ruby-ldapserver 0.5.3 → 0.7.0

data/lib/ldap/server/router.rb

@@ -0,0 +1,220 @@
+require 'ldap/server/dn'
+require 'ldap/server/util'
+require 'ldap/server/trie'
+require 'ldap/server/request'
+require 'ldap/server/filter'
+
+module LDAP
+class Server
+class Router
+  @logger
+  @routes
+
+  # Scope
+  BaseObject    = 0
+  SingleLevel   = 1
+  WholeSubtree  = 2
+
+  # DerefAliases
+  NeverDerefAliases   = 0
+  DerefInSearching    = 1
+  DerefFindingBaseObj = 2
+  DerefAlways         = 3
+
+  def initialize(logger, &block)
+    @logger = logger
+
+    @routes = Hash.new
+    @routes = Trie.new do |trie|
+      # Add an artificial LDAP component
+      trie << "op=bind"
+      trie << "op=search"
+    end
+
+    self.instance_eval(&block)
+  end
+
+  def log_exception(e, level = :error)
+    @logger.send level, e.message
+    e.backtrace.each { |line| @logger.send level, "\tfrom#{line}" } if e.backtrace
+  end
+
+  ######################
+  ### Initialization ###
+  ######################
+
+  def route(operation, hash)
+    hash.each do |key, value|
+      if key.nil?
+        @routes.insert "op=#{operation.to_s}", value
+        @logger.debug "map operation #{operation.to_s} all routes to #{value}"
+      else
+        @routes.insert "#{key},op=#{operation.to_s}", value
+        @logger.debug "map #{operation.to_s} #{key} to #{value}"
+      end
+    end
+  end
+
+  def method_missing(name, *args, &block)
+    if [:bind, :search, :add, :modify, :modifydn, :del, :compare].include? name
+      send :route, name, *args
+    else
+      super
+    end
+  end
+
+
+  ####################################################
+  ### Methods to parse and route each request type ###
+  ####################################################
+  def parse_route(dn, method)
+    route, action = @routes.match("#{dn},op=#{method.to_s}")
+    if not route or route.empty?
+      @logger.warn "No route defined for \'#{route}\'"
+      raise LDAP::ResultError::UnwillingToPerform
+    end
+    if action.nil?
+      @logger.error "No action defined for route \'#{route}\'"
+      raise LDAP::ResultError::UnwillingToPerform
+    end
+
+    class_name = action.split('#').first
+    method_name = action.split('#').last
+
+    params = LDAP::Server::DN.new("#{dn},op=#{method.to_s}").parse(route)
+
+    return class_name, method_name, params
+  end
+
+  def do_bind(connection, messageId, protocolOp, controls) # :nodoc:
+    request = Request.new(connection, messageId)
+    version = protocolOp.value[0].value
+    dn = protocolOp.value[1].value
+    dn = nil if dn.empty?
+    authentication = protocolOp.value[2]
+
+    @logger.debug "subject:#{connection.binddn} predicate:bind object:#{dn}"
+
+    # Find a route in the routing tree
+    class_name, method_name, params = parse_route(dn, :bind)
+
+    case authentication.tag   # tag_class == :CONTEXT_SPECIFIC (check why)
+    when 0
+      Object.const_get(class_name).send method_name, request, version, dn, authentication.value, params
+    when 3
+      mechanism = authentication.value[0].value
+      credentials = authentication.value[1].value
+      # sasl_bind(version, dn, mechanism, credentials)
+      # FIXME: needs to exchange further BindRequests
+      # route_sasl_bind(request, version, dn, mechanism, credentials)
+      raise LDAP::ResultError::AuthMethodNotSupported
+    else
+      raise LDAP::ResultError::ProtocolError, "BindRequest bad AuthenticationChoice"
+    end
+    request.send_BindResponse(0)
+    return dn, version
+  rescue NoMethodError => e
+    log_exception e
+    request.send_BindResponse(LDAP::ResultError::OperationsError.new.to_i, :errorMessage => e.message)
+    return nil, version
+  rescue LDAP::ResultError => e
+    log_exception e
+    request.send_BindResponse(e.to_i, :errorMessage => e.message)
+    return nil, version
+  end
+
+  def do_search(connection, messageId, protocolOp, controls) # :nodoc:
+    request = Request.new(connection, messageId)
+    server = connection.opt[:server]
+    schema = connection.opt[:schema]
+    baseObject = protocolOp.value[0].value
+    scope = protocolOp.value[1].value
+    deref = protocolOp.value[2].value
+    client_sizelimit = protocolOp.value[3].value
+    client_timelimit = protocolOp.value[4].value.to_i
+    request.typesOnly = protocolOp.value[5].value
+    filter = LDAP::Server::Filter::parse(protocolOp.value[6], schema)
+    request.attributes = protocolOp.value[7].value.collect {|x| x.value}
+
+    sizelimit = request.server_sizelimit
+    sizelimit = client_sizelimit if client_sizelimit > 0 and
+                 (sizelimit.nil? or client_sizelimit < sizelimit)
+    request.sizelimit = sizelimit
+
+    if baseObject.empty? and scope == BaseObject
+      request.send_SearchResultEntry("", server.root_dse) if
+        server.root_dse and LDAP::Server::Filter.run(filter, server.root_dse)
+      request.send_SearchResultDone(0)
+      return
+    elsif schema and baseObject == schema.subschema_dn
+      request.send_SearchResultEntry(baseObject, schema.subschema_subentry) if
+        schema and schema.subschema_subentry and
+        LDAP::Server::Filter.run(filter, schema.subschema_subentry)
+      request.send_SearchResultDone(0)
+      return
+    end
+
+    t = request.server_timelimit || 10
+    t = client_timelimit if client_timelimit > 0 and client_timelimit < t
+
+    @logger.debug "subject:#{connection.binddn} predicate:search object:#{baseObject}"
+
+    # Find a route in the routing tree
+    class_name, method_name, params = parse_route(baseObject, :search)
+
+    Timeout::timeout(t, LDAP::ResultError::TimeLimitExceeded) do
+      Object.const_get(class_name).send method_name, request, baseObject, scope, deref, filter, params
+    end
+    request.send_SearchResultDone(0)
+
+  # Note that TimeLimitExceeded is a subclass of LDAP::ResultError
+  rescue LDAP::ResultError => e
+    request.send_SearchResultDone(e.to_i, :errorMessage=>e.message)
+
+  rescue Abandon
+    # send no response
+
+  # Since this Operation is running in its own thread, we have to
+  # catch all other exceptions. Otherwise, in the event of a programming
+  # error, this thread will silently terminate and the client will wait
+  # forever for a response.
+
+  rescue Exception => e
+    log_exception e
+    request.send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, :errorMessage=>e.message)
+  end
+
+
+  ###########################################################
+  ### Methods to actually perform the work requested      ###
+  ### Use the signatures below to write your own handlers ###
+  ###########################################################
+
+  # Handle a simple bind request; raise an exception if the bind is
+  # not acceptable, otherwise just return to accept the bind.
+  #
+  # Write your own class method using this signature
+
+#  def simple_bind(request, version, dn, password, params)
+#    if version != 3
+#      raise LDAP::ResultError::ProtocolError, "version 3 only"
+#    end
+#    if dn
+#      raise LDAP::ResultError::InappropriateAuthentication, "This server only supports anonymous bind"
+#    end
+#  end
+
+    # Handle a search request
+    #
+    # Call request. send_SearchResultEntry for each result found. Raise
+    # an exception if there is a problem. timeLimit, sizeLimit and
+    # typesOnly are taken care of, but you need to perform all
+    # authorisation checks yourself, using @connection.binddn
+
+#    def search(basedn, scope, deref, filter)
+#      debug "search(#{basedn}, #{scope}, #{deref}, #{filter})"
+#      raise LDAP::ResultError::UnwillingToPerform, "search not implemented"
+#    end
+end
+end
+end

data/lib/ldap/server/server.rb

@@ -15,20 +15,31 @@ class Server
 
   # Create a new server. Options include all those to tcpserver/preforkserver
   # plus:
-  #   :operation_class=>Class			- set Operation handler class
-  #   :operation_args=>[...]			- args to Operation.new
-  #   :ssl_key_file=>pem, :ssl_cert_file=>pem	- enable SSL
-  #   :ssl_ca_path=>directory			- verify peer certificates
-  #   :schema=>Schema				- Schema object
-  #   :namingContexts=>[dn, ...]		- base DN(s) we answer
-  
+  # either
+  #   :router=>Router             - request router instance
+  # or
+  #   :operation_class=>Class     - set Operation handler class
+  #   :operation_args=>[...]      - args to Operation.new
+  #
+  #   :ssl_key_file=>pem, :ssl_cert_file=>pem - enable SSL
+  #   :ssl_ca_path=>directory     - verify peer certificates
+  #   :schema=>Schema             - Schema object
+  #   :namingContexts=>[dn, ...]  - base DN(s) we answer
+  #
+  # Specifying a :router always overrides :operation_class
+
   attr_reader :logger
 
   def initialize(opt = DEFAULT_OPT)
     @opt = opt
     @opt[:server] = self
-    @opt[:operation_class] ||= LDAP::Server::Operation
-    @opt[:operation_args] ||= []
+    if @opt[:router]
+      @opt.delete(:operation_class)
+      @opt.delete(:operation_args)
+    else
+      @opt[:operation_class] ||= LDAP::Server::Operation
+      @opt[:operation_args] ||= []
+    end
     unless @opt[:logger]
        @opt[:logger] ||= Logger.new($stderr)
        @opt[:logger].level = Logger::INFO
@@ -92,7 +103,11 @@ class Server
   end
 
   def join
-    @thread.join
+    begin
+      @thread.join
+    rescue Interrupt
+      @logger.info "Exiting..."
+    end
   end
 
   def stop

data/lib/ldap/server/syntax.rb

@@ -230,6 +230,6 @@ class Server
     add("1.3.6.1.4.1.1466.115.121.1.40", "Octet String")
     add("1.3.6.1.4.1.1466.115.121.1.58", "Substring Assertion")
   end
-    
+
 end # class Server
 end # module LDAP

data/lib/ldap/server/tcpserver.rb

@@ -1,4 +1,5 @@
 require 'socket'
+require 'fileutils'
 
 module LDAP
 class Server
@@ -22,13 +23,25 @@ class Server
   #   :nodelay=>true				- set TCP_NODELAY option
 
   def self.tcpserver(opt, &blk)
-    server = TCPServer.new(opt[:bindaddr] || "0.0.0.0", opt[:port])
+    if opt[:socket]
+      server = UNIXServer.new(opt[:socket])
+      FileUtils.chmod(0777, opt[:socket])
+    else
+      server = TCPServer.new(opt[:bindaddr] || "0.0.0.0", opt[:port])
+    end
 
     # Drop privileges if requested
     require 'etc' if opt[:group] or opt[:user]
     Process.gid = Process.egid = Etc.getgrnam(opt[:group]).gid if opt[:group]
     Process.uid = Process.euid = Etc.getpwnam(opt[:user]).uid if opt[:user]
-   
+
+    Process.gid = opt[:gid] if opt[:gid]
+    Process.uid = opt[:uid] if opt[:uid]
+
+    if opt[:socket]
+      FileUtils.chown((opt[:user] || opt[:uid]), (opt[:group] || opt[:gid]), opt[:socket])
+    end
+
     # Typically the O/S will buffer response data for 100ms before sending.
     # If the response is sent as a single write() then there's no need for it.
     if opt[:nodelay]
@@ -86,4 +99,4 @@ if __FILE__ == $0
   end
   #sleep 10; t.raise Interrupt	# uncomment to run for fixed time period
   t.join
-end 
+end

data/lib/ldap/server/trie.rb

@@ -0,0 +1,92 @@
+require 'ldap/server/dn'
+
+module LDAP
+class Server
+class Trie
+
+  # Trie or prefix tree suitable for storing LDAP paths
+  # Variables (wildcards) are supported
+
+  class NodeNotFoundError < Error; end
+
+  attr_accessor :parent, :value, :children
+
+  # Create a new Trie. Use with a block
+  def initialize(parent = nil, value = nil)
+    @parent = parent
+    @value = value
+    @children = Hash.new
+
+    yield self if block_given?
+  end
+
+  # Insert a path (empty node)
+  def <<(dn)
+    insert(dn)
+  end
+
+  # Insert a node with a value
+  def insert(dn, value = nil)
+    dn = LDAP::Server::DN.new(dn || '') if not dn.is_a? LDAP::Server::DN
+    dn.reverse_each do |component|
+      @children[component] = Trie.new(self) if @children[component].nil?
+      dn.dname.pop
+      if dn.any?
+        @children[component].insert dn, value
+      else
+        @children[component].value = value
+      end
+    end
+  end
+
+  # Looks up a node and returns its value or raises
+  # LDAP::Server::Trie::NodeNotFoundError if it's not in the tree
+  def lookup(dn)
+    dn = LDAP::Server::DN.new(dn || '') if not dn.is_a? LDAP::Server::DN
+    return @value if dn.dname.empty?
+    component = dn.dname.pop
+    @children.each do |key, value|
+      if key.keys.first == component.keys.first
+        if key.values.first.start_with?(':') or key.values.first == component.values.first
+          return value.lookup dn
+        end
+      end
+    end
+    raise NodeNotFoundError
+  end
+
+  # Looks up a node and returns its value or the (non-nil) value of
+  # the nearest ancestor.
+  def match(dn, path = '')
+    dn = LDAP::Server::DN.new(dn || '') if not dn.is_a? LDAP::Server::DN
+    return path, @value if dn.dname.empty?
+    component = dn.dname.pop
+    @children.each do |key, value|
+      if key.keys.first == component.keys.first
+        if key.values.first.start_with?(':') or key.values.first == component.values.first
+          path.prepend ',' unless path.empty?
+          path.prepend "#{LDAP::Server::DN.join key}"
+          new_path, new_value = value.match dn, path
+          if new_value
+            return new_path, new_value
+          else
+            return (@value ? path : nil), @value
+          end
+        end
+      end
+    end
+    return path, @value
+  end
+
+  def print_tree(prefix = '')
+    if @value
+      p "#{prefix}{{#{@value}}}"
+    end
+    @children.each do |key, value|
+        p "#{prefix}#{key.keys.first} => #{key.values.first}"
+      @children[key].print_tree("#{prefix}  ")
+    end
+  end
+end
+end
+end

data/lib/ldap/server/version.rb

@@ -1,5 +1,5 @@
 module LDAP #:nodoc:
   class Server #:nodoc:
-    VERSION = '0.5.3'
+    VERSION = '0.7.0'
   end
 end

data/ruby-ldapserver.gemspec

@@ -7,21 +7,21 @@ Gem::Specification.new do |s|
   s.name = %q{ruby-ldapserver}
   s.version = LDAP::Server::VERSION
 
-  s.authors = ["Brian Candler"]
+  s.authors = ["Brian Candler", "Florian Dejonckheere", "Lars Kanis"]
   s.description = %q{ruby-ldapserver is a lightweight, pure-Ruby skeleton for implementing LDAP server applications.}
-  s.email = %q{B.Candler@pobox.com}
+  s.email = ["B.Candler@pobox.com", "florian@floriandejonckheere.be", "lars@greiz-reinsdorf.de"]
   s.files = `git ls-files`.split($/)
-  s.homepage = %q{https://github.com/inscitiv/ruby-ldapserver}
-  s.rdoc_options = ["--main", "README.txt"]
+  s.homepage = %q{https://github.com/larskanis/ruby-ldapserver}
+  s.rdoc_options = ["--main", "README.md"]
   s.require_paths = ["lib"]
   s.summary = %q{A pure-Ruby framework for building LDAP servers}
   s.test_files = s.files.grep(%r{^(test|spec|features)/})
 
-  s.required_ruby_version = '>= 1.9'
+  s.required_ruby_version = '>= 2.3'
 
-  s.add_development_dependency 'bundler', '~> 1.3'
-  s.add_development_dependency 'rake', '~> 10.0'
-  s.add_development_dependency 'ruby-ldap', '~> 0.9.16' unless RUBY_PLATFORM == 'java'
-  s.add_development_dependency 'jruby-ldap', '~> 0.0' if RUBY_PLATFORM == 'java'
+  s.add_development_dependency 'bundler', '>= 1.3', '< 3.0'
+  s.add_development_dependency 'rake', '~> 13.0'
+  s.add_development_dependency 'net-ldap', '~> 0.10'
   s.add_development_dependency 'rspec', '~> 3.1'
+  s.add_development_dependency 'test-unit', '~> 3.0'
 end

data/test/dn_test.rb

@@ -0,0 +1,149 @@
+require File.dirname(__FILE__) + '/test_helper'
+require 'ldap/server/dn'
+
+class TestLdapDn < Test::Unit::TestCase
+  def setup
+    @dn = LDAP::Server::DN.new("cn=Steve Kille,o=Isode Limited,o=Companies,c=GB")
+  end
+
+  def test_find_first
+    assert_equal(nil, @dn.find_first("ou"))
+    assert_equal("Steve Kille", @dn.find_first("cn"))
+    assert_equal("Isode Limited", @dn.find_first("o"))
+  end
+
+  def test_find_last
+    assert_equal(nil, @dn.find_last("ou"))
+    assert_equal("Steve Kille", @dn.find_last("cn"))
+    assert_equal("Companies", @dn.find_last("o"))
+  end
+
+  def test_find
+    assert_equal([], @dn.find("ou"))
+    assert_equal(["Steve Kille"], @dn.find("cn"))
+    assert_equal(["Isode Limited", "Companies"], @dn.find("o"))
+  end
+
+  def test_find_nth
+    assert_equal(nil, @dn.find_nth("ou", 0))
+    assert_equal("Steve Kille", @dn.find_nth("cn", 0))
+    assert_equal(nil, @dn.find_nth("cn", 1))
+    assert_equal("Isode Limited", @dn.find_nth("o", 0))
+    assert_equal("Companies", @dn.find_nth("o", 1))
+    assert_equal(nil, @dn.find_nth("o", 2))
+  end
+
+  def test_start_with
+    assert @dn.start_with?("cn=Steve Kille")
+    assert @dn.start_with?("cn=Steve Kille, o=Isode Limited")
+    refute @dn.start_with?("cn=John Doe")
+  end
+
+  def test_start_with_format
+    assert @dn.start_with_format?("cn=Steve Kille")
+    assert @dn.start_with_format?("cn=foo, o=bar")
+    refute @dn.start_with_format?("c=GB")
+    refute @dn.start_with_format?("c=BE")
+  end
+
+  def test_end_with
+    assert @dn.end_with?("c=GB")
+    assert @dn.end_with?("o=Companies, c=GB")
+    refute @dn.end_with?("c=BE")
+  end
+
+  def test_end_with_format
+    assert @dn.end_with_format?("c=GB")
+    assert @dn.end_with_format?("o=foo, c=bar")
+    refute @dn.end_with_format?("cn=Steve Kille")
+    refute @dn.end_with_format?("cn=foo")
+  end
+
+  def test_equal
+    assert @dn.equal?("CN=Steve Kille,     o=Isode Limited,O=Companies,c=GB")
+    refute @dn.equal?("cn=John Doe,o=Isode Limited,o=Companies,c=GB")
+  end
+
+  def test_equal_format
+    assert @dn.equal_format?("cn=Steve Kille,o=Isode Limited,o=Companies,c=GB")
+    assert @dn.equal_format?("cn=STEVE KILLE,o=ISODE LIMITED,o=COMPANIES,c=GB")
+    assert @dn.equal_format?("cn=foo,o=bar,o=baz,c=bat")
+    assert @dn.equal_format?("CN=foo,O=bar,O=baz,C=bat")
+    refute @dn.equal_format?("cn=foo,o=Isode Limited,c=GB")
+  end
+
+  def test_include
+    assert @dn.include?("cn=Steve Kille,o=Isode Limited,o=Companies,c=GB")
+    assert @dn.include?("cn=Steve Kille")
+    assert @dn.include?("o=Isode Limited")
+    assert @dn.include?("o=Isode Limited,o=Companies")
+    assert @dn.include?("c=GB")
+
+    refute @dn.include?("cn=John Doe,o=Isode Limited,o=Companies,c=GB")
+    refute @dn.include?("cn=Steve Kille,o=Isode Limited,c=GB")
+  end
+
+  def test_include_format
+    assert @dn.include_format?("cn=foo,o=bar,o=baz,c=bat")
+    assert @dn.include_format?("cn=foo")
+    assert @dn.include_format?("o=bar")
+    assert @dn.include_format?("o=bar,o=baz")
+    assert @dn.include_format?("c=bat")
+
+    refute @dn.include_format?("cn=foo,o=bar,c=bat")
+    refute @dn.include_format?("cn=bar,c=bat")
+  end
+
+  def test_parse
+    assert_equal @dn.parse("cn=:cn,o=:company,o=Companies,c=:country"),
+      {
+        :cn => 'Steve Kille',
+        :company => 'Isode Limited',
+        :country => 'GB'
+      }
+    assert_equal @dn.parse("cn=:cn,o=:company,o=:company,c=:country"),
+      {
+        :cn => 'Steve Kille',
+        :company => 'Companies',
+        :country => 'GB'
+      }
+    assert_empty @dn.parse("cn=Steve Kille,o=Isode Limited,o=Companies,c=GB")
+
+    assert_equal @dn.parse("cn=:cn,cn=Steve Kille,o=Isode Limited,o=Companies,c=GB"),
+      {
+        :cn => nil
+      }
+
+    assert_empty @dn.parse("o=Foo,o=Companies,c=GB")
+    assert_empty @dn.parse("cn=:cn,o=Foo,o=Companies,c=GB")
+
+  end
+
+  def test_each
+    answer = [
+      { 'cn' => 'Steve Kille' },
+      { 'o' => 'Isode Limited' },
+      { 'o' => 'Companies' },
+      { 'c' => 'GB' }
+    ]
+    i = 0
+    @dn.each do |pair|
+      assert_equal pair, answer[i]
+      i += 1
+    end
+  end
+
+  def test_reverse_each
+    answer = [
+      { 'c' => 'GB' },
+      { 'o' => 'Companies' },
+      { 'o' => 'Isode Limited' },
+      { 'cn' => 'Steve Kille' }
+    ]
+    i = 0
+    @dn.reverse_each do |pair|
+      assert_equal pair, answer[i]
+      i += 1
+    end
+  end
+end