rubynas 0.1.0.pre.1

data/sandbox/ldap/schema/samba.schema

@@ -0,0 +1,179 @@
+##
+## schema file for OpenLDAP 2.0.x
+## Schema for storing Samba's smbpasswd file in LDAP
+## OIDs are owned by the Samba Team
+##
+## Prerequisite schemas - uid (cosine.schema)
+##                      - displayName (inetorgperson.schema)
+##
+## 1.3.6.1.4.1.7165.2.1.x - attributetypes
+## 1.3.6.1.4.1.7165.2.2.x - objectclasses
+##
+
+##
+## Password hashes
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
+	DESC 'LanManager Passwd'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
+	DESC 'NT Passwd'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+##
+## Account flags in string format ([UWDX     ])
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
+	DESC 'Account Flags'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+## 
+## Password timestamps & policies
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
+	DESC 'NT pwdLastSet'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
+	DESC 'NT logonTime'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
+	DESC 'NT logoffTime'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
+	DESC 'NT kickoffTime'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
+	DESC 'NT pwdCanChange'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
+	DESC 'NT pwdMustChange'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## string settings
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
+	DESC 'NT homeDrive'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
+	DESC 'NT scriptPath'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
+	DESC 'NT profilePath'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
+	DESC 'userWorkstations'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
+	DESC 'smbHome'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
+	DESC 'Windows NT domain to which the user belongs'
+	EQUALITY caseIgnoreIA5Match
+	SUBSTR caseIgnoreIA5SubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+##
+## user and group RID
+##
+attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
+	DESC 'NT rid'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
+	DESC 'NT Group RID'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+
+##
+## The smbPasswordEntry objectclass has been depreciated in favor of the
+## sambaAccount objectclass
+##
+#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
+#        DESC 'Samba smbpasswd entry'
+#        MUST ( uid $ uidNumber )
+#        MAY  ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
+
+#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+#	DESC 'Samba Account'
+#	MUST ( uid $ rid ) 
+#	MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+#               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
+#               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+#               description $ userWorkstations $ primaryGroupID $ domain ))
+
+## The X.500 data model (and therefore LDAPv3) says that each entry can 
+## only have one structural objectclass.  OpenLDAP 2.0 does not enforce 
+## this currently but will in v2.1
+
+objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
+	DESC 'Samba Auxilary Account'
+	MUST ( uid $ rid ) 
+	MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
+               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 
+               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
+               description $ userWorkstations $ primaryGroupID $ domain ))
+
+##
+## Used for Winbind experimentation
+##
+#objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY
+#	DESC 'Pool for allocating UNIX uids'
+#	MUST ( uidNumber $ cn ) )
+
+#objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY
+#	DESC 'Pool for allocating UNIX gids'
+#	MUST ( gidNumber $ cn ) )
+
+##
+## SID, of any type
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
+        DESC 'Security ID'
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+
+##
+## Primary group SID, compatible with ntSid
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
+        DESC 'Primary Group Security ID'
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

data/sandbox/ldap/slapd.conf

@@ -0,0 +1,99 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include		sandbox/ldap/schema/core.schema
+include		sandbox/ldap/schema/cosine.schema
+include		sandbox/ldap/schema/inetorgperson.schema
+include		sandbox/ldap/schema/nis.schema
+
+## Local definitions
+include		sandbox/ldap/local.schema
+
+# Allow LDAPv2 client connections.  This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile   sandbox/ldap/data/slapd.pid
+argsfile  sandbox/ldap/data/slapd.args
+
+# Load dynamic backend modules:
+modulepath	/usr/lib/openldap
+
+# modules available in openldap-servers-overlays RPM package:
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload denyop.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload lastmod.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload smbk5pwd.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# modules available in openldap-servers-sql RPM package:
+# moduleload back_sql.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it.  Your client software
+# may balk at self-signed certificates, however.
+
+# ## For LDAPS
+# TLSCACertificateFile "config/CACertificateFile.pem"
+# TLSCertificateFile "config/CertificateFile.pem"
+# TLSCertificateKeyFile "config/CertificateKeyFile.pem"
+# 
+# TLSVerifyClient demand
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+
+# access to dn.base="dc=esc" by * read
+# access to dn.base="cn=Subschema" by * read
+access to *
+	by self write
+	by * read
+	by anonymous auth
+
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# ldbm and/or bdb database definitions
+#######################################################################
+
+database	ldif
+
+suffix          "dc=rubynas,dc=com"
+directory       sandbox/ldap/data
+rootdn          "cn=admin,dc=rubynas,dc=com"
+## rootpw = secret
+rootpw          {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC

data/spec/apis/group_api_spec.rb

@@ -0,0 +1,97 @@
+require 'spec_helper'
+
+describe 'Restful Group API' do
+  include Rack::Test::Methods
+
+  def app
+    GroupApi
+  end
+  
+  before { LdapGroup.all.each(&:destroy) }
+  
+  context "GET /" do
+    before do
+      create :user_ldap_group
+      create :admin_ldap_group
+      get '/' 
+    end
+    subject { last_response }
+    
+    it { should be_ok }
+    its(:body) { should include('Users') }
+    its(:body) { should include('Administrators') }
+  end
+  
+  context "GET /:cn" do
+    context "with group" do
+      before do
+        create :user_ldap_group
+        get '/Users' 
+      end
+      subject { last_response }
+    
+      it { should be_ok }
+      its(:body) { should include('Users') }
+      its(:body) { should include('1000') }
+    end
+
+    context "without user" do
+      before { get '/Users' }
+      subject { last_response }
+  
+      its(:status) { should == 404 }
+    end
+  end
+  
+  context "DELETE /" do
+    context "with group" do
+      before do
+        create :user_ldap_group
+        LdapGroup.all.should_not be_empty
+        delete '/Users' 
+      end
+      subject { last_response }
+    
+      it { should be_ok }
+      specify { LdapGroup.all.should be_empty }
+    end
+
+    context "without user" do
+      before { delete '/Users' }
+      subject { last_response }
+  
+      its(:status) { should == 404 }
+    end
+  end
+  
+  context "POST /" do
+    it "adds a new group" do
+      post '/', common_name: "Foo", gid_number: 1001
+      last_response.status.should == 201
+    end
+    
+    it "returns a 400 if params are missing" do
+      post '/'
+      last_response.status.should == 400
+    end
+  end
+  
+  context "PUT /:cn" do
+    context "with user" do
+      before do
+        create :user_ldap_group
+        put '/Users', common_name: "Foo", gid_number: 1001
+      end
+      subject { LdapGroup.find('Users') }
+      
+      its(:gid_number) { should == 1001 }
+    end
+    
+    context "without user" do
+      before { put '/Users', common_name: "Foo", gid_number: 1001 }
+      subject { last_response }
+  
+      its(:status) { should == 404 }
+    end
+  end
+end

data/spec/apis/system_information_api_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe SystemInformationApi do
+  include Rack::Test::Methods
+
+  def app
+    described_class
+  end
+  
+  describe "GET /vmstat" do
+    before do
+      get '/vmstat'
+    end
+    subject { last_response }
+    
+    it { should be_ok }
+  end
+  
+  describe "GET /disk/" do
+    before do
+      get '/disk/' 
+    end
+    subject { last_response }
+    
+    it { should be_ok }
+  end
+end

data/spec/apis/user_api_spec.rb

@@ -0,0 +1,113 @@
+require 'spec_helper'
+
+describe 'Restful User API' do
+  include Rack::Test::Methods
+
+  def app
+    UserApi
+  end
+  
+  before { LdapUser.all.each(&:destroy) }
+  
+  context "GET /" do
+    before do
+      create :ldap_user
+      create :admin_ldap_user
+      get '/' 
+    end
+    subject { last_response }
+    
+    it { should be_ok }
+    its(:body) { should include('user@rubynas.com') }
+    its(:body) { should include('admin@rubynas.com') }
+    its(:body) { should_not include('userPassword') }
+  end
+  
+  context "GET /template" do
+    before do
+      get '/template'
+    end
+    subject { last_response }
+
+    it { should be_ok }
+    its(:body) { should include('1000') }
+    its(:body) { should include('/home/') }
+
+    context "with one user" do
+      before do
+        create :ldap_user
+        get '/template' 
+      end
+      subject { last_response }
+
+      it { should be_ok }
+      its(:body) { should include('1001') }
+      its(:body) { should include('/home/') }
+      its(:body) { should include('1000') } # group
+    end
+  end
+
+  context "POST /" do
+    it "creates a new user" do
+      post '/', :common_name => 'John Doe',
+                     :uid => 'jdoe',
+                     :home_directory => '/tmp',
+                     :gid_number => 1000,
+                     :uid_number => 1000,
+                     :given_name => "John",
+                     :surname => "Doe",
+                     :mail => "john.doe@rubynas.com",
+                     :password => 'password',
+                     :login_shell => '/bin/bash'
+      last_response.status.should == 201
+      user = LdapUser.find('John Doe')
+      user.should be_a(LdapUser)
+      ActiveLdap::UserPassword.valid?('password', 
+                                      user.user_password).should be_true
+    end
+
+    it "doesn't create a new user if fields are missing" do
+      LdapUser.should_not_receive(:create)
+      post '/', :common_name => 'John Doe',
+                     :uid => 'jdoe',
+                     :home_directory => '/tmp',
+                     :gid_number => 1000,
+                     :uid_number => 1000
+      last_response.should_not be_ok
+    end
+  end
+  
+  context "GET /user/cn" do
+    it "searches with filter" do
+      create :ldap_user
+      get '/User'
+      last_response.should be_ok
+    end
+  end
+  
+  context "DELETE /user/cn" do
+    it "searches with filter" do
+      create :ldap_user
+      delete '/User'
+      last_response.status.should == 200
+      expect { LdapUser.find("User") }.to raise_error(ActiveLdap::EntryNotFound)
+    end
+  end
+  
+  context "PUT /user/cn" do
+    it "updates the user" do
+      create :ldap_user
+      put '/User', :uid_number => 2000
+      last_response.should be_ok
+    end
+
+    it "updates the user password" do
+      create :ldap_user
+      put '/User', :password => "foobar"
+      last_response.should be_ok
+      user = LdapUser.find('User')
+      ActiveLdap::UserPassword.valid?("foobar", 
+                                      user.user_password).should be_true
+    end
+  end
+end