ruby-ldapserver 0.5.3 → 0.7.0

data/lib/ldap/server/connection.rb

@@ -31,11 +31,11 @@ class Server
     def log(msg, severity = Logger::INFO)
       @logger.add(severity, msg, @io.peeraddr[3])
     end
-    
+
     def debug msg
       log msg, Logger::DEBUG
     end
-    
+
     def log_exception(e)
       log "#{e}: #{e.backtrace.join("\n\tfrom ")}", Logger::ERROR
     end
@@ -93,8 +93,6 @@ class Server
     end
 
     def handle_requests
-      operationClass = @opt[:operation_class]
-      ocArgs = @opt[:operation_args] || []
       catch(:close) do
         while true
           begin
@@ -120,9 +118,14 @@ class Server
             case protocolOp.tag
             when 0 # BindRequest
               abandon_all
-              @binddn, @version = operationClass.new(self,messageId,*ocArgs).
-                                  do_bind(protocolOp, controls)
-
+              if @opt[:router]
+                @binddn, @version = @opt[:router].do_bind(self, messageId, protocolOp, controls)
+              else
+                operationClass = @opt[:operation_class]
+                ocArgs = @opt[:operation_args] || []
+                @binddn, @version = operationClass.new(self,messageId,*ocArgs).
+                                    do_bind(protocolOp, controls)
+              end
             when 2 # UnbindRequest
               throw(:close)
 
@@ -171,14 +174,17 @@ class Server
     # client sends an overlapping request with same message ID,
     # so we don't have to worry about the case where there is
     # already a thread with this messageId in @threadgroup.
-
     def start_op(messageId,protocolOp,controls,meth)
       operationClass = @opt[:operation_class]
       ocArgs = @opt[:operation_args] || []
       thr = Thread.new do
         begin
-          operationClass.new(self,messageId,*ocArgs).
-          send(meth,protocolOp,controls)
+          if @opt[:router]
+            @opt[:router].send meth, self, messageId, protocolOp, controls
+          else
+            operationClass.new(self,messageId,*ocArgs).
+            send(meth,protocolOp,controls)
+          end
         rescue Exception => e
           log_exception e
         end

data/lib/ldap/server/dn.rb

@@ -0,0 +1,220 @@
+require 'ldap/server/util'
+
+module LDAP
+class Server
+
+  class DN
+    include Enumerable
+
+    attr_reader :dname
+
+    # Combines a set of elements to a syntactically correct DN
+    # elements is [elements, ...] where elements
+    # can be either { attr => val } or [attr, val]
+    def self.join(elements)
+      LDAP::Server::Operation.join_dn(elements)
+    end
+
+    def initialize(dn)
+      @dname = LDAP::Server::Operation.split_dn(dn)
+    end
+
+    # Returns the value of the first occurrence of attr (bottom-up)
+    def find_first(attr)
+      @dname.each do |pair|
+        return pair[attr.to_s] if pair[attr.to_s]
+      end
+      nil
+    end
+
+    # Returns the value of the last occurrence of attr (bottom-up)
+    def find_last(attr)
+      @dname.reverse_each do |pair|
+        return pair[attr.to_s] if pair[attr.to_s]
+      end
+      nil
+    end
+
+    # Returns all values of all occurrences of attr (bottom-up)
+    def find(attr)
+      result = []
+      @dname.each do |pair|
+        result << pair[attr.to_s] if pair[attr.to_s]
+      end
+      result
+    end
+
+    # Returns the value of the n-th occurrence of attr (top-down, 0 is first element)
+    def find_nth(attr, n)
+      i = 0
+      @dname.each do |pair|
+        if pair[attr.to_s]
+          return pair[attr.to_s] if i == n
+          i += 1
+        end
+      end
+      nil
+    end
+
+    # Whether or not the DN starts with dn (bottom-up)
+    # dn is a string
+    def start_with?(dn)
+      needle = LDAP::Server::Operation.split_dn(dn)
+
+      # Needle is longer than haystack
+      return false if needle.length > @dname.length
+
+      needle_index = 0
+      haystack_index = 0
+
+      while needle_index < needle.length
+        return false if @dname[haystack_index] != needle[needle_index]
+        needle_index += 1
+        haystack_index += 1
+      end
+      true
+    end
+
+    # Whether or not the DN starts with a format (bottom-up) (values are ignored)
+    # dn is a string
+    def start_with_format?(dn)
+      needle = LDAP::Server::Operation.split_dn(dn)
+
+      # Needle is longer than haystack
+      return false if needle.length > @dname.length
+
+      needle_index = 0
+      haystack_index = 0
+
+      while needle_index < needle.length
+        return false if @dname[haystack_index].keys != needle[needle_index].keys
+        needle_index += 1
+        haystack_index += 1
+      end
+      true
+    end
+
+    # Whether or not the DN ends with dn (top-down)
+    # dn is a string
+    def end_with?(dn)
+      needle = LDAP::Server::Operation.split_dn(dn)
+
+      # Needle is longer than haystack
+      return false if needle.length > @dname.length
+
+      needle_index = needle.length - 1
+      haystack_index = @dname.length - 1
+
+      while needle_index >= 0
+        return false if @dname[haystack_index] != needle[needle_index]
+        needle_index -= 1
+        haystack_index -= 1
+      end
+      true
+    end
+
+    # Whether or not the DN ends with format (top-down) (values are ignored)
+    # dn is a string
+    def end_with_format?(dn)
+      needle = LDAP::Server::Operation.split_dn(dn)
+
+      # Needle is longer than haystack
+      return false if needle.length > @dname.length
+
+      needle_index = needle.length - 1
+      haystack_index = @dname.length - 1
+
+      while needle_index >= 0
+        return false if @dname[haystack_index].keys != needle[needle_index].keys
+        needle_index -= 1
+        haystack_index -= 1
+      end
+      true
+    end
+
+    # Whether or not the DN equals dn (values are case sensitive)
+    # dn is a string
+    def equal?(dn)
+      split_dn = LDAP::Server::Operation.split_dn(dn)
+
+      return false if split_dn.length != @dname.length
+
+      @dname.each_with_index do |pair, index|
+        return false if pair != split_dn[index]
+      end
+      true
+    end
+
+    # Whether or not the DN equals dn's format (values are ignored) (case insensitive)
+    # dn is a string
+    def equal_format?(dn)
+      split_dn = LDAP::Server::Operation.split_dn(dn)
+
+      return false if split_dn.length != @dname.length
+
+      @dname.each_with_index do |pair, index|
+        return false if pair.keys != split_dn[index].keys
+      end
+      true
+    end
+
+    # Whether or not the DN constains a substring equal to dn (values are case sensitive)
+    # dn is a string
+    def include?(dn)
+      split_dn = LDAP::Server::Operation.split_dn(dn)
+      return false if split_dn.length > @dname.length
+      LDAP::Server::Operation.join_dn(@dname).include?(LDAP::Server::Operation.join_dn(split_dn))
+    end
+
+    # Whether or not the DN constains a substring format equal to dn (values are ignored) (case insensitive)
+    # dn is a string
+    def include_format?(dn)
+      split_dn = LDAP::Server::Operation.split_dn(dn)
+
+      return false if split_dn.length > @dname.length
+
+      haystack = []
+      @dname.each { |pair| haystack << pair.keys }
+
+      needle = []
+      split_dn.each { |pair| needle << pair.keys }
+
+      haystack.join.include?(needle.join)
+    end
+
+    # Generates a mapping for variables
+    # For example:
+    # > dn = LDAP::Server.DN.new("uid=user,ou=Users,dc=mydomain,dc=com")
+    # > dn.parse("uid=:uid, ou=:category, dc=mydomain, dc=com")
+    # => { :uid => "user", :category => "Users" }
+    def parse(template_dn)
+      result = {}
+      template = LDAP::Server::Operation.split_dn(template_dn)
+      template.reverse.zip(@dname.reverse).each do |temp, const|
+        break if const and temp.keys.first != const.keys.first
+        if temp.values.first.start_with?(':')
+          sym = temp.values.first[1..-1].to_sym
+          if const
+            result[sym] = const.values.first unless result[sym]
+          else
+            result[sym] = nil
+          end
+        elsif temp.values.first != const.values.first
+          break
+        end
+      end
+      result
+    end
+
+    def each(&block)
+      @dname.each(&block)
+    end
+
+    def reverse_each(&block)
+      @dname.reverse_each(&block)
+    end
+
+  end
+
+end
+end

data/lib/ldap/server/filter.rb

@@ -202,7 +202,7 @@ class Server
       when :eq, :approx, :le, :ge, :substrings
         # the filter now includes a suitable matching object
         return (filter[2] || LDAP::Server::MatchingRule::DefaultMatch).send(
-                filter.first, av[filter[1].to_s], *filter[3..-1])
+                filter.first, Array(av[filter[1].to_s]), *filter[3..-1])
 
       when :true
         return true

data/lib/ldap/server/operation.rb

@@ -1,4 +1,5 @@
 require 'timeout'
+require 'openssl'
 require 'ldap/server/result'
 require 'ldap/server/filter'
 
@@ -36,6 +37,7 @@ class Server
       ])
       @schema = @connection.opt[:schema]
       @server = @connection.opt[:server]
+      @attribute_range_limit = @connection.opt[:attribute_range_limit]
     end
 
     def log msg, severity = Logger::INFO
@@ -45,9 +47,9 @@ class Server
     def debug msg
       @connection.debug msg
     end
-    
+
     # Send an exception report to the log
-    
+
     def log_exception msg
       @connection.log_exception msg
     end
@@ -84,7 +86,7 @@ class Server
         seq << OpenSSL::ASN1::Sequence(rs, 3, :IMPLICIT, :APPLICATION)
       end
       yield seq if block_given?   # opportunity to add more elements
-        
+
       send_LDAPMessage(OpenSSL::ASN1::Sequence(seq, tag, :IMPLICIT, :APPLICATION), opt)
     end
 
@@ -96,6 +98,9 @@ class Server
       end
     end
 
+
+    AttributeRange = Struct.new :start, :end
+
     # Send a found entry. Avs are {attr1=>val1, attr2=>[val2,val3]}
     # If schema given, return operational attributes only if
     # explicitly requested
@@ -114,23 +119,43 @@ class Server
       sendall = @attributes == [] || @attributes.include?("*")
       avseq = []
 
-      avs.each do |attr, vals|
-        if !@attributes.include?(attr)
+      avs.each_with_index do |(attr, vals), aidx|
+        query_attr_idx = @attributes.index(attr)
+        if !query_attr_idx
           next unless sendall
           if @schema
             a = @schema.find_attrtype(attr)
             next unless a and (a.usage.nil? or a.usage == :userApplications)
           end
         end
+        query_attr = query_attr_idx && @attribute_ranges[query_attr_idx]
 
         if @typesOnly
-          vals = [] 
+          vals = []
         else
           vals = [vals] unless vals.kind_of?(Array)
           # FIXME: optionally do a value_to_s conversion here?
           # FIXME: handle attribute;binary
         end
 
+        if (@attribute_range_limit && vals.size > @attribute_range_limit) || query_attr&.start
+          if query_attr&.start
+            range_start = query_attr.start.to_i
+            range_end = query_attr.end == "*" ? -1 : query_attr.end.to_i
+          else
+            range_start = 0
+            range_end = @attribute_range_limit ? @attribute_range_limit - 1 : -1
+          end
+          range_end = range_start + @attribute_range_limit - 1 if @attribute_range_limit && (vals.size - range_start > @attribute_range_limit)
+          range_end = -1 if vals.size <= range_end
+          rvals = vals[range_start .. range_end]
+          vals = []
+          avseq << OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::OctetString("#{attr};range=#{range_start}-#{range_end == -1 ? "*" : range_end}"),
+            OpenSSL::ASN1::Set(rvals.collect { |v| OpenSSL::ASN1::OctetString(v.to_s) })
+          ])
+        end
+
         avseq << OpenSSL::ASN1::Sequence([
           OpenSSL::ASN1::OctetString(attr),
           OpenSSL::ASN1::Set(vals.collect { |v| OpenSSL::ASN1::OctetString(v.to_s) })
@@ -200,8 +225,8 @@ class Server
       when 0
         simple_bind(version, dn, authentication.value)
       when 3
-        mechanism = authentication.value[0].value
-        credentials = authentication.value[1].value
+        # mechanism = authentication.value[0].value
+        # credentials = authentication.value[1].value
         # sasl_bind(version, dn, mechanism, credentials)
         # FIXME: needs to exchange further BindRequests
         raise LDAP::ResultError::AuthMethodNotSupported
@@ -246,7 +271,20 @@ class Server
       client_timelimit = protocolOp.value[4].value.to_i
       @typesOnly = protocolOp.value[5].value
       filter = Filter::parse(protocolOp.value[6], @schema)
-      @attributes = protocolOp.value[7].value.collect {|x| x.value}
+      attributes = protocolOp.value[7].value.collect {|x| x.value}
+      attributes = attributes.map do |attr|
+        if attr =~ /(.*);range=(\d+)-(\d+|\*)\z/
+          [$1, $2, $3]
+        else
+          attr
+        end
+      end
+      @attributes = attributes.map do |name, |
+        name
+      end
+      @attribute_ranges = attributes.map do |_, range_start, range_end|
+        range_start && AttributeRange.new(range_start, range_end)
+      end
 
       @rescount = 0
       @sizelimit = server_sizelimit

data/lib/ldap/server/request.rb

@@ -0,0 +1,166 @@
+require 'openssl'
+
+module LDAP
+class Server
+
+  class Request
+    attr_accessor :connection, :typesOnly, :attributes, :rescount, :sizelimit
+
+    # Object to handle a single LDAP request. This object is created on
+    # every request by the router, and is passed as argument to the defined
+    # routes.
+
+    def initialize(connection, messageId)
+      @connection = connection
+      @respEnvelope = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(messageId),
+        # protocolOp,
+        # controls [0] OPTIONAL,
+      ])
+      @schema = @connection.opt[:schema]
+      @server = @connection.opt[:server]
+      @rescount = 0
+    end
+
+    ##################################################
+    ### Utility methods to send protocol responses ###
+    ##################################################
+
+    def send_LDAPMessage(protocolOp, opt={}) # :nodoc:
+      @respEnvelope.value[1] = protocolOp
+      if opt[:controls]
+        @respEnvelope.value[2] = OpenSSL::ASN1::Set(opt[:controls], 0, :IMPLICIT, APPLICATION)
+      else
+        @respEnvelope.value.delete_at(2)
+      end
+
+      @connection.write(@respEnvelope.to_der)
+    end
+
+    def send_LDAPResult(tag, resultCode, opt={}) # :nodoc:
+      seq = [
+        OpenSSL::ASN1::Enumerated(resultCode),
+        OpenSSL::ASN1::OctetString(opt[:matchedDN] || ""),
+        OpenSSL::ASN1::OctetString(opt[:errorMessage] || ""),
+      ]
+      if opt[:referral]
+        rs = opt[:referral].collect { |r| OpenSSL::ASN1::OctetString(r) }
+        seq << OpenSSL::ASN1::Sequence(rs, 3, :IMPLICIT, :APPLICATION)
+      end
+      yield seq if block_given?   # opportunity to add more elements
+
+      send_LDAPMessage(OpenSSL::ASN1::Sequence(seq, tag, :IMPLICIT, :APPLICATION), opt)
+    end
+
+    def send_BindResponse(resultCode, opt={})
+      send_LDAPResult(1, resultCode, opt) do |resp|
+        if opt[:serverSaslCreds]
+          resp << OpenSSL::ASN1::OctetString(opt[:serverSaslCreds], 7, :IMPLICIT, :APPLICATION)
+        end
+      end
+    end
+
+    # Send a found entry. Avs are {attr1=>val1, attr2=>[val2,val3]}
+    # If schema given, return operational attributes only if
+    # explicitly requested
+
+    def send_SearchResultEntry(dn, avs, opt={})
+      @rescount += 1
+      if @sizelimit
+        raise LDAP::ResultError::SizeLimitExceeded if @rescount > @sizelimit
+      end
+
+      if @schema
+        # normalize the attribute names
+        @attributes = @attributes.map { |a| a == '*' ? a : @schema.find_attrtype(a).to_s }
+      end
+
+      sendall = @attributes == [] || @attributes.include?("*")
+      avseq = []
+
+      avs.each do |attr, vals|
+        if !@attributes.include?(attr)
+          next unless sendall
+          if @schema
+            a = @schema.find_attrtype(attr)
+            next unless a and (a.usage.nil? or a.usage == :userApplications)
+          end
+        end
+
+        if @typesOnly
+          vals = []
+        else
+          vals = [vals] unless vals.kind_of?(Array)
+          # FIXME: optionally do a value_to_s conversion here?
+          # FIXME: handle attribute;binary
+        end
+
+        avseq << OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::OctetString(attr),
+          OpenSSL::ASN1::Set(vals.collect { |v| OpenSSL::ASN1::OctetString(v.to_s) })
+        ])
+      end
+
+      send_LDAPMessage(OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::OctetString(dn),
+          OpenSSL::ASN1::Sequence(avseq),
+        ], 4, :IMPLICIT, :APPLICATION), opt)
+    end
+
+    def send_SearchResultDone(resultCode, opt={})
+      send_LDAPResult(5, resultCode, opt)
+    end
+
+    def send_ModifyResponse(resultCode, opt={})
+      send_LDAPResult(7, resultCode, opt)
+    end
+
+    def send_AddResponse(resultCode, opt={})
+      send_LDAPResult(9, resultCode, opt)
+    end
+
+    def send_DelResponse(resultCode, opt={})
+      send_LDAPResult(11, resultCode, opt)
+    end
+
+    def send_ModifyDNResponse(resultCode, opt={})
+      send_LDAPResult(13, resultCode, opt)
+    end
+
+    def send_CompareResponse(resultCode, opt={})
+      send_LDAPResult(15, resultCode, opt)
+    end
+
+    def send_ExtendedResponse(resultCode, opt={})
+      send_LDAPResult(24, resultCode, opt) do |resp|
+        if opt[:responseName]
+          resp << OpenSSL::ASN1::OctetString(opt[:responseName], 10, :IMPLICIT, :APPLICATION)
+        end
+        if opt[:response]
+          resp << OpenSSL::ASN1::OctetString(opt[:response], 11, :IMPLICIT, :APPLICATION)
+        end
+      end
+    end
+
+    ############################################################
+    ### Methods to get parameters related to this connection ###
+    ############################################################
+
+    # Server-set maximum time limit. Override for more complex behaviour
+    # (e.g. limit depends on @connection.binddn). Nil uses hardcoded default.
+
+    def server_timelimit
+      @connection.opt[:timelimit]
+    end
+
+    # Server-set maximum size limit. Override for more complex behaviour
+    # (e.g. limit depends on @connection.binddn). Return nil for unlimited.
+
+    def server_sizelimit
+      @connection.opt[:sizelimit]
+    end
+
+  end
+
+end
+end

data/lib/ldap/server/result.rb

@@ -63,7 +63,7 @@ class ResultError
     53 => UnwillingToPerform,
     # FIXME: please fill in the rest
   }
-  def self.[] (n)
+  def self.[](n)
     return N_TO_CLASS[n] || self
   end
 end # class ResultError