github-ldap 1.0.1 → 1.0.2

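--- a/data/README.md
+++ b/data/README.md
@@ -36,10 +36,6 @@ Initialize a new adapter using those required options:
 ldap = GitHub::Ldap.new options
 ```
 
-There is also an optional configuration setting that you can add:
-
-* user_groups: is an array of groups used to restrict access to users only in those groups.
-
 ## Testing
 
 GitHub-Ldap uses [ladle](https://github.com/NUBIC/ladle) for testing. Ladle is not required by default, so you'll need to add it to your gemfile separatedly and require it.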
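--- a/data/github-ldap.gemspec
+++ b/data/github-ldap.gemspec
@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |spec|
 spec.name = "github-ldap"
-spec.version = "1.0.1"
+spec.version = "1.0.2"
 spec.authors = ["David Calavera"]
 spec.email = ["david.calavera@gmail.com"]
 spec.description = %q{Ldap authentication for humans}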
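--- a/data/lib/github/ldap.rb
+++ b/data/lib/github/ldap.rb
@@ -4,7 +4,6 @@ module GitHub
 
 def initialize(options = {})
 @user_domain = options[:user_domain]
-@user_groups = Array(options[:user_groups])
 @uid = options[:uid] || "sAMAccountName"
 
 @ldap = Net::LDAP.new({
@@ -23,32 +22,57 @@ module GitHub
 # Takes the list of the group names and generate a filter for the groups
 # with cn that match and also include members:
 #
+# group_names: is an array of group CNs.
+#
 # Returns the ldap filter.
-def group_filter
-or_filters = @user_groups.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+def group_filter(group_names)
+or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
 Net::LDAP::Filter.pres("member") & or_filters
 end
 
 # List the groups in the ldap server that match the configured ones.
 #
+# group_names: is an array of group CNs.
+#
 # Returns a list of ldap entries for the configured groups.
-def groups
+def groups(group_names)
+filter = group_filter(group_names)
+
 @ldap.search(base: @user_domain,
 attributes: %w{ou cn dn sAMAccountName member},
-filter: group_filter)
+filter: filter)
 end
 
+# List the groups that a user is member of.
+#
+# user_dn: is the dn for the user ldap entry.
+# group_names: is an array of group CNs.
+#
+# Return an Array with the groups that the given user is member of that belong to the given group list.
+def membership(user_dn, group_names)
+or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+member_filter = Net::LDAP::Filter.eq("member", user_dn) & or_filters
+
+@ldap.search(base: @user_domain,
+attributes: %w{ou cn dn sAMAccountName member},
+filter: member_filter)
+end
+
+
 # Check if the user is include in any of the configured groups.
 #
 # user_dn: is the dn for the user ldap entry.
+# group_names: is an array of group CNs.
 #
 # Returns true if the user belongs to any of the groups.
 # Returns false otherwise.
-def groups_contain_user?(user_dn)
-return true if @user_groups.empty?
+def is_member?(user_dn, group_names)
+return true if group_names.nil?
+return true if group_names.empty?
+
+user_membership = membership(user_dn, group_names)
 
-members = groups.map(&:member).reduce(:+).uniq
-members.include?(user_dn)
+!user_membership.empty?
 end
 
 # Check if the user credentials are valid.
@@ -72,13 +96,15 @@ module GitHub
 #
 # login: is the user's login. This method doesn't accept email identifications.
 # password: is the user's password.
+# group_names: is an array of group CNs.
 #
 # Returns the user info if the credentials are valid and there are no groups configured.
 # Returns the user info if the credentials are valid and the user belongs to a configured group.
 # Returns nil if the credentials are invalid
-def authenticate!(login, password)
+def authenticate!(login, password, group_names = nil)
 user = valid_login?(login, password)
-return user if user && groups_contain_user?(user.dn)
+
+return user if user && is_member?(user.dn, group_names)
 end
 
 # Check the legacy auth configuration options (before David's war with omniauth)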
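Review bot: Dropping `@user_groups` from `initialize` (first hunk) while giving `authenticate!` a `group_names = nil` default (last hunk) makes an upgrade from 1.0.1 fail open: a caller that still passes `:user_groups` in the constructor options gets no error, `is_member?` returns true for a nil list, and every valid login is accepted regardless of group. Since that option was the only access restriction this gem offered, it should either stay supported or be rejected loudly rather than silently ignored. The smallest compatible change is to keep `@user_groups = Array(options[:user_groups])` in `initialize` and use it as the default, `def authenticate!(login, password, group_names = @user_groups)`; failing that, `raise ArgumentError, ":user_groups is no longer supported, pass group_names to authenticate!" if options.key?(:user_groups)`. Separately, `Net::LDAP::Filter.eq` in `membership` treats a `*` in `user_dn` or a group CN as a wildcard, so if any of those values could ever come from outside the configuration they should be escaped before building the filter. `initialize` continues past the end of the first hunk, so the rest of its option handling is not visible here.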
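--- a/data/test/ldap_test.rb
+++ b/data/test/ldap_test.rb
@@ -35,34 +35,27 @@ class GitHubLdapTest < Minitest::Test
 end
 
 def test_groups_in_server
-options = @options.merge(:user_groups => %w(Enterprise People))
-assert_equal 2, GitHub::Ldap.new(options).groups.size
+assert_equal 2, @ldap.groups(%w(Enterprise People)).size
 end
 
 def test_user_in_group
-options = @options.merge(:user_groups => %w(Enterprise People))
-ldap = GitHub::Ldap.new(options)
-user = ldap.valid_login?('calavera', 'secret')
+user = @ldap.valid_login?('calavera', 'secret')
 
-assert ldap.groups_contain_user?(user.dn),
+assert @ldap.is_member?(user.dn, %w(Enterprise People)),
 "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
 end
 
 def test_user_not_in_different_group
-options = @options.merge(:user_groups => %w(People))
-ldap = GitHub::Ldap.new(options)
-user = ldap.valid_login?('calavera', 'secret')
+user = @ldap.valid_login?('calavera', 'secret')
 
-assert !ldap.groups_contain_user?(user.dn),
+assert !@ldap.is_member?(user.dn, %w(People)),
 "Expected `Poeple` not to include the member `#{user.dn}`"
 end
 
 def test_user_without_group
-options = @options.merge(:user_groups => %w(People))
-ldap = GitHub::Ldap.new(options)
-user = ldap.valid_login?('ldaptest', 'secret')
+user = @ldap.valid_login?('ldaptest', 'secret')
 
-assert !ldap.groups_contain_user?(user.dn),
+assert !@ldap.is_member?(user.dn, %w(People)),
 "Expected `Poeple` not to include the member `#{user.dn}`"
 end
 
@@ -77,18 +70,13 @@ class GitHubLdapTest < Minitest::Test
 end
 
 def test_authenticate_check_valid_user_and_groups
-options = @options.merge(:user_groups => %w(Enterprise People))
-ldap = GitHub::Ldap.new(options)
-user = ldap.authenticate!('calavera', 'secret')
+user = @ldap.authenticate!('calavera', 'secret', %w(Enterprise People))
 
 assert_equal 'uid=calavera,dc=github,dc=com', user.dn
 end
 
 def test_authenticate_doesnt_return_valid_users_in_different_groups
-options = @options.merge(:user_groups => %w(People))
-ldap = GitHub::Ldap.new(options)
-
-assert !ldap.authenticate!('calavera', 'secret'),
+assert !@ldap.authenticate!('calavera', 'secret', %w(People)),
 "Expected `authenticate!` to not return an user"
 end
 
@@ -101,4 +89,16 @@ class GitHubLdapTest < Minitest::Test
 assert_equal :start_tls, @ldap.check_encryption(:tls)
 assert_equal :start_tls, @ldap.check_encryption(:start_tls)
 end
+
+def test_membership_empty_for_non_members
+assert @ldap.membership('uid=calavera,dc=github,dc=com', %w(People)).empty?,
+"Expected `calavera` not to be a member of `People`."
+end
+
+def test_membership_groups_for_members
+groups = @ldap.membership('uid=calavera,dc=github,dc=com', %w(Enterprise People))
+
+assert_equal 1, groups.size
+assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+end
 end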
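Review bot: None of the new assertions exercise the fail-open branch of `is_member?` — the `return true if group_names.nil?` / `.empty?` paths added in the library — so the one behaviour that switches the group check off has no test pinning it. A short case such as `assert @ldap.is_member?('uid=ldaptest,dc=github,dc=com', [])`, and the same with `nil`, would document that an absent group list means unrestricted access and would catch a later change that makes it raise or deny instead. Likewise `test_authenticate_check_valid_user_and_groups` only covers the three-argument form; a call without `group_names` would show that `authenticate!` still returns the user for valid credentials when no groups are given. The class `GitHubLdapTest` begins before the first hunk, so the `@ldap` and `@options` setup is not visible here.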
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: github-ldap
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.0.2
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-07-07 00:00:00.000000000 Z
12
+ date: 2013-07-08 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: net-ldap