net-ldap 0.14.0 → 0.16.3

data/test/integration/test_add.rb

@@ -3,9 +3,7 @@ require_relative '../test_helper'
 class TestAddIntegration < LDAPIntegrationTestCase
   def setup
     super
-    @ldap.authenticate "cn=admin,dc=rubyldap,dc=com", "passworD1"
-
-    @dn = "uid=added-user1,ou=People,dc=rubyldap,dc=com"
+    @dn = "uid=added-user1,ou=People,dc=example,dc=org"
   end
 
   def test_add

data/test/integration/test_ber.rb

@@ -8,7 +8,7 @@ class TestBERIntegration < LDAPIntegrationTestCase
     attrs = [:dn, :uid, :cn, :mail]
 
     assert types_entry = @ldap.search(
-      base: "dc=rubyldap,dc=com",
+      base: "dc=example,dc=org",
       filter: "(uid=user1)",
       size: 1,
       attributes: attrs,
@@ -25,6 +25,6 @@ class TestBERIntegration < LDAPIntegrationTestCase
     end
 
     assert_includes Net::LDAP::ResultCodesSearchSuccess,
-      @ldap.get_operation_result.code, "should be a successful search operation"
+                    @ldap.get_operation_result.code, "should be a successful search operation"
   end
 end

data/test/integration/test_bind.rb

@@ -1,42 +1,221 @@
 require_relative '../test_helper'
 
 class TestBindIntegration < LDAPIntegrationTestCase
+  INTEGRATION_HOSTNAME = 'ldap.example.org'.freeze
+
   def test_bind_success
-    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
   end
 
   def test_bind_timeout
-    @ldap.port = 8389
+    @ldap.host = "10.255.255.1" # non-routable IP
+
     error = assert_raise Net::LDAP::Error do
-      @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1")
+      @ldap.bind BIND_CREDS
     end
-    assert_equal('Connection timed out - user specified timeout', error.message)
+    msgs = ['Operation timed out - user specified timeout',
+            'Connection timed out - user specified timeout']
+    assert_send([msgs, :include?, error.message])
   end
 
   def test_bind_anonymous_fail
-    refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: ""), @ldap.get_operation_result.inspect
+    refute @ldap.bind(BIND_CREDS.merge(password: '')),
+           @ldap.get_operation_result.inspect
 
     result = @ldap.get_operation_result
     assert_equal Net::LDAP::ResultCodeUnwillingToPerform, result.code
     assert_equal Net::LDAP::ResultStrings[Net::LDAP::ResultCodeUnwillingToPerform], result.message
     assert_equal "unauthenticated bind (DN with no password) disallowed",
-      result.error_message
+                 result.error_message
     assert_equal "", result.matched_dn
   end
 
   def test_bind_fail
-    refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "not my password"), @ldap.get_operation_result.inspect
+    refute @ldap.bind(BIND_CREDS.merge(password: "not my password")),
+           @ldap.get_operation_result.inspect
   end
 
   def test_bind_tls_with_cafile
-    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:ca_file => CA_FILE)
-    @ldap.encryption(method: :start_tls, tls_options: tls_options)
-    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+    @ldap.host = INTEGRATION_HOSTNAME
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(ca_file: CA_FILE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_none_no_ca_passes
+    @ldap.host = INTEGRATION_HOSTNAME
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_none_no_ca_opt_merge_passes
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_NONE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_peer_ca_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                     ca_file:     CA_FILE },
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_bad_hostname_ca_default_opt_merge_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(ca_file: CA_FILE),
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_bad_hostname_ca_no_opt_merge_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { ca_file: CA_FILE },
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_valid_hostname_default_opts_passes
+    @ldap.host = INTEGRATION_HOSTNAME
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                                  ca_file:     CA_FILE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
   end
 
-  def test_bind_tls_with_verify_none
-    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:verify_mode => OpenSSL::SSL::VERIFY_NONE)
-    @ldap.encryption(method: :start_tls, tls_options: tls_options)
-    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+  def test_bind_tls_with_valid_hostname_just_verify_peer_ca_passes
+    @ldap.host = INTEGRATION_HOSTNAME
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                     ca_file:     CA_FILE },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bogus_hostname_system_ca_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(method: :start_tls, tls_options: {})
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_multiple_hosts
+    @ldap.host = nil
+    @ldap.hosts = [[INTEGRATION_HOSTNAME, 389], [INTEGRATION_HOSTNAME, 389]]
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                                  ca_file:     CA_FILE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_multiple_bogus_hosts
+    @ldap.host = nil
+    @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                                  ca_file:     CA_FILE),
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal("Unable to connect to any given server: ",
+                 error.message.split("\n").shift)
+  end
+
+  def test_bind_tls_with_multiple_bogus_hosts_no_verification
+    @ldap.host = nil
+    @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_NONE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_multiple_bogus_hosts_ca_check_only_fails
+    @ldap.host = nil
+    @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
+    @ldap.encryption(
+      method: :start_tls,
+      tls_options: { ca_file: CA_FILE },
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal("Unable to connect to any given server: ",
+                 error.message.split("\n").shift)
+  end
+
+  # This test is CI-only because we can't add the fixture CA
+  # to the system CA store on people's dev boxes.
+  def test_bind_tls_valid_hostname_system_ca_on_travis_passes
+    omit "not sure how to install custom CA cert in travis"
+    omit_unless ENV['TRAVIS'] == 'true'
+
+    @ldap.host = INTEGRATION_HOSTNAME
+    @ldap.encryption(
+      method: :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
   end
 end

data/test/integration/test_delete.rb

@@ -3,9 +3,7 @@ require_relative '../test_helper'
 class TestDeleteIntegration < LDAPIntegrationTestCase
   def setup
     super
-    @ldap.authenticate "cn=admin,dc=rubyldap,dc=com", "passworD1"
-
-    @dn = "uid=delete-user1,ou=People,dc=rubyldap,dc=com"
+    @dn = "uid=delete-user1,ou=People,dc=example,dc=org"
 
     attrs = {
       objectclass: %w(top inetOrgPerson organizationalPerson person),

data/test/integration/test_open.rb

@@ -4,8 +4,8 @@ class TestBindIntegration < LDAPIntegrationTestCase
   def test_binds_without_open
     events = @service.subscribe "bind.net_ldap_connection"
 
-    @ldap.search(filter: "uid=user1", base: "ou=People,dc=rubyldap,dc=com", ignore_server_caps: true)
-    @ldap.search(filter: "uid=user1", base: "ou=People,dc=rubyldap,dc=com", ignore_server_caps: true)
+    @ldap.search(filter: "uid=user1", base: "ou=People,dc=example,dc=org", ignore_server_caps: true)
+    @ldap.search(filter: "uid=user1", base: "ou=People,dc=example,dc=org", ignore_server_caps: true)
 
     assert_equal 2, events.size
   end
@@ -14,8 +14,8 @@ class TestBindIntegration < LDAPIntegrationTestCase
     events = @service.subscribe "bind.net_ldap_connection"
 
     @ldap.open do
-      @ldap.search(filter: "uid=user1", base: "ou=People,dc=rubyldap,dc=com", ignore_server_caps: true)
-      @ldap.search(filter: "uid=user1", base: "ou=People,dc=rubyldap,dc=com", ignore_server_caps: true)
+      @ldap.search(filter: "uid=user1", base: "ou=People,dc=example,dc=org", ignore_server_caps: true)
+      @ldap.search(filter: "uid=user1", base: "ou=People,dc=example,dc=org", ignore_server_caps: true)
     end
 
     assert_equal 1, events.size
@@ -29,9 +29,9 @@ class TestBindIntegration < LDAPIntegrationTestCase
     entries = []
     nested_entry = nil
 
-    @ldap.search(filter: "(|(uid=user1)(uid=user2))", base: "ou=People,dc=rubyldap,dc=com") do |entry|
+    @ldap.search(filter: "(|(uid=user1)(uid=user2))", base: "ou=People,dc=example,dc=org") do |entry|
       entries << entry.uid.first
-      nested_entry ||= @ldap.search(filter: "uid=user3", base: "ou=People,dc=rubyldap,dc=com").first
+      nested_entry ||= @ldap.search(filter: "uid=user3", base: "ou=People,dc=example,dc=org").first
     end
 
     assert_equal "user3", nested_entry.uid.first
@@ -43,9 +43,9 @@ class TestBindIntegration < LDAPIntegrationTestCase
     nested_entry = nil
 
     @ldap.open do
-      @ldap.search(filter: "(|(uid=user1)(uid=user2))", base: "ou=People,dc=rubyldap,dc=com") do |entry|
+      @ldap.search(filter: "(|(uid=user1)(uid=user2))", base: "ou=People,dc=example,dc=org") do |entry|
         entries << entry.uid.first
-        nested_entry ||= @ldap.search(filter: "uid=user3", base: "ou=People,dc=rubyldap,dc=com").first
+        nested_entry ||= @ldap.search(filter: "uid=user3", base: "ou=People,dc=example,dc=org").first
       end
     end
 
@@ -57,7 +57,7 @@ class TestBindIntegration < LDAPIntegrationTestCase
     entries = []
     nested_entry = nil
 
-    dn = "uid=nested-open-added-user1,ou=People,dc=rubyldap,dc=com"
+    dn = "uid=nested-open-added-user1,ou=People,dc=example,dc=org"
     attrs = {
       objectclass: %w(top inetOrgPerson organizationalPerson person),
       uid:  "nested-open-added-user1",
@@ -66,11 +66,10 @@ class TestBindIntegration < LDAPIntegrationTestCase
       mail: "nested-open-added-user1@rubyldap.com",
     }
 
-    @ldap.authenticate "cn=admin,dc=rubyldap,dc=com", "passworD1"
     @ldap.delete dn: dn
 
     @ldap.open do
-      @ldap.search(filter: "(|(uid=user1)(uid=user2))", base: "ou=People,dc=rubyldap,dc=com") do |entry|
+      @ldap.search(filter: "(|(uid=user1)(uid=user2))", base: "ou=People,dc=example,dc=org") do |entry|
         entries << entry.uid.first
 
         nested_entry ||= begin

data/test/integration/test_password_modify.rb

@@ -3,9 +3,10 @@ require_relative '../test_helper'
 class TestPasswordModifyIntegration < LDAPIntegrationTestCase
   def setup
     super
-    @ldap.authenticate 'cn=admin,dc=rubyldap,dc=com', 'passworD1'
+    @admin_account = { dn: 'cn=admin,dc=example,dc=org', password: 'admin', method: :simple }
+    @ldap.authenticate @admin_account[:dn], @admin_account[:password]
 
-    @dn = 'uid=modify-password-user1,ou=People,dc=rubyldap,dc=com'
+    @dn = 'uid=modify-password-user1,ou=People,dc=example,dc=org'
 
     attrs = {
       objectclass: %w(top inetOrgPerson organizationalPerson person),
@@ -13,7 +14,7 @@ class TestPasswordModifyIntegration < LDAPIntegrationTestCase
       cn: 'modify-password-user1',
       sn: 'modify-password-user1',
       mail: 'modify-password-user1@rubyldap.com',
-      userPassword: 'passworD1',
+      userPassword: 'admin',
     }
     unless @ldap.search(base: @dn, scope: Net::LDAP::SearchScope_BaseObject)
       assert @ldap.add(dn: @dn, attributes: attrs), @ldap.get_operation_result.inspect
@@ -23,40 +24,40 @@ class TestPasswordModifyIntegration < LDAPIntegrationTestCase
     @auth = {
       method: :simple,
       username: @dn,
-      password: 'passworD1',
+      password: 'admin',
     }
   end
 
   def test_password_modify
     assert @ldap.password_modify(dn: @dn,
                                  auth: @auth,
-                                 old_password: 'passworD1',
+                                 old_password: 'admin',
                                  new_password: 'passworD2')
 
     assert @ldap.get_operation_result.extended_response.nil?,
-      'Should not have generated a new password'
+           'Should not have generated a new password'
 
-    refute @ldap.bind(username: @dn, password: 'passworD1', method: :simple),
-      'Old password should no longer be valid'
+    refute @ldap.bind(username: @dn, password: 'admin', method: :simple),
+           'Old password should no longer be valid'
 
     assert @ldap.bind(username: @dn, password: 'passworD2', method: :simple),
-      'New password should be valid'
+           'New password should be valid'
   end
 
   def test_password_modify_generate
     assert @ldap.password_modify(dn: @dn,
                                  auth: @auth,
-                                 old_password: 'passworD1')
+                                 old_password: 'admin')
 
     generated_password = @ldap.get_operation_result.extended_response[0][0]
 
     assert generated_password, 'Should have generated a password'
 
-    refute @ldap.bind(username: @dn, password: 'passworD1', method: :simple),
-      'Old password should no longer be valid'
+    refute @ldap.bind(username: @dn, password: 'admin', method: :simple),
+           'Old password should no longer be valid'
 
     assert @ldap.bind(username: @dn, password: generated_password, method: :simple),
-      'New password should be valid'
+           'New password should be valid'
   end
 
   def test_password_modify_generate_no_old_password
@@ -67,11 +68,23 @@ class TestPasswordModifyIntegration < LDAPIntegrationTestCase
 
     assert generated_password, 'Should have generated a password'
 
-    refute @ldap.bind(username: @dn, password: 'passworD1', method: :simple),
-      'Old password should no longer be valid'
+    refute @ldap.bind(username: @dn, password: 'admin', method: :simple),
+           'Old password should no longer be valid'
 
     assert @ldap.bind(username: @dn, password: generated_password, method: :simple),
-      'New password should be valid'
+           'New password should be valid'
+  end
+
+  def test_password_modify_overwrite_old_password
+    assert @ldap.password_modify(dn: @dn,
+                                 auth: @admin_account,
+                                 new_password: 'passworD3')
+
+    refute @ldap.bind(username: @dn, password: 'admin', method: :simple),
+           'Old password should no longer be valid'
+
+    assert @ldap.bind(username: @dn, password: 'passworD3', method: :simple),
+           'New password should be valid'
   end
 
   def teardown

data/test/integration/test_return_codes.rb

@@ -4,8 +4,16 @@ require_relative '../test_helper'
 # See: section 12.12 http://www.openldap.org/doc/admin24/overlays.html
 
 class TestReturnCodeIntegration < LDAPIntegrationTestCase
+  def test_open_error
+    @ldap.authenticate "cn=fake", "creds"
+    @ldap.open do
+      result = @ldap.get_operation_result
+      assert_equal Net::LDAP::ResultCodeInvalidCredentials, result.code
+    end
+  end
+
   def test_operations_error
-    refute @ldap.search(filter: "cn=operationsError", base: "ou=Retcodes,dc=rubyldap,dc=com")
+    refute @ldap.search(filter: "cn=operationsError", base: "ou=Retcodes,dc=example,dc=org")
     assert result = @ldap.get_operation_result
 
     assert_equal Net::LDAP::ResultCodeOperationsError, result.code
@@ -13,7 +21,7 @@ class TestReturnCodeIntegration < LDAPIntegrationTestCase
   end
 
   def test_protocol_error
-    refute @ldap.search(filter: "cn=protocolError", base: "ou=Retcodes,dc=rubyldap,dc=com")
+    refute @ldap.search(filter: "cn=protocolError", base: "ou=Retcodes,dc=example,dc=org")
     assert result = @ldap.get_operation_result
 
     assert_equal Net::LDAP::ResultCodeProtocolError, result.code
@@ -21,7 +29,7 @@ class TestReturnCodeIntegration < LDAPIntegrationTestCase
   end
 
   def test_time_limit_exceeded
-    assert @ldap.search(filter: "cn=timeLimitExceeded", base: "ou=Retcodes,dc=rubyldap,dc=com")
+    assert @ldap.search(filter: "cn=timeLimitExceeded", base: "ou=Retcodes,dc=example,dc=org")
     assert result = @ldap.get_operation_result
 
     assert_equal Net::LDAP::ResultCodeTimeLimitExceeded, result.code
@@ -29,7 +37,7 @@ class TestReturnCodeIntegration < LDAPIntegrationTestCase
   end
 
   def test_size_limit_exceeded
-    assert @ldap.search(filter: "cn=sizeLimitExceeded", base: "ou=Retcodes,dc=rubyldap,dc=com")
+    assert @ldap.search(filter: "cn=sizeLimitExceeded", base: "ou=Retcodes,dc=example,dc=org")
     assert result = @ldap.get_operation_result
 
     assert_equal Net::LDAP::ResultCodeSizeLimitExceeded, result.code