github-ldap 1.0.1 → 1.0.2
- data/README.md +0 -4
- data/github-ldap.gemspec +1 -1
- data/lib/github/ldap.rb +37 -11
- data/test/ldap_test.rb +21 -21
- metadata +2 -2
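--- a/data/README.md
+++ b/data/README.md
@@ -36,10 +36,6 @@ Initialize a new adapter using those required options:
 ldap = GitHub::Ldap.new options
 ```
 
-There is also an optional configuration setting that you can add:
-
-* user_groups: is an array of groups used to restrict access to users only in those groups.
-
 ## Testing
 
 GitHub-Ldap uses [ladle](https://github.com/NUBIC/ladle) for testing. Ladle is not required by default, so you'll need to add it to your gemfile separatedly and require it.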
data/github-ldap.gemspec
CHANGED
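--- a/data/lib/github/ldap.rb
+++ b/data/lib/github/ldap.rb
@@ -4,7 +4,6 @@ module GitHub
 
 def initialize(options = {})
 @user_domain = options[:user_domain]
-@user_groups = Array(options[:user_groups])
 @uid = options[:uid] || "sAMAccountName"
 
 @ldap = Net::LDAP.new({
@@ -23,32 +22,57 @@ module GitHub
 # Takes the list of the group names and generate a filter for the groups
 # with cn that match and also include members:
 #
+# group_names: is an array of group CNs.
+#
 # Returns the ldap filter.
-def group_filter
-or_filters =
+def group_filter(group_names)
+or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
 Net::LDAP::Filter.pres("member") & or_filters
 end
 
 # List the groups in the ldap server that match the configured ones.
 #
+# group_names: is an array of group CNs.
+#
 # Returns a list of ldap entries for the configured groups.
-def groups
+def groups(group_names)
+filter = group_filter(group_names)
+
 @ldap.search(base: @user_domain,
 attributes: %w{ou cn dn sAMAccountName member},
-filter:
+filter: filter)
 end
 
+# List the groups that a user is member of.
+#
+# user_dn: is the dn for the user ldap entry.
+# group_names: is an array of group CNs.
+#
+# Return an Array with the groups that the given user is member of that belong to the given group list.
+def membership(user_dn, group_names)
+or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+member_filter = Net::LDAP::Filter.eq("member", user_dn) & or_filters
+
+@ldap.search(base: @user_domain,
+attributes: %w{ou cn dn sAMAccountName member},
+filter: member_filter)
+end
+
+
 # Check if the user is include in any of the configured groups.
 #
 # user_dn: is the dn for the user ldap entry.
+# group_names: is an array of group CNs.
 #
 # Returns true if the user belongs to any of the groups.
 # Returns false otherwise.
-def
-return true if
+def is_member?(user_dn, group_names)
+return true if group_names.nil?
+return true if group_names.empty?
+
+user_membership = membership(user_dn, group_names)
 
-
-members.include?(user_dn)
+!user_membership.empty?
 end
 
 # Check if the user credentials are valid.
@@ -72,13 +96,15 @@ module GitHub
 #
 # login: is the user's login. This method doesn't accept email identifications.
 # password: is the user's password.
+# group_names: is an array of group CNs.
 #
 # Returns the user info if the credentials are valid and there are no groups configured.
 # Returns the user info if the credentials are valid and the user belongs to a configured group.
 # Returns nil if the credentials are invalid
-def authenticate!(login, password)
+def authenticate!(login, password, group_names = nil)
 user = valid_login?(login, password)
-
+
+return user if user && is_member?(user.dn, group_names)
 end
 
 # Check the legacy auth configuration options (before David's war with omniauth)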
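--- a/data/test/ldap_test.rb
+++ b/data/test/ldap_test.rb
@@ -35,34 +35,27 @@ class GitHubLdapTest < Minitest::Test
 end
 
 def test_groups_in_server
-
-assert_equal 2, GitHub::Ldap.new(options).groups.size
+assert_equal 2, @ldap.groups(%w(Enterprise People)).size
 end
 
 def test_user_in_group
-
-ldap = GitHub::Ldap.new(options)
-user = ldap.valid_login?('calavera', 'secret')
+user = @ldap.valid_login?('calavera', 'secret')
 
-assert ldap.
+assert @ldap.is_member?(user.dn, %w(Enterprise People)),
 "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
 end
 
 def test_user_not_in_different_group
-
-ldap = GitHub::Ldap.new(options)
-user = ldap.valid_login?('calavera', 'secret')
+user = @ldap.valid_login?('calavera', 'secret')
 
-assert
+assert !@ldap.is_member?(user.dn, %w(People)),
 "Expected `Poeple` not to include the member `#{user.dn}`"
 end
 
 def test_user_without_group
-
-ldap = GitHub::Ldap.new(options)
-user = ldap.valid_login?('ldaptest', 'secret')
+user = @ldap.valid_login?('ldaptest', 'secret')
 
-assert
+assert !@ldap.is_member?(user.dn, %w(People)),
 "Expected `Poeple` not to include the member `#{user.dn}`"
 end
 
@@ -77,18 +70,13 @@ class GitHubLdapTest < Minitest::Test
 end
 
 def test_authenticate_check_valid_user_and_groups
-
-ldap = GitHub::Ldap.new(options)
-user = ldap.authenticate!('calavera', 'secret')
+user = @ldap.authenticate!('calavera', 'secret', %w(Enterprise People))
 
 assert_equal 'uid=calavera,dc=github,dc=com', user.dn
 end
 
 def test_authenticate_doesnt_return_valid_users_in_different_groups
-
-ldap = GitHub::Ldap.new(options)
-
-assert !ldap.authenticate!('calavera', 'secret'),
+assert !@ldap.authenticate!('calavera', 'secret', %w(People)),
 "Expected `authenticate!` to not return an user"
 end
 
@@ -101,4 +89,16 @@ class GitHubLdapTest < Minitest::Test
 assert_equal :start_tls, @ldap.check_encryption(:tls)
 assert_equal :start_tls, @ldap.check_encryption(:start_tls)
 end
+
+def test_membership_empty_for_non_members
+assert @ldap.membership('uid=calavera,dc=github,dc=com', %w(People)).empty?,
+"Expected `calavera` not to be a member of `People`."
+end
+
+def test_membership_groups_for_members
+groups = @ldap.membership('uid=calavera,dc=github,dc=com', %w(Enterprise People))
+
+assert_equal 1, groups.size
+assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+end
 end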
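--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.2
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-07-
+date: 2013-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: net-ldap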