Merge branch 'ruby-ldap:master' into master

Author: frankwalentowski

Diff for: .github/workflows/test.yml

@@ -19,15 +19,13 @@ jobs:
     strategy:
       matrix:
         ruby:
-          - "2.6"
-          - "2.7"
           - "3.0"
           - "3.1"
           - "3.2"
-          - "jruby-9.3"
+          - "3.3"
           - "jruby-9.4"
-          - "truffleruby-22"
+          - "truffleruby"
     steps:
     - uses: actions/checkout@v2
     - name: Run tests with Ruby ${{ matrix.ruby }}
-      run: docker-compose run ci-${{ matrix.ruby }}
+      run: docker compose run ci-${{ matrix.ruby }}

Diff for: .rubocop_todo.yml

@@ -293,7 +293,7 @@ Metrics/BlockNesting:
 # Offense count: 11
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 443
+  Max: 451
 
 # Offense count: 20
 # Configuration parameters: AllowedMethods, AllowedPatterns.

Diff for: README.rdoc

@@ -23,7 +23,7 @@ the most recent LDAP RFCs (4510–4519, plus portions of 4520–4532).
 
 == Synopsis
 
-See {Net::LDAP on rubydoc.info}[https://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap] for documentation and usage samples.
+See {Net::LDAP on rubydoc.info}[https://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap/Net/LDAP] for documentation and usage samples.
 
 == Requirements
 

Diff for: docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 networks:
   integration_test_network:
 
@@ -24,22 +22,8 @@ services:
     volumes:
       - ./test/fixtures/ldif:/ldif:ro
 
-  ci-2.6:
-    image: ruby:2.7
-    entrypoint: /code/ci-run.sh
-    environment:
-      INTEGRATION: openldap
-      INTEGRATION_HOST: ldap.example.org
-    depends_on:
-      - openldap
-    networks:
-      integration_test_network:
-    volumes:
-      - .:/code
-    working_dir: /code
-
-  ci-2.7:
-    image: ruby:2.7
+  ci-3.0:
+    image: ruby:3.0
     entrypoint: /code/ci-run.sh
     environment:
       INTEGRATION: openldap
@@ -52,8 +36,8 @@ services:
       - .:/code
     working_dir: /code
 
-  ci-3.0:
-    image: ruby:3.0
+  ci-3.1:
+    image: ruby:3.1
     entrypoint: /code/ci-run.sh
     environment:
       INTEGRATION: openldap
@@ -66,8 +50,8 @@ services:
       - .:/code
     working_dir: /code
 
-  ci-3.1:
-    image: ruby:3.1
+  ci-3.2:
+    image: ruby:3.2
     entrypoint: /code/ci-run.sh
     environment:
       INTEGRATION: openldap
@@ -80,8 +64,8 @@ services:
       - .:/code
     working_dir: /code
 
-  ci-3.2:
-    image: ruby:3.2
+  ci-3.3:
+    image: ruby:3.3
     entrypoint: /code/ci-run.sh
     environment:
       INTEGRATION: openldap
@@ -95,8 +79,8 @@ services:
     working_dir: /code
 
   # https://github.com/flavorjones/truffleruby/pkgs/container/truffleruby
-  ci-truffleruby-22:
-    image: ghcr.io/flavorjones/truffleruby:22.3.1
+  ci-truffleruby:
+    image: ghcr.io/flavorjones/truffleruby:stable
     entrypoint: /code/ci-run.sh
     environment:
       INTEGRATION: openldap

Diff for: lib/net/ldap.rb

@@ -311,7 +311,7 @@ class Net::LDAP
     0 => :array, # RFC-2251 Control and Filter-AND
     1 => :array, # SearchFilter-OR
     2 => :array, # SearchFilter-NOT
-    3 => :array, # Seach referral
+    3 => :array, # Search referral
     4 => :array, # unknown use in Microsoft Outlook
     5 => :array, # SearchFilter-GE
     6 => :array, # SearchFilter-LE
@@ -325,7 +325,7 @@ class Net::LDAP
 
   universal = {
     constructed: {
-      107 => :array, #ExtendedResponse (PasswdModifyResponseValue)
+      107 => :string, # ExtendedResponse
     },
   }
 
@@ -341,6 +341,7 @@ class Net::LDAP
 
   StartTlsOid = '1.3.6.1.4.1.1466.20037'
   PasswdModifyOid = '1.3.6.1.4.1.4203.1.11.1'
+  WhoamiOid = '1.3.6.1.4.1.4203.1.11.3'
 
   # https://tools.ietf.org/html/rfc4511#section-4.1.9
   # https://tools.ietf.org/html/rfc4511#appendix-A
@@ -1200,6 +1201,23 @@ def delete_tree(args)
     end
   end
 
+  # Return the authorization identity of the client that issues the
+  # ldapwhoami request.  The method does not support any arguments.
+  #
+  # Returns True or False to indicate whether the request was successfull.
+  # The result is available in the extended status information when calling
+  # #get_operation_result.
+  #
+  #  ldap.ldapwhoami
+  #  puts ldap.get_operation_result.extended_response
+  def ldapwhoami(args = {})
+    instrument "ldapwhoami.net_ldap", args do |payload|
+      @result = use_connection(args, &:ldapwhoami)
+      @result.success? ? @result.extended_response : nil
+    end
+  end
+  alias_method :whoami, :ldapwhoami
+
   # This method is experimental and subject to change. Return the rootDSE
   # record from the LDAP server as a Net::LDAP::Entry, or an empty Entry if
   # the server doesn't return the record.

Diff for: lib/net/ldap/connection.rb

@@ -569,7 +569,12 @@ def modify(args)
       ops.to_ber_sequence,
     ].to_ber_appsequence(Net::LDAP::PDU::ModifyRequest)
 
-    write(request, nil, message_id)
+    controls = args.fetch(:controls, nil)
+    unless controls.nil?
+      controls = controls.to_ber_contextspecific(0)
+    end
+
+    write(request, controls, message_id)
     pdu = queued_read(message_id)
 
     if !pdu || pdu.app_tag != Net::LDAP::PDU::ModifyResponse
@@ -641,7 +646,12 @@ def add(args)
     message_id = next_msgid
     request    = [add_dn.to_ber, add_attrs.to_ber_sequence].to_ber_appsequence(Net::LDAP::PDU::AddRequest)
 
-    write(request, nil, message_id)
+    controls = args.fetch(:controls, nil)
+    unless controls.nil?
+      controls = controls.to_ber_contextspecific(0)
+    end
+
+    write(request, controls, message_id)
     pdu = queued_read(message_id)
 
     if !pdu || pdu.app_tag != Net::LDAP::PDU::AddResponse
@@ -693,6 +703,22 @@ def delete(args)
     pdu
   end
 
+  def ldapwhoami
+    ext_seq = [Net::LDAP::WhoamiOid.to_ber_contextspecific(0)]
+    request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest)
+
+    message_id = next_msgid
+
+    write(request, nil, message_id)
+    pdu = queued_read(message_id)
+
+    if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
+      raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid"
+    end
+
+    pdu
+  end
+
   # Internal: Returns a Socket like object used internally to communicate with
   # LDAP server.
   #

Diff for: lib/net/ldap/pdu.rb

@@ -194,13 +194,13 @@ def parse_ldap_result(sequence)
   #           requestValue     [1] OCTET STRING OPTIONAL }
 
   def parse_extended_response(sequence)
-    sequence.length >= 3 or raise Net::LDAP::PDU::Error, "Invalid LDAP result length."
+    sequence.length.between?(3, 5) or raise Net::LDAP::PDU::Error, "Invalid LDAP result length."
     @ldap_result = {
       :resultCode => sequence[0],
       :matchedDN => sequence[1],
       :errorMessage => sequence[2],
     }
-    @extended_response = sequence[3]
+    @extended_response = sequence.length == 3 ? nil : sequence.last
   end
   private :parse_extended_response
 

Diff for: net-ldap.gemspec

@@ -26,9 +26,10 @@ the most recent LDAP RFCs (4510-4519, plutions of 4520-4532).}
   s.homepage = %q{http://github.com/ruby-ldap/ruby-net-ldap}
   s.rdoc_options = ["--main", "README.rdoc"]
   s.require_paths = ["lib"]
-  s.required_ruby_version = ">= 2.0.0"
+  s.required_ruby_version = ">= 3.0.0"
   s.summary = %q{Net::LDAP for Ruby (also called net-ldap) implements client access for the Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for accessing distributed directory services}
 
+  s.add_dependency("ostruct")
   s.add_development_dependency("flexmock", "~> 1.3")
   s.add_development_dependency("rake", "~> 12.3.3")
   s.add_development_dependency("rubocop", "~> 1.48")

Diff for: test/integration/test_password_modify.rb

@@ -1,6 +1,13 @@
 require_relative '../test_helper'
 
 class TestPasswordModifyIntegration < LDAPIntegrationTestCase
+  # see: https://www.rfc-editor.org/rfc/rfc3062#section-2
+  PASSWORD_MODIFY_SYNTAX = Net::BER.compile_syntax(
+    application: {},
+    universal: {},
+    context_specific: { primitive: { 0 => :string } },
+  )
+
   def setup
     super
     @admin_account = { dn: 'cn=admin,dc=example,dc=org', password: 'admin', method: :simple }
@@ -49,7 +56,13 @@ def test_password_modify_generate
                                  auth: @auth,
                                  old_password: 'admin')
 
-    generated_password = @ldap.get_operation_result.extended_response[0][0]
+    passwd_modify_response_value = @ldap.get_operation_result.extended_response
+    seq = Net::BER::BerIdentifiedArray.new
+    sio = StringIO.new(passwd_modify_response_value)
+    until (e = sio.read_ber(PASSWORD_MODIFY_SYNTAX)).nil?
+      seq << e
+    end
+    generated_password = seq[0][0]
 
     assert generated_password, 'Should have generated a password'
 
@@ -64,8 +77,13 @@ def test_password_modify_generate_no_old_password
     assert @ldap.password_modify(dn: @dn,
                                  auth: @auth)
 
-    generated_password = @ldap.get_operation_result.extended_response[0][0]
-
+    passwd_modify_response_value = @ldap.get_operation_result.extended_response
+    seq = Net::BER::BerIdentifiedArray.new
+    sio = StringIO.new(passwd_modify_response_value)
+    until (e = sio.read_ber(PASSWORD_MODIFY_SYNTAX)).nil?
+      seq << e
+    end
+    generated_password = seq[0][0]
     assert generated_password, 'Should have generated a password'
 
     refute @ldap.bind(username: @dn, password: 'admin', method: :simple),

Diff for: test/test_ldap_connection.rb

@@ -502,6 +502,40 @@ def test_search_net_ldap_connection_event
     assert unread.empty?, "should not have any leftover unread messages"
   end
 
+  def test_add_with_controls
+    dacl_flag = 0x4 # DACL_SECURITY_INFORMATION
+    control_values = [dacl_flag].map(&:to_ber).to_ber_sequence.to_s.to_ber
+    controls = []
+    # LDAP_SERVER_SD_FLAGS constant definition, taken from https://ldapwiki.com/wiki/LDAP_SERVER_SD_FLAGS_OID
+    ldap_server_sd_flags = '1.2.840.113556.1.4.801'.freeze
+    controls << [ldap_server_sd_flags.to_ber, true.to_ber, control_values].to_ber_sequence
+
+    ber = Net::BER::BerIdentifiedArray.new([Net::LDAP::ResultCodeSuccess, "", ""])
+    ber.ber_identifier = Net::LDAP::PDU::AddResponse
+    @tcp_socket.should_receive(:read_ber).and_return([1, ber])
+
+    result = @connection.add(:dn => "uid=added-user1,ou=People,dc=rubyldap,dc=com", :controls => controls)
+    assert result.success?, "should be success"
+    assert_equal "", result.error_message
+  end
+
+  def test_modify_with_controls
+    dacl_flag = 0x4 # DACL_SECURITY_INFORMATION
+    control_values = [dacl_flag].map(&:to_ber).to_ber_sequence.to_s.to_ber
+    controls = []
+    # LDAP_SERVER_SD_FLAGS constant definition, taken from https://ldapwiki.com/wiki/LDAP_SERVER_SD_FLAGS_OID
+    ldap_server_sd_flags = '1.2.840.113556.1.4.801'.freeze
+    controls << [ldap_server_sd_flags.to_ber, true.to_ber, control_values].to_ber_sequence
+
+    ber = Net::BER::BerIdentifiedArray.new([Net::LDAP::ResultCodeSuccess, "", ""])
+    ber.ber_identifier = Net::LDAP::PDU::ModifyResponse
+    @tcp_socket.should_receive(:read_ber).and_return([1, ber])
+
+    result = @connection.modify(:dn => "1", :operations => [[:replace, "mail", "[email protected]"]], :controls => controls)
+    assert result.success?, "should be success"
+    assert_equal "", result.error_message
+  end
+
   def test_search_with_controls
     # search data
     search_data_ber = Net::BER::BerIdentifiedArray.new([1, [
@@ -540,4 +574,15 @@ def test_search_with_controls
     # ensure no unread
     assert unread.empty?, "should not have any leftover unread messages"
   end
+
+  def test_ldapwhoami
+    ber = Net::BER::BerIdentifiedArray.new([Net::LDAP::ResultCodeSuccess, '', '', 0, 'dn:uid=zerosteiner,ou=users,dc=example,dc=org'])
+    ber.ber_identifier = Net::LDAP::PDU::ExtendedResponse
+    response = [1, ber]
+
+    @tcp_socket.should_receive(:read_ber).and_return(response)
+
+    result = @connection.ldapwhoami
+    assert result.extended_response == 'dn:uid=zerosteiner,ou=users,dc=example,dc=org'
+  end
 end