ldap_fluff 0.2.5 → 0.3.0

data/lib/ldap_fluff/ldap_fluff.rb

@@ -18,17 +18,23 @@ class LdapFluff
     end
   end
 
-  # return true if the user password combination
-  # authenticates the user, otherwise false
   def authenticate?(uid, password)
     if password.nil? || password.empty?
-      # protect against passwordless auth from ldap server
-      return false
+      false
     else
-      @ldap.bind? uid, password
+      !!@ldap.bind?(uid, password)
     end
   end
 
+  def test
+    @ldap.ldap.open {}
+  end
+
+  # return a list[] of users for a given gid
+  def user_list(gid)
+    @ldap.users_for_gid(gid)
+  end
+
   # return a list[] of groups for a given uid
   def group_list(uid)
     @ldap.groups_for_uid(uid)
@@ -50,4 +56,13 @@ class LdapFluff
     @ldap.group_exists? gid
   end
 
+  # return ldap entry
+  def find_user(uid)
+    @ldap.member_service.find_user(uid)
+  end
+
+  # return ldap entry
+  def find_group(gid)
+    @ldap.member_service.find_group(gid)
+  end
 end

data/lib/ldap_fluff/posix.rb

@@ -1,25 +1,14 @@
-class LdapFluff::Posix
-
-  attr_accessor :ldap, :member_service
+class LdapFluff::Posix < LdapFluff::Generic
 
   def initialize(config = {})
-    @ldap           = Net::LDAP.new(:host       => config.host,
-                                    :base       => config.base_dn,
-                                    :port       => config.port,
-                                    :encryption => config.encryption)
-    @group_base     = config.group_base || config.base_dn
     @base           = config.base_dn
-    @member_service = MemberService.new(@ldap, @group_base)
+    super
   end
 
   def bind?(uid = nil, password = nil)
     @ldap.bind_as(:filter => "(uid=#{uid})", :password => password)
   end
 
-  def groups_for_uid(uid)
-    @member_service.find_user_groups(uid)
-  end
-
   # returns whether a user is a member of ALL or ANY particular groups
   # note: this method is much faster than groups_for_uid
   #
@@ -31,22 +20,23 @@ class LdapFluff::Posix
     (gids.empty? || @member_service.times_in_groups(uid, gids, all) > 0)
   end
 
-  def user_exists?(uid)
-    begin
-      @member_service.find_user(uid)
-    rescue MemberService::UIDNotFoundException
-      return false
-    end
-    return true
-  end
+  private
 
-  def group_exists?(gid)
-    begin
-      @member_service.find_group(gid)
-    rescue MemberService::GIDNotFoundException
-      return false
+  def users_from_search_results(search, method)
+    # To find groups in standard LDAP without group membership attributes
+    # we have to look for OUs or posixGroups within the current group scope,
+    # i.e: cn=ldapusers,ou=groups,dc=example,dc=com -> cn=myusers,cn=ldapusers,ou=gr...
+
+    groups = @ldap.search(:base   => search.dn,
+                          :filter => Net::LDAP::Filter.eq('objectClass','posixGroup') |
+                                     Net::LDAP::Filter.eq('objectClass', 'organizationalunit'))
+
+    members = groups.map { |group| group.send(method) }.flatten.uniq
+
+    if method == :memberuid
+      members
+    else
+      @member_service.get_logins(members)
     end
-    return true
   end
-
 end

data/lib/ldap_fluff/posix_member_service.rb

@@ -1,37 +1,29 @@
 require 'net/ldap'
 
 # handles the naughty bits of posix ldap
-class LdapFluff::Posix::MemberService
+class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
 
-  attr_accessor :ldap
+  def initialize(ldap, config)
+    @attr_login = (config.attr_login || 'memberuid')
+    super
+  end
 
-  def initialize(ldap, group_base)
-    @ldap       = ldap
-    @group_base = group_base
+  def find_user(uid)
+    user = @ldap.search(:filter => name_filter(uid), :base => @group_base)
+    raise UIDNotFoundException if (user.nil? || user.empty?)
+    user
   end
 
   # return an ldap user with groups attached
   # note : this method is not particularly fast for large ldap systems
   def find_user_groups(uid)
     groups = []
-    find_user(uid).each do |entry|
+    @ldap.search(:filter => Net::LDAP::Filter.eq('memberuid', uid)).each do |entry|
       groups << entry[:cn][0]
     end
     groups
   end
 
-  def find_user(uid)
-    user = @ldap.search(:filter => name_filter(uid), :base => @group_base)
-    raise UIDNotFoundException if (user.nil? || user.empty?)
-    user
-  end
-
-  def find_group(gid)
-    group = @ldap.search(:filter => group_filter(gid), :base => @group_base)
-    raise GIDNotFoundException if (group.nil? || group.empty?)
-    group
-  end
-
   def times_in_groups(uid, gids, all)
     filters = []
     gids.each do |cn|
@@ -42,14 +34,6 @@ class LdapFluff::Posix::MemberService
     @ldap.search(:base => @group_base, :filter => filter).size
   end
 
-  def name_filter(uid)
-    Net::LDAP::Filter.eq("memberUid", uid)
-  end
-
-  def group_filter(cn)
-    Net::LDAP::Filter.eq("cn", cn)
-  end
-
   # AND or OR all of the filters together
   def merge_filters(filters = [], all = false)
     if !filters.nil? && filters.size >= 1
@@ -61,10 +45,10 @@ class LdapFluff::Posix::MemberService
     end
   end
 
-  class UIDNotFoundException < StandardError
+  class UIDNotFoundException < LdapFluff::Error
   end
 
-  class GIDNotFoundException < StandardError
+  class GIDNotFoundException < LdapFluff::Error
   end
 
 end

data/lib/ldap_fluff.rb

@@ -1,5 +1,8 @@
+require 'ldap_fluff/error'
 require 'ldap_fluff/config'
 require 'ldap_fluff/ldap_fluff'
+require 'ldap_fluff/generic'
+require 'ldap_fluff/generic_member_service'
 require 'ldap_fluff/active_directory'
 require 'ldap_fluff/ad_member_service'
 require 'ldap_fluff/posix'

data/test/ad_member_services_test.rb

@@ -4,9 +4,8 @@ class TestADMemberService < MiniTest::Test
   include LdapTestHelper
 
   def setup
-    config
-    @ldap    = MiniTest::Mock.new
-    @adms    = LdapFluff::ActiveDirectory::MemberService.new(@ldap, @config.group_base)
+    super
+    @adms    = LdapFluff::ActiveDirectory::MemberService.new(@ldap, @config)
     @gfilter = group_filter('group') & group_class_filter
   end
 

data/test/ad_test.rb

@@ -4,40 +4,24 @@ class TestAD < MiniTest::Test
   include LdapTestHelper
 
   def setup
-    config
+    super
     @ad   = LdapFluff::ActiveDirectory.new(@config)
-    @ldap = MiniTest::Mock.new
   end
 
   # default setup for service bind users
   def service_bind
-    @ldap.expect(:auth, nil, %w(service@internet.com pass))
-    @ldap.expect(:bind, true)
-    @ad.ldap = @ldap
-  end
-
-  def basic_user
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user_groups, %w(bros), %w(john))
-    @ad.member_service = @md
-  end
-
-  def bigtime_user
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user_groups, %w(bros broskies), %w(john))
-    @ad.member_service = @md
+    @ldap.expect(:auth, nil, %w(service pass))
+    super
   end
 
   def test_good_bind
-    @ldap.expect(:auth, nil, %w(internet@internet.com password))
-    @ldap.expect(:bind, true)
-    @ad.ldap = @ldap
-    assert_equal(@ad.bind?("internet", "password"), true)
+    service_bind
+    assert_equal(@ad.bind?('service', 'pass'), true)
     @ldap.verify
   end
 
   def test_bad_bind
-    @ldap.expect(:auth, nil, %w(internet@internet.com password))
+    @ldap.expect(:auth, nil, %w(internet password))
     @ldap.expect(:bind, false)
     @ad.ldap = @ldap
     assert_equal(@ad.bind?("internet", "password"), false)
@@ -52,20 +36,20 @@ class TestAD < MiniTest::Test
 
   def test_bad_user
     service_bind
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user_groups, nil, %w(john))
-    def @md.find_user_groups(*args)
+    md = MiniTest::Mock.new
+    md.expect(:find_user_groups, nil, %w(john))
+    def md.find_user_groups(*args)
       raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
     end
-    @ad.member_service = @md
+    @ad.member_service = md
     assert_equal(@ad.groups_for_uid('john'), [])
   end
 
   def test_bad_service_user
-    @ldap.expect(:auth, nil, %w(service@internet.com pass))
+    @ldap.expect(:auth, nil, %w(service pass))
     @ldap.expect(:bind, false)
     @ad.ldap = @ldap
-    assert_raises(LdapFluff::ActiveDirectory::UnauthenticatedActiveDirectoryException) do
+    assert_raises(LdapFluff::ActiveDirectory::UnauthenticatedException) do
       @ad.groups_for_uid('john')
     end
   end
@@ -101,41 +85,63 @@ class TestAD < MiniTest::Test
   end
 
   def test_user_exists
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user, 'notnilluser', %w(john))
-    @ad.member_service = @md
+    md = MiniTest::Mock.new
+    md.expect(:find_user, 'notnilluser', %w(john))
+    @ad.member_service = md
     service_bind
     assert(@ad.user_exists?('john'))
   end
 
   def test_missing_user
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user, nil, %w(john))
-    def @md.find_user(uid)
+    md = MiniTest::Mock.new
+    md.expect(:find_user, nil, %w(john))
+    def md.find_user(uid)
       raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
     end
-    @ad.member_service = @md
+    @ad.member_service = md
     service_bind
     refute(@ad.user_exists?('john'))
   end
 
   def test_group_exists
-    @md = MiniTest::Mock.new
-    @md.expect(:find_group, 'notnillgroup', %w(broskies))
-    @ad.member_service = @md
+    md = MiniTest::Mock.new
+    md.expect(:find_group, 'notnillgroup', %w(broskies))
+    @ad.member_service = md
     service_bind
     assert(@ad.group_exists?('broskies'))
   end
 
   def test_missing_group
-    @md = MiniTest::Mock.new
-    @md.expect(:find_group, nil, %w(broskies))
-    def @md.find_group(uid)
+    md = MiniTest::Mock.new
+    md.expect(:find_group, nil, %w(broskies))
+    def md.find_group(uid)
       raise LdapFluff::ActiveDirectory::MemberService::GIDNotFoundException
     end
-    @ad.member_service = @md
+    @ad.member_service = md
     service_bind
     refute(@ad.group_exists?('broskies'))
   end
 
+  def test_find_users_in_nested_groups
+    group        = Net::LDAP::Entry.new('foremaners')
+    nested_group = Net::LDAP::Entry.new('katellers')
+    nested_user  = Net::LDAP::Entry.new('testuser')
+
+    group[:member]        = ['CN=katellers,DC=corp,DC=windows,DC=com']
+    nested_group[:member] = ['CN=testuser,CN=Users,DC=corp,DC=windows,DC=com']
+    nested_group[:objectclass] = ['organizationalunit']
+    nested_user[:objectclass]  = ['person']
+
+    md = MiniTest::Mock.new
+    2.times { md.expect(:find_group, [group], ['foremaners']) }
+    2.times { md.expect(:find_group, [nested_group], ['katellers']) }
+    2.times { service_bind }
+
+    md.expect(:find_user,  [nested_group], ['katellers'])
+    md.expect(:find_user,  [nested_user],  ['testuser'])
+    md.expect(:get_logins, 'testuser', [nested_group.member])
+    @ad.member_service = md
+    assert_equal @ad.users_for_gid('foremaners'), ['testuser']
+  end
+
 end

data/test/config_test.rb

@@ -4,7 +4,7 @@ class ConfigTest < MiniTest::Test
   include LdapTestHelper
 
   def test_unsupported_type
-    assert_raises(LdapFluff::ConfigError) { LdapFluff.new(config_hash.update :server_type => 'inactive_directory') }
+    assert_raises(LdapFluff::Config::ConfigError) { LdapFluff.new(config_hash.update :server_type => 'inactive_directory') }
   end
 
   def test_load_posix

data/test/ipa_member_services_test.rb

@@ -4,9 +4,8 @@ class TestIPAMemberService < MiniTest::Test
   include LdapTestHelper
 
   def setup
-    config
-    @ldap  = MiniTest::Mock.new
-    @ipams = LdapFluff::FreeIPA::MemberService.new(@ldap, @config.group_base)
+    super
+    @ipams = LdapFluff::FreeIPA::MemberService.new(@ldap, @config)
   end
 
   def basic_user

data/test/ipa_test.rb

@@ -4,35 +4,19 @@ class TestIPA < MiniTest::Test
   include LdapTestHelper
 
   def setup
-    config
-    @ipa  = LdapFluff::FreeIPA.new(@config)
-    @ldap = MiniTest::Mock.new
+    super
+    @ipa = LdapFluff::FreeIPA.new(@config)
   end
 
   # default setup for service bind users
   def service_bind
     @ldap.expect(:auth, nil, [ipa_user_bind('service'), "pass"])
-    @ldap.expect(:bind, true)
-    @ipa.ldap = @ldap
-  end
-
-  def basic_user
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user_groups, %w(bros), %w(john))
-    @ipa.member_service = @md
-  end
-
-  def bigtime_user
-    @md = MiniTest::Mock.new
-    @md.expect(:find_user_groups, %w(bros broskies), %w(john))
-    @ipa.member_service = @md
+    super
   end
 
   def test_good_bind
-    @ldap.expect(:auth, nil, [ipa_user_bind('internet'), "password"])
-    @ldap.expect(:bind, true)
-    @ipa.ldap = @ldap
-    assert_equal(@ipa.bind?("internet", "password"), true)
+    service_bind
+    assert_equal(@ipa.bind?('service', 'pass'), true)
     @ldap.verify
   end
 
@@ -65,7 +49,7 @@ class TestIPA < MiniTest::Test
     @ldap.expect(:auth, nil, [ipa_user_bind('service'), "pass"])
     @ldap.expect(:bind, false)
     @ipa.ldap = @ldap
-    assert_raises(LdapFluff::FreeIPA::UnauthenticatedFreeIPAException) do
+    assert_raises(LdapFluff::FreeIPA::UnauthenticatedException) do
       @ipa.groups_for_uid('john')
     end
   end
@@ -138,5 +122,23 @@ class TestIPA < MiniTest::Test
     refute(@ipa.group_exists?('broskies'))
   end
 
+  def test_find_users_in_nested_groups
+    group = Net::LDAP::Entry.new('gid=foremaners,cn=Groups,cn=accounts,dc=localdomain')
+    group[:member] = ['gid=katellers,cn=Groups,cn=accounts,dc=localdomain']
+    nested_group = Net::LDAP::Entry.new('gid=katellers,cn=Groups,cn=accounts,dc=localdomain')
+    nested_group[:member] = ['uid=testuser,cn=users,cn=accounts,dc=localdomain']
+
+    md = MiniTest::Mock.new
+    2.times { md.expect(:find_group, [group], ['foremaners']) }
+    2.times { md.expect(:find_group, [nested_group], ['katellers']) }
+    2.times { service_bind }
+    md.expect(:get_logins, ['testuser'], [['uid=testuser,cn=users,cn=accounts,dc=localdomain']])
+
+    @ipa.member_service = md
+
+    assert_equal @ipa.users_for_gid('foremaners'), ['testuser']
+    md.verify
+  end
+
 end
 

data/test/ldap_test.rb

@@ -4,8 +4,7 @@ class TestLDAP < MiniTest::Test
   include LdapTestHelper
 
   def setup
-    config
-    @ldap  = MiniTest::Mock.new
+    super
     @fluff = LdapFluff.new(config_hash)
   end
 

data/test/lib/ldap_test_helper.rb

@@ -7,22 +7,45 @@ module LdapTestHelper
   attr_accessor :group_base, :class_filter, :user
 
   def config_hash
-    { :host         => "internet.com",
-      :port         => "387",
-      :encryption   => :start_tls,
-      :base_dn      => "dc=internet,dc=com",
-      :group_base   => "ou=group,dc=internet,dc=com",
-      :service_user => "service",
-      :service_pass => "pass",
-      :ad_domain    => "internet.com",
-      :server_type  => :free_ipa
+    { :host          => "internet.com",
+      :port          => "387",
+      :encryption    => :start_tls,
+      :base_dn       => "dc=internet,dc=com",
+      :group_base    => "ou=group,dc=internet,dc=com",
+      :service_user  => "service",
+      :service_pass  => "pass",
+      :server_type   => :free_ipa,
+      :attr_login    => nil,
+      :search_filter => nil
     }
   end
 
+  def setup
+    config
+    @ldap = MiniTest::Mock.new
+  end
+
   def config
     @config ||= LdapFluff::Config.new config_hash
   end
 
+  def service_bind
+    @ldap.expect(:bind, true)
+    get_test_instance_variable.ldap = @ldap
+  end
+
+  def basic_user
+    @md = MiniTest::Mock.new
+    @md.expect(:find_user_groups, %w(bros), %w(john))
+    get_test_instance_variable.member_service = @md
+  end
+
+  def bigtime_user
+    @md = MiniTest::Mock.new
+    @md.expect(:find_user_groups, %w(bros broskies), %w(john))
+    get_test_instance_variable.member_service = @md
+  end
+
   def ad_name_filter(name)
     Net::LDAP::Filter.eq("samaccountname", name)
   end
@@ -52,19 +75,19 @@ module LdapTestHelper
   end
 
   def ad_user_payload
-    [{ :memberof => ["CN=group,dc=internet,dc=com"] }]
+    [{ :memberof => ["cn=group,dc=internet,dc=com"] }]
   end
 
   def ad_group_payload
-    [{ :cn => "broze", :memberof => ["CN=group,dc=internet,dc=com"] }]
+    [{ :cn => "broze", :memberof => ["cn=group,dc=internet,dc=com"] }]
   end
 
   def ad_parent_payload(num)
-    [{ :memberof => ["CN=bros#{num},dc=internet,dc=com"] }]
+    [{ :memberof => ["cn=bros#{num},dc=internet,dc=com"] }]
   end
 
   def ad_double_payload(num)
-    [{ :memberof => ["CN=bros#{num},dc=internet,dc=com", "CN=broskies#{num},dc=internet,dc=com"] }]
+    [{ :memberof => ["cn=bros#{num},dc=internet,dc=com", "cn=broskies#{num},dc=internet,dc=com"] }]
   end
 
   def posix_user_payload
@@ -82,4 +105,10 @@ module LdapTestHelper
   def ipa_group_payload
     [{ :cn => 'group' }, { :memberof => ['cn=group,dc=internet,dc=com', 'cn=bros,dc=internet,dc=com'] }]
   end
+
+  private
+
+  def get_test_instance_variable
+    instance_variable_get("@#{self.class.to_s.underscore.split('_')[1..-1].join}")
+  end
 end

data/test/posix_member_services_test.rb

@@ -4,9 +4,8 @@ class TestPosixMemberService < MiniTest::Test
   include LdapTestHelper
 
   def setup
-    config
-    @ldap = MiniTest::Mock.new
-    @ms   = LdapFluff::Posix::MemberService.new(@ldap, @config.group_base)
+    super
+    @ms = LdapFluff::Posix::MemberService.new(@ldap, @config)
   end
 
   def test_find_user
@@ -14,6 +13,14 @@ class TestPosixMemberService < MiniTest::Test
     @ldap.expect(:search, user, [:filter => @ms.name_filter('john'),
                                  :base   => config.group_base])
     @ms.ldap = @ldap
+    assert_equal posix_user_payload, @ms.find_user('john')
+    @ldap.verify
+  end
+
+  def test_find_user_groups
+    user = posix_user_payload
+    @ldap.expect(:search, user, [:filter => @ms.name_filter('john')])
+    @ms.ldap = @ldap
     assert_equal ['bros'], @ms.find_user_groups('john')
     @ldap.verify
   end