Merge pull request #33 from github/posixGroup-membership

posixGroup membership queries from Domain
2014-08-19 16:16:07 -07:00 · 2014-08-19 16:16:07 -07:00 · d6b6705255
--- a/lib/github/ldap/domain.rb
+++ b/lib/github/ldap/domain.rb
@ -66,7 +66,7 @@ module GitHub
          end
        else
          # fallback to non-recursive group membership search
-          filter = member_filter(user_entry.dn) & group_filter(group_names)
+          filter = member_filter(user_entry) & group_filter(group_names)
          search(filter: filter)
        end
      end
--- a/lib/github/ldap/filter.rb
+++ b/lib/github/ldap/filter.rb
@ -18,16 +18,21 @@ module GitHub
        group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
      end

-      # Filter to check a group membership.
+      # Filter to check group membership.
      #
-      # user_dn: is an optional user_dn to scope the search to.
+      # entry:    finds groups this Net::LDAP::Entry is a member of (optional)
+      # uid_attr: specifies the memberUid attribute to match with   (optional)
      #
      # Returns a Net::LDAP::Filter.
-      def member_filter(user_dn = nil)
-        if user_dn
-          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.eq(n, user_dn)}.reduce(:|)
+      def member_filter(entry = nil, uid_attr = @ldap.uid)
+        if entry
+          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.
+                           reduce(:|) |
+          entry[uid_attr]. map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
+                           reduce(:|)
        else
-          MEMBERSHIP_NAMES.map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
+          (MEMBERSHIP_NAMES + %w(memberUid)).
+            map {|n| Net::LDAP::Filter.pres(n)}.reduce(:|)
        end
      end

--- a/test/domain_test.rb
+++ b/test/domain_test.rb
@ -159,3 +159,63 @@ class GitHubLdapDomainNestedGroupsTest < GitHub::Ldap::Test
      "Expected `enterprise-ops` to include the member `#{user.dn}`"
  end
 end
+
+class GitHubLdapPosixGroupsWithRecursionFallbackTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {
+      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
+      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
+      # so we exercise the recursive group search fallback
+      recursive_group_search_fallback: true
+    }
+  end
+
+  def setup
+    @ldap = GitHub::Ldap.new(options)
+    @domain = @ldap.domain("dc=github,dc=com")
+
+    @group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd""")
+  end
+
+  def test_membership_for_posixGroups
+    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+
+    assert @domain.is_member?(user, @group.cn),
+      "Expected `#{@group.cn.first}` to include the member `#{user.dn}`"
+  end
+end
+
+class GitHubLdapPosixGroupsTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {
+      custom_schemas: FIXTURES.join('posixGroup.schema.ldif'),
+      user_fixtures: FIXTURES.join('github-with-posixGroups.ldif').to_s,
+      # so we test the test the non-recursive group membership search
+      recursive_group_search_fallback: false
+    }
+  end
+
+  def setup
+    @ldap = GitHub::Ldap.new(options)
+    @domain = @ldap.domain("dc=github,dc=com")
+
+    @group = Net::LDAP::Entry._load("""
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd""")
+  end
+
+  def test_membership_for_posixGroups
+    assert user = @ldap.domain('uid=mtodd,ou=users,dc=github,dc=com').bind
+
+    assert @domain.is_member?(user, @group.cn),
+      "Expected `#{@group.cn.first}` to include the member `#{user.dn}`"
+  end
+end
--- a/test/filter_test.rb
+++ b/test/filter_test.rb
@ -1,19 +1,35 @@
 require_relative 'test_helper'

 class FilterTest < Minitest::Test
-  class Subject; include GitHub::Ldap::Filter; end
+  class Subject
+    include GitHub::Ldap::Filter
+    def initialize(ldap)
+      @ldap = ldap
+    end
+  end
+
+  # Fake a Net::LDAP::Entry
+  class Entry < Struct.new(:dn, :uid)
+    def [](field)
+      Array(send(field))
+    end
+  end

  def setup
-    @subject = Subject.new
-    @me = 'uid=calavera,dc=github,dc=com'
+    @ldap    = GitHub::Ldap.new(:uid => 'uid')
+    @subject = Subject.new(@ldap)
+    @me      = 'uid=calavera,dc=github,dc=com'
+    @uid     = "calavera"
+    @entry   = Entry.new(@me, @uid)
  end

  def test_member_present
-    assert_equal "(|(member=*)(uniqueMember=*))", @subject.member_filter.to_s
+    assert_equal "(|(|(member=*)(uniqueMember=*))(memberUid=*))", @subject.member_filter.to_s
  end

  def test_member_equal
-    assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))", @subject.member_filter(@me).to_s
+    assert_equal "(|(|(member=#{@me})(uniqueMember=#{@me}))(memberUid=#{@uid}))",
+                 @subject.member_filter(@entry).to_s
  end

  def test_groups_reduced
--- a/test/fixtures/github-with-posixGroups.ldif
+++ b/test/fixtures/github-with-posixGroups.ldif
@ -0,0 +1,50 @@
+version: 1
+
+# Admin user
+
+dn: uid=admin,dc=github,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: system administrator
+sn: administrator
+displayName: Directory Superuser
+uid: admin
+userPassword: secret
+
+# Groups
+
+dn: ou=groups,dc=github,dc=com
+objectclass: organizationalUnit
+ou: groups
+
+# Posix Groups
+
+dn: cn=enterprise-posix-devs,ou=groups,dc=github,dc=com
+cn: enterprise-posix-devs
+objectClass: posixGroup
+memberUid: benburkert
+memberUid: mtodd
+
+# Users
+
+dn: ou=users,dc=github,dc=com
+objectclass: organizationalUnit
+ou: users
+
+dn: uid=benburkert,ou=users,dc=github,dc=com
+cn: benburkert
+sn: benburkert
+uid: benburkert
+userPassword: passworD1
+mail: benburkert@github.com
+objectClass: inetOrgPerson
+
+dn: uid=mtodd,ou=users,dc=github,dc=com
+cn: mtodd
+sn: mtodd
+uid: mtodd
+userPassword: passworD1
+mail: mtodd@github.com
+objectClass: inetOrgPerson
--- a/test/fixtures/posixGroup.schema.ldif
+++ b/test/fixtures/posixGroup.schema.ldif
@ -0,0 +1,26 @@
+version: 1
+
+dn: m-oid=1.3.6.1.4.1.18055.0.4.1.2.1001,ou=attributeTypes,cn=other,ou=schema
+objectClass: metaAttributeType
+objectClass: metaTop
+objectClass: top
+m-collective: FALSE
+m-description: memberUid
+m-equality: caseExactMatch
+m-name: memberUid
+m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
+m-usage: USER_APPLICATIONS
+m-oid: 1.3.6.1.4.1.18055.0.4.1.2.1001
+
+dn: m-oid=1.3.6.1.4.1.18055.0.4.1.3.1001,ou=objectClasses,cn=other,ou=schema
+objectClass: metaObjectClass
+objectClass: metaTop
+objectClass: top
+m-description: posixGroup
+m-may: cn
+m-may: sn
+m-may: memberUid
+m-supobjectclass: top
+m-name: posixGroup
+m-oid: 1.3.6.1.4.1.18055.0.4.1.3.1001
+m-typeobjectclass: STRUCTURAL