rom-ldap 0.2.2

data/lib/rom/ldap/scope.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ROM
+  module LDAP
+    #
+    # Search Scope
+    #
+    # @see https://ldapwiki.com/wiki/LDAP%20Search%20Scopes
+    #
+    # Constrained to the entry named by baseObject.
+    SCOPE_BASE  = 0 # "base"
+    # Constrained to the immediate subordinates of the entry named by baseObject.
+    SCOPE_ONE   = 1 # "one"
+    # Constrained to the entry named by baseObject and to all its subordinates.
+    SCOPE_SUB   = 2 # "sub"
+
+    SCOPES = [SCOPE_BASE, SCOPE_ONE, SCOPE_SUB].freeze
+  end
+end

data/lib/rom/ldap/search_request.rb

@@ -0,0 +1,249 @@
+# frozen_string_literal: true
+
+using ::BER
+
+require 'rom/ldap/types'
+require 'rom/ldap/expression'
+
+module ROM
+  module LDAP
+    # The Search request is defined as follows:
+    #
+    #       SearchRequest ::= [APPLICATION 3] SEQUENCE {
+    #            baseObject      LDAPDN,
+    #            scope           ENUMERATED {
+    #                 baseObject              (0),
+    #                 singleLevel             (1),
+    #                 wholeSubtree            (2),
+    #                 ...  },
+    #            derefAliases    ENUMERATED {
+    #                 neverDerefAliases       (0),
+    #                 derefInSearching        (1),
+    #                 derefFindingBaseObj     (2),
+    #                 derefAlways             (3) },
+    #            sizeLimit       INTEGER (0 ..  maxInt),
+    #            timeLimit       INTEGER (0 ..  maxInt),
+    #            typesOnly       BOOLEAN,
+    #            filter          Filter,
+    #            attributes      AttributeSelection }
+    #
+    #       AttributeSelection ::= SEQUENCE OF selector LDAPString
+    #                       -- The LDAPString is constrained to
+    #                       -- <attributeSelector> in Section 4.5.1.8
+    #
+    #       Filter ::= CHOICE {
+    #            and             [0] SET SIZE (1..MAX) OF filter Filter,
+    #            or              [1] SET SIZE (1..MAX) OF filter Filter,
+    #            not             [2] Filter,
+    #            equalityMatch   [3] AttributeValueAssertion,
+    #            substrings      [4] SubstringFilter,
+    #            greaterOrEqual  [5] AttributeValueAssertion,
+    #            lessOrEqual     [6] AttributeValueAssertion,
+    #            present         [7] AttributeDescription,
+    #            approxMatch     [8] AttributeValueAssertion,
+    #            extensibleMatch [9] MatchingRuleAssertion,
+    #            ...  }
+    #
+    #       SubstringFilter ::= SEQUENCE {
+    #            type           AttributeDescription,
+    #            substrings     SEQUENCE SIZE (1..MAX) OF substring CHOICE {
+    #                 initial [0] AssertionValue,  -- can occur at most once
+    #                 any     [1] AssertionValue,
+    #                 final   [2] AssertionValue } -- can occur at most once
+    #            }
+    #
+    #       MatchingRuleAssertion ::= SEQUENCE {
+    #            matchingRule    [1] MatchingRuleId OPTIONAL,
+    #            type            [2] AttributeDescription OPTIONAL,
+    #            matchValue      [3] AssertionValue,
+    #            dnAttributes    [4] BOOLEAN DEFAULT FALSE }
+    #
+    #
+    #
+    #
+    # @see https://tools.ietf.org/html/rfc4511#section-4.5.1
+    #
+    # @api private
+    class SearchRequest
+
+      extend Initializer
+
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.7
+      #
+      # @!attribute [r] expression
+      #   @return [Expression] Required.
+      option :expression, type: Types.Instance(Expression)
+
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.1
+      #
+      # @!attribute [r] base
+      #   @return [String] Set to Relation default_base:
+      option :base, proc(&:to_s), type: Types::DN, default: -> { EMPTY_STRING }
+
+      # Defaults to only searching entries under base object.
+      #
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.2
+      #
+      # @!attribute [r] scope
+      #   @return [Integer]
+      option :scope, type: Types::Scope, default: -> { SCOPE_SUB }
+
+      # Defaults to dereferencing both when searching and when locating the search base.
+      #
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.3
+      #
+      # @!attribute [r] deref
+      #   @return [Integer]
+      option :deref, type: Types::Deref, default: -> { DEREF_ALWAYS }
+
+      # Defaults to all attributes '*' but not operational.
+      #
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.8
+      #
+      # @!attribute [r] attributes
+      #   @return [Array<String>] Restrict attributes returned.
+      option :attributes, type: Types::Strings, default: -> { [WILDCARD] }
+
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.6
+      #
+      # @!attribute [r] attributes_only
+      #   @return [Boolean] Do not include values.
+      option :attributes_only, type: Types::Strict::Bool, default: -> { false }
+
+      # @!attribute [r] reverse
+      #   @return [Boolean]
+      option :reverse, type: Types::Strict::Bool, default: -> { false }
+
+      # Defaults to not paging results
+      #
+      # Adds :paged_result control to the request.
+      #
+      # @!attribute [r] paged
+      #   @return [Boolean]
+      option :paged, type: Types::Strict::Bool, default: -> { false }
+
+      # ads-maxTimeLimit: 15000
+      # Defaults to zero, no timeout.
+      #
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.5
+      #
+      # @!attribute [r] timeout
+      #   @return [Integer]
+      option :timeout, type: Types::Strict::Integer, default: -> { 0 }
+
+      # ads-maxSizeLimit: 200
+      #
+      # @see https://tools.ietf.org/html/rfc4511#section-4.5.1.4
+      #
+      # @!attribute [r] max
+      #   @return [Integer]
+      option :max, type: Types::Strict::Integer, optional: true
+
+      # @!attribute [r] sort
+      #   @return [Array<String>]
+      option :sorted, type: Types::Strict::Array, optional: true
+
+      # Search request components.
+      #
+      # @return [Array]
+      def parts
+        [
+          base.to_ber,                  # 4.5.1.1.  SearchRequest.baseObject
+          scope.to_ber_enumerated,      # 4.5.1.2.  SearchRequest.scope
+          deref.to_ber_enumerated,      # 4.5.1.3.  SearchRequest.derefAliases
+          limit.to_ber,                 # 4.5.1.4.  SearchRequest.sizeLimit
+          timeout.to_ber,               # 4.5.1.5.  SearchRequest.timeLimit
+          attributes_only.to_ber,       # 4.5.1.6.  SearchRequest.typesOnly
+          expression.to_ber,            # 4.5.1.7.  SearchRequest.filter
+          ber_attrs.to_ber_sequence     # 4.5.1.8.  SearchRequest.attributes
+        ]
+      end
+
+      #
+      # Controls sent by clients are termed 'request controls', and those
+      #   sent by servers are termed 'response controls'.
+      #
+      #        Controls ::= SEQUENCE OF control Control
+      #
+      #        Control ::= SEQUENCE {
+      #             controlType             LDAPOID,
+      #             criticality             BOOLEAN DEFAULT FALSE,
+      #             controlValue            OCTET STRING OPTIONAL }
+      #
+      #
+      # @see https://tools.ietf.org/html/rfc4511#section-4.1.11
+      #
+      # @return [Array]
+      def controls
+        ctrls = []
+        ctrls << build_controls(:paged_results, cookie)    if paged
+        ctrls << build_controls(:sort_request, sort_rules) if sorted
+        ctrls.empty? ? nil : ctrls.to_ber_contextspecific(0)
+      end
+
+      private
+
+      # Set test server to only serve 200 at a time to check paging
+      #
+      # Limit to no more than 126 entries.
+      #
+      # @return [Integer]
+      #
+      # @api private
+      def limit
+        (0..126).cover?(max) ? max : 0
+      end
+
+      # @return [Array]
+      #
+      # @api private
+      def ber_attrs
+        Array(attributes).map { |attr| attr.to_s.to_ber }
+      end
+
+      # @see https://tools.ietf.org/html/rfc2696
+      #
+      # @return [Array]
+      #
+      # @api private
+      def cookie
+        [126.to_ber, EMPTY_STRING.to_ber]
+        # [99.to_ber, EMPTY_STRING.to_ber]
+      end
+
+      #       Control ::= SEQUENCE {
+      #         controlType             LDAPOID,
+      #         criticality             BOOLEAN DEFAULT FALSE,
+      #         controlValue            OCTET STRING OPTIONAL }
+      #
+      # @return [String] LDAP 'control'
+      #
+      # @see PDU#result_controls
+      #
+      def build_controls(type, payload)
+        [
+          OID[type].to_ber,
+          false.to_ber,
+          payload.to_ber_sequence.to_s.to_ber
+        ].to_ber_sequence
+      end
+
+      # Only uses attribute names because not all vendors have fully implemented SSS.
+      #
+      #       SortKeyList ::= SEQUENCE OF SEQUENCE {
+      #            attributeType   AttributeDescription,
+      #            orderingRule    [0] MatchingRuleId OPTIONAL,
+      #            reverseOrder    [1] BOOLEAN DEFAULT FALSE }
+      #
+      #
+      # @see https://tools.ietf.org/html/rfc2891
+      # @see https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/controls/ServerSideSortRequestControl.html
+      #
+      # @api private
+      def sort_rules
+        sorted.map { |attr| [attr.to_ber].to_ber_sequence }
+      end
+
+    end
+  end
+end

data/lib/rom/ldap/socket.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+
+require 'socket'
+require 'rom/initializer'
+
+module GetbyteForSSLSocket
+  def getbyte
+    byte = getc
+    return nil if byte.nil?
+
+    byte.ord
+  end
+end
+
+module FixSSLSocketSyncClose
+  def close
+    super
+    io.close
+  end
+end
+
+module ROM
+  module LDAP
+    #
+    # Builds either TCP or UNIX.
+    #
+    # @api private
+    class Socket
+
+      extend Initializer
+
+      # Unix socket absolute file path
+      #
+      # @!attribute [r] path
+      #   @return [String]
+      option :path, type: Types::Strict::String, reader: :private, optional: true
+
+      # Domain name or IP for TCP connection
+      #
+      # @!attribute [r] host
+      #   @return [String]
+      option :host, type: Types::Strict::String, reader: :private, optional: true
+
+      # TCP port
+      #
+      # @!attribute [r] host
+      #   @return [Integer]
+      option :port, type: Types::Strict::Integer, reader: :private, optional: true
+
+      # OpenSSL
+      # OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+      option :ssl, type: Types::Strict::Hash, reader: :private, optional: true
+
+      # Config
+      # option :timeout, type: Types::Strict::Integer, reader: :private, default: -> { 10 }
+
+      option :read_timeout, type: Types::Strict::Integer, reader: :private, default: -> { 20 }
+
+      # Timeout limit in seconds when writing to the socket
+      #
+      # @!attribute [r] write_timeout
+      #   @return [Integer] default: 10
+      option :write_timeout, type: Types::Strict::Integer, reader: :private, default: -> { 10 }
+
+      # Retry limit when establishing connection
+      #
+      # @!attribute [r] retry_count
+      #   @return [Integer] default: 3
+      option :retry_count, type: Types::Strict::Integer, reader: :private, default: -> { 3 }
+
+      #
+      #
+      # @!attribute [r] retry_count
+      #   @return [Boolean] default: true
+      option :keep_alive, type: Types::Strict::Bool, reader: :private, default: -> { true }
+
+      #
+      #
+      # @!attribute [r] buffered
+      #   @return [Boolean] default: true
+      option :buffered, type: Types::Strict::Bool, reader: :private, default: -> { true }
+
+      # @return [::Socket, ::OpenSSL::SSL::SSLSocket]
+      #
+      def call
+        socket.do_not_reverse_lookup = true
+        socket.sync = buffered
+        socket.setsockopt(:SOCKET, :KEEPALIVE, keep_alive)
+        socket.setsockopt(:TCP, :NODELAY, buffered) unless path
+
+        connect!
+      end
+
+      private
+
+      # @return [::Socket]
+      #
+      # @raise [ConnectionError]
+      #
+      def connect!
+        @counter ||= 1
+
+        if ssl
+          require 'openssl'
+
+          ctx = OpenSSL::SSL::SSLContext.new
+          ctx.set_params(ssl)
+          @socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
+          # socket.extend(GetbyteForSSLSocket) unless socket.respond_to?(:getbyte)
+          # socket.extend(FixSSLSocketSyncClose)
+          socket.connect_nonblock
+        else
+          socket.connect_nonblock(sockaddr)
+        end
+
+        socket
+      rescue Errno::EISCONN
+        socket
+      rescue IO::WaitWritable
+        # OpenSSL::SSL::SSLErrorWaitWritable
+        if writable?
+          connect!
+        else
+          disconnect!
+          raise ConnectionError, "Connection write timeout - #{host}:#{port}"
+        end
+      rescue IO::WaitReadable
+        if readable?
+          @counter += 1
+          retry unless @counter > retry_count
+        else
+          raise ConnectionError, "Connection read timeout - #{host}:#{port}"
+        end
+      rescue Errno::EADDRNOTAVAIL
+        raise ConnectionError, "Host or port is invalid - #{host}:#{port}"
+      rescue SocketError
+        raise ConnectionError, "Host could not be resolved - #{host}:#{port}"
+      rescue Errno::ENOENT
+        raise ConnectionError, "Path to unix socket is invalid - #{path}"
+      rescue Errno::EHOSTDOWN
+        raise ConnectionError, "Server is down - #{host}:#{port}"
+      rescue Errno::ECONNREFUSED
+        raise ConnectionError, "Connection refused - #{host}:#{port}"
+      rescue Errno::EAFNOSUPPORT
+        raise ConnectionError, "Connection is not supported - #{host}:#{port}"
+      rescue
+        disconnect!
+        raise ConnectionError, "Connection failed - #{host}:#{port}"
+      end
+
+      #
+      #
+      # @return [::Socket]
+      #
+      def socket
+        @socket ||= ::Socket.new((path ? :UNIX : :INET), :STREAM)
+      end
+
+      # @return [NilClass]
+      #
+      def disconnect!
+        socket.close
+        @socket = nil
+      end
+
+      # IPV4 or UNIX socket address
+      #
+      # @return [String] ASCII-8BIT
+      #
+      # @api private
+      def sockaddr
+        if addrinfo.unix?
+          ::Socket.pack_sockaddr_un(addrinfo.unix_path)
+
+        elsif addrinfo.ipv4?
+          ::Socket.pack_sockaddr_in(addrinfo.ip_port, addrinfo.ip_address)
+
+        elsif addrinfo.ipv6_loopback?
+          ::Socket.pack_sockaddr_in(addrinfo.ip_port, '127.0.0.1')
+        end
+      end
+
+      # Performs DNS lookup
+      #
+      # @return [Addrinfo]
+      #
+      # @api private
+      def addrinfo
+        return Addrinfo.unix(path) if path
+
+        Addrinfo.tcp(host, port)
+      end
+
+      # @return [TrueClass,FalseClass]
+      #
+      # @api private
+      def writable?
+        !IO.select(nil, [socket], nil, write_timeout).nil?
+      end
+
+      # @return [TrueClass,FalseClass]
+      #
+      # @api private
+      def readable?
+        !IO.select([socket], nil, nil, read_timeout).nil?
+      end
+
+    end
+  end
+end