.1001
+m-oid: 1.3.6.1.1.1.2.2
 m-typeobjectclass: STRUCTURAL

data/test/group_test.rb

@@ -1,54 +1,56 @@
 require_relative 'test_helper'
 
 class GitHubLdapGroupTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {user_fixtures: FIXTURES.join('github-with-subgroups.ldif').to_s}
-  end
-
   def groups_domain
-    @ldap.domain("ou=groups,dc=github,dc=com")
+    @ldap.domain("ou=Groups,dc=github,dc=com")
   end
 
   def setup
     @ldap  = GitHub::Ldap.new(options)
-    @group = @ldap.group("cn=enterprise,ou=groups,dc=github,dc=com")
+    @group = @ldap.group("cn=ghe-users,ou=Groups,dc=github,dc=com")
   end
 
   def test_group?
+    assert @group.group?(%w(group))
+    assert @group.group?(%w(groupOfUniqueNames))
+    assert @group.group?(%w(posixGroup))
+
     object_classes = %w(groupOfNames)
     assert @group.group?(object_classes)
     assert @group.group?(object_classes.map(&:downcase))
   end
 
   def test_subgroups
-    assert_equal 3, @group.subgroups.size
+    group = @ldap.group("cn=deeply-nested-group0.0,ou=Groups,dc=github,dc=com")
+    assert_equal 2, group.subgroups.size
   end
 
   def test_members_from_subgroups
-    assert_equal 4, @group.members.size
+    group = @ldap.group("cn=deeply-nested-group0.0,ou=Groups,dc=github,dc=com")
+    assert_equal 10, group.members.size
   end
 
   def test_all_domain_groups
     groups = groups_domain.all_groups
-    assert_equal 8, groups.size
+    assert_equal 27, groups.size
   end
 
   def test_filter_domain_groups
-    groups = groups_domain.filter_groups('devs')
+    groups = groups_domain.filter_groups('ghe-users')
     assert_equal 1, groups.size
   end
 
   def test_filter_domain_groups_limited
     groups = []
-    groups_domain.filter_groups('enter', size: 1) do |entry|
+    groups_domain.filter_groups('deeply-nested-group', size: 1) do |entry|
       groups << entry
     end
     assert_equal 1, groups.size
   end
 
   def test_filter_domain_groups_unlimited
-    groups = groups_domain.filter_groups('ent')
-    assert_equal 3, groups.size
+    groups = groups_domain.filter_groups('deeply-nested-group')
+    assert_equal 5, groups.size
   end
 
   def test_unknown_group
@@ -58,33 +60,25 @@ class GitHubLdapGroupTest < GitHub::Ldap::Test
 end
 
 class GitHubLdapLoopedGroupTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {user_fixtures: FIXTURES.join('github-with-looped-subgroups.ldif').to_s}
-  end
-
   def setup
-    @group = GitHub::Ldap.new(options).group("cn=enterprise,ou=groups,dc=github,dc=com")
+    @group = GitHub::Ldap.new(options).group("cn=recursively-nested-groups,ou=Groups,dc=github,dc=com")
   end
 
   def test_members_from_subgroups
-    assert_equal 4, @group.members.size
+    assert_equal 10, @group.members.size
   end
 end
 
 class GitHubLdapMissingEntriesTest < GitHub::Ldap::Test
-  def self.test_server_options
-    {user_fixtures: FIXTURES.join('github-with-missing-entries.ldif').to_s}
-  end
-
   def setup
     @ldap = GitHub::Ldap.new(options)
   end
 
   def test_load_right_members
-    assert_equal 3, @ldap.domain("cn=spaniards,ou=groups,dc=github,dc=com").bind[:member].size
+    assert_equal 3, @ldap.domain("cn=missing-users,ou=groups,dc=github,dc=com").bind[:member].size
   end
 
   def test_ignore_missing_member_entries
-    assert_equal 2, @ldap.group("cn=spaniards,ou=groups,dc=github,dc=com").members.size
+    assert_equal 2, @ldap.group("cn=missing-users,ou=groups,dc=github,dc=com").members.size
   end
 end

data/test/ldap_test.rb

@@ -22,48 +22,55 @@ module GitHubLdapTestCases
   end
 
   def test_search_delegator
-    @ldap.domain('dc=github,dc=com').valid_login? 'calavera', 'secret'
+    assert user = @ldap.domain('dc=github,dc=com').valid_login?('user1', 'passworD1')
 
-    result = @ldap.search(
-        {:base      => 'dc=github,dc=com',
-        :attributes => %w(uid),
-        :filter     => Net::LDAP::Filter.eq('uid', 'calavera')})
+    result = @ldap.search \
+      :base      => 'dc=github,dc=com',
+      :attributes => %w(uid),
+      :filter     => Net::LDAP::Filter.eq('uid', 'user1')
 
     refute result.empty?
-    assert_equal 'calavera', result.first[:uid].first
+    assert_equal 'user1', result.first[:uid].first
   end
 
-  def test_virtual_attributes_defaults
-    @ldap = GitHub::Ldap.new(options.merge(virtual_attributes: true))
-
-    assert @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes enabled with defaults"
-    assert_equal 'memberOf', @ldap.virtual_attributes.virtual_membership
+  def test_virtual_attributes_disabled
+    refute @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes disabled"
   end
 
-  def test_virtual_attributes_defaults
+  def test_virtual_attributes_configured
     ldap = GitHub::Ldap.new(options.merge(virtual_attributes: true))
 
-    assert ldap.virtual_attributes.enabled?, "Expected to have virtual attributes enabled with defaults"
+    assert ldap.virtual_attributes.enabled?,
+      "Expected virtual attributes to be enabled"
     assert_equal 'memberOf', ldap.virtual_attributes.virtual_membership
   end
 
-  def test_virtual_attributes_hash
+  def test_virtual_attributes_configured_with_membership_attribute
     ldap = GitHub::Ldap.new(options.merge(virtual_attributes: {virtual_membership: "isMemberOf"}))
 
-    assert ldap.virtual_attributes.enabled?, "Expected to have virtual attributes enabled with defaults"
+    assert ldap.virtual_attributes.enabled?,
+      "Expected virtual attributes to be enabled"
     assert_equal 'isMemberOf', ldap.virtual_attributes.virtual_membership
   end
 
-  def test_virtual_attributes_disabled
-    refute @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes disabled"
-  end
-
   def test_search_domains
     ldap = GitHub::Ldap.new(options.merge(search_domains: ['dc=github,dc=com']))
-    result = ldap.search(filter: Net::LDAP::Filter.eq('uid', 'calavera'))
+    result = ldap.search(filter: Net::LDAP::Filter.eq('uid', 'user1'))
 
     refute result.empty?
-    assert_equal 'calavera', result.first[:uid].first
+    assert_equal 'user1', result.first[:uid].first
+  end
+
+  def test_instruments_search
+    events = @service.subscribe "search.github_ldap"
+    result = @ldap.search(filter: "(uid=user1)", :base => "dc=github,dc=com")
+    refute_predicate result, :empty?
+    payload, event_result = events.pop
+    assert payload
+    assert event_result
+    assert_equal result, event_result
+    assert_equal "(uid=user1)",      payload[:filter].to_s
+    assert_equal "dc=github,dc=com", payload[:base]
   end
 end
 

data/test/membership_validators/active_directory_test.rb

@@ -0,0 +1,68 @@
+require_relative '../test_helper'
+
+# NOTE: Since this strategy is targeted at ActiveDirectory and we don't have
+# AD setup in CI, we stub out actual queries and test against what AD *would*
+# respond with.
+
+class GitHubLdapActiveDirectoryMembershipValidatorsTest < GitHub::Ldap::Test
+  def setup
+    @ldap      = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain    = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @validator = GitHub::Ldap::MembershipValidators::ActiveDirectory
+  end
+
+  def make_validator(groups)
+    groups = @domain.groups(groups)
+    @validator.new(@ldap, groups)
+  end
+
+  def test_validates_user_in_group
+    validator = make_validator(%w(nested-group1))
+
+    @ldap.stub :search, [@entry] do
+      assert validator.perform(@entry)
+    end
+  end
+
+  def test_validates_user_in_child_group
+    validator = make_validator(%w(n-depth-nested-group1))
+
+    @ldap.stub :search, [@entry] do
+      assert validator.perform(@entry)
+    end
+  end
+
+  def test_validates_user_in_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group2))
+
+    @ldap.stub :search, [@entry] do
+      assert validator.perform(@entry)
+    end
+  end
+
+  def test_validates_user_in_great_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group3))
+
+    @ldap.stub :search, [@entry] do
+      assert validator.perform(@entry)
+    end
+  end
+
+  def test_does_not_validate_user_not_in_group
+    validator = make_validator(%w(ghe-admins))
+
+    @ldap.stub :search, [] do
+      refute validator.perform(@entry)
+    end
+  end
+
+  def test_does_not_validate_user_not_in_any_group
+    entry = @domain.user?('groupless-user1')
+    validator = make_validator(%w(all-users))
+
+    @ldap.stub :search, [] do
+      refute validator.perform(entry)
+    end
+  end
+end

data/test/membership_validators/classic_test.rb

@@ -0,0 +1,51 @@
+require_relative '../test_helper'
+
+class GitHubLdapClassicMembershipValidatorsTest < GitHub::Ldap::Test
+  def setup
+    @ldap      = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain    = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @validator = GitHub::Ldap::MembershipValidators::Classic
+  end
+
+  def make_validator(groups)
+    groups = @domain.groups(groups)
+    @validator.new(@ldap, groups)
+  end
+
+  def test_validates_user_in_group
+    validator = make_validator(%w(nested-group1))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_child_group
+    validator = make_validator(%w(n-depth-nested-group1))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group2))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_great_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group3))
+    assert validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_not_in_group
+    validator = make_validator(%w(ghe-admins))
+    refute validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_not_in_any_group
+    @entry = @domain.user?('groupless-user1')
+    validator = make_validator(%w(all-users))
+    refute validator.perform(@entry)
+  end
+
+  def test_validates_user_in_posix_group
+    validator = make_validator(%w(posix-group1))
+    assert validator.perform(@entry)
+  end
+end

data/test/membership_validators/recursive_test.rb

@@ -0,0 +1,56 @@
+require_relative '../test_helper'
+
+class GitHubLdapRecursiveMembershipValidatorsTest < GitHub::Ldap::Test
+  def setup
+    @ldap      = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain    = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @validator = GitHub::Ldap::MembershipValidators::Recursive
+  end
+
+  def make_validator(groups)
+    groups = @domain.groups(groups)
+    @validator.new(@ldap, groups)
+  end
+
+  def test_validates_user_in_group
+    validator = make_validator(%w(nested-group1))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_child_group
+    validator = make_validator(%w(n-depth-nested-group1))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group2))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_great_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group3))
+    assert validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_in_great_granchild_group_with_depth
+    validator = make_validator(%w(n-depth-nested-group3))
+    refute validator.perform(@entry, 2)
+  end
+
+  def test_does_not_validate_user_not_in_group
+    validator = make_validator(%w(ghe-admins))
+    refute validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_not_in_any_group
+    @entry = @domain.user?('groupless-user1')
+    validator = make_validator(%w(all-users))
+    refute validator.perform(@entry)
+  end
+
+  def test_validates_user_in_posix_group
+    validator = make_validator(%w(posix-group1))
+    assert validator.perform(@entry)
+  end
+end

data/test/membership_validators_test.rb

@@ -0,0 +1,46 @@
+require_relative 'test_helper'
+
+module GitHubLdapMembershipValidatorsTestCases
+  def make_validator(groups)
+    groups = @domain.groups(groups)
+    @validator.new(@ldap, groups)
+  end
+
+  def test_validates_user_in_group
+    validator = make_validator(%w(ghe-users))
+    assert validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_not_in_group
+    validator = make_validator(%w(ghe-admins))
+    refute validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_not_in_any_group
+    @entry = @domain.user?('groupless-user1')
+    validator = make_validator(%w(ghe-users ghe-admins))
+    refute validator.perform(@entry)
+  end
+end
+
+class GitHubLdapMembershipValidatorsClassicTest < GitHub::Ldap::Test
+  include GitHubLdapMembershipValidatorsTestCases
+
+  def setup
+    @ldap      = GitHub::Ldap.new(options.merge(search_domains: "dc=github,dc=com"))
+    @domain    = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @validator = GitHub::Ldap::MembershipValidators::Classic
+  end
+end
+
+class GitHubLdapMembershipValidatorsRecursiveTest < GitHub::Ldap::Test
+  include GitHubLdapMembershipValidatorsTestCases
+
+  def setup
+    @ldap      = GitHub::Ldap.new(options.merge(search_domains: "dc=github,dc=com"))
+    @domain    = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @validator = GitHub::Ldap::MembershipValidators::Recursive
+  end
+end