ldap-group-manager 1.3.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9b343d86dae66287a19d9af4d598ab564ade5c2a918483ff2f28ea0b40109ce8
+  data.tar.gz: f64b800326c9d86dd01fe71b5d12fda1f52396057ceb84834b49bba68433c0f5
+SHA512:
+  metadata.gz: a55c41e7b7cc6af29bf0700c72ab3f4360894adfd5ec6e6f0f31ebf4e86d5ba1bcf94fb6bca9a751348b34cc0382cde93ed568257b92876c39e28ae86ea1b817
+  data.tar.gz: 6fd1873161c2ea3411503e87a55bf16eebc64782d37242f45b820ecd83f1cf445e5444ea528d82d2b041ced16747edf8137dc870088781909e8518020cac0da6

data/Gemfile

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 AdGear Technologies Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,93 @@
+# ldap-group-manager
+
+A Ruby helper to maintain LDAP group membership as flat yaml files. The goal is
+to enable group membership to be managed through Github's pull requests
+mechanisms by our CI systems.
+
+## Installation
+
+```shell
+gem install ldap-group-manager
+```
+
+## Configuration
+
+Just declare the following environment variables.
+
+| Variable       | Usage                                              |
+|----------------|----------------------------------------------------|
+| AG_LDAP_HOST   | Points to the ldaps server                         |
+| AG_LOCAL_STATE | Points to the yaml definitions of your groups      |
+| AG_PASSWORD    | The binder's password                              |
+| AG_TREEBASE    | The base of your search tree                       |
+| AG_USER_DN     | The full DN of the user to use as a binder to ldap |
+
+## Commands
+
+### diff
+
+Displays the actions to be executed to bring remote in sync with local.
+
+```shell
+$ ldap-group-manager diff --verify-users
+[2018-09-07T16:01:00.001-04:00] INFO: Compiling all local groups
+[2018-09-07T16:02:00.002-04:00] INFO: Compiling local users
+[2018-09-07T16:03:00.003-04:00] INFO: Verifying 67 local users against remote
+[2018-09-07T16:04:00.004-04:00] INFO: Compiling remote groups
+[2018-09-07T16:05:00.005-04:00] INFO: Operations to perform
+{
+    :operations => {
+        :create => [],
+        :modify => [
+            [0] {
+                    :cn => "yul",
+                :attrib => :description,
+                 :value => [
+                    [0] "Montreal"
+                ]
+            },
+            [1] {
+                    :cn => "yul.managers",
+                :attrib => :member,
+                 :value => [
+                    [0] "Keyser Soze",
+                    [1] "Walter White",
+                    [2] "Victor Von Doom"
+                ]
+            }
+        ],
+        :delete => [
+            [0] "yul.qa"
+        ]
+    }
+}
+```
+
+### apply
+
+Applies the changes required to bring the remote state in sync with local.
+
+```shell
+ldap-group-manager apply
+```
+
+### Global flags
+
+- `--verify-users` ensures every locally declared user exists on the
+  remote server. It takes forever to do... be forewarned.
+
+## Contributing
+
+1. Fork it!
+2. Create your feature branch: `git checkout -b my-new-feature`
+3. Commit your changes: `git commit -am 'Add some feature'`
+4. Push to the branch: `git push origin my-new-feature`
+5. Submit a pull request :D
+
+## Credits
+
+Alexis Vanier
+
+## License
+
+Check LICENSE file.

data/bin/ldap-group-manager

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require_relative('../lib/app.rb')
+AdGear::Infrastructure::GroupManager::App.start(ARGV)

data/lib/app.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+require_relative('config')
+require_relative('logging')
+require_relative('ldap')
+require_relative('utils')
+require_relative('version')
+require('thor')
+
+# AdGear
+# Top level container
+# @since 0.1.0
+module AdGear
+  # Infrastructure
+  # Container within the AdGear space for infrastructure related tools.
+  # @since 0.1.0
+  module Infrastructure
+    # GroupManager
+    # A Ruby gem that pushes group memberships to LDAP.
+    # @since 0.1.0
+    module GroupManager
+      # App
+      # The top of stack abstraction for this application.
+      # Read through the code to check the sequence of events.
+      # @since 0.1.0
+      class App < Thor
+        include AdGear::Infrastructure::GroupManager::Config
+        include AdGear::Infrastructure::GroupManager::Logging
+        include AdGear::Infrastructure::GroupManager::LDAP
+        include AdGear::Infrastructure::GroupManager::Utils
+        include AdGear::Infrastructure::GroupManager::Version
+
+        package_name 'groupmanager'
+
+        map %w[--version -v] => :print_version
+
+        # Displays the gem's version when invoked in the CLI.
+        # @since 0.1.0
+        desc '--version, -v', 'print the version'
+        def print_version
+          puts GEM_VERSION
+        end
+
+        class_option :verify_users, desc: 'Verifies that locally defined users exist remotely', type: :boolean
+
+        desc 'diff', 'displays the difference between local and remote'
+        # Displays the difference between local and remote.
+        # @since 0.1.0
+        def diff
+          # get all local groups
+          Log.info('Compiling all local groups')
+          local_groups = Config.list_all_groups
+          local_groups.each { |i| local_groups[i[0]] = Utils.symbolify_all_keys(i[1]) }
+          local_groups = Utils.sort_member(local_groups)
+          Log.debug(msg: 'local groups', local_groups: local_groups)
+
+          Log.info('Compiling local users')
+          users = Config.list_users
+          Log.debug(msg: 'users', users: users)
+
+          # get all local users and check if they exist remotely
+          if options[:verify_users]
+            Log.info("Verifying #{users.length} local users against remote")
+            users.each { |dn| LDAP.user_exists?(dn) ? Log.debug("#{dn} exists") : raise("#{dn} does not exist") }
+          end
+
+          # get all remote groups
+          Log.info('Compiling remote groups')
+          remote_groups = LDAP.list_all_groups
+          remote_groups = Utils.symbolify_all_keys(remote_groups)
+          remote_groups = Utils.sort_member(remote_groups)
+          Log.debug(msg: 'remote groups', remote_groups: remote_groups)
+
+          ops_to_perform = Utils.create_ops_list(local_groups, remote_groups)
+          Log.info(msg: 'Operations to perform', operations: ops_to_perform)
+          ops_to_perform
+        end
+
+        desc 'apply', 'applies changes to remote'
+        # Applies remote changes
+        # @since 0.1.0
+        def apply
+          ops_to_perform = diff
+          Log.info("Creating #{ops_to_perform[:create].length} new entities")
+          ops_to_perform[:create].each do |cn|
+            LDAP.set_item(
+              :create,
+              ["cn=#{cn}", Utils.find_ou(cn), GLOBAL_CONFIG[:treebase]].join(', ')
+            )
+          end
+          if ops_to_perform[:create].any? && ops_to_perform[:modify].any?
+            sleep_time = GLOBAL_CONFIG[:settle_sleep]
+            sleep sleep_time
+            Log.info("Waiting #{sleep_time} seconds for ldap to propagate changes after object creation")
+          end
+
+          Log.info("Applying #{ops_to_perform[:modify].length} modifications to existing items")
+          ops_to_perform[:modify].each do |i|
+            LDAP.set_item(
+              :modify, ["cn=#{i[:cn]}",
+                        Utils.find_ou(i[:cn]),
+                        GLOBAL_CONFIG[:treebase]].join(', '), i[:attrib], i[:value]
+                      )
+          end
+
+          if ops_to_perform[:delete]
+            Log.info("Removing #{ops_to_perform[:delete].length} deprecated items")
+
+            items_to_delete = ops_to_perform[:delete].map do |i|
+              treebase = GLOBAL_CONFIG[:treebase]
+
+              filter = Net::LDAP::Filter.construct("CN=#{i}*")
+
+              target = nil
+              Binder.search(base: treebase, filter: filter).each do |entry|
+                next unless /^CN=#{i},OU=/ =~ entry.dn
+                target = entry.dn
+              end
+              target
+            end
+
+            items_to_delete.each do |i|
+              LDAP.delete_item(i)
+              Log.debug(Binder.get_operation_result)
+            end
+          end
+
+          Log.info('done')
+
+          exit(0)
+        end
+      end
+    end
+  end
+end

data/lib/config.rb

@@ -0,0 +1,115 @@
+# The global config instance.
+# @since 0.1.0
+module AdGear
+  module Infrastructure
+    module GroupManager
+      module Config
+        require('yaml')
+        require_relative('logging')
+
+        include AdGear::Infrastructure::GroupManager::Logging
+
+        # The global config instance
+        # rubocop:disable Style/MutableConstant
+        GLOBAL_CONFIG = {
+          data: {
+            locations: {},
+            organizational: {},
+            functional: {},
+            permissions: {}
+          }
+        }
+
+        GLOBAL_CONFIG[:user_dn] = ENV['AG_USER_DN']
+        GLOBAL_CONFIG[:password] = ENV['AG_PASSWORD']
+        GLOBAL_CONFIG[:ldap_host] = ENV['AG_LDAP_HOST']
+        GLOBAL_CONFIG[:treebase] = ENV['AG_TREEBASE']
+        GLOBAL_CONFIG[:local_state] = ENV['AG_LOCAL_STATE'] || Dir.pwd
+        GLOBAL_CONFIG[:settle_sleep] = Integer(ENV['AG_SETTLE_SLEEP'] || 15)
+
+        GLOBAL_CONFIG.freeze
+        # rubocop:enable Style/MutableConstant
+
+        config_files = Dir.glob(File.join(GLOBAL_CONFIG[:local_state], '**/*.{yaml,yml}'))
+        Log.trace(config_files)
+        Log.fatal('No configuration files detected') if config_files.empty?
+
+        config_files.each do |file|
+          Log.debug("loading #{file}")
+          parts = file.split('/').reject(&:empty?)
+          target = parts[parts.length - 2]
+          Log.debug("target: #{target}")
+          data = YAML.safe_load(File.read(file)) || {}
+          GLOBAL_CONFIG[:data][target.to_sym].merge!(data)
+
+          # This block sanitizes the schema of incoming configuration to ignore any unknown keys
+          # It's the _"next best thing"_ short of casting the individual items onto a schema. ;_;
+          GLOBAL_CONFIG[:data].each do |type, _|
+            Log.debug("type" => type)
+            GLOBAL_CONFIG[:data][type].each do |group, _|
+              Log.debug("group" => group)
+              Log.debug(GLOBAL_CONFIG[:data][type][group])
+              unknown_keys = GLOBAL_CONFIG[:data][type][group].keys.reject { |k| [ 'description', 'member' ].include?(k) }
+
+              Log.debug(unknown_keys)
+              unknown_keys.each do |k|
+                GLOBAL_CONFIG[:data][type][group].delete(k)
+                Log.debug("deleted #{type}.#{group}.#{k}")
+              end
+            end
+          end
+        end
+
+        module_function
+
+        # Lists all the groups
+        # @since 0.1.0
+        def list_all_groups
+          newobj = {}
+          GLOBAL_CONFIG[:data].each do |_k, v|
+            newobj.merge!(v)
+          end
+          newobj
+        end
+
+        # List all organizational groups defined in local configuration.
+        # @since 0.1.0
+        def list_org_groups
+          GLOBAL_CONFIG[:data][:organizational]
+        end
+
+        # List all organizational groups defined in local configuration.
+        # @since 0.1.0
+        def list_perm_groups
+          GLOBAL_CONFIG[:data][:permissions]
+        end
+
+        # List all funcitonal groups defined in local configuration
+        # @since 1.0.0
+        def list_func_groups
+          GLOBAL_CONFIG[:data][:functional]
+        end
+
+        # List all location groups defined in local configuration.
+        # @since 0.1.0
+        def list_locations
+          GLOBAL_CONFIG[:data][:locations]
+        end
+
+        # List all users defined in local configuration.
+        # @since 0.1.0
+        def list_users
+          users = []
+          list_all_groups.each do |_k, v|
+            next if v.nil?
+            next unless v.key?('member')
+            next if v['member'].nil?
+
+            users += v['member']
+          end
+          users = users.uniq.sort - list_all_groups.keys
+        end
+      end
+    end
+  end
+end

data/lib/ldap.rb

@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+
+# The global ldap instance. Uses the <code>net-ldap</code>.
+# @since 0.1.0
+module AdGear::Infrastructure::GroupManager::LDAP
+  require('net-ldap')
+  require_relative('./config')
+  require_relative('./logging')
+  require_relative('./utils')
+
+  include AdGear::Infrastructure::GroupManager::Config
+  include AdGear::Infrastructure::GroupManager::Logging
+  include AdGear::Infrastructure::GroupManager::Utils
+
+  Binder = Net::LDAP.new host: GLOBAL_CONFIG[:ldap_host],
+                         port: 636,
+                         encryption: {
+                           method: :simple_tls,
+                           tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+                         },
+                         auth: {
+                           method: :simple,
+                           username: GLOBAL_CONFIG[:user_dn],
+                           password: GLOBAL_CONFIG[:password]
+                         }
+
+  module_function
+
+  # Fetches a given item by CN.
+  # @since 0.1.0
+  def get_item(cn, location)
+    treebase = GLOBAL_CONFIG[:treebase]
+
+    filter_string = ["distinguishedName=CN=#{cn}"]
+    filter_string << location if location
+    filter_string << treebase
+    filter_string = filter_string.join(', ')
+
+    filter = Net::LDAP::Filter.construct("(#{filter_string})")
+
+    hash = {}
+    Log.debug("Filter: #{filter}")
+
+    Binder.search(base: treebase, filter: filter) do |entry|
+      entry.each { |var| hash[var.to_s.delete('@')] = entry.public_send(var) }
+      Log.debug(msg: 'Found this!', data: hash)
+    end
+    hash
+  end
+
+  # Verifies that a given user exists.
+  # @since 0.1.0
+  def user_exists?(dn)
+    Log.debug("Verifying if user #{dn} exists")
+    treebase = GLOBAL_CONFIG[:treebase]
+
+    filter_string = ["distinguishedName=CN=#{dn}"]
+    filter_string << 'OU=Keycloak Users'
+    filter_string << treebase
+
+    filter = Net::LDAP::Filter.construct("(#{filter_string.join(', ')})")
+    result = Binder.search(base: treebase, filter: filter)
+    Log.trace("Dumping query inspect", data: result.inspect)
+    Log.trace("Dumping operation result", data: Binder.get_operation_result)
+    result.kind_of?(Array) && result.any?
+  end
+
+  # Modifies or creates an item.
+  # This is shoddily written and modify and create should be split.
+  # @since 0.1.0
+  def set_item(action, dn, attrib = nil, val = nil)
+    if action == :modify
+      if attrib == :member && !val.nil?
+        val.map! do |m|
+          [
+            "cn=#{m}",
+            AdGear::Infrastructure::GroupManager::Utils.find_ou(m),
+            GLOBAL_CONFIG[:treebase]
+          ].join(', ')
+        end
+        Binder.replace_attribute(dn, attrib, val)
+      elsif val.nil?
+        Binder.replace_attribute(dn, attrib, [])
+      else
+        Binder.replace_attribute(dn, attrib, val)
+      end
+      Log.debug(msg: 'Trying to set attribute', result: Binder.get_operation_result, dn: dn, key: attrib, value: val)
+    elsif action == :create
+      base_attributes = {
+        samaccountname: dn.split(',').first.gsub(/cn=/i, ''),
+        objectclass: %w[top group]
+      }
+
+      Binder.add(dn: dn, attributes: base_attributes)
+      result = Binder.get_operation_result
+      Log.debug(msg: 'Trying to add item', result: result, dn: dn)
+    end
+  end
+
+  # Deletes an item. Kerplow!
+  # @since 0.1.0
+  def delete_item(dn)
+    Binder.delete(dn: dn)
+    result = Binder.get_operation_result
+    Log.debug(msg: 'Trying to delete item', result: result, dn: dn)
+  end
+
+  # Lists organizational units in the remote instance.
+  # @since 0.1.0
+  def list_organizational_units
+    treebase = GLOBAL_CONFIG[:treebase]
+
+    result = []
+
+    filter = Net::LDAP::Filter.construct('(objectCategory=organizationalUnit)')
+    Binder.search(base: treebase, filter: filter) do |entry|
+      result.push(entry.dn) if entry.dn.match?(/OU=Keycloak Groups/)
+    end
+    result.empty? ? raise('No valid OUs found') : result
+  end
+
+  # Lists all groups in the remote instance.
+  # @since 0.1.0
+  def list_groups(treebase)
+    filter = Net::LDAP::Filter.construct('(objectClass=group)')
+
+    result = {}
+
+    Log.debug(msg: 'base and filter', base: treebase, filter: filter.to_s)
+
+    Binder.search(base: treebase, filter: filter) do |entry|
+      Log.trace('Dumping binder entry', entry)
+
+      obj = {}
+
+      entry.each do |k, v|
+        next unless [:member].include?(k)
+        Log.trace('dumping key, values', k: k, v: v)
+        obj[k] = v.map { |p| extract_cn(p) }.sort
+      end
+
+      obj[:description] = entry.description if entry.respond_to?(:description)
+
+      result[extract_cn(entry.dn)] = obj unless entry.dn.nil?
+    end
+
+    Binder.get_operation_result
+    Log.error("No results for #{treebase}") if result.empty?
+    result
+  end
+
+  # Lists all organizational groups in the remote instance.
+  # @since 0.1.0
+  def list_org_groups
+    list_groups(list_organizational_units.select { |g| g.match?(/^OU=Organizational/) }.first)
+  end
+
+  # Lists all functional groups in the remote instance.
+  # @since 1.0.0
+  def list_func_groups
+    list_groups(list_organizational_units.select { |g| g.match?(/^OU=Functional/) }.first)
+  end
+
+  # Lists all permissions groups in the remote instance.
+  # @since 0.1.0
+  def list_perm_groups
+    list_groups(list_organizational_units.select { |g| g.match?(/^OU=Permission/) }.first)
+  end
+
+  # Lists all location groups in the remote instance.
+  # @since 0.1.0
+  def list_locations
+    list_groups(list_organizational_units.select { |g| g.match?(/^OU=Location/) }.first)
+  end
+
+  # Lists all groups groups in the remote instance.
+  # @since 0.1.0
+  def list_all_groups
+    groups = {}
+    groups.merge!(list_org_groups)
+    groups.merge!(list_func_groups)
+    groups.merge!(list_perm_groups)
+    groups.merge!(list_locations)
+    groups
+  end
+
+  # Extracts the CN out of a full DN.
+  # @since 0.1.0
+  def extract_cn(dn)
+    dn.split(',').select { |p| p.match(/^CN=/) }.first.gsub('CN=', '')
+  end
+end

data/lib/logging.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# The global logging instance. Uses the <code>Ougai</code> JSON structured
+# logger.
+# @since 0.1.0
+module AdGear::Infrastructure::GroupManager::Logging
+  require('ougai')
+
+  # The global logging instance
+  if ENV['AG_LOG_FORMAT'] =~ /json/i
+    Log = Ougai::Logger.new(STDOUT)
+  else
+    Log = Ougai::Logger.new(STDERR)
+    Log.formatter = Ougai::Formatters::Readable.new
+  end
+
+  Log.level = ENV['LOG_LEVEL'] || 'info'
+
+  module_function
+
+  # A helper method that allows to log an error and exit.
+  # @param [Array] args passes all arguments, as is, to Ougai.
+  # @return [nil] no return.
+  # @since 0.1.0
+  def fatal(*args)
+    Log.error(*args)
+    exit(1)
+  end
+end

data/lib/utils.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+# The global utils container. Used for storing common stuff.
+# @since 0.1.0
+module AdGear::Infrastructure::GroupManager::Utils
+  require_relative('./config')
+  require_relative('./logging')
+
+  include AdGear::Infrastructure::GroupManager::Config
+  include AdGear::Infrastructure::GroupManager::Logging
+
+  module_function
+
+  # A helper method that converts all symbol keys to string keys.
+  # @since 0.1.0
+  def stringify_all_keys(hash)
+    stringified_hash = {}
+    hash.each do |k, v|
+      stringified_hash[k.to_s] = v.is_a?(Hash) ? stringify_all_keys(v) : v
+    end
+    stringified_hash
+  end
+
+  # A helper method that converts all string keys to symbol keys.
+  # @since 0.1.0
+  def symbolify_all_keys(hash)
+    Log.debug(msg: 'symbolifiying', data: hash)
+    symbolified = {}
+    hash.keys.each do |k|
+      newkey = %w[member description].include?(k) ? k.to_sym : k
+      symbolified[newkey] = hash[k].is_a?(Hash) ? symbolify_all_keys(hash[k]) : hash[k]
+    end
+    symbolified
+  end
+
+  # I don't remember what this does
+  # @since 0.1.0
+  def diff_op_exist?(ops, type, target)
+    ops.select { |op| op[0] == type && op[1] == target }.any?
+  end
+
+  # Checks if the reverse operation exists
+  # @since 0.1.0
+  def duplicate?(ops, item)
+    opposite = case item[0]
+               when '-'
+                 '+'
+               when '+'
+                 '-'
+               end
+    ops.select { |op| op[0] == opposite && op[1] == item[1] && op[2] == item[2] }.any?
+  end
+
+  # Finds in which OU a given CN can be found.
+  # @since 0.1.0
+  def find_ou(cn)
+    if GLOBAL_CONFIG[:data][:organizational].key?(cn)
+      'OU=Organizational, OU=Keycloak Groups'
+    elsif GLOBAL_CONFIG[:data][:functional].key?(cn)
+      'OU=Functional, OU=Keycloak Groups'
+    elsif GLOBAL_CONFIG[:data][:permissions].key?(cn)
+      'OU=Permission, OU=Keycloak Groups'
+    elsif GLOBAL_CONFIG[:data][:locations].key?(cn)
+      'OU=Location, OU=Keycloak Groups'
+    else
+      'OU=Keycloak Users'
+    end
+  end
+
+  # Sorts the member array bundle of groups.
+  # @since 0.1.0
+  def sort_member(all_groups)
+    ordered_groups = {}
+    all_groups.keys.sort.each do |group|
+      ordered_groups[group] = {}
+      begin
+        all_groups[group].sort.map { |k, v| ordered_groups[group][k] = v }
+      rescue => e
+        Log.debug(group)
+        Log.debug(all_groups[group])
+        Log.error(e)
+        exit(1)
+      end
+      unless !all_groups[group].key?(:member) || all_groups[group][:member].nil?
+        ordered_groups[group].delete(:member)
+        ordered_groups[group][:member] = all_groups[group][:member].sort
+      end
+    end
+    ordered_groups
+  end
+
+  # Creates the list of operations to perform to synchronize local with remote.
+  # @since 0.1.0
+  def create_ops_list(local_groups, remote_groups)
+    operations = {
+      create: [],
+      modify: [],
+      delete: []
+    }
+
+    local_groups.each do |gr, vals|
+      # if remote group exists, diff each attribute
+      if remote_groups.key?(gr)
+        vals.keys.each do |key|
+          message = {
+            msg: "diffing local and remote instances of #{gr}",
+            cn: gr,
+            attrib: key,
+            local: local_groups[gr][key],
+            remote: remote_groups.dig(gr, key),
+            require_change: compare_attributes(local_groups[gr][key], remote_groups.dig(gr, key))
+          }
+          Log.debug(message) if message[:require_change]
+          if compare_attributes(local_groups[gr][key], remote_groups.dig(gr, key))
+            operations[:modify] << { cn: gr, attrib: key, value: local_groups[gr][key] }
+          end
+        end
+      else
+        # if remote group doesn't exist create key, then modify
+        operations[:create] << gr
+        vals.keys.each do |key|
+          operations[:modify] << { cn: gr, attrib: key, value: local_groups[gr][key] }
+        end
+      end
+    end
+
+    # delete remote groups that aren't locally described
+    (remote_groups.keys - local_groups.keys).each { |gr| operations[:delete] << gr }
+
+    # return stuff to do
+    operations
+  end
+
+  # A helper method that compares two objects, accounting for LDAP idiosyncracies.
+  # @since 0.1.0
+  def compare_attributes(local, remote)
+    (local == [] ? nil : local) != remote
+  end
+end

data/lib/version.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+# Holds the verison of the gem.
+module AdGear
+  module Infrastructure
+    module GroupManager
+      module Version
+        # The global constant holding the version of the gem.
+        GEM_VERSION = '1.3.1'.freeze
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: ldap-group-manager
+version: !ruby/object:Gem::Version
+  version: 1.3.1
+platform: ruby
+authors:
+- Alexis Vanier
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-08-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+- !ruby/object:Gem::Dependency
+  name: ougai
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.20.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.20.0
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email: 
+executables:
+- ldap-group-manager
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- LICENSE
+- README.md
+- bin/ldap-group-manager
+- lib/app.rb
+- lib/config.rb
+- lib/ldap.rb
+- lib/logging.rb
+- lib/utils.rb
+- lib/version.rb
+homepage: https://www.github.com/adgear/ldap-group-manager
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - "~>"
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Manage ldap group membership as flat files
+test_files: []