RubyGems - rom-ldap - Versions diffs - 0.2.2 - Mend

rom-ldap 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (104) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +251 -0
data/CONTRIBUTING.md +18 -0
data/README.md +172 -0
data/TODO.md +33 -0
data/config/responses.yml +328 -0
data/lib/dry/monitor/ldap/colorizers/default.rb +17 -0
data/lib/dry/monitor/ldap/colorizers/rouge.rb +31 -0
data/lib/dry/monitor/ldap/logger.rb +58 -0
data/lib/rom-ldap.rb +1 -0
data/lib/rom/ldap.rb +22 -0
data/lib/rom/ldap/alias.rb +30 -0
data/lib/rom/ldap/associations.rb +6 -0
data/lib/rom/ldap/associations/core.rb +23 -0
data/lib/rom/ldap/associations/many_to_many.rb +18 -0
data/lib/rom/ldap/associations/many_to_one.rb +22 -0
data/lib/rom/ldap/associations/one_to_many.rb +32 -0
data/lib/rom/ldap/associations/one_to_one.rb +19 -0
data/lib/rom/ldap/associations/self_ref.rb +35 -0
data/lib/rom/ldap/attribute.rb +327 -0
data/lib/rom/ldap/client.rb +185 -0
data/lib/rom/ldap/client/authentication.rb +118 -0
data/lib/rom/ldap/client/operations.rb +233 -0
data/lib/rom/ldap/commands.rb +6 -0
data/lib/rom/ldap/commands/create.rb +41 -0
data/lib/rom/ldap/commands/delete.rb +17 -0
data/lib/rom/ldap/commands/update.rb +35 -0
data/lib/rom/ldap/constants.rb +193 -0
data/lib/rom/ldap/dataset.rb +286 -0
data/lib/rom/ldap/dataset/conversion.rb +62 -0
data/lib/rom/ldap/dataset/dsl.rb +299 -0
data/lib/rom/ldap/dataset/persistence.rb +44 -0
data/lib/rom/ldap/directory.rb +126 -0
data/lib/rom/ldap/directory/capabilities.rb +71 -0
data/lib/rom/ldap/directory/entry.rb +200 -0
data/lib/rom/ldap/directory/env.rb +155 -0
data/lib/rom/ldap/directory/operations.rb +282 -0
data/lib/rom/ldap/directory/password.rb +122 -0
data/lib/rom/ldap/directory/root.rb +187 -0
data/lib/rom/ldap/directory/tokenization.rb +66 -0
data/lib/rom/ldap/directory/transactions.rb +31 -0
data/lib/rom/ldap/directory/vendors/active_directory.rb +129 -0
data/lib/rom/ldap/directory/vendors/apache_ds.rb +27 -0
data/lib/rom/ldap/directory/vendors/e_directory.rb +16 -0
data/lib/rom/ldap/directory/vendors/open_directory.rb +12 -0
data/lib/rom/ldap/directory/vendors/open_dj.rb +25 -0
data/lib/rom/ldap/directory/vendors/open_ldap.rb +35 -0
data/lib/rom/ldap/directory/vendors/three_eight_nine.rb +16 -0
data/lib/rom/ldap/directory/vendors/unknown.rb +22 -0
data/lib/rom/ldap/dsl.rb +76 -0
data/lib/rom/ldap/errors.rb +47 -0
data/lib/rom/ldap/expression.rb +77 -0
data/lib/rom/ldap/expression_encoder.rb +174 -0
data/lib/rom/ldap/extensions.rb +50 -0
data/lib/rom/ldap/extensions/active_support_notifications.rb +26 -0
data/lib/rom/ldap/extensions/compatibility.rb +11 -0
data/lib/rom/ldap/extensions/dsml.rb +165 -0
data/lib/rom/ldap/extensions/msgpack.rb +23 -0
data/lib/rom/ldap/extensions/optimised_json.rb +25 -0
data/lib/rom/ldap/extensions/rails_log_subscriber.rb +38 -0
data/lib/rom/ldap/formatter.rb +26 -0
data/lib/rom/ldap/functions.rb +207 -0
data/lib/rom/ldap/gateway.rb +145 -0
data/lib/rom/ldap/ldif.rb +74 -0
data/lib/rom/ldap/ldif/exporter.rb +77 -0
data/lib/rom/ldap/ldif/importer.rb +95 -0
data/lib/rom/ldap/mapper_compiler.rb +19 -0
data/lib/rom/ldap/matchers.rb +69 -0
data/lib/rom/ldap/message_queue.rb +7 -0
data/lib/rom/ldap/oid.rb +101 -0
data/lib/rom/ldap/parsers/abstract_syntax.rb +91 -0
data/lib/rom/ldap/parsers/attribute.rb +290 -0
data/lib/rom/ldap/parsers/filter_syntax.rb +133 -0
data/lib/rom/ldap/pdu.rb +285 -0
data/lib/rom/ldap/plugin/pagination.rb +145 -0
data/lib/rom/ldap/plugins.rb +7 -0
data/lib/rom/ldap/projection_dsl.rb +38 -0
data/lib/rom/ldap/relation.rb +135 -0
data/lib/rom/ldap/relation/exporting.rb +72 -0
data/lib/rom/ldap/relation/reading.rb +461 -0
data/lib/rom/ldap/relation/writing.rb +64 -0
data/lib/rom/ldap/responses.rb +17 -0
data/lib/rom/ldap/restriction_dsl.rb +45 -0
data/lib/rom/ldap/schema.rb +123 -0
data/lib/rom/ldap/schema/attributes_inferrer.rb +59 -0
data/lib/rom/ldap/schema/dsl.rb +13 -0
data/lib/rom/ldap/schema/inferrer.rb +50 -0
data/lib/rom/ldap/schema/type_builder.rb +133 -0
data/lib/rom/ldap/scope.rb +19 -0
data/lib/rom/ldap/search_request.rb +249 -0
data/lib/rom/ldap/socket.rb +210 -0
data/lib/rom/ldap/tasks/ldap.rake +103 -0
data/lib/rom/ldap/tasks/ldif.rake +80 -0
data/lib/rom/ldap/transaction.rb +29 -0
data/lib/rom/ldap/type_map.rb +88 -0
data/lib/rom/ldap/types.rb +158 -0
data/lib/rom/ldap/version.rb +17 -0
data/lib/rom/plugins/relation/ldap/active_directory.rb +182 -0
data/lib/rom/plugins/relation/ldap/auto_restrictions.rb +69 -0
data/lib/rom/plugins/relation/ldap/e_directory.rb +27 -0
data/lib/rom/plugins/relation/ldap/instrumentation.rb +35 -0
data/lib/rouge/lexers/ldap.rb +72 -0
data/lib/rouge/themes/ldap.rb +49 -0
metadata +231 -0

data/lib/rom/ldap/directory/password.rb ADDED Viewed

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+require 'digest/sha1'
+require 'digest/sha2'
+require 'digest/md5'
+require 'base64'
+require 'securerandom'
+# sha2-512 512bit or 64bytes
+# sha 160bits or 20bytes
+#
+module ROM
+  module LDAP
+    class Directory
+      # @abstract
+      #   Encode and validate passwords using md5, sha or ssha.
+      #
+      # @api public
+      class Password
+        # Generate an ecrypted password.
+        #
+        # @example
+        #   Password.generate(:ssha, 'secret magic word')
+        #
+        # @param type     [Symbol] Encryption type. [:md5, :sha, :ssha].
+        # @param password [String] Plain text password to be encrypted.
+        #
+        # @return [String]
+        #
+        # @raise [PasswordError]
+        #
+        # @api public
+        def self.generate(type, password, salt = secure_salt)
+          raise PasswordError, 'No password supplied' if password.nil?
+          case type
+          when :md5    then _encode(type, md5(password))
+          when :sha    then _encode(type, sha(password))
+          when :ssha   then _encode(type, ssha(password, salt))
+          when :ssha512 then _encode(type, ssha512(password, salt))
+          else
+            raise PasswordError, "Unsupported encryption type (#{type})"
+          end
+        end
+        def self.check_ssha512(password, encrypted)
+          decoded = Base64.decode64(encrypted.gsub(/^{SSHA512}/, EMPTY_STRING))
+          # hash = decoded[0..64]
+          salt = decoded[64..-1]
+          _encode(:ssha512, ssha512(password, salt)) == encrypted
+        end
+        # Validate plain password against encrypted SSHA password.
+        #
+        # @return [Boolean]
+        #
+        # @api public
+        def self.check_ssha(password, encrypted)
+          decoded = Base64.decode64(encrypted.gsub(/^{SSHA}/, EMPTY_STRING))
+          # hash = decoded[0..20]
+          salt = decoded[20..-1]
+          _encode(:ssha, ssha(password, salt)) == encrypted
+        end
+        private_class_method
+        # @return [String] Prepend type to encrypted string.
+        #
+        # @api private
+        def self._encode(type, encrypted)
+          "{#{type.upcase}}" + Base64.strict_encode64(encrypted).chomp
+        end
+        # Generate salt.
+        #
+        # @api private
+        def self.secure_salt
+          SecureRandom.random_bytes(16)
+        end
+        # @param str [String]
+        #
+        # @return [String] MD5 digest.
+        #
+        # @api private
+        def self.md5(str)
+          Digest::MD5.digest(str)
+        end
+        # @param str  [String]
+        # @param salt [String]
+        #
+        # @return [String] SHA1 digest with salt.
+        #
+        # @api private
+        def self.ssha(str, salt)
+          Digest::SHA1.digest(str + salt) + salt
+        end
+        # @param str [String]
+        #
+        # @return [String] SHA1 digest without salt.
+        #
+        # @api private
+        def self.sha(str)
+          Digest::SHA1.digest(str)
+        end
+        # "{SSHA512}A1lCCGYzUEJ5/qQCrFUAztLVaTaWv959RnpzaOsWB9Ij4CBCeNh6i4XrZzrvwUMM/AWbEb8Gjc7FWOBSPnkRuHsexjzeQImm"
+        # initial
+        #
+        def self.ssha512(str, salt)
+          Digest::SHA512.digest(str + salt) + salt
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/root.rb ADDED Viewed

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+module ROM
+  module LDAP
+    class Directory
+      module Root
+        # Identify the LDAP server vendor, type determines vendor extension to load.
+        #
+        # @see https://ldapwiki.com/wiki/Determine%20LDAP%20Server%20Vendor
+        #
+        # @return [Symbol]
+        #
+        # @api public
+        def type
+          case root.first('vendorName')
+          when /389/        then :three_eight_nine
+          when /Apache/     then :apache_ds
+          when /Apple/      then :open_directory
+          when /ForgeRock/  then :open_dj
+          when /IBM/        then :ibm
+          when /Netscape/   then :netscape
+          when /Novell/     then :e_directory
+          when /Oracle/     then :open_ds
+          when /Sun/        then :sun_microsystems
+          when nil
+            return :active_directory if ad?
+            return :open_ldap if od?
+          else
+            :unknown
+          end
+        end
+        # @return [String]
+        #
+        # @api public
+        def vendor_name
+          root.first('vendorName')
+        end
+        # @return [String]
+        #
+        # @api public
+        def vendor_version
+          root.first('vendorVersion')
+        end
+        # @example
+        #   [ 'Apple', '510.30' ]
+        #   [ 'Apache Software Foundation', '2.0.0-M24' ]
+        #
+        # @return [Array<String>]
+        #
+        # @api public
+        def vendor
+          [vendor_name, vendor_version]
+        end
+        # Distinguished name of subschema
+        #
+        # @return [String]
+        #
+        # @api public
+        def sub_schema_entry
+          root.first('subschemaSubentry')
+        end
+        # @return [Array<String>] Object classes known by directory
+        #
+        # @api public
+        def schema_object_classes
+          sub_schema['objectClasses'].sort
+        end
+        # Query directory for all known attribute types
+        #
+        # @return [Array<String>] Attribute types known by directory
+        #
+        # @api public
+        def schema_attribute_types
+          sub_schema['attributeTypes'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_extensions
+          root['supportedExtension'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_controls
+          root['supportedControl'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_mechanisms
+          root['supportedSASLMechanisms'].sort
+        end
+        # @return [Array<String>]
+        #
+        # @api public
+        def supported_features
+          root['supportedFeatures'].sort
+        end
+        # @return [Array<Integer>]
+        #
+        # @api public
+        def supported_versions
+          root['supportedLDAPVersion'].sort.map(&:to_i)
+        end
+        # @return [String]
+        #
+        # @api public
+        def contexts
+          root['namingContexts'].sort
+        end
+        private
+        # Representation of directory RootDSE
+        #
+        # @see https://ldapwiki.com/wiki/Retrieving%20RootDSE
+        #
+        # @return [Directory::Entry]
+        #
+        # @raise [ResponseError]
+        #
+        # @api private
+        def root
+          @root ||= query(
+            base: EMPTY_STRING,
+            scope: SCOPE_BASE,
+            attributes: ALL_ATTRS
+          ).first
+          @root || raise(ResponseError, 'Directory root failed to load')
+        end
+        # Representation of directory SubSchema
+        #
+        # @return [Directory::Entry]
+        #
+        # @raise [ResponseError]
+        #
+        # @api private
+        def sub_schema
+          @sub_schema ||= query(
+            base: sub_schema_entry,
+            scope: SCOPE_BASE,
+            attributes:  %w[objectClasses attributeTypes],
+            filter: '(objectClass=subschema)',
+            max_results: 1
+          ).first
+          @sub_schema || raise(ResponseError, 'Directory schema failed to load')
+        end
+        # Check if vendor identifies as ActiveDirectory
+        #
+        # @return [Boolean]
+        #
+        # @api private
+        def ad?
+          !root['forestFunctionality'].nil?
+        end
+        # Check if vendor identifies as OpenLDAP
+        #
+        # @return [Boolean]
+        #
+        # @api private
+        def od?
+          root['objectClass']&.include?('OpenLDAProotDSE')
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/tokenization.rb ADDED Viewed

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+require 'rom/ldap/parsers/abstract_syntax'
+require 'rom/ldap/parsers/filter_syntax'
+require 'rom/ldap/parsers/attribute'
+module ROM
+  module LDAP
+    class Directory
+      # Parsing Formats
+      #
+      # @api private
+      module Tokenization
+        # Allows adapters that subclass Directory to use custom parsers.
+        # Extends the class with filter abstraction behavior.
+        #
+        # @api private
+        def self.included(klass)
+          klass.class_eval do
+            extend Dry::Core::ClassAttributes
+            defines :attribute_class
+            attribute_class Parsers::Attribute
+            defines :filter_class
+            filter_class Parsers::FilterSyntax
+            defines :ast_class
+            ast_class Parsers::AbstractSyntax
+          end
+        end
+        private
+        # Convert abstract criteria or LDAP filter into an expression object.
+        #   Check for parsed attributes to prevent recursion.
+        #
+        # @param input [Array, String] RFC2254 or AST
+        #
+        def to_expression(input)
+          attrs = !@attribute_types.nil? ? attribute_types : EMPTY_ARRAY
+          # Filter > AST
+          unless input.is_a?(Array)
+            input = self.class.filter_class.new(input, attrs).call
+          end
+          # AST > Expression
+          self.class.ast_class.new(input, attrs).call
+        end
+        # Create parsed attribute from definiton.
+        #
+        # @param attr_def [String]
+        #
+        # @return [Hash]
+        #
+        def to_attribute(attr_def)
+          self.class.attribute_class.new(attr_def).call
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/transactions.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module ROM
+  module LDAP
+    class Directory
+      # https://ldapwiki.com/wiki/Lightweight%20Directory%20Access%20Protocol%20%28LDAP%29%20Transactions
+      # https://tools.ietf.org/html/rfc5805
+      # https://ldapwiki.com/wiki/EDirectory%20LDAP%20Transaction
+      #
+      module Transactions
+        # @example
+        #   directory.transaction(opts) { yield(self) }
+        #
+        # @todo Transactions WIP
+        #
+        # @api public
+        def transaction(_opts)
+          # binding.pry
+          # OID[:transaction_start_request]
+          # OID[:transaction_spec_request]
+          # OID[:transaction_end_request]
+          yield()
+        end
+      end
+    end
+  end
+end

data/lib/rom/ldap/directory/vendors/active_directory.rb ADDED Viewed

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+module ROM
+  module LDAP
+    #
+    # Microsoft Active Directory Extension
+    #
+    # @api private
+    module ActiveDirectory
+      #
+      # @note
+      #   Use the AD Forest configuration container as a search base.
+      #
+      # @see https://msdn.microsoft.com/en-us/library/ms684291(v=vs.85).aspx
+      #
+      # RootDSE domainFunctionality
+      # RootDSE domainControllerFunctionality
+      # RootDSE forestFunctionality
+      #
+      VERSION_NAMES = {
+        0 => 'Windows Server 2000 (5.0)',
+        1 => 'Windows Server 2003 (5.2)',
+        2 => 'Windows Server 2003 R2 (5.2)',
+        3 => 'Windows Server 2008 (6.0)',
+        4 => 'Windows Server 2008 R2 (6.1)',
+        5 => 'Windows Server 2012 (6.2)',
+        6 => 'Windows Server 2012 R2 (6.3)',
+        7 => 'Windows Server 2016 (10.0)',
+        8 => 'Windows Server Latest Version (?)'
+      }.freeze
+      #
+      # RootDSE supportedLDAPPolicies
+      #
+      POLICIES = %w[
+        InitRecvTimeout
+        MaxBatchReturnMessages
+        MaxConnections
+        MaxConnIdleTime
+        MaxDatagramRecv
+        MaxNotificationPerConn
+        MaxPageSize
+        MaxPercentDirSyncRequests
+        MaxPoolThreads
+        MaxQueryDuration
+        MaxReceiveBuffer
+        MaxResultSetSize
+        MaxResultSetsPerConn
+        MaxTempTableSize
+        MaxValRange
+        MaxValRangeTransitive
+        MinResultSets
+        SystemMemoryLimitPercent
+        ThreadMemoryLimit
+      ].freeze
+      # @return [String]
+      #
+      def vendor_name
+        'Microsoft'
+      end
+      # @return [String]
+      #
+      def vendor_version
+        VERSION_NAMES[domain_functionality]
+      end
+      # @return [Integer]
+      #
+      def controller_functionality
+        root.first('domainControllerFunctionality').to_i
+      end
+      # @return [Integer]
+      #
+      def forest_functionality
+        root.first('forestFunctionality').to_i
+      end
+      # @return [Integer]
+      #
+      def domain_functionality
+        root.first('domainFunctionality').to_i
+      end
+      # LDAP server internal clock
+      #
+      # @return [Time]
+      #
+      def directory_time
+        Functions[:to_time][root.first('currentTime')]
+      end
+      # @return [Array<String>]
+      #
+      def supported_capabilities
+        root['supportedCapabilities'].sort
+      end
+    end
+    # OID = OID.dup.merge!(
+    #   extended_dn:    '1.2.840.113556.1.4.529',   # Extended DN control (Stateless)
+    #   get_stats:      '1.2.840.113556.1.4.970',   # Get stats control (Stateless)
+    #   verify_name:    '1.2.840.113556.1.4.1338',  # Verify name control (Stateless)
+    #   domain_scope:   '1.2.840.113556.1.4.1339',  # LDAP_SERVER_DOMAIN_SCOPE_OID
+    #   unknown:        '1.2.840.113556.1.4.1340',
+    #   # unknown:        '1.2.840.113556.1.4.1341',
+    #   # unknown:        '1.2.840.113556.1.4.1413',
+    #   # unknown:        '1.2.840.113556.1.4.1504',
+    #   # unknown:        '1.2.840.113556.1.4.1852',
+    #   # unknown:        '1.2.840.113556.1.4.1907',
+    #   # unknown:        '1.2.840.113556.1.4.1948',
+    #   # unknown:        '1.2.840.113556.1.4.1974',
+    #   # unknown:        '1.2.840.113556.1.4.2026',
+    #   # unknown:        '1.2.840.113556.1.4.2064',
+    #   # unknown:        '1.2.840.113556.1.4.2065',
+    #   # unknown:        '1.2.840.113556.1.4.2066',
+    #   # unknown:        '1.2.840.113556.1.4.2090',
+    #   # unknown:        '1.2.840.113556.1.4.2204',
+    #   # unknown:        '1.2.840.113556.1.4.2205',
+    #   # unknown:        '1.2.840.113556.1.4.2206',
+    #   # unknown:        '1.2.840.113556.1.4.2211',
+    #   # unknown:        '1.2.840.113556.1.4.2239',
+    #   # unknown:        '1.2.840.113556.1.4.2255',
+    #   # unknown:        '1.2.840.113556.1.4.2256'
+    # ).freeze
+  end
+end