RubyGems - rom-ldap - Versions diffs - 0.2.2 - Mend

rom-ldap 0.2.2

Files changed (104) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +251 -0
data/CONTRIBUTING.md +18 -0
data/README.md +172 -0
data/TODO.md +33 -0
data/config/responses.yml +328 -0
data/lib/dry/monitor/ldap/colorizers/default.rb +17 -0
data/lib/dry/monitor/ldap/colorizers/rouge.rb +31 -0
data/lib/dry/monitor/ldap/logger.rb +58 -0
data/lib/rom-ldap.rb +1 -0
data/lib/rom/ldap.rb +22 -0
data/lib/rom/ldap/alias.rb +30 -0
data/lib/rom/ldap/associations.rb +6 -0
data/lib/rom/ldap/associations/core.rb +23 -0
data/lib/rom/ldap/associations/many_to_many.rb +18 -0
data/lib/rom/ldap/associations/many_to_one.rb +22 -0
data/lib/rom/ldap/associations/one_to_many.rb +32 -0
data/lib/rom/ldap/associations/one_to_one.rb +19 -0
data/lib/rom/ldap/associations/self_ref.rb +35 -0
data/lib/rom/ldap/attribute.rb +327 -0
data/lib/rom/ldap/client.rb +185 -0
data/lib/rom/ldap/client/authentication.rb +118 -0
data/lib/rom/ldap/client/operations.rb +233 -0
data/lib/rom/ldap/commands.rb +6 -0
data/lib/rom/ldap/commands/create.rb +41 -0
data/lib/rom/ldap/commands/delete.rb +17 -0
data/lib/rom/ldap/commands/update.rb +35 -0
data/lib/rom/ldap/constants.rb +193 -0
data/lib/rom/ldap/dataset.rb +286 -0
data/lib/rom/ldap/dataset/conversion.rb +62 -0
data/lib/rom/ldap/dataset/dsl.rb +299 -0
data/lib/rom/ldap/dataset/persistence.rb +44 -0
data/lib/rom/ldap/directory.rb +126 -0
data/lib/rom/ldap/directory/capabilities.rb +71 -0
data/lib/rom/ldap/directory/entry.rb +200 -0
data/lib/rom/ldap/directory/env.rb +155 -0
data/lib/rom/ldap/directory/operations.rb +282 -0
data/lib/rom/ldap/directory/password.rb +122 -0
data/lib/rom/ldap/directory/root.rb +187 -0
data/lib/rom/ldap/directory/tokenization.rb +66 -0
data/lib/rom/ldap/directory/transactions.rb +31 -0
data/lib/rom/ldap/directory/vendors/active_directory.rb +129 -0
data/lib/rom/ldap/directory/vendors/apache_ds.rb +27 -0
data/lib/rom/ldap/directory/vendors/e_directory.rb +16 -0
data/lib/rom/ldap/directory/vendors/open_directory.rb +12 -0
data/lib/rom/ldap/directory/vendors/open_dj.rb +25 -0
data/lib/rom/ldap/directory/vendors/open_ldap.rb +35 -0
data/lib/rom/ldap/directory/vendors/three_eight_nine.rb +16 -0
data/lib/rom/ldap/directory/vendors/unknown.rb +22 -0
data/lib/rom/ldap/dsl.rb +76 -0
data/lib/rom/ldap/errors.rb +47 -0
data/lib/rom/ldap/expression.rb +77 -0
data/lib/rom/ldap/expression_encoder.rb +174 -0
data/lib/rom/ldap/extensions.rb +50 -0
data/lib/rom/ldap/extensions/active_support_notifications.rb +26 -0
data/lib/rom/ldap/extensions/compatibility.rb +11 -0
data/lib/rom/ldap/extensions/dsml.rb +165 -0
data/lib/rom/ldap/extensions/msgpack.rb +23 -0
data/lib/rom/ldap/extensions/optimised_json.rb +25 -0
data/lib/rom/ldap/extensions/rails_log_subscriber.rb +38 -0
data/lib/rom/ldap/formatter.rb +26 -0
data/lib/rom/ldap/functions.rb +207 -0
data/lib/rom/ldap/gateway.rb +145 -0
data/lib/rom/ldap/ldif.rb +74 -0
data/lib/rom/ldap/ldif/exporter.rb +77 -0
data/lib/rom/ldap/ldif/importer.rb +95 -0
data/lib/rom/ldap/mapper_compiler.rb +19 -0
data/lib/rom/ldap/matchers.rb +69 -0
data/lib/rom/ldap/message_queue.rb +7 -0
data/lib/rom/ldap/oid.rb +101 -0
data/lib/rom/ldap/parsers/abstract_syntax.rb +91 -0
data/lib/rom/ldap/parsers/attribute.rb +290 -0
data/lib/rom/ldap/parsers/filter_syntax.rb +133 -0
data/lib/rom/ldap/pdu.rb +285 -0
data/lib/rom/ldap/plugin/pagination.rb +145 -0
data/lib/rom/ldap/plugins.rb +7 -0
data/lib/rom/ldap/projection_dsl.rb +38 -0
data/lib/rom/ldap/relation.rb +135 -0
data/lib/rom/ldap/relation/exporting.rb +72 -0
data/lib/rom/ldap/relation/reading.rb +461 -0
data/lib/rom/ldap/relation/writing.rb +64 -0
data/lib/rom/ldap/responses.rb +17 -0
data/lib/rom/ldap/restriction_dsl.rb +45 -0
data/lib/rom/ldap/schema.rb +123 -0
data/lib/rom/ldap/schema/attributes_inferrer.rb +59 -0
data/lib/rom/ldap/schema/dsl.rb +13 -0
data/lib/rom/ldap/schema/inferrer.rb +50 -0
data/lib/rom/ldap/schema/type_builder.rb +133 -0
data/lib/rom/ldap/scope.rb +19 -0
data/lib/rom/ldap/search_request.rb +249 -0
data/lib/rom/ldap/socket.rb +210 -0
data/lib/rom/ldap/tasks/ldap.rake +103 -0
data/lib/rom/ldap/tasks/ldif.rake +80 -0
data/lib/rom/ldap/transaction.rb +29 -0
data/lib/rom/ldap/type_map.rb +88 -0
data/lib/rom/ldap/types.rb +158 -0
data/lib/rom/ldap/version.rb +17 -0
data/lib/rom/plugins/relation/ldap/active_directory.rb +182 -0
data/lib/rom/plugins/relation/ldap/auto_restrictions.rb +69 -0
data/lib/rom/plugins/relation/ldap/e_directory.rb +27 -0
data/lib/rom/plugins/relation/ldap/instrumentation.rb +35 -0
data/lib/rouge/lexers/ldap.rb +72 -0
data/lib/rouge/themes/ldap.rb +49 -0
metadata +231 -0

data/lib/rom/ldap/directory/password.rb ADDED Viewed

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+require 'digest/sha1'
+require 'digest/sha2'
+require 'digest/md5'
+require 'base64'
+require 'securerandom'
+# sha2-512 512bit or 64bytes
+# sha 160bits or 20bytes
+#
+module ROM
+  module LDAP
+    class Directory
+      # @abstract
+      #   Encode and validate passwords using md5, sha or ssha.
+      #
+      # @api public
+      class Password
+        # Generate an ecrypted password.
+        #
+        # @example
+        #   Password.generate(:ssha, 'secret magic word')
+        #
+        # @param type     [Symbol] Encryption type. [:md5, :sha, :ssha].
+        # @param password [String] Plain text password to be encrypted.
+        #
+        # @return [String]
+        #
+        # @raise [PasswordError]
+        #
+        # @api public
+        def self.generate(type, password, salt = secure_salt)
+          raise PasswordError, 'No password supplied' if password.nil?
+          case type
+          when :md5    then _encode(type, md5(password))
+          when :sha    then _encode(type, sha(password))
+          when :ssha   then _encode(type, ssha(password, salt))
+          when :ssha512 then _encode(type, ssha512(password, salt))
+          else
+            raise PasswordError, "Unsupported encryption type (#{type})"
+          end
+        end
+        def self.check_ssha512(password, encrypted)
+          decoded = Base64.decode64(encrypted.gsub(/^{SSHA512}/, EMPTY_STRING))
+          # hash = decoded[0..64]
+          salt = decoded[64..-1]
+          _encode(:ssha512, ssha512(password, salt)) == encrypted
+        end
+        # Validate plain password against encrypted SSHA password.
+        #
+        # @return [Boolean]
+        #
+        # @api public
+        def self.check_ssha(password, encrypted)
+          decoded = Base64.decode64(encrypted.gsub(/^{SSHA}/, EMPTY_STRING))
+          # hash = decoded[0..20]
+          salt = decoded[20..-1]
+          _encode(:ssha, ssha(password, salt)) == encrypted
+        end
+        private_class_method
+        # @return [String] Prepend type to encrypted string.
+        #
+        # @api private
+        def self._encode(type, encrypted)
+          "{#{type.upcase}}" + Base64.strict_encode64(encrypted).chomp
+        end
+        # Generate salt.
+        #
+        # @api private
+        def self.secure_salt
+          SecureRandom.random_bytes(16)
+        end
+        # @param str [String]
+        #
+        # @return [String] MD5 digest.
+        #
+        # @api private
+        def self.md5(str)
+          Digest::MD5.digest(str)
+        end
+        # @param str  [String]
+        # @param salt [String]
+        #
+        # @return [String] SHA1 digest with salt.
+        #
+        # @api private
+        def self.ssha(str, salt)
+          Digest::SHA1.digest(str + salt) + salt
+        end
+        # @param str [String]
+        #
+        # @return [String] SHA1 digest without salt.
+        #
+        # @api private
+        def self.sha(str)
+          Digest::SHA1.digest(str)
+        end
+        # "{SSHA512}A1lCCGYzUEJ5/qQCrFUAztLVaTaWv959RnpzaOsWB9Ij4CBCeNh6i4XrZzrvwUMM/AWbEb8Gjc7FWOBSPnkRuHsexjzeQImm"
+        # initial
+        #
+        def self.ssha512(str, salt)
+          Digest::SHA512.digest(str + salt) + salt
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/root.rb ADDED Viewed

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+module ROM
+  module LDAP
+    class Directory
+      module Root
+        # Identify the LDAP server vendor, type determines vendor extension to load.
+        #
+        # @see https://ldapwiki.com/wiki/Determine%20LDAP%20Server%20Vendor
+        #
+        # @return [Symbol]
+        #
+        # @api public
+        def type
+          case root.first('vendorName')
+          when /389/        then :three_eight_nine
+          when /Apache/     then :apache_ds
+          when /Apple/      then :open_directory
+          when /ForgeRock/  then :open_dj
+          when /IBM/        then :ibm
+          when /Netscape/   then :netscape
+          when /Novell/     then :e_directory
+          when /Oracle/     then :open_ds
+          when /Sun/        then :sun_microsystems
+          when nil
+            return :active_directory if ad?
+            return :open_ldap if od?
+          else
+            :unknown
+          end
+        end
+        # @return [String]
+        #
+        # @api public
+        def vendor_name
+          root.first('vendorName')
+        end
+        # @return [String]
+        #
+        # @api public
+        def vendor_version
+          root.first('vendorVersion')
+        end
+        # @example
+        #   [ 'Apple', '510.30' ]
+        #   [ 'Apache Software Foundation', '2.0.0-M24' ]
+        #
+        # @return [Array<String>]
+        #
+        # @api public
+        def vendor
+          [vendor_name, vendor_version]
+        end
+        # Distinguished name of subschema
+        #
+        # @return [String]
+        #
+        # @api public
+        def sub_schema_entry
+          root.first('subschemaSubentry')
+        end
+        # @return [Array<String>] Object classes known by directory
+        #
+        # @api public
+        def schema_object_classes
+          sub_schema['objectClasses'].sort
+        end
+        # Query directory for all known attribute types
+        #
+        # @return [Array<String>] Attribute types known by directory
+        #
+        # @api public
+        def schema_attribute_types
+          sub_schema['attributeTypes'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_extensions
+          root['supportedExtension'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_controls
+          root['supportedControl'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_mechanisms
+          root['supportedSASLMechanisms'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_features
+          root['supportedFeatures'].sort
+        end
+        # @return [Array<Integer>]
+        #
+        # @api public
+        def supported_versions
+          root['supportedLDAPVersion'].sort.map(&:to_i)
+        end
+        # @return [String]
+        #
+        # @api public
+        def contexts
+          root['namingContexts'].sort
+        end
+        private
+        # Representation of directory RootDSE
+        #
+        # @see https://ldapwiki.com/wiki/Retrieving%20RootDSE
+        #
+        # @return [Directory::Entry]
+        #
+        # @raise [ResponseError]
+        #
+        # @api private
+        def root
+          @root ||= query(
+            base: EMPTY_STRING,
+            scope: SCOPE_BASE,
+            attributes: ALL_ATTRS
+          ).first
+          @root || raise(ResponseError, 'Directory root failed to load')
+        end
+        # Representation of directory SubSchema
+        #
+        # @return [Directory::Entry]
+        #
+        # @raise [ResponseError]
+        #
+        # @api private
+        def sub_schema
+          @sub_schema ||= query(
+            base: sub_schema_entry,
+            scope: SCOPE_BASE,
+            attributes:  %w[objectClasses attributeTypes],
+            filter: '(objectClass=subschema)',
+            max_results: 1
+          ).first
+          @sub_schema || raise(ResponseError, 'Directory schema failed to load')
+        end
+        # Check if vendor identifies as ActiveDirectory
+        #
+        # @return [Boolean]
+        #
+        # @api private
+        def ad?
+          !root['forestFunctionality'].nil?
+        end
+        # Check if vendor identifies as OpenLDAP
+        #
+        # @return [Boolean]
+        #
+        # @api private
+        def od?
+          root['objectClass']&.include?('OpenLDAProotDSE')
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/tokenization.rb ADDED Viewed

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+require 'rom/ldap/parsers/abstract_syntax'
+require 'rom/ldap/parsers/filter_syntax'
+require 'rom/ldap/parsers/attribute'
+module ROM
+  module LDAP
+    class Directory
+      # Parsing Formats
+      #
+      # @api private
+      module Tokenization
+        # Allows adapters that subclass Directory to use custom parsers.
+        # Extends the class with filter abstraction behavior.
+        #
+        # @api private
+        def self.included(klass)
+          klass.class_eval do
+            extend Dry::Core::ClassAttributes
+            defines :attribute_class
+            attribute_class Parsers::Attribute
+            defines :filter_class
+            filter_class Parsers::FilterSyntax
+            defines :ast_class
+            ast_class Parsers::AbstractSyntax
+          end
+        end
+        private
+        # Convert abstract criteria or LDAP filter into an expression object.
+        #   Check for parsed attributes to prevent recursion.
+        #
+        # @param input [Array, String] RFC2254 or AST
+        #
+        def to_expression(input)
+          attrs = !@attribute_types.nil? ? attribute_types : EMPTY_ARRAY
+          # Filter > AST
+          unless input.is_a?(Array)
+            input = self.class.filter_class.new(input, attrs).call
+          end
+          # AST > Expression
+          self.class.ast_class.new(input, attrs).call
+        end
+        # Create parsed attribute from definiton.
+        #
+        # @param attr_def [String]
+        #
+        # @return [Hash]
+        #
+        def to_attribute(attr_def)
+          self.class.attribute_class.new(attr_def).call
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/transactions.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module ROM
+  module LDAP
+    class Directory
+      # https://ldapwiki.com/wiki/Lightweight%20Directory%20Access%20Protocol%20%28LDAP%29%20Transactions
+      # https://tools.ietf.org/html/rfc5805
+      # https://ldapwiki.com/wiki/EDirectory%20LDAP%20Transaction
+      #
+      module Transactions
+        # @example
+        #   directory.transaction(opts) { yield(self) }
+        #
+        # @todo Transactions WIP
+        #
+        # @api public
+        def transaction(_opts)
+          # binding.pry
+          # OID[:transaction_start_request]
+          # OID[:transaction_spec_request]
+          # OID[:transaction_end_request]
+          yield()
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/vendors/active_directory.rb ADDED Viewed

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+module ROM
+  module LDAP
+    #
+    # Microsoft Active Directory Extension
+    #
+    # @api private
+    module ActiveDirectory
+      #
+      # @note
+      #   Use the AD Forest configuration container as a search base.
+      #
+      # @see https://msdn.microsoft.com/en-us/library/ms684291(v=vs.85).aspx
+      #
+      # RootDSE domainFunctionality
+      # RootDSE domainControllerFunctionality
+      # RootDSE forestFunctionality
+      #
+      VERSION_NAMES = {
+        0 => 'Windows Server 2000 (5.0)',
+        1 => 'Windows Server 2003 (5.2)',
+        2 => 'Windows Server 2003 R2 (5.2)',
+        3 => 'Windows Server 2008 (6.0)',
+        4 => 'Windows Server 2008 R2 (6.1)',
+        5 => 'Windows Server 2012 (6.2)',
+        6 => 'Windows Server 2012 R2 (6.3)',
+        7 => 'Windows Server 2016 (10.0)',
+        8 => 'Windows Server Latest Version (?)'
+      }.freeze
+      #
+      # RootDSE supportedLDAPPolicies
+      #
+      POLICIES = %w[
+        InitRecvTimeout
+        MaxBatchReturnMessages
+        MaxConnections
+        MaxConnIdleTime
+        MaxDatagramRecv
+        MaxNotificationPerConn
+        MaxPageSize
+        MaxPercentDirSyncRequests
+        MaxPoolThreads
+        MaxQueryDuration
+        MaxReceiveBuffer
+        MaxResultSetSize
+        MaxResultSetsPerConn
+        MaxTempTableSize
+        MaxValRange
+        MaxValRangeTransitive
+        MinResultSets
+        SystemMemoryLimitPercent
+        ThreadMemoryLimit
+      ].freeze
+      # @return [String]
+      #
+      def vendor_name
+        'Microsoft'
+      end
+      # @return [String]
+      #
+      def vendor_version
+        VERSION_NAMES[domain_functionality]
+      end
+      # @return [Integer]
+      #
+      def controller_functionality
+        root.first('domainControllerFunctionality').to_i
+      end
+      # @return [Integer]
+      #
+      def forest_functionality
+        root.first('forestFunctionality').to_i
+      end
+      # @return [Integer]
+      #
+      def domain_functionality
+        root.first('domainFunctionality').to_i
+      end
+      # LDAP server internal clock
+      #
+      # @return [Time]
+      #
+      def directory_time
+        Functions[:to_time][root.first('currentTime')]
+      end
+      # @return [Array<String>]
+      #
+      def supported_capabilities
+        root['supportedCapabilities'].sort
+      end
+    end
+    # OID = OID.dup.merge!(
+    #   extended_dn:    '1.2.840.113556.1.4.529',   # Extended DN control (Stateless)
+    #   get_stats:      '1.2.840.113556.1.4.970',   # Get stats control (Stateless)
+    #   verify_name:    '1.2.840.113556.1.4.1338',  # Verify name control (Stateless)
+    #   domain_scope:   '1.2.840.113556.1.4.1339',  # LDAP_SERVER_DOMAIN_SCOPE_OID
+    #   unknown:        '1.2.840.113556.1.4.1340',
+    #   # unknown:        '1.2.840.113556.1.4.1341',
+    #   # unknown:        '1.2.840.113556.1.4.1413',
+    #   # unknown:        '1.2.840.113556.1.4.1504',
+    #   # unknown:        '1.2.840.113556.1.4.1852',
+    #   # unknown:        '1.2.840.113556.1.4.1907',
+    #   # unknown:        '1.2.840.113556.1.4.1948',
+    #   # unknown:        '1.2.840.113556.1.4.1974',
+    #   # unknown:        '1.2.840.113556.1.4.2026',
+    #   # unknown:        '1.2.840.113556.1.4.2064',
+    #   # unknown:        '1.2.840.113556.1.4.2065',
+    #   # unknown:        '1.2.840.113556.1.4.2066',
+    #   # unknown:        '1.2.840.113556.1.4.2090',
+    #   # unknown:        '1.2.840.113556.1.4.2204',
+    #   # unknown:        '1.2.840.113556.1.4.2205',
+    #   # unknown:        '1.2.840.113556.1.4.2206',
+    #   # unknown:        '1.2.840.113556.1.4.2211',
+    #   # unknown:        '1.2.840.113556.1.4.2239',
+    #   # unknown:        '1.2.840.113556.1.4.2255',
+    #   # unknown:        '1.2.840.113556.1.4.2256'
+    # ).freeze
+  end
+end