ruby-activeldap 0.7.4 → 0.8.0

data/lib/active_ldap/user_password.rb

@@ -0,0 +1,92 @@
+require 'English'
+require 'base64'
+require 'md5'
+require 'sha1'
+
+module ActiveLdap
+  module UserPassword
+    module_function
+    def valid?(password, hashed_password)
+      unless /^\{([A-Z][A-Z\d]+)\}/ =~ hashed_password
+        raise ArgumentError, "Invalid hashed password"
+      end
+      type = $1
+      hashed_password_without_type = $POSTMATCH
+      normalized_type = type.downcase
+      unless respond_to?(normalized_type)
+        raise ArgumentError, "Unknown Hash type #{type}"
+      end
+      salt_extractor = "extract_salt_for_#{normalized_type}"
+      if respond_to?(salt_extractor)
+        salt = send(salt_extractor, hashed_password_without_type)
+        if salt.nil?
+          raise ArgumentError, "Can't extract salt from hashed password"
+        end
+        generated_password = send(normalized_type, password, salt)
+      else
+        generated_password = send(normalized_type, password)
+      end
+      hashed_password == generated_password
+    end
+
+    def crypt(password, salt=nil)
+      salt ||= "$1$#{Salt.generate(8)}"
+      "{CRYPT}#{password.crypt(salt)}"
+    end
+
+    def extract_salt_for_crypt(crypted_password)
+      if /^\$1\$/ =~ crypted_password
+        $MATCH + $POSTMATCH[0, 8].sub(/\$.*/, '') + "$"
+      else
+        crypted_password[0, 2]
+      end
+    end
+
+    def md5(password)
+      "{MD5}#{Base64.encode64(MD5.md5(password).digest).chomp}"
+    end
+
+    def smd5(password, salt=nil)
+      if salt and salt.size != 4
+        raise ArgumentError.new("salt size must be == 4")
+      end
+      salt ||= Salt.generate(4)
+      md5_hash_with_salt = "#{MD5.md5(password + salt).digest}#{salt}"
+      "{SMD5}#{Base64.encode64(md5_hash_with_salt).chomp}"
+    end
+
+    def extract_salt_for_smd5(smd5ed_password)
+      Base64.decode64(smd5ed_password)[-4, 4]
+    end
+
+    def sha(password)
+      "{SHA}#{Base64.encode64(SHA1.sha1(password).digest).chomp}"
+    end
+
+    def ssha(password, salt=nil)
+      if salt and salt.size != 4
+        raise ArgumentError.new("salt size must be == 4")
+      end
+      salt ||= Salt.generate(4)
+      sha1_hash_with_salt = "#{SHA1.sha1(password + salt).digest}#{salt}"
+      "{SSHA}#{Base64.encode64(sha1_hash_with_salt).chomp}"
+    end
+
+    def extract_salt_for_ssha(sshaed_password)
+      extract_salt_for_smd5(sshaed_password)
+    end
+
+    module Salt
+      CHARS = ['.', '/', '0'..'9', 'A'..'Z', 'a'..'z'].collect do |x|
+        x.to_a
+      end.flatten
+
+      module_function
+      def generate(length)
+        salt = ""
+        length.times {salt << CHARS[rand(CHARS.length)]}
+        salt
+      end
+    end
+  end
+end

data/lib/active_ldap/validations.rb

@@ -0,0 +1,78 @@
+require 'active_record/validations'
+
+module ActiveLdap
+  module Validations
+    def self.append_features(base)
+      super
+
+      base.class_eval do
+        alias_method :new_record?, :new_entry?
+        include ActiveRecord::Validations
+
+        validate :validate_required_values
+
+        class << self
+          alias_method :evaluate_condition_for_active_record,
+                       :evaluate_condition
+          def evaluate_condition(condition, entry)
+            evaluate_condition_for_active_record(condition, entry)
+          rescue ActiveRecord::ActiveRecordError
+            raise Error, $!.message
+          end
+        end
+
+        alias_method :save_with_validation_for_active_record!,
+                     :save_with_validation!
+        def save_with_validation!
+          save_with_validation_for_active_record!
+        rescue ActiveRecord::RecordInvalid
+          raise EntryInvalid, $!.message
+        end
+        alias_method :save!, :save_with_validation!
+
+        def valid?
+          ensure_apply_object_class
+          super
+        end
+
+        # validate_required_values
+        #
+        # Basic validation:
+        # - Verify that every 'MUST' specified in the schema has a value defined
+        def validate_required_values
+          logger.debug {"stub: validate_required_values called"}
+
+          # Make sure all MUST attributes have a value
+          @musts.each do |object_class, attributes|
+            attributes.each do |required_attribute|
+              # Normalize to ensure we catch schema problems
+              real_name = to_real_attribute_name(required_attribute)
+              # # Set default if it wasn't yet set.
+              # @data[real_name] ||= [] # need?
+              value = @data[real_name] || []
+              # Check for missing requirements.
+              if value.empty?
+                aliases = schema.attribute_aliases(real_name) - [real_name]
+                message = "is required attribute "
+                unless aliases.empty?
+                  message << "(aliases: #{aliases.join(', ')}) "
+                end
+                message << "by objectClass '#{object_class}'"
+                errors.add(real_name, message)
+              end
+            end
+          end
+          logger.debug {"stub: validate_required_values finished"}
+        end
+
+        private
+        alias_method :run_validations_for_active_record, :run_validations
+        def run_validations(validation_method)
+          run_validations_for_active_record(validation_method)
+        rescue ActiveRecord::ActiveRecordError
+          raise Error, $!.message
+        end
+      end
+    end
+  end
+end

data/rails/plugin/active_ldap/README

@@ -0,0 +1,54 @@
+= ActiveLdap plugin for Ruby on Rails
+
+== Setup
+
+You need to write RAILS_ROOT/config/ldap.yml like the following:
+
+  development:
+    host: 127.0.0.1
+    port: 389
+    base: dc=devel,dc=local,dc=net
+    bind_dn: cn=admin,dc=local,dc=net
+    password: secret
+
+  test:
+    host: 127.0.0.1
+    port: 389
+    base: dc=test,dc=local,dc=net
+    bind_dn: cn=admin,dc=local,dc=net
+    password: secret
+
+  production:
+    host: 127.0.0.1
+    port: 389
+    base: dc=production,dc=local,dc=net
+    bind_dn: cn=admin,dc=local,dc=net
+    password: secret
+
+== Model
+
+Here is some examples.
+
+app/model/member.rb:
+  class Member < ActiveLdap::Base
+    ldap_mapping :dn_attribute => 'uid',
+                  :classes => ['person', 'posixAccount']
+    belongs_to :primary_group, :class => "Group",
+               :foreign_key => "gidNumber", :primary_key => "gidNumber"
+    belongs_to :groups, :many => 'memberUid'
+  end
+
+app/model/group.rb:
+  class Group < ActiveLdap::Base
+    ldap_mapping :dn_attribute => "cn", :classes => ['posixGroup']
+    has_many :members, :wrap => "memberUid"
+    has_many :primary_members,
+             :foreign_key => 'gidNumber',
+             :primary_key => 'gidNumber'
+  end
+
+app/model/ou.rb:
+  class Ou < ActiveLdap::Base
+    ldap_mapping :prefix => "",
+                 :classes => ["top", "organizationalUnit"]
+  end

data/rails/plugin/active_ldap/init.rb

@@ -0,0 +1,6 @@
+require_dependency 'active_ldap'
+ActiveLdap::Base.logger ||= RAILS_DEFAULT_LOGGER
+ldap_configuration_file = File.join(RAILS_ROOT, 'config', 'ldap.yml')
+configurations = YAML::load(ERB.new(IO.read(ldap_configuration_file)).result)
+ActiveLdap::Base.configurations = configurations
+ActiveLdap::Base.establish_connection

data/test/TODO

@@ -0,0 +1,2 @@
+
+- Perform explicit testing of Schema2, ActiveLdap::Base, etc

data/test/al-test-utils.rb

@@ -0,0 +1,337 @@
+require 'test/unit'
+require 'test-unit-ext'
+
+require 'erb'
+require 'yaml'
+require 'socket'
+require 'openssl'
+require 'rbconfig'
+
+require 'active_ldap'
+
+require File.join(File.expand_path(File.dirname(__FILE__)), "command")
+
+LDAP_ENV = "test" unless defined?(LDAP_ENV)
+
+module AlTestUtils
+  def self.included(base)
+    base.class_eval do
+      include Config
+      include Connection
+      include Populate
+      include TemporaryEntry
+      include CommandSupport
+    end
+  end
+
+  module Config
+    def setup
+      super
+      @base_dir = File.expand_path(File.dirname(__FILE__))
+      @top_dir = File.expand_path(File.join(@base_dir, ".."))
+      @example_dir = File.join(@top_dir, "examples")
+      @config_file = File.join(File.dirname(__FILE__), "config.yaml")
+      ActiveLdap::Base.configurations = read_config
+    end
+
+    def teardown
+      super
+    end
+
+    def current_configuration
+      ActiveLdap::Base.configurations[LDAP_ENV]
+    end
+
+    def read_config
+      unless File.exist?(@config_file)
+        raise "config file for testing doesn't exist: #{@config_file}"
+      end
+      YAML.load(ERB.new(File.read(@config_file)).result)
+    end
+  end
+
+  module Connection
+    def setup
+      super
+      ActiveLdap::Base.establish_connection
+    end
+
+    def teardown
+      ActiveLdap::Base.clear_active_connections!
+      super
+    end
+  end
+
+  module Populate
+    def setup
+      @dumped_data = nil
+      super
+      begin
+        @dumped_data = ActiveLdap::Base.dump(:scope => :sub)
+      rescue ActiveLdap::ConnectionError
+      end
+      ActiveLdap::Base.delete_all(nil, :scope => :sub)
+      populate
+    end
+
+    def teardown
+      if @dumped_data
+        ActiveLdap::Base.establish_connection
+        ActiveLdap::Base.delete_all(nil, :scope => :sub)
+        ActiveLdap::Base.load(@dumped_data)
+      end
+      super
+    end
+
+    def populate
+      populate_base
+      populate_ou
+      populate_user_class
+      populate_group_class
+      populate_associations
+    end
+
+    def populate_base
+      unless ActiveLdap::Base.search(:scope => :base).empty?
+        return
+      end
+
+      suffixes = []
+      ActiveLdap::Base.base.split(/,/).reverse_each do |suffix|
+        prefix = suffixes.join(",")
+        suffixes.unshift(suffix)
+        name, value = suffix.split(/=/, 2)
+        next unless name == "dc"
+        dc_class = Class.new(ActiveLdap::Base)
+        dc_class.ldap_mapping :dn_attribute => "dc",
+                              :prefix => "",
+                              :scope => :base,
+                              :classes => ["top", "dcObject", "organization"]
+        dc_class.base = prefix
+        next if dc_class.exists?(value, :prefix => "dc=#{value}")
+        dc = dc_class.new(value)
+        dc.o = dc.dc
+        dc.save
+      end
+    end
+
+    def ou_class(prefix="")
+      ou_class = Class.new(ActiveLdap::Base)
+      ou_class.ldap_mapping :dn_attribute => "ou",
+                            :prefix => prefix,
+                            :classes => ["top", "organizationalUnit"]
+      ou_class
+    end
+
+    def populate_ou
+      %w(Users Groups).each do |name|
+        make_ou(name)
+      end
+    end
+
+    def make_ou(name)
+      ou_class.new(name).save
+    end
+
+    def populate_user_class
+      @user_class = Class.new(ActiveLdap::Base)
+      @user_class.ldap_mapping :dn_attribute => "uid",
+                               :prefix => "ou=Users",
+                               :scope => :sub,
+                               :classes => ["posixAccount", "person"]
+    end
+
+    def populate_group_class
+      @group_class = Class.new(ActiveLdap::Base)
+      @group_class.ldap_mapping :prefix => "ou=Groups",
+                                :scope => :sub,
+                                :classes => ["posixGroup"]
+    end
+
+    def populate_associations
+      @user_class.belongs_to :groups, :many => "memberUid"
+      @user_class.belongs_to :primary_group,
+                             :foreign_key => "gidNumber",
+                             :primary_key => "gidNumber"
+      @group_class.has_many :members, :wrap => "memberUid"
+      @group_class.has_many :primary_members,
+                            :foreign_key => "gidNumber",
+                            :primary_key => "gidNumber"
+      @user_class.set_associated_class(:groups, @group_class)
+      @user_class.set_associated_class(:primary_group, @group_class)
+      @group_class.set_associated_class(:members, @user_class)
+      @group_class.set_associated_class(:primary_members, @user_class)
+    end
+  end
+
+  module TemporaryEntry
+    @@certificate = nil
+    def setup
+      super
+      @user_index = 0
+      @group_index = 0
+    end
+
+    def make_temporary_user(config={})
+      @user_index += 1
+      uid = config[:uid] || "temp-user#{@user_index}"
+      ensure_delete_user(uid) do
+        password = config[:password] || "password"
+        uid_number = config[:uid_number] || default_uid
+        gid_number = config[:gid_number] || default_gid
+        home_directory = config[:home_directory] || "/nonexistent"
+        _wrap_assertion do
+          assert(!@user_class.exists?(uid))
+          assert_raise(ActiveLdap::EntryNotFound) do
+            @user_class.find(uid).dn
+          end
+          user = @user_class.new(uid)
+          assert(user.new_entry?)
+          user.cn = user.uid
+          user.sn = user.uid
+          user.uid_number = uid_number
+          user.gid_number = gid_number
+          user.home_directory = home_directory
+          user.user_password = ActiveLdap::UserPassword.ssha(password)
+          unless config[:simple]
+            user.add_class('shadowAccount', 'inetOrgPerson',
+                           'organizationalPerson')
+            user.user_certificate = certificate
+            user.jpeg_photo = jpeg_photo
+          end
+          user.save
+          assert(!user.new_entry?)
+          yield(@user_class.find(user.uid), password)
+        end
+      end
+    end
+
+    def make_temporary_group(config={})
+      @group_index += 1
+      cn = config[:cn] || "temp-group#{@group_index}"
+      ensure_delete_group(cn) do
+        gid_number = config[:gid_number] || default_gid
+        _wrap_assertion do
+          assert(!@group_class.exists?(cn))
+          assert_raise(ActiveLdap::EntryNotFound) do
+            @group_class.find(cn)
+          end
+          group = @group_class.new(cn)
+          assert(group.new_entry?)
+          group.gid_number = gid_number
+          assert(group.save)
+          assert(!group.new_entry?)
+          yield(@group_class.find(group.cn))
+        end
+      end
+    end
+
+    def ensure_delete_user(uid)
+      yield(uid)
+    ensure
+      @user_class.delete(uid) if @user_class.exists?(uid)
+    end
+
+    def ensure_delete_group(cn)
+      yield(cn)
+    ensure
+      @group_class.delete(cn) if @group_class.exists?(cn)
+    end
+
+    def default_uid
+      "10000#{@user_index}"
+    end
+
+    def default_gid
+      "10000#{@group_index}"
+    end
+
+    def certificate_path
+      File.join(@example_dir, 'example.der')
+    end
+
+    def certificate
+      return @@certificate if @@certificate
+      if File.exists?(certificate_path)
+        @@certificate = File.read(certificate_path)
+        return @@certificate
+      end
+
+      rsa = OpenSSL::PKey::RSA.new(512)
+      comment = "Generated by Ruby/OpenSSL"
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.version = 3
+      cert.serial = 0
+      subject = [["OU", "test"],
+                 ["CN", Socket.gethostname]]
+      name = OpenSSL::X509::Name.new(subject)
+      cert.subject = name
+      cert.issuer = name
+      cert.not_before = Time.now
+      cert.not_after = Time.now + (365*24*60*60)
+      cert.public_key = rsa.public_key
+
+      ef = OpenSSL::X509::ExtensionFactory.new(nil, cert)
+      ef.issuer_certificate = cert
+      cert.extensions = [
+        ef.create_extension("basicConstraints","CA:FALSE"),
+        ef.create_extension("keyUsage", "keyEncipherment"),
+        ef.create_extension("subjectKeyIdentifier", "hash"),
+        ef.create_extension("extendedKeyUsage", "serverAuth"),
+        ef.create_extension("nsComment", comment),
+      ]
+      aki = ef.create_extension("authorityKeyIdentifier",
+                                "keyid:always,issuer:always")
+      cert.add_extension(aki)
+      cert.sign(rsa, OpenSSL::Digest::SHA1.new)
+
+      @@certificate = cert.to_der
+      @@certificate
+    end
+
+    def jpeg_photo_path
+      File.join(@example_dir, 'example.jpg')
+    end
+
+    def jpeg_photo
+      File.read(jpeg_photo_path)
+    end
+  end
+
+  module CommandSupport
+    def setup
+      super
+      @fakeroot = "fakeroot"
+      @ruby = File.join(::Config::CONFIG["bindir"],
+                        ::Config::CONFIG["RUBY_INSTALL_NAME"])
+      @top_dir = File.expand_path(File.join(File.dirname(__FILE__), ".."))
+      @examples_dir = File.join(@top_dir, "examples")
+      @lib_dir = File.join(@top_dir, "lib")
+      @ruby_args = [
+                    "-I", @examples_dir,
+                    "-I", @lib_dir,
+                   ]
+    end
+
+    def run_command(*args, &block)
+      file = Tempfile.new("al-command-support")
+      file.open
+      file.puts(ActiveLdap::Base.configurations["test"].to_yaml)
+      file.close
+      run_ruby(*[@command, "--config", file.path, *args], &block)
+    end
+
+    def run_ruby(*ruby_args, &block)
+      args = [@ruby, *@ruby_args]
+      args.concat(ruby_args)
+      Command.run(*args, &block)
+    end
+
+    def run_ruby_with_fakeroot(*ruby_args, &block)
+      args = [@fakeroot, @ruby, *@ruby_args]
+      args.concat(ruby_args)
+      Command.run(*args, &block)
+    end
+  end
+end