net-ldap 0.14.0 → 0.18.0

data/lib/net/ldap/error.rb

@@ -1,38 +1,13 @@
 class Net::LDAP
-  class LdapError < StandardError
-    def message
-      "Deprecation warning: Net::LDAP::LdapError is no longer used. Use Net::LDAP::Error or rescue one of it's subclasses. \n" + super
-    end
-  end
-
   class Error < StandardError; end
 
   class AlreadyOpenedError < Error; end
   class SocketError < Error; end
-  class ConnectionRefusedError < Error;
-    def initialize(*args)
-      warn_deprecation_message
-      super
-    end
-
-    def message
-      warn_deprecation_message
-      super
-    end
-
-    private
-
-    def warn_deprecation_message
-      warn "Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead."
-    end
-  end
   class ConnectionError < Error
     def self.new(errors)
       error = errors.first.first
       if errors.size == 1
-        if error.kind_of? Errno::ECONNREFUSED
-          return Net::LDAP::ConnectionRefusedError.new(error.message)
-        end
+        return error if error.is_a? Errno::ECONNREFUSED
 
         return Net::LDAP::Error.new(error.message)
       end
@@ -60,6 +35,7 @@ class Net::LDAP
   class ResponseTypeInvalidError < Error; end
   class ResponseMissingOrInvalidError < Error; end
   class EmptyDNError < Error; end
+  class InvalidDNError < Error; end
   class HashTypeUnsupportedError < Error; end
   class OperatorError < Error; end
   class SubstringFilterError < Error; end

data/lib/net/ldap/filter.rb

@@ -490,7 +490,7 @@ class Net::LDAP::Filter
     when :eq
       if @right == "*" # presence test
         @left.to_s.to_ber_contextspecific(7)
-      elsif @right =~ /[*]/ # substring
+      elsif @right.to_s =~ /[*]/ # substring
         # Parsing substrings is a little tricky. We use String#split to
         # break a string into substrings delimited by the * (star)
         # character. But we also need to know whether there is a star at the
@@ -645,8 +645,15 @@ class Net::LDAP::Filter
 
   ##
   # Converts escaped characters (e.g., "\\28") to unescaped characters
+  # @note slawson20170317: Don't attempt to unescape 16 byte binary data which we assume are objectGUIDs
+  # The binary form of 5936AE79-664F-44EA-BCCB-5C39399514C6 triggers a BINARY -> UTF-8 conversion error
   def unescape(right)
-    right.to_s.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
+    right = right.to_s
+    if right.length == 16 && right.encoding == Encoding::BINARY
+      right
+    else
+      right.to_s.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
+    end
   end
   private :unescape
 
@@ -748,7 +755,7 @@ class Net::LDAP::Filter
     # This parses a given expression inside of parentheses.
     def parse_filter_branch(scanner)
       scanner.scan(/\s*/)
-      if token = scanner.scan(/[-\w:.]*[\w]/)
+      if token = scanner.scan(/[-\w:.;]*[\w]/)
         scanner.scan(/\s*/)
         if op = scanner.scan(/<=|>=|!=|:=|=/)
           scanner.scan(/\s*/)

data/lib/net/ldap/instrumentation.rb

@@ -12,8 +12,8 @@ module Net::LDAP::Instrumentation
   def instrument(event, payload = {})
     payload = (payload || {}).dup
     if instrumentation_service
-      instrumentation_service.instrument(event, payload) do |payload|
-        payload[:result] = yield(payload) if block_given?
+      instrumentation_service.instrument(event, payload) do |instr_payload|
+        instr_payload[:result] = yield(instr_payload) if block_given?
       end
     else
       yield(payload) if block_given?

data/lib/net/ldap/password.rb

@@ -1,5 +1,6 @@
 # -*- ruby encoding: utf-8 -*-
 require 'digest/sha1'
+require 'digest/sha2'
 require 'digest/md5'
 require 'base64'
 require 'securerandom'
@@ -19,20 +20,21 @@ class Net::LDAP::Password
     # * Should we provide sha1 as a synonym for sha1? I vote no because then
     #   should you also provide ssha1 for symmetry?
     #
-    attribute_value = ""
     def generate(type, str)
       case type
       when :md5
-         attribute_value = '{MD5}' + Base64.encode64(Digest::MD5.digest(str)).chomp!
+         '{MD5}' + Base64.strict_encode64(Digest::MD5.digest(str))
       when :sha
-         attribute_value = '{SHA}' + Base64.encode64(Digest::SHA1.digest(str)).chomp!
+         '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(str))
       when :ssha
          salt = SecureRandom.random_bytes(16)
-         attribute_value = '{SSHA}' + Base64.encode64(Digest::SHA1.digest(str + salt) + salt).chomp!
+         '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(str + salt) + salt)
+      when :ssha256
+        salt = SecureRandom.random_bytes(16)
+        '{SSHA256}' + Base64.strict_encode64(Digest::SHA256.digest(str + salt) + salt)
       else
          raise Net::LDAP::HashTypeUnsupportedError, "Unsupported password-hash type (#{type})"
       end
-      return attribute_value
     end
   end
 end

data/lib/net/ldap/pdu.rb

@@ -123,7 +123,7 @@ class Net::LDAP::PDU
     when ExtendedResponse
       parse_extended_response(ber_object[1])
     else
-      raise LdapPduError.new("unknown pdu-type: #{@app_tag}")
+      raise Error.new("unknown pdu-type: #{@app_tag}")
     end
 
     parse_controls(ber_object[2]) if ber_object[2]

data/lib/net/ldap/version.rb

@@ -1,5 +1,5 @@
 module Net
   class LDAP
-    VERSION = "0.14.0"
+    VERSION = "0.18.0"
   end
 end

data/lib/net/ldap.rb

@@ -17,19 +17,19 @@ module Net # :nodoc:
 end
 require 'socket'
 
-require 'net/ber'
-require 'net/ldap/pdu'
-require 'net/ldap/filter'
-require 'net/ldap/dataset'
-require 'net/ldap/password'
-require 'net/ldap/entry'
-require 'net/ldap/instrumentation'
-require 'net/ldap/connection'
-require 'net/ldap/version'
-require 'net/ldap/error'
-require 'net/ldap/auth_adapter'
-require 'net/ldap/auth_adapter/simple'
-require 'net/ldap/auth_adapter/sasl'
+require_relative 'ber'
+require_relative 'ldap/pdu'
+require_relative 'ldap/filter'
+require_relative 'ldap/dataset'
+require_relative 'ldap/password'
+require_relative 'ldap/entry'
+require_relative 'ldap/instrumentation'
+require_relative 'ldap/connection'
+require_relative 'ldap/version'
+require_relative 'ldap/error'
+require_relative 'ldap/auth_adapter'
+require_relative 'ldap/auth_adapter/simple'
+require_relative 'ldap/auth_adapter/sasl'
 
 Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
 Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
@@ -412,7 +412,7 @@ class Net::LDAP
     ResultCodeStrongerAuthRequired         => "Stronger Auth Needed",
     ResultCodeReferral                     => "Referral",
     ResultCodeAdminLimitExceeded           => "Admin Limit Exceeded",
-    ResultCodeUnavailableCriticalExtension => "Unavailable crtical extension",
+    ResultCodeUnavailableCriticalExtension => "Unavailable critical extension",
     ResultCodeConfidentialityRequired      => "Confidentiality Required",
     ResultCodeSaslBindInProgress           => "saslBindInProgress",
     ResultCodeNoSuchAttribute              => "No Such Attribute",
@@ -476,61 +476,73 @@ class Net::LDAP
   #   specify a treebase. If you give a treebase value in any particular
   #   call to #search, that value will override any treebase value you give
   #   here.
+  # * :force_no_page => Set to true to prevent paged results even if your
+  #   server says it supports them. This is a fix for MS Active Directory
+  # * :instrumentation_service => An object responsible for instrumenting
+  #   operations, compatible with ActiveSupport::Notifications' public API.
   # * :encryption => specifies the encryption to be used in communicating
   #   with the LDAP server. The value must be a Hash containing additional
   #   parameters, which consists of two keys:
   #     method: - :simple_tls or :start_tls
-  #     options: - Hash of options for that method
+  #     tls_options: - Hash of options for that method
   #   The :simple_tls encryption method encrypts <i>all</i> communications
   #   with the LDAP server. It completely establishes SSL/TLS encryption with
   #   the LDAP server before any LDAP-protocol data is exchanged. There is no
   #   plaintext negotiation and no special encryption-request controls are
   #   sent to the server. <i>The :simple_tls option is the simplest, easiest
   #   way to encrypt communications between Net::LDAP and LDAP servers.</i>
-  #   It's intended for cases where you have an implicit level of trust in the
-  #   authenticity of the LDAP server. No validation of the LDAP server's SSL
-  #   certificate is performed. This means that :simple_tls will not produce
-  #   errors if the LDAP server's encryption certificate is not signed by a
-  #   well-known Certification Authority. If you get communications or
-  #   protocol errors when using this option, check with your LDAP server
-  #   administrator. Pay particular attention to the TCP port you are
-  #   connecting to. It's impossible for an LDAP server to support plaintext
-  #   LDAP communications and <i>simple TLS</i> connections on the same port.
-  #   The standard TCP port for unencrypted LDAP connections is 389, but the
-  #   standard port for simple-TLS encrypted connections is 636. Be sure you
-  #   are using the correct port.
-  #
+  #   If you get communications or protocol errors when using this option,
+  #   check with your LDAP server administrator. Pay particular attention
+  #   to the TCP port you are connecting to. It's impossible for an LDAP
+  #   server to support plaintext LDAP communications and <i>simple TLS</i>
+  #   connections on the same port. The standard TCP port for unencrypted
+  #   LDAP connections is 389, but the standard port for simple-TLS
+  #   encrypted connections is 636. Be sure you are using the correct port.
   #   The :start_tls like the :simple_tls encryption method also encrypts all
   #   communcations with the LDAP server. With the exception that it operates
   #   over the standard TCP port.
   #
-  #   In order to verify certificates and enable other TLS options, the
-  #   :tls_options hash can be passed alongside :simple_tls or :start_tls.
-  #   This hash contains any options that can be passed to
-  #   OpenSSL::SSL::SSLContext#set_params(). The most common options passed
-  #   should be OpenSSL::SSL::SSLContext::DEFAULT_PARAMS, or the :ca_file option,
-  #   which contains a path to a Certificate Authority file (PEM-encoded).
-  #
-  #   Example for a default setup without custom settings:
-  #     {
-  #       :method => :simple_tls,
-  #       :tls_options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
-  #     }
-  #
-  #   Example for specifying a CA-File and only allowing TLSv1.1 connections:
+  #   To validate the LDAP server's certificate (a security must if you're
+  #   talking over the public internet), you need to set :tls_options
+  #   something like this...
   #
-  #     {
-  #       :method => :start_tls,
-  #       :tls_options => { :ca_file => "/etc/cafile.pem", :ssl_version => "TLSv1_1" }
+  #   Net::LDAP.new(
+  #     # ... set host, bind dn, etc ...
+  #     encryption: {
+  #       method: :simple_tls,
+  #       tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS,
   #     }
-  # * :force_no_page => Set to true to prevent paged results even if your
-  #   server says it supports them. This is a fix for MS Active Directory
-  # * :instrumentation_service => An object responsible for instrumenting
-  #   operations, compatible with ActiveSupport::Notifications' public API.
+  #   )
+  #
+  #   The above will use the operating system-provided store of CA
+  #   certificates to validate your LDAP server's cert.
+  #   If cert validation fails, it'll happen during the #bind
+  #   whenever you first try to open a connection to the server.
+  #   Those methods will throw Net::LDAP::ConnectionError with
+  #   a message about certificate verify failing. If your
+  #   LDAP server's certificate is signed by DigiCert, Comodo, etc.,
+  #   you're probably good. If you've got a self-signed cert but it's
+  #   been added to the host's OS-maintained CA store (e.g. on Debian
+  #   add foobar.crt to /usr/local/share/ca-certificates/ and run
+  #   `update-ca-certificates`), then the cert should pass validation.
+  #   To ignore the OS's CA store, put your CA in a PEM-encoded file and...
+  #
+  #   encryption: {
+  #     method:      :simple_tls,
+  #     tls_options: { ca_file:     '/path/to/my-little-ca.pem',
+  #                    ssl_version: 'TLSv1_1' },
+  #   }
+  #
+  #   As you might guess, the above example also fails the connection
+  #   if the client can't negotiate TLS v1.1.
+  #   tls_options is ultimately passed to OpenSSL::SSL::SSLContext#set_params
+  #   For more details, see
+  #    http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
   #
   # Instantiating a Net::LDAP object does <i>not</i> result in network
   # traffic to the LDAP server. It simply stores the connection and binding
-  # parameters in the object.
+  # parameters in the object. That's why Net::LDAP.new doesn't throw
+  # cert validation errors itself; #bind does instead.
   def initialize(args = {})
     @host = args[:host] || DefaultHost
     @port = args[:port] || DefaultPort
@@ -700,7 +712,7 @@ class Net::LDAP
       begin
         @open_connection = new_connection
         payload[:connection] = @open_connection
-        payload[:bind]       = @open_connection.bind(@auth)
+        payload[:bind]       = @result = @open_connection.bind(@auth)
         yield self
       ensure
         @open_connection.close if @open_connection
@@ -1170,14 +1182,22 @@ class Net::LDAP
   # entries. This method sends an extra control code to tell the LDAP server
   # to do a tree delete. ('1.2.840.113556.1.4.805')
   #
+  # If the LDAP server does not support the DELETE_TREE control code, subordinate
+  # entries are deleted recursively instead.
+  #
   # Returns True or False to indicate whether the delete succeeded. Extended
   # status information is available by calling #get_operation_result.
   #
   #  dn = "mail=deleteme@example.com, ou=people, dc=example, dc=com"
   #  ldap.delete_tree :dn => dn
   def delete_tree(args)
-    delete(args.merge(:control_codes => [[Net::LDAP::LDAPControls::DELETE_TREE, true]]))
+    if search_root_dse[:supportedcontrol].include? Net::LDAP::LDAPControls::DELETE_TREE
+      delete(args.merge(:control_codes => [[Net::LDAP::LDAPControls::DELETE_TREE, true]]))
+    else
+      recursive_delete(args)
+    end
   end
+
   # This method is experimental and subject to change. Return the rootDSE
   # record from the LDAP server as a Net::LDAP::Entry, or an empty Entry if
   # the server doesn't return the record.
@@ -1286,11 +1306,9 @@ class Net::LDAP
     else
       begin
         conn = new_connection
-        if (result = conn.bind(args[:auth] || @auth)).result_code == Net::LDAP::ResultCodeSuccess
-          yield conn
-        else
-          return result
-        end
+        result = conn.bind(args[:auth] || @auth)
+        return result unless result.result_code == Net::LDAP::ResultCodeSuccess
+        yield conn
       ensure
         conn.close if conn
       end
@@ -1310,7 +1328,7 @@ class Net::LDAP
     # Force connect to see if there's a connection error
     connection.socket
     connection
-  rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Net::LDAP::ConnectionRefusedError => e
+  rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT => e
     @result = {
       :resultCode   => 52,
       :errorMessage => ResultStrings[ResultCodeUnavailable],
@@ -1330,4 +1348,19 @@ class Net::LDAP
     end
   end
 
+  # Recursively delete a dn and it's subordinate children.
+  # This is useful when a server does not support the DELETE_TREE control code.
+  def recursive_delete(args)
+    raise EmptyDNError unless args.is_a?(Hash) && args.key?(:dn)
+    # Delete Children
+    search(base: args[:dn], scope: Net::LDAP::SearchScope_SingleLevel) do |entry|
+      recursive_delete(dn: entry.dn)
+    end
+    # Delete Self
+    unless delete(dn: args[:dn])
+      raise Net::LDAP::Error, get_operation_result[:error_message].to_s
+    end
+    true
+  end
+
 end # class LDAP

data/lib/net/snmp.rb

@@ -1,5 +1,5 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ldap/version'
+require_relative 'ldap/version'
 
 # :stopdoc:
 module Net

data/lib/net-ldap.rb

@@ -1,2 +1,2 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ldap'
+require_relative 'net/ldap'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: net-ldap
 version: !ruby/object:Gem::Version
-  version: 0.14.0
+  version: 0.18.0
 platform: ruby
 authors:
 - Francis Cianfrocca
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-05 00:00:00.000000000 Z
+date: 2023-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: flexmock
@@ -35,56 +35,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.28.0
+        version: '1.48'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.28.0
+        version: '1.48'
 - !ruby/object:Gem::Dependency
   name: test-unit
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.3'
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 9.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 9.0.6
 description: |-
   Net::LDAP for Ruby (also called net-ldap) implements client access for the
   Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for
@@ -112,18 +112,11 @@ extra_rdoc_files:
 - License.rdoc
 - README.rdoc
 files:
-- ".gitignore"
-- ".rubocop.yml"
-- ".rubocop_todo.yml"
-- ".travis.yml"
-- CONTRIBUTING.md
 - Contributors.rdoc
-- Gemfile
 - Hacking.rdoc
 - History.rdoc
 - License.rdoc
 - README.rdoc
-- Rakefile
 - lib/net-ldap.rb
 - lib/net/ber.rb
 - lib/net/ber/ber_parser.rb
@@ -149,47 +142,6 @@ files:
 - lib/net/ldap/pdu.rb
 - lib/net/ldap/version.rb
 - lib/net/snmp.rb
-- net-ldap.gemspec
-- script/changelog
-- script/install-openldap
-- script/package
-- script/release
-- test/ber/core_ext/test_array.rb
-- test/ber/core_ext/test_string.rb
-- test/ber/test_ber.rb
-- test/fixtures/cacert.pem
-- test/fixtures/openldap/memberof.ldif
-- test/fixtures/openldap/retcode.ldif
-- test/fixtures/openldap/slapd.conf.ldif
-- test/fixtures/seed.ldif
-- test/integration/test_add.rb
-- test/integration/test_ber.rb
-- test/integration/test_bind.rb
-- test/integration/test_delete.rb
-- test/integration/test_open.rb
-- test/integration/test_password_modify.rb
-- test/integration/test_return_codes.rb
-- test/integration/test_search.rb
-- test/support/vm/openldap/.gitignore
-- test/support/vm/openldap/README.md
-- test/support/vm/openldap/Vagrantfile
-- test/test_auth_adapter.rb
-- test/test_dn.rb
-- test/test_entry.rb
-- test/test_filter.rb
-- test/test_filter_parser.rb
-- test/test_helper.rb
-- test/test_ldap.rb
-- test/test_ldap_connection.rb
-- test/test_ldif.rb
-- test/test_password.rb
-- test/test_rename.rb
-- test/test_search.rb
-- test/test_snmp.rb
-- test/test_ssl_ber.rb
-- test/testdata.ldif
-- testserver/ldapserver.rb
-- testserver/testdata.ldif
 homepage: http://github.com/ruby-ldap/ruby-net-ldap
 licenses:
 - MIT
@@ -211,47 +163,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 3.4.7
 signing_key: 
 specification_version: 4
 summary: Net::LDAP for Ruby (also called net-ldap) implements client access for the
   Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for accessing
   distributed directory services
-test_files:
-- test/ber/core_ext/test_array.rb
-- test/ber/core_ext/test_string.rb
-- test/ber/test_ber.rb
-- test/fixtures/cacert.pem
-- test/fixtures/openldap/memberof.ldif
-- test/fixtures/openldap/retcode.ldif
-- test/fixtures/openldap/slapd.conf.ldif
-- test/fixtures/seed.ldif
-- test/integration/test_add.rb
-- test/integration/test_ber.rb
-- test/integration/test_bind.rb
-- test/integration/test_delete.rb
-- test/integration/test_open.rb
-- test/integration/test_password_modify.rb
-- test/integration/test_return_codes.rb
-- test/integration/test_search.rb
-- test/support/vm/openldap/.gitignore
-- test/support/vm/openldap/README.md
-- test/support/vm/openldap/Vagrantfile
-- test/test_auth_adapter.rb
-- test/test_dn.rb
-- test/test_entry.rb
-- test/test_filter.rb
-- test/test_filter_parser.rb
-- test/test_helper.rb
-- test/test_ldap.rb
-- test/test_ldap_connection.rb
-- test/test_ldif.rb
-- test/test_password.rb
-- test/test_rename.rb
-- test/test_search.rb
-- test/test_snmp.rb
-- test/test_ssl_ber.rb
-- test/testdata.ldif
-- testserver/ldapserver.rb
-- testserver/testdata.ldif
+test_files: []

data/.gitignore

@@ -1,9 +0,0 @@
-*~
-*.swp
-.rvmrc
-pkg/
-doc/
-publish/
-Gemfile.lock
-.bundle
-bin/

data/.rubocop.yml

@@ -1,17 +0,0 @@
-inherit_from: .rubocop_todo.yml
-
-AllCops:
-  Exclude:
-    - 'pkg/**/*'
-
-Style/ExtraSpacing:
-  Enabled: false
-
-Lint/AssignmentInCondition:
-  Enabled: false
-
-Style/ParallelAssignment:
-  Enabled: false
-
-Style/TrailingComma:
-  EnforcedStyleForMultiline: comma