Class: Entitlements::Backend::LDAP::Provider

Inherits:

Object

• Object
• Entitlements::Backend::LDAP::Provider

Includes:

Contracts::Core

Defined in:

lib/entitlements/backend/ldap/provider.rb

Constant Summary

C =

::Contracts

Instance Method Summary

• #delete(dn) ⇒ Object
• #initialize(ldap:) ⇒ Provider constructor

  A new instance of Provider.

• #read(dn) ⇒ Object
• #read_all(ou) ⇒ Object
• #upsert(group, override = {}) ⇒ Object

Methods included from Contracts::Core

common, extended, included

Constructor Details

#initialize(ldap:) ⇒ Provider

Returns a new instance of Provider.

# File 'lib/entitlements/backend/ldap/provider.rb', line 16

def initialize(ldap:)
  @ldap = ldap
  @groups_in_ou_cache = {}

  # Keep track of each LDAP group we have read so we do not end up re-reading
  # certain referenced groups over and over again. This is at a program-wide level. If
  # multiple backends have the same namespace this will probably break.
  Entitlements.cache[:ldap_cache] ||= {}
end

Instance Method Details

#delete(dn) ⇒ Object

# File 'lib/entitlements/backend/ldap/provider.rb', line 86

def delete(dn)
  return if ldap.delete(dn)
  raise "Unable to delete LDAP group #{dn.inspect}!"
end

#read(dn) ⇒ Object

# File 'lib/entitlements/backend/ldap/provider.rb', line 33

def read(dn)
  Entitlements.cache[:ldap_cache][dn] ||= begin
    Entitlements.logger.debug "Loading group #{dn}"

    # Look up the group by its DN.
    result = ldap.search(base: dn, scope: Net::LDAP::SearchScope_BaseObject)

    # Ensure exactly one result found.
    unless result.size == 1 && result.key?(dn)
      raise Entitlements::Data::Groups::GroupNotFoundError, "No response from LDAP for dn=#{dn}"
    end

    Entitlements::Service::LDAP.entry_to_group(result[dn])
  end
end

#read_all(ou) ⇒ Object

# File 'lib/entitlements/backend/ldap/provider.rb', line 56

def read_all(ou)
  @groups_in_ou_cache[ou] ||= begin
    Entitlements.logger.debug "Loading all groups for #{ou}"

    # Find all groups in the OU
    raw = ldap.search(
      base: ou,
      filter: Net::LDAP::Filter.eq("cn", "*"),
      scope: Net::LDAP::SearchScope_SingleLevel
    )

    # Construct a Set of DNs from the result, and also cache the content of the
    # group to avoid a future lookup.
    result = Set.new
    raw.each do |dn, entry|
      Entitlements.cache[:ldap_cache][dn] = Entitlements::Service::LDAP.entry_to_group(entry)
      result.add dn
    end

    # Return that result
    result
  end
end

#upsert(group, override = {}) ⇒ Object

# File 'lib/entitlements/backend/ldap/provider.rb', line 98

def upsert(group, override = {})
  members = group.member_strings.map { |ms| ldap.person_dn_format.gsub("%KEY%", ms) }

  attributes = {
    "uniqueMember" => members,
    "description"  => group.description || "",
    "owner"        => [ldap.binddn],
    "objectClass"  => ["groupOfUniqueNames"],
    "cn"           => group.cn
  }.merge(override)
  override.each { |key, val| attributes.delete(key) if val.nil? }

  # LDAP schema does not allow empty groups but does allow a group to be a member of itself.
  # This gets around having to commit a dummy user in case an LDAP group is empty.
  if group.member_strings.empty?
    attributes["uniqueMember"] = [group.dn]
  end

  result = ldap.upsert(dn: group.dn, attributes: attributes)
  return result if result == true
  return false if result.nil?
  raise "Unable to upsert LDAP group #{group.dn.inspect}!"
end