diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb index d61f3dc4..75b463fb 100644 --- a/lib/net/ldap.rb +++ b/lib/net/ldap.rb @@ -26,6 +26,7 @@ class LDAP require 'net/ldap/instrumentation' require 'net/ldap/connection' require 'net/ldap/version' +require 'net/ldap/error' # == Quick-start for the Impatient # === Quick Example of a user-authentication against an LDAP directory: @@ -246,8 +247,6 @@ class LDAP class Net::LDAP include Net::LDAP::Instrumentation - class LdapError < StandardError; end - SearchScope_BaseObject = 0 SearchScope_SingleLevel = 1 SearchScope_WholeSubtree = 2 @@ -666,7 +665,7 @@ def open # anything with the bind results. We then pass self to the caller's # block, where he will execute his LDAP operations. Of course they will # all generate auth failures if the bind was unsuccessful. - raise Net::LDAP::LdapError, "Open already in progress" if @open_connection + raise Net::LDAP::AlreadyOpenedError, "Open already in progress" if @open_connection instrument "open.net_ldap" do |payload| begin diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb index 7ed0bdb5..5e735f53 100644 --- a/lib/net/ldap/connection.rb +++ b/lib/net/ldap/connection.rb @@ -12,13 +12,13 @@ def initialize(server) begin @conn = server[:socket] || TCPSocket.new(server[:host], server[:port]) rescue SocketError - raise Net::LDAP::LdapError, "No such address or other socket error." + raise Net::LDAP::Error, "No such address or other socket error." rescue Errno::ECONNREFUSED - raise Net::LDAP::LdapError, "Server #{server[:host]} refused connection on port #{server[:port]}." + raise Net::LDAP::Error, "Server #{server[:host]} refused connection on port #{server[:port]}." rescue Errno::EHOSTUNREACH => error - raise Net::LDAP::LdapError, "Host #{server[:host]} was unreachable (#{error.message})" + raise Net::LDAP::Error, "Host #{server[:host]} was unreachable (#{error.message})" rescue Errno::ETIMEDOUT - raise Net::LDAP::LdapError, "Connection to #{server[:host]} timed out." + raise Net::LDAP::Error, "Connection to #{server[:host]} timed out." end if server[:encryption] @@ -42,7 +42,7 @@ def close end def self.wrap_with_ssl(io, tls_options = {}) - raise Net::LDAP::LdapError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL + raise Net::LDAP::NoOpenSSLError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL ctx = OpenSSL::SSL::SSLContext.new @@ -67,7 +67,7 @@ def self.wrap_with_ssl(io, tls_options = {}) # successfully-opened @conn instance variable, which is a TCP connection. # Depending on the received arguments, we establish SSL, potentially # replacing the value of @conn accordingly. Don't generate any errors here - # if no encryption is requested. DO raise Net::LDAP::LdapError objects if encryption + # if no encryption is requested. DO raise Net::LDAP::Error objects if encryption # is requested and we have trouble setting it up. That includes if OpenSSL # is not set up on the machine. (Question: how does the Ruby OpenSSL # wrapper react in that case?) DO NOT filter exceptions raised by the @@ -105,16 +105,16 @@ def setup_encryption(args) pdu = queued_read(message_id) if pdu.nil? || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse - raise Net::LDAP::LdapError, "no start_tls result" + raise Net::LDAP::NoStartTLSResultError, "no start_tls result" end if pdu.result_code.zero? @conn = self.class.wrap_with_ssl(@conn, args[:tls_options]) else - raise Net::LDAP::LdapError, "start_tls failed: #{pdu.result_code}" + raise Net::LDAP::StartTlSError, "start_tls failed: #{pdu.result_code}" end else - raise Net::LDAP::LdapError, "unsupported encryption method #{args[:method]}" + raise Net::LDAP::EncMethodUnsupportedError, "unsupported encryption method #{args[:method]}" end end @@ -225,7 +225,7 @@ def bind(auth) elsif meth == :gss_spnego bind_gss_spnego(auth) else - raise Net::LDAP::LdapError, "Unsupported auth method (#{meth})" + raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{meth})" end end end @@ -241,7 +241,7 @@ def bind_simple(auth) ["", ""] end - raise Net::LDAP::LdapError, "Invalid binding information" unless (user && psw) + raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw) message_id = next_msgid request = [ @@ -253,7 +253,7 @@ def bind_simple(auth) pdu = queued_read(message_id) if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult - raise Net::LDAP::LdapError, "no bind result" + raise Net::LDAP::NoBindResultError, "no bind result" end pdu @@ -283,7 +283,7 @@ def bind_simple(auth) def bind_sasl(auth) mech, cred, chall = auth[:mechanism], auth[:initial_credential], auth[:challenge_response] - raise Net::LDAP::LdapError, "Invalid binding information" unless (mech && cred && chall) + raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (mech && cred && chall) message_id = next_msgid @@ -298,16 +298,16 @@ def bind_sasl(auth) pdu = queued_read(message_id) if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult - raise Net::LDAP::LdapError, "no bind result" + raise Net::LDAP::NoBindResultError, "no bind result" end return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress - raise Net::LDAP::LdapError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges) + raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges) cred = chall.call(pdu.result_server_sasl_creds) } - raise Net::LDAP::LdapError, "why are we here?" + raise Net::LDAP::SASLChallengeOverflowError, "why are we here?" end private :bind_sasl @@ -326,7 +326,7 @@ def bind_gss_spnego(auth) require 'ntlm' user, psw = [auth[:username] || auth[:dn], auth[:password]] - raise Net::LDAP::LdapError, "Invalid binding information" unless (user && psw) + raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw) nego = proc { |challenge| t2_msg = NTLM::Message.parse(challenge) @@ -412,10 +412,10 @@ def search(args = nil) sort = args.fetch(:sort_controls, false) # arg validation - raise Net::LDAP::LdapError, "search base is required" unless base - raise Net::LDAP::LdapError, "invalid search-size" unless size >= 0 - raise Net::LDAP::LdapError, "invalid search scope" unless Net::LDAP::SearchScopes.include?(scope) - raise Net::LDAP::LdapError, "invalid alias dereferencing value" unless Net::LDAP::DerefAliasesArray.include?(deref) + raise ArgumentError, "search base is required" unless base + raise ArgumentError, "invalid search-size" unless size >= 0 + raise ArgumentError, "invalid search scope" unless Net::LDAP::SearchScopes.include?(scope) + raise ArgumentError, "invalid alias dereferencing value" unless Net::LDAP::DerefAliasesArray.include?(deref) # arg transforms filter = Net::LDAP::Filter.construct(filter) if filter.is_a?(String) @@ -527,7 +527,7 @@ def search(args = nil) end break else - raise Net::LDAP::LdapError, "invalid response-type in search: #{pdu.app_tag}" + raise Net::LDAP::ResponseTypeInvalidError, "invalid response-type in search: #{pdu.app_tag}" end end @@ -625,7 +625,7 @@ def modify(args) pdu = queued_read(message_id) if !pdu || pdu.app_tag != Net::LDAP::PDU::ModifyResponse - raise Net::LDAP::LdapError, "response missing or invalid" + raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu @@ -639,7 +639,7 @@ def modify(args) # to the error message and the matched-DN returned by the server. #++ def add(args) - add_dn = args[:dn] or raise Net::LDAP::LdapError, "Unable to add empty DN" + add_dn = args[:dn] or raise Net::LDAP::EmptyDNError, "Unable to add empty DN" add_attrs = [] a = args[:attributes] and a.each { |k, v| add_attrs << [ k.to_s.to_ber, Array(v).map { |m| m.to_ber}.to_ber_set ].to_ber_sequence @@ -652,7 +652,7 @@ def add(args) pdu = queued_read(message_id) if !pdu || pdu.app_tag != Net::LDAP::PDU::AddResponse - raise Net::LDAP::LdapError, "response missing or invalid" + raise Net::LDAP::ResponseMissingError, "response missing or invalid" end pdu @@ -675,7 +675,7 @@ def rename(args) pdu = queued_read(message_id) if !pdu || pdu.app_tag != Net::LDAP::PDU::ModifyRDNResponse - raise Net::LDAP::LdapError.new "response missing or invalid" + raise Net::LDAP::ResponseMissingOrInvalidError.new "response missing or invalid" end pdu @@ -694,7 +694,7 @@ def delete(args) pdu = queued_read(message_id) if !pdu || pdu.app_tag != Net::LDAP::PDU::DeleteResponse - raise Net::LDAP::LdapError, "response missing or invalid" + raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu diff --git a/lib/net/ldap/entry.rb b/lib/net/ldap/entry.rb index 06943a93..c2615268 100644 --- a/lib/net/ldap/entry.rb +++ b/lib/net/ldap/entry.rb @@ -71,7 +71,7 @@ def from_single_ldif_string(ldif) return nil if ds.empty? - raise Net::LDAP::LdapError, "Too many LDIF entries" unless ds.size == 1 + raise Net::LDAP::EntryOverflowError, "Too many LDIF entries" unless ds.size == 1 entry = ds.to_entries.first diff --git a/lib/net/ldap/error.rb b/lib/net/ldap/error.rb new file mode 100644 index 00000000..c9a25f90 --- /dev/null +++ b/lib/net/ldap/error.rb @@ -0,0 +1,38 @@ +class Net::LDAP + class LdapError < StandardError + def message + "Deprecation warning: Net::LDAP::LdapError is no longer used. Use Net::LDAP::Error or rescue one of it's subclasses. \n" + super + end + end + + class Error < StandardError; end + + class AlreadyOpenedError < Error; end + class SocketError < Error; end + class ConnectionRefusedError < Error; end + class NoOpenSSLError < Error; end + class NoStartTLSResultError < Error; end + class NoSearchBaseError < Error; end + class StartTLSError < Error; end + class EncryptionUnsupportedError < Error; end + class EncMethodUnsupportedError < Error; end + class AuthMethodUnsupportedError < Error; end + class BindingInformationInvalidError < Error; end + class NoBindResultError < Error; end + class SASLChallengeOverflowError < Error; end + class SearchSizeInvalidError < Error; end + class SearchScopeInvalidError < Error; end + class ResponseTypeInvalidError < Error; end + class ResponseMissingOrInvalidError < Error; end + class EmptyDNError < Error; end + class HashTypeUnsupportedError < Error; end + class OperatorError < Error; end + class SubstringFilterError < Error; end + class SearchFilterError < Error; end + class BERInvalidError < Error; end + class SearchFilterTypeUnknownError < Error; end + class BadAttributeError < Error; end + class FilterTypeUnknownError < Error; end + class FilterSyntaxInvalidError < Error; end + class EntryOverflowError < Error; end +end diff --git a/lib/net/ldap/filter.rb b/lib/net/ldap/filter.rb index 4f5da3e5..0ab847b8 100644 --- a/lib/net/ldap/filter.rb +++ b/lib/net/ldap/filter.rb @@ -27,7 +27,7 @@ class Net::LDAP::Filter def initialize(op, left, right) #:nodoc: unless FilterTypes.include?(op) - raise Net::LDAP::LdapError, "Invalid or unsupported operator #{op.inspect} in LDAP Filter." + raise Net::LDAP::OperatorError, "Invalid or unsupported operator #{op.inspect} in LDAP Filter." end @op = op @left = left @@ -290,7 +290,7 @@ def parse_ber(ber) ber.last.each { |b| case b.ber_identifier when 0x80 # context-specific primitive 0, SubstringFilter "initial" - raise Net::LDAP::LdapError, "Unrecognized substring filter; bad initial value." if str.length > 0 + raise Net::LDAP::SubstringFilterError, "Unrecognized substring filter; bad initial value." if str.length > 0 str += escape(b) when 0x81 # context-specific primitive 0, SubstringFilter "any" str += "*#{escape(b)}" @@ -309,7 +309,7 @@ def parse_ber(ber) # call to_s to get rid of the BER-identifiedness of the incoming string. present?(ber.to_s) when 0xa9 # context-specific constructed 9, "extensible comparison" - raise Net::LDAP::LdapError, "Invalid extensible search filter, should be at least two elements" if ber.size<2 + raise Net::LDAP::SearchFilterError, "Invalid extensible search filter, should be at least two elements" if ber.size < 2 # Reassembles the extensible filter parts # (["sn", "2.4.6.8.10", "Barbara Jones", '1']) @@ -330,7 +330,7 @@ def parse_ber(ber) ex(attribute, value) else - raise Net::LDAP::LdapError, "Invalid BER tag-value (#{ber.ber_identifier}) in search filter." + raise Net::LDAP::BERInvalidError, "Invalid BER tag-value (#{ber.ber_identifier}) in search filter." end end @@ -357,7 +357,7 @@ def parse_ldap_filter(obj) when 0xa3 # equalityMatch. context-specific constructed 3. eq(obj[0], obj[1]) else - raise Net::LDAP::LdapError, "Unknown LDAP search-filter type: #{obj.ber_identifier}" + raise Net::LDAP::SearchFilterTypeUnknownError, "Unknown LDAP search-filter type: #{obj.ber_identifier}" end end end @@ -532,7 +532,7 @@ def to_ber seq = [] unless @left =~ /^([-;\w]*)(:dn)?(:(\w+|[.\w]+))?$/ - raise Net::LDAP::LdapError, "Bad attribute #{@left}" + raise Net::LDAP::BadAttributeError, "Bad attribute #{@left}" end type, dn, rule = $1, $2, $4 @@ -639,7 +639,7 @@ def match(entry) l = entry[@left] and l = Array(l) and l.index(@right) end else - raise Net::LDAP::LdapError, "Unknown filter type in match: #{@op}" + raise Net::LDAP::FilterTypeUnknownError, "Unknown filter type in match: #{@op}" end end @@ -671,7 +671,7 @@ def parse(ldap_filter_string) def initialize(str) require 'strscan' # Don't load strscan until we need it. @filter = parse(StringScanner.new(str)) - raise Net::LDAP::LdapError, "Invalid filter syntax." unless @filter + raise Net::LDAP::FilterSyntaxInvalidError, "Invalid filter syntax." unless @filter end ## diff --git a/lib/net/ldap/password.rb b/lib/net/ldap/password.rb index 47ab03f4..28406f03 100644 --- a/lib/net/ldap/password.rb +++ b/lib/net/ldap/password.rb @@ -23,14 +23,14 @@ class << self def generate(type, str) case type when :md5 - attribute_value = '{MD5}' + Base64.encode64(Digest::MD5.digest(str)).chomp! + attribute_value = '{MD5}' + Base64.encode64(Digest::MD5.digest(str)).chomp! when :sha - attribute_value = '{SHA}' + Base64.encode64(Digest::SHA1.digest(str)).chomp! + attribute_value = '{SHA}' + Base64.encode64(Digest::SHA1.digest(str)).chomp! when :ssha - salt = SecureRandom.random_bytes(16) - attribute_value = '{SSHA}' + Base64.encode64(Digest::SHA1.digest(str + salt) + salt).chomp! + salt = SecureRandom.random_bytes(16) + attribute_value = '{SSHA}' + Base64.encode64(Digest::SHA1.digest(str + salt) + salt).chomp! else - raise Net::LDAP::LdapError, "Unsupported password-hash type (#{type})" + raise Net::LDAP::HashTypeUnsupportedError, "Unsupported password-hash type (#{type})" end return attribute_value end diff --git a/test/test_filter.rb b/test/test_filter.rb index 139612a1..2bcccd92 100644 --- a/test/test_filter.rb +++ b/test/test_filter.rb @@ -9,11 +9,11 @@ def test_bug_7534_rfc2254 end def test_invalid_filter_string - assert_raises(Net::LDAP::LdapError) { Filter.from_rfc2254("") } + assert_raises(Net::LDAP::FilterSyntaxInvalidError) { Filter.from_rfc2254("") } end def test_invalid_filter - assert_raises(Net::LDAP::LdapError) { + assert_raises(Net::LDAP::OperatorError) { # This test exists to prove that our constructor blocks unknown filter # types. All filters must be constructed using helpers. Filter.__send__(:new, :xx, nil, nil) diff --git a/test/test_ldap_connection.rb b/test/test_ldap_connection.rb index 424f6bb3..96b542ac 100644 --- a/test/test_ldap_connection.rb +++ b/test/test_ldap_connection.rb @@ -2,14 +2,14 @@ class TestLDAPConnection < Test::Unit::TestCase def test_unresponsive_host - assert_raise Net::LDAP::LdapError do + assert_raise Net::LDAP::Error do Net::LDAP::Connection.new(:host => 'test.mocked.com', :port => 636) end end def test_blocked_port flexmock(TCPSocket).should_receive(:new).and_raise(SocketError) - assert_raise Net::LDAP::LdapError do + assert_raise Net::LDAP::Error do Net::LDAP::Connection.new(:host => 'test.mocked.com', :port => 636) end end