whimsy-asf 0.0.76 → 0.0.77

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 42ee442311d0fc054e4dd8fb6f2bdb4635d03ce1
-  data.tar.gz: d556f03175acf95b7882d59b1abfe0b3332c81b5
+  metadata.gz: 9de8ca22abe552126b86e1490237de5bd1c7f601
+  data.tar.gz: 94c07c220d6efacbbb4667f76ab06bcf6d08e17c
 SHA512:
-  metadata.gz: 5a00c4fa7f49262e06d04cdffb11929b1955e27afb55b3bc5f2224703a1ccd3d6d609a3656e6a6a3d54677bfcd8e7191641e944888aeebc8359028ab33d7c57c
-  data.tar.gz: ed851c6a5edc6fef8325345c96d75d9abfaafa2b1e6753b2de2a8ff3d65ccdb30f35f5bbc74fc0912eb2cdd87227c27d08c4564610b753a06e84721638b2525c
+  metadata.gz: a52d9845077b7f361e70870c6f71cd16c5564ef4669f8ceff4302f6edba39af239e4276190d0c9f2668a4d405946846fe6f5883a947b43e631c538aa57f67139
+  data.tar.gz: a0e00b2a2dbc544e9e7a5763ccda6f4d8e631976e90c0371add54188bce0ad48c8f19fa29c9bf836f8e0c494e2e2edd60e62a3ac55a2b7f0cde275ba4f56ca18

data/asf.version

@@ -1 +1 @@
-0.0.76
+0.0.77

data/lib/whimsy/asf.rb

@@ -1,14 +1,17 @@
-require File.expand_path('../asf/config', __FILE__)
-require File.expand_path('../asf/committee', __FILE__)
-require File.expand_path('../asf/ldap', __FILE__)
-require File.expand_path('../asf/mail', __FILE__)
-require File.expand_path('../asf/svn', __FILE__)
-require File.expand_path('../asf/watch', __FILE__)
-require File.expand_path('../asf/nominees', __FILE__)
-require File.expand_path('../asf/icla', __FILE__)
-require File.expand_path('../asf/auth', __FILE__)
-require File.expand_path('../asf/member', __FILE__)
-require File.expand_path('../asf/site', __FILE__)
+require_relative 'asf/config'
+require_relative 'asf/committee'
+require_relative 'asf/ldap'
+require_relative 'asf/mail'
+require_relative 'asf/svn'
+require_relative 'asf/git'
+require_relative 'asf/watch'
+require_relative 'asf/nominees'
+require_relative 'asf/icla'
+require_relative 'asf/auth'
+require_relative 'asf/member'
+require_relative 'asf/site'
+require_relative 'asf/podlings'
+require_relative 'asf/person'
 
 module ASF
   def self.library_mtime
@@ -17,8 +20,9 @@ module ASF
     times = sources.map {|source| File.mtime(source)}
     times.max.gmtime
   end
+
   def self.library_gitinfo
     return @info if @info
-    @info = `git show --format="%h  %ci"  -s HEAD`.chomp
+    @info = `git show --format="%h  %ci"  -s HEAD`.strip
   end
 end

data/lib/whimsy/asf/agenda.rb

@@ -124,6 +124,15 @@ class ASF::Board::Agenda
       hash[:attach] = section
     end
 
+    # look for missing titles
+    @sections.each do |section, hash|
+      hash['title'] ||= "UNKNOWN"
+
+      if hash['title'] == "UNKNOWN"
+        hash['warnings'] = ['unable to find attachment']
+      end
+    end
+
     @sections.values
   end
 

data/lib/whimsy/asf/agenda/special.rb

@@ -23,7 +23,7 @@ class ASF::Board::Agenda
       title.sub! /\sthe\s/, ' '
       title.sub! /\sApache\s/, ' '
       title.sub! /\sCommittee\s/, ' '
-      title.sub! /\sProject(\s|$)/, '\1'
+      title.sub! /\sProject(\s|$)/i, '\1'
       title.sub! /\sPMC(\s|$)/, '\1'
       title.sub! /\s\(.*\)$/, ''
 
@@ -49,9 +49,9 @@ class ASF::Board::Agenda
 
       people = text.scan(/#{list_item}\((#{asfid})\)\s*$/)
       people += text.scan(/#{list_item}\((#{asfid})(?:@|\s*at\s*)
-        (?:\.\.\.|apache\.org)\)\s*$/x)
+        (?:\.\.\.|apache\.org|apache\sdot\sorg)\)\s*$/xi)
       people += text.scan(/#{list_item}<(#{asfid})(?:@|\s*at\s*)
-        (?:\.\.\.|apache\.org|apache\sdot\sorg)>\s*$/x)
+        (?:\.\.\.|apache\.org|apache\sdot\sorg)>\s*$/xi)
 
       whimsy = 'https://whimsy.apache.org'
       if title =~ /Change (.*?) Chair/ or title =~ /Terminate (\w+)$/
@@ -87,10 +87,25 @@ class ASF::Board::Agenda
             "#{whimsy}/board/minutes/#{name.gsub(/\W/,'_')}"
           if text =~ /FURTHER RESOLVED, that\s+([^,]*?),?\s+be\b/
             chairname = $1.gsub(/\s+/, ' ').strip
-            chair = people.find {|person| person.first == chairname}
-            attrs['chair'] = (chair ? chair.last : nil)
-            unless chair and chair.last
-              attrs['warnings'] ||= ['Chair not found in resolution'] 
+
+            if chairname =~ /\s\(([-.\w]+)\)$/
+              # if chair's id is present in parens, use that value
+              attrs['chair'] = $1 unless $1.empty?
+              chairname.sub! /\s+\(.*\)$/, ''
+            else
+              # match chair's name against people in the committee
+              chair = people.find {|person| person.first == chairname}
+              attrs['chair'] = (chair ? chair.last : nil)
+            end
+
+            unless people.include? [chairname, attrs['chair']]
+              if people.empty?
+                attrs['warnings'] ||= ['Unable to locate PMC email addresses'] 
+              elsif attrs['chair']
+                attrs['warnings'] ||= ['Chair not member of PMC'] 
+              else
+                attrs['warnings'] ||= ['Chair not found in resolution'] 
+              end
             end
           else
             attrs['warnings'] ||= ['Chair not found in resolution'] 

data/lib/whimsy/asf/auth.rb

@@ -12,12 +12,27 @@ module ASF
     end
 
     def each
-      auth = ASF::SVN['infra/infrastructure/trunk/subversion/authorization']
+      # TODO - should this read the Git repo directly?
+      auth = ASF::Git.find('infrastructure-puppet')
+      if auth
+        auth += '/modules/subversion_server/files/authorization'
+      else
+        # SVN copy is no longer in use - see INFRA-11452
+        raise Exception.new("Cannot find Git: infrastructure-puppet")
+      end
+
       File.read("#{auth}/#{@file}-authorization-template").
         scan(/^([-\w]+)=(\w.*)$/).each do |pmc, ids|
         yield pmc, ids.split(',')
       end
     end
+
+    unless Enumerable.instance_methods.include? :to_h
+      # backwards compatibility for Ruby versions <= 2.0
+      def to_h
+        Hash[self.to_a]
+      end
+    end
   end
 
   class Person

data/lib/whimsy/asf/committee.rb

@@ -52,14 +52,19 @@ module ASF
         return @committee_info 
       end
 
-      list = Hash.new {|hash, name| hash[name] = find(name)}
 
       @committee_mtime = File.mtime(file)
       @@svn_change = Time.parse(
         `svn info #{file}`[/Last Changed Date: (.*) \(/, 1]).gmtime
 
+      parse_committee_info File.read(file)
+    end
+
+    def self.parse_committee_info(contents)
+      list = Hash.new {|hash, name| hash[name] = find(name)}
+
       # Split the file on lines starting "* ", i.e. the start of each group in section 3
-      info = File.read(file).split(/^\* /)
+      info = contents.split(/^\* /)
       # Extract the text before first entry in section 3 and split on section headers,
       # keeping sections 1 (COMMITTEES) and 2 (REPORTING).
       head, report = info.shift.split(/^\d\./)[1..2]
@@ -82,21 +87,22 @@ module ASF
       # for each committee in section 3
       info.each do |roster|
         # extract the committee name and canonicalise
-        committee = list[@@namemap.call(roster[/(\w.*?)\s+\(/,1])]
+        committee = list[@@namemap.call(roster[/(\w.*?)[ \t]+\(/,1])]
         # get the start date
         committee.established = roster[/\(est\. (.*?)\)/, 1]
         # extract the availids (is this used?)
         committee.info = roster.scan(/<(.*?)@apache\.org>/).flatten
         # drop (chair) markers and extract 0: name, 1: availid, 2: [date], 3: date
+        # the date is optional (e.g. infrastructure)
         committee.roster = Hash[roster.gsub(/\(\w+\)/, '').
-          scan(/^\s*(.*?)\s*<(.*?)@apache\.org>\s+(\[(.*?)\])?/).
+          scan(/^[ \t]*(.*?)[ \t]*<(.*?)@apache\.org>(?:[ \t]+(\[(.*?)\]))?/).
           map {|list| [list[1], {name: list[0], date: list[3]}]}]
       end
 
       # process report section
       report.scan(/^([^\n]+)\n---+\n(.*?)\n\n/m).each do |period, committees|
-        committees.scan(/^   \s*(.*)/).each do |committee|
-          committee, comment = committee.first.split(/\s+#\s+/,2)
+        committees.scan(/^   [ \t]*(.*)/).each do |committee|
+          committee, comment = committee.first.split(/[ \t]+#[ \t]+/,2)
           committee = list[committee]
           if comment
             committee.report = "#{period}: #{comment}"

data/lib/whimsy/asf/git.rb

@@ -0,0 +1,48 @@
+require 'thread'
+require 'open3'
+
+module ASF
+
+  class Git
+    @semaphore = Mutex.new
+
+    def self.repos
+      @semaphore.synchronize do
+        git = Array(ASF::Config.get(:git)).map {|dir| dir.untaint}
+        @repos ||= Hash[Dir[*git].map { |name| 
+          next unless Dir.exist? name.untaint
+          Dir.chdir name.untaint do
+            out, err, status = 
+              Open3.capture3(*%(git config --get remote.origin.url))
+            if status.success?
+              [File.basename(out.chomp, '.git'), Dir.pwd.untaint]
+            end
+          end
+        }.compact]
+      end
+    end
+
+    def self.[]=(name, path)
+      @testdata[name] = File.expand_path(path).untaint
+    end
+
+    def self.[](name)
+      self.find!(name)
+    end
+
+    def self.find(name)
+      repos[name]
+    end
+
+    def self.find!(name)
+      result = self.find(name)
+
+      if not result
+        raise Exception.new("Unable to find git clone for #{name}")
+      end
+
+      result
+    end
+  end
+
+end

data/lib/whimsy/asf/icla.rb

@@ -1,3 +1,5 @@
+require 'json'
+
 module ASF
 
   class ICLA
@@ -8,7 +10,7 @@ module ASF
 
     @@mtime = nil
 
-    OFFICERS = ASF::SVN['private/foundation/officers']
+    OFFICERS = ASF::SVN.find('private/foundation/officers')
     SOURCE = OFFICERS ? "#{OFFICERS}/iclas.txt" : nil
 
     # flush caches if source file changed
@@ -120,60 +122,6 @@ module ASF
       end
     end
 
-    # sort support
-
-    def self.asciize(name)
-      if name.match /[^\x00-\x7F]/
-        # digraphs.  May be culturally sensitive
-        name.gsub! /\u00df/, 'ss'
-        name.gsub! /\u00e4|a\u0308/, 'ae'
-        name.gsub! /\u00e5|a\u030a/, 'aa'
-        name.gsub! /\u00e6/, 'ae'
-        name.gsub! /\u00f1|n\u0303/, 'ny'
-        name.gsub! /\u00f6|o\u0308/, 'oe'
-        name.gsub! /\u00fc|u\u0308/, 'ue'
-
-        # latin 1
-        name.gsub! /[\u00e0-\u00e5]/, 'a'
-        name.gsub! /\u00e7/, 'c'
-        name.gsub! /[\u00e8-\u00eb]/, 'e'
-        name.gsub! /[\u00ec-\u00ef]/, 'i'
-        name.gsub! /[\u00f2-\u00f6]|\u00f8/, 'o'
-        name.gsub! /[\u00f9-\u00fc]/, 'u'
-        name.gsub! /[\u00fd\u00ff]/, 'y'
-
-        # Latin Extended-A
-        name.gsub! /[\u0100-\u0105]/, 'a'
-        name.gsub! /[\u0106-\u010d]/, 'c'
-        name.gsub! /[\u010e-\u0111]/, 'd'
-        name.gsub! /[\u0112-\u011b]/, 'e'
-        name.gsub! /[\u011c-\u0123]/, 'g'
-        name.gsub! /[\u0124-\u0127]/, 'h'
-        name.gsub! /[\u0128-\u0131]/, 'i'
-        name.gsub! /[\u0132-\u0133]/, 'ij'
-        name.gsub! /[\u0134-\u0135]/, 'j'
-        name.gsub! /[\u0136-\u0138]/, 'k'
-        name.gsub! /[\u0139-\u0142]/, 'l'
-        name.gsub! /[\u0143-\u014b]/, 'n'
-        name.gsub! /[\u014C-\u0151]/, 'o'
-        name.gsub! /[\u0152-\u0153]/, 'oe'
-        name.gsub! /[\u0154-\u0159]/, 'r'
-        name.gsub! /[\u015a-\u0162]/, 's'
-        name.gsub! /[\u0162-\u0167]/, 't'
-        name.gsub! /[\u0168-\u0173]/, 'u'
-        name.gsub! /[\u0174-\u0175]/, 'w'
-        name.gsub! /[\u0176-\u0178]/, 'y'
-        name.gsub! /[\u0179-\u017e]/, 'z'
-
-        # denormalized diacritics
-        name.gsub! /[\u0300-\u036f]/, ''
-      end
-
-      name.strip.gsub /[^\w]+/, '-'
-    end
-
-    SUFFIXES = /^([Jj][Rr]\.?|I{2,3}|I?V|VI{1,3}|[A-Z]\.)$/
-
     # rearrange line in an order suitable for sorting
     def self.lname(line)
       return '' if line.start_with? '#'
@@ -185,18 +133,7 @@ module ASF
       name.sub! /\/\*.+\*\/$/,''
       return '' if name.strip.empty?
 
-      name = name.split.reverse
-      suffix = (name.shift if name.first =~ SUFFIXES)
-      suffix += ' ' + name.shift if name.first =~ SUFFIXES
-      name << name.shift
-      name << name.shift if name.first=='Lewis' and name.last=='Ship'
-      name << name.shift if name.first=='Gallardo' and name.last=='Rivera'
-      name << name.shift if name.first=="S\u00e1nchez" and name.last=='Vega'
-      # name << name.shift if name.first=='van'
-      name.last.sub! /^IJ/, 'Ij'
-      name.unshift(suffix) if suffix
-      name.map! {|word| asciize(word)}
-      name = name.reverse.join(' ')
+      name = ASF::Person.sortable_name(name)
 
       "#{name}:#{rest}"
     end
@@ -228,18 +165,10 @@ module ASF
   # Search archive for historical records of people who were committers
   # but never submitted an ICLA (some of which are still ASF members or
   # members of a PMC).
-  def self.search_archive_by_id(value)
-    require 'net/http'
-    require 'nokogiri'
-    historical_committers = 'http://people.apache.org/~rubys/committers.html'
-    doc = Nokogiri::HTML(Net::HTTP.get(URI.parse(historical_committers)))
-    doc.search('tr').each do |tr|
-      tds = tr.search('td')
-      next unless tds.length == 3
-      return tds[1].text if tds[0].text == value
-    end
-    nil
-  rescue
-    nil
+  def self.search_archive_by_id(id)
+    archive = ASF::SVN['private/foundation/officers/historic']
+    name = JSON.parse(File.read("#{archive}/committers.json"))[id]
+    name = id if name and name.empty?
+    name
   end
 end

data/lib/whimsy/asf/ldap.rb

@@ -39,14 +39,15 @@ module ASF
   module LDAP
      # https://www.pingmybox.com/dashboard?location=304
      # https://github.com/apache/infrastructure-puppet/blob/deployment/data/common.yaml (ldapserver::slapd_peers)
+     # Updated 2016-04-11 
     HOSTS = %w(
-      ldaps://ldap1-us-west.apache.org:636
-      ldaps://ldap1-lw-us.apache.org:636
-      ldaps://ldap2-us-west.apache.org:636
+      ldaps://devops.apache.org:636
       ldaps://ldap1-lw-eu.apache.org:636
-      ldaps://snappy5.apache.org:636
-      ldaps://ldap2-lw-us.apache.org:636
+      ldaps://ldap1-lw-us.apache.org:636
       ldaps://ldap2-lw-eu.apache.org:636
+      ldaps://ldap2-lw-us.apache.org:636
+      ldaps://snappy5.apache.org:636
+      ldaps://themis.apache.org:636
     )
 
     CONNECT_LOCK = Mutex.new
@@ -58,6 +59,8 @@ module ASF
       file = '/apache/infrastructure-puppet/deployment/data/common.yaml'
       http = Net::HTTP.new('raw.githubusercontent.com', 443)
       http.use_ssl = true
+      # the enclosing method is optional, so we only require the gem here
+      require 'yaml'
       @puppet = YAML.load(http.request(Net::HTTP::Get.new(file)).body)
     end
 
@@ -82,7 +85,7 @@ module ASF
         hosts.each {|host| HOST_QUEUE.push host} if HOST_QUEUE.empty?
         host = HOST_QUEUE.shift
 
-        Wunderbar.info "Connecting to LDAP server: #{host}"
+        Wunderbar.info "[#{host}] - Connecting to LDAP server"
 
         begin
           # request connection
@@ -101,7 +104,7 @@ module ASF
 
           return ldap
         rescue ::LDAP::ResultError => re
-          Wunderbar.warn "Error connecting to LDAP server #{host}: " +
+          Wunderbar.warn "[#{host}] - Error connecting to LDAP server: " +
             re.message + " (continuing)"
         end
 
@@ -110,6 +113,124 @@ module ASF
       Wunderbar.error "Failed to connect to any LDAP host"
       return nil
     end
+
+    def self.bind(user, password, &block)
+      dn = ASF::Person.new(user).dn
+      raise ::LDAP::ResultError.new('Unknown user') unless dn
+
+      ASF.ldap.unbind if ASF.ldap.bound? rescue nil
+      ldap = ASF.init_ldap(true)
+      if block
+        ldap.bind(dn, password, &block)
+        ASF.init_ldap(true)
+      else
+        ldap.bind(dn, password)
+      end
+    end
+
+    # validate HTTP authorization, and optionally invoke a block bound to
+    # that user.
+    def self.http_auth(string, &block)
+      auth = Base64.decode64(string.to_s[/Basic (.*)/, 1] || '')
+      user, password = auth.split(':', 2)
+      return unless password
+
+      if block
+        self.bind(user, password, &block)
+      else
+        begin
+          ASF::LDAP.bind(user, password) {}
+          return ASF::Person.new(user)
+        rescue ::LDAP::ResultError
+          return nil
+        end
+      end
+    end
+
+    # Return the last chosen host (if any)
+    def self.host
+      @host
+    end
+
+    # determine what LDAP hosts are available
+    def self.hosts
+      return @hosts if @hosts # cache the hosts list
+      # try whimsy config
+      hosts = Array(ASF::Config.get(:ldap))
+
+      # check system configuration
+      if hosts.empty?
+        conf = "#{ETCLDAP}/ldap.conf"
+        if File.exist? conf
+          uris = File.read(conf)[/^uri\s+(.*)/i, 1].to_s
+          hosts = uris.scan(/ldaps?:\/\/\S+?:\d+/)
+          Wunderbar.debug "Using hosts from LDAP config"
+        end
+      else
+        Wunderbar.debug "Using hosts from Whimsy config"
+      end
+
+      # if all else fails, use default list
+      Wunderbar.debug "Using default host list" if hosts.empty?
+      hosts = ASF::LDAP::HOSTS if hosts.empty?
+
+      hosts.shuffle!
+      #Wunderbar.debug "Hosts:\n#{hosts.join(' ')}"
+      @hosts = hosts
+    end
+
+    # query and extract cert from openssl output
+    def self.extract_cert
+      host = hosts.sample[%r{//(.*?)(/|$)}, 1]
+      puts ['openssl', 's_client', '-connect', host, '-showcerts'].join(' ')
+      out, err, rc = Open3.capture3 'openssl', 's_client',
+        '-connect', host, '-showcerts'
+      out[/^-+BEGIN.*?\n-+END[^\n]+\n/m]
+    end
+
+    # update /etc/ldap.conf. Usage:
+    #
+    #   sudo ruby -r whimsy/asf -e "ASF::LDAP.configure"
+    #
+    def self.configure
+      cert = Dir["#{ETCLDAP}/asf*-ldap-client.pem"].first
+
+      # verify/obtain/write the cert
+      if not cert
+        cert = "#{ETCLDAP}/asf-ldap-client.pem"
+        File.write cert, ASF::LDAP.puppet_cert || self.extract_cert
+      end
+
+      # read the current configuration file
+      ldap_conf = "#{ETCLDAP}/ldap.conf"
+      content = File.read(ldap_conf)
+
+      # ensure that the right cert is used
+      unless content =~ /asf.*-ldap-client\.pem/
+        content.gsub!(/^TLS_CACERT/i, '# TLS_CACERT')
+        content += "TLS_CACERT #{ETCLDAP}/asf-ldap-client.pem\n"
+      end
+
+      # provide the URIs of the ldap hosts
+      content.gsub!(/^URI/, '# URI')
+      content += "uri \n" unless content =~ /^uri /
+      content[/uri (.*)\n/, 1] = hosts.join(' ')
+
+      # verify/set the base
+      unless content.include? 'base dc=apache'
+        content.gsub!(/^BASE/i, '# BASE')
+        content += "base dc=apache,dc=org\n"
+      end
+
+      # ensure TLS_REQCERT is allow (Mac OS/X only)
+      if ETCLDAP.include? 'openldap' and not content.include? 'REQCERT allow'
+        content.gsub!(/^TLS_REQCERT/i, '# TLS_REQCERT')
+        content += "TLS_REQCERT allow\n"
+      end
+
+      # write the configuration if there were any changes
+      File.write(ldap_conf, content) unless content == File.read(ldap_conf)
+    end
   end
 
   # public entry point for establishing a connection safely
@@ -126,6 +247,8 @@ module ASF
   else
     ETCLDAP = '/etc/ldap'
   end
+  # Note: FreeBSD seems to use
+  # /usr/local/etc/openldap/ldap.conf
 
   def self.ldap
     @ldap || self.init_ldap
@@ -201,6 +324,11 @@ module ASF
   class Base
     attr_reader :name
 
+    # define default sort key (make Base objects sortable)
+    def <=>(other)
+      @name <=> other.name
+    end
+
     def self.base
       @base
     end
@@ -249,6 +377,19 @@ module ASF
         @name
       end
     end
+
+    def self.mod_add(attr, vals)
+      ::LDAP::Mod.new(::LDAP::LDAP_MOD_ADD, attr.to_s, Array(vals))
+    end
+
+    def self.mod_replace(attr, vals)
+      vals = Array(vals) unless Hash === vals
+      ::LDAP::Mod.new(::LDAP::LDAP_MOD_REPLACE, attr.to_s, vals)
+    end
+
+    def self.mod_delete(attr, vals)
+      ::LDAP::Mod.new(::LDAP::LDAP_MOD_DELETE, attr.to_s, Array(vals))
+    end
   end
 
   class LazyHash < Hash
@@ -311,6 +452,11 @@ module ASF
       @attrs ||= LazyHash.new {ASF.search_one(base, "uid=#{name}").first}
     end
 
+    def reload!
+      @attrs = nil
+      attrs
+    end
+
     def public_name
       return icla.name if icla
       cn = [attrs['cn']].flatten.first
@@ -347,21 +493,34 @@ module ASF
       attrs['asf-pgpKeyFingerprint'] || []
     end
 
+    def ssh_public_keys
+      attrs['sshPublicKey'] || []
+    end
+
     def urls
       attrs['asf-personalURL'] || []
     end
 
     def committees
-      Committee.list("member=uid=#{name},#{base}")
+      weakref(:committees) do
+        Committee.list("member=uid=#{name},#{base}")
+      end
     end
 
     def groups
-      Group.list("memberUid=#{name}")
+      weakref(:groups) do
+        Group.list("memberUid=#{name}")
+      end
+    end
+
+    def services
+      weakref(:services) do
+        Service.list("member=#{dn}")
+      end
     end
 
     def dn
-      value = attrs['dn']
-      value.first if Array === value
+      "uid=#{name},#{ASF::Person.base}"
     end
 
     def method_missing(name, *args)
@@ -390,9 +549,7 @@ module ASF
     end
 
     def modify(attr, value)
-      value = Array(value) unless Hash === value
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_REPLACE, attr.to_s, value)
-      ASF.ldap.modify(self.dn, [mod])
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_replace(attr.to_s, value)])
       attrs[attr.to_s] = value
     end
   end
@@ -443,19 +600,46 @@ module ASF
       @dn ||= ASF.search_one(base, "cn=#{name}", 'dn').first.first
     end
 
+    # remove people from an existing group
     def remove(people)
-      people = Array(people).map(&:id)
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_DELETE, 'memberUid', people)
-      ASF.ldap.modify(self.dn, [mod])
+      @members = nil
+      people = (Array(people) & members).map(&:id)
+      return if people.empty?
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_delete('memberUid', people)])
+    ensure
       @members = nil
     end
 
+    # add people to an existing group
     def add(people)
-      people = Array(people).map(&:dn)
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_ADD, 'memberUid', people)
-      ASF.ldap.modify(self.dn, [mod])
+      @members = nil
+      people = (Array(people) - members).map(&:id)
+      return if people.empty?
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_add('memberUid', people)])
+    ensure
       @members = nil
     end
+
+    # add a new group
+    def self.add(name, people)
+      nextgid = ASF::search_one(ASF::Group.base, 'cn=*', 'gidNumber').
+        flatten.map(&:to_i).max + 1
+
+      entry = [
+        mod_add('objectClass', ['posixGroup', 'top']),
+        mod_add('cn', name),
+        mod_add('userPassword', '{crypt}*'),
+        mod_add('gidNumber', nextgid.to_s),
+        mod_add('memberUid', people.map(&:id))
+      ]
+
+      ASF.ldap.add("cn=#{name},#{base}", entry)
+    end
+
+    # remove a group
+    def self.remove(name)
+      ASF.ldap.delete("cn=#{name},#{base}")
+    end
   end
 
   class Committee < Base
@@ -495,18 +679,38 @@ module ASF
       @dn ||= ASF.search_one(base, "cn=#{name}", 'dn').first.first
     end
 
+    # remove people from a committee
     def remove(people)
-      people = Array(people).map(&:dn)
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_DELETE, 'member', people)
-      ASF.ldap.modify(self.dn, [mod])
+      @members = nil
+      people = (Array(people) & members).map(&:dn)
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_delete('member', people)])
+    ensure
       @members = nil
     end
 
+    # add people to a committee
     def add(people)
-      people = Array(people).map(&:dn)
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_ADD, 'member', people)
-      ASF.ldap.modify(self.dn, [mod])
       @members = nil
+      people = (Array(people) - members).map(&:dn)
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_add('member', people)])
+    ensure
+      @members = nil
+    end
+
+    # add a new committee
+    def self.add(name, people)
+      entry = [
+        mod_add('objectClass', ['groupOfNames', 'top']),
+        mod_add('cn', name),
+        mod_add('member', Array(people).map(&:dn))
+      ]
+
+      ASF.ldap.add("cn=#{name},#{base}", entry)
+    end
+
+    # remove a committee
+    def self.remove(name)
+      ASF.ldap.delete("cn=#{name},#{base}")
     end
   end
 
@@ -548,132 +752,47 @@ module ASF
     end
 
     def remove(people)
-      people = Array(people).map(&:dn)
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_DELETE, 'member', people)
-      ASF.ldap.modify(self.dn, [mod])
+      @members = nil
+      people = Array(people - members).map(&:dn)
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_delete('member', people)])
+    ensure
       @members = nil
     end
 
     def add(people)
-      people = Array(people).map(&:dn)
-      mod = ::LDAP::Mod.new(::LDAP::LDAP_MOD_ADD, 'member', people)
-      ASF.ldap.modify(self.dn, [mod])
+      @members = nil
+      people = (Array(people) & members).map(&:dn)
+      ASF.ldap.modify(self.dn, [ASF::Base.mod_add('member', people)])
+    ensure
       @members = nil
     end
   end
 
-  module LDAP
-    def self.bind(user, password, &block)
-      dn = ASF::Person.new(user).dn
-      raise ::LDAP::ResultError.new('Unknown user') unless dn
-
-      ASF.ldap.unbind if ASF.ldap.bound? rescue nil
-      ldap = ASF.init_ldap(true)
-      if block
-        ldap.bind(dn, password, &block)
-        ASF.init_ldap(true)
-      else
-        ldap.bind(dn, password)
-      end
-    end
-
-    # validate HTTP authorization, and optionally invoke a block bound to
-    # that user.
-    def self.http_auth(string, &block)
-      auth = Base64.decode64(string.to_s[/Basic (.*)/, 1] || '')
-      user, password = auth.split(':', 2)
-      return unless password
+end
 
-      if block
-        self.bind(user, password, &block)
-      else
-        begin
-          ASF::LDAP.bind(user, password) {}
-          return ASF::Person.new(user)
-        rescue ::LDAP::ResultError
-          return nil
-        end
+if __FILE__ == $0
+  module ASF
+    module LDAP
+      def self.getHOSTS
+        HOSTS
       end
     end
-
-    # determine what LDAP hosts are available
-    def self.hosts
-      return @hosts if @hosts # cache the hosts list
-      # try whimsy config
-      hosts = Array(ASF::Config.get(:ldap))
-
-      # check system configuration
-      if hosts.empty?
-        conf = "#{ETCLDAP}/ldap.conf"
-        if File.exist? conf
-          uris = File.read(conf)[/^uri\s+(.*)/i, 1].to_s
-          hosts = uris.scan(/ldaps?:\/\/\S+?:\d+/)
-          Wunderbar.debug "Using hosts from LDAP config"
-        end
-      else
-        Wunderbar.debug "Using hosts from Whimsy config"
-      end
-
-      # if all else fails, use default list
-      Wunderbar.debug "Using default host list" if hosts.empty?
-      hosts = ASF::LDAP::HOSTS if hosts.empty?
-
-      hosts.shuffle!
-      #Wunderbar.debug "Hosts:\n#{hosts.join(' ')}"
-      @hosts = hosts
-    end
-
-    # query and extract cert from openssl output
-    def self.extract_cert
-      host = hosts.sample[%r{//(.*?)(/|$)}, 1]
-      puts ['openssl', 's_client', '-connect', host, '-showcerts'].join(' ')
-      out, err, rc = Open3.capture3 'openssl', 's_client',
-        '-connect', host, '-showcerts'
-      out[/^-+BEGIN.*?\n-+END[^\n]+\n/m]
-    end
-
-    # update /etc/ldap.conf. Usage:
-    #
-    #   sudo ruby -r whimsy/asf -e "ASF::LDAP.configure"
-    #
-    def self.configure
-      cert = Dir["#{ETCLDAP}/asf*-ldap-client.pem"].first
-
-      # verify/obtain/write the cert
-      if not cert
-        cert = "#{ETCLDAP}/asf-ldap-client.pem"
-        File.write cert, ASF::LDAP.puppet_cert || self.extract_cert
-      end
-
-      # read the current configuration file
-      ldap_conf = "#{ETCLDAP}/ldap.conf"
-      content = File.read(ldap_conf)
-
-      # ensure that the right cert is used
-      unless content =~ /asf.*-ldap-client\.pem/
-        content.gsub!(/^TLS_CACERT/i, '# TLS_CACERT')
-        content += "TLS_CACERT #{ETCLDAP}/asf-ldap-client.pem\n"
-      end
-
-      # provide the URIs of the ldap hosts
-      content.gsub!(/^URI/, '# URI')
-      content += "uri \n" unless content =~ /^uri /
-      content[/uri (.*)\n/, 1] = hosts.join(' ')
-
-      # verify/set the base
-      unless content.include? 'base dc=apache'
-        content.gsub!(/^BASE/i, '# BASE')
-        content += "base dc=apache,dc=org\n"
-      end
-
-      # ensure TLS_REQCERT is allow (Mac OS/X only)
-      if ETCLDAP.include? 'openldap' and not content.include? 'REQCERT allow'
-        content.gsub!(/^TLS_REQCERT/i, '# TLS_REQCERT')
-        content += "TLS_REQCERT allow\n"
-      end
-
-      # write the configuration if there were any changes
-      File.write(ldap_conf, content) unless content == File.read(ldap_conf)
+  end
+  hosts=ASF::LDAP.getHOSTS().sort!
+  puppet=ASF::LDAP.puppet_ldapservers().sort!
+  if hosts == puppet
+    puts("LDAP HOSTS array is up to date with the puppet list")
+  else
+    puts("LDAP HOSTS array does not agree with the puppet list")
+    hostsonly=hosts-puppet
+    if hostsonly.length > 0
+      print("In HOSTS but not in puppet:")
+      puts(hostsonly)
+    end
+    puppetonly=puppet-hosts
+    if puppetonly.length > 0
+      print("In puppet but not in HOSTS: ")
+      puts(puppetonly)
     end
   end
 end