RubyGems - github-ldap - Versions diffs - 1.1.5 → 1.2.0 - Mend

github-ldap 1.1.5 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/.travis.yml +2 -2
data/github-ldap.gemspec +1 -1
data/lib/github/ldap.rb +57 -29
data/lib/github/ldap/domain.rb +4 -8
data/lib/github/ldap/filter.rb +19 -8
data/lib/github/ldap/group.rb +12 -6
data/lib/github/ldap/posix_group.rb +81 -0
data/test/filter_test.rb +6 -6
data/test/fixtures/github-with-subgroups.ldif +10 -1
data/test/ldap_test.rb +9 -0
data/test/posix_group_test.rb +120 -0
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 64a07fbfbd7d8fd5486e4d211698d803071909e7
-  data.tar.gz: 1a4508994676bcd35676000b9f8d8f5c719c543e
+  metadata.gz: 64ef77cae7b6d41804fd11a87a169001313320ec
+  data.tar.gz: 0d9fc6ed121d40dfcead6c8cd1c29cedc7598672
 SHA512:
-  metadata.gz: 2b6dedbd71a4f0bd1a0a542c73f5ea90c41864448daef057acbd6b9c7fa7880d892dffb9a274b1658980442a32e8034d95af125663b9fff3915a588440ebdd80
-  data.tar.gz: c43d7601a75c38577a8a922b550d4fec7efdc8102308bb10b652b9f6ae9d88c3d997deefb4fc1a936693edee67bf25fcbfe67349b99a88689d9bd93110dc241f
+  metadata.gz: 55c95dda73fffdce9e46a9718a8d1d58f32c9e47fc367b73c835a0f2e17b161a764c46cdeac24fc67331978764289696a99ea5586fc6c0382bf7d77ece583ad0
+  data.tar.gz: 8cb01bc061b35bf11f00b34c4340fe08ebe826f419f142c4e3949c720d0e54857ac15066d0c49ef29f26d60f8b85402718fabd13c0e2c648f4b04017ce7bbd7b

data/.travis.yml CHANGED Viewed

@@ -1,7 +1,7 @@
 language: ruby
 rvm:
     - 1.9.3
-    - 2.0.0
+    - 2.1.0
 notifications:
   email: false

data/github-ldap.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 Gem::Specification.new do |spec|
   spec.name          = "github-ldap"
-  spec.version       = "1.1.5"
+  spec.version       = "1.2.0"
   spec.authors       = ["David Calavera"]
   spec.email         = ["david.calavera@gmail.com"]
   spec.description   = %q{Ldap authentication for humans}

data/lib/github/ldap.rb CHANGED Viewed

@@ -5,18 +5,12 @@ module GitHub
     require 'github/ldap/filter'
     require 'github/ldap/domain'
     require 'github/ldap/group'
+    require 'github/ldap/posix_group'
     require 'github/ldap/virtual_group'
     require 'github/ldap/virtual_attributes'
     extend Forwardable
-    # Utility method to perform searches against the ldap server.
-    #
-    # It takes the same arguments than Net::LDAP::Connection#search.
-    # Returns an Array with the entries that match the search.
-    # Returns nil if there are no entries that match the search.
-    def_delegator :@connection, :search
     # Utility method to get the last operation result with a human friendly message.
     #
     # Returns an OpenStruct with `code` and `message`.
@@ -29,7 +23,7 @@ module GitHub
     # Returns a Net::LDAP::Entry if the operation succeeded.
     def_delegator :@connection, :bind
-    attr_reader :virtual_attributes
+    attr_reader :uid, :virtual_attributes, :search_domains
     def initialize(options = {})
       @uid = options[:uid] || "sAMAccountName"
@@ -45,25 +39,13 @@ module GitHub
       end
       configure_virtual_attributes(options[:virtual_attributes])
-    end
-    # Determine whether to use encryption or not.
-    #
-    # encryption: is the encryption method, either 'ssl', 'tls', 'simple_tls' or 'start_tls'.
-    #
-    # Returns the real encryption type.
-    def check_encryption(encryption)
-      return unless encryption
-      case encryption.downcase.to_sym
-      when :ssl, :simple_tls
-        :simple_tls
-      when :tls, :start_tls
-        :start_tls
-      end
+      # search_domains is a connection of bases to perform searches
+      # when a base is not explicitly provided.
+      @search_domains = Array(options[:search_domains])
     end
-    # Utility method to check if the connection with the server can be stablished.
+    # Public - Utility method to check if the connection with the server can be stablished.
     # It tries to bind with the ldap auth default configuration.
     #
     # Returns an OpenStruct with `code` and `message`.
@@ -73,7 +55,7 @@ module GitHub
       last_operation_result
     end
-    # Creates a new domain object to perform operations
+    # Public - Creates a new domain object to perform operations
     #
     # base_name: is the dn of the base root.
     #
@@ -82,7 +64,7 @@ module GitHub
       Domain.new(self, base_name, @uid)
     end
-    # Creates a new group object to perform operations
+    # Public - Creates a new group object to perform operations
     #
     # base_name: is the dn of the base root.
     #
@@ -92,14 +74,60 @@ module GitHub
       entry = domain(base_name).bind
       return unless entry
+      load_group(entry)
+    end
+    # Public - Create a new group object based on a Net::LDAP::Entry.
+    #
+    # group_entry: is a Net::LDAP::Entry.
+    #
+    # Returns a Group, PosixGroup or VirtualGroup object.
+    def load_group(group_entry)
       if @virtual_attributes.enabled?
-        VirtualGroup.new(self, entry)
+        VirtualGroup.new(self, group_entry)
+      elsif PosixGroup.valid?(group_entry)
+        PosixGroup.new(self, group_entry)
+      else
+        Group.new(self, group_entry)
+      end
+    end
+    # Public - Search entries in the ldap server.
+    #
+    # options: is a hash with the same options that Net::LDAP::Connection#search supports.
+    #
+    # Returns an Array of Net::LDAP::Entry.
+    def search(options)
+      result = if options[:base]
+        @connection.search(options)
       else
-        Group.new(self, entry)
+        search_domains.each_with_object([]) do |base, result|
+          rs = @connection.search(options.merge(:base => base))
+          result.concat Array(rs) unless rs == false
+        end
+      end
+      return [] if result == false
+      Array(result)
+    end
+    # Internal - Determine whether to use encryption or not.
+    #
+    # encryption: is the encryption method, either 'ssl', 'tls', 'simple_tls' or 'start_tls'.
+    #
+    # Returns the real encryption type.
+    def check_encryption(encryption)
+      return unless encryption
+      case encryption.downcase.to_sym
+      when :ssl, :simple_tls
+        :simple_tls
+      when :tls, :start_tls
+        :start_tls
       end
     end
-    # Configure virtual attributes for this server.
+    # Internal - Configure virtual attributes for this server.
     # If the option is `true`, we'll use the default virual attributes.
     # If it's a Hash we'll map the attributes in the hash.
     #

data/lib/github/ldap/domain.rb CHANGED Viewed

@@ -55,8 +55,8 @@ module GitHub
           member_of = groups_map.keys & user_entry[@ldap.virtual_attributes.virtual_membership]
           member_of.map {|dn| groups_map[dn]}
         else
-          groups_map.each_with_object([]) do |(dn, group), acc|
-            acc << group if Group.new(@ldap, group).is_member?(user_entry.dn)
+          groups_map.each_with_object([]) do |(dn, group_entry), acc|
+            acc << group_entry if @ldap.load_group(group_entry).is_member?(user_entry)
           end
         end
       end
@@ -134,13 +134,9 @@ module GitHub
       def search(options)
         options[:base] = @base_name
         options[:attributes] ||= []
-        options[:ignore_server_caps] ||= true
-        options[:paged_searches_supported] ||= true
+        options[:paged_searches_supported] = true
-        rs = @ldap.search(options)
-        return [] if rs == false
-        Array(rs)
+        @ldap.search(options)
       end
       # Provide a meaningful result after a protocol operation (for example,

data/lib/github/ldap/filter.rb CHANGED Viewed

@@ -2,19 +2,20 @@ module GitHub
   class Ldap
     module Filter
       ALL_GROUPS_FILTER = Net::LDAP::Filter.eq("objectClass", "groupOfNames") |
-                          Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames")
+                          Net::LDAP::Filter.eq("objectClass", "groupOfUniqueNames") |
+                          Net::LDAP::Filter.eq("objectClass", "posixGroup")
+      MEMBERSHIP_NAMES  = %w(member uniqueMember)
       # Filter to get the configured groups in the ldap server.
       # Takes the list of the group names and generate a filter for the groups
-      # with cn that match and also include members:
+      # with cn that match.
       #
       # group_names: is an array of group CNs.
-      # user_dn: is an optional member to scope the search to.
       #
       # Returns a Net::LDAP::Filter.
-      def group_filter(group_names, user_dn = nil)
-        or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
-        member_filter(user_dn) & or_filters
+      def group_filter(group_names)
+        group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
       end
       # Filter to check a group membership.
@@ -24,9 +25,9 @@ module GitHub
       # Returns a Net::LDAP::Filter.
       def member_filter(user_dn = nil)
         if user_dn
-          Net::LDAP::Filter.eq("member", user_dn) | Net::LDAP::Filter.eq("uniqueMember", user_dn)
+          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.eq(n, user_dn)}.reduce(:|)
         else
-          Net::LDAP::Filter.pres("member") | Net::LDAP::Filter.pres("uniqueMember")
+          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
         end
       end
@@ -69,6 +70,16 @@ module GitHub
       def subgroups_of_group(group_dn, attr = 'memberOf')
         Net::LDAP::Filter.eq(attr, group_dn) & ALL_GROUPS_FILTER
       end
+      # Filter to get all the members of a group which uid is included in `memberUid`.
+      #
+      # uids: is an array with all the uids to search.
+      # uid_attr: is the names of the uid attribute in the directory.
+      #
+      # Returns a Net::LDAP::Filter
+      def all_members_by_uid(uids, uid_attr)
+        uids.map {|uid| Net::LDAP::Filter.eq(uid_attr, uid)}.reduce(:|)
+      end
     end
   end
 end

data/lib/github/ldap/group.rb CHANGED Viewed

@@ -10,7 +10,11 @@ module GitHub
     # domain = GitHub::Ldap.new(options).group("cn=enterprise,dc=github,dc=com")
     #
     class Group
-      GROUP_CLASS_NAMES = %w(groupOfNames groupOfUniqueNames)
+      include Filter
+      GROUP_CLASS_NAMES = %w(groupOfNames groupOfUniqueNames posixGroup)
+      attr_reader :ldap, :entry
       def initialize(ldap, entry)
         @ldap, @entry = ldap, entry
@@ -37,12 +41,12 @@ module GitHub
       # Public - Check if a user dn is included in the members of this group and its subgroups.
       #
-      # user_dn: is the dn to check.
+      # user_entry: is the user entry to check the membership.
       #
       # Returns true if the dn is in the list of members.
-      def is_member?(user_dn)
-        member_names.include?(user_dn) ||
-          members.detect {|entry| entry.dn == user_dn}
+      def is_member?(user_entry)
+        member_names.include?(user_entry.dn) ||
+          members.detect {|entry| entry.dn == user_entry.dn}
       end
@@ -60,7 +64,9 @@ module GitHub
       #
       # Returns an array with all the DN members.
       def member_names
-        @entry[:member] + @entry[:uniqueMember]
+        MEMBERSHIP_NAMES.each_with_object([]) do |n, cache|
+          cache.concat @entry[n]
+        end
       end
       # Internal - Check if an object class includes the member names

data/lib/github/ldap/posix_group.rb ADDED Viewed

@@ -0,0 +1,81 @@
+module GitHub
+  class Ldap
+    # This class represents a POSIX group.
+    #
+    # To get a POSIX group, you'll need to create a `Ldap` object and then call the method `group`.
+    # The parameter for `group` must be a dn to a group entry with `posixGroup` amongs the values for the attribute `objectClass`.
+    #
+    # For example:
+    #
+    # domain = GitHub::Ldap.new(options).group("cn=enterprise,dc=github,dc=com")
+    #
+    class PosixGroup < Group
+      # Public - Check if an ldap entry is a valid posixGroup.
+      #
+      # entry: is the ldap entry to check.
+      #
+      # Returns true if the entry includes the objectClass `posixGroup`.
+      def self.valid?(entry)
+        entry[:objectClass].any? {|oc| oc.downcase == 'posixgroup'}
+      end
+      # Public - Overrides Group#members
+      #
+      # Search the entries corresponding to the members in the `memberUid` attribute.
+      # It calls `super` if the group entry includes `member` or `uniqueMember`.
+      #
+      # Returns an array with the members of this group and its submembers if there is any.
+      def members
+        return @all_posix_members if @all_posix_members
+        @all_posix_members = search_members_by_uids
+        @all_posix_members.concat super if combined_group?
+        @all_posix_members.uniq! {|m| m.dn }
+        @all_posix_members
+      end
+      # Public - Overrides Group#subgroups
+      #
+      # Prevent to call super when the group entry does not include `member` or `uniqueMember`.
+      #
+      # Returns an array with the subgroups of this group.
+      def subgroups
+        return [] unless combined_group?
+        super
+      end
+      # Public - Overrides Group#is_member?
+      #
+      # Chech if the user entry uid exists in the collection of `memberUid`.
+      # It calls `super` if the group entry includes `member` or `uniqueMember`.
+      #
+      # Return true if the user is member if this group or any subgroup.
+      def is_member?(user_entry)
+        entry_uids = user_entry[ldap.uid]
+        return true if !(entry_uids & entry[:memberUid]).empty?
+        super if combined_group?
+      end
+      # Internal - Check if this posix group also includes `member` and `uniqueMember` entries.
+      #
+      # Returns true if any of the membership names is include in this group entry.
+      def combined_group?
+        MEMBERSHIP_NAMES.any? {|name| !entry[name].empty? }
+      end
+      # Internal - Search all members by uid.
+      #
+      # Return an array of user entries.
+      def search_members_by_uids
+        member_uids = entry[:memberUid]
+        return [] if member_uids.empty?
+        filter = all_members_by_uid(member_uids, ldap.uid)
+        ldap.search(filter: filter)
+      end
+    end
+  end
+end

data/test/filter_test.rb CHANGED Viewed

@@ -17,15 +17,10 @@ class FilterTest < Minitest::Test
   end
   def test_groups_reduced
-    assert_equal "(&(|(member=*)(uniqueMember=*))(|(cn=Enterprise)(cn=People)))",
+    assert_equal "(|(cn=Enterprise)(cn=People))",
       @subject.group_filter(%w(Enterprise People)).to_s
   end
-  def test_groups_for_member
-    assert_equal "(&(|(member=#{@me})(uniqueMember=#{@me}))(|(cn=Enterprise)(cn=People)))",
-      @subject.group_filter(%w(Enterprise People), @me).to_s
-  end
   def test_members_of_group
     assert_equal "(memberOf=cn=group,dc=github,dc=com)",
       @subject.members_of_group('cn=group,dc=github,dc=com').to_s
@@ -41,4 +36,9 @@ class FilterTest < Minitest::Test
     assert_equal "(&(isMemberOf=cn=group,dc=github,dc=com)#{Subject::ALL_GROUPS_FILTER})",
       @subject.subgroups_of_group('cn=group,dc=github,dc=com', 'isMemberOf').to_s
   end
+  def test_all_members_by_uid
+    assert_equal "(|(uid=calavera)(uid=mtodd))",
+      @subject.all_members_by_uid(%w(calavera mtodd), :uid).to_s
+  end
 end

data/test/fixtures/github-with-subgroups.ldif CHANGED Viewed

@@ -3,7 +3,6 @@ version: 1
 # Organizations
 dn: dc=github,dc=com
-cn: github
 objectClass: dcObject
 objectClass: organization
 dc: github
@@ -26,6 +25,7 @@ userPassword: secret
 dn: ou=groups,dc=github,dc=com
 objectclass: organizationalUnit
+ou: groups
 dn: cn=enterprise,ou=groups,dc=github,dc=com
 cn: Enterprise
@@ -55,6 +55,7 @@ member: uid=rubiojr,ou=users,dc=github,dc=com
 dn: ou=users,dc=github,dc=com
 objectclass: organizationalUnit
+ou: users
 dn: uid=calavera,ou=users,dc=github,dc=com
 cn: David Calavera
@@ -88,3 +89,11 @@ uid: rubiojr
 userPassword: passworD1
 mail: rubiojr@github.com
 objectClass: inetOrgPerson
+dn: uid=mtodd,ou=users,dc=github,dc=com
+cn: mtodd
+sn: mtodd
+uid: mtodd
+userPassword: passworD1
+mail: mtodd@github.com
+objectClass: inetOrgPerson

data/test/ldap_test.rb CHANGED Viewed

@@ -29,6 +29,7 @@ module GitHubLdapTestCases
         :attributes => %w(uid),
         :filter     => Net::LDAP::Filter.eq('uid', 'calavera')})
+    refute result.empty?
     assert_equal 'calavera', result.first[:uid].first
   end
@@ -56,6 +57,14 @@ module GitHubLdapTestCases
   def test_virtual_attributes_disabled
     refute @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes disabled"
   end
+  def test_search_domains
+    ldap = GitHub::Ldap.new(options.merge(search_domains: ['dc=github,dc=com']))
+    result = ldap.search(filter: Net::LDAP::Filter.eq('uid', 'calavera'))
+    refute result.empty?
+    assert_equal 'calavera', result.first[:uid].first
+  end
 end
 class GitHubLdapTest < GitHub::Ldap::Test

data/test/posix_group_test.rb ADDED Viewed

@@ -0,0 +1,120 @@
+require 'test_helper'
+class GitHubLdapPosixGroupTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {user_fixtures: FIXTURES.join('github-with-subgroups.ldif').to_s}
+  end
+  def setup
+    @simple_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd""")
+    @one_level_deep_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-ops,ou=groups,dc=github,dc=com
+cn: enterprise-posix-ops
+objectClass: posixGroup
+objectClass: groupOfNames
+memberUid: sbryant
+member: cn=spaniards,ou=groups,dc=github,dc=com""")
+    @two_levels_deep_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix,ou=groups,dc=github,dc=com
+cn: Enterprise Posix
+objectClass: posixGroup
+objectClass: groupOfNames
+memberUid: calavera
+member: cn=enterprise-devs,ou=groups,dc=github,dc=com
+member: cn=enterprise-ops,ou=groups,dc=github,dc=com""")
+    @empty_group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-empty,ou=groups,dc=github,dc=com
+cn: enterprise-posix-empty
+objectClass: posixGroup""")
+    @ldap = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+  end
+  def test_posix_group
+    assert GitHub::Ldap::PosixGroup.valid?(@simple_group),
+      "Expected entry to be a valid posixGroup"
+  end
+  def test_posix_simple_members
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    members = group.members
+    assert_equal 2, members.size
+    assert_equal 'benburkert', members.first[:uid].first
+  end
+  def test_posix_combined_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    members = group.members
+    assert_equal 3, members.size
+  end
+  def test_posix_combined_group_unique_members
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @two_levels_deep_group)
+    members = group.members
+    assert_equal 4, members.size
+  end
+  def test_empty_subgroups
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    subgroups = group.subgroups
+    assert subgroups.empty?, "Simple posixgroup expected to not have subgroups"
+  end
+  def test_posix_combined_group_subgroups
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    subgroups = group.subgroups
+    assert_equal 1, subgroups.size
+  end
+  def test_is_member_simple_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    user  = @ldap.domain("uid=benburkert,ou=users,dc=github,dc=com").bind
+    assert group.is_member?(user),
+      "Expected user in the memberUid list to be a member of the posixgroup"
+  end
+  def test_is_member_combined_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    user  = @ldap.domain("uid=calavera,ou=users,dc=github,dc=com").bind
+    assert group.is_member?(user),
+      "Expected user in a subgroup to be a member of the posixgroup"
+  end
+  def test_is_not_member_simple_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @simple_group)
+    user  = @ldap.domain("uid=calavera,ou=users,dc=github,dc=com").bind
+    refute group.is_member?(user),
+      "Expected user to not be member when her uid is not in the list of memberUid"
+  end
+  def test_is_member_combined_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @one_level_deep_group)
+    user  = @ldap.domain("uid=benburkert,ou=users,dc=github,dc=com").bind
+    refute group.is_member?(user),
+      "Expected user to not be member when she's not member of any subgroup"
+  end
+  def test_empty_posix_group
+    group = GitHub::Ldap::PosixGroup.new(@ldap, @empty_group)
+    assert group.members.empty?,
+      "Expected members to be an empty array"
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-  version: 1.1.5
+  version: 1.2.0
 platform: ruby
 authors:
 - David Calavera
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-03-11 00:00:00.000000000 Z
+date: 2014-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
@@ -99,6 +99,7 @@ files:
 - lib/github/ldap/filter.rb
 - lib/github/ldap/fixtures.ldif
 - lib/github/ldap/group.rb
+- lib/github/ldap/posix_group.rb
 - lib/github/ldap/server.rb
 - lib/github/ldap/virtual_attributes.rb
 - lib/github/ldap/virtual_group.rb
@@ -109,6 +110,7 @@ files:
 - test/fixtures/github-with-subgroups.ldif
 - test/group_test.rb
 - test/ldap_test.rb
+- test/posix_group_test.rb
 - test/test_helper.rb
 homepage: https://github.com/github/github-ldap
 licenses:
@@ -142,5 +144,6 @@ test_files:
 - test/fixtures/github-with-subgroups.ldif
 - test/group_test.rb
 - test/ldap_test.rb
+- test/posix_group_test.rb
 - test/test_helper.rb
 has_rdoc: