Merge pull request #45 from github/membership-validators

mtodd · mtodd · commit 7ae8fec00809 · 2014-09-26T17:14:33.000-07:00
Membership Validators
diff --git a/lib/github/ldap.rb b/lib/github/ldap.rb
@@ -9,6 +9,7 @@ class Ldap
     require 'github/ldap/virtual_group'
     require 'github/ldap/virtual_attributes'
     require 'github/ldap/instrumentation'
+    require 'github/ldap/membership_validators'
 
     include Instrumentation
 
diff --git a/lib/github/ldap/filter.rb b/lib/github/ldap/filter.rb
@@ -20,16 +20,18 @@ def group_filter(group_names)
 
       # Filter to check group membership.
       #
-      # entry: finds groups this Net::LDAP::Entry is a member of (optional)
+      # entry: finds groups this entry is a member of (optional)
+      #        Expects a Net::LDAP::Entry or String DN.
       #
       # Returns a Net::LDAP::Filter.
       def member_filter(entry = nil)
         if entry
+          entry = entry.dn if entry.respond_to?(:dn)
           MEMBERSHIP_NAMES.
-            map {|n| Net::LDAP::Filter.eq(n, entry.dn) }.reduce(:|)
+            map {|n| Net::LDAP::Filter.eq(n, entry) }.reduce(:|)
         else
           MEMBERSHIP_NAMES.
-            map {|n| Net::LDAP::Filter.pres(n) }.        reduce(:|)
+            map {|n| Net::LDAP::Filter.pres(n) }.     reduce(:|)
         end
       end
 
@@ -41,10 +43,16 @@ def member_filter(entry = nil)
       # uid_attr: specifies the memberUid attribute to match with
       #
       # Returns a Net::LDAP::Filter or nil if no entry has no UID set.
-      def posix_member_filter(entry, uid_attr)
-        if !entry[uid_attr].empty?
-          entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
-                          reduce(:|)
+      def posix_member_filter(entry_or_uid, uid_attr = nil)
+        case entry_or_uid
+        when Net::LDAP::Entry
+          entry = entry_or_uid
+          if !entry[uid_attr].empty?
+            entry[uid_attr].map { |uid| Net::LDAP::Filter.eq("memberUid", uid) }.
+                            reduce(:|)
+          end
+        when String
+          Net::LDAP::Filter.eq("memberUid", entry_or_uid)
         end
       end
 
diff --git a/lib/github/ldap/membership_validators.rb b/lib/github/ldap/membership_validators.rb
@@ -0,0 +1,17 @@
+module GitHub
+  class Ldap
+    # Provides various strategies for validating membership.
+    #
+    # For example:
+    #
+    #   groups = domain.groups(%w(Engineering))
+    #   validator = GitHub::Ldap::MembershipValidators::Classic.new(ldap, groups)
+    #   validator.perform(entry) #=> true
+    #
+    module MembershipValidators
+      autoload :Base,      'github/ldap/membership_validators/base'
+      autoload :Classic,   'github/ldap/membership_validators/classic'
+      autoload :Recursive, 'github/ldap/membership_validators/recursive'
+    end
+  end
+end
diff --git a/lib/github/ldap/membership_validators/base.rb b/lib/github/ldap/membership_validators/base.rb
@@ -0,0 +1,37 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      class Base
+
+        # Internal: The GitHub::Ldap object to search domains with.
+        attr_reader :ldap
+
+        # Internal: an Array of Net::LDAP::Entry group objects to validate with.
+        attr_reader :groups
+
+        # Public: Instantiate new validator.
+        #
+        # - ldap:   GitHub::Ldap object
+        # - groups: Array of Net::LDAP::Entry group objects
+        def initialize(ldap, groups)
+          @ldap   = ldap
+          @groups = groups
+        end
+
+        # Abstract: Performs the membership validation check.
+        #
+        # Returns Boolean whether the entry's membership is validated or not.
+        # def perform(entry)
+        # end
+
+        # Internal: Domains to search through.
+        #
+        # Returns an Array of GitHub::Ldap::Domain objects.
+        def domains
+          @domains ||= ldap.search_domains.map { |base| ldap.domain(base) }
+        end
+        private :domains
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/membership_validators/classic.rb b/lib/github/ldap/membership_validators/classic.rb
@@ -0,0 +1,33 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      # Validates membership using `GitHub::Ldap::Domain#membership`.
+      #
+      # This is a simple wrapper for existing functionality in order to expose
+      # it consistently with the new approach.
+      class Classic < Base
+        def perform(entry)
+          return true if groups.empty?
+
+          domains.each do |domain|
+            membership = domain.membership(entry, group_names)
+
+            if !membership.empty?
+              entry[:groups] = membership
+              return true
+            end
+          end
+
+          false
+        end
+
+        # Internal: the group names to look up membership for.
+        #
+        # Returns an Array of String group names (CNs).
+        def group_names
+          @group_names ||= groups.map { |g| g[:cn].first }
+        end
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/membership_validators/recursive.rb b/lib/github/ldap/membership_validators/recursive.rb
@@ -0,0 +1,90 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      # Validates membership recursively.
+      #
+      # The first step checks whether the entry is a direct member of the given
+      # groups. If they are, then we've validated membership successfully.
+      #
+      # If not, query for all of the groups that have our groups as members,
+      # then we check if the entry is a member of any of those.
+      #
+      # This is repeated until the entry is found, recursing and requesting
+      # groups in bulk each iteration until we hit the maximum depth allowed
+      # and have to give up.
+      #
+      # This results in a maximum of `depth` queries (per domain) to validate
+      # membership in a list of groups.
+      class Recursive < Base
+        include Filter
+
+        DEFAULT_MAX_DEPTH = 9
+        ATTRS             = %w(dn cn)
+
+        def perform(entry, depth = DEFAULT_MAX_DEPTH)
+          domains.each do |domain|
+            # find groups entry is an immediate member of
+            membership = domain.search(filter: member_filter(entry), attributes: ATTRS)
+
+            # success if any of these groups match the restricted auth groups
+            return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+            # give up if the entry has no memberships to recurse
+            next if membership.empty?
+
+            # recurse to at most `depth`
+            depth.times do |n|
+              # find groups whose members include membership groups
+              membership = domain.search(filter: membership_filter(membership), attributes: ATTRS)
+
+              # success if any of these groups match the restricted auth groups
+              return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+              # give up if there are no more membersips to recurse
+              break if membership.empty?
+            end
+
+            # give up on this base if there are no memberships to test
+            next if membership.empty?
+          end
+
+          false
+        end
+
+        # Internal: Construct a filter to find groups this entry is a direct
+        # member of.
+        #
+        # Overloads the included `GitHub::Ldap::Filters#member_filter` method
+        # to inject `posixGroup` handling.
+        #
+        # Returns a Net::LDAP::Filter object.
+        def member_filter(entry_or_uid, uid = ldap.uid)
+          filter = super(entry_or_uid)
+
+          if ldap.posix_support_enabled?
+            if posix_filter = posix_member_filter(entry_or_uid, uid)
+              filter |= posix_filter
+            end
+          end
+
+          filter
+        end
+
+        # Internal: Construct a filter to find groups whose members are the
+        # Array of String group DNs passed in.
+        #
+        # Returns a String filter.
+        def membership_filter(groups)
+          groups.map { |entry| member_filter(entry, :cn) }.reduce(:|)
+        end
+
+        # Internal: the group DNs to check against.
+        #
+        # Returns an Array of String DNs.
+        def group_dns
+          @group_dns ||= groups.map(&:dn)
+        end
+      end
+    end
+  end
+end
diff --git a/test/filter_test.rb b/test/filter_test.rb
@@ -20,7 +20,8 @@ def setup
     @subject = Subject.new(@ldap)
     @me      = 'uid=calavera,dc=github,dc=com'
     @uid     = "calavera"
-    @entry   = Entry.new(@me, @uid)
+    @entry   = Net::LDAP::Entry.new(@me)
+    @entry[:uid] = @uid
   end
 
   def test_member_present
@@ -32,6 +33,11 @@ def test_member_equal
                  @subject.member_filter(@entry).to_s
   end
 
+  def test_member_equal_with_string
+    assert_equal "(|(member=#{@me})(uniqueMember=#{@me}))",
+                 @subject.member_filter(@entry.dn).to_s
+  end
+
   def test_posix_member_without_uid
     @entry.uid = nil
     assert_nil @subject.posix_member_filter(@entry, @ldap.uid)
@@ -42,6 +48,11 @@ def test_posix_member_equal
                  @subject.posix_member_filter(@entry, @ldap.uid).to_s
   end
 
+  def test_posix_member_equal_string
+    assert_equal "(memberUid=#{@uid})",
+                 @subject.posix_member_filter(@uid).to_s
+  end
+
   def test_groups_reduced
     assert_equal "(|(cn=Enterprise)(cn=People))",
       @subject.group_filter(%w(Enterprise People)).to_s
diff --git a/test/fixtures/github-with-posixGroups.ldif b/test/fixtures/github-with-posixGroups.ldif
@@ -27,6 +27,29 @@ objectClass: posixGroup
 memberUid: benburkert
 memberUid: mtodd
 
+dn: cn=group1,ou=groups,dc=github,dc=com
+cn: group1
+objectClass: posixGroup
+memberUid: group1.1
+memberUid: user1
+
+dn: cn=group1.1,ou=groups,dc=github,dc=com
+cn: group1.1
+objectClass: posixGroup
+memberUid: group1.1.1
+memberUid: user1.1
+
+dn: cn=group1.1.1,ou=groups,dc=github,dc=com
+cn: group1.1.1
+objectClass: posixGroup
+memberUid: group1.1.1.1
+memberUid: user1.1.1
+
+dn: cn=group1.1.1.1,ou=groups,dc=github,dc=com
+cn: group1.1.1.1
+objectClass: posixGroup
+memberUid: user1.1.1.1
+
 # Users
 
 dn: ou=users,dc=github,dc=com
@@ -48,3 +71,35 @@ uid: mtodd
 userPassword: passworD1
 mail: mtodd@github.com
 objectClass: inetOrgPerson
+
+dn: uid=user1,ou=users,dc=github,dc=com
+cn: user1
+sn: user1
+uid: user1
+userPassword: passworD1
+mail: user1@github.com
+objectClass: inetOrgPerson
+
+dn: uid=user1.1,ou=users,dc=github,dc=com
+cn: user1.1
+sn: user1.1
+uid: user1.1
+userPassword: passworD1
+mail: user1.1@github.com
+objectClass: inetOrgPerson
+
+dn: uid=user1.1.1,ou=users,dc=github,dc=com
+cn: user1.1.1
+sn: user1.1.1
+uid: user1.1.1
+userPassword: passworD1
+mail: user1.1.1@github.com
+objectClass: inetOrgPerson
+
+dn: uid=user1.1.1.1,ou=users,dc=github,dc=com
+cn: user1.1.1.1
+sn: user1.1.1.1
+uid: user1.1.1.1
+userPassword: passworD1
+mail: user1.1.1.1@github.com
+objectClass: inetOrgPerson
diff --git a/test/fixtures/github-with-subgroups.ldif b/test/fixtures/github-with-subgroups.ldif
@@ -50,19 +50,19 @@ member: uid=user1,ou=users,dc=github,dc=com
 member: cn=group1.1,ou=groups,dc=github,dc=com
 
 dn: cn=group1.1,ou=groups,dc=github,dc=com
-cn: group1
+cn: group1.1
 objectClass: groupOfNames
 member: uid=user1.1,ou=users,dc=github,dc=com
 member: cn=group1.1.1,ou=groups,dc=github,dc=com
 
 dn: cn=group1.1.1,ou=groups,dc=github,dc=com
-cn: group1
+cn: group1.1.1
 objectClass: groupOfNames
 member: uid=user1.1.1,ou=users,dc=github,dc=com
 member: cn=group1.1.1.1,ou=groups,dc=github,dc=com
 
 dn: cn=group1.1.1.1,ou=groups,dc=github,dc=com
-cn: group1
+cn: group1.1.1.1
 objectClass: groupOfNames
 member: uid=user1.1.1.1,ou=users,dc=github,dc=com
 
diff --git a/test/membership_validators/classic_test.rb b/test/membership_validators/classic_test.rb
diff --git a/test/membership_validators/recursive_test.rb b/test/membership_validators/recursive_test.rb
diff --git a/test/membership_validators_test.rb b/test/membership_validators_test.rb
