ldap_fluff 0.4.4 → 0.6.0

data/lib/ldap_fluff/generic_member_service.rb

@@ -1,17 +1,17 @@
 require 'net/ldap'
 
 class LdapFluff::GenericMemberService
-
   attr_accessor :ldap
 
   def initialize(ldap, config)
     @ldap       = ldap
     @base       = config.base_dn
     @group_base = (config.group_base.empty? ? config.base_dn : config.group_base)
+    @search_filter = nil
     begin
       @search_filter = Net::LDAP::Filter.construct(config.search_filter) unless (config.search_filter.nil? || config.search_filter.empty?)
-    rescue Net::LDAP::LdapError => error
-      puts "Search filter unavailable - #{error}"
+    rescue Net::LDAP::Error => e
+      puts "Search filter unavailable - #{e}"
     end
   end
 
@@ -57,6 +57,11 @@ class LdapFluff::GenericMemberService
     grouplist.map(&:downcase).collect { |g| g.sub(/.*?cn=(.*?),.*/, '\1') }
   end
 
+  def get_netgroup_users(netgroup_triples)
+    return [] if netgroup_triples.nil?
+    netgroup_triples.map { |m| m.split(',')[1] }
+  end
+
   def get_logins(userlist)
     userlist.map(&:downcase!)
     [@attr_login, 'uid', 'cn'].map do |attribute|
@@ -75,5 +80,4 @@ class LdapFluff::GenericMemberService
     end
     nil
   end
-
 end

data/lib/ldap_fluff/ldap_fluff.rb

@@ -20,7 +20,7 @@ class LdapFluff
   end
 
   def authenticate?(uid, password)
-    instrument('authenticate.ldap_fluff', :uid => uid) do |payload|
+    instrument('authenticate.ldap_fluff', :uid => uid) do |_payload|
       if password.nil? || password.empty?
         false
       else
@@ -30,21 +30,21 @@ class LdapFluff
   end
 
   def test
-    instrument('test.ldap_fluff') do |payload|
+    instrument('test.ldap_fluff') do |_payload|
       @ldap.ldap.open {}
     end
   end
 
   # return a list[] of users for a given gid
   def user_list(gid)
-    instrument('user_list.ldap_fluff', :gid => gid) do |payload|
+    instrument('user_list.ldap_fluff', :gid => gid) do |_payload|
       @ldap.users_for_gid(gid)
     end
   end
 
   # return a list[] of groups for a given uid
   def group_list(uid)
-    instrument('group_list.ldap_fluff', :uid => uid) do |payload|
+    instrument('group_list.ldap_fluff', :uid => uid) do |_payload|
       @ldap.groups_for_uid(uid)
     end
   end
@@ -52,35 +52,35 @@ class LdapFluff
   # return true if a user is in all of the groups
   # in grouplist
   def is_in_groups?(uid, grouplist)
-    instrument('is_in_groups?.ldap_fluff', :uid => uid, :grouplist => grouplist) do |payload|
+    instrument('is_in_groups?.ldap_fluff', :uid => uid, :grouplist => grouplist) do |_payload|
       @ldap.is_in_groups(uid, grouplist, true)
     end
   end
 
   # return true if uid exists
   def valid_user?(uid)
-    instrument('valid_user?.ldap_fluff', :uid => uid) do |payload|
+    instrument('valid_user?.ldap_fluff', :uid => uid) do |_payload|
       @ldap.user_exists? uid
     end
   end
 
   # return true if group exists
   def valid_group?(gid)
-    instrument('valid_group?.ldap_fluff', :gid => gid) do |payload|
+    instrument('valid_group?.ldap_fluff', :gid => gid) do |_payload|
       @ldap.group_exists? gid
     end
   end
 
   # return ldap entry
   def find_user(uid)
-    instrument('find_user.ldap_fluff', :uid => uid) do |payload|
+    instrument('find_user.ldap_fluff', :uid => uid) do |_payload|
       @ldap.member_service.find_user(uid)
     end
   end
 
   # return ldap entry
   def find_group(gid)
-    instrument('find_group.ldap_fluff', :gid => gid) do |payload|
+    instrument('find_group.ldap_fluff', :gid => gid) do |_payload|
       @ldap.member_service.find_group(gid)
     end
   end

data/lib/ldap_fluff/posix.rb

@@ -1,27 +1,14 @@
 class LdapFluff::Posix < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',') || opts[:search] == false
       service_bind
       user = @member_service.find_user(uid)
-      uid = user.first.dn if user && user.first
+      uid = user.first.dn if user&.first
     end
     @ldap.auth(uid, password)
     @ldap.bind
   end
 
-  # returns whether a user is a member of ALL or ANY particular groups
-  # note: this method is much faster than groups_for_uid
-  #
-  # gids should be an array of group common names
-  #
-  # returns true if owner is in ALL of the groups if all=true, otherwise
-  # returns true if owner is in ANY of the groups
-  def is_in_groups(uid, gids = [], all = true)
-    service_bind
-    (gids.empty? || @member_service.times_in_groups(uid, gids, all) > 0)
-  end
-
   private
 
   def users_from_search_results(search, method)
@@ -29,16 +16,21 @@ class LdapFluff::Posix < LdapFluff::Generic
     # we have to look for OUs or posixGroups within the current group scope,
     # i.e: cn=ldapusers,ou=groups,dc=example,dc=com -> cn=myusers,cn=ldapusers,ou=gr...
 
-    groups = @ldap.search(:base   => search.dn,
-                          :filter => Net::LDAP::Filter.eq('objectClass','posixGroup') |
-                                     Net::LDAP::Filter.eq('objectClass', 'organizationalunit') |
-                                     Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
-                                     Net::LDAP::Filter.eq('objectClass', 'groupOfNames'))
-
+    filter = if @use_netgroups
+               Net::LDAP::Filter.eq('objectClass', 'nisNetgroup')
+             else
+               Net::LDAP::Filter.eq('objectClass', 'posixGroup') |
+                 Net::LDAP::Filter.eq('objectClass', 'organizationalunit') |
+                 Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
+                 Net::LDAP::Filter.eq('objectClass', 'groupOfNames')
+             end
+    groups = @ldap.search(:base => search.dn, :filter => filter)
     members = groups.map { |group| group.send(method) }.flatten.uniq
 
     if method == :memberuid
       members
+    elsif method == :nisnetgrouptriple
+      @member_service.get_netgroup_users(members)
     else
       @member_service.get_logins(members)
     end

data/lib/ldap_fluff/posix_member_service.rb

@@ -2,14 +2,13 @@ require 'net/ldap'
 
 # handles the naughty bits of posix ldap
 class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'memberuid')
     super
   end
 
-  def find_user(uid)
-    user = @ldap.search(:filter => name_filter(uid), :base => @base)
+  def find_user(uid, base_dn = @base)
+    user = @ldap.search(:filter => name_filter(uid), :base => base_dn)
     raise UIDNotFoundException if (user.nil? || user.empty?)
     user
   end
@@ -18,7 +17,7 @@ class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
   # note : this method is not particularly fast for large ldap systems
   def find_user_groups(uid)
     groups = []
-    @ldap.search(:filter => Net::LDAP::Filter.eq('memberuid', uid)).each do |entry|
+    @ldap.search(:filter => Net::LDAP::Filter.eq('memberuid', uid), :base => @group_base).each do |entry|
       groups << entry[:cn][0]
     end
     groups
@@ -41,7 +40,7 @@ class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
       filters[1..(filters.size - 1)].each do |gfilter|
         filter = (all ? filter & gfilter : filter | gfilter)
       end
-      return filter
+      filter
     end
   end
 
@@ -50,5 +49,4 @@ class LdapFluff::Posix::MemberService < LdapFluff::GenericMemberService
 
   class GIDNotFoundException < LdapFluff::Error
   end
-
 end

data/lib/ldap_fluff/posix_netgroup_member_service.rb

@@ -0,0 +1,14 @@
+require 'net/ldap'
+
+# handles the naughty bits of posix ldap
+class LdapFluff::Posix::NetgroupMemberService < LdapFluff::Posix::MemberService
+  # return list of group CNs for a user
+  def find_user_groups(uid)
+    groups = []
+    @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base).each do |entry|
+      members = get_netgroup_users(entry[:nisnetgrouptriple])
+      groups << entry[:cn][0] if members.include? uid
+    end
+    groups
+  end
+end

data/test/ad_member_services_test.rb

@@ -11,6 +11,7 @@ class TestADMemberService < MiniTest::Test
 
   def basic_user
     @ldap.expect(:search, ad_user_payload, [:filter => ad_name_filter("john")])
+    @ldap.expect(:search, [{ :domainfunctionality => ['5'] }], [:base => "", :scope => 0, :attributes => ['domainFunctionality']])
     @ldap.expect(:search, ad_parent_payload(1), [:base => ad_group_dn, :scope => 0, :attributes => ['memberof']])
   end
 
@@ -20,7 +21,7 @@ class TestADMemberService < MiniTest::Test
 
   def nest_deep(n)
     # add all the expects
-    1.upto(n-1) do |i|
+    1.upto(n - 1) do |i|
       @ldap.expect(:search, ad_parent_payload(i + 1), [:base => ad_group_dn("bros#{i}"), :scope => 0, :attributes => ['memberof']])
     end
     # terminate or we loop FOREVER
@@ -39,11 +40,19 @@ class TestADMemberService < MiniTest::Test
     end
   end
 
+  def transitive_user
+    ad_transitive_payload = [{ 'msds-memberoftransitive' => [ad_group_dn("bros#1"), ad_group_dn("bros#2"), ad_group_dn("bros#3"), ad_group_dn("bros#4"), ad_group_dn("bros#5")] }]
+
+    @ldap.expect(:search, ad_user_payload('john'), [:filter => ad_name_filter("john")])
+    @ldap.expect(:search, [{ :domainfunctionality => ['6'] }], [:base => "", :scope => 0, :attributes => ['domainFunctionality']])
+    @ldap.expect(:search, ad_transitive_payload, [:base => ad_user_dn("john"), :scope => 0, :attributes => ['msds-memberOfTransitive']])
+  end
+
   def test_find_user
     basic_user
     @ldap.expect(:search, [], [:base => ad_group_dn('bros1'), :scope => 0, :attributes => ['memberof']])
     @adms.ldap = @ldap
-    assert_equal(%w(group bros1), @adms.find_user_groups("john"))
+    assert_equal(%w[group bros1], @adms.find_user_groups("john"))
     @ldap.verify
   end
 
@@ -53,7 +62,7 @@ class TestADMemberService < MiniTest::Test
     # now make 'bros1' be memberof 'group' again
     @ldap.expect(:search, ad_user_payload, [:base => ad_group_dn('bros1'), :scope => 0, :attributes => ['memberof']])
     @adms.ldap = @ldap
-    assert_equal(%w(group bros1), @adms.find_user_groups("john"))
+    assert_equal(%w[group bros1], @adms.find_user_groups("john"))
     @ldap.verify
   end
 
@@ -82,6 +91,13 @@ class TestADMemberService < MiniTest::Test
     @ldap.verify
   end
 
+  def test_transitive_groups
+    transitive_user
+    @adms.ldap = @ldap
+    assert_equal(5, @adms.find_user_groups('john').size)
+    @ldap.verify
+  end
+
   def test_nil_payload
     assert_equal([], @adms._groups_from_ldap_data(nil))
   end
@@ -160,5 +176,4 @@ class TestADMemberService < MiniTest::Test
     entry = Net::LDAP::Entry.new('Example User')
     assert_nil(@adms.get_login_from_entry(entry))
   end
-
 end

data/test/ad_test.rb

@@ -5,12 +5,12 @@ class TestAD < MiniTest::Test
 
   def setup
     super
-    @ad   = LdapFluff::ActiveDirectory.new(@config)
+    @ad = LdapFluff::ActiveDirectory.new(@config)
   end
 
   # default setup for service bind users
   def service_bind
-    @ldap.expect(:auth, nil, %w(service pass))
+    @ldap.expect(:auth, nil, %w[service pass])
     super
   end
 
@@ -37,7 +37,7 @@ class TestAD < MiniTest::Test
     @md = MiniTest::Mock.new
     user_result = MiniTest::Mock.new
     user_result.expect(:dn, ad_user_dn('Internet User'))
-    @md.expect(:find_user, [user_result], %w(internet))
+    @md.expect(:find_user, [user_result], %w[internet])
     @ad.member_service = @md
     service_bind
     @ldap.expect(:auth, nil, [ad_user_dn('Internet User'), "password"])
@@ -47,7 +47,7 @@ class TestAD < MiniTest::Test
   end
 
   def test_bad_bind
-    @ldap.expect(:auth, nil, %w(EXAMPLE\\internet password))
+    @ldap.expect(:auth, nil, %w[EXAMPLE\\internet password])
     @ldap.expect(:bind, false)
     @ad.ldap = @ldap
     assert_equal(@ad.bind?("EXAMPLE\\internet", "password"), false)
@@ -57,14 +57,14 @@ class TestAD < MiniTest::Test
   def test_groups
     service_bind
     basic_user
-    assert_equal(@ad.groups_for_uid('john'), %w(bros))
+    assert_equal(@ad.groups_for_uid('john'), %w[bros])
   end
 
   def test_bad_user
     service_bind
     md = MiniTest::Mock.new
-    md.expect(:find_user_groups, nil, %w(john))
-    def md.find_user_groups(*args)
+    md.expect(:find_user_groups, nil, %w[john])
+    def md.find_user_groups(*_args)
       raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
     end
     @ad.member_service = md
@@ -72,7 +72,7 @@ class TestAD < MiniTest::Test
   end
 
   def test_bad_service_user
-    @ldap.expect(:auth, nil, %w(service pass))
+    @ldap.expect(:auth, nil, %w[service pass])
     @ldap.expect(:bind, false)
     @ad.ldap = @ldap
     assert_raises(LdapFluff::ActiveDirectory::UnauthenticatedException) do
@@ -83,36 +83,49 @@ class TestAD < MiniTest::Test
   def test_is_in_groups
     service_bind
     basic_user
-    assert_equal(@ad.is_in_groups("john", %w(bros), false), true)
+    assert_equal(@ad.is_in_groups("john", %w[bros], false), true)
   end
 
   def test_is_some_groups
     service_bind
     basic_user
-    assert_equal(@ad.is_in_groups("john", %w(bros buds), false), true)
+    assert_equal(@ad.is_in_groups("john", %w[bros buds], false), true)
   end
 
   def test_isnt_in_all_groups
     service_bind
     basic_user
-    assert_equal(@ad.is_in_groups("john", %w(bros buds), true), false)
+    assert_equal(@ad.is_in_groups("john", %w[bros buds], true), false)
   end
 
   def test_isnt_in_groups
     service_bind
     basic_user
-    assert_equal(@ad.is_in_groups("john", %w(broskies), false), false)
+    assert_equal(@ad.is_in_groups("john", %w[broskies], false), false)
   end
 
   def test_group_subset
     service_bind
     bigtime_user
-    assert_equal(@ad.is_in_groups("john", %w(broskies), true), true)
+    assert_equal(@ad.is_in_groups("john", %w[broskies], true), true)
+  end
+
+  def test_subgroups_in_groups_are_ignored
+    group = Net::LDAP::Entry.new('foremaners')
+    md = MiniTest::Mock.new
+    2.times { md.expect(:find_group, [group], ['foremaners']) }
+    2.times { service_bind }
+    def md.find_by_dn(_dn)
+      raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
+    end
+    @ad.member_service = md
+    assert_equal @ad.users_for_gid('foremaners'), []
+    md.verify
   end
 
   def test_user_exists
     md = MiniTest::Mock.new
-    md.expect(:find_user, 'notnilluser', %w(john))
+    md.expect(:find_user, 'notnilluser', %w[john])
     @ad.member_service = md
     service_bind
     assert(@ad.user_exists?('john'))
@@ -120,8 +133,8 @@ class TestAD < MiniTest::Test
 
   def test_missing_user
     md = MiniTest::Mock.new
-    md.expect(:find_user, nil, %w(john))
-    def md.find_user(uid)
+    md.expect(:find_user, nil, %w[john])
+    def md.find_user(_uid)
       raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
     end
     @ad.member_service = md
@@ -131,7 +144,7 @@ class TestAD < MiniTest::Test
 
   def test_group_exists
     md = MiniTest::Mock.new
-    md.expect(:find_group, 'notnillgroup', %w(broskies))
+    md.expect(:find_group, 'notnillgroup', %w[broskies])
     @ad.member_service = md
     service_bind
     assert(@ad.group_exists?('broskies'))
@@ -139,8 +152,8 @@ class TestAD < MiniTest::Test
 
   def test_missing_group
     md = MiniTest::Mock.new
-    md.expect(:find_group, nil, %w(broskies))
-    def md.find_group(uid)
+    md.expect(:find_group, nil, %w[broskies])
+    def md.find_group(_uid)
       raise LdapFluff::ActiveDirectory::MemberService::GIDNotFoundException
     end
     @ad.member_service = md
@@ -181,7 +194,7 @@ class TestAD < MiniTest::Test
     nested_group[:cn] = ['katellers']
     nested_group[:objectclass] = ['organizationalunit']
     nested_group[:memberof] = ['CN=foremaners,DC=corp,DC=windows,DC=com']
-    nested_user[:objectclass]  = ['person']
+    nested_user[:objectclass] = ['person']
 
     md = MiniTest::Mock.new
     2.times { md.expect(:find_group, [group], ['foremaners']) }
@@ -195,5 +208,4 @@ class TestAD < MiniTest::Test
     assert_equal @ad.users_for_gid('foremaners'), ['testuser']
     md.verify
   end
-
 end