github-ldap 1.3.1 → 1.3.2
- checksums.yaml +4 -4
- data/github-ldap.gemspec +1 -1
- data/lib/github/ldap.rb +15 -1
- data/lib/github/ldap/domain.rb +8 -1
- data/lib/github/ldap/filter.rb +21 -16
- data/test/domain_test.rb +34 -18
- data/test/filter_test.rb +9 -5
- metadata +1 -1
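--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3542310f0a25d44a8fde3c868d6f7df9849797ba
+data.tar.gz: 98e8bebff1f17dd194d7d959343e6f6e553ba370
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cc19ef4ef3c90ec0e2d7c380d9897c09037f141965627871ea726245a4dbdeaaeba2aa9b7ac562567917e47155d99590d062aeb9f889efba267bf89a468e7eec
+data.tar.gz: 568dffb94c106bbf4ea15ebd11cc02f4188f3236b320af1dec3ca9364442b02515fb1bc2aeff4c618bfb94b3903eb4ea71381784940de9e612af85cf53e8f8c3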
data/github-ldap.gemspec
CHANGED
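--- a/data/lib/github/ldap.rb
+++ b/data/lib/github/ldap.rb
@@ -23,7 +23,7 @@ module GitHub
 # Returns a Net::LDAP::Entry if the operation succeeded.
 def_delegator :@connection, :bind
 
-attr_reader :uid, :
+attr_reader :uid, :search_domains, :virtual_attributes
 
 def initialize(options = {})
 @uid = options[:uid] || "sAMAccountName"
@@ -43,6 +43,9 @@ module GitHub
 # enable fallback recursive group search unless option is false
 @recursive_group_search_fallback = (options[:recursive_group_search_fallback] != false)
 
+# enable posixGroup support unless option is false
+@posix_support = (options[:posix_support] != false)
+
 # search_domains is a connection of bases to perform searches
 # when a base is not explicitly provided.
 @search_domains = Array(options[:search_domains])
@@ -58,6 +61,17 @@ module GitHub
 @recursive_group_search_fallback
 end
 
+# Public - Whether membership checks should include posixGroup filter
+# conditions on `memberUid`. Configurable since some LDAP servers don't
+# handle unsupported attribute queries gracefully.
+#
+# Enable by passing :posix_support => true.
+#
+# Returns true, false, or nil (assumed false).
+def posix_support_enabled?
+@posix_support
+end
+
 # Public - Utility method to check if the connection with the server can be stablished.
 # It tries to bind with the ldap auth default configuration.
 #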
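Review bot: The doc comment on the new `posix_support_enabled?` in the third hunk contradicts the initializer in the second: `@posix_support = (options[:posix_support] != false)` always yields a boolean and is true unless the option is explicitly false, so "Enable by passing :posix_support => true" and "Returns true, false, or nil (assumed false)" are both inaccurate. Suggest replacing those two lines with `# Enabled by default; disable by passing :posix_support => false.` and `# Returns true or false.`. The default deserves to be stated plainly because on upgrade every non-recursive membership search will start sending a `memberUid` clause to servers that, per this same comment, may not handle unsupported attribute queries gracefully.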
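--- a/data/lib/github/ldap/domain.rb
+++ b/data/lib/github/ldap/domain.rb
@@ -66,7 +66,14 @@ module GitHub
 end
 else
 # fallback to non-recursive group membership search
-filter = member_filter(user_entry)
+filter = member_filter(user_entry)
+
+# include memberUid filter if enabled and entry has a UID set
+if @ldap.posix_support_enabled? && !user_entry[@ldap.uid].empty?
+filter |= posix_member_filter(user_entry, @ldap.uid)
+end
+
+filter &= group_filter(group_names)
 search(filter: filter)
 end
 end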
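Review bot: The `!user_entry[@ldap.uid].empty?` half of the condition on new line 72 repeats the check `posix_member_filter` performs itself, and it is the only thing preventing `filter |= nil` from raising when that helper returns nil for an entry with no UID, so the two checks should live in one place rather than drift apart. A comment is also missing on what the OR'd clause actually matches: unlike `member`/`uniqueMember`, which hold DNs, `memberUid` holds a bare uid value, so any entry across the configured search domains whose `@ldap.uid` attribute equals that value satisfies the filter. Suggest extending the comment on line 71 to `# include memberUid filter if enabled and entry has a UID set; memberUid holds a uid value, not a DN, so this relies on uid values being unique across search_domains`. The enclosing method starts outside the hunk.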
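--- a/data/lib/github/ldap/filter.rb
+++ b/data/lib/github/ldap/filter.rb
@@ -20,26 +20,31 @@ module GitHub
 
 # Filter to check group membership.
 #
-# entry:
-# uid_attr: specifies the memberUid attribute to match with (optional)
+# entry: finds groups this Net::LDAP::Entry is a member of (optional)
 #
 # Returns a Net::LDAP::Filter.
-def member_filter(entry = nil
+def member_filter(entry = nil)
 if entry
-
-
-reduce(:|)
-
-if !entry[uid_attr].empty?
-filter |=
-entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
-reduce(:|)
-end
-
-filter
+MEMBERSHIP_NAMES.
+map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.reduce(:|)
 else
-
-map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
+MEMBERSHIP_NAMES.
+map {|n| Net::LDAP::Filter.pres(n) }. reduce(:|)
+end
+end
+
+# Filter to check group membership for posixGroups.
+#
+# Used by Domain#membership when posix_support_enabled? is true.
+#
+# entry: finds groups this Net::LDAP::Entry is a member of
+# uid_attr: specifies the memberUid attribute to match with
+#
+# Returns a Net::LDAP::Filter or nil if no entry has no UID set.
+def posix_member_filter(entry, uid_attr)
+if !entry[uid_attr].empty?
+entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
+reduce(:|)
 end
 end
 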
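Review bot: The new `posix_member_filter` returns nil through an `if` with no `else`, and the doc line above it, "or nil if no entry has no UID set", is a garbled double negative that hides that contract from callers who then `|=` the result into another filter. Suggest `# Returns a Net::LDAP::Filter, or nil if the entry has no value for uid_attr.` and a guard-clause body, `return if entry[uid_attr].empty?` followed by the existing `map`/`reduce` expression, so the nil path is explicit rather than an implicit fall-through. Separately, new line 32 has a stray space in `}. reduce(:|)`; `}.reduce(:|)` matches line 29.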
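--- a/data/test/domain_test.rb
+++ b/data/test/domain_test.rb
@@ -173,24 +173,18 @@ class GitHubLdapPosixGroupsWithRecursionFallbackTest < GitHub::Ldap::Test
 def setup
 @ldap = GitHub::Ldap.new(options)
 @domain = @ldap.domain("dc=github,dc=com")
-
-@group = Net::LDAP::Entry._load("""
-dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
-cn: enterprise-posix-devs
-objectClass: posixGroup
-memberUid: benburkert
-memberUid: mtodd""")
+@cn = "enterprise-posix-devs"
 end
 
 def test_membership_for_posixGroups
 assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
 
-assert @domain.is_member?(user, @
-"Expected `#{@
+assert @domain.is_member?(user, [@cn]),
+"Expected `#{@cn}` to include the member `#{user.dn}`"
 end
 end
 
-class
+class GitHubLdapPosixGroupsWithoutRecursionTest < GitHub::Ldap::Test
 def self.test_server_options
 {
 custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
@@ -203,19 +197,41 @@ class GitHubLdapPosixGroupsTest < GitHub::Ldap::Test
 def setup
 @ldap = GitHub::Ldap.new(options)
 @domain = @ldap.domain("dc=github,dc=com")
+@cn = "enterprise-posix-devs"
+end
+
+def test_membership_for_posixGroups
+assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
 
-@
-
-
-
-
-
+assert @domain.is_member?(user, [@cn]),
+"Expected `#{@cn}` to include the member `#{user.dn}`"
+end
+end
+
+# Specifically testing that this doesn't break when posixGroups are not
+# supported.
+class GitHubLdapWithoutPosixGroupsTest < GitHub::Ldap::Test
+def self.test_server_options
+{
+custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
+user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
+# so we test the test the non-recursive group membership search
+recursive_group_search_fallback: false,
+# explicitly disable posixGroup support (even if the schema supports it)
+posix_support: false
+}
+end
+
+def setup
+@ldap = GitHub::Ldap.new(options)
+@domain = @ldap.domain("dc=github,dc=com")
+@cn = "enterprise-posix-devs"
 end
 
 def test_membership_for_posixGroups
 assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
 
-
-"Expected `#{@
+refute @domain.is_member?(user, [@cn]),
+"Expected `#{@cn}` to not include the member `#{user.dn}`"
 end
 end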
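Review bot: The comment on new line 218 of the second hunk, "so we test the test the non-recursive group membership search", has a duplicated phrase; suggest `# so we test the non-recursive group membership search`. The negative test in `GitHubLdapWithoutPosixGroupsTest` only proves the `refute` outcome, not its cause, so a one-line comment before the `refute` stating that the user is expected to be absent from `member`/`uniqueMember` and reachable only via `memberUid` would make clear what a future failure here means.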
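--- a/data/test/filter_test.rb
+++ b/data/test/filter_test.rb
@@ -24,18 +24,22 @@ class FilterTest < Minitest::Test
 end
 
 def test_member_present
-assert_equal "(|(
+assert_equal "(|(member=*)(uniqueMember=*))", @subject.member_filter.to_s
 end
 
 def test_member_equal
-assert_equal "(|(
+assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))",
 @subject.member_filter(@entry).to_s
 end
 
-def
+def test_posix_member_without_uid
 @entry.uid = nil
-
-
+assert_nil @subject.posix_member_filter(@entry, @ldap.uid)
+end
+
+def test_posix_member_equal
+assert_equal "(memberUid=#{@uid})",
+@subject.posix_member_filter(@entry, @ldap.uid).to_s
 end
 
 def test_groups_reduced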