github · davesims · Aug 5, 2016 · Jul 25, 2016 · Jul 25, 2016 · Jul 25, 2016
diff --git a/.travis.yml b/.travis.yml
@@ -1,12 +1,18 @@
 language: ruby
 rvm:
-  - 1.9.3
+  - 2.0.0
   - 2.1.0
 
 env:
   - TESTENV=openldap
   - TESTENV=apacheds
 
+# https://docs.travis-ci.com/user/hosts/
+addons:
+  hosts:
+    - ad1.ghe.dev
+    - ad2.ghe.dev
+
 install:
   - if [ "$TESTENV" = "openldap" ]; then ./script/install-openldap; fi
   - bundle install

diff --git a/Gemfile b/Gemfile
@@ -6,3 +6,7 @@ gemspec
 group :test, :development do
   gem "byebug", :platforms => [:mri_20, :mri_21]
 end
+
+group :test do
+  gem "mocha"
+end
diff --git a/lib/github/ldap.rb b/lib/github/ldap.rb
@@ -10,6 +10,11 @@
 require 'github/ldap/instrumentation'
 require 'github/ldap/member_search'
 require 'github/ldap/membership_validators'
+require 'github/ldap/user_search/default'
+require 'github/ldap/user_search/active_directory'
+require 'github/ldap/connection_cache'
+require 'github/ldap/referral_chaser'
+require 'github/ldap/url'
 
 module GitHub
   class Ldap
@@ -38,11 +43,17 @@ class Ldap
     #
     # Returns the return value of the block.
     def_delegator :@connection, :open
+    def_delegator :@connection, :host
 
     attr_reader :uid, :search_domains, :virtual_attributes,
                 :membership_validator,
                 :member_search_strategy,
-                :instrumentation_service
+                :instrumentation_service,
+                :user_search_strategy,
+                :connection,
+                :admin_user,
+                :admin_password,
+                :port
 
     # Build a new GitHub::Ldap instance
     #
@@ -69,6 +80,11 @@ class Ldap
     def initialize(options = {})
       @uid = options[:uid] || "sAMAccountName"
 
+      # Keep a reference to these as default auth for a Global Catalog if needed
+      @admin_user = options[:admin_user]
+      @admin_password = options[:admin_password]
+      @port = options[:port]
+
       @connection = Net::LDAP.new({
         host: options[:host],
         port: options[:port],
@@ -98,6 +114,9 @@ def initialize(options = {})
       # configure both the membership validator and the member search strategies
       configure_search_strategy(options[:search_strategy])
 
+      # configure the strategy used by Domain#user? to look up a user entry for login
+      configure_user_search_strategy(options[:user_search_strategy])
+
       # enables instrumenting queries
       @instrumentation_service = options[:instrumentation_service]
     end
@@ -281,6 +300,29 @@ def configure_membership_validation_strategy(strategy = nil)
         end
     end
 
+    # Internal:  Set the user search strategy that will be used by
+    #            Domain#user?.
+    #
+    # strategy - Can be either 'default' or 'global_catalog'.
+    #            'default' strategy will search the configured
+    #            domain controller with a search base relative
+    #            to the controller's domain context.
+    #            'global_catalog' will search the entire forest
+    #            using Active Directory's Global Catalog
+    #            functionality.
+    def configure_user_search_strategy(strategy)
+      @user_search_strategy = begin
+        case strategy.to_s
+        when "default"
+          GitHub::Ldap::UserSearch::Default.new(self)
+        when "global_catalog"
+          GitHub::Ldap::UserSearch::ActiveDirectory.new(self)
+        else
+          GitHub::Ldap::UserSearch::Default.new(self)
+        end
+      end
+    end
+
     # Internal: Configure the member search strategy.
     #
     #

diff --git a/lib/github/ldap/connection_cache.rb b/lib/github/ldap/connection_cache.rb
@@ -0,0 +1,26 @@
+module GitHub
+  class Ldap
+
+    # A simple cache of GitHub::Ldap objects to prevent creating multiple
+    # instances of connections that point to the same URI/host.
+    class ConnectionCache
+
+      # Public - Create or return cached instance of GitHub::Ldap created with options,
+      # where the cache key is the value of options[:host].
+      #
+      # options - Initialization attributes suitable for creating a new connection with
+      # GitHub::Ldap.new(options)
+      #
+      # Returns true or false.
+      def self.get_connection(options={})
+        @cache ||= self.new
+        @cache.get_connection(options)
+      end
+
+      def get_connection(options)
+        @connections ||= {}
+        @connections[options[:host]] ||= GitHub::Ldap.new(options)
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/domain.rb b/lib/github/ldap/domain.rb
@@ -115,10 +115,7 @@ def valid_login?(login, password)
       # Returns the user if the login matches any `uid`.
       # Returns nil if there are no matches.
       def user?(login, search_options = {})
-        options = search_options.merge \
-          filter: login_filter(@uid, login),
-          size: 1
-        search(options).first
+        @ldap.user_search_strategy.perform(login, @base_name, @uid, search_options).first
       end
 
       # Check if a user can be bound with a password.

diff --git a/lib/github/ldap/membership_validators/active_directory.rb b/lib/github/ldap/membership_validators/active_directory.rb
@@ -24,15 +24,23 @@ def perform(entry)
           # Sets the entry to the base and scopes the search to the base,
           # according to the source documentation, found here:
           # http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
-          matched = ldap.search \
+          #
+          # Use ReferralChaser to chase any potential referrals for an entry that may be owned by a different
+          # domain controller.
+          matched = referral_chaser.search \
             filter: membership_in_chain_filter(entry),
             base:   entry.dn,
             scope:  Net::LDAP::SearchScope_BaseObject,
+            return_referrals: true,
             attributes: ATTRS
 
           # membership validated if entry was matched and returned as a result
           # Active Directory DNs are case-insensitive
-          matched.map { |m| m.dn.downcase }.include?(entry.dn.downcase)
+          Array(matched).map { |m| m.dn.downcase }.include?(entry.dn.downcase)
+        end
+
+        def referral_chaser
+          @referral_chaser ||= GitHub::Ldap::ReferralChaser.new(@ldap)
         end
 
         # Internal: Constructs a membership filter using the "in chain"

diff --git a/lib/github/ldap/referral_chaser.rb b/lib/github/ldap/referral_chaser.rb
@@ -0,0 +1,98 @@
+module GitHub
+  class Ldap
+
+    # This class adds referral chasing capability to a GitHub::Ldap connection.
+    #
+    # See: https://technet.microsoft.com/en-us/library/cc978014.aspx
+    #      http://www.umich.edu/~dirsvcs/ldap/doc/other/ldap-ref.html
+    #
+    class ReferralChaser
+
+      # Public - Creates a ReferralChaser that decorates an instance of GitHub::Ldap
+      # with additional functionality to the #search method, allowing it to chase
+      # any referral entries and aggregate the results into a single response.
+      #
+      # connection - The instance of GitHub::Ldap to use for searching. Will use
+      # the connection's authentication, (admin_user and admin_password) as credentials
+      # for connecting to referred domain controllers.
+      def initialize(connection)
+        @connection = connection
+        @admin_user = connection.admin_user
+        @admin_password = connection.admin_password
+        @port = connection.port
+      end
+
+      # Public - Search the domain controller represented by this instance's connection.
+      # If a referral is returned, search only one of the domain controllers indicated
+      # by the referral entries, per RFC 4511 (https://tools.ietf.org/html/rfc4511):
+      #
+      # "If the client wishes to progress the operation, it contacts one of
+      #  the supported services found in the referral.  If multiple URIs are
+      #  present, the client assumes that any supported URI may be used to
+      #  progress the operation."
+      #
+      # options - is a hash with the same options that Net::LDAP::Connection#search supports.
+      #           Referral searches will use the given options, but will replace options[:base]
+      #           with the referral URL's base search dn.
+      #
+      # Does not take a block argument as GitHub::Ldap and Net::LDAP::Connection#search do.
+      #
+      # Will not recursively follow any subsequent referrals.
+      #
+      # Returns an Array of Net::LDAP::Entry.
+      def search(options)
+        search_results = []
+        referral_entries = []
+
+        search_results = connection.search(options) do |entry|
+          if entry && entry[:search_referrals]
+            referral_entries << entry
+          end
+        end
+
+        unless referral_entries.empty?
+          entry = referral_entries.first
+          referral_string = entry[:search_referrals].first
+          if GitHub::Ldap::URL.valid?(referral_string)
+            referral = Referral.new(referral_string, admin_user, admin_password, port)
+            search_results = referral.search(options)
+          end
+        end
+
+        Array(search_results)
+      end
+
+      private
+
+      attr_reader :connection, :admin_user, :admin_password, :port
+
+      # Represents a referral entry from an LDAP search result. Constructs a corresponding
+      # GitHub::Ldap object from the paramaters on the referral_url and provides a #search
+      # method to continue the search on the referred domain.
+      class Referral
+        def initialize(referral_url, admin_user, admin_password, port=nil)
+          url = GitHub::Ldap::URL.new(referral_url)
+          @search_base = url.dn
+
+          connection_options = {
+            host: url.host,
+            port: port || url.port,
+            scope: url.scope,
+            admin_user: admin_user,
+            admin_password: admin_password
+          }
+
+          @connection = GitHub::Ldap::ConnectionCache.get_connection(connection_options)
+        end
+
+        # Search the referred domain controller with options, merging in the referred search
+        # base DN onto options[:base].
+        def search(options)
+          connection.search(options.merge(base: search_base))
+        end
+
+        attr_reader :search_base, :connection
+      end
+    end
+  end
+end
diff --git a/lib/github/ldap/url.rb b/lib/github/ldap/url.rb
@@ -0,0 +1,87 @@
+module GitHub
+  class Ldap
+
+    # This class represents an LDAP URL
+    #
+    # See: https://tools.ietf.org/html/rfc4516#section-2
+    #      https://docs.oracle.com/cd/E19957-01/817-6707/urls.html
+    #
+    class URL
+      extend Forwardable
+      SCOPES = {
+        "base" => Net::LDAP::SearchScope_BaseObject,
+        "one" => Net::LDAP::SearchScope_SingleLevel,
+        "sub" => Net::LDAP::SearchScope_WholeSubtree
+      }
+      SCOPES.default = Net::LDAP::SearchScope_BaseObject
+
+      attr_reader :dn, :attributes, :scope, :filter
+
+      def_delegators :@uri, :port, :host, :scheme
+
+      # Public - Creates a new GitHub::Ldap::URL object with :port, :host and :scheme
+      # delegated to a URI object parsed from url_string, and then parses the
+      # query params according to the LDAP specification.
+      #
+      # url_string  - An LDAP URL string.
+      # returns     - a GitHub::Ldap::URL with the following attributes:
+      #   host         - Name or IP of the LDAP server.
+      #   port         - The given port, defaults to 389.
+      #   dn           - The base search DN.
+      #   attributes   - The comma-delimited list of attributes to be returned.
+      #   scope        - The scope of the search.
+      #   filter       - Search filter to apply to entries within the specified scope of the search.
+      #
+      # Supported LDAP URL strings look like this, where sections in brackets are optional:
+      #
+      #          ldap[s]://[hostport][/[dn[?[attributes][?[scope][?[filter]]]]]]
+      #
+      #      where:
+      #
+      #          hostport is a host name with an optional ":portnumber"
+      #          dn is the base DN to be used for an LDAP search operation
+      #          attributes is a comma separated list of attributes to be retrieved
+      #          scope is one of these three strings: base one sub (default=base)
+      #          filter is LDAP search filter as used in a call to ldap_search
+      #
+      #      For example:
+      #
+      #      ldap://dc4.ghe.local:456/CN=Maggie,DC=dc4,DC=ghe,DC=local?cn,mail?base?(cn=Charlie)
+      #
+      def initialize(url_string)
+        if !self.class.valid?(url_string)
+          raise InvalidLdapURLException.new("Invalid LDAP URL: #{url_string}")
+        end
+        @uri = URI(url_string)
+        @dn = URI.unescape(@uri.path.sub(/^\//, ""))
+        if @uri.query
+          @attributes, @scope, @filter = @uri.query.split("?")
+        end
+      end
+
+      def self.valid?(url_string)
+        url_string =~ URI::regexp && ["ldap", "ldaps"].include?(URI(url_string).scheme)
+      end
+
+      # Maps the returned scope value from the URL to one of Net::LDAP::Scopes
+      #
+      # The URL scope value can be one of:
+      #     "base" - retrieves information only about the DN (base_dn) specified.
+      #     "one"  - retrieves information about entries one level below the DN (base_dn) specified. The base entry is not included in this scope.
+      #     "sub"  - retrieves information about entries at all levels below the DN (base_dn) specified. The base entry is included in this scope.
+      #
+      # Which will map to one of the following Net::LDAP::Scopes:
+      #   SearchScope_BaseObject   = 0
+      #   SearchScope_SingleLevel  = 1
+      #   SearchScope_WholeSubtree = 2
+      #
+      # If no scope or an invalid scope is given, defaults to SearchScope_BaseObject
+      def net_ldap_scope
+        Net::LDAP::SearchScopes[SCOPES[scope]]
+      end
+
+      class InvalidLdapURLException < Exception; end
+    end
+  end
+end
+