github · mtodd · Oct 16, 2014 · Sep 24, 2014 · Sep 24, 2014 · Sep 24, 2014
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,20 @@
 language: ruby
 rvm:
-    - 1.9.3
-    - 2.1.0
+  - 1.9.3
+  - 2.1.0
 
+env:
+  - TESTENV=openldap
+  - TESTENV=apacheds
+
+install:
+  - if [ "$TESTENV" = "openldap" ]; then ./script/install-openldap; fi
+  - bundle install
+
+script:
+  - ./script/cibuild-$TESTENV
+
+matrix:
+  fast_finish: true
 notifications:
   email: false
diff --git a/Gemfile b/Gemfile
@@ -2,3 +2,7 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in github-ldap.gemspec
 gemspec
+
+group :test, :development do
+  gem "byebug", :platforms => [:mri_20, :mri_21]
+end
diff --git a/lib/github/ldap.rb b/lib/github/ldap.rb
@@ -9,6 +9,7 @@ class Ldap
     require 'github/ldap/virtual_group'
     require 'github/ldap/virtual_attributes'
     require 'github/ldap/instrumentation'
+    require 'github/ldap/membership_validators'
 
     include Instrumentation
 

diff --git a/lib/github/ldap/domain.rb b/lib/github/ldap/domain.rb
@@ -110,11 +110,15 @@ def valid_login?(login, password)
       # Check if a user exists based in the `uid`.
       #
       # login: is the user's login
+      # search_options: Net::LDAP#search compatible options to pass through
       #
       # Returns the user if the login matches any `uid`.
       # Returns nil if there are no matches.
-      def user?(login)
-        search(filter: login_filter(@uid, login), size: 1).first
+      def user?(login, search_options = {})
+        options = search_options.merge \
+          filter: login_filter(@uid, login),
+          size: 1
+        search(options).first
       end
 
       # Check if a user can be bound with a password.

diff --git a/lib/github/ldap/filter.rb b/lib/github/ldap/filter.rb
@@ -20,16 +20,18 @@ def group_filter(group_names)
 
       # Filter to check group membership.
       #
-      # entry: finds groups this Net::LDAP::Entry is a member of (optional)
+      # entry: finds groups this entry is a member of (optional)
+      #        Expects a Net::LDAP::Entry or String DN.
       #
       # Returns a Net::LDAP::Filter.
       def member_filter(entry = nil)
         if entry
+          entry = entry.dn if entry.respond_to?(:dn)
           MEMBERSHIP_NAMES.
-            map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.reduce(:|)
+            map {|n| Net::LDAP::Filter.eq(n, entry) }.reduce(:|)
         else
           MEMBERSHIP_NAMES.
-            map {|n| Net::LDAP::Filter.pres(n) }.        reduce(:|)
+            map {|n| Net::LDAP::Filter.pres(n) }.     reduce(:|)
         end
       end
 
@@ -41,10 +43,16 @@ def member_filter(entry = nil)
       # uid_attr: specifies the memberUid attribute to match with
       #
       # Returns a Net::LDAP::Filter or nil if no entry has no UID set.
-      def posix_member_filter(entry, uid_attr)
-        if !entry[uid_attr].empty?
-          entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
-                          reduce(:|)
+      def posix_member_filter(entry_or_uid, uid_attr = nil)
+        case entry_or_uid
+        when Net::LDAP::Entry
+          entry = entry_or_uid
+          if !entry[uid_attr].empty?
+            entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
+                            reduce(:|)
+          end
+        when String
+          Net::LDAP::Filter.eq("memberUid", entry_or_uid)
         end
       end
 

diff --git a/lib/github/ldap/membership_validators.rb b/lib/github/ldap/membership_validators.rb
@@ -0,0 +1,17 @@
+require 'github/ldap/membership_validators/base'
+require 'github/ldap/membership_validators/classic'
+require 'github/ldap/membership_validators/recursive'
+
+module GitHub
+  class Ldap
+    # Provides various strategies for validating membership.
+    #
+    # For example:
+    #
+    #   groups = domain.groups(%w(Engineering))
+    #   validator = GitHub::Ldap::MembershipValidators::Classic.new(ldap, groups)
+    #   validator.perform(entry) #=> true
+    #
+    module MembershipValidators; end
+  end
+end
diff --git a/lib/github/ldap/membership_validators/base.rb b/lib/github/ldap/membership_validators/base.rb
@@ -0,0 +1,37 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      class Base
+
+        # Internal: The GitHub::Ldap object to search domains with.
+        attr_reader :ldap
+
+        # Internal: an Array of Net::LDAP::Entry group objects to validate with.
+        attr_reader :groups
+
+        # Public: Instantiate new validator.
+        #
+        # - ldap:   GitHub::Ldap object
+        # - groups: Array of Net::LDAP::Entry group objects
+        def initialize(ldap, groups)
+          @ldap   = ldap
+          @groups = groups
+        end
+
+        # Abstract: Performs the membership validation check.
+        #
+        # Returns Boolean whether the entry's membership is validated or not.
+        # def perform(entry)
+        # end
+
+        # Internal: Domains to search through.
+        #
+        # Returns an Array of GitHub::Ldap::Domain objects.
+        def domains
+          @domains ||= ldap.search_domains.map { |base| ldap.domain(base) }
+        end
+        private :domains
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/membership_validators/classic.rb b/lib/github/ldap/membership_validators/classic.rb
@@ -0,0 +1,33 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      # Validates membership using `GitHub::Ldap::Domain#membership`.
+      #
+      # This is a simple wrapper for existing functionality in order to expose
+      # it consistently with the new approach.
+      class Classic < Base
+        def perform(entry)
+          return true if groups.empty?
+
+          domains.each do |domain|
+            membership = domain.membership(entry, group_names)
+
+            if !membership.empty?
+              entry[:groups] = membership
+              return true
+            end
+          end
+
+          false
+        end
+
+        # Internal: the group names to look up membership for.
+        #
+        # Returns an Array of String group names (CNs).
+        def group_names
+          @group_names ||= groups.map { |g| g[:cn].first }
+        end
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/membership_validators/recursive.rb b/lib/github/ldap/membership_validators/recursive.rb
@@ -0,0 +1,90 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      # Validates membership recursively.
+      #
+      # The first step checks whether the entry is a direct member of the given
+      # groups. If they are, then we've validated membership successfully.
+      #
+      # If not, query for all of the groups that have our groups as members,
+      # then we check if the entry is a member of any of those.
+      #
+      # This is repeated until the entry is found, recursing and requesting
+      # groups in bulk each iteration until we hit the maximum depth allowed
+      # and have to give up.
+      #
+      # This results in a maximum of `depth` queries (per domain) to validate
+      # membership in a list of groups.
+      class Recursive < Base
+        include Filter
+
+        DEFAULT_MAX_DEPTH = 9
+        ATTRS             = %w(dn cn)
+
+        def perform(entry, depth = DEFAULT_MAX_DEPTH)
+          domains.each do |domain|
+            # find groups entry is an immediate member of
+            membership = domain.search(filter: member_filter(entry), attributes: ATTRS)
+
+            # success if any of these groups match the restricted auth groups
+            return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+            # give up if the entry has no memberships to recurse
+            next if membership.empty?
+
+            # recurse to at most `depth`
+            depth.times do |n|
+              # find groups whose members include membership groups
+              membership = domain.search(filter: membership_filter(membership), attributes: ATTRS)
+
+              # success if any of these groups match the restricted auth groups
+              return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+              # give up if there are no more membersips to recurse
+              break if membership.empty?
+            end
+
+            # give up on this base if there are no memberships to test
+            next if membership.empty?
+          end
+
+          false
+        end
+
+        # Internal: Construct a filter to find groups this entry is a direct
+        # member of.
+        #
+        # Overloads the included `GitHub::Ldap::Filters#member_filter` method
+        # to inject `posixGroup` handling.
+        #
+        # Returns a Net::LDAP::Filter object.
+        def member_filter(entry_or_uid, uid = ldap.uid)
+          filter = super(entry_or_uid)
+
+          if ldap.posix_support_enabled?
+            if posix_filter = posix_member_filter(entry_or_uid, uid)
+              filter |= posix_filter
+            end
+          end
+
+          filter
+        end
+
+        # Internal: Construct a filter to find groups whose members are the
+        # Array of String group DNs passed in.
+        #
+        # Returns a String filter.
+        def membership_filter(groups)
+          groups.map { |entry| member_filter(entry, :cn) }.reduce(:|)
+        end
+
+        # Internal: the group DNs to check against.
+        #
+        # Returns an Array of String DNs.
+        def group_dns
+          @group_dns ||= groups.map(&:dn)
+        end
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/server.rb b/lib/github/ldap/server.rb
@@ -38,6 +38,8 @@ def self.start_server(options = {})
       @server_options[:domain]            = @server_options[:user_domain]
       @server_options[:tmpdir]          ||= server_tmp
 
+      @server_options[:quiet] = false if @server_options[:verbose]
+
       @ldap_server = Ladle::Server.new(@server_options)
       @ldap_server.start
     end

diff --git a/script/cibuild-apacheds b/script/cibuild-apacheds
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -e
+set -x
+
+cd `dirname $0`/..
+
+bundle exec rake
diff --git a/script/cibuild-openldap b/script/cibuild-openldap
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+set -e
+set -x
+
+cd `dirname $0`/..
+
+bundle exec rake
diff --git a/script/install-openldap b/script/install-openldap
@@ -0,0 +1,44 @@
+#!/usr/bin/env sh
+set -e
+set -x
+
+BASE_PATH="$( cd `dirname $0`/../test/fixtures/openldap && pwd )"
+SEED_PATH="$( cd `dirname $0`/../test/fixtures/common   && pwd )"
+
+DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y --force-yes slapd time ldap-utils
+
+sudo /etc/init.d/slapd stop
+
+TMPDIR=$(mktemp -d)
+cd $TMPDIR
+
+# Delete data and reconfigure.
+sudo cp -v /var/lib/ldap/DB_CONFIG ./DB_CONFIG
+sudo rm -rf /etc/ldap/slapd.d/*
+sudo rm -rf /var/lib/ldap/*
+sudo cp -v ./DB_CONFIG /var/lib/ldap/DB_CONFIG
+sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/slapd.conf.ldif
+# Load memberof and ref-int overlays and configure them.
+sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/memberof.ldif
+
+# Add base domain.
+sudo slapadd -F /etc/ldap/slapd.d <<EOM
+dn: dc=github,dc=com
+objectClass: top
+objectClass: domain
+dc: github
+EOM
+
+sudo chown -R openldap.openldap /etc/ldap/slapd.d
+sudo chown -R openldap.openldap /var/lib/ldap
+
+sudo /etc/init.d/slapd start
+
+# Import seed data.
+# NOTE: use ldapadd in order for memberOf and refint to apply, instead of:
+# /vagrant/services/ldap/openldap/seed.rb | sudo slapadd -F /etc/ldap/slapd.d
+cat $SEED_PATH/seed.ldif |
+  /usr/bin/time sudo ldapadd -x -D "cn=admin,dc=github,dc=com" -w passworD1 \
+               -h localhost -p 389
+
+sudo rm -rf $TMPDIR