github-ldap 1.3.1 → 1.3.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: f9c7b785a3c6daf7679b1722ee0d22a81dcb4028
4
- data.tar.gz: 83cc3a67ee48508032a660fa75952a3691d3fff4
3
+ metadata.gz: 3542310f0a25d44a8fde3c868d6f7df9849797ba
4
+ data.tar.gz: 98e8bebff1f17dd194d7d959343e6f6e553ba370
5
5
  SHA512:
6
- metadata.gz: 60424b6d8541c2c2ee493958e368b5194cda45b4a5f67807ee5fc9dd31b015b01e1abc72c5b4fece2739900ba70ee953d94e4e8ad8dadba49324336472bac6ad
7
- data.tar.gz: 340bf76161061af7a4a35307e36731c72ace77c79699f4f641f97531dd36b66fb73e7b3ab3b47ae1ff0cf0aa3d0065648e7b7d888211d2f52f12e22109706880
6
+ metadata.gz: cc19ef4ef3c90ec0e2d7c380d9897c09037f141965627871ea726245a4dbdeaaeba2aa9b7ac562567917e47155d99590d062aeb9f889efba267bf89a468e7eec
7
+ data.tar.gz: 568dffb94c106bbf4ea15ebd11cc02f4188f3236b320af1dec3ca9364442b02515fb1bc2aeff4c618bfb94b3903eb4ea71381784940de9e612af85cf53e8f8c3
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |spec|
4
4
  spec.name = "github-ldap"
5
- spec.version = "1.3.1"
5
+ spec.version = "1.3.2"
6
6
  spec.authors = ["David Calavera"]
7
7
  spec.email = ["david.calavera@gmail.com"]
8
8
  spec.description = %q{Ldap authentication for humans}
@@ -23,7 +23,7 @@ module GitHub
23
23
  # Returns a Net::LDAP::Entry if the operation succeeded.
24
24
  def_delegator :@connection, :bind
25
25
 
26
- attr_reader :uid, :virtual_attributes, :search_domains
26
+ attr_reader :uid, :search_domains, :virtual_attributes
27
27
 
28
28
  def initialize(options = {})
29
29
  @uid = options[:uid] || "sAMAccountName"
@@ -43,6 +43,9 @@ module GitHub
43
43
  # enable fallback recursive group search unless option is false
44
44
  @recursive_group_search_fallback = (options[:recursive_group_search_fallback] != false)
45
45
 
46
+ # enable posixGroup support unless option is false
47
+ @posix_support = (options[:posix_support] != false)
48
+
46
49
  # search_domains is a connection of bases to perform searches
47
50
  # when a base is not explicitly provided.
48
51
  @search_domains = Array(options[:search_domains])
@@ -58,6 +61,17 @@ module GitHub
58
61
  @recursive_group_search_fallback
59
62
  end
60
63
 
64
+ # Public - Whether membership checks should include posixGroup filter
65
+ # conditions on `memberUid`. Configurable since some LDAP servers don't
66
+ # handle unsupported attribute queries gracefully.
67
+ #
68
+ # Enable by passing :posix_support => true.
69
+ #
70
+ # Returns true, false, or nil (assumed false).
71
+ def posix_support_enabled?
72
+ @posix_support
73
+ end
74
+
61
75
  # Public - Utility method to check if the connection with the server can be stablished.
62
76
  # It tries to bind with the ldap auth default configuration.
63
77
  #
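Review bot: The docstring on `posix_support_enabled?` contradicts the initializer a few lines up: `@posix_support = (options[:posix_support] != false)` makes posixGroup support enabled by default and always stores a boolean, yet the comment says "Enable by passing :posix_support => true" and "Returns true, false, or nil (assumed false)". Since this flag widens membership matching (a `memberUid` string match is ORed into the DN-based filter in Domain#membership), callers should be told clearly that it is opt-out, not opt-in. I would replace those two comment lines with `# Enabled by default; pass :posix_support => false to disable it.` and `# Returns true or false.`, keeping the sentence about servers that don't handle unsupported attribute queries gracefully as the rationale for the switch.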
@@ -66,7 +66,14 @@ module GitHub
66
66
  end
67
67
  else
68
68
  # fallback to non-recursive group membership search
69
- filter = member_filter(user_entry) & group_filter(group_names)
69
+ filter = member_filter(user_entry)
70
+
71
+ # include memberUid filter if enabled and entry has a UID set
72
+ if @ldap.posix_support_enabled? && !user_entry[@ldap.uid].empty?
73
+ filter |= posix_member_filter(user_entry, @ldap.uid)
74
+ end
75
+
76
+ filter &= group_filter(group_names)
70
77
  search(filter: filter)
71
78
  end
72
79
  end
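Review bot: The new guard `!user_entry[@ldap.uid].empty?` duplicates the empty-check already inside `posix_member_filter`, and the two must stay in sync: if the caller-side check were ever dropped, `filter |= nil` would raise on the next line. Letting the helper's return value drive the branch removes the duplication, e.g. `if @ldap.posix_support_enabled? && (posix = posix_member_filter(user_entry, @ldap.uid))` / `filter |= posix` / `end`. Note also that the ORed `memberUid` condition grants membership on a bare uid string rather than the entry's DN, so in deployments with several `search_domains` a uid collision across bases could presumably match the wrong user; that is worth a one-line comment here so operators know when to pass `posix_support: false`. The enclosing `membership` method begins and ends outside this hunk.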
@@ -20,26 +20,31 @@ module GitHub
20
20
 
21
21
  # Filter to check group membership.
22
22
  #
23
- # entry: finds groups this Net::LDAP::Entry is a member of (optional)
24
- # uid_attr: specifies the memberUid attribute to match with (optional)
23
+ # entry: finds groups this Net::LDAP::Entry is a member of (optional)
25
24
  #
26
25
  # Returns a Net::LDAP::Filter.
27
- def member_filter(entry = nil, uid_attr = @ldap.uid)
26
+ def member_filter(entry = nil)
28
27
  if entry
29
- filter =
30
- MEMBERSHIP_NAMES. map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.
31
- reduce(:|)
32
-
33
- if !entry[uid_attr].empty?
34
- filter |=
35
- entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
36
- reduce(:|)
37
- end
38
-
39
- filter
28
+ MEMBERSHIP_NAMES.
29
+ map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.reduce(:|)
40
30
  else
41
- (MEMBERSHIP_NAMES + %w(memberUid)).
42
- map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
31
+ MEMBERSHIP_NAMES.
32
+ map {|n| Net::LDAP::Filter.pres(n) }. reduce(:|)
33
+ end
34
+ end
35
+
36
+ # Filter to check group membership for posixGroups.
37
+ #
38
+ # Used by Domain#membership when posix_support_enabled? is true.
39
+ #
40
+ # entry: finds groups this Net::LDAP::Entry is a member of
41
+ # uid_attr: specifies the memberUid attribute to match with
42
+ #
43
+ # Returns a Net::LDAP::Filter or nil if no entry has no UID set.
44
+ def posix_member_filter(entry, uid_attr)
45
+ if !entry[uid_attr].empty?
46
+ entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
47
+ reduce(:|)
43
48
  end
44
49
  end
45
50
 
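Review bot: `posix_member_filter` passes each uid value straight into `Net::LDAP::Filter.eq("memberUid", uid)`; if I recall net-ldap correctly, an eq value containing `*` is encoded as a substring or presence match rather than a literal, so a uid attribute value such as `*` would turn the condition into `(memberUid=*)` and match every posixGroup. The value comes from the directory entry, not from request input, so this needs control of that attribute to be abused, but escaping is cheap: `entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", Net::LDAP::Filter.escape(uid)) }` (please confirm against the installed net-ldap version). The return comment is also garbled, "or nil if no entry has no UID set"; `# Returns a Net::LDAP::Filter, or nil when the entry has no value for uid_attr.` reads correctly. Minor style: `map {|n| Net::LDAP::Filter.pres(n) }. reduce(:|)` in `member_filter` has a stray space after the dot.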
@@ -173,24 +173,18 @@ class GitHubLdapPosixGroupsWithRecursionFallbackTest < GitHub::Ldap::Test
173
173
  def setup
174
174
  @ldap = GitHub::Ldap.new(options)
175
175
  @domain = @ldap.domain("dc=github,dc=com")
176
-
177
- @group = Net::LDAP::Entry._load("""
178
- dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
179
- cn: enterprise-posix-devs
180
- objectClass: posixGroup
181
- memberUid: benburkert
182
- memberUid: mtodd""")
176
+ @cn = "enterprise-posix-devs"
183
177
  end
184
178
 
185
179
  def test_membership_for_posixGroups
186
180
  assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
187
181
 
188
- assert @domain.is_member?(user, @group.cn),
189
- "Expected `#{@group.cn.first}` to include the member `#{user.dn}`"
182
+ assert @domain.is_member?(user, [@cn]),
183
+ "Expected `#{@cn}` to include the member `#{user.dn}`"
190
184
  end
191
185
  end
192
186
 
193
- class GitHubLdapPosixGroupsTest < GitHub::Ldap::Test
187
+ class GitHubLdapPosixGroupsWithoutRecursionTest < GitHub::Ldap::Test
194
188
  def self.test_server_options
195
189
  {
196
190
  custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
@@ -203,19 +197,41 @@ class GitHubLdapPosixGroupsTest < GitHub::Ldap::Test
203
197
  def setup
204
198
  @ldap = GitHub::Ldap.new(options)
205
199
  @domain = @ldap.domain("dc=github,dc=com")
200
+ @cn = "enterprise-posix-devs"
201
+ end
202
+
203
+ def test_membership_for_posixGroups
204
+ assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
206
205
 
207
- @group = Net::LDAP::Entry._load("""
208
- dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
209
- cn: enterprise-posix-devs
210
- objectClass: posixGroup
211
- memberUid: benburkert
212
- memberUid: mtodd""")
206
+ assert @domain.is_member?(user, [@cn]),
207
+ "Expected `#{@cn}` to include the member `#{user.dn}`"
208
+ end
209
+ end
210
+
211
+ # Specifically testing that this doesn't break when posixGroups are not
212
+ # supported.
213
+ class GitHubLdapWithoutPosixGroupsTest < GitHub::Ldap::Test
214
+ def self.test_server_options
215
+ {
216
+ custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
217
+ user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
218
+ # so we test the test the non-recursive group membership search
219
+ recursive_group_search_fallback: false,
220
+ # explicitly disable posixGroup support (even if the schema supports it)
221
+ posix_support: false
222
+ }
223
+ end
224
+
225
+ def setup
226
+ @ldap = GitHub::Ldap.new(options)
227
+ @domain = @ldap.domain("dc=github,dc=com")
228
+ @cn = "enterprise-posix-devs"
213
229
  end
214
230
 
215
231
  def test_membership_for_posixGroups
216
232
  assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
217
233
 
218
- assert @domain.is_member?(user, @group.cn),
219
- "Expected `#{@group.cn.first}` to include the member `#{user.dn}`"
234
+ refute @domain.is_member?(user, [@cn]),
235
+ "Expected `#{@cn}` to not include the member `#{user.dn}`"
220
236
  end
221
237
  end
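Review bot: The comment in `GitHubLdapWithoutPosixGroupsTest.test_server_options` reads "so we test the test the non-recursive group membership search"; it should be `# so we exercise the non-recursive group membership search`. The three test classes now share an identical `setup` and `test_membership_for_posixGroups` body except for `assert` versus `refute`; a small shared module or a `@cn` constant at file scope would make the one that differs (the negative test with `posix_support: false`) stand out for the reader. The negative test is the valuable one here since it pins that disabling the flag really removes `memberUid` matching.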
@@ -24,18 +24,22 @@ class FilterTest < Minitest::Test
24
24
  end
25
25
 
26
26
  def test_member_present
27
- assert_equal "(|(|(member=*)(uniqueMember=*))(memberUid=*))", @subject.member_filter.to_s
27
+ assert_equal "(|(member=*)(uniqueMember=*))", @subject.member_filter.to_s
28
28
  end
29
29
 
30
30
  def test_member_equal
31
- assert_equal "(|(|(member=#{@me})(uniqueMember=#{@me}))(memberUid=#{@uid}))",
31
+ assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))",
32
32
  @subject.member_filter(@entry).to_s
33
33
  end
34
34
 
35
- def test_member_without_uid
35
+ def test_posix_member_without_uid
36
36
  @entry.uid = nil
37
- assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))",
38
- @subject.member_filter(@entry).to_s
37
+ assert_nil @subject.posix_member_filter(@entry, @ldap.uid)
38
+ end
39
+
40
+ def test_posix_member_equal
41
+ assert_equal "(memberUid=#{@uid})",
42
+ @subject.posix_member_filter(@entry, @ldap.uid).to_s
39
43
  end
40
44
 
41
45
  def test_groups_reduced
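Review bot: The new `test_posix_member_equal` only covers a single uid value, so the `reduce(:|)` over several values in `posix_member_filter` is untested and a regression to, say, `first` would pass. A second case such as `@entry.uid = %w(a b)` followed by `assert_equal "(|(memberUid=a)(memberUid=b))", @subject.posix_member_filter(@entry, @ldap.uid).to_s` would pin the multi-valued shape. It would also be worth a case with a uid containing `*` once the filter escapes values, to lock in that a literal match is produced.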
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: github-ldap
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Calavera