ruby-ldapserver 0.3.1

data/examples/speedtest.rb

@@ -0,0 +1,37 @@
+#!/usr/local/bin/ruby
+
+require 'ldap'
+
+CHILDREN = 10
+CONNECTS = 1	# per child
+SEARCHES = 100	# per connection
+
+pids = []
+CHILDREN.times do
+  pids << fork do
+    CONNECTS.times do
+      conn = LDAP::Conn.new("localhost",1389)
+      conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+      conn.bind
+      SEARCHES.times do
+        res = conn.search("cn=Fred Flintstone,dc=example,dc=com", LDAP::LDAP_SCOPE_BASE,
+                          "(objectclass=*)") do |e|
+          #puts "#{$$} #{e.dn.inspect}"
+        end
+      end
+      conn.unbind
+    end
+  end
+end
+okcount = 0
+badcount = 0
+pids.each do |p|
+  Process.wait(p)
+  if $?.exitstatus == 0
+    okcount += 1
+  else
+    badcount += 1
+  end
+end
+puts "Children finished: #{okcount} ok, #{badcount} failed"
+exit badcount > 0 ? 1 : 0

data/lib/ldap/server.rb

@@ -0,0 +1,4 @@
+require 'ldap/server/result'
+require 'ldap/server/connection'
+require 'ldap/server/operation'
+require 'ldap/server/server'

data/lib/ldap/server/connection.rb

@@ -0,0 +1,273 @@
+require 'thread'
+require 'openssl'
+require 'ldap/server/result'
+
+module LDAP
+class Server
+
+  # An object which handles an LDAP connection. Note that LDAP allows
+  # requests and responses to be exchanged asynchronously: e.g. a client
+  # can send three requests, and the three responses can come back in
+  # any order. For that reason, we start a new thread for each request,
+  # and we need a mutex on the io object so that multiple responses don't
+  # interfere with each other.
+
+  class Connection
+    attr_reader :binddn, :version, :opt
+
+    def initialize(io, opt={})
+      @io = io
+      @opt = opt
+      @mutex = Mutex.new
+      @active_reqs = {}   # map message ID to thread object
+      @binddn = nil
+      @version = 3
+      @logger = @opt[:logger] || $stderr
+      @ssl = false
+
+      startssl if @opt[:ssl_on_connect]
+    end
+
+    def log(msg)
+      @logger << "[#{@io.peeraddr[3]}]: #{msg}\n"
+    end
+
+    def startssl # :yields:
+      @mutex.synchronize do
+        raise LDAP::ResultError::OperationsError if @ssl or @active_reqs.size > 0
+        yield if block_given?
+        @io = OpenSSL::SSL::SSLSocket.new(@io, @opt[:ssl_ctx])
+        @io.sync_close = true
+        @io.accept
+        @ssl = true
+      end
+    end
+
+    # Read one ASN1 element from the given stream.
+    # Return String containing the raw element.
+
+    def ber_read(io)
+      blk = io.read(2)		# minimum: short tag, short length
+      throw(:close) if blk.nil?
+      tag = blk[0] & 0x1f
+      len = blk[1]
+
+      if tag == 0x1f		# long form
+        tag = 0
+        while true
+          ch = io.getc
+          blk << ch
+          tag = (tag << 7) | (ch & 0x7f)
+          break if (ch & 0x80) == 0
+        end
+        len = io.getc
+        blk << len
+      end
+
+      if (len & 0x80) != 0	# long form
+        len = len & 0x7f
+        raise LDAP::ResultError::ProtocolError, "Indefinite length encoding not supported" if len == 0
+        offset = blk.length
+        blk << io.read(len)
+        # is there a more efficient way of doing this?
+        len = 0
+        blk[offset..-1].each_byte { |b| len = (len << 8) | b }
+      end
+
+      offset = blk.length
+      blk << io.read(len)
+      return blk
+      # or if we wanted to keep the partial decoding we've done:
+      # return blk, [blk[0] >> 6, tag], offset
+    end
+
+    def handle_requests
+      operationClass = @opt[:operation_class]
+      ocArgs = @opt[:operation_args] || []
+      catch(:close) do
+        while true
+          begin
+            blk = ber_read(@io)
+            asn1 = OpenSSL::ASN1::decode(blk)
+            # Debugging:
+            # puts "Request: #{blk.unpack("H*")}\n#{asn1.inspect}" if $debug
+
+            raise LDAP::ResultError::ProtocolError, "LDAPMessage must be SEQUENCE" unless asn1.is_a?(OpenSSL::ASN1::Sequence)
+            raise LDAP::ResultError::ProtocolError, "Bad Message ID" unless asn1.value[0].is_a?(OpenSSL::ASN1::Integer)
+            messageId = asn1.value[0].value
+
+            protocolOp = asn1.value[1]
+            raise LDAP::ResultError::ProtocolError, "Bad protocolOp" unless protocolOp.is_a?(OpenSSL::ASN1::ASN1Data)
+            raise LDAP::ResultError::ProtocolError, "Bad protocolOp tag class" unless protocolOp.tag_class == :APPLICATION
+
+            # controls are not properly implemented
+            c = asn1.value[2]
+            if c.is_a?(OpenSSL::ASN1::ASN1Data) and c.tag_class == :APPLICATION and c.tag == 0
+              controls = c.value
+            end
+
+            case protocolOp.tag
+            when 0 # BindRequest
+              abandon_all
+              @binddn, @version = operationClass.new(self,messageId,*ocArgs).
+                                  do_bind(protocolOp, controls)
+
+            when 2 # UnbindRequest
+              throw(:close)
+
+            when 3 # SearchRequest
+              # Note: RFC 2251 4.4.4.1 says behaviour is undefined if
+              # client sends an overlapping request with same message ID,
+              # so we don't have to worry about the case where there is
+              # already a thread with this id in @active_reqs.
+              # However, to avoid a race we copy messageId/
+              # protocolOp/controls into thread-local variables, because
+              # they will change when the next request comes in.
+              #
+              # There is a theoretical race condition here: a client could
+              # send an abandon request before Thread.current is assigned to
+              # @active_reqs[thrm]. It's not a problem, because abandon isn't
+              # guaranteed to work anyway. Doing it this way ensures that
+              # @active_reqs does not leak memory on a long-lived connection.
+
+              Thread.new(messageId,protocolOp,controls) do |thrm,thrp,thrc|
+                begin
+                  @active_reqs[thrm] = Thread.current
+                  operationClass.new(self,thrm,*ocArgs).do_search(thrp, thrc)
+                ensure
+                  @active_reqs.delete(thrm)
+                end
+              end
+
+            when 6 # ModifyRequest
+              Thread.new(messageId,protocolOp,controls) do |thrm,thrp,thrc|
+                begin
+                  @active_reqs[thrm] = Thread.current
+                  operationClass.new(self,thrm,*ocArgs).do_modify(thrp, thrc)
+                ensure
+                  @active_reqs.delete(thrm)
+                end
+              end
+
+            when 8 # AddRequest
+              Thread.new(messageId,protocolOp,controls) do |thrm,thrp,thrc|
+                begin
+                  @active_reqs[thrm] = Thread.current
+                  operationClass.new(self,thrm,*ocArgs).do_add(thrp, thrc)
+                ensure
+                  @active_reqs.delete(thrm)
+                end
+              end
+
+            when 10 # DelRequest
+              Thread.new(messageId,protocolOp,controls) do |thrm,thrp,thrc|
+                begin
+                  @active_reqs[thrm] = Thread.current
+                  operationClass.new(self,thrm,*ocArgs).do_del(thrp, thrc)
+                ensure
+                  @active_reqs.delete(thrm)
+                end
+              end
+
+            when 12 # ModifyDNRequest
+              Thread.new(messageId,protocolOp,controls) do |thrm,thrp,thrc|
+                begin
+                  @active_reqs[thrm] = Thread.current
+                  operationClass.new(self,thrm,*ocArgs).do_modifydn(thrp, thrc)
+                ensure
+                  @active_reqs.delete(thrm)
+                end
+              end
+
+            when 14 # CompareRequest
+              Thread.new(messageId,protocolOp,controls) do |thrm,thrp,thrc|
+                begin
+                  @active_reqs[thrm] = Thread.current
+                  operationClass.new(self,thrm,*ocArgs).do_compare(thrp, thrc)
+                ensure
+                  @active_reqs.delete(thrm)
+                end
+              end
+
+            when 16 # AbandonRequest
+              abandon(protocolOp.value)
+
+            else
+              raise LDAP::ResultError::ProtocolError, "Unrecognised protocolOp tag #{protocolOp.tag}"
+            end
+
+          rescue LDAP::ResultError::ProtocolError, OpenSSL::ASN1::ASN1Error => e
+            send_notice_of_disconnection(LDAP::ResultError::ProtocolError.new.to_i, e.message)
+            throw(:close)
+
+          # all other exceptions propagate up and are caught by tcpserver
+          end
+        end
+      end
+      abandon_all
+    end
+
+    def write(data)
+      @mutex.synchronize do
+        @io.write(data)
+        @io.flush
+      end
+    end
+
+    def writelock
+      @mutex.synchronize do
+        yield @io
+        @io.flush
+      end
+    end
+
+    def abandon(messageID)
+      @mutex.synchronize do
+        thread = @active_reqs.delete(messageID)
+        thread.raise LDAP::Abandon if thread and thread.alive?
+      end
+    end
+
+    def abandon_all
+      return if @active_reqs.size == 0
+      @mutex.synchronize do
+        @active_reqs.each do |id, thread|
+          thread.raise LDAP::Abandon if thread.alive?
+        end
+        @active_reqs = {}
+      end
+    end
+
+    def send_unsolicited_notification(resultCode, opt={})
+      protocolOp = [
+        OpenSSL::ASN1::Enumerated(resultCode),
+        OpenSSL::ASN1::OctetString(opt[:matchedDN] || ""),
+        OpenSSL::ASN1::OctetString(opt[:errorMessage] || ""),
+      ]
+      if opt[:referral]
+        rs = opt[:referral].collect { |r| OpenSSL::ASN1::OctetString(r) }
+        protocolOp << OpenSSL::ASN1::Sequence(rs, 3, :IMPLICIT, :APPLICATION)
+      end
+      if opt[:responseName]
+        protocolOp << OpenSSL::ASN1::OctetString(opt[:responseName], 10, :IMPLICIT, :APPLICATION)
+      end
+      if opt[:response]
+        protocolOp << OpenSSL::ASN1::OctetString(opt[:response], 11, :IMPLICIT, :APPLICATION)
+      end
+      message = [
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Sequence(protocolOp, 24, :IMPLICIT, :APPLICATION),
+      ]
+      message << opt[:controls] if opt[:controls]
+      write(OpenSSL::ASN1::Sequence(message).to_der)
+    end
+
+    def send_notice_of_disconnection(resultCode, errorMessage="")
+      send_unsolicited_notification(resultCode,
+        :errorMessage=>errorMessage,
+        :responseName=>"1.3.6.1.4.1.1466.20036"
+      )
+    end
+  end
+end # class Server
+end # module LDAP

data/lib/ldap/server/filter.rb

@@ -0,0 +1,223 @@
+require 'ldap/server/result'
+require 'ldap/server/match'
+
+module LDAP
+class Server
+
+  # LDAP filters are parsed into a LISP-like internal representation:
+  #
+  #   [:true]
+  #   [:false]
+  #   [:undef]
+  #   [:and, ..., ..., ...]
+  #   [:or, ..., ..., ...]
+  #   [:not, ...]
+  #   [:present, attr]
+  #   [:eq, attr, MO, val]
+  #   [:approx, attr, MO, val]
+  #   [:substrings, attr, MO, initial=nil, {any, any...}, final=nil]
+  #   [:ge, attr, MO, val]
+  #   [:le, attr, MO, val]
+  #
+  # This is done rather than a more object-oriented approach, in the
+  # hope that it will make it easier to match certain filter structures
+  # when converting them into something else. e.g. certain LDAP filter
+  # constructs can be mapped to some fixed SQL queries.
+  #
+  # See RFC 2251 4.5.1 for the three-state(!) boolean logic from LDAP
+  #
+  # If no schema is provided: 'attr' is the raw attribute name as provided
+  # by the client. If a schema is provided: attr is converted to its
+  # normalized name as listed in the schema, e.g. 'commonname' becomes 'cn',
+  # 'objectclass' becomes 'objectClass' etc.
+  # If a schema is provided, MO is a matching object which can be used to
+  # perform the match. If no schema is provided, this is 'nil'. In that
+  # case you could use LDAP::Server::MatchingRule::DefaultMatch.
+
+  class Filter
+
+    # Parse a filter in OpenSSL::ASN1 format into our own format.
+    #
+    # There are some trivial optimisations we make: e.g.
+    #   (&(objectClass=*)(cn=foo)) -> (&(cn=foo)) -> (cn=foo)
+
+    def self.parse(asn1, schema=nil)
+      case asn1.tag
+      when 0 # and
+        conds = asn1.value.collect { |a| parse(a) }
+        conds.delete([:true])
+        return [:true] if conds.size == 0
+        return conds.first if conds.size == 1
+        return [:false] if conds.include?([:false])
+        return conds.unshift(:and)
+
+      when 1 # or
+        conds = asn1.value.collect { |a| parse(a) }
+        conds.delete([:false])
+        return [:false] if conds.size == 0
+        return conds.first if conds.size == 1
+        return [:true] if conds.include?([:true])
+        return conds.unshift(:or)
+
+      when 2 # not
+        cond = parse(asn1.value[0])
+        case cond
+        when [:false];	return [:true]
+	when [:true];	return [:false]
+	when [:undef];	return [:undef]
+	end
+	return [:not, cond]
+
+      when 3 # equalityMatch
+        attr = asn1.value[0].value
+        val = asn1.value[1].value
+        return [:true] if attr =~ /\AobjectClass\z/i and val =~ /\Atop\z/i
+        if schema
+          a = schema.find_attrtype(attr)
+          return [:undef] unless a.equality
+          return [:eq, a.to_s, a.equality, val]
+        end
+        return [:eq, attr, nil, val]
+
+      when 4 # substrings
+        attr = asn1.value[0].value
+        if schema
+          a = schema.find_attrtype(attr)
+          return [:undef] unless a.substr
+          res = [:substrings, a.to_s, a.substr, nil]
+        else
+          res = [:substrings, attr, nil, nil]
+        end
+        final_val = nil
+
+        asn1.value[1].value.each do |ss|
+          case ss.tag
+          when 0
+            res[3] = ss.value
+          when 1
+            res << ss.value
+          when 2
+            final_val = ss.value
+          else
+            raise LDAP::ResultError::ProtocolError,
+              "Unrecognised substring tag #{ss.tag.inspect}"
+          end
+        end
+        res << final_val
+        return res
+
+      when 5 # greaterOrEqual
+        attr = asn1.value[0].value
+        val = asn1.value[1].value
+        if schema
+          a = schema.find_attrtype(attr)
+          return [:undef] unless a.ordering
+          return [:ge, a.to_s, a.ordering, val]
+        end
+        return [:ge, attr, nil, val]
+
+      when 6 # lessOrEqual
+        attr = asn1.value[0].value
+        val = asn1.value[1].value
+        if schema
+          a = schema.find_attrtype(attr)
+          return [:undef] unless a.ordering
+          return [:le, a.to_s, a.ordering, val]
+        end
+        return [:le, attr, nil, val]
+
+      when 7 # present
+        attr = asn1.value
+        return [:true] if attr =~ /\AobjectClass\z/i
+        if schema
+          begin
+            a = schema.find_attrtype(attr)
+            return [:present, a.to_s]
+          rescue LDAP::ResultError::UndefinedAttributeType
+            return [:false]
+          end
+        end
+        return [:present, attr]
+
+      when 8 # approxMatch
+        attr = asn1.value[0].value
+        val = asn1.value[1].value
+        if schema
+          a = schema.find_attrtype(attr)
+          # I don't know how properly to deal with approxMatch. I'm assuming
+          # that the object will have an equality MatchingRule, and we
+          # can defer to that.
+          return [:undef] unless a.equality
+          return [:approx, a.to_s, a.equality, val]
+        end
+        return [:approx, attr, nil, val]
+
+      #when 9 # extensibleMatch
+      #  FIXME
+
+      else
+        raise LDAP::ResultError::ProtocolError,
+          "Unrecognised Filter tag #{asn1.tag}"
+      end
+
+    # Unknown attribute type
+    rescue LDAP::ResultError::UndefinedAttributeType
+      return [:undef]
+    end
+
+    # Run a parsed filter against an attr=>[val] hash.
+    #
+    # Returns true, false or nil.
+
+    def self.run(filter, av)
+      case filter[0]
+      when :and
+        res = true
+        filter[1..-1].each do |elem|
+          r = run(elem, av)
+          return false if r == false
+          res = nil if r.nil?
+        end
+        return res
+
+      when :or
+        res = false
+        filter[1..-1].each do |elem|
+          r = run(elem, av)
+          return true if r == true
+          res = nil if r.nil?
+        end
+        return res
+
+      when :not
+        case run(filter[1], av)
+        when true; 	return false
+        when false;	return true
+        else		return nil
+        end
+
+      when :present
+        return av.has_key?(filter[1])
+
+      when :eq, :approx, :le, :ge, :substrings
+        # the filter now includes a suitable matching object
+        return (filter[2] || LDAP::Server::MatchingRule::DefaultMatch).send(
+                filter.first, av[filter[1].to_s], *filter[3..-1])
+
+      when :true
+        return true
+
+      when :false
+        return false
+
+      when :undef
+        return nil
+      end
+
+      raise LDAP::ResultError::OperationsError,
+        "Unimplemented filter #{filter.first.inspect}"
+    end
+
+  end # class Filter
+end # class Server
+end # module LDAP