Fix processing password modify responses

zeroSteiner · zeroSteiner · commit 7a3dbc347c07 · 2024-11-22T18:42:37.000-05:00
Per RFC4511 section 4.12, the responseValue field of an ExtendedResponse object is an optional string.
Per RFC3062 section 2, the response to a passsword modify request is a sequence.
This means the extended response must be parsed.
diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
@@ -311,7 +311,7 @@ class Net::LDAP
     0 => :array, # RFC-2251 Control and Filter-AND
     1 => :array, # SearchFilter-OR
     2 => :array, # SearchFilter-NOT
-    3 => :array, # Seach referral
+    3 => :array, # Search referral
     4 => :array, # unknown use in Microsoft Outlook
     5 => :array, # SearchFilter-GE
     6 => :array, # SearchFilter-LE
diff --git a/lib/net/ldap/pdu.rb b/lib/net/ldap/pdu.rb
@@ -200,7 +200,7 @@ def parse_extended_response(sequence)
       :matchedDN => sequence[1],
       :errorMessage => sequence[2],
     }
-    @extended_response = sequence.last
+    @extended_response = sequence.length == 3 ? nil : sequence.last
   end
   private :parse_extended_response
 
diff --git a/test/integration/test_password_modify.rb b/test/integration/test_password_modify.rb
@@ -1,6 +1,13 @@
 require_relative '../test_helper'
 
 class TestPasswordModifyIntegration < LDAPIntegrationTestCase
+  # see: https://www.rfc-editor.org/rfc/rfc3062#section-2
+  PASSWORD_MODIFY_SYNTAX = Net::BER.compile_syntax(
+    application: {},
+    universal: {},
+    context_specific: { primitive: { 0 => :string } },
+  )
+
   def setup
     super
     @admin_account = { dn: 'cn=admin,dc=example,dc=org', password: 'admin', method: :simple }
@@ -49,7 +56,13 @@ def test_password_modify_generate
                                  auth: @auth,
                                  old_password: 'admin')
 
-    generated_password = @ldap.get_operation_result.extended_response[0][0]
+    passwd_modify_response_value = @ldap.get_operation_result.extended_response
+    seq = Net::BER::BerIdentifiedArray.new
+    sio = StringIO.new(passwd_modify_response_value)
+    until (e = sio.read_ber(PASSWORD_MODIFY_SYNTAX)).nil?
+      seq << e
+    end
+    generated_password = seq[0][0]
 
     assert generated_password, 'Should have generated a password'
 
@@ -64,8 +77,13 @@ def test_password_modify_generate_no_old_password
     assert @ldap.password_modify(dn: @dn,
                                  auth: @auth)
 
-    generated_password = @ldap.get_operation_result.extended_response[0][0]
-
+    passwd_modify_response_value = @ldap.get_operation_result.extended_response
+    seq = Net::BER::BerIdentifiedArray.new
+    sio = StringIO.new(passwd_modify_response_value)
+    until (e = sio.read_ber(PASSWORD_MODIFY_SYNTAX)).nil?
+      seq << e
+    end
+    generated_password = seq[0][0]
     assert generated_password, 'Should have generated a password'
 
     refute @ldap.bind(username: @dn, password: 'admin', method: :simple),

Original file line number	Diff line number	Diff line change
`@@ -200,7 +200,7 @@ def parse_extended_response(sequence)`
`200`	`200`	`:matchedDN => sequence[1],`
`201`	`201`	`:errorMessage => sequence[2],`
`202`	`202`	`}`
`203`		`- @extended_response = sequence.last`
	`203`	`+ @extended_response = sequence.length == 3 ? nil : sequence.last`
`204`	`204`	`end`
`205`	`205`	`private :parse_extended_response`
`206`	`206`