Add first pass at VirtualAttributes membership validator

mtodd · mtodd · commit fc1282438af0 · 2014-10-16T16:35:04.000-07:00
diff --git a/lib/github/ldap/membership_validators.rb b/lib/github/ldap/membership_validators.rb
@@ -1,6 +1,7 @@
 require 'github/ldap/membership_validators/base'
 require 'github/ldap/membership_validators/classic'
 require 'github/ldap/membership_validators/recursive'
+require 'github/ldap/membership_validators/virtual_attributes'
 
 module GitHub
   class Ldap
diff --git a/lib/github/ldap/membership_validators/virtual_attributes.rb b/lib/github/ldap/membership_validators/virtual_attributes.rb
@@ -0,0 +1,76 @@
+module GitHub
+  class Ldap
+    module MembershipValidators
+      # Validates membership recursively using virtual attributes.
+      class VirtualAttributes < Base
+        include Filter
+
+        DEFAULT_MAX_DEPTH = 9
+        ATTRS             = %w(dn cn memberOf)
+
+        def perform(entry, depth = DEFAULT_MAX_DEPTH)
+          return true if groups.empty?
+
+          domains.each do |domain|
+            # get groups entry is an immediate member of
+            membership = entry[member_of_attr]
+
+            # success if any of these groups match the restricted auth groups
+            return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+            # give up if the entry has no memberships to recurse
+            next if membership.empty?
+
+            # recurse to at most `depth`
+            depth.times do |n|
+              # find groups whose members include membership groups
+              membership = domain.search(filter: membership_filter(membership), attributes: ATTRS)
+
+              # success if any of these groups match the restricted auth groups
+              return true if membership.any? { |entry| group_dns.include?(entry.dn) }
+
+              # give up if there are no more membersips to recurse
+              break if membership.empty?
+            end
+
+            # give up on this base if there are no memberships to test
+            next if membership.empty?
+          end
+
+          false
+        end
+
+        # Internal: Returns the String memberOf virtual attribute name.
+        def member_of_attr
+          @member_of_attr ||= ldap.virtual_attributes.virtual_membership
+        end
+
+        # Internal: Construct a filter to find groups this entry is a direct
+        # member of.
+        #
+        # Overloads the included `GitHub::Ldap::Filters#member_filter` method
+        # to inject `posixGroup` handling.
+        #
+        # Returns a Net::LDAP::Filter object.
+        def member_filter(entry)
+          Net::LDAP::Filter.eq(member_of_attr, entry.dn)
+        end
+
+        # Internal: Construct a filter to find groups whose members are the
+        # Array of String group DNs passed in.
+        #
+        # Returns a String filter.
+        def membership_filter(groups)
+          groups.map { |entry| member_filter(entry) }.reduce(:|)
+        end
+
+        # Internal: the group DNs to check against.
+        #
+        # Returns an Array of String DNs.
+        def group_dns
+          @group_dns ||= groups.map(&:dn)
+        end
+      end
+    end
+  end
+end
diff --git a/test/membership_validators/virtual_attributes_test.rb b/test/membership_validators/virtual_attributes_test.rb
@@ -0,0 +1,59 @@
+require_relative '../test_helper'
+
+class GitHubLdapVirtualAttributesMembershipValidatorsTest < GitHub::Ldap::Test
+  def setup
+    opts = options.merge \
+      search_domains: %w(dc=github,dc=com),
+      virtual_attributes: true
+    @ldap      = GitHub::Ldap.new(opts)
+    @domain    = @ldap.domain("dc=github,dc=com")
+    @entry     = @domain.user?('user1', :attributes => %w(dn cn memberOf))
+    @validator = GitHub::Ldap::MembershipValidators::VirtualAttributes
+  end
+
+  def make_validator(groups)
+    groups = @domain.groups(groups)
+    @validator.new(@ldap, groups)
+  end
+
+  def test_validates_user_in_group
+    validator = make_validator(%w(nested-group1))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_child_group
+    validator = make_validator(%w(n-depth-nested-group1))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group2))
+    assert validator.perform(@entry)
+  end
+
+  def test_validates_user_in_great_grandchild_group
+    validator = make_validator(%w(n-depth-nested-group3))
+    assert validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_in_great_granchild_group_with_depth
+    validator = make_validator(%w(n-depth-nested-group3))
+    refute validator.perform(@entry, 2)
+  end
+
+  def test_does_not_validate_user_not_in_group
+    validator = make_validator(%w(ghe-admins))
+    refute validator.perform(@entry)
+  end
+
+  def test_does_not_validate_user_not_in_any_group
+    @entry = @domain.user?('groupless-user1')
+    validator = make_validator(%w(all-users))
+    refute validator.perform(@entry)
+  end
+
+  def test_validates_user_in_posix_group
+    validator = make_validator(%w(posix-group1))
+    assert validator.perform(@entry)
+  end
+end
