ldap: allow the admin to provide extra filter options

Fixes #379 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
SUSE · Dec 18, 2015 · 99daa00 · 99daa00
1 parent 09d8733
commit 99daa00
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 10 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -4,7 +4,7 @@ inherit_from:
 
 # TODO: (mssola) only the LDAP class requires this.
 Metrics/ClassLength:
-  Max: 135
+  Max: 150
 
 # TODO: (mssola) Some methods are offending this cop. In the SUSE's style guide
 # the approach is to use Rubocop's default value. In the near future I will

diff --git a/config/config.yml b/config/config.yml
@@ -39,6 +39,9 @@ ldap:
   # The base where users are located (e.g. "ou=users,dc=example,dc=com").
   base: ""
 
+  # User filter (e.g. "mail=george*").
+  filter: ""
+
   # The LDAP attribute where to search for username. The default is 'uid'.
   uid: "uid"
 

diff --git a/lib/portus/ldap.rb b/lib/portus/ldap.rb
@@ -121,9 +121,17 @@ def bind_options
     # Returns the hash to be used in order to search for a user in the LDAP
     # server.
     def search_options
+      # First provide the filters: uid + the user-defined filter.
+      uid = APP_CONFIG["ldap"]["uid"]
+      filter = Net::LDAP::Filter.equals(uid, username)
+      provided = APP_CONFIG["ldap"]["filter"]
+      unless provided.blank?
+        provided_filter = Net::LDAP::Filter.construct(provided)
+        filter = Net::LDAP::Filter.join(filter, provided_filter)
+      end
+
       {}.tap do |opts|
-        uid = APP_CONFIG["ldap"]["uid"]
-        opts[:filter] = "(#{uid}=#{username})"
+        opts[:filter] = filter
         opts[:base]   = APP_CONFIG["ldap"]["base"] unless APP_CONFIG["ldap"]["base"].empty?
       end
     end

diff --git a/packaging/suse/portusctl/lib/configurator.rb b/packaging/suse/portusctl/lib/configurator.rb
@@ -1,5 +1,3 @@
-# rubocop:disable Metrics/ClassLength
-
 # Class taking care of configuring the system according to
 # what the user specified on the command line
 class Configurator
@@ -186,5 +184,3 @@ def database_local?
     @options["db-host"] == "localhost" || @options["db-host"] == HOSTNAME
   end
 end
-
-# rubocop:enable Metrics/ClassLength
diff --git a/spec/lib/portus/ldap_spec.rb b/spec/lib/portus/ldap_spec.rb
@@ -185,20 +185,25 @@ def load_configuration_test
     lm = LdapMock.new(username: "name", password: "1234")
     opts = lm.bind_options_test
     expect(opts.size).to eq 2
-    expect(opts[:filter]).to eq "(uid=name)"
+    expect(opts[:filter].to_s).to eq "(uid=name)"
     expect(opts[:password]).to eq "1234"
 
     APP_CONFIG["ldap"] = ldap_config
     opts = lm.bind_options_test
     expect(opts.size).to eq 3
-    expect(opts[:filter]).to eq "(uid=name)"
+    expect(opts[:filter].to_s).to eq "(uid=name)"
     expect(opts[:password]).to eq "1234"
     expect(opts[:base]).to eq "ou=users,dc=example,dc=com"
 
     APP_CONFIG["ldap"] = { "enabled" => true, "base" => "", "uid" => "foo" }
     lm = LdapMock.new(username: "name", password: "12341234")
     opts = lm.bind_options_test
-    expect(opts[:filter]).to eq "(foo=name)"
+    expect(opts[:filter].to_s).to eq "(foo=name)"
+
+    APP_CONFIG["ldap"] = { "enabled" => true, "base" => "", "uid" => "foo", "filter" => "mail=g*" }
+    lm = LdapMock.new(username: "name", password: "12341234")
+    opts = lm.bind_options_test
+    expect(opts[:filter].to_s).to eq "(&(foo=name)(mail=g*))"
   end
 
   describe "#find_or_create_user!" do