Compare AD DNs case-insensitively when checking group membership

2015-05-08 23:56:07 +02:00 · 2015-05-08 23:56:07 +02:00 · 92f18b196f
--- a/lib/github/ldap/membership_validators/active_directory.rb
+++ b/lib/github/ldap/membership_validators/active_directory.rb
@ -31,7 +31,8 @@ module GitHub
            attributes: ATTRS

          # membership validated if entry was matched and returned as a result
-          matched.map(&:dn).include?(entry.dn)
+          # Active Directory DNs are case-insensitive
+          matched.map { |m| m.dn.downcase }.include?(entry.dn.downcase)
        end

        # Internal: Constructs a membership filter using the "in chain"
--- a/test/membership_validators/active_directory_test.rb
+++ b/test/membership_validators/active_directory_test.rb
@ -123,4 +123,13 @@ class GitHubLdapActiveDirectoryMembershipValidatorsIntegrationTest < GitHub::Lda
    validator = make_validator(%w(posix-group1))
    assert validator.perform(@entry)
  end
+
+  def test_validates_user_in_group_with_differently_cased_dn
+    validator = make_validator(%w(all-users))
+    @entry[:dn].map(&:upcase!)
+    assert validator.perform(@entry)
+
+    @entry[:dn].map(&:downcase!)
+    assert validator.perform(@entry)
+  end
 end