ruby-activeldap 0.8.1 → 0.8.2

data/lib/active_ldap/adapter/ldap.rb

@@ -0,0 +1,232 @@
+require 'active_ldap/adapter/base'
+
+module ActiveLdap
+  module Adapter
+    class Base
+      class << self
+        def ldap_connection(options)
+          unless defined?(::LDAP)
+            require 'active_ldap/adapter/ldap_ext'
+          end
+          Ldap.new(options)
+        end
+      end
+    end
+
+    class Ldap < Base
+      module Method
+        class SSL
+          def connect(host, port)
+            LDAP::SSLConn.new(host, port, false)
+          end
+        end
+
+        class TLS
+          def connect(host, port)
+            LDAP::SSLConn.new(host, port, true)
+          end
+        end
+
+        class Plain
+          def connect(host, port)
+            LDAP::Conn.new(host, port)
+          end
+        end
+      end
+
+      def connect(options={})
+        super do |host, port, method|
+          method.connect(host, port)
+        end
+      end
+
+      def unbind(options={})
+        return unless bound?
+        operation(options) do
+          execute(:unbind)
+        end
+      end
+
+      def bind(options={})
+        super do
+          @connection.error_message
+        end
+      end
+
+      def bind_as_anonymous(options={})
+        super do
+          execute(:bind)
+          true
+        end
+      end
+
+      def bound?
+        connecting? and @connection.bound?
+      end
+
+      def search(options={}, &block)
+        super(options) do |base, scope, filter, attrs, limit, callback|
+          begin
+            i = 0
+            execute(:search, base, scope, filter, attrs) do |entry|
+              i += 1
+              attributes = {}
+              entry.attrs.each do |attr|
+                attributes[attr] = entry.vals(attr)
+              end
+              callback.call([entry.dn, attributes], block)
+              break if limit and limit >= i
+            end
+          rescue RuntimeError
+            if $!.message == "no result returned by search"
+              @logger.debug {"No matches for #{filter} and attrs " +
+                             "#{attrs.inspect}"}
+            else
+              raise
+            end
+          end
+        end
+      end
+
+      def to_ldif(dn, attributes)
+        ldif = LDAP::LDIF.to_ldif("dn", [dn.dup])
+        attributes.sort_by do |key, value|
+          key
+        end.each do |key, values|
+          ldif << LDAP::LDIF.to_ldif(key, values)
+        end
+        ldif
+      end
+
+      def load(ldifs, options={})
+        super do |ldif|
+          LDAP::LDIF.parse_entry(ldif).send(@connection)
+        end
+      end
+
+      def delete(targets, options={})
+        super do |target|
+          execute(:delete, target)
+        end
+      end
+
+      def add(dn, entries, options={})
+        super do |dn, entries|
+          execute(:add, dn, parse_entries(entries))
+        end
+      end
+
+      def modify(dn, entries, options={})
+        super do |dn, entries|
+          execute(:modify, dn, parse_entries(entries))
+        end
+      end
+
+      private
+      def prepare_connection(options={})
+        operation(options) do
+          @connection.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+        end
+      end
+
+      def root_dse(attributes, options={})
+        sec = options[:sec] || 0
+        usec = options[:usec] || 0
+        @connection.root_dse(attributes, sec, usec)
+      end
+
+      def execute(method, *args, &block)
+        begin
+          @connection.send(method, *args, &block)
+        rescue LDAP::ResultError
+          @connection.assert_error_code
+          raise $!.message
+        end
+      end
+
+      def with_timeout(try_reconnect=true, options={}, &block)
+        begin
+          super
+        rescue LDAP::ServerDown => e
+          @logger.error {"LDAP server is down: #{e.message}"}
+          retry if try_reconnect and reconnect(options)
+          raise ConnectionError.new(e.message)
+        end
+      end
+
+      def ensure_method(method)
+        Method.constants.each do |name|
+          if method.to_s.downcase == name.downcase
+            return Method.const_get(name).new
+          end
+        end
+
+        available_methods = Method.constants.collect do |name|
+          name.downcase.to_sym.inspect
+        end.join(", ")
+        raise ConfigurationError,
+                "#{method.inspect} is not one of the available connect " +
+                "methods #{available_methods}"
+      end
+
+      def ensure_scope(scope)
+        scope_map = {
+          :base => LDAP::LDAP_SCOPE_BASE,
+          :sub => LDAP::LDAP_SCOPE_SUBTREE,
+          :one => LDAP::LDAP_SCOPE_ONELEVEL,
+        }
+        value = scope_map[scope || :sub]
+        if value.nil?
+          available_scopes = scope_map.keys.inspect
+          raise ArgumentError, "#{scope.inspect} is not one of the available " +
+                               "LDAP scope #{available_scopes}"
+        end
+        value
+      end
+
+      def sasl_bind(bind_dn, options={})
+        super do |bind_dn, mechanism, quiet|
+          begin
+            sasl_quiet = @connection.sasl_quiet
+            @connection.sasl_quiet = quiet unless quiet.nil?
+            args = [bind_dn, mechanism]
+            if need_credential_sasl_mechanism?(mechanism)
+              args << password(bind_dn, options)
+            end
+            execute(:sasl_bind, *args)
+          ensure
+            @connection.sasl_quiet = sasl_quiet
+          end
+        end
+      end
+
+      def simple_bind(bind_dn, options={})
+        super do |bind_dn, passwd|
+          execute(:bind, bind_dn, passwd)
+        end
+      end
+
+      def parse_entries(entries)
+        result = []
+        entries.each do |type, key, attributes|
+          mod_type = ensure_mod_type(type)
+          binary = schema.binary?(key)
+          mod_type |= LDAP::LDAP_MOD_BVALUES if binary
+          attributes.each do |name, values|
+            result << LDAP.mod(mod_type, name, values)
+          end
+        end
+        result
+      end
+
+      def ensure_mod_type(type)
+        case type
+        when :replace, :add
+          LDAP.const_get("LDAP_MOD_#{type.to_s.upcase}")
+        else
+          raise ArgumentError, "unknown type: #{type}"
+        end
+      end
+    end
+  end
+end

data/lib/active_ldap/adapter/ldap_ext.rb

@@ -0,0 +1,69 @@
+require_library_or_gem 'ldap'
+require 'ldap/ldif'
+require 'ldap/schema'
+
+module LDAP
+  class Mod
+    unless instance_method(:to_s).arity.zero?
+      alias_method :original_to_s, :to_s
+      def to_s
+        inspect
+      end
+    end
+
+    alias_method :_initialize, :initialize
+    def initialize(op, type, vals)
+      if (LDAP::VERSION.split(/\./).collect {|x| x.to_i} <=> [0, 9, 7]) <= 0
+        @op, @type, @vals = op, type, vals # to protect from GC
+      end
+      _initialize(op, type, vals)
+    end
+  end
+
+  IMPLEMENT_SPECIFIC_ERRORS = {}
+  {
+    0x51 => "SERVER_DOWN",
+    0x52 => "LOCAL_ERROR",
+    0x53 => "ENCODING_ERROR",
+    0x54 => "DECODING_ERROR",
+    0x55 => "TIMEOUT",
+    0x56 => "AUTH_UNKNOWN",
+    0x57 => "FILTER_ERROR",
+    0x58 => "USER_CANCELLED",
+    0x59 => "PARAM_ERROR",
+    0x5a => "NO_MEMORY",
+
+    0x5b => "CONNECT_ERROR",
+    0x5c => "NOT_SUPPORTED",
+    0x5d => "CONTROL_NOT_FOUND",
+    0x5e => "NO_RESULTS_RETURNED",
+    0x5f => "MORE_RESULTS_TO_RETURN",
+    0x60 => "CLIENT_LOOP",
+    0x61 => "REFERRAL_LIMIT_EXCEEDED",
+  }.each do |code, name|
+    IMPLEMENT_SPECIFIC_ERRORS[code] =
+      ActiveLdap::LdapError.define(code, name, self)
+  end
+
+  class Conn
+    def failed?
+      not err.zero?
+    end
+
+    def error_message
+      if failed?
+        LDAP.err2string(err)
+      else
+        nil
+      end
+    end
+
+    def assert_error_code
+      return unless failed?
+      klass = ActiveLdap::LdapError::ERRORS[err]
+      klass ||= IMPLEMENT_SPECIFIC_ERRORS[err]
+      klass ||= ActiveLdap::LdapError
+      raise klass, LDAP.err2string(err)
+    end
+  end
+end

data/lib/active_ldap/adapter/net_ldap.rb

@@ -0,0 +1,288 @@
+require 'digest/md5'
+
+require 'active_ldap/adapter/base'
+
+module ActiveLdap
+  module Adapter
+    class Base
+      class << self
+        def net_ldap_connection(options)
+          unless defined?(::Net::LDAP)
+            require 'active_ldap/adapter/net_ldap_ext'
+          end
+          NetLdap.new(options)
+        end
+      end
+    end
+
+    class NetLdap < Base
+      METHOD = {
+        :ssl => :simple_tls,
+        :tls => :start_tls,
+        :plain => nil,
+      }
+
+      def connect(options={})
+        @bound = false
+        super do |host, port, method|
+          config = {
+            :host => host,
+            :port => port,
+          }
+          config[:encryption] = {:method => method} if method
+          Net::LDAP::Connection.new(config)
+        end
+      end
+
+      def unbind(options={})
+        @bound = false
+      end
+
+      def bind(options={})
+        @bound = false
+        begin
+          super
+        rescue Net::LDAP::LdapError
+          raise AuthenticationError, $!.message
+        end
+      end
+
+      def bind_as_anonymous(options={})
+        super do
+          @bound = false
+          execute(:bind, :method => :anonymous)
+          @bound = true
+        end
+      end
+
+      def bound?
+        connecting? and @bound
+      end
+
+      def search(options={}, &block)
+        super(options) do |base, scope, filter, attrs, limit, callback|
+          args = {
+            :base => base,
+            :scope => scope,
+            :filter => filter,
+            :attributes => attrs,
+            :size => limit,
+          }
+          execute(:search, args) do |entry|
+            attributes = {}
+            entry.original_attribute_names.each do |name|
+              attributes[name] = entry[name]
+            end
+            callback.call([entry.dn, attributes], block)
+          end
+        end
+      end
+
+      def to_ldif(dn, attributes)
+        entry = Net::LDAP::Entry.new(dn.dup)
+        attributes.each do |key, values|
+          entry[key] = values.flatten
+        end
+        entry.to_ldif
+      end
+
+      def load(ldifs, options={})
+        super do |ldif|
+          entry = Net::LDAP::Entry.from_single_ldif_string(ldif)
+          attributes = {}
+          entry.each do |name, values|
+            attributes[name] = values
+          end
+          attributes.delete(:dn)
+          execute(:add,
+                  :dn => entry.dn,
+                  :attributes => attributes)
+        end
+      end
+
+      def delete(targets, options={})
+        super do |target|
+          execute(:delete, :dn => target)
+        end
+      end
+
+      def add(dn, entries, options={})
+        super do |dn, entries|
+          attributes = {}
+          entries.each do |type, key, attrs|
+            attrs.each do |name, values|
+              attributes[name] = values
+            end
+          end
+          execute(:add, :dn => dn, :attributes => attributes)
+        end
+      end
+
+      def modify(dn, entries, options={})
+        super do |dn, entries|
+          execute(:modify,
+                  :dn => dn,
+                  :operations => parse_entries(entries))
+        end
+      end
+
+      private
+      def execute(method, *args, &block)
+        result = @connection.send(method, *args, &block)
+        message = nil
+        if result.is_a?(Hash)
+          message = result[:errorMessage]
+          result = result[:resultCode]
+        end
+        unless result.zero?
+          klass = LdapError::ERRORS[result]
+          klass ||= LdapError
+          raise klass,
+                [Net::LDAP.result2string(result), message].compact.join(": ")
+        end
+      end
+
+      def root_dse(attrs, options={})
+        search(:base => "",
+               :scope => :base,
+               :attributes => attrs).collect do |dn, attributes|
+          attributes
+        end
+      end
+
+      def ensure_method(method)
+        method ||= "plain"
+        normalized_method = method.to_s.downcase.to_sym
+        return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
+
+        available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+        raise ConfigurationError,
+                "#{method.inspect} is not one of the available connect " +
+                "methods #{available_methods}"
+      end
+
+      def ensure_scope(scope)
+        scope_map = {
+          :base => Net::LDAP::SearchScope_BaseObject,
+          :sub => Net::LDAP::SearchScope_WholeSubtree,
+          :one => Net::LDAP::SearchScope_SingleLevel,
+        }
+        value = scope_map[scope || :sub]
+        if value.nil?
+          available_scopes = scope_map.keys.inspect
+          raise ArgumentError, "#{scope.inspect} is not one of the available " +
+                               "LDAP scope #{available_scopes}"
+        end
+        value
+      end
+
+      def sasl_bind(bind_dn, options={})
+        super do |bind_dn, mechanism, quiet|
+          normalized_mechanism = mechanism.downcase.gsub(/-/, '_')
+          sasl_bind_setup = "sasl_bind_setup_#{normalized_mechanism}"
+          next unless respond_to?(sasl_bind_setup, true)
+          initial_credential, challenge_response =
+            send(sasl_bind_setup, bind_dn, options)
+          args = {
+            :method => :sasl,
+            :initial_credential => initial_credential,
+            :mechanism => mechanism,
+            :challenge_response => challenge_response,
+          }
+          @bound = false
+          execute(:bind, args)
+          @bound = true
+        end
+      end
+
+      def sasl_bind_setup_digest_md5(bind_dn, options)
+        initial_credential = ""
+        nonce_count = 1
+        challenge_response = Proc.new do |cred|
+          params = parse_sasl_digest_md5_credential(cred)
+          qops = params["qop"].split(/,/)
+          return "unsupported qops: #{qops.inspect}" unless qops.include?("auth")
+          qop = "auth"
+          server = @connection.instance_variable_get("@conn").addr[2]
+          realm = params['realm']
+          uri = "ldap/#{server}"
+          nc = "%08x" % nonce_count
+          nonce = params["nonce"]
+          cnonce = generate_client_nonce
+          requests = {
+            :username => bind_dn.inspect,
+            :realm => realm.inspect,
+            :nonce => nonce.inspect,
+            :cnonce => cnonce.inspect,
+            :nc => nc,
+            :qop => qop,
+            :maxbuf => "65536",
+            "digest-uri" => uri.inspect,
+          }
+          a1 = "#{bind_dn}:#{realm}:#{password(cred, options)}"
+          a1 = "#{Digest::MD5.digest(a1)}:#{nonce}:#{cnonce}"
+          ha1 = Digest::MD5.hexdigest(a1)
+          a2 = "AUTHENTICATE:#{uri}"
+          ha2 = Digest::MD5.hexdigest(a2)
+          response = "#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}"
+          requests["response"] = Digest::MD5.hexdigest(response)
+          nonce_count += 1
+          requests.collect do |key, value|
+            "#{key}=#{value}"
+          end.join(",")
+        end
+        [initial_credential, challenge_response]
+      end
+
+      def parse_sasl_digest_md5_credential(cred)
+        params = {}
+        cred.scan(/(\w+)=(\"?)(.+?)\2(?:,|$)/) do |name, sep, value|
+          params[name] = value
+        end
+        params
+      end
+
+      CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      def generate_client_nonce(size=32)
+        nonce = ""
+        size.times do |i|
+          nonce << CHARS[rand(CHARS.size)]
+        end
+        nonce
+      end
+
+      def simple_bind(bind_dn, options={})
+        super do |bind_dn, passwd|
+          args = {
+            :method => :simple,
+            :username => bind_dn,
+            :password => passwd,
+          }
+          @bound = false
+          execute(:bind, args)
+          @bound = true
+        end
+      end
+
+      def parse_entries(entries)
+        result = []
+        entries.each do |type, key, attributes|
+          mod_type = ensure_mod_type(type)
+          attributes.each do |name, values|
+            result << [mod_type, name, values]
+          end
+        end
+        result
+      end
+
+      def ensure_mod_type(type)
+        case type
+        when :replace, :add
+          type
+        else
+          raise ArgumentError, "unknown type: #{type}"
+        end
+      end
+    end
+  end
+end