net-ldap 0.11 → 0.16.0

data/.travis.yml

@@ -1,26 +1,31 @@
 language: ruby
 rvm:
-  - 1.9.3
   - 2.0.0
-  - 2.1.2
+  - 2.1
+  - 2.2
   # optional
+  - ruby-head
   - jruby-19mode
-  - rbx-19mode
+  - jruby-head
   - rbx-2
 
 env:
   - INTEGRATION=openldap
 
+before_install:
+  - gem update bundler
+
 install:
-  - if [ "$INTEGRATION" = "openldap" ]; then ./script/install-openldap; fi
+  - if [ "$INTEGRATION" = "openldap" ]; then sudo script/install-openldap; fi
   - bundle install
 
 script: bundle exec rake ci
 
 matrix:
   allow_failures:
+    - rvm: ruby-head
     - rvm: jruby-19mode
-    - rvm: rbx-19mode
+    - rvm: jruby-head
     - rvm: rbx-2
   fast_finish: true
 

data/Contributors.rdoc

@@ -22,3 +22,4 @@ Contributions since:
 * David J. Lee (DavidJLee)
 * Cody Cutrer (ccutrer)
 * WoodsBagotAndreMarquesLee
+* Rufus Post (mynameisrufus)

data/History.rdoc

@@ -1,3 +1,63 @@
+=== Net::LDAP 0.16.0
+
+* Sasl fix {#281}[https://github.com/ruby-ldap/ruby-net-ldap/pull/281]
+* enable TLS hostname validation {#279}[https://github.com/ruby-ldap/ruby-net-ldap/pull/279]
+* update rubocop to 0.42.0 {#278}[https://github.com/ruby-ldap/ruby-net-ldap/pull/278]
+
+=== Net::LDAP 0.15.0
+
+* Respect connect_timeout when establishing SSL connections {#273}[https://github.com/ruby-ldap/ruby-net-ldap/pull/273]
+
+=== Net::LDAP 0.14.0
+
+* Normalize the encryption parameter passed to the LDAP constructor {#264}[https://github.com/ruby-ldap/ruby-net-ldap/pull/264]
+* Update Docs: Net::LDAP now requires ruby >= 2 {#261}[https://github.com/ruby-ldap/ruby-net-ldap/pull/261]
+* fix symbol proc {#255}[https://github.com/ruby-ldap/ruby-net-ldap/pull/255]
+* fix trailing commas {#256}[https://github.com/ruby-ldap/ruby-net-ldap/pull/256]
+* fix deprecated hash methods {#254}[https://github.com/ruby-ldap/ruby-net-ldap/pull/254]
+* fix space after comma {#253}[https://github.com/ruby-ldap/ruby-net-ldap/pull/253]
+* fix space inside brackets {#252}[https://github.com/ruby-ldap/ruby-net-ldap/pull/252]
+* Rubocop style fixes {#249}[https://github.com/ruby-ldap/ruby-net-ldap/pull/249]
+* Lazy initialize Net::LDAP::Connection's internal socket {#235}[https://github.com/ruby-ldap/ruby-net-ldap/pull/235]
+* Support for rfc3062 Password Modify, closes #163 {#178}[https://github.com/ruby-ldap/ruby-net-ldap/pull/178]
+
+=== Net::LDAP 0.13.0
+
+Avoid this release for because of an backwards incompatibility in how encryption
+is initialized https://github.com/ruby-ldap/ruby-net-ldap/pull/264. We did not
+yank it because people have already worked around it.
+
+* Set a connect_timeout for the creation of a socket {#243}[https://github.com/ruby-ldap/ruby-net-ldap/pull/243]
+* Update bundler before installing gems with bundler {#245}[https://github.com/ruby-ldap/ruby-net-ldap/pull/245]
+* Net::LDAP#encryption accepts string {#239}[https://github.com/ruby-ldap/ruby-net-ldap/pull/239]
+* Adds correct UTF-8 encoding to Net::BER::BerIdentifiedString {#242}[https://github.com/ruby-ldap/ruby-net-ldap/pull/242]
+* Remove 2.3.0-preview since ruby-head already is included {#241}[https://github.com/ruby-ldap/ruby-net-ldap/pull/241]
+* Drop support for ruby 1.9.3 {#240}[https://github.com/ruby-ldap/ruby-net-ldap/pull/240]
+* Fixed capitalization of StartTLSError {#234}[https://github.com/ruby-ldap/ruby-net-ldap/pull/234]
+
+=== Net::LDAP 0.12.1
+
+* Whitespace formatting cleanup {#236}[https://github.com/ruby-ldap/ruby-net-ldap/pull/236]
+* Set operation result if LDAP server is not accessible {#232}[https://github.com/ruby-ldap/ruby-net-ldap/pull/232]
+
+=== Net::LDAP 0.12.0
+
+* DRY up connection handling logic {#224}[https://github.com/ruby-ldap/ruby-net-ldap/pull/224]
+* Define auth adapters {#226}[https://github.com/ruby-ldap/ruby-net-ldap/pull/226]
+* add slash to attribute value filter {#225}[https://github.com/ruby-ldap/ruby-net-ldap/pull/225]
+* Add the ability to provide a list of hosts for a connection {#223}[https://github.com/ruby-ldap/ruby-net-ldap/pull/223]
+* Specify the port of LDAP server by giving INTEGRATION_PORT {#221}[https://github.com/ruby-ldap/ruby-net-ldap/pull/221]
+* Correctly set BerIdentifiedString values to UTF-8  {#212}[https://github.com/ruby-ldap/ruby-net-ldap/pull/212]
+* Raise Net::LDAP::ConnectionRefusedError when new connection is refused. {#213}[https://github.com/ruby-ldap/ruby-net-ldap/pull/213]
+* obscure auth password upon #inspect, added test, closes #216 {#217}[https://github.com/ruby-ldap/ruby-net-ldap/pull/217]
+* Fixing incorrect error class name {#207}[https://github.com/ruby-ldap/ruby-net-ldap/pull/207]
+* Travis update {#205}[https://github.com/ruby-ldap/ruby-net-ldap/pull/205]
+* Remove obsolete rbx-19mode from Travis {#204}[https://github.com/ruby-ldap/ruby-net-ldap/pull/204]
+* mv "sudo" from script/install-openldap to .travis.yml {#199}[https://github.com/ruby-ldap/ruby-net-ldap/pull/199]
+* Remove meaningless shebang {#200}[https://github.com/ruby-ldap/ruby-net-ldap/pull/200]
+* Fix Travis CI build {#202}[https://github.com/ruby-ldap/ruby-net-ldap/pull/202]
+* README.rdoc: fix travis link {#195}[https://github.com/ruby-ldap/ruby-net-ldap/pull/195]
+
 === Net::LDAP 0.11
 * Major enhancements:
   * #183 Specific errors subclassing Net::LDAP::Error

data/README.rdoc

@@ -1,4 +1,4 @@
-= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.png" />}[https://travis-ci.org/github/ruby-net-ldap]
+= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.png" />}[https://travis-ci.org/ruby-ldap/ruby-net-ldap]
 
 == Description
 
@@ -25,7 +25,7 @@ See Net::LDAP for documentation and usage samples.
 
 == Requirements
 
-Net::LDAP requires a Ruby 1.9.3 compatible interpreter or better.
+Net::LDAP requires a Ruby 2.0.0 compatible interpreter or better.
 
 == Install
 
@@ -37,6 +37,14 @@ sources.
 
 Simply require either 'net-ldap' or 'net/ldap'.
 
+== Extensions
+
+This library focuses on the core LDAP RFCs referenced in the description.
+However, we recognize there are commonly used extensions to the spec that are
+useful. If there is another library which handles it, we list it here.
+
+* {resolv-srv}[https://rubygems.org/gems/resolv-srv]: Support RFC2782 SRV record lookup and failover
+
 == Develop
 
 This task will run the test suite and the
@@ -44,21 +52,20 @@ This task will run the test suite and the
 
   rake rubotest
 
-To run the integration tests against an LDAP server:
-
-  cd test/support/vm/openldap
-  vagrant up
-  cd ../../../..
-  INTEGRATION=openldap bundle exec rake rubotest
+CI takes too long? If your local box supports
+{Vagrant}[https://www.vagrantup.com/], you can run most of the tests
+in a VM on your local box. For more details and setup instructions, see
+{test/support/vm/openldap/README.md}[https://github.com/ruby-ldap/ruby-net-ldap/tree/master/test/support/vm/openldap/README.md]
 
 == Release
 
 This section is for gem maintainers to cut a new version of the gem.
 
+* Check out a new branch `release-VERSION`
 * Update lib/net/ldap/version.rb to next version number X.X.X following {semver}(http://semver.org/).
-* Update `History.rdoc`. Get latest changes with `git log --oneline vLAST_RELEASE..HEAD | grep Merge`
-
-* On the master branch, run `script/release`
+* Update `History.rdoc`. Get latest changes with `script/changelog`
+* Open a pull request with these changes for review
+* After merging, on the master branch, run `script/release`
 
 :include: Contributors.rdoc
 

data/Rakefile

@@ -1,4 +1,3 @@
-#!/usr/bin/env rake
 # -*- ruby encoding: utf-8 -*-
 # vim: syntax=ruby
 

data/lib/net/ber/ber_parser.rb

@@ -14,7 +14,7 @@ module Net::BER::BERParser
   }
   constructed = {
     16 => :array,
-    17 => :array
+    17 => :array,
   }
   universal = { :primitive => primitive, :constructed => constructed }
 
@@ -172,10 +172,10 @@ module Net::BER::BERParser
     yield id, content_length if block_given?
 
     if -1 == content_length
-      raise Net::BER::BerError, "Indeterminite BER content length not implemented."
-    else
-      data = read(content_length)
+      raise Net::BER::BerError,
+            "Indeterminite BER content length not implemented."
     end
+    data = read(content_length)
 
     parse_ber_object(syntax, id, data)
   end

data/lib/net/ber/core_ext/array.rb

@@ -89,7 +89,7 @@ module Net::BER::Extensions::Array
     #if our array does not contain at least one array then wrap it in an array before going forward
     ary = self[0].kind_of?(Array) ? self : [self]
     ary = ary.collect do |control_sequence|
-      control_sequence.collect{|element| element.to_ber}.to_ber_sequence.reject_empty_ber_arrays
+      control_sequence.collect(&:to_ber).to_ber_sequence.reject_empty_ber_arrays
     end
     ary.to_ber_sequence.reject_empty_ber_arrays
   end

data/lib/net/ber/core_ext/integer.rb

@@ -20,7 +20,7 @@ module Net::BER::Extensions::Integer
     if self <= 127
       [self].pack('C')
     else
-      i = [self].pack('N').sub(/^[\0]+/,"")
+      i = [self].pack('N').sub(/^[\0]+/, "")
       [0x80 + i.length].pack('C') + i
     end
   end

data/lib/net/ber/core_ext/string.rb

@@ -75,6 +75,6 @@ module Net::BER::Extensions::String
   end
 
   def reject_empty_ber_arrays
-    self.gsub(/0\000/n,'')
+    self.gsub(/0\000/n, '')
   end
 end

data/lib/net/ber.rb

@@ -106,6 +106,7 @@ module Net # :nodoc:
   # <tr><th>CHARACTER STRING</th><th>C</th><td>29: 61 (0x3d, 0b00111101)</td></tr>
   # <tr><th>BMPString</th><th>P</th><td>30: 30 (0x1e, 0b00011110)</td></tr>
   # <tr><th>BMPString</th><th>C</th><td>30: 62 (0x3e, 0b00111110)</td></tr>
+  # <tr><th>ExtendedResponse</th><th>C</th><td>107: 139 (0x8b, 0b010001011)</td></tr>
   # </table>
   module BER
     VERSION = Net::LDAP::VERSION
@@ -234,7 +235,7 @@ module Net # :nodoc:
       # TODO 20100327 AZ: Should we be allocating an array of 256 values
       # that will either be +nil+ or an object type symbol, or should we
       # allocate an empty Hash since unknown values return +nil+ anyway?
-      out = [ nil ] * 256
+      out = [nil] * 256
       syntax.each do |tag_class_id, encodings|
         tag_class = TAG_CLASS[tag_class_id]
         encodings.each do |encoding_id, classes|
@@ -269,7 +270,7 @@ class Net::BER::BerIdentifiedOid
 
   def initialize(oid)
     if oid.is_a?(String)
-      oid = oid.split(/\./).map {|s| s.to_i }
+      oid = oid.split(/\./).map(&:to_i)
     end
     @value = oid
   end
@@ -293,12 +294,43 @@ end
 
 ##
 # A String object with a BER identifier attached.
+#
 class Net::BER::BerIdentifiedString < String
   attr_accessor :ber_identifier
+
+  # The binary data provided when parsing the result of the LDAP search
+  # has the encoding 'ASCII-8BIT' (which is basically 'BINARY', or 'unknown').
+  #
+  # This is the kind of a backtrace showing how the binary `data` comes to
+  # BerIdentifiedString.new(data):
+  #
+  #  @conn.read_ber(syntax)
+  #     -> StringIO.new(self).read_ber(syntax), i.e. included from module
+  #     -> Net::BER::BERParser.read_ber(syntax)
+  #        -> (private)Net::BER::BERParser.parse_ber_object(syntax, id, data)
+  #
+  # In the `#parse_ber_object` method `data`, according to its OID, is being
+  # 'casted' to one of the Net::BER:BerIdentifiedXXX classes.
+  #
+  # As we are using LDAP v3 we can safely assume that the data is encoded
+  # in UTF-8 and therefore the only thing to be done when instantiating is to
+  # switch the encoding from 'ASCII-8BIT' to 'UTF-8'.
+  #
+  # Unfortunately, there are some ActiveDirectory specific attributes
+  # (like `objectguid`) that should remain binary (do they really?).
+  # Using the `#valid_encoding?` we can trap this cases. Special cases like
+  # Japanese, Korean, etc. encodings might also profit from this. However
+  # I have no clue how this encodings function.
   def initialize args
-    super args
-    # LDAP uses UTF-8 encoded strings
-    self.encode('UTF-8') if self.respond_to?(:encoding) rescue self
+    super
+    #
+    # Check the encoding of the newly created String and set the encoding
+    # to 'UTF-8' (NOTE: we do NOT change the bytes, but only set the
+    # encoding to 'UTF-8').
+    return unless encoding == Encoding::BINARY
+    current_encoding = encoding
+    force_encoding('UTF-8')
+    force_encoding(current_encoding) unless valid_encoding?
   end
 end
 

data/lib/net/ldap/auth_adapter/gss_spnego.rb

@@ -0,0 +1,41 @@
+require 'net/ldap/auth_adapter'
+require 'net/ldap/auth_adapter/sasl'
+
+module Net
+  class LDAP
+    module AuthAdapers
+      #--
+      # PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
+      # Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to
+      # integrate it without introducing an external dependency.
+      #
+      # This authentication method is accessed by calling #bind with a :method
+      # parameter of :gss_spnego. It requires :username and :password
+      # attributes, just like the :simple authentication method. It performs a
+      # GSS-SPNEGO authentication with the server, which is presumed to be a
+      # Microsoft Active Directory.
+      #++
+      class GSS_SPNEGO < Net::LDAP::AuthAdapter
+        def bind(auth)
+          require 'ntlm'
+
+          user, psw = [auth[:username] || auth[:dn], auth[:password]]
+          raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+
+          nego = proc do |challenge|
+            t2_msg = NTLM::Message.parse(challenge)
+            t3_msg = t2_msg.response({ :user => user, :password => psw },
+                                     { :ntlmv2 => true })
+            t3_msg.serialize
+          end
+
+          Net::LDAP::AuthAdapter::Sasl.new(@connection).bind \
+            :method             => :sasl,
+            :mechanism          => "GSS-SPNEGO",
+            :initial_credential => NTLM::Message::Type1.new.serialize,
+            :challenge_response => nego
+        end
+      end
+    end
+  end
+end

data/lib/net/ldap/auth_adapter/sasl.rb

@@ -0,0 +1,62 @@
+require 'net/ldap/auth_adapter'
+
+module Net
+  class LDAP
+    class AuthAdapter
+      class Sasl < Net::LDAP::AuthAdapter
+        MAX_SASL_CHALLENGES = 10
+
+        #--
+        # Required parameters: :mechanism, :initial_credential and
+        # :challenge_response
+        #
+        # Mechanism is a string value that will be passed in the SASL-packet's
+        # "mechanism" field.
+        #
+        # Initial credential is most likely a string. It's passed in the initial
+        # BindRequest that goes to the server. In some protocols, it may be empty.
+        #
+        # Challenge-response is a Ruby proc that takes a single parameter and
+        # returns an object that will typically be a string. The
+        # challenge-response block is called when the server returns a
+        # BindResponse with a result code of 14 (saslBindInProgress). The
+        # challenge-response block receives a parameter containing the data
+        # returned by the server in the saslServerCreds field of the LDAP
+        # BindResponse packet. The challenge-response block may be called multiple
+        # times during the course of a SASL authentication, and each time it must
+        # return a value that will be passed back to the server as the credential
+        # data in the next BindRequest packet.
+        #++
+        def bind(auth)
+          mech, cred, chall = auth[:mechanism], auth[:initial_credential],
+            auth[:challenge_response]
+          raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (mech && cred && chall)
+
+          message_id = @connection.next_msgid
+
+          n = 0
+          loop do
+            sasl = [mech.to_ber, cred.to_ber].to_ber_contextspecific(3)
+            request = [
+              Net::LDAP::Connection::LdapVersion.to_ber, "".to_ber, sasl
+            ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+            @connection.send(:write, request, nil, message_id)
+            pdu = @connection.queued_read(message_id)
+
+            if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+              raise Net::LDAP::NoBindResultError, "no bind result"
+            end
+
+            return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
+            raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MAX_SASL_CHALLENGES)
+
+            cred = chall.call(pdu.result_server_sasl_creds)
+          end
+
+          raise Net::LDAP::SASLChallengeOverflowError, "why are we here?"
+        end
+      end
+    end
+  end
+end

data/lib/net/ldap/auth_adapter/simple.rb

@@ -0,0 +1,34 @@
+require 'net/ldap/auth_adapter'
+
+module Net
+  class LDAP
+    class AuthAdapter
+      class Simple < AuthAdapter
+        def bind(auth)
+          user, psw = if auth[:method] == :simple
+                        [auth[:username] || auth[:dn], auth[:password]]
+                      else
+                        ["", ""]
+                      end
+
+          raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+
+          message_id = @connection.next_msgid
+          request    = [
+            Net::LDAP::Connection::LdapVersion.to_ber, user.to_ber,
+            psw.to_ber_contextspecific(0)
+          ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+          @connection.send(:write, request, nil, message_id)
+          pdu = @connection.queued_read(message_id)
+
+          if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+            raise Net::LDAP::NoBindResultError, "no bind result"
+          end
+
+          pdu
+        end
+      end
+    end
+  end
+end

data/lib/net/ldap/auth_adapter.rb

@@ -0,0 +1,29 @@
+module Net
+  class LDAP
+    class AuthAdapter
+      def self.register(names, adapter)
+        names = Array(names)
+        @adapters ||= {}
+        names.each do |name|
+          @adapters[name] = adapter
+        end
+      end
+
+      def self.[](name)
+        a = @adapters[name]
+        if a.nil?
+          raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{name})"
+        end
+        return a
+      end
+
+      def initialize(conn)
+        @connection = conn
+      end
+
+      def bind
+        raise "bind method must be overwritten"
+      end
+    end
+  end
+end