ldap_fluff 0.2.5 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4d1b201862035d1d10565885a1bd42c66bf6a749
-  data.tar.gz: feb2b3a0f9ce3f6995494ca55d0962e83f12ef99
+  metadata.gz: 37c4eced1c338a71de90a9bfd06ad6fcf77f2680
+  data.tar.gz: 073cb1a0c739a9a1fc49ff9d32defbd202956504
 SHA512:
-  metadata.gz: 6dee98c9c1171ea486d7258cf75e6ff73a88a20a3a83b22edc86b75f406a1853b0f2806b9e90eafbbc18c9b02b610ab5f6202481f241f96520e53efa71c7928a
-  data.tar.gz: a505593f361c83c8d3687e4601f4063c113b0b8bfbcef63abc699412d11f19b0331bebd54b8d17facefc070a424a1cacc3fec6af6c24042c9fc40f9f0dd73653
+  metadata.gz: 3169fd42b66606a9f94761fbec81689d60891d1b6eb7e70a1225fe1305b79342da68422d5a910d838ce8317ece64ecd17787f1617f6d1c602ca64d4597318eb2
+  data.tar.gz: cae46d73863511bf0f69b99f0bc839728e89b500cfa6338a6de3fedf5c3fc902d1678f42f2eff378df50dd19de11fc15c9fa43b7d8de47afb82034ffd8525b66

data/lib/ldap_fluff/active_directory.rb

@@ -1,42 +1,22 @@
-class LdapFluff::ActiveDirectory
-  attr_accessor :ldap, :member_service
+class LdapFluff::ActiveDirectory < LdapFluff::Generic
 
   def initialize(config = {})
-    @ldap       = Net::LDAP.new(:host       => config.host,
-                                :base       => config.base_dn,
-                                :port       => config.port,
-                                :encryption => config.encryption)
-    @group_base = config.group_base || config.base_dn
-    @ad_domain  = config.ad_domain
     @bind_user  = config.service_user
     @bind_pass  = config.service_pass
     @anon       = config.anon_queries
-
-    @member_service = MemberService.new(@ldap, @group_base)
+    super
   end
 
   def bind?(uid = nil, password = nil)
-    @ldap.auth("#{uid}@#{@ad_domain}", password)
+    @ldap.auth(uid, password)
     @ldap.bind
   end
 
-  # AD generally does not support un-authenticated searching
-  # Typically AD admins configure a public user for searching
-  def service_bind
-    unless @anon || bind?(@bind_user, @bind_pass)
-      raise UnauthenticatedActiveDirectoryException, "Could not bind to AD Service User"
-    end
-  end
-
   # returns the list of groups to which a user belongs
   # this query is simpler in active directory
   def groups_for_uid(uid)
     service_bind
-    begin
-      @member_service.find_user_groups(uid)
-    rescue MemberService::UIDNotFoundException
-      return []
-    end
+    super
   end
 
   # active directory stores group membership on a users model
@@ -54,25 +34,34 @@ class LdapFluff::ActiveDirectory
   end
 
   def user_exists?(uid)
-    begin
-      service_bind
-      @member_service.find_user(uid)
-    rescue MemberService::UIDNotFoundException
-      return false
-    end
-    return true
+    service_bind
+    super
   end
 
   def group_exists?(gid)
-    begin
-      service_bind
-      @member_service.find_group(gid)
-    rescue MemberService::GIDNotFoundException
-      return false
-    end
-    return true
+    service_bind
+    super
   end
 
-  class UnauthenticatedActiveDirectoryException < StandardError
+  private
+
+  def users_from_search_results(search, method)
+    users = []
+
+    search.send(method).each do |member|
+      cn    = member.downcase.split(',')[0].split('=')[1]
+      entry = @member_service.find_user(cn).first
+
+      objectclasses = entry.objectclass.map(&:downcase)
+
+      if (%w(organizationalperson person) & objectclasses).present?
+        users << @member_service.get_logins([member])
+      elsif (%w(organizationalunit group) & objectclasses).present?
+        users << users_for_gid(cn)
+      end
+    end
+
+    users.flatten.uniq
   end
+
 end

data/lib/ldap_fluff/ad_member_service.rb

@@ -1,13 +1,11 @@
 require 'net/ldap'
 
 # Naughty bits of active directory ldap queries
-class LdapFluff::ActiveDirectory::MemberService
+class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberService
 
-  attr_accessor :ldap
-
-  def initialize(ldap, group_base)
-    @ldap       = ldap
-    @group_base = group_base
+  def initialize(ldap, config)
+    @attr_login = (config.attr_login || 'samaccountname')
+    super
   end
 
   # get a list [] of ldap groups for a given user
@@ -17,23 +15,11 @@ class LdapFluff::ActiveDirectory::MemberService
     _groups_from_ldap_data(data.first)
   end
 
-  def find_user(uid)
-    data = @ldap.search(:filter => name_filter(uid))
-    raise UIDNotFoundException if (data.nil? || data.empty?)
-    data
-  end
-
-  def find_group(gid)
-    data = @ldap.search(:filter => group_filter(gid), :base => @group_base)
-    raise GIDNotFoundException if (data.nil? || data.empty?)
-    data
-  end
-
   # return the :memberof attrs + parents, recursively
   def _groups_from_ldap_data(payload)
     data = []
     if !payload.nil?
-      first_level  = _group_names_from_cn(payload[:memberof])
+      first_level  = get_groups(payload[:memberof])
       total_groups = _walk_group_ancestry(first_level)
       data         = (first_level + total_groups).uniq
     end
@@ -48,42 +34,20 @@ class LdapFluff::ActiveDirectory::MemberService
       search = @ldap.search(:filter => filter, :base => @group_base)
       if !search.nil? && !search.first.nil?
         group = search.first
-        set  += _group_names_from_cn(group[:memberof])
+        set  += get_groups(group[:memberof])
         set  += _walk_group_ancestry(set)
       end
     end
     set
   end
 
-  def group_filter(gid)
-    Net::LDAP::Filter.eq("cn", gid)
-  end
-
   def class_filter
     Net::LDAP::Filter.eq("objectclass", "group")
   end
 
-  def name_filter(uid)
-    Net::LDAP::Filter.eq("samaccountname", uid)
-  end
-
-  # extract the group names from the LDAP style response,
-  # return string will be something like
-  # CN=bros,OU=bropeeps,DC=jomara,DC=redhat,DC=com
-  #
-  # AD group proc from
-  # http://erniemiller.org/2008/04/04/simplified-active-directory-authentication/
-  #
-  # I think we would normally want to just do the collect at the end,
-  # but we need the individual names for recursive queries
-  def _group_names_from_cn(grouplist)
-    p = proc { |g| g.sub(/.*?CN=(.*?),.*/, '\1') }
-    grouplist.collect(&p)
-  end
-
-  class UIDNotFoundException < StandardError
+  class UIDNotFoundException < LdapFluff::Error
   end
 
-  class GIDNotFoundException < StandardError
+  class GIDNotFoundException < LdapFluff::Error
   end
 end

data/lib/ldap_fluff/config.rb

@@ -1,90 +1,85 @@
 require 'yaml'
 require 'active_support/core_ext/hash'
 
-class LdapFluff
-  class ConfigError < StandardError
-  end
-
-  class Config
-    ATTRIBUTES = %w[host port encryption base_dn group_base server_type ad_domain service_user
-                    service_pass anon_queries]
-    ATTRIBUTES.each { |attr| attr_reader attr.to_sym }
-
-    DEFAULT_CONFIG = { 'port'         => 389,
-                       'encryption'   => nil,
-                       'base_dn'      => 'dc=company,dc=com',
-                       'group_base'   => 'dc=company,dc=com',
-                       'server_type'  => :free_ipa,
-                       'ad_domain'    => nil,
-                       'anon_queries' => false }
-
-    def initialize(config)
-      raise ArgumentError unless config.respond_to?(:to_hash)
-      config = validate(convert(config))
-
-      ATTRIBUTES.each do |attr|
-        instance_variable_set(:"@#{attr}", config[attr])
-      end
+class LdapFluff::Config
+  ATTRIBUTES = %w[host port encryption base_dn group_base server_type service_user
+                    service_pass anon_queries attr_login search_filter]
+  ATTRIBUTES.each { |attr| attr_reader attr.to_sym }
+
+  DEFAULT_CONFIG = { 'port'         => 389,
+                     'encryption'   => nil,
+                     'base_dn'      => 'dc=company,dc=com',
+                     'group_base'   => 'dc=company,dc=com',
+                     'server_type'  => :free_ipa,
+                     'anon_queries' => false }
+
+  def initialize(config)
+    raise ArgumentError unless config.respond_to?(:to_hash)
+    config = validate(convert(config))
+
+    ATTRIBUTES.each do |attr|
+      instance_variable_set(:"@#{attr}", config[attr])
     end
+  end
 
-    private
+  private
 
-    # @param [#to_hash] config
-    def convert(config)
-      config.to_hash.with_indifferent_access.tap do |conf|
-        %w[encryption server_type].each do |key|
-          conf[key] = conf[key].to_sym if conf[key]
-        end
+  # @param [#to_hash] config
+  def convert(config)
+    config.to_hash.with_indifferent_access.tap do |conf|
+      %w[encryption server_type].each do |key|
+        conf[key] = conf[key].to_sym if conf[key]
       end
     end
+  end
 
-    def missing_keys?(config)
-      missing_keys = ATTRIBUTES - config.keys
-      raise ConfigError, "missing configuration for keys: #{missing_keys.join(',')}" unless missing_keys.empty?
-    end
-
-    def unknown_keys?(config)
-      unknown_keys = config.keys - ATTRIBUTES
-      raise ConfigError, "unknown configuration keys: #{unknown_keys.join(',')}" unless unknown_keys.empty?
-    end
+  def missing_keys?(config)
+    missing_keys = ATTRIBUTES - config.keys
+    raise ConfigError, "missing configuration for keys: #{missing_keys.join(',')}" unless missing_keys.empty?
+  end
 
-    def all_required_keys?(config)
-      %w[host port base_dn group_base server_type].all? do |key|
-        raise ConfigError, "config key #{key} has to be set, it was nil" if config[key].nil?
-      end
+  def unknown_keys?(config)
+    unknown_keys = config.keys - ATTRIBUTES
+    raise ConfigError, "unknown configuration keys: #{unknown_keys.join(',')}" unless unknown_keys.empty?
+  end
 
-      %w[service_user service_pass].all? do |key|
-        if !config['anon_queries'] && config['server_type'] != :posix && config[key].nil?
-          raise ConfigError, "config key #{key} has to be set, it was nil"
-        end
-      end
+  def all_required_keys?(config)
+    %w[host port base_dn group_base server_type].all? do |key|
+      raise ConfigError, "config key #{key} has to be set, it was nil" if config[key].nil?
     end
 
-    def anon_queries_set?(config)
-      unless [false, true].include?(config['anon_queries'])
-        raise ConfigError, "config key anon_queries has to be true or false but was #{config['anon_queries']}"
+    %w[service_user service_pass].all? do |key|
+      if !config['anon_queries'] && config['server_type'] != :posix && config[key].nil?
+        raise ConfigError, "config key #{key} has to be set, it was nil"
       end
     end
+  end
 
-    def correct_server_type?(config)
-      unless [:posix, :active_directory, :free_ipa].include?(config['server_type'])
-        raise ConfigError, 'config key server_type has to be :active_directory, :posix, :free_ipa ' +
-          "but was #{config['server_type']}"
-      end
+  def anon_queries_set?(config)
+    unless [false, true].include?(config['anon_queries'])
+      raise ConfigError, "config key anon_queries has to be true or false but was #{config['anon_queries']}"
     end
+  end
 
-    def validate(config)
-      config = DEFAULT_CONFIG.merge(config)
+  def correct_server_type?(config)
+    unless [:posix, :active_directory, :free_ipa].include?(config['server_type'])
+      raise ConfigError, 'config key server_type has to be :active_directory, :posix, :free_ipa ' +
+        "but was #{config['server_type']}"
+    end
+  end
 
-      correct_server_type?(config)
-      missing_keys?(config)
-      unknown_keys?(config)
-      all_required_keys?(config)
-      anon_queries_set?(config)
+  def validate(config)
+    config = DEFAULT_CONFIG.merge(config)
 
-      config
-    end
+    correct_server_type?(config)
+    missing_keys?(config)
+    unknown_keys?(config)
+    all_required_keys?(config)
+    anon_queries_set?(config)
 
-  end # Config
+    config
+  end
 
-end # LdapFluff
+  class ConfigError < LdapFluff::Error
+  end
+end

data/lib/ldap_fluff/error.rb

@@ -0,0 +1,5 @@
+class LdapFluff
+  class Error < StandardError
+  end
+end
+

data/lib/ldap_fluff/freeipa.rb

@@ -1,19 +1,11 @@
-class LdapFluff::FreeIPA
-
-  attr_accessor :ldap, :member_service
+class LdapFluff::FreeIPA < LdapFluff::Generic
 
   def initialize(config = {})
-    @ldap       = Net::LDAP.new(:host       => config.host,
-                                :base       => config.base_dn,
-                                :port       => config.port,
-                                :encryption => config.encryption)
-    @group_base = config.group_base || config.base_dn
     @base       = config.base_dn
     @bind_user  = config.service_user
     @bind_pass  = config.service_pass
     @anon       = config.anon_queries
-
-    @member_service = MemberService.new(@ldap, @group_base)
+    super
   end
 
   def bind?(uid = nil, password = nil)
@@ -22,21 +14,11 @@ class LdapFluff::FreeIPA
   end
 
   def groups_for_uid(uid)
-    service_bind
     begin
-      @member_service.find_user_groups(uid)
-    rescue MemberService::UIDNotFoundException
-      return []
+    service_bind
+    super
     rescue MemberService::InsufficientQueryPrivilegesException
-      raise UnauthenticatedFreeIPAException, "Insufficient Privileges to query groups data"
-    end
-  end
-
-  # AD generally does not support un-authenticated searching
-  # Typically AD admins configure a public user for searching
-  def service_bind
-    unless @anon || bind?(@bind_user, @bind_pass)
-      raise UnauthenticatedFreeIPAException, "Could not bind to FreeIPA Query User"
+      raise UnauthenticatedException, "Insufficient Privileges to query groups data"
     end
   end
 
@@ -58,26 +40,30 @@ class LdapFluff::FreeIPA
   end
 
   def user_exists?(uid)
-    begin
-      service_bind
-      @member_service.find_user(uid)
-    rescue MemberService::UIDNotFoundException
-      return false
-    end
-    return true
+    service_bind
+    super
   end
 
   def group_exists?(gid)
-    begin
-      service_bind
-      @member_service.find_group(gid)
-    rescue MemberService::GIDNotFoundException
-      return false
-    end
-    return true
+    service_bind
+    super
   end
 
-  class UnauthenticatedFreeIPAException < StandardError
-  end
+  private
 
+  def users_from_search_results(search, method)
+    # Member results come in the form uid=sampleuser,cn=users, etc.. or gid=samplegroup,cn=groups
+    users = []
+
+    search.send(method).each do |member|
+      type = member.downcase.split(',')[1]
+      if type == 'cn=users'
+        users << @member_service.get_logins([member])
+      elsif type == 'cn=groups'
+        users << users_for_gid(member.split(',')[0].split('=')[1])
+      end
+    end
+
+    users.flatten.uniq
+  end
 end

data/lib/ldap_fluff/freeipa_member_service.rb

@@ -1,13 +1,11 @@
 require 'net/ldap'
 
 # handles the naughty bits of posix ldap
-class LdapFluff::FreeIPA::MemberService
+class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
 
-  attr_accessor :ldap
-
-  def initialize(ldap, group_base)
-    @ldap       = ldap
-    @group_base = group_base
+  def initialize(ldap, config)
+    @attr_login = (config.attr_login || 'uid')
+    super
   end
 
   # return an ldap user with groups attached
@@ -17,41 +15,16 @@ class LdapFluff::FreeIPA::MemberService
     # if group data is missing, they aren't querying with a user
     # with enough privileges
     raise InsufficientQueryPrivilegesException if user.size <= 1
-    _group_names_from_cn(user[1][:memberof])
-  end
-
-  def find_user(uid)
-    user = @ldap.search(:filter => name_filter(uid))
-    raise UIDNotFoundException if (user.nil? || user.empty?)
-    user
-  end
-
-  def find_group(gid)
-    group = @ldap.search(:filter => group_filter(gid), :base => @group_base)
-    raise GIDNotFoundException if (group.nil? || group.empty?)
-    group
-  end
-
-  def name_filter(uid)
-    Net::LDAP::Filter.eq("uid", uid)
-  end
-
-  def group_filter(gid)
-    Net::LDAP::Filter.eq("cn", gid)
-  end
-
-  def _group_names_from_cn(grouplist)
-    p = proc { |g| g.sub(/.*?cn=(.*?),.*/, '\1') }
-    grouplist.collect(&p)
+    get_groups(user[1][:memberof])
   end
 
-  class UIDNotFoundException < StandardError
+  class UIDNotFoundException < LdapFluff::Error
   end
 
-  class GIDNotFoundException < StandardError
+  class GIDNotFoundException < LdapFluff::Error
   end
 
-  class InsufficientQueryPrivilegesException < StandardError
+  class InsufficientQueryPrivilegesException < LdapFluff::Error
   end
 
 end

data/lib/ldap_fluff/generic.rb

@@ -0,0 +1,75 @@
+class LdapFluff::Generic
+  attr_accessor :ldap, :member_service
+
+  def initialize(config = {})
+    @ldap = Net::LDAP.new(:host       => config.host,
+                          :base       => config.base_dn,
+                          :port       => config.port,
+                          :encryption => config.encryption)
+    @attr_login = config.attr_login
+    @group_base = (config.group_base.empty? ? config.base_dn : config.group_base)
+    @member_service = self.class::MemberService.new(@ldap, config)
+  end
+
+  def user_exists?(uid)
+    @member_service.find_user(uid)
+    true
+  rescue self.class::MemberService::UIDNotFoundException
+    false
+  end
+
+  def group_exists?(gid)
+    @member_service.find_group(gid)
+    true
+  rescue self.class::MemberService::GIDNotFoundException
+    false
+  end
+
+  def groups_for_uid(uid)
+    @member_service.find_user_groups(uid)
+  rescue self.class::MemberService::UIDNotFoundException
+    return []
+  end
+
+  def users_for_gid(gid)
+    return [] unless group_exists?(gid)
+    search = @member_service.find_group(gid).last
+
+    method = [:member, :ismemberof,
+              :memberof, :memberuid].find { |m| search.respond_to? m } or
+             raise 'Group does not have any members'
+
+    users_from_search_results(search, method)
+  end
+
+  def includes_cn?(cn)
+    filter = Net::LDAP::Filter.eq('cn', cn)
+    @ldap.search(:base => @ldap.base, :filter => filter).present?
+  end
+
+  def service_bind
+    unless @anon || bind?(@bind_user, @bind_pass)
+      raise UnauthenticatedException,
+            "Could not bind to #{class_name} user #{@bind_user}"
+    end
+  end
+
+  private
+  def class_name
+    self.class.name.split('::').last
+  end
+
+  def users_from_search_results(search, method)
+    members = search.send method
+    if method == :memberuid
+      # memberuid contains an array ['user1','user2'], no need to parse it
+      members
+    else
+      @member_service.get_logins(members)
+    end
+  end
+
+  class UnauthenticatedException < LdapFluff::Error
+  end
+end
+

data/lib/ldap_fluff/generic_member_service.rb

@@ -0,0 +1,62 @@
+require 'net/ldap'
+
+class LdapFluff::GenericMemberService
+
+  attr_accessor :ldap
+
+  def initialize(ldap, config)
+    @ldap       = ldap
+    @group_base = (config.group_base.empty? ? config.base_dn : config.group_base)
+    begin
+      @search_filter = Net::LDAP::Filter.construct(config.search_filter) unless (config.search_filter.nil? || config.search_filter.empty?)
+    rescue Net::LDAP::LdapError => error
+      puts "Search filter unavailable - #{error}"
+    end
+  end
+
+  def find_user(uid)
+    user = @ldap.search(:filter => name_filter(uid))
+    raise self.class::UIDNotFoundException if (user.nil? || user.empty?)
+    user
+  end
+
+  def find_group(gid)
+    group = @ldap.search(:filter => group_filter(gid), :base => @group_base)
+    raise self.class::GIDNotFoundException if (group.nil? || group.empty?)
+    group
+  end
+
+  def name_filter(uid)
+    filter = Net::LDAP::Filter.eq(@attr_login, uid)
+
+    if @search_filter.nil?
+      filter
+    else
+      filter & @search_filter
+    end
+  end
+
+  def group_filter(gid)
+    Net::LDAP::Filter.eq("cn", gid)
+  end
+
+  # extract the group names from the LDAP style response,
+  # return string will be something like
+  # CN=bros,OU=bropeeps,DC=jomara,DC=redhat,DC=com
+  def get_groups(grouplist)
+    grouplist.map(&:downcase).collect { |g| g.sub(/.*?cn=(.*?),.*/, '\1') }
+  end
+
+  def get_logins(userlist)
+    userlist.map(&:downcase!)
+    [@attr_login, 'uid', 'cn'].map do |attribute|
+      logins = userlist.collect { |g| g.sub(/.*?#{attribute}=(.*?),.*/, '\1') }
+      if logins == userlist
+        nil
+      else
+        logins
+      end
+    end.compact.flatten
+  end
+
+end