From 197d46051b68d8fe7aea77082b188f45e7e3c144 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 2 Oct 2015 14:55:41 +0900
Subject: [PATCH 01/15] Extract Simple method as AuthAdapter
---
 lib/net/ldap/auth_adapter.rb | 25 ++++++++++++++++++
 lib/net/ldap/auth_adapters/anon.rb | 3 +++
 lib/net/ldap/auth_adapters/anonymous.rb | 3 +++
 lib/net/ldap/auth_adapters/simple.rb | 34 +++++++++++++++++++++++++
 lib/net/ldap/connection.rb | 21 ++++++++-------
 5 files changed, 77 insertions(+), 9 deletions(-)
 create mode 100644 lib/net/ldap/auth_adapter.rb
 create mode 100644 lib/net/ldap/auth_adapters/anon.rb
 create mode 100644 lib/net/ldap/auth_adapters/anonymous.rb
 create mode 100644 lib/net/ldap/auth_adapters/simple.rb
diff --git a/lib/net/ldap/auth_adapter.rb b/lib/net/ldap/auth_adapter.rb
new file mode 100644
index 00000000..1ec74360
--- /dev/null
+++ b/lib/net/ldap/auth_adapter.rb
@@ -0,0 +1,25 @@
+module Net
+ class LDAP
+ class AuthAdapter
+ def self.regiseter(names, adapter)
+ names = Array(names)
+ @adapters ||= {}
+ names.each do |name|
+ @adapters[name] = adapter
+ end
+ end
+
+ def self.[](name)
+ @adapters[name]
+ end
+
+ def initialize(conn)
+ @connection = conn
+ end
+
+ def bind
+ raise "bind method must be overwritten"
+ end
+ end
+ end
+end
diff --git a/lib/net/ldap/auth_adapters/anon.rb b/lib/net/ldap/auth_adapters/anon.rb
new file mode 100644
index 00000000..7cb65cb6
--- /dev/null
+++ b/lib/net/ldap/auth_adapters/anon.rb
@@ -0,0 +1,3 @@
+require 'net/ldap/auth_adapters/simple'
+
+Net::LDAP::AuthAdapter.register(:anon, Net::LDAP::AuthAdapters::Simple)
diff --git a/lib/net/ldap/auth_adapters/anonymous.rb b/lib/net/ldap/auth_adapters/anonymous.rb
new file mode 100644
index 00000000..8ed42298
--- /dev/null
+++ b/lib/net/ldap/auth_adapters/anonymous.rb
@@ -0,0 +1,3 @@
+require 'net/ldap/auth_adapters/simple'
+
+Net::LDAP::AuthAdapter.register(:anonymous, Net::LDAP::AuthAdapters::Simple)
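Review bot: `def self.[](name)` indexes `@adapters` before any adapter has been registered, so a lookup for an unknown method on a fresh process fails with NoMethodError on nil instead of a meaningful error; `(@adapters || {})[name]` keeps the lookup total. The registration method is spelled `regiseter`, so the `Net::LDAP::AuthAdapter.register(...)` calls in the anon.rb and anonymous.rb hunks of this same patch raise NoMethodError at load time. The base `bind` also declares no parameter while every subclass is invoked as `bind(auth)`; `def bind(_auth)` raising `NotImplementedError, "bind method must be overwritten"` states the contract subclasses must implement instead of a bare RuntimeError.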
diff --git a/lib/net/ldap/auth_adapters/simple.rb b/lib/net/ldap/auth_adapters/simple.rb
new file mode 100644
index 00000000..36e9e174
--- /dev/null
+++ b/lib/net/ldap/auth_adapters/simple.rb
@@ -0,0 +1,34 @@
+module Net
+ class LDAP
+ module AuthAdapters
+ class Simple < AuthAdapter
+ def bind(auth)
+ user, psw = if auth[:method] == :simple
+ [auth[:username] || auth[:dn], auth[:password]]
+ else
+ ["", ""]
+ end
+
+ raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+
+ message_id = @connection.next_msgid
+ request = [
+ LdapVersion.to_ber, user.to_ber,
+ psw.to_ber_contextspecific(0)
+ ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+ @connection.write(request, nil, message_id)
+ pdu = @connection.queued_read(message_id)
+
+ if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+ raise Net::LDAP::NoBindResultError, "no bind result"
+ end
+
+ pdu
+ end
+ end
+ end
+ end
+end
+
+Net::LDAP::AuthAdapter.register(:simple, Net::LDAP::AuthAdapters::Simple)
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 05aedfef..da53a0b1 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -250,15 +250,18 @@ def next_msgid
 def bind(auth)
 instrument "bind.net_ldap_connection" do |payload|
 payload[:method] = meth = auth[:method]
- if [:simple, :anonymous, :anon].include?(meth)
- bind_simple auth
- elsif meth == :sasl
- bind_sasl(auth)
- elsif meth == :gss_spnego
- bind_gss_spnego(auth)
- else
- raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{meth})"
- end
+ require "net/ldap/auth_adapters/#{meth}"
+ adapter = Net::LDAP::AuthAdapterp[meth]
+ adapter.bind(auth)
+ # if [:simple, :anonymous, :anon].include?(meth)
+ # bind_simple auth
+ # elsif meth == :sasl
+ # bind_sasl(auth)
+ # elsif meth == :gss_spnego
+ # bind_gss_spnego(auth)
+ # else
+ # raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{meth})"
+ # end
 end
 end
 
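Review bot: The only credential validation in `Simple#bind` is `unless (user && psw)`, which an empty string passes, so a `:simple` bind with a DN and a `""` password is sent as a BindRequest that the server treats as an unauthenticated bind (RFC 4513 §5.1.2) and typically answers with success; a caller that uses the bind result as a login check would then accept any user whose password field is blank. Reject that case explicitly before building the request, e.g. `raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" if auth[:method] == :simple && psw.empty?`. `LdapVersion` is also referenced unqualified; it was a constant of the `Connection` class this code was extracted from, so it presumably has to be written `Net::LDAP::Connection::LdapVersion` to resolve from inside `AuthAdapters::Simple`.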
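Review bot: `require "net/ldap/auth_adapters/#{meth}"` builds a load path from the caller-supplied `auth[:method]`, so that value now decides which file gets loaded and an unknown method surfaces as LoadError instead of `Net::LDAP::AuthMethodUnsupportedError`; the registry should be the single source of truth, with the adapter files required once at library load and `AuthAdapter[meth]` raising for unregistered names. On the following lines `Net::LDAP::AuthAdapterp` is a misspelling of `AuthAdapter`, and `adapter.bind(auth)` calls `bind` on the class although `bind` is an instance method that needs the connection passed through `initialize`, so it has to be `adapter.new(self).bind(auth)`. The old dispatch chain is kept as a nine-line comment block; it should be deleted rather than left behind, since version control already preserves it.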
From b57a283c7b87a7a4a07bcf909c03bab32eb1715a Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 2 Oct 2015 14:59:35 +0900
Subject: [PATCH 02/15] Fix uninitialized constant error by adding require statement
---
 lib/net/ldap/auth_adapters/simple.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/net/ldap/auth_adapters/simple.rb b/lib/net/ldap/auth_adapters/simple.rb
index 36e9e174..2c7301d8 100644
--- a/lib/net/ldap/auth_adapters/simple.rb
+++ b/lib/net/ldap/auth_adapters/simple.rb
@@ -1,3 +1,5 @@
+require 'net/ldap/auth_adapter'
+
 module Net
 class LDAP
 module AuthAdapters
From 9c7b1af6b62e609b137371882d41dd4c8e2e9cfd Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 2 Oct 2015 15:02:09 +0900
Subject: [PATCH 03/15] Fix typo
---
 lib/net/ldap/auth_adapter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/net/ldap/auth_adapter.rb b/lib/net/ldap/auth_adapter.rb
index 1ec74360..bd818dec 100644
--- a/lib/net/ldap/auth_adapter.rb
+++ b/lib/net/ldap/auth_adapter.rb
@@ -1,7 +1,7 @@
 module Net
 class LDAP
 class AuthAdapter
- def self.regiseter(names, adapter)
+ def self.register(names, adapter)
 names = Array(names)
 @adapters ||= {}
 names.each do |name|
From 2546e35c9d6bd661ade33e4b3ad3edd2c57dba66 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 2 Oct 2015 19:42:41 +0900
Subject: [PATCH 04/15] Instantiate AuthAdapter in #bind
---
 lib/net/ldap/connection.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index da53a0b1..29f96d8b 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -251,8 +251,8 @@ def bind(auth)
 instrument "bind.net_ldap_connection" do |payload|
 payload[:method] = meth = auth[:method]
 require "net/ldap/auth_adapters/#{meth}"
- adapter = Net::LDAP::AuthAdapterp[meth]
- adapter.bind(auth)
+ adapter = Net::LDAP::AuthAdapter[meth]
+ adapter.new(self).bind(auth)
 # if [:simple, :anonymous, :anon].include?(meth)
 # bind_simple auth
 # elsif meth == :sasl
From 069ad98b12bbc33006249d6edbb5f71542fc015c Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 2 Oct 2015 19:44:47 +0900
Subject: [PATCH 05/15] Fix wrong reference to constant
---
 lib/net/ldap/auth_adapters/simple.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/net/ldap/auth_adapters/simple.rb b/lib/net/ldap/auth_adapters/simple.rb
index 2c7301d8..ade93682 100644
--- a/lib/net/ldap/auth_adapters/simple.rb
+++ b/lib/net/ldap/auth_adapters/simple.rb
@@ -15,7 +15,7 @@ def bind(auth)
 
 message_id = @connection.next_msgid
 request = [
- LdapVersion.to_ber, user.to_ber,
+ Net::LDAP::Connection::LdapVersion.to_ber, user.to_ber,
 psw.to_ber_contextspecific(0)
 ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
 
From 585ae827283fc655970579d924368b9dd6f68914 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 2 Oct 2015 19:45:16 +0900
Subject: [PATCH 06/15] Call connection#write method with send
---
 lib/net/ldap/auth_adapters/simple.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/net/ldap/auth_adapters/simple.rb b/lib/net/ldap/auth_adapters/simple.rb
index ade93682..c580cf99 100644
--- a/lib/net/ldap/auth_adapters/simple.rb
+++ b/lib/net/ldap/auth_adapters/simple.rb
@@ -19,7 +19,7 @@ def bind(auth)
 psw.to_ber_contextspecific(0)
 ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
 
- @connection.write(request, nil, message_id)
+ @connection.send(:write, request, nil, message_id)
 pdu = @connection.queued_read(message_id)
 
 if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
From ac729dd8c0d748ef4de10a18b78e79197110e39f Mon Sep 17 00:00:00 2001
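Review bot: `@connection.send(:write, request, nil, message_id)` uses `send` purely to bypass the private visibility of `Connection#write`, which hides the fact that the adapter depends on a non-public method and will break without warning if `write` is renamed or its arguments change. If adapters are meant to emit PDUs, give `Net::LDAP::Connection` a supported entry point for that (make `write` public for adapters, or add a small wrapper that takes the request and message id) and call it directly; `private` exists precisely so that this kind of reach-in is visible in review. The enclosing `bind` method starts and ends outside this hunk.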
From: Tatsuya Sato
Date: Sat, 3 Oct 2015 00:41:25 +0900
Subject: [PATCH 07/15] Net::LDAP::Connection#bind is abolihsed
---
 lib/net/ldap/connection.rb | 29 -----------------------------
 1 file changed, 29 deletions(-)
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 29f96d8b..802e3832 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -265,35 +265,6 @@ def bind(auth)
 end
 end
 
- #--
- # Implements a simple user/psw authentication. Accessed by calling #bind
- # with a method of :simple or :anonymous.
- #++
- def bind_simple(auth)
- user, psw = if auth[:method] == :simple
- [auth[:username] || auth[:dn], auth[:password]]
- else
- ["", ""]
- end
-
- raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
-
- message_id = next_msgid
- request = [
- LdapVersion.to_ber, user.to_ber,
- psw.to_ber_contextspecific(0)
- ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
-
- write(request, nil, message_id)
- pdu = queued_read(message_id)
-
- if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
- raise Net::LDAP::NoBindResultError, "no bind result"
- end
-
- pdu
- end
-
 #--
 # Required parameters: :mechanism, :initial_credential and
 # :challenge_response
From 91db1ba20ef4b31f5e0516b293f7fd29089b22c9 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Sat, 3 Oct 2015 16:38:01 +0900
Subject: [PATCH 08/15] Define Sasl AuthAdapter
---
 lib/net/ldap/auth_adapters/sasl.rb | 41 ++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 lib/net/ldap/auth_adapters/sasl.rb
diff --git a/lib/net/ldap/auth_adapters/sasl.rb b/lib/net/ldap/auth_adapters/sasl.rb
new file mode 100644
index 00000000..01e7f05a
--- /dev/null
+++ b/lib/net/ldap/auth_adapters/sasl.rb
@@ -0,0 +1,41 @@
+require 'net/ldap/auth_adapter'
+
+module Net
+ class LDAP
+ module AuthAdapters
+ class Sasl < Net::LDAP::AuthAdapter
+ def bind(auth)
+ mech, cred, chall = auth[:mechanism], auth[:initial_credential],
+ auth[:challenge_response]
+ raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (mech && cred && chall)
+
+ message_id = @connection.next_msgid
+
+ n = 0
+ loop {
+ sasl = [mech.to_ber, cred.to_ber].to_ber_contextspecific(3)
+ request = [
+ Net::LDAP::Connection::LdapVersion.to_ber, "".to_ber, sasl
+ ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+ @connection.send(:write, request, nil, message_id)
+ pdu = @connection.queued_read(message_id)
+
+ if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+ raise Net::LDAP::NoBindResultError, "no bind result"
+ end
+
+ return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
+ raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
+
+ cred = chall.call(pdu.result_server_sasl_creds)
+ }
+
+ raise Net::LDAP::SASLChallengeOverflowError, "why are we here?"
+ end
+ end
+ end
+ end
+end
+
+Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapters::Sasl)
From ab20ad22cede28a689b47502628fd83a8bb1ba86 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Sat, 3 Oct 2015 22:17:20 +0900
Subject: [PATCH 09/15] Define GSS_SPNEGO AuthAdapter
---
 lib/net/ldap/auth_adapters/gss_spnego.rb | 42 +++++++++++
 lib/net/ldap/auth_adapters/sasl.rb | 21 ++++++
 lib/net/ldap/connection.rb | 92 ------------------------
 3 files changed, 63 insertions(+), 92 deletions(-)
 create mode 100644 lib/net/ldap/auth_adapters/gss_spnego.rb
diff --git a/lib/net/ldap/auth_adapters/gss_spnego.rb b/lib/net/ldap/auth_adapters/gss_spnego.rb
new file mode 100644
index 00000000..2513f150
--- /dev/null
+++ b/lib/net/ldap/auth_adapters/gss_spnego.rb
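Review bot: `MaxSaslChallenges` in the overflow check is referenced unqualified inside `Net::LDAP::AuthAdapters::Sasl`; it was a constant of the `Connection` class this code was extracted from, and `LdapVersion` three statements earlier already had to be written as `Net::LDAP::Connection::LdapVersion`, so this presumably raises NameError on the first saslBindInProgress round-trip, i.e. exactly on the multi-step mechanisms the adapter exists for. The `raise Net::LDAP::SASLChallengeOverflowError, "why are we here?"` after the `loop` is unreachable, because every iteration either returns the PDU or raises; dropping it and adding a one-line comment on the loop (`# one BindRequest per challenge; bounded by MaxSaslChallenges`) would make the control flow clearer.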
@@ -0,0 +1,42 @@
+require 'net/ldap/auth_adapter'
+require 'net/ldap/auth_adapters/sasl'
+
+module Net
+ class LDAP
+ module AuthAdapers
+ #--
+ # PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
+ # Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to
+ # integrate it without introducing an external dependency.
+ #
+ # This authentication method is accessed by calling #bind with a :method
+ # parameter of :gss_spnego. It requires :username and :password
+ # attributes, just like the :simple authentication method. It performs a
+ # GSS-SPNEGO authentication with the server, which is presumed to be a
+ # Microsoft Active Directory.
+ #++
+ class GSS_SPNEGO < Net::LDAP::AuthAdapter
+ def bind(auth)
+ require 'ntlm'
+
+ user, psw = [auth[:username] || auth[:dn], auth[:password]]
+ raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+
+ nego = proc { |challenge|
+ t2_msg = NTLM::Message.parse(challenge)
+ t3_msg = t2_msg.response({ :user => user, :password => psw },
+ { :ntlmv2 => true })
+ t3_msg.serialize
+ }
+
+ Net::LDAP::AuthAdapter.new(@connection).
+ bind(:method => :sasl, :mechanism => "GSS-SPNEGO",
+ :initial_credential => NTLM::Message::Type1.new.serialize,
+ :challenge_response => nego)
+ end
+ end
+ end
+ end
+end
+
+Net::LDAP::Adapter.register(:gss_spnego, Net::LDAP::AuthAdapters::GSS_SPNEGO)
diff --git a/lib/net/ldap/auth_adapters/sasl.rb b/lib/net/ldap/auth_adapters/sasl.rb
index 01e7f05a..c7c460c0 100644
--- a/lib/net/ldap/auth_adapters/sasl.rb
+++ b/lib/net/ldap/auth_adapters/sasl.rb
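Review bot: `module AuthAdapers` (missing the `t`) places the class at `Net::LDAP::AuthAdapers::GSS_SPNEGO`, so the registration line at the bottom refers to two constants that do not exist, `Net::LDAP::Adapter` and `Net::LDAP::AuthAdapters::GSS_SPNEGO`, and requiring this file raises NameError; later patches in this series rename the require path and move the registration but never correct the module name. `Net::LDAP::AuthAdapter.new(@connection).bind(...)` instantiates the abstract base class, whose `bind` only raises, so the delegation has to target the Sasl adapter. `require 'ntlm'` inside `bind` ties a runtime code path to an optional dependency the header comment already warns about; if it stays, a missing gem should fail with a clear error at adapter selection time rather than a LoadError in the middle of a bind.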
@@ -4,6 +4,27 @@ module Net
 class LDAP
 module AuthAdapters
 class Sasl < Net::LDAP::AuthAdapter
+ #--
+ # Required parameters: :mechanism, :initial_credential and
+ # :challenge_response
+ #
+ # Mechanism is a string value that will be passed in the SASL-packet's
+ # "mechanism" field.
+ #
+ # Initial credential is most likely a string. It's passed in the initial
+ # BindRequest that goes to the server. In some protocols, it may be empty.
+ #
+ # Challenge-response is a Ruby proc that takes a single parameter and
+ # returns an object that will typically be a string. The
+ # challenge-response block is called when the server returns a
+ # BindResponse with a result code of 14 (saslBindInProgress). The
+ # challenge-response block receives a parameter containing the data
+ # returned by the server in the saslServerCreds field of the LDAP
+ # BindResponse packet. The challenge-response block may be called multiple
+ # times during the course of a SASL authentication, and each time it must
+ # return a value that will be passed back to the server as the credential
+ # data in the next BindRequest packet.
+ #++
 def bind(auth)
 mech, cred, chall = auth[:mechanism], auth[:initial_credential],
 auth[:challenge_response]
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 802e3832..e3129348 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -253,101 +253,9 @@ def bind(auth)
 require "net/ldap/auth_adapters/#{meth}"
 adapter = Net::LDAP::AuthAdapter[meth]
 adapter.new(self).bind(auth)
- # if [:simple, :anonymous, :anon].include?(meth)
- # bind_simple auth
- # elsif meth == :sasl
- # bind_sasl(auth)
- # elsif meth == :gss_spnego
- # bind_gss_spnego(auth)
- # else
- # raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{meth})"
- # end
 end
 end
 
- #--
- # Required parameters: :mechanism, :initial_credential and
- # :challenge_response
- #
- # Mechanism is a string value that will be passed in the SASL-packet's
- # "mechanism" field.
- #
- # Initial credential is most likely a string. It's passed in the initial
- # BindRequest that goes to the server. In some protocols, it may be empty.
- #
- # Challenge-response is a Ruby proc that takes a single parameter and
- # returns an object that will typically be a string. The
- # challenge-response block is called when the server returns a
- # BindResponse with a result code of 14 (saslBindInProgress). The
- # challenge-response block receives a parameter containing the data
- # returned by the server in the saslServerCreds field of the LDAP
- # BindResponse packet. The challenge-response block may be called multiple
- # times during the course of a SASL authentication, and each time it must
- # return a value that will be passed back to the server as the credential
- # data in the next BindRequest packet.
- #++
- def bind_sasl(auth)
- mech, cred, chall = auth[:mechanism], auth[:initial_credential],
- auth[:challenge_response]
- raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (mech && cred && chall)
-
- message_id = next_msgid
-
- n = 0
- loop {
- sasl = [mech.to_ber, cred.to_ber].to_ber_contextspecific(3)
- request = [
- LdapVersion.to_ber, "".to_ber, sasl
- ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
-
- write(request, nil, message_id)
- pdu = queued_read(message_id)
-
- if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
- raise Net::LDAP::NoBindResultError, "no bind result"
- end
-
- return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
- raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
-
- cred = chall.call(pdu.result_server_sasl_creds)
- }
-
- raise Net::LDAP::SASLChallengeOverflowError, "why are we here?"
- end
- private :bind_sasl
-
- #--
- # PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
- # Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to
- # integrate it without introducing an external dependency.
- #
- # This authentication method is accessed by calling #bind with a :method
- # parameter of :gss_spnego. It requires :username and :password
- # attributes, just like the :simple authentication method. It performs a
- # GSS-SPNEGO authentication with the server, which is presumed to be a
- # Microsoft Active Directory.
- #++
- def bind_gss_spnego(auth)
- require 'ntlm'
-
- user, psw = [auth[:username] || auth[:dn], auth[:password]]
- raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
-
- nego = proc { |challenge|
- t2_msg = NTLM::Message.parse(challenge)
- t3_msg = t2_msg.response({ :user => user, :password => psw },
- { :ntlmv2 => true })
- t3_msg.serialize
- }
-
- bind_sasl(:method => :sasl, :mechanism => "GSS-SPNEGO",
- :initial_credential => NTLM::Message::Type1.new.serialize,
- :challenge_response => nego)
- end
- private :bind_gss_spnego
-
-
 #--
 # Allow the caller to specify a sort control
 #
From 60edf55bacd355b4c742c6f56137fa89467bcff6 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Wed, 7 Oct 2015 20:21:44 +0900
Subject: [PATCH 10/15] Make namespace of AuthAdapater singular
---
 lib/net/ldap/{auth_adapters => auth_adapter}/gss_spnego.rb | 2 +-
 lib/net/ldap/{auth_adapters => auth_adapter}/sasl.rb | 2 +-
 lib/net/ldap/{auth_adapters => auth_adapter}/simple.rb | 2 +-
 lib/net/ldap/auth_adapters/anon.rb | 3 ---
 lib/net/ldap/auth_adapters/anonymous.rb | 3 ---
 5 files changed, 3 insertions(+), 9 deletions(-)
 rename lib/net/ldap/{auth_adapters => auth_adapter}/gss_spnego.rb (97%)
 rename lib/net/ldap/{auth_adapters => auth_adapter}/sasl.rb (99%)
 rename lib/net/ldap/{auth_adapters => auth_adapter}/simple.rb (97%)
 delete mode 100644 lib/net/ldap/auth_adapters/anon.rb
 delete mode 100644 lib/net/ldap/auth_adapters/anonymous.rb
diff --git a/lib/net/ldap/auth_adapters/gss_spnego.rb b/lib/net/ldap/auth_adapter/gss_spnego.rb
similarity index 97%
rename from lib/net/ldap/auth_adapters/gss_spnego.rb
rename to lib/net/ldap/auth_adapter/gss_spnego.rb
index 2513f150..b44b5c5e 100644
--- a/lib/net/ldap/auth_adapters/gss_spnego.rb
+++ b/lib/net/ldap/auth_adapter/gss_spnego.rb
@@ -1,5 +1,5 @@
 require 'net/ldap/auth_adapter'
-require 'net/ldap/auth_adapters/sasl'
+require 'net/ldap/auth_adapter/sasl'
 
 module Net
 class LDAP
diff --git a/lib/net/ldap/auth_adapters/sasl.rb b/lib/net/ldap/auth_adapter/sasl.rb
similarity index 99%
rename from lib/net/ldap/auth_adapters/sasl.rb
rename to lib/net/ldap/auth_adapter/sasl.rb
index c7c460c0..38e977b9 100644
--- a/lib/net/ldap/auth_adapters/sasl.rb
+++ b/lib/net/ldap/auth_adapter/sasl.rb
@@ -2,7 +2,7 @@
 
 module Net
 class LDAP
- module AuthAdapters
+ module AuthAdapter
 class Sasl < Net::LDAP::AuthAdapter
 #--
 # Required parameters: :mechanism, :initial_credential and
diff --git a/lib/net/ldap/auth_adapters/simple.rb b/lib/net/ldap/auth_adapter/simple.rb
similarity index 97%
rename from lib/net/ldap/auth_adapters/simple.rb
rename to lib/net/ldap/auth_adapter/simple.rb
index c580cf99..471878c5 100644
--- a/lib/net/ldap/auth_adapters/simple.rb
+++ b/lib/net/ldap/auth_adapter/simple.rb
@@ -2,7 +2,7 @@
 
 module Net
 class LDAP
- module AuthAdapters
+ class AuthAdapter
 class Simple < AuthAdapter
 def bind(auth)
 user, psw = if auth[:method] == :simple
diff --git a/lib/net/ldap/auth_adapters/anon.rb b/lib/net/ldap/auth_adapters/anon.rb
deleted file mode 100644
index 7cb65cb6..00000000
--- a/lib/net/ldap/auth_adapters/anon.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-require 'net/ldap/auth_adapters/simple'
-
-Net::LDAP::AuthAdapter.register(:anon, Net::LDAP::AuthAdapters::Simple)
diff --git a/lib/net/ldap/auth_adapters/anonymous.rb b/lib/net/ldap/auth_adapters/anonymous.rb
deleted file mode 100644
index 8ed42298..00000000
--- a/lib/net/ldap/auth_adapters/anonymous.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-require 'net/ldap/auth_adapters/simple'
-
-Net::LDAP::AuthAdapter.register(:anonymous, Net::LDAP::AuthAdapters::Simple)
From b56450d0ae75e94da14803057c0b4aa35dfdbbad Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Wed, 7 Oct 2015 20:27:16 +0900
Subject: [PATCH 11/15] Fix wrong adapter used in GSS_SPNEGO
---
 lib/net/ldap/auth_adapter/gss_spnego.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
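Review bot: sasl.rb now reopens the namespace as `module AuthAdapter`, but `Net::LDAP::AuthAdapter` is defined as a class in auth_adapter.rb, which this file requires first, so loading sasl.rb raises TypeError (`AuthAdapter is not a module`); the simple.rb hunk in the same patch uses `class AuthAdapter`, which is the form both files need. Deleting anon.rb and anonymous.rb also leaves `:anon` and `:anonymous` with no registration and no file for `Connection#bind`'s dynamic `require "net/ldap/auth_adapters/#{meth}"` to find, so those two bind methods fail with LoadError after this patch until they are registered somewhere else.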
diff --git a/lib/net/ldap/auth_adapter/gss_spnego.rb b/lib/net/ldap/auth_adapter/gss_spnego.rb
index b44b5c5e..5eb62a0a 100644
--- a/lib/net/ldap/auth_adapter/gss_spnego.rb
+++ b/lib/net/ldap/auth_adapter/gss_spnego.rb
@@ -29,7 +29,7 @@ def bind(auth)
 t3_msg.serialize
 }
 
- Net::LDAP::AuthAdapter.new(@connection).
+ Net::LDAP::AuthAdapter::Sasl.new(@connection).
 bind(:method => :sasl, :mechanism => "GSS-SPNEGO",
 :initial_credential => NTLM::Message::Type1.new.serialize,
 :challenge_response => nego)
From 86e4ba16fe9177bd3fce308616ef2258f4ad4d34 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Wed, 7 Oct 2015 20:39:31 +0900
Subject: [PATCH 12/15] Move registration of AuthAdapters to net/ldap
---
 lib/net/ldap.rb | 6 ++++++
 lib/net/ldap/auth_adapter/gss_spnego.rb | 2 --
 lib/net/ldap/auth_adapter/sasl.rb | 4 +---
 lib/net/ldap/auth_adapter/simple.rb | 2 --
 lib/net/ldap/connection.rb | 1 -
 5 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
index ffb48719..7c151895 100644
--- a/lib/net/ldap.rb
+++ b/lib/net/ldap.rb
@@ -27,6 +27,12 @@ class LDAP
 require 'net/ldap/connection'
 require 'net/ldap/version'
 require 'net/ldap/error'
+require 'net/ldap/auth_adapter'
+require 'net/ldap/auth_adapter/simple'
+require 'net/ldap/auth_adapter/sasl'
+
+Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
+Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
 
 # == Quick-start for the Impatient
 # === Quick Example of a user-authentication against an LDAP directory:
diff --git a/lib/net/ldap/auth_adapter/gss_spnego.rb b/lib/net/ldap/auth_adapter/gss_spnego.rb
index 5eb62a0a..e251f038 100644
--- a/lib/net/ldap/auth_adapter/gss_spnego.rb
+++ b/lib/net/ldap/auth_adapter/gss_spnego.rb
@@ -38,5 +38,3 @@ def bind(auth)
 end
 end
 end
-
-Net::LDAP::Adapter.register(:gss_spnego, Net::LDAP::AuthAdapters::GSS_SPNEGO)
diff --git a/lib/net/ldap/auth_adapter/sasl.rb b/lib/net/ldap/auth_adapter/sasl.rb
index 38e977b9..fa7315b5 100644
--- a/lib/net/ldap/auth_adapter/sasl.rb
+++ b/lib/net/ldap/auth_adapter/sasl.rb
@@ -2,7 +2,7 @@
 
 module Net
 class LDAP
- module AuthAdapter
+ class AuthAdapter
 class Sasl < Net::LDAP::AuthAdapter
 #--
 # Required parameters: :mechanism, :initial_credential and
@@ -58,5 +58,3 @@ def bind(auth)
 end
 end
 end
-
-Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapters::Sasl)
diff --git a/lib/net/ldap/auth_adapter/simple.rb b/lib/net/ldap/auth_adapter/simple.rb
index 471878c5..d01b57ae 100644
--- a/lib/net/ldap/auth_adapter/simple.rb
+++ b/lib/net/ldap/auth_adapter/simple.rb
@@ -32,5 +32,3 @@ def bind(auth)
 end
 end
 end
-
-Net::LDAP::AuthAdapter.register(:simple, Net::LDAP::AuthAdapters::Simple)
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index e3129348..f45e54a0 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -250,7 +250,6 @@ def next_msgid
 def bind(auth)
 instrument "bind.net_ldap_connection" do |payload|
 payload[:method] = meth = auth[:method]
- require "net/ldap/auth_adapters/#{meth}"
 adapter = Net::LDAP::AuthAdapter[meth]
 adapter.new(self).bind(auth)
 end
From fbb1951f41bfe42599bfe691dc276e45f09856d1 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 9 Oct 2015 05:00:07 +0900
Subject: [PATCH 13/15] Register gss_spnego when requiring 'net/ldap'
---
 lib/net/ldap.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
index 7c151895..2467663d 100644
--- a/lib/net/ldap.rb
+++ b/lib/net/ldap.rb
@@ -30,9 +30,11 @@ class LDAP
 require 'net/ldap/auth_adapter'
 require 'net/ldap/auth_adapter/simple'
 require 'net/ldap/auth_adapter/sasl'
+require 'net/ldap/auth_adapter/gss_spnego'
 
 Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
 Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
+Net::LDAP::AuthAdapter.register(:gss_spnego, Net::LDAP::AuthAdapter::Sasl)
 
 # == Quick-start for the Impatient
 # === Quick Example of a user-authentication against an LDAP directory:
From 9bf1f3003a5f20c370f8d0dbd0ce88dfdeac1434 Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Fri, 9 Oct 2015 05:35:13 +0900
Subject: [PATCH 14/15] Raise exception when specifying undefined auth method
---
 lib/net/ldap/auth_adapter.rb | 6 +++++-
 test/test_auth_adapter.rb | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 test/test_auth_adapter.rb
diff --git a/lib/net/ldap/auth_adapter.rb b/lib/net/ldap/auth_adapter.rb
index bd818dec..f74232d1 100644
--- a/lib/net/ldap/auth_adapter.rb
+++ b/lib/net/ldap/auth_adapter.rb
@@ -10,7 +10,11 @@ def self.register(names, adapter)
 end
 
 def self.[](name)
- @adapters[name]
+ a = @adapters[name]
+ if a.nil?
+ raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{name})"
+ end
+ return a
 end
 
 def initialize(conn)
diff --git a/test/test_auth_adapter.rb b/test/test_auth_adapter.rb
new file mode 100644
index 00000000..7cec57bc
--- /dev/null
+++ b/test/test_auth_adapter.rb
@@ -0,0 +1,11 @@
+require 'test_helper'
+
+class TestAuthAdapter < Test::Unit::TestCase
+ def test_undefined_auth_adapter
+ flexmock(TCPSocket).should_receive(:new).ordered.with('ldap.example.com', 379).once.and_return(nil)
+ conn = Net::LDAP::Connection.new(host: 'ldap.example.com', port: 379)
+ assert_raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (foo)" do
+ conn.bind(method: :foo)
+ end
+ end
+end
From 8be52247f156fd640b0140bd336f0d1b7be302c7 Mon Sep 17 00:00:00 2001
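Review bot: `Net::LDAP::AuthAdapter.register(:gss_spnego, Net::LDAP::AuthAdapter::Sasl)` maps `:gss_spnego` to the generic Sasl adapter even though the file required just above defines a dedicated GSS_SPNEGO adapter; `Sasl#bind` requires `:mechanism`, `:initial_credential` and `:challenge_response`, so a `:gss_spnego` bind supplying `:username`/`:password` raises BindingInformationInvalidError instead of running the NTLM negotiation. If the adapter is not ready to ship, leave the method unregistered so it fails with AuthMethodUnsupportedError; otherwise register the GSS_SPNEGO class that gss_spnego.rb defines.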
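Review bot: `a = @adapters[name]` still raises NoMethodError on nil when `[]` is called before any `register` has run, which is one of the unsupported-method cases the new check is meant to turn into AuthMethodUnsupportedError; the registry itself needs the same guard. The `if a.nil?` block and the explicit `return a` are also non-idiomatic for a three-line method; it reads better as `adapter = (@adapters || {})[name]`, `raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{name})" unless adapter`, `adapter`. A short comment on `register`, saying that `names` may be a single symbol or an array and that later registrations for the same name overwrite earlier ones, would document the contract the lookup relies on.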
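Review bot: The string passed as the second argument of `assert_raise` is test-unit's failure message, not an expected exception message, so this test passes even if the raised error's text is wrong; to pin the message, capture the exception with `err = assert_raise(Net::LDAP::AuthMethodUnsupportedError) { conn.bind(method: :foo) }` and add `assert_equal "Unsupported auth method (foo)", err.message`. The `flexmock(TCPSocket)` stub returning nil presumably only works because the lookup raises before anything is written to the socket; a one-line comment saying that no network I/O is expected here would make the intent of the stub clear.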
From: Tatsuya Sato
Date: Sat, 10 Oct 2015 06:52:02 +0900
Subject: [PATCH 15/15] GSS SPNEGO is not supported
---
 lib/net/ldap.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
index 2467663d..7c151895 100644
--- a/lib/net/ldap.rb
+++ b/lib/net/ldap.rb
@@ -30,11 +30,9 @@ class LDAP
 require 'net/ldap/auth_adapter'
 require 'net/ldap/auth_adapter/simple'
 require 'net/ldap/auth_adapter/sasl'
-require 'net/ldap/auth_adapter/gss_spnego'
 
 Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
 Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
-Net::LDAP::AuthAdapter.register(:gss_spnego, Net::LDAP::AuthAdapter::Sasl)
 
 # == Quick-start for the Impatient
 # === Quick Example of a user-authentication against an LDAP directory: