ldumbd 0.1.0

data/lib/ldumbd/preforkserver.rb

@@ -0,0 +1,64 @@
+require 'socket'
+require 'etc'
+
+module Ldumbd
+  class PreforkServer
+    def initialize(opt)
+      @acceptor = nil
+      @bind_address = opt[:bindaddr] || '0.0.0.0'
+      @port = opt[:port] || 1389
+      @group = opt[:group]
+      @user = opt[:user]
+      @nodelay = opt.has_key?(:nodelay) ? opt[:nodelay] : true
+      @listen = opt[:listen] || 10
+      @num_processes = opt[:num_processes] || 10
+      @debug = opt[:debug]
+    end
+
+    def run(&block)
+      start
+      Process::GID.change_privilege(Etc.getgrnam(@group)) if @group
+      Process::UID.change_privilege(Etc.getpwnam(@user)) if @user
+      @num_processes.times do
+        fork do
+          trap('INT') { exit }
+
+          puts "child #$$ accepting connections on #{@bind_address}:#{@port}" if @debug
+          loop do
+            socket = @acceptor.accept
+            block.call(socket)
+            socket.close
+          end
+          exit
+        end
+      end
+      self
+    end
+
+    def join
+      Process.waitall
+    end
+
+    private
+    def start
+      @acceptor = TCPServer.new(@bind_address, @port)
+      if @nodelay
+        @acceptor.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+      end
+      @acceptor.listen(@listen)
+      trap('EXIT') { @acceptor.close }
+    end
+  end
+end
+
+module LDAP
+  class Server
+    def run_preforkserver
+      opt = @opt
+      server = Ldumbd::PreforkServer.new(opt)
+      @thread = server.run do |socket|
+        LDAP::Server::Connection::new(socket, opt).handle_requests
+      end
+    end
+  end
+end

data/lib/ldumbd/table_map.rb

@@ -0,0 +1,89 @@
+module Ldumbd
+  class TableMap
+    TABLE_MAP = {
+      group: {
+        object_classes: ['posixGroup'],
+        attributes: {
+          'gidNumber' => :groups__id,
+          'cn'        => :groups__name,
+          'memberUid' => :users
+        },
+      },
+      user: {
+        object_classes: ['posixAccount'],
+        attributes: {
+          'uidNumber'     => :users__id,
+          'uid'           => :users__name,
+          'cn'            => :users__realname,
+          'loginShell'    => :users__shell,
+          'homeDirectory' => :users__homedir,
+          'gidNumber'     => :users__group_id
+        }
+      }
+    }
+
+    def self.invert_attribute_map(attributes)
+      attribute_array = attributes.map do |ldap_key, db_key|
+        /\A[a-z]*__(?<db_key_compact>.*)\z/ =~ db_key.to_s
+        [db_key_compact.nil? ? nil : db_key_compact.to_sym, ldap_key]
+      end
+      Hash[attribute_array].delete_if { |k, v| k.nil? }
+    end
+    private_class_method :invert_attribute_map
+
+    def self.invert_table_map(table_map)
+      table_array = table_map.map do |model, properties|
+        [model, invert_attribute_map(properties[:attributes])]
+      end
+      Hash[table_array]
+    end
+    private_class_method :invert_table_map
+
+    INVERSE_TABLE_MAP = invert_table_map(TABLE_MAP)
+
+    def self.db_key(model, ldap_key)
+      table = model_to_sym(model)
+      TABLE_MAP[table][:attributes][ldap_key]
+    end
+
+    def self.object_classes(model)
+      table = model_to_sym(model)
+      TABLE_MAP[table][:object_classes]
+    end
+
+    def self.model_to_sym(model)
+      model.name.downcase.to_sym
+    end
+    private_class_method :model_to_sym
+
+    def self.ldap_keys(model)
+      table = model_to_sym(model)
+      INVERSE_TABLE_MAP[table]
+    end
+
+    # TODO: move this into User/Group model class
+    def self.sequel_to_ldap_object(sequel_object)
+      # return unmodified object if it is not a Sequel model instance
+      return sequel_object unless sequel_object.is_a?(Sequel::Model)
+
+      model = sequel_object.class
+      ldap_keys = ldap_keys(model)
+      ldap_array = sequel_object.values.map do |sequel_key, value|
+        # LDAP::Server expects all values to be Arrays
+        [ldap_keys[sequel_key], [value]]
+      end
+      ldap_object = Hash[ldap_array]
+
+      ldap_object['objectClass'] = object_classes(model)
+      if sequel_object.is_a?(Group)
+        ldap_object['dn_prefix'] = "cn=#{sequel_object.name},ou=Groups"
+        if sequel_object.users.any?
+          ldap_object['memberUid'] = sequel_object.users.map { |u| u.name }
+        end
+      elsif sequel_object.is_a?(User)
+        ldap_object['dn_prefix'] = "uid=#{sequel_object.name},ou=People"
+      end
+      ldap_object
+    end
+  end
+end

data/lib/ldumbd/tree_object.rb

@@ -0,0 +1,67 @@
+require 'ldap/server'
+require 'sequel'
+require 'ldumbd/filter_converter'
+
+module Ldumbd
+  class TreeObject
+    attr_accessor :children
+    attr_accessor :attributes
+
+    def initialize(attributes = {})
+      @attributes = attributes
+      @children = []
+    end
+
+    def matches_filter?(filter)
+      ldap_object = TableMap.sequel_to_ldap_object(@attributes)
+      LDAP::Server::Filter.run(filter, ldap_object)
+    end
+
+    def each_child(filter = [:true], recurse = false, &block)
+      @children.each do |child|
+        if child.is_a?(TreeObject)
+          if LDAP::Server::Filter.run(filter, child.attributes)
+            yield child.attributes
+          end
+          child.each_child(filter, recurse, &block) if recurse
+        elsif child < Sequel::Model
+          query = Ldumbd::FilterConverter.filter_to_sequel(child, filter)
+          child.where(query).each do |r|
+            yield r
+          end
+        end
+      end
+    end
+
+    def self.by_dn(basedn, dn)
+      object = nil
+
+      dn_filter, model = dn_to_filter_and_model(basedn, dn)
+      if dn_filter
+        query = Ldumbd::FilterConverter.filter_to_sequel(model, dn_filter)
+        result = model.where(query).first
+        object = result ? self.new(result) : nil
+      end
+      object
+    end
+
+    def self.attribute_from_dn(basedn, dn, attribute, ou)
+      dn.scan(/\A#{attribute}=([^,]*),ou=#{ou},#{basedn}\z/).flatten.last
+    end
+    private_class_method :attribute_from_dn
+
+    def self.dn_to_filter_and_model(basedn, dn)
+      uid = attribute_from_dn(basedn, dn, 'uid', 'People')
+      cn = attribute_from_dn(basedn, dn, 'cn', 'Groups')
+
+      if uid
+        return [:eq, 'uid', nil, uid], User
+      elsif cn
+        return [:eq, 'cn', nil, cn], Group
+      else
+        return nil, nil
+      end
+    end
+    private_class_method :dn_to_filter_and_model
+  end
+end

data/lib/ldumbd/user.rb

@@ -0,0 +1,3 @@
+class User < Sequel::Model
+  many_to_many :groups
+end

data/lib/ldumbd/version.rb

@@ -0,0 +1,3 @@
+module Ldumbd
+  VERSION = '0.1.0'
+end

data/spec/filter_converter_spec.rb

@@ -0,0 +1,154 @@
+require_relative 'spec_helper'
+
+require 'ldumbd/filter_converter'
+
+describe Ldumbd::FilterConverter do
+  before(:each) do
+    @john = new_user('John Doe')
+    @jane = new_user('Jane Doe')
+    @all_group = Group.create(name: 'allusers')
+    @all_group.add_user(@john)
+    @all_group.add_user(@jane)
+  end
+
+  it 'should process :true filters' do
+    filter = [:true]
+    user_query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    group_query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    users = User.where(user_query)
+    groups = Group.where(group_query)
+    users.count.must_equal User.count
+    groups.count.must_equal Group.count
+  end
+
+  it 'should process :false filters' do
+    filter = [:false]
+    user_query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    group_query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    users = User.where(user_query)
+    groups = Group.where(group_query)
+    users.count.must_equal 0
+    groups.count.must_equal 0
+  end
+
+  it 'should process :eq filters' do
+    filter = [:eq, 'uid', nil, @john.name]
+    query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    users = User.where(query)
+    users.count.must_equal 1
+    users.first.must_equal @john
+  end
+
+  it 'should process :or filters' do
+    filter = [:or,
+              [:eq, 'uid', nil, @john.name],
+              [:eq, 'uid', nil, @jane.name]]
+    query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    users = User.where(query).order(:id)
+    users.count.must_equal 2
+    users.all[0].must_equal @john
+    users.all[1].must_equal @jane
+  end
+
+  it 'should process memberUid filters' do
+    filter = [:eq, 'memberUid', nil, @jane.name]
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal 1
+    groups.first.must_equal @all_group
+  end
+
+  it 'should process :and filters' do
+    filter = [:and,
+              [:eq, 'gidNumber', nil, @all_group.id],
+              [:eq, 'memberUid', nil, @jane.name],
+              [:not, [:eq, 'memberUid', nil, 'nonexistentusername42']]]
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal 1
+    groups.first.must_equal @all_group
+  end
+
+  it 'should process :ge and :le filters' do
+    filter = [:and,
+              [:ge, 'gidNumber', nil, 65000],
+              [:le, 'gidNumber', nil, 66000]]
+    query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    users = User.where(query).order(:id)
+    users.count.must_equal 2
+    users.all[0].must_equal @john
+    users.all[1].must_equal @jane
+  end
+
+  it 'should process :substrings filters' do
+    filter = [:substrings, 'uid', nil, "jo", "doe"]
+    query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    users = User.where(query)
+    users.count.must_equal 1
+    users.first.must_equal @john
+  end
+
+  it 'should process :substrings filters on memberUids' do
+    filter = [:substrings, 'memberUid', nil, "jo", "doe"]
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal 1
+    groups.first.must_equal @all_group
+  end
+
+  it 'should return no results for unknown attributes' do
+    filter = [:eq, 'nonexistent', nil, 'somethingsomething']
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal 0
+  end
+
+  it 'should process objectClass :substrings requests' do
+    # (objectClass=posixGr*)
+    filter = [:substrings, 'objectClass', nil, 'posixGr', nil]
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal Group.count
+  end
+
+  it 'should process objectClass :eq requests' do
+    # (objectClass=posixGroup)
+    filter = [:eq, 'objectClass', nil, 'posixGroup']
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal Group.count
+  end
+
+  it 'should process objectClass :le requests' do
+    # (objectClass<=posixGroupZZZ)
+    filter = [:le, 'objectClass', nil, 'posixGroupZZZ']
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal Group.count
+  end
+
+  it 'should process objectClass :ge requests' do
+    # (objectClass>=posixGroupGaaah)
+    filter = [:ge, 'objectClass', nil, 'posixGaaah']
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups.count.must_equal Group.count
+  end
+
+  it 'should process :present filters' do
+    # (homeDirectory=*)
+    filter = [:present, 'homeDirectory']
+    query = Ldumbd::FilterConverter.filter_to_sequel(User, filter)
+    users = User.where(query)
+    users.count.must_equal User.count
+  end
+
+  it 'should process :present filters on memberUids' do
+    # (memberUid=*)
+    filter = [:present, 'memberUid']
+    query = Ldumbd::FilterConverter.filter_to_sequel(Group, filter)
+    groups = Group.where(query)
+    groups_with_members = Group.where(users: User.all)
+    groups.count.must_equal groups_with_members.count
+  end
+end

data/spec/operation_spec.rb

@@ -0,0 +1,274 @@
+require_relative 'spec_helper'
+
+require 'ldumbd/table_map'
+require 'ldumbd/ldap_tree'
+require 'ldumbd/operation'
+
+class Ldumbd::Operation
+  public :search_results
+end
+
+class ConnectionMock
+  def opt
+    Hash.new
+  end
+end
+
+class MessageIDMock; end
+
+def ldap_objects(sequel_objects)
+  sequel_objects.map { |o| Ldumbd::TableMap.sequel_to_ldap_object(o) }
+end
+
+describe Ldumbd::Operation do
+  before(:each) do
+    @john = new_user('John Doe')
+    @jane = new_user('Jane Doe')
+    @no_group = Group.where(id: 65534, name: 'nogroup').first
+    @all_group = Group.create(name: 'allusers')
+    @all_group.add_user(@john)
+    @all_group.add_user(@jane)
+
+    @basedn = 'dc=example,dc=org'
+    @root = {
+      'dn_prefix' => '',
+      'dc' => 'example',
+      'objectClass' => %w{top domain}
+    }
+    @people = {
+      'dn_prefix' => 'ou=People',
+      'ou' => 'People',
+      'objectClass' => %w{top organizationalUnit}
+    }
+    @groups = {
+      'dn_prefix' => 'ou=Groups',
+      'ou' => 'Groups',
+      'objectClass' => %w{top organizationalUnit}
+    }
+    @operation = Ldumbd::Operation.new(ConnectionMock.new,
+                                       MessageIDMock.new,
+                                       Ldumbd::LdapTree.new(@basedn))
+  end
+
+  it 'should raise exceptions when using an invalid search scope' do
+    proc do
+      @operation.search_results(nil, 'InvalidScope', nil, nil)
+    end.must_raise LDAP::ResultError::UnwillingToPerform
+  end
+
+  describe LDAP::Server::BaseObject do
+    before(:each) do
+      @scope = LDAP::Server::BaseObject
+    end
+
+    it 'should find users by dn' do
+      filter = [:true]
+      dn = "uid=#{@john.name},ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal ldap_objects([@john])
+    end
+
+    it 'should find organization units by dn' do
+      filter = [:true]
+      dn = "ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal [@people]
+    end
+
+    it 'should find the root object by dn' do
+      filter = [:true]
+      dn = @basedn
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal [@root]
+    end
+
+    it 'should raise exceptions when searching for nonexistent objects' do
+      filter = [:true]
+      ["dc=non,dc=existent",
+       "uid=nonexistent,ou=People,#{@basedn}"].each do |dn|
+        proc do
+          @operation.search_results(dn, @scope, nil, filter)
+        end.must_raise LDAP::ResultError::NoSuchObject
+      end
+    end
+
+    it 'should not return any objects when using unsatisfiable filters' do
+      filter = [:eq, 'nonexistent_attribute', nil, 'nonexistent_value']
+      dn = @basedn
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal []
+    end
+  end
+
+  describe LDAP::Server::SingleLevel do
+    before(:each) do
+      @scope = LDAP::Server::SingleLevel
+    end
+
+    it 'should retrieve the immediate children of an object' do
+      filter = [:true]
+      dn = @basedn
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      subtree = [@people, @groups]
+      results.must_equal_unordered subtree
+    end
+
+    it 'should retrieve all users via the People ou' do
+      filter = [:true]
+      dn = "ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      people_tree = [@john, @jane]
+      results.must_equal_unordered ldap_objects(people_tree)
+    end
+
+    it 'should retrieve all users via the People ou when using a filter' do
+      filter = [:eq, 'objectClass', nil, 'posixAccount']
+      dn = "ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      people_tree = [@john, @jane]
+      results.must_equal_unordered ldap_objects(people_tree)
+    end
+
+    it 'should raise exceptions when searching for nonexistent objects' do
+      filter = [:true]
+      ["dc=non,dc=existent",
+       "uid=nonexistent,ou=People,#{@basedn}"].each do |dn|
+        proc do
+          @operation.search_results(dn, @scope, nil, filter)
+        end.must_raise LDAP::ResultError::NoSuchObject
+      end
+    end
+
+    it 'should not return any objects when using unsatisfiable filters' do
+      filter = [:eq, 'nonexistent_attribute', nil, 'nonexistent_value']
+      dn = @basedn
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal []
+    end
+  end
+
+  describe LDAP::Server::WholeSubtree do
+    before(:each) do
+      @scope = LDAP::Server::WholeSubtree
+    end
+
+    it 'should retrieve the whole tree via the basedn' do
+      filter = [:true]
+      dn = @basedn
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      ldap_tree = [@root, @people, @john, @jane, @groups, @no_group, @all_group]
+      results.must_equal_unordered ldap_objects(ldap_tree)
+    end
+
+    it 'should include the base object in the results when using filters' do
+      filter = [:eq, 'uid', nil, @john.name]
+      dn = "uid=#{@john.name},ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal ldap_objects([@john])
+    end
+
+    it 'should retrieve all users via the People ou' do
+      filter = [:true]
+      dn = "ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      people_tree = [@people, @john, @jane]
+      results.must_equal_unordered ldap_objects(people_tree)
+    end
+
+    it 'should retrieve all users via the People ou when using a filter' do
+      filter = [:eq, 'objectClass', nil, 'posixAccount']
+      dn = "ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      people_tree = [@john, @jane]
+      results.must_equal_unordered ldap_objects(people_tree)
+    end
+
+    it 'should retrieve single users by dn' do
+      filter = [:true]
+      dn = "uid=#{@john.name},ou=People,#{@basedn}"
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal ldap_objects([@john])
+    end
+
+    it 'should raise exceptions when searching for nonexistent objects' do
+      filter = [:true]
+      ["dc=non,dc=existent",
+       "uid=nonexistent,ou=People,#{@basedn}"].each do |dn|
+        proc do
+          @operation.search_results(dn, @scope, nil, filter)
+        end.must_raise LDAP::ResultError::NoSuchObject
+      end
+    end
+
+    it 'should not return any objects when using unsatisfiable filters' do
+      filter = [:eq, 'nonexistent_attribute', nil, 'nonexistent_value']
+      dn = @basedn
+      results = []
+      @operation.search_results(dn, @scope, nil, filter) do |r|
+        results << r
+      end
+      results.must_equal []
+    end
+  end
+
+  describe 'search' do
+    it 'should call send_SearchResultEntry' do
+      filter = [:true]
+      scope = LDAP::Server::BaseObject
+      mock = MiniTest::Mock.new
+
+      root_dn = @basedn
+      root_avs = @root.reject { |k, v| k == 'dn_prefix' }
+      john_dn = "uid=#{@john.name},ou=People,#{@basedn}"
+      john_attrs = Ldumbd::TableMap.sequel_to_ldap_object(@john)
+      john_avs = john_attrs.reject { |k, v| k == 'dn_prefix' }
+
+      mock.expect(:send_SearchResultEntry, nil, [root_dn, root_avs])
+      mock.expect(:send_SearchResultEntry, nil, [john_dn, john_avs])
+      @operation.stub(:send_SearchResultEntry,
+                      ->(dn, avs) { mock.send_SearchResultEntry(dn, avs) }) do
+        @operation.search(root_dn, scope, nil, filter)
+        @operation.search(john_dn, scope, nil, filter)
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,41 @@
+require 'minitest/autorun'
+require 'yaml'
+require 'sequel'
+
+DATABASE_URL = ENV['DATABASE_URL'] || 'sqlite://ldumbd-test.sqlite3'
+DB = Sequel.connect(DATABASE_URL)
+
+require 'ldumbd/user'
+require 'ldumbd/group'
+
+class MiniTest::Spec
+  before :each do
+    @db_transaction = Fiber.new do
+      DB.transaction(savepoint: true, rollback: :always) { Fiber.yield }
+    end
+    @db_transaction.resume
+  end
+
+  after :each do
+    @db_transaction.resume
+  end
+end
+
+def new_user(realname)
+  name = realname.downcase.gsub(' ', '')
+  homedir = "/home/#{name}"
+  User.create(name: name,
+              homedir: homedir,
+              realname: realname)
+end
+
+module MiniTest::Assertions
+  def assert_equal_unordered(a, b, msg = nil)
+    msg ||= "Expected #{mu_pp(a)} to be equivalent to #{mu_pp(b)}"
+    freq_a = a.inject(Hash.new(0)) { |h, v| h[v] += 1; h }
+    freq_b = b.inject(Hash.new(0)) { |h, v| h[v] += 1; h }
+    assert(freq_a == freq_b, msg)
+  end
+end
+
+Array.infect_an_assertion :assert_equal_unordered, :must_equal_unordered