Merge pull request github#3 from github/decouple_user_domain

David Calavera · David Calavera · commit 871b5302e9cc · 2013-07-08T17:00:54.000-07:00
Decouple user domain
diff --git a/README.md b/README.md
@@ -20,6 +20,8 @@ Or install it yourself as:
 
 ## Usage
 
+### Initialization
+
 GitHub-Ldap let you use an external ldap server to authenticate your users with.
 
 There are a few configuration options required to use this adapter:
@@ -29,7 +31,6 @@ There are a few configuration options required to use this adapter:
 * admin_user: is the the ldap administrator user. Required to perform search operation.
 * admin_password: is the password for the administrator user. Simple authentication is required on the server.
 * encryptation: is the encryptation protocol, disabled by default. The valid options are `ssl` and `tls`.
-* user_domain: is the default ldap domain base.
 * uid: is the field name in the ldap server used to authenticate your users, in ActiveDirectory this is `sAMAccountName`.
 
 Initialize a new adapter using those required options:
@@ -38,7 +39,28 @@ Initialize a new adapter using those required options:
   ldap = GitHub::Ldap.new options
 ```
 
-## Testing
+### Quering
+
+Searches are performed against an individual domain base, so the first step is to get a new `GitHub::Ldap::Domain` object for the connection:
+
+```ruby
+  ldap = GitHub::Ldap.new options
+  domain = ldap.domain("dc=github,dc=com")
+```
+
+When we have the domain, we can check if a user can log in with a given password:
+
+```ruby
+  domain.valid_login? 'calavera', 'secret'
+```
+
+Or whether a user is member of the given groups:
+
+```ruby
+  domain.is_member? 'uid=calavera,dc=github,dc=com', %w(Enterprise)
+```
+
+### Testing support
 
 GitHub-Ldap uses [ladle](https://github.com/NUBIC/ladle) for testing. Ladle is not required by default, so you'll need to add it to your gemfile separatedly and require it.
 
diff --git a/lib/github/ldap.rb b/lib/github/ldap.rb
@@ -1,112 +1,23 @@
 module GitHub
   class Ldap
     require 'net/ldap'
+    require 'github/ldap/domain'
 
     def initialize(options = {})
-      @user_domain = options[:user_domain]
-      @uid         = options[:uid] || "sAMAccountName"
+      @uid = options[:uid] || "sAMAccountName"
 
-      @ldap = Net::LDAP.new({
+      @connection = Net::LDAP.new({
         host: options[:host],
         port: options[:port]
       })
 
-      @ldap.authenticate(options[:admin_user], options[:admin_password])
+      @connection.authenticate(options[:admin_user], options[:admin_password])
 
       if encryption = check_encryption(options[:encryptation])
-        @ldap.encryption(encryption)
+        @connection.encryption(encryption)
       end
     end
 
-    # Generate a filter to get the configured groups in the ldap server.
-    # Takes the list of the group names and generate a filter for the groups
-    # with cn that match and also include members:
-    #
-    # group_names: is an array of group CNs.
-    #
-    # Returns the ldap filter.
-    def group_filter(group_names)
-      or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
-      Net::LDAP::Filter.pres("member") & or_filters
-    end
-
-    # List the groups in the ldap server that match the configured ones.
-    #
-    # group_names: is an array of group CNs.
-    #
-    # Returns a list of ldap entries for the configured groups.
-    def groups(group_names)
-      filter = group_filter(group_names)
-
-      @ldap.search(base: @user_domain,
-                  attributes: %w{ou cn dn sAMAccountName member},
-                  filter: filter)
-    end
-
-    # List the groups that a user is member of.
-    #
-    # user_dn: is the dn for the user ldap entry.
-    # group_names: is an array of group CNs.
-    #
-    # Return an Array with the groups that the given user is member of that belong to the given group list.
-    def membership(user_dn, group_names)
-      or_filters    = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
-      member_filter = Net::LDAP::Filter.eq("member", user_dn) & or_filters
-
-      @ldap.search(base: @user_domain,
-         attributes: %w{ou cn dn sAMAccountName member},
-         filter: member_filter)
-    end
-
-
-    # Check if the user is include in any of the configured groups.
-    #
-    # user_dn: is the dn for the user ldap entry.
-    # group_names: is an array of group CNs.
-    #
-    # Returns true if the user belongs to any of the groups.
-    # Returns false otherwise.
-    def is_member?(user_dn, group_names)
-      return true if group_names.nil?
-      return true if group_names.empty?
-
-      user_membership = membership(user_dn, group_names)
-
-      !user_membership.empty?
-    end
-
-    # Check if the user credentials are valid.
-    #
-    # login: is the user's login.
-    # password: is the user's password.
-    #
-    # Returns a Ldap::Entry if the credentials are valid.
-    # Returns nil if the credentials are invalid.
-    def valid_login?(login, password)
-      result = @ldap.bind_as(
-        base:     @user_domain,
-        limit:    1,
-        filter:   Net::LDAP::Filter.eq(@uid, login),
-        password: password)
-
-      return result.first if result.is_a?(Array)
-    end
-
-    # Authenticate a user with the ldap server.
-    #
-    # login: is the user's login. This method doesn't accept email identifications.
-    # password: is the user's password.
-    # group_names: is an array of group CNs.
-    #
-    # Returns the user info if the credentials are valid and there are no groups configured.
-    # Returns the user info if the credentials are valid and the user belongs to a configured group.
-    # Returns nil if the credentials are invalid
-    def authenticate!(login, password, group_names = nil)
-      user = valid_login?(login, password)
-
-      return user if user && is_member?(user.dn, group_names)
-    end
-
     # Check the legacy auth configuration options (before David's war with omniauth)
     # to determine whether to use encryptation or not.
     #
@@ -131,7 +42,16 @@ def check_encryption(encryption)
     # Return false if the authentication settings are not valid.
     # Raises an Net::LDAP::LdapError if the connection fails.
     def test_connection
-      @ldap.bind
+      @connection.bind
+    end
+
+    # Creates a new domain object to perform operations
+    #
+    # base_name: is the dn of the base root.
+    #
+    # Returns a new Domain object.
+    def domain(base_name)
+      Domain.new(base_name, @connection, @uid)
     end
   end
 end
diff --git a/lib/github/ldap/domain.rb b/lib/github/ldap/domain.rb
@@ -0,0 +1,108 @@
+module GitHub
+  class Ldap
+    # A domain represents the base object for an ldap tree.
+    # It encapsulates the operations that you can perform against a tree, authenticating users, for instance.
+    #
+    # This makes possible to reuse a server connection to perform operations with two different domain bases.
+    #
+    # To get a domain, you'll need to create a `Ldap` object and then call the method `domain` with the name of the base.
+    #
+    # For example:
+    #
+    # domain = GitHub::Ldap.new(options).domain("dc=github,dc=com")
+    #
+    class Domain
+      def initialize(base_name, connection, uid)
+        @base_name, @connection, @uid = base_name, connection, uid
+      end
+
+      # Generate a filter to get the configured groups in the ldap server.
+      # Takes the list of the group names and generate a filter for the groups
+      # with cn that match and also include members:
+      #
+      # group_names: is an array of group CNs.
+      #
+      # Returns the ldap filter.
+      def group_filter(group_names)
+        or_filters = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+        Net::LDAP::Filter.pres("member") & or_filters
+      end
+
+      # List the groups in the ldap server that match the configured ones.
+      #
+      # group_names: is an array of group CNs.
+      #
+      # Returns a list of ldap entries for the configured groups.
+      def groups(group_names)
+        filter = group_filter(group_names)
+
+        @connection.search(base: @base_name,
+          attributes: %w{ou cn dn sAMAccountName member},
+          filter: filter)
+      end
+
+      # List the groups that a user is member of.
+      #
+      # user_dn: is the dn for the user ldap entry.
+      # group_names: is an array of group CNs.
+      #
+      # Return an Array with the groups that the given user is member of that belong to the given group list.
+      def membership(user_dn, group_names)
+        or_filters    = group_names.map {|g| Net::LDAP::Filter.eq("cn", g)}.reduce(:|)
+        member_filter = Net::LDAP::Filter.eq("member", user_dn) & or_filters
+
+        @connection.search(base: @base_name,
+          attributes: %w{ou cn dn sAMAccountName member},
+          filter: member_filter)
+      end
+
+      # Check if the user is include in any of the configured groups.
+      #
+      # user_dn: is the dn for the user ldap entry.
+      # group_names: is an array of group CNs.
+      #
+      # Returns true if the user belongs to any of the groups.
+      # Returns false otherwise.
+      def is_member?(user_dn, group_names)
+        return true if group_names.nil?
+        return true if group_names.empty?
+
+        user_membership = membership(user_dn, group_names)
+
+        !user_membership.empty?
+      end
+
+      # Check if the user credentials are valid.
+      #
+      # login: is the user's login.
+      # password: is the user's password.
+      #
+      # Returns a Ldap::Entry if the credentials are valid.
+      # Returns nil if the credentials are invalid.
+      def valid_login?(login, password)
+        result = @connection.bind_as(
+          base:     @base_name,
+          limit:    1,
+          filter:   Net::LDAP::Filter.eq(@uid, login),
+          password: password)
+
+        return result.first if result.is_a?(Array)
+      end
+
+      # Authenticate a user with the ldap server.
+      #
+      # login: is the user's login. This method doesn't accept email identifications.
+      # password: is the user's password.
+      # group_names: is an array of group CNs.
+      #
+      # Returns the user info if the credentials are valid and there are no groups configured.
+      # Returns the user info if the credentials are valid and the user belongs to a configured group.
+      # Returns nil if the credentials are invalid
+      def authenticate!(login, password, group_names = nil)
+        user = valid_login?(login, password)
+
+        return user if user && is_member?(user.dn, group_names)
+      end
+    end
+  end
+end
diff --git a/test/domain_test.rb b/test/domain_test.rb
@@ -0,0 +1,91 @@
+require 'test_helper'
+
+class GitHubLdapDomainTest < Minitest::Test
+  def setup
+    GitHub::Ldap.start_server
+
+    @options = GitHub::Ldap.server_options.merge \
+      host: 'localhost',
+      uid:  'uid'
+
+    @domain = GitHub::Ldap.new(@options).domain("dc=github,dc=com")
+  end
+
+  def teardown
+    GitHub::Ldap.stop_server
+  end
+
+  def test_user_valid_login
+    user = @domain.valid_login?('calavera', 'secret')
+    assert_equal 'uid=calavera,dc=github,dc=com', user.dn
+  end
+
+  def test_user_with_invalid_password
+    assert !@domain.valid_login?('calavera', 'foo'),
+      "Login `calavera` expected to be invalid with password `foo`"
+  end
+
+  def test_user_with_invalid_login
+    assert !@domain.valid_login?('bar', 'foo'),
+      "Login `bar` expected to be invalid with password `foo`"
+  end
+
+  def test_groups_in_server
+    assert_equal 2, @domain.groups(%w(Enterprise People)).size
+  end
+
+  def test_user_in_group
+    user = @domain.valid_login?('calavera', 'secret')
+
+    assert @domain.is_member?(user.dn, %w(Enterprise People)),
+      "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
+  end
+
+  def test_user_not_in_different_group
+    user = @domain.valid_login?('calavera', 'secret')
+
+    assert !@domain.is_member?(user.dn, %w(People)),
+      "Expected `Poeple` not to include the member `#{user.dn}`"
+  end
+
+  def test_user_without_group
+    user = @domain.valid_login?('ldaptest', 'secret')
+
+    assert !@domain.is_member?(user.dn, %w(People)),
+      "Expected `Poeple` not to include the member `#{user.dn}`"
+  end
+
+  def test_authenticate_doesnt_return_invalid_users
+    user = @domain.authenticate!('calavera', 'secret')
+    assert_equal 'uid=calavera,dc=github,dc=com', user.dn
+  end
+
+  def test_authenticate_doesnt_return_invalid_users
+    assert !@domain.authenticate!('calavera', 'foo'),
+      "Expected `authenticate!` to not return an invalid user"
+  end
+
+  def test_authenticate_check_valid_user_and_groups
+    user = @domain.authenticate!('calavera', 'secret', %w(Enterprise People))
+
+    assert_equal 'uid=calavera,dc=github,dc=com', user.dn
+  end
+
+  def test_authenticate_doesnt_return_valid_users_in_different_groups
+    assert !@domain.authenticate!('calavera', 'secret', %w(People)),
+      "Expected `authenticate!` to not return an user"
+  end
+
+  def test_membership_empty_for_non_members
+    assert @domain.membership('uid=calavera,dc=github,dc=com', %w(People)).empty?,
+      "Expected `calavera` not to be a member of `People`."
+  end
+
+  def test_membership_groups_for_members
+    groups = @domain.membership('uid=calavera,dc=github,dc=com', %w(Enterprise People))
+
+    assert_equal 1, groups.size
+    assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+  end
+end
+
diff --git a/test/ldap_test.rb b/test/ldap_test.rb
