rom-ldap 0.2.2

data/lib/rom/ldap/client.rb

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+
+require 'ber'
+
+require 'rom/initializer'
+require 'rom/ldap/message_queue'
+require 'rom/ldap/pdu'
+require 'rom/ldap/socket'
+require 'rom/ldap/client/operations'
+require 'rom/ldap/client/authentication'
+
+module ROM
+  module LDAP
+    #
+    # Uses socket to read and write using BER encoding.
+    #
+    # @api private
+    class Client
+
+      using ::BER
+
+      extend Initializer
+
+      # @!attribute [r] host
+      #   @return [String]
+      option :host, reader: :private, type: Types::Strict::String
+
+      option :port, reader: :private, type: Types::Strict::Integer
+      option :path, reader: :private, type: Types::Strict::String
+      option :auth, reader: :private, type: Types::Strict::Hash, optional: true
+      option :ssl,  reader: :private, type: Types::Strict::Hash, optional: true
+      option :queue, default: -> { MessageQueue }
+
+      include Operations
+      include Authentication
+
+      attr_reader :socket
+
+      # Create connection (encrypted) and authenticate.
+      #
+      # @yield [Socket]
+      #
+      # @raise [BindError, SecureBindError]
+      def open
+        unless alive?
+          @socket = Socket.new(options).call
+
+          # tls
+          if ssl
+            start_tls
+            sasl_bind # (mechanism:, credentials:, challenge:)
+          end
+
+          bind(auth) unless auth.nil? # simple auth
+        end
+
+        yield(@socket)
+      end
+
+      # @return [Boolean]
+      #
+      def closed?
+        socket.nil? || (socket.is_a?(::Socket) && socket.closed?)
+      end
+
+      # @return [NilClass]
+      #
+      def close
+        return if socket.nil?
+
+        socket.close
+        @socket = nil
+      end
+
+      # @return [Boolean]
+      #
+      def alive?
+        return false if closed?
+
+        if IO.select([socket], nil, nil, 0)
+          begin
+            !socket.eof?
+          rescue StandardError
+            false
+          end
+        else
+          true
+        end
+      rescue IOError
+        false
+      end
+
+      private
+
+      # @see BER
+      #
+      # @param symbol [Symbol]
+      #
+      # @return [Integer]
+      def pdu_lookup(symbol)
+        ::BER.fetch(:response, symbol)
+      end
+
+      # Read from socket and wrap in PDU class.
+      #
+      # @return [PDU, NilClass]
+      def read
+        open do |socket|
+          return unless (ber_object = socket.read_ber)
+
+          PDU.new(*ber_object)
+        end
+      rescue Errno::ECONNRESET
+        close
+        retry
+      end
+
+      # Write to socket.
+      #
+      # @api private
+      def write(request, message_id, controls = nil)
+        open do |socket|
+          packet = [message_id.to_ber, request, controls].compact.to_ber_sequence
+          socket.write(packet)
+          socket.flush
+        end
+      rescue Errno::EPIPE, IOError
+        close
+        retry
+      end
+
+      # @return [PDU]
+      #
+      # @api private
+      def from_queue(message_id)
+        if (pdu = queue[message_id].shift)
+          return pdu
+        end
+
+        while (pdu = read)
+          return pdu if pdu.message_id.eql?(message_id)
+
+          queue[pdu.message_id].push(pdu)
+          next
+        end
+
+        pdu
+      end
+
+      # Increment the message counter.
+      #
+      # @return [Integer]
+      #
+      # @api private
+      def next_msgid
+        @msgid ||= 0
+        @msgid += 1
+      end
+
+      # Persist changes to the server and return response object.
+      # Enable stdout debugging with DEBUG=y.
+      #
+      # @return [PDU]
+      #
+      # @raise [ResponseError]
+      #
+      # @api private
+      def submit(type, request, controls = nil)
+        message_id = next_msgid
+
+        write(request, message_id, controls)
+
+        pdu = from_queue(message_id)
+
+        if pdu&.app_tag == pdu_lookup(type)
+          puts pdu.advice if ENV['DEBUG'] && pdu.advice && !pdu.advice.empty?
+          pdu
+        else
+          raise(ResponseError, "Invalid #{type}")
+        end
+      end
+
+    end
+  end
+end

data/lib/rom/ldap/client/authentication.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+# rubocop:disable Lint/SuppressedException
+begin
+  # TODO: Windows NTLM authentication
+  # @see https://github.com/winrb/rubyntlm
+  require 'rubyntlm'
+rescue LoadError
+  # ntlm_bind
+end
+# rubocop:enable Lint/SuppressedException
+
+module ROM
+  module LDAP
+    # @api private
+    class Client
+
+      using ::BER
+
+      # Adds authentication capability to the client.
+      #
+      # @api private
+      module Authentication
+        #
+        # The Bind request is defined as follows:
+        #
+        #       BindRequest ::= [APPLICATION 0] SEQUENCE {
+        #            version                 INTEGER (1 ..  127),
+        #            name                    LDAPDN,
+        #            authentication          AuthenticationChoice }
+        #
+        #       AuthenticationChoice ::= CHOICE {
+        #            simple                  [0] OCTET STRING,
+        #                                    -- 1 and 2 reserved
+        #            sasl                    [3] SaslCredentials,
+        #            ...  }
+        #
+        #       SaslCredentials ::= SEQUENCE {
+        #            mechanism               LDAPString,
+        #            credentials             OCTET STRING OPTIONAL }
+        #
+        # @see https://tools.ietf.org/html/rfc4511#section-4.2
+        # @see https://tools.ietf.org/html/rfc4513
+        #
+        #
+        # @option :username [String]
+        #
+        # @option :password [String]
+        #
+        # @return [PDU] result object
+        #
+        # @raise [BindError]
+        #
+        # @api public
+        def bind(username:, password:)
+          request_type = pdu_lookup(:bind_request)
+
+          request = [
+            3.to_ber,
+            username.to_ber,
+            password.to_ber_contextspecific(0)
+          ].to_ber_appsequence(request_type)
+
+          pdu = submit(:bind_result, request)
+          raise(BindError, username) if pdu.failure?
+
+          pdu
+        end
+
+        #
+        #
+        # @return [PDU] result object
+        #
+        # @api private
+        def start_tls
+          request_type = pdu_lookup(:extended_request)
+
+          request = [
+            OID[:start_tls].to_ber_contextspecific(0)
+          ].to_ber_appsequence(request_type)
+
+          submit(:extended_response, request)
+        end
+
+        #
+        # @return
+        #
+        # @raise [SecureBindError]
+        #
+        # @api private
+        def sasl_bind(mechanism:, credentials:, challenge:)
+          request_type = pdu_lookup(:bind_request)
+          n = 0
+
+          loop do
+            sasl = [
+              mechanism.to_ber,
+              credentials.to_ber
+            ].to_ber_contextspecific(3)
+
+            request = [
+              3.to_ber,
+              EMPTY_STRING.to_ber,
+              sasl
+            ].to_ber_appsequence(request_type)
+
+            raise SecureBindError, 'sasl-challenge overflow' if (n += 1) > 10
+
+            pdu = submit(:bind_request, request)
+
+            credentials = challenge.call(pdu.result_server_sasl_creds)
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/rom/ldap/client/operations.rb

@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+require 'rom/ldap/search_request'
+
+module ROM
+  module LDAP
+    # @api private
+    class Client
+
+      using ::BER
+
+      # Adds entry creation capability to the connection.
+      #
+      # @api private
+      module Operations
+        # Connection Search Operation
+        #
+        # @see https://tools.ietf.org/html/rfc4511#section-4.5.3
+        # @see https://tools.ietf.org/html/rfc2696
+        #
+        # @todo Write spec for yielding search_referrals
+        #
+        # @yield [Entry]
+        # @yield [Hash] :search_referrals
+        #
+        # @api private
+        def search(return_refs: true, **params)
+          search_request = SearchRequest.new(params)
+          request_type   = pdu_lookup(:search_request)
+          result_pdu     = nil
+
+          more_pages = false
+          paged_results_cookie = [126, EMPTY_STRING]
+          # paged_results_cookie = [10, EMPTY_STRING]
+
+          request    = search_request.parts.to_ber_appsequence(request_type)
+          controls   = search_request.controls
+          message_id = next_msgid
+
+          loop do
+            write(request, message_id, controls)
+
+            result_pdu = nil
+            controls   = EMPTY_ARRAY
+
+            while (pdu = from_queue(message_id))
+              case pdu.app_tag
+              when pdu_lookup(:search_returned_data) # 4
+                yield(pdu.search_entry)
+
+              when pdu_lookup(:search_result) # 5
+                result_pdu = pdu
+                controls   = pdu.result_controls
+                yield(search_referrals: pdu.search_referrals) if return_refs && pdu.search_referral?
+                break
+
+              when pdu_lookup(:search_result_referral) # 19
+                yield(search_referrals: pdu.search_referrals) if return_refs
+
+              else
+                raise ResponseTypeInvalidError, "invalid response-type in search: #{pdu.app_tag}"
+              end
+            end
+
+            if result_pdu&.success?
+              controls.each do |c|
+                next if c.oid != OID[:paged_results]
+
+                next if c.value&.empty?
+
+                # [ 0, "" ]
+                _int, cookie = c.value.read_ber
+
+                # next page of results
+                #
+                unless cookie&.empty?
+
+                  # cookie => "\u0001\u0000\u0000"
+                  # cookie.read_ber => true
+
+                  paged_results_cookie[1] = cookie
+                  more_pages = true
+                end
+              end
+            end
+
+            break unless more_pages
+          end
+
+          result_pdu
+        ensure
+          queue.delete(message_id)
+        end
+
+        #
+        # @option :dn [String] distinguished name
+        # @option :attrs [Hash]
+        #
+        # @api private
+        def add(dn:, attrs:)
+          request_type = pdu_lookup(:add_request)
+
+          ber_attrs = attrs.each_with_object([]) do |(k, v), attributes|
+            ber_values = values_to_ber_set(v)
+            attributes << [k.to_s.to_ber, ber_values].to_ber_sequence
+          end
+
+          request = [
+            dn.to_ber,
+            ber_attrs.to_ber_sequence
+          ].to_ber_appsequence(request_type)
+
+          submit(:add_response, request)
+        end
+
+        # @option :dn [String] distinguished name
+        #
+        # @option :controls [Array<String>] e.g. DELETE_TREE
+        #
+        # @api private
+        def delete(dn:, controls: nil)
+          request_type = pdu_lookup(:delete_request)
+          request = dn.to_ber_application_string(request_type)
+
+          if controls
+            submit(:delete_response, request, controls.to_ber_control)
+          else
+            submit(:delete_response, request)
+          end
+        end
+
+        # @option :dn [String] distinguished name
+        #
+        # @option :ops [Array<Mixed>] operation ast
+        #
+        # @return [PDU] result object
+        #
+        # @api private
+        def update(dn:, ops:)
+          request_type = pdu_lookup(:modify_request)
+          operations = modify_ops(ops)
+
+          request = [
+            dn.to_ber,
+            operations.to_ber_sequence
+          ].to_ber_appsequence(request_type)
+
+          submit(:modify_response, request)
+        end
+
+        # TODO: spec rename and use by relations
+        #
+        # @option :dn [String] current distinguished name
+        #
+        # @option :rdn [String] new relative distinguished name
+        #
+        # @option :replace [TrueClass] replace existing rdn
+        #
+        # @option :superior [String] new parent dn
+        #
+        # @return [PDU] result object
+        #
+        # @api public
+        def rename(dn:, rdn:, replace: false, superior: nil)
+          request_type = pdu_lookup(:modify_rdn_request)
+
+          request = [dn, rdn, replace].map { |a| a.to_ber } # &:to_ber
+
+          request << superior.to_ber_contextspecific(0) if superior
+
+          request = request.to_ber_appsequence(request_type)
+
+          submit(:modify_rdn_response, request)
+        end
+
+        # Password should have a minimum of 5 characters.
+        #
+        # @see http://tools.ietf.org/html/rfc3062
+        #
+        # @option :dn [String] distinguished name
+        #
+        # @option :old_pwd [String] current password (optional for admin reset)
+        #
+        # @option :new_pwd [String] replacement password
+        #
+        # @return [PDU] result object
+        #
+        # @api public
+        def password_modify(dn:, old_pwd: nil, new_pwd:)
+          request_type = pdu_lookup(:extended_request)
+          context = OID[:password_modify].to_ber_contextspecific(0)
+
+          payload = [dn.to_ber(0x80)]
+          payload << old_pwd.to_ber(0x81) if old_pwd
+          payload << new_pwd.to_ber(0x82)
+          payload = payload.to_ber_sequence.to_ber(0x81)
+
+          request = [context, payload].to_ber_appsequence(request_type)
+
+          submit(:extended_response, request)
+        end
+
+        private
+
+        # Encode (replace) operation AST to BER.
+        # Operation tokens are add=0, delete=1 and replace=2.
+        #
+        # @param operations [Array]
+        #
+        # @return [Array] BER encoded operations
+        def modify_ops(operations = EMPTY_ARRAY)
+          operations.each_with_object([]) do |(attribute, values), ops|
+            payload = [
+              attribute.to_s.to_ber,
+              values_to_ber_set(values)
+            ].to_ber_sequence
+
+            ops << [2.to_ber_enumerated, payload].to_ber
+          end
+        end
+
+        # @param values [String, Array<String>]
+        #
+        # @return [String] Encoding:ASCII-8BIT
+        #
+        def values_to_ber_set(values)
+          Array(values).map { |v| v&.to_ber }.to_ber_set
+        end
+      end
+
+    end
+  end
+end