Add WIP recursive member search strategy

mtodd · mtodd · commit 0dd969d6386b · 2014-11-24T18:29:40.000-08:00
diff --git a/lib/github/ldap.rb b/lib/github/ldap.rb
@@ -9,6 +9,7 @@ class Ldap
     require 'github/ldap/virtual_group'
     require 'github/ldap/virtual_attributes'
     require 'github/ldap/instrumentation'
+    require 'github/ldap/members'
     require 'github/ldap/membership_validators'
 
     include Instrumentation
diff --git a/lib/github/ldap/members.rb b/lib/github/ldap/members.rb
@@ -0,0 +1,20 @@
+require 'github/ldap/members/recursive'
+
+module GitHub
+  class Ldap
+    # Provides various strategies for member lookup.
+    #
+    # For example:
+    #
+    #   group = domain.groups(%w(Engineering)).first
+    #   strategy = GitHub::Ldap::Members::Recursive.new(ldap)
+    #   strategy.perform(group) #=> [#<Net::LDAP::Entry>]
+    #
+    module Members
+      # Internal: Mapping of strategy name to class.
+      STRATEGIES = {
+        :recursive => GitHub::Ldap::Members::Recursive
+      }
+    end
+  end
+end
diff --git a/lib/github/ldap/members/recursive.rb b/lib/github/ldap/members/recursive.rb
@@ -0,0 +1,94 @@
+module GitHub
+  class Ldap
+    module Members
+      # Look up group members recursively.
+      #
+      # In this case, we're returning User Net::LDAP::Entry objects, not entries
+      # for LDAP Groups.
+      #
+      # This results in a maximum of `depth` queries (per domain) to look up
+      # members of a group and its subgroups.
+      class Recursive
+        include Filter
+
+        DEFAULT_MAX_DEPTH = 9
+        ATTRS             = %w(dn cn)
+
+        # Internal: The GitHub::Ldap object to search domains with.
+        attr_reader :ldap
+
+        # Public: Instantiate new search strategy.
+        #
+        # - ldap:    GitHub::Ldap object
+        # - options: Hash of options
+        def initialize(ldap, options = {})
+          @ldap    = ldap
+          @options = options
+        end
+
+        # Internal: Domains to search through.
+        #
+        # Returns an Array of GitHub::Ldap::Domain objects.
+        def domains
+          @domains ||= ldap.search_domains.map { |base| ldap.domain(base) }
+        end
+        private :domains
+
+        # Public: Performs search for group members, including members of
+        # subgroups recursively.
+        #
+        # Returns Array of Net::LDAP::Entry objects.
+        def perform(group, depth = DEFAULT_MAX_DEPTH)
+          members = Hash.new
+
+          member_dns = group["member"]
+
+          domains.each do |domain|
+            # find members
+            entries = domain.search(filter: membership_filter(member_dns), attributes: ATTRS)
+
+            next if entries.empty?
+
+            return entries
+          end
+
+          []
+        end
+
+        # Internal: Construct a filter to find groups this entry is a direct
+        # member of.
+        #
+        # Overloads the included `GitHub::Ldap::Filters#member_filter` method
+        # to inject `posixGroup` handling.
+        #
+        # Returns a Net::LDAP::Filter object.
+        def member_filter(entry_or_uid, uid = ldap.uid)
+          filter = super(entry_or_uid)
+
+          if ldap.posix_support_enabled?
+            if posix_filter = posix_member_filter(entry_or_uid, uid)
+              filter |= posix_filter
+            end
+          end
+
+          filter
+        end
+
+        # Internal: Construct a filter to find groups whose members are the
+        # Array of String group DNs passed in.
+        #
+        # Returns a String filter.
+        def membership_filter(groups)
+          groups.map { |entry| member_filter(entry, :cn) }.reduce(:|)
+        end
+
+        # Internal: the group DNs to check against.
+        #
+        # Returns an Array of String DNs.
+        def group_dns
+          @group_dns ||= groups.map(&:dn)
+        end
+      end
+    end
+  end
+end
diff --git a/test/members/recursive_test.rb b/test/members/recursive_test.rb
@@ -0,0 +1,24 @@
+require_relative '../test_helper'
+
+class GitHubLdapRecursiveMembersTest < GitHub::Ldap::Test
+  def setup
+    @ldap     = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com)))
+    @domain   = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1')
+    @strategy = GitHub::Ldap::Members::Recursive.new(@ldap)
+  end
+
+  def find_group(cn)
+    @domain.groups([cn]).first
+  end
+
+  def test_finds_group_members
+    members = @strategy.perform(find_group("nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+
+  def test_finds_nested_group_members
+    members = @strategy.perform(find_group("n-depth-nested-group1")).map(&:dn)
+    assert_includes members, @entry.dn
+  end
+end
