github-ldap 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f94f5af944845beec077b7ae4f67f73bcdcd3324
-  data.tar.gz: d0cbf4bb74c1fedfce35a886967b084061c95cfb
+  metadata.gz: 13b19164520b8ed69dc3defdfa76b747767d9006
+  data.tar.gz: f34f58a9d8d91a89b5f9873b7a17daf251b9ac3d
 SHA512:
-  metadata.gz: cd8ca33063aff485c5e0d4df63ca8e5d6c83641d202d3dddc02ace9d373710e511f152197a2d9c36e71e9dfe67ce56692859183a7ced2fe7fb847caeb2fcc1bb
-  data.tar.gz: 75a413369b9d935499bae900382569314b90f71259ac5b813cd059328ca92f6533acdb106947c7d9139228f4f3597599d405a4be5bada4609d1aaef7e43c521d
+  metadata.gz: 7c492ec6ceba65de3683871843f7c1ae878e08dea0be24cbe1096723858d7b6b68bb37e7ab1a27c60453e65d4cac26b1bd84f3c79206cbcb5c289f03cf945a67
+  data.tar.gz: 4b8bc4c463f7b29b12983e245615f99f6908be16d6bc491b06a7433d86ef2d482bf0f8da647834e176ed1d4128afc6e5cc521811c7a17ce9c028405923c924b6

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## v1.6.0
+
+* Expose `GitHub::Ldap::Group.group?` for testing if entry is a group [#67](https://github.com/github/github-ldap/pull/67)
+* Add *Member Search* strategies [#64](https://github.com/github/github-ldap/pull/64) [#68](https://github.com/github/github-ldap/pull/68) [#69](https://github.com/github/github-ldap/pull/69)
+* Simplify *Member Search* and *Membership Validation* search strategy configuration, detection, and default behavior [#70](https://github.com/github/github-ldap/pull/70)
+
 ## v1.5.0
 
 * Automatically detect membership validator strategy by default [#58](https://github.com/github/github-ldap/pull/58) [#62](https://github.com/github/github-ldap/pull/62)

data/github-ldap.gemspec

@@ -2,11 +2,11 @@
 
 Gem::Specification.new do |spec|
   spec.name          = "github-ldap"
-  spec.version       = "1.5.0"
-  spec.authors       = ["David Calavera"]
-  spec.email         = ["david.calavera@gmail.com"]
-  spec.description   = %q{Ldap authentication for humans}
-  spec.summary       = %q{Ldap client authentication wrapper without all the boilerplate}
+  spec.version       = "1.6.0"
+  spec.authors       = ["David Calavera", "Matt Todd"]
+  spec.email         = ["david.calavera@gmail.com", "chiology@gmail.com"]
+  spec.description   = %q{LDAP authentication for humans}
+  spec.summary       = %q{LDAP client authentication wrapper without all the boilerplate}
   spec.homepage      = "https://github.com/github/github-ldap"
   spec.license       = "MIT"
 

data/lib/github/ldap.rb

@@ -1,20 +1,26 @@
+require 'net/ldap'
+require 'forwardable'
+
+require 'github/ldap/filter'
+require 'github/ldap/domain'
+require 'github/ldap/group'
+require 'github/ldap/posix_group'
+require 'github/ldap/virtual_group'
+require 'github/ldap/virtual_attributes'
+require 'github/ldap/instrumentation'
+require 'github/ldap/member_search'
+require 'github/ldap/membership_validators'
+
 module GitHub
   class Ldap
-    require 'net/ldap'
-    require 'forwardable'
-    require 'github/ldap/filter'
-    require 'github/ldap/domain'
-    require 'github/ldap/group'
-    require 'github/ldap/posix_group'
-    require 'github/ldap/virtual_group'
-    require 'github/ldap/virtual_attributes'
-    require 'github/ldap/instrumentation'
-    require 'github/ldap/membership_validators'
-
     include Instrumentation
 
     extend Forwardable
 
+    # Internal: The capability required to use ActiveDirectory features.
+    # See: http://msdn.microsoft.com/en-us/library/cc223359.aspx.
+    ACTIVE_DIRECTORY_V61_R2_OID = "1.2.840.113556.1.4.2080".freeze
+
     # Utility method to get the last operation result with a human friendly message.
     #
     # Returns an OpenStruct with `code` and `message`.
@@ -35,6 +41,7 @@ module GitHub
 
     attr_reader :uid, :search_domains, :virtual_attributes,
                 :membership_validator,
+                :member_search_strategy,
                 :instrumentation_service
 
     # Build a new GitHub::Ldap instance
@@ -88,8 +95,8 @@ module GitHub
       # when a base is not explicitly provided.
       @search_domains = Array(options[:search_domains])
 
-      # configure which strategy should be used to validate user membership
-      configure_membership_validation_strategy(options[:membership_validator])
+      # configure both the membership validator and the member search strategies
+      configure_search_strategy(options[:search_strategy])
 
       # enables instrumenting queries
       @instrumentation_service = options[:instrumentation_service]
@@ -236,23 +243,78 @@ module GitHub
       end
     end
 
-    # Internal: Configure the membership validation strategy.
+    # Internal: Configure the member search and membership validation strategies.
+    #
+    # TODO: Inline the logic in these two methods here.
     #
-    # Used by GitHub::Ldap::MembershipValidators::Detect to force a specific
-    # strategy (instead of detecting host capabilities and deciding at runtime).
+    # Returns nothing.
+    def configure_search_strategy(strategy = nil)
+      # configure which strategy should be used to validate user membership
+      configure_membership_validation_strategy(strategy)
+
+      # configure which strategy should be used for member search
+      configure_member_search_strategy(strategy)
+    end
+
+    # Internal: Configure the membership validation strategy.
     #
-    # If `strategy` is not provided, or doesn't match a known strategy,
-    # defaults to `:detect`. Otherwise the configured strategy is selected.
+    # If no known strategy is provided, detects ActiveDirectory capabilities or
+    # falls back to the Recursive strategy by default.
     #
-    # Returns the selected membership validator strategy Symbol.
+    # Returns the membership validator strategy Class.
     def configure_membership_validation_strategy(strategy = nil)
       @membership_validator =
         case strategy.to_s
-        when "classic", "recursive", "active_directory"
-          strategy.to_sym
+        when "classic"
+          GitHub::Ldap::MembershipValidators::Classic
+        when "recursive"
+          GitHub::Ldap::MembershipValidators::Recursive
+        when "active_directory"
+          GitHub::Ldap::MembershipValidators::ActiveDirectory
+        else
+          # fallback to detection, defaulting to recursive strategy
+          if active_directory_capability?
+            GitHub::Ldap::MembershipValidators::ActiveDirectory
+          else
+            GitHub::Ldap::MembershipValidators::Recursive
+          end
+        end
+    end
+
+    # Internal: Configure the member search strategy.
+    #
+    #
+    # If no known strategy is provided, detects ActiveDirectory capabilities or
+    # falls back to the Recursive strategy by default.
+    #
+    # Returns the selected strategy Class.
+    def configure_member_search_strategy(strategy = nil)
+      @member_search_strategy =
+        case strategy.to_s
+        when "classic"
+          GitHub::Ldap::MemberSearch::Classic
+        when "recursive"
+          GitHub::Ldap::MemberSearch::Recursive
+        when "active_directory"
+          GitHub::Ldap::MemberSearch::ActiveDirectory
         else
-          :detect
+          # fallback to detection, defaulting to recursive strategy
+          if active_directory_capability?
+            GitHub::Ldap::MemberSearch::ActiveDirectory
+          else
+            GitHub::Ldap::MemberSearch::Recursive
+          end
         end
     end
+
+    # Internal: Detect whether the LDAP host is an ActiveDirectory server.
+    #
+    # See: http://msdn.microsoft.com/en-us/library/cc223359.aspx.
+    #
+    # Returns true if the host is an ActiveDirectory server, false otherwise.
+    def active_directory_capability?
+      capabilities[:supportedcapabilities].include?(ACTIVE_DIRECTORY_V61_R2_OID)
+    end
+    private :active_directory_capability?
   end
 end

data/lib/github/ldap/domain.rb

@@ -163,8 +163,11 @@ module GitHub
       # Get the entry for this domain.
       #
       # Returns a Net::LDAP::Entry
-      def bind
-        search(size: 1, scope: Net::LDAP::SearchScope_BaseObject).first
+      def bind(options = {})
+        options[:size]  = 1
+        options[:scope] = Net::LDAP::SearchScope_BaseObject
+        options[:attributes] ||= []
+        search(options).first
       end
     end
   end

data/lib/github/ldap/group.rb

@@ -69,6 +69,11 @@ module GitHub
         end
       end
 
+      # Internal: Returns true if the object class(es) provided match a group's.
+      def group?(object_class)
+        self.class.group?(object_class)
+      end
+
       # Internal - Check if an object class includes the member names
       # Use `&` rathen than `include?` because both are arrays.
       #
@@ -76,7 +81,7 @@ module GitHub
       # will fail to match correctly unless we also downcase our group classes.
       #
       # Returns true if the object class includes one of the group class names.
-      def group?(object_class)
+      def self.group?(object_class)
         !(GROUP_CLASS_NAMES.map(&:downcase) & object_class.map(&:downcase)).empty?
       end
 

data/lib/github/ldap/member_search.rb

@@ -0,0 +1,4 @@
+require 'github/ldap/member_search/base'
+require 'github/ldap/member_search/classic'
+require 'github/ldap/member_search/recursive'
+require 'github/ldap/member_search/active_directory'

data/lib/github/ldap/member_search/active_directory.rb

@@ -0,0 +1,60 @@
+module GitHub
+  class Ldap
+    module MemberSearch
+      # Look up group members using the ActiveDirectory "in chain" matching rule.
+      #
+      # The 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN)
+      # "walks the chain of ancestry in objects all the way to the root until
+      # it finds a match".
+      # Source: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
+      #
+      # This means we have an efficient method of searching for group members,
+      # even in nested groups, performed on the server side.
+      class ActiveDirectory < Base
+        OID = "1.2.840.113556.1.4.1941"
+
+        # Internal: The default attributes to query for.
+        # NOTE: We technically don't need any by default, but if we left this
+        # empty, we'd be querying for *all* attributes which is less ideal.
+        DEFAULT_ATTRS = %w(objectClass)
+
+        # Internal: The attributes to search for.
+        attr_reader :attrs
+
+        # Public: Instantiate new search strategy.
+        #
+        # - ldap:    GitHub::Ldap object
+        # - options: Hash of options
+        #
+        # NOTE: This overrides default behavior to configure attrs`.
+        def initialize(ldap, options = {})
+          super
+          @attrs = Array(options[:attrs]).concat DEFAULT_ATTRS
+        end
+
+        # Public: Performs search for group members, including groups and
+        # members of subgroups, using ActiveDirectory's "in chain" matching
+        # rule.
+        #
+        # Returns Array of Net::LDAP::Entry objects.
+        def perform(group)
+          filter = member_of_in_chain_filter(group)
+
+          # search for all members of the group, including subgroups, by
+          # searching "in chain".
+          domains.each_with_object([]) do |domain, members|
+            members.concat domain.search(filter: filter, attributes: attrs)
+          end
+        end
+
+        # Internal: Constructs a member filter using the "in chain"
+        # extended matching rule afforded by ActiveDirectory.
+        #
+        # Returns a Net::LDAP::Filter object.
+        def member_of_in_chain_filter(entry)
+          Net::LDAP::Filter.ex("memberOf:#{OID}", entry.dn)
+        end
+      end
+    end
+  end
+end

data/lib/github/ldap/member_search/base.rb

@@ -0,0 +1,34 @@
+module GitHub
+  class Ldap
+    module MemberSearch
+      class Base
+
+        # Internal: The GitHub::Ldap object to search domains with.
+        attr_reader :ldap
+
+        # Public: Instantiate new search strategy.
+        #
+        # - ldap:    GitHub::Ldap object
+        # - options: Hash of options
+        def initialize(ldap, options = {})
+          @ldap    = ldap
+          @options = options
+        end
+
+        # Public: Abstract: Performs search for group members.
+        #
+        # Returns Array of Net::LDAP::Entry objects.
+        # def perform(entry)
+        # end
+
+        # Internal: Domains to search through.
+        #
+        # Returns an Array of GitHub::Ldap::Domain objects.
+        def domains
+          @domains ||= ldap.search_domains.map { |base| ldap.domain(base) }
+        end
+        private :domains
+      end
+    end
+  end
+end

data/lib/github/ldap/member_search/classic.rb

@@ -0,0 +1,18 @@
+module GitHub
+  class Ldap
+    module MemberSearch
+      # Look up group members using the existing `Group#members` and
+      # `Group#subgroups` API.
+      class Classic < Base
+        # Public: Performs search for group members, including groups and
+        # members of subgroups recursively.
+        #
+        # Returns Array of Net::LDAP::Entry objects.
+        def perform(group_entry)
+          group = ldap.load_group(group_entry)
+          group.members + group.subgroups
+        end
+      end
+    end
+  end
+end

data/lib/github/ldap/member_search/recursive.rb

@@ -0,0 +1,133 @@
+module GitHub
+  class Ldap
+    module MemberSearch
+      # Look up group members recursively.
+      #
+      # This results in a maximum of `depth` iterations/recursions to look up
+      # members of a group and its subgroups.
+      class Recursive < Base
+        include Filter
+
+        DEFAULT_MAX_DEPTH = 9
+        DEFAULT_ATTRS     = %w(member uniqueMember memberUid)
+
+        # Internal: The maximum depth to search for members.
+        attr_reader :depth
+
+        # Internal: The attributes to search for.
+        attr_reader :attrs
+
+        # Public: Instantiate new search strategy.
+        #
+        # - ldap:    GitHub::Ldap object
+        # - options: Hash of options
+        #
+        # NOTE: This overrides default behavior to configure `depth` and `attrs`.
+        def initialize(ldap, options = {})
+          super
+          @depth = options[:depth] || DEFAULT_MAX_DEPTH
+          @attrs = Array(options[:attrs]).concat DEFAULT_ATTRS
+        end
+
+        # Public: Performs search for group members, including groups and
+        # members of subgroups recursively.
+        #
+        # Returns Array of Net::LDAP::Entry objects.
+        def perform(group)
+          found = Hash.new
+
+          # find members (N queries)
+          entries = member_entries(group)
+          return [] if entries.empty?
+
+          # track found entries
+          entries.each do |entry|
+            found[entry.dn] = entry
+          end
+
+          # descend to `depth` levels, at most
+          depth.times do |n|
+            # find every (new, unique) member entry
+            depth_subentries = entries.each_with_object([]) do |entry, depth_entries|
+              submembers = entry["member"]
+
+              # skip any members we've already found
+              submembers.reject! { |dn| found.key?(dn) }
+
+              # find members of subgroup, including subgroups (N queries)
+              subentries = member_entries(entry)
+              next if subentries.empty?
+
+              # track found subentries
+              subentries.each { |entry| found[entry.dn] = entry }
+
+              # collect all entries for this depth
+              depth_entries.concat subentries
+            end
+
+            # stop if there are no more subgroups to search
+            break if depth_subentries.empty?
+
+            # go one level deeper
+            entries = depth_subentries
+          end
+
+          # return all found entries
+          found.values
+        end
+
+        # Internal: Fetch member entries, including subgroups, for the given
+        # entry.
+        #
+        # Returns an Array of Net::LDAP::Entry objects.
+        def member_entries(entry)
+          entries = []
+          dns     = member_dns(entry)
+          uids    = member_uids(entry)
+
+          entries.concat entries_by_uid(uids) unless uids.empty?
+          entries.concat entries_by_dn(dns)   unless dns.empty?
+
+          entries
+        end
+        private :member_entries
+
+        # Internal: Bind a list of DNs to their respective entries.
+        #
+        # Returns an Array of Net::LDAP::Entry objects.
+        def entries_by_dn(members)
+          members.map do |dn|
+            ldap.domain(dn).bind(attributes: attrs)
+          end.compact
+        end
+        private :entries_by_dn
+
+        # Internal: Fetch entries by UID.
+        #
+        # Returns an Array of Net::LDAP::Entry objects.
+        def entries_by_uid(members)
+          filter = members.map { |uid| Net::LDAP::Filter.eq(ldap.uid, uid) }.reduce(:|)
+          domains.each_with_object([]) do |domain, entries|
+            entries.concat domain.search(filter: filter, attributes: attrs)
+          end.compact
+        end
+        private :entries_by_uid
+
+        # Internal: Returns an Array of String DNs for `groupOfNames` and
+        # `uniqueGroupOfNames` members.
+        def member_dns(entry)
+          MEMBERSHIP_NAMES.each_with_object([]) do |attr_name, members|
+            members.concat entry[attr_name]
+          end
+        end
+        private :member_dns
+
+        # Internal: Returns an Array of String UIDs for PosixGroups members.
+        def member_uids(entry)
+          entry["memberUid"]
+        end
+        private :member_uids
+      end
+    end
+  end
+end

data/lib/github/ldap/membership_validators.rb

@@ -1,26 +1,4 @@
 require 'github/ldap/membership_validators/base'
-require 'github/ldap/membership_validators/detect'
 require 'github/ldap/membership_validators/classic'
 require 'github/ldap/membership_validators/recursive'
 require 'github/ldap/membership_validators/active_directory'
-
-module GitHub
-  class Ldap
-    # Provides various strategies for validating membership.
-    #
-    # For example:
-    #
-    #   groups = domain.groups(%w(Engineering))
-    #   validator = GitHub::Ldap::MembershipValidators::Classic.new(ldap, groups)
-    #   validator.perform(entry) #=> true
-    #
-    module MembershipValidators
-      # Internal: Mapping of strategy name to class.
-      STRATEGIES = {
-        :classic          => GitHub::Ldap::MembershipValidators::Classic,
-        :recursive        => GitHub::Ldap::MembershipValidators::Recursive,
-        :active_directory => GitHub::Ldap::MembershipValidators::ActiveDirectory
-      }
-    end
-  end
-end

data/test/ldap_test.rb

@@ -73,28 +73,45 @@ module GitHubLdapTestCases
     assert_equal "dc=github,dc=com", payload[:base]
   end
 
-  def test_membership_validator_default
-    assert_equal :detect, @ldap.membership_validator
+  def test_search_strategy_defaults
+    assert_equal GitHub::Ldap::MembershipValidators::Recursive, @ldap.membership_validator
+    assert_equal GitHub::Ldap::MemberSearch::Recursive,         @ldap.member_search_strategy
   end
 
-  def test_membership_validator_configured_to_classic_strategy
-    @ldap.configure_membership_validation_strategy :classic
-    assert_equal :classic, @ldap.membership_validator
+  def test_search_strategy_detects_active_directory
+    caps = Net::LDAP::Entry.new
+    caps[:supportedcapabilities] = [GitHub::Ldap::ACTIVE_DIRECTORY_V61_R2_OID]
+
+    @ldap.stub :capabilities, caps do
+      @ldap.configure_search_strategy :detect
+
+      assert_equal GitHub::Ldap::MembershipValidators::ActiveDirectory, @ldap.membership_validator
+      assert_equal GitHub::Ldap::MemberSearch::ActiveDirectory,         @ldap.member_search_strategy
+    end
+  end
+
+  def test_search_strategy_configured_to_classic
+    @ldap.configure_search_strategy :classic
+    assert_equal GitHub::Ldap::MembershipValidators::Classic, @ldap.membership_validator
+    assert_equal GitHub::Ldap::MemberSearch::Classic,         @ldap.member_search_strategy
   end
 
-  def test_membership_validator_configured_to_recursive_strategy
-    @ldap.configure_membership_validation_strategy :recursive
-    assert_equal :recursive, @ldap.membership_validator
+  def test_search_strategy_configured_to_recursive
+    @ldap.configure_search_strategy :recursive
+    assert_equal GitHub::Ldap::MembershipValidators::Recursive, @ldap.membership_validator
+    assert_equal GitHub::Ldap::MemberSearch::Recursive,         @ldap.member_search_strategy
   end
 
-  def test_membership_validator_configured_to_active_directory_strategy
-    @ldap.configure_membership_validation_strategy :active_directory
-    assert_equal :active_directory, @ldap.membership_validator
+  def test_search_strategy_configured_to_active_directory
+    @ldap.configure_search_strategy :active_directory
+    assert_equal GitHub::Ldap::MembershipValidators::ActiveDirectory, @ldap.membership_validator
+    assert_equal GitHub::Ldap::MemberSearch::ActiveDirectory,         @ldap.member_search_strategy
   end
 
-  def test_membership_validator_misconfigured_to_unrecognized_strategy_falls_back_to_default
-    @ldap.configure_membership_validation_strategy :unknown
-    assert_equal :detect, @ldap.membership_validator
+  def test_search_strategy_misconfigured_to_unrecognized_strategy_falls_back_to_default
+    @ldap.configure_search_strategy :unknown
+    assert_equal GitHub::Ldap::MembershipValidators::Recursive, @ldap.membership_validator
+    assert_equal GitHub::Ldap::MemberSearch::Recursive,         @ldap.member_search_strategy
   end
 
   def test_capabilities

data/test/member_search/active_directory_test.rb

@@ -0,0 +1,77 @@
+require_relative '../test_helper'
+
+class GitHubLdapActiveDirectoryMemberSearchStubbedTest < GitHub::Ldap::Test
+  # Only run when AD integration tests aren't run
+  def run(*)
+    self.class.test_env != "activedirectory" ? super : self
+  end
+
+  def find_group(cn)
+    @domain.groups([cn]).first
+  end
+
+  def setup
+    @ldap     = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain   = @ldap.domain("dc=github,dc=com")
+    @entry    = @domain.user?('user1')
+    @strategy = GitHub::Ldap::MemberSearch::ActiveDirectory.new(@ldap)
+  end
+
+  def test_finds_group_members
+    members =
+      @ldap.stub :search, [@entry] do
+        @strategy.perform(find_group("nested-group1")).map(&:dn)
+      end
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_nested_group_members
+    members =
+      @ldap.stub :search, [@entry] do
+        @strategy.perform(find_group("n-depth-nested-group1")).map(&:dn)
+      end
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_deeply_nested_group_members
+    members =
+      @ldap.stub :search, [@entry] do
+        @strategy.perform(find_group("n-depth-nested-group9")).map(&:dn)
+      end
+    assert_includes members, @entry.dn
+  end
+end
+
+# See test/support/vm/activedirectory/README.md for details
+class GitHubLdapActiveDirectoryMemberSearchIntegrationTest < GitHub::Ldap::Test
+  # Only run this test suite if ActiveDirectory is configured
+  def run(*)
+    self.class.test_env == "activedirectory" ? super : self
+  end
+
+  def find_group(cn)
+    @domain.groups([cn]).first
+  end
+
+  def setup
+    @ldap     = GitHub::Ldap.new(options)
+    @domain   = @ldap.domain(options[:search_domains])
+    @entry    = @domain.user?('user1')
+    @strategy = GitHub::Ldap::MemberSearch::ActiveDirectory.new(@ldap)
+  end
+
+  def test_finds_group_members
+    members = @strategy.perform(find_group("nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_deeply_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group9")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+end

data/test/member_search/classic_test.rb

@@ -0,0 +1,40 @@
+require_relative '../test_helper'
+
+class GitHubLdapRecursiveMemberSearchTest < GitHub::Ldap::Test
+  def setup
+    @ldap     = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain   = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @strategy = GitHub::Ldap::MemberSearch::Classic.new(@ldap)
+  end
+
+  def find_group(cn)
+    @domain.groups([cn]).first
+  end
+
+  def test_finds_group_members
+    members = @strategy.perform(find_group("nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_deeply_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group9")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_posix_group_members
+    members = @strategy.perform(find_group("posix-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_does_not_respect_configured_depth_limit
+    strategy = GitHub::Ldap::MemberSearch::Classic.new(@ldap, depth: 2)
+    members = strategy.perform(find_group("n-depth-nested-group9")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+end

data/test/member_search/recursive_test.rb

@@ -0,0 +1,40 @@
+require_relative '../test_helper'
+
+class GitHubLdapRecursiveMemberSearchTest < GitHub::Ldap::Test
+  def setup
+    @ldap     = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain   = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @strategy = GitHub::Ldap::MemberSearch::Recursive.new(@ldap)
+  end
+
+  def find_group(cn)
+    @domain.groups([cn]).first
+  end
+
+  def test_finds_group_members
+    members = @strategy.perform(find_group("nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_deeply_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group9")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_posix_group_members
+    members = @strategy.perform(find_group("posix-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_respects_configured_depth_limit
+    strategy = GitHub::Ldap::MemberSearch::Recursive.new(@ldap, depth: 2)
+    members = strategy.perform(find_group("n-depth-nested-group9")).map(&:dn)
+    refute_includes members, @entry.dn
+  end
+end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - David Calavera
+- Matt Todd
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-15 00:00:00.000000000 Z
+date: 2014-12-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
@@ -80,9 +81,10 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Ldap authentication for humans
+description: LDAP authentication for humans
 email:
 - david.calavera@gmail.com
+- chiology@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -101,11 +103,15 @@ files:
 - lib/github/ldap/fixtures.ldif
 - lib/github/ldap/group.rb
 - lib/github/ldap/instrumentation.rb
+- lib/github/ldap/member_search.rb
+- lib/github/ldap/member_search/active_directory.rb
+- lib/github/ldap/member_search/base.rb
+- lib/github/ldap/member_search/classic.rb
+- lib/github/ldap/member_search/recursive.rb
 - lib/github/ldap/membership_validators.rb
 - lib/github/ldap/membership_validators/active_directory.rb
 - lib/github/ldap/membership_validators/base.rb
 - lib/github/ldap/membership_validators/classic.rb
-- lib/github/ldap/membership_validators/detect.rb
 - lib/github/ldap/membership_validators/recursive.rb
 - lib/github/ldap/posix_group.rb
 - lib/github/ldap/server.rb
@@ -125,9 +131,11 @@ files:
 - test/fixtures/posixGroup.schema.ldif
 - test/group_test.rb
 - test/ldap_test.rb
+- test/member_search/active_directory_test.rb
+- test/member_search/classic_test.rb
+- test/member_search/recursive_test.rb
 - test/membership_validators/active_directory_test.rb
 - test/membership_validators/classic_test.rb
-- test/membership_validators/detect_test.rb
 - test/membership_validators/recursive_test.rb
 - test/posix_group_test.rb
 - test/support/vm/activedirectory/.gitignore
@@ -161,7 +169,7 @@ rubyforge_project:
 rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
-summary: Ldap client authentication wrapper without all the boilerplate
+summary: LDAP client authentication wrapper without all the boilerplate
 test_files:
 - test/domain_test.rb
 - test/filter_test.rb
@@ -171,9 +179,11 @@ test_files:
 - test/fixtures/posixGroup.schema.ldif
 - test/group_test.rb
 - test/ldap_test.rb
+- test/member_search/active_directory_test.rb
+- test/member_search/classic_test.rb
+- test/member_search/recursive_test.rb
 - test/membership_validators/active_directory_test.rb
 - test/membership_validators/classic_test.rb
-- test/membership_validators/detect_test.rb
 - test/membership_validators/recursive_test.rb
 - test/posix_group_test.rb
 - test/support/vm/activedirectory/.gitignore

data/lib/github/ldap/membership_validators/detect.rb

@@ -1,69 +0,0 @@
-module GitHub
-  class Ldap
-    module MembershipValidators
-      # Detects the LDAP host's capabilities and determines the appropriate
-      # membership validation strategy at runtime. Currently detects for
-      # ActiveDirectory in-chain membership validation. An explicit strategy can
-      # also be defined via `GitHub::Ldap#membership_validator=`. See also
-      # `GitHub::Ldap#configure_membership_validation_strategy`.
-      class Detect < Base
-        # Internal: The capability required to use the ActiveDirectory strategy.
-        # See: http://msdn.microsoft.com/en-us/library/cc223359.aspx.
-        ACTIVE_DIRECTORY_V61_R2_OID = "1.2.840.113556.1.4.2080".freeze
-
-        def perform(entry)
-          # short circuit validation if there are no groups to check against
-          return true if groups.empty?
-
-          strategy.perform(entry)
-        end
-
-        # Internal: Returns the membership validation strategy object.
-        def strategy
-          @strategy ||= begin
-            strategy = detect_strategy
-            strategy.new(ldap, groups)
-          end
-        end
-
-        # Internal: Detects LDAP host's capabilities and chooses the best
-        # strategy for the host.
-        #
-        # If the strategy has been set explicitly, skips detection and uses the
-        # configured strategy instead.
-        #
-        # Returns the strategy class.
-        def detect_strategy
-          case
-          when GitHub::Ldap::MembershipValidators::STRATEGIES.key?(strategy_config)
-            GitHub::Ldap::MembershipValidators::STRATEGIES[strategy_config]
-          when active_directory_capability?
-            GitHub::Ldap::MembershipValidators::STRATEGIES[:active_directory]
-          else
-            GitHub::Ldap::MembershipValidators::STRATEGIES[:recursive]
-          end
-        end
-
-        # Internal: Returns the configured membership validator strategy Symbol.
-        def strategy_config
-          ldap.membership_validator
-        end
-
-        # Internal: Detect whether the LDAP host is an ActiveDirectory server.
-        #
-        # See: http://msdn.microsoft.com/en-us/library/cc223359.aspx.
-        #
-        # Returns true if the host is an ActiveDirectory server, false otherwise.
-        def active_directory_capability?
-          capabilities[:supportedcapabilities].include?(ACTIVE_DIRECTORY_V61_R2_OID)
-        end
-
-        # Internal: Returns the Net::LDAP::Entry object describing the LDAP
-        # host's capabilities (via the Root DSE).
-        def capabilities
-          ldap.capabilities
-        end
-      end
-    end
-  end
-end

data/test/membership_validators/detect_test.rb

@@ -1,49 +0,0 @@
-require_relative '../test_helper'
-
-# NOTE: Since this strategy is targeted at detecting ActiveDirectory
-# capabilities, and we don't have AD setup in CI, we stub out actual queries
-# and test against what AD *would* respond with.
-
-class GitHubLdapDetectMembershipValidatorsTest < GitHub::Ldap::Test
-  def setup
-    @ldap      = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
-    @domain    = @ldap.domain("dc=github,dc=com")
-    @entry     = @domain.user?('user1')
-    @validator = GitHub::Ldap::MembershipValidators::Detect
-  end
-
-  def make_validator(groups)
-    groups = @domain.groups(groups)
-    @validator.new(@ldap, groups)
-  end
-
-  def test_defers_to_configured_strategy
-    @ldap.configure_membership_validation_strategy(:classic)
-    validator = make_validator(%w(group))
-
-    assert_kind_of GitHub::Ldap::MembershipValidators::Classic, validator.strategy
-  end
-
-  def test_detects_active_directory
-    caps = Net::LDAP::Entry.new
-    caps[:supportedcapabilities] =
-      [GitHub::Ldap::MembershipValidators::Detect::ACTIVE_DIRECTORY_V61_R2_OID]
-
-    validator = make_validator(%w(group))
-    @ldap.stub :capabilities, caps do
-      assert_kind_of GitHub::Ldap::MembershipValidators::ActiveDirectory,
-        validator.strategy
-    end
-  end
-
-  def test_falls_back_to_recursive
-    caps = Net::LDAP::Entry.new
-    caps[:supportedcapabilities] = []
-
-    validator = make_validator(%w(group))
-    @ldap.stub :capabilities, caps do
-      assert_kind_of GitHub::Ldap::MembershipValidators::Recursive,
-        validator.strategy
-    end
-  end
-end