From a3ec58dacf0d390512144d79c8972de2c41fc60b Mon Sep 17 00:00:00 2001 From: Michael Kozono Date: Sun, 17 Sep 2017 23:13:45 -0700 Subject: [PATCH] Downcase normalized LDAP DNs and UIDs --- lib/gitlab/ldap/person.rb | 2 +- spec/lib/gitlab/ldap/auth_hash_spec.rb | 12 ++- spec/lib/gitlab/ldap/person_spec.rb | 116 ++++++++++++------------- 3 files changed, 69 insertions(+), 61 deletions(-) diff --git a/lib/gitlab/ldap/person.rb b/lib/gitlab/ldap/person.rb index 267514d0fcd..d2d6aedba0f 100644 --- a/lib/gitlab/ldap/person.rb +++ b/lib/gitlab/ldap/person.rb @@ -100,7 +100,7 @@ module Gitlab private def self.normalize_dn_part(part) - cleaned = part.strip + cleaned = part.strip.downcase if cleaned.ends_with?('\\') # If it ends with an escape character that is not followed by a diff --git a/spec/lib/gitlab/ldap/auth_hash_spec.rb b/spec/lib/gitlab/ldap/auth_hash_spec.rb index a4bd40705df..1785094af10 100644 --- a/spec/lib/gitlab/ldap/auth_hash_spec.rb +++ b/spec/lib/gitlab/ldap/auth_hash_spec.rb @@ -68,10 +68,18 @@ describe Gitlab::LDAP::AuthHash do describe '#uid' do context 'when there is extraneous (but valid) whitespace' do - let(:given_uid) { 'uid =John Smith , ou = People, dc= example,dc =com' } + let(:given_uid) { 'uid =john smith , ou = people, dc= example,dc =com' } it 'removes the extraneous whitespace' do - expect(auth_hash.uid).to eq('uid=John Smith,ou=People,dc=example,dc=com') + expect(auth_hash.uid).to eq('uid=john smith,ou=people,dc=example,dc=com') + end + end + + context 'when there are upper case characters' do + let(:given_uid) { 'UID=John Smith,ou=People,dc=example,dc=com' } + + it 'downcases' do + expect(auth_hash.uid).to eq('uid=john smith,ou=people,dc=example,dc=com') end end end diff --git a/spec/lib/gitlab/ldap/person_spec.rb b/spec/lib/gitlab/ldap/person_spec.rb index 58e63b52631..c2294e63171 100644 --- a/spec/lib/gitlab/ldap/person_spec.rb +++ b/spec/lib/gitlab/ldap/person_spec.rb 
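Review bot: `part.strip.downcase` in `normalize_dn_part` lowercases attribute values as well as attribute types, so two directory entries whose DNs differ only in letter case now normalize to the same string. That is correct only where every naming attribute uses a case-insensitive matching rule, which depends on the directory schema and is not visible here. If the normalized DN is used to look up or link accounts, the assumption deserves a comment above the line, e.g. `# Assumes case-insensitive DN matching; DNs differing only by case normalize to the same value.` Identifiers stored in mixed case before this change would presumably need the same normalization for comparisons to keep matching, and the three files in this patch do not include such a step. The body of `normalize_dn_part` continues past the end of the hunk.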
@@ -26,24 +26,24 @@ describe Gitlab::LDAP::Person do # I am not sure if it matters to us or anyone else, so rather than dig # through RFCs, I am only documenting the behavior here. where(:test_description, :given, :expected) do - 'strips extraneous whitespace' | 'uid =John Smith , ou = People, dc= example,dc =com' | 'uid=John Smith,ou=People,dc=example,dc=com' - 'strips extraneous whitespace for a DN with a single RDN' | 'uid = John Smith' | 'uid=John Smith' - 'strips extraneous whitespace without changing escaped characters' | 'uid = Sebasti\\c3\\a1n\\ C.\\20Smith\\ , ou=People (aka. \\22humans\\") ,dc=example, dc=com' | 'uid=Sebasti\\c3\\a1n\\ C.\\20Smith\\ ,ou=People (aka. \\22humans\\"),dc=example,dc=com' - 'strips extraneous whitespace without modifying the multivalued RDN' | 'uid = John Smith + telephoneNumber = +1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=John Smith+telephoneNumber=+1 555-555-5555,ou=People,dc=example,dc=com' - 'strips the space after the plus sign in the telephoneNumber' | 'uid = John Smith + telephoneNumber = + 1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=John Smith+telephoneNumber=+1 555-555-5555,ou=People,dc=example,dc=com' + 'strips extraneous whitespace' | 'uid =John Smith , ou = People, dc= example,dc =com' | 'uid=john smith,ou=people,dc=example,dc=com' + 'strips extraneous whitespace for a DN with a single RDN' | 'uid = John Smith' | 'uid=john smith' + 'strips extraneous whitespace without changing escaped characters' | 'uid = Sebasti\\c3\\a1n\\ C.\\20Smith\\ , ou=People (aka. \\22humans\\") ,dc=example, dc=com' | 'uid=sebasti\\c3\\a1n\\ c.\\20smith\\ ,ou=people (aka. 
\\22humans\\"),dc=example,dc=com' + 'strips extraneous whitespace without modifying the multivalued RDN' | 'uid = John Smith + telephoneNumber = +1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=john smith+telephonenumber=+1 555-555-5555,ou=people,dc=example,dc=com' + 'strips the space after the plus sign in the telephoneNumber' | 'uid = John Smith + telephoneNumber = + 1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=john smith+telephonenumber=+1 555-555-5555,ou=people,dc=example,dc=com' + 'downcases the whole string' | 'UID=John Smith,ou=People,dc=example,dc=com' | 'uid=john smith,ou=people,dc=example,dc=com' 'for a null DN (empty string), returns empty string and does not error' | '' | '' - 'does not strip the escaped leading space in an attribute value (and does not error like Net::LDAP::DN.new does)' | 'uid=\\ John Smith,ou=People,dc=example,dc=com' | 'uid=\\ John Smith,ou=People,dc=example,dc=com' - 'does not strip the escaped trailing space in an attribute value' | 'uid=John Smith\\ ,ou=People,dc=example,dc=com' | 'uid=John Smith\\ ,ou=People,dc=example,dc=com' - 'does not strip the escaped leading newline in an attribute value' | 'uid=\\\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\\\nJohn Smith,ou=People,dc=example,dc=com' - 'does not strip the escaped trailing newline in an attribute value' | 'uid=John Smith\\\n,ou=People,dc=example,dc=com' | 'uid=John Smith\\\n,ou=People,dc=example,dc=com' - 'does not strip the unescaped leading newline in an attribute value' | 'uid=\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\nJohn Smith,ou=People,dc=example,dc=com' - 'does not strip the unescaped trailing newline in an attribute value' | 'uid=John Smith\n ,ou=People,dc=example,dc=com' | 'uid=John Smith\n,ou=People,dc=example,dc=com' - 'does not modify casing' | 'UID=John Smith,ou=People,dc=example,dc=com' | 'UID=John Smith,ou=People,dc=example,dc=com' - 'does not strip non whitespace' | 'uid=John Smith,ou=People,dc=example,dc=com' | 'uid=John 
Smith,ou=People,dc=example,dc=com' + 'does not strip the escaped leading space in an attribute value (and does not error like Net::LDAP::DN.new does)' | 'uid=\\ John Smith,ou=People,dc=example,dc=com' | 'uid=\\ john smith,ou=people,dc=example,dc=com' + 'does not strip the escaped trailing space in an attribute value' | 'uid=John Smith\\ ,ou=People,dc=example,dc=com' | 'uid=john smith\\ ,ou=people,dc=example,dc=com' + 'does not strip the escaped leading newline in an attribute value' | 'uid=\\\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\\\njohn smith,ou=people,dc=example,dc=com' + 'does not strip the escaped trailing newline in an attribute value' | 'uid=John Smith\\\n,ou=People,dc=example,dc=com' | 'uid=john smith\\\n,ou=people,dc=example,dc=com' + 'does not strip the unescaped leading newline in an attribute value' | 'uid=\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\njohn smith,ou=people,dc=example,dc=com' + 'does not strip the unescaped trailing newline in an attribute value' | 'uid=John Smith\n ,ou=People,dc=example,dc=com' | 'uid=john smith\n,ou=people,dc=example,dc=com' + 'does not strip non whitespace' | 'uid=John Smith,ou=People,dc=example,dc=com' | 'uid=john smith,ou=people,dc=example,dc=com' 'does not treat escaped equal signs as attribute delimiters' | 'uid= foo \\= bar' | 'uid=foo \\= bar' - 'does not treat escaped hex equal signs as attribute delimiters' | 'uid= foo \\3D bar' | 'uid=foo \\3D bar' - 'does not treat escaped commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\, CA' | 'uid=John C. Smith,ou=San Francisco\\, CA' - 'does not treat escaped hex commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\2C CA' | 'uid=John C. Smith,ou=San Francisco\\2C CA' + 'does not treat escaped hex equal signs as attribute delimiters' | 'uid= foo \\3D bar' | 'uid=foo \\3d bar' + 'does not treat escaped commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\, CA' | 'uid=john c. 
smith,ou=san francisco\\, ca' + 'does not treat escaped hex commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\2C CA' | 'uid=john c. smith,ou=san francisco\\2c ca' end with_them do 
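Review bot: The `where` table has no row with a non-ASCII letter outside an escape sequence, so the spec does not pin how `downcase` treats such values. `String#downcase` folds only ASCII letters before Ruby 2.4 and applies Unicode case mapping from 2.4 on, which makes the normalized form depend on the interpreter version. A hex-escaped upper-case letter is also left unchanged apart from its hex digits, so the escaped and literal spellings of the same character can normalize differently. A row such as `'documents handling of unescaped non-ASCII upper case' | 'uid=SEBASTIÁN' | <value produced on the supported Ruby>` would record the behaviour. The same gap is in the tables of the hunks at -55, -82 and -114.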
@@ -55,20 +55,20 @@ describe Gitlab::LDAP::Person do context 'given a UID' do where(:test_description, :given, :expected) do - 'strips extraneous whitespace' | ' John C. Smith ' | 'John C. Smith' - 'strips extraneous whitespace without changing escaped characters' | ' Sebasti\\c3\\a1n\\ C.\\20Smith\\ ' | 'Sebasti\\c3\\a1n\\ C.\\20Smith\\ ' - 'does not strip the escaped leading space in an attribute value' | ' \\ John Smith ' | '\\ John Smith' - 'does not strip the escaped trailing space in an attribute value' | ' John Smith\\ ' | 'John Smith\\ ' - 'does not strip the escaped leading newline in an attribute value' | ' \\\nJohn Smith ' | '\\\nJohn Smith' - 'does not strip the escaped trailing newline in an attribute value' | ' John Smith\\\n ' | 'John Smith\\\n' - 'does not strip the unescaped leading newline in an attribute value' | ' \nJohn Smith ' | '\nJohn Smith' - 'does not strip the unescaped trailing newline in an attribute value' | ' John Smith\n ' | 'John Smith\n' - 'does not modify casing' | ' John Smith ' | 'John Smith' - 'does not strip non whitespace' | 'John Smith' | 'John Smith' + 'strips extraneous whitespace' | ' John C. Smith ' | 'john c. 
smith' + 'strips extraneous whitespace without changing escaped characters' | ' Sebasti\\c3\\a1n\\ C.\\20Smith\\ ' | 'sebasti\\c3\\a1n\\ c.\\20smith\\ ' + 'downcases the whole string' | 'John Smith' | 'john smith' + 'does not strip the escaped leading space in an attribute value' | ' \\ John Smith ' | '\\ john smith' + 'does not strip the escaped trailing space in an attribute value' | ' John Smith\\ ' | 'john smith\\ ' + 'does not strip the escaped leading newline in an attribute value' | ' \\\nJohn Smith ' | '\\\njohn smith' + 'does not strip the escaped trailing newline in an attribute value' | ' John Smith\\\n ' | 'john smith\\\n' + 'does not strip the unescaped leading newline in an attribute value' | ' \nJohn Smith ' | '\njohn smith' + 'does not strip the unescaped trailing newline in an attribute value' | ' John Smith\n ' | 'john smith\n' + 'does not strip non whitespace' | 'John Smith' | 'john smith' 'does not treat escaped equal signs as attribute delimiters' | ' foo \\= bar' | 'foo \\= bar' - 'does not treat escaped hex equal signs as attribute delimiters' | ' foo \\3D bar' | 'foo \\3D bar' - 'does not treat escaped commas as attribute delimiters' | ' Smith\\, John C.' | 'Smith\\, John C.' - 'does not treat escaped hex commas as attribute delimiters' | ' Smith\\2C John C.' | 'Smith\\2C John C.' + 'does not treat escaped hex equal signs as attribute delimiters' | ' foo \\3D bar' | 'foo \\3d bar' + 'does not treat escaped commas as attribute delimiters' | ' Smith\\, John C.' | 'smith\\, john c.' + 'does not treat escaped hex commas as attribute delimiters' | ' Smith\\2C John C.' | 'smith\\2c john c.' end with_them do 
@@ -82,20 +82,20 @@ describe Gitlab::LDAP::Person do describe '.normalize_uid' do context 'given a UID' do where(:test_description, :given, :expected) do - 'strips extraneous whitespace' | ' John C. Smith ' | 'John C. Smith' - 'strips extraneous whitespace without changing escaped characters' | ' Sebasti\\c3\\a1n\\ C.\\20Smith\\ ' | 'Sebasti\\c3\\a1n\\ C.\\20Smith\\ ' - 'does not strip the escaped leading space in an attribute value' | ' \\ John Smith ' | '\\ John Smith' - 'does not strip the escaped trailing space in an attribute value' | ' John Smith\\ ' | 'John Smith\\ ' - 'does not strip the escaped leading newline in an attribute value' | ' \\\nJohn Smith ' | '\\\nJohn Smith' - 'does not strip the escaped trailing newline in an attribute value' | ' John Smith\\\n ' | 'John Smith\\\n' - 'does not strip the unescaped leading newline in an attribute value' | ' \nJohn Smith ' | '\nJohn Smith' - 'does not strip the unescaped trailing newline in an attribute value' | ' John Smith\n ' | 'John Smith\n' - 'does not modify casing' | ' John Smith ' | 'John Smith' - 'does not strip non whitespace' | 'John Smith' | 'John Smith' + 'strips extraneous whitespace' | ' John C. Smith ' | 'john c. 
smith' + 'strips extraneous whitespace without changing escaped characters' | ' Sebasti\\c3\\a1n\\ C.\\20Smith\\ ' | 'sebasti\\c3\\a1n\\ c.\\20smith\\ ' + 'downcases the whole string' | 'John Smith' | 'john smith' + 'does not strip the escaped leading space in an attribute value' | ' \\ John Smith ' | '\\ john smith' + 'does not strip the escaped trailing space in an attribute value' | ' John Smith\\ ' | 'john smith\\ ' + 'does not strip the escaped leading newline in an attribute value' | ' \\\nJohn Smith ' | '\\\njohn smith' + 'does not strip the escaped trailing newline in an attribute value' | ' John Smith\\\n ' | 'john smith\\\n' + 'does not strip the unescaped leading newline in an attribute value' | ' \nJohn Smith ' | '\njohn smith' + 'does not strip the unescaped trailing newline in an attribute value' | ' John Smith\n ' | 'john smith\n' + 'does not strip non whitespace' | 'John Smith' | 'john smith' 'does not treat escaped equal signs as attribute delimiters' | ' foo \\= bar' | 'foo \\= bar' - 'does not treat escaped hex equal signs as attribute delimiters' | ' foo \\3D bar' | 'foo \\3D bar' - 'does not treat escaped commas as attribute delimiters' | ' Smith\\, John C.' | 'Smith\\, John C.' - 'does not treat escaped hex commas as attribute delimiters' | ' Smith\\2C John C.' | 'Smith\\2C John C.' + 'does not treat escaped hex equal signs as attribute delimiters' | ' foo \\3D bar' | 'foo \\3d bar' + 'does not treat escaped commas as attribute delimiters' | ' Smith\\, John C.' | 'smith\\, john c.' + 'does not treat escaped hex commas as attribute delimiters' | ' Smith\\2C John C.' | 'smith\\2c john c.' end with_them do 
@@ -114,24 +114,24 @@ describe Gitlab::LDAP::Person do # I am not sure if it matters to us or anyone else, so rather than dig # through RFCs, I am only documenting the behavior here. where(:test_description, :given, :expected) do - 'strips extraneous whitespace' | 'uid =John Smith , ou = People, dc= example,dc =com' | 'uid=John Smith,ou=People,dc=example,dc=com' - 'strips extraneous whitespace for a DN with a single RDN' | 'uid = John Smith' | 'uid=John Smith' - 'strips extraneous whitespace without changing escaped characters' | 'uid = Sebasti\\c3\\a1n\\ C.\\20Smith\\ , ou=People (aka. \\22humans\\") ,dc=example, dc=com' | 'uid=Sebasti\\c3\\a1n\\ C.\\20Smith\\ ,ou=People (aka. \\22humans\\"),dc=example,dc=com' - 'strips extraneous whitespace without modifying the multivalued RDN' | 'uid = John Smith + telephoneNumber = +1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=John Smith+telephoneNumber=+1 555-555-5555,ou=People,dc=example,dc=com' - 'strips the space after the plus sign in the telephoneNumber' | 'uid = John Smith + telephoneNumber = + 1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=John Smith+telephoneNumber=+1 555-555-5555,ou=People,dc=example,dc=com' + 'strips extraneous whitespace' | 'uid =John Smith , ou = People, dc= example,dc =com' | 'uid=john smith,ou=people,dc=example,dc=com' + 'strips extraneous whitespace for a DN with a single RDN' | 'uid = John Smith' | 'uid=john smith' + 'strips extraneous whitespace without changing escaped characters' | 'uid = Sebasti\\c3\\a1n\\ C.\\20Smith\\ , ou=People (aka. \\22humans\\") ,dc=example, dc=com' | 'uid=sebasti\\c3\\a1n\\ c.\\20smith\\ ,ou=people (aka. 
\\22humans\\"),dc=example,dc=com' + 'strips extraneous whitespace without modifying the multivalued RDN' | 'uid = John Smith + telephoneNumber = +1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=john smith+telephonenumber=+1 555-555-5555,ou=people,dc=example,dc=com' + 'strips the space after the plus sign in the telephoneNumber' | 'uid = John Smith + telephoneNumber = + 1 555-555-5555 , ou = People,dc=example,dc=com' | 'uid=john smith+telephonenumber=+1 555-555-5555,ou=people,dc=example,dc=com' + 'downcases the whole string' | 'UID=John Smith,ou=People,dc=example,dc=com' | 'uid=john smith,ou=people,dc=example,dc=com' 'for a null DN (empty string), returns empty string and does not error' | '' | '' - 'does not strip the escaped leading space in an attribute value (and does not error like Net::LDAP::DN.new does)' | 'uid=\\ John Smith,ou=People,dc=example,dc=com' | 'uid=\\ John Smith,ou=People,dc=example,dc=com' - 'does not strip the escaped trailing space in an attribute value' | 'uid=John Smith\\ ,ou=People,dc=example,dc=com' | 'uid=John Smith\\ ,ou=People,dc=example,dc=com' - 'does not strip the escaped leading newline in an attribute value' | 'uid=\\\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\\\nJohn Smith,ou=People,dc=example,dc=com' - 'does not strip the escaped trailing newline in an attribute value' | 'uid=John Smith\\\n,ou=People,dc=example,dc=com' | 'uid=John Smith\\\n,ou=People,dc=example,dc=com' - 'does not strip the unescaped leading newline in an attribute value' | 'uid=\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\nJohn Smith,ou=People,dc=example,dc=com' - 'does not strip the unescaped trailing newline in an attribute value' | 'uid=John Smith\n ,ou=People,dc=example,dc=com' | 'uid=John Smith\n,ou=People,dc=example,dc=com' - 'does not modify casing' | 'UID=John Smith,ou=People,dc=example,dc=com' | 'UID=John Smith,ou=People,dc=example,dc=com' - 'does not strip non whitespace' | 'uid=John Smith,ou=People,dc=example,dc=com' | 'uid=John 
Smith,ou=People,dc=example,dc=com' + 'does not strip the escaped leading space in an attribute value (and does not error like Net::LDAP::DN.new does)' | 'uid=\\ John Smith,ou=People,dc=example,dc=com' | 'uid=\\ john smith,ou=people,dc=example,dc=com' + 'does not strip the escaped trailing space in an attribute value' | 'uid=John Smith\\ ,ou=People,dc=example,dc=com' | 'uid=john smith\\ ,ou=people,dc=example,dc=com' + 'does not strip the escaped leading newline in an attribute value' | 'uid=\\\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\\\njohn smith,ou=people,dc=example,dc=com' + 'does not strip the escaped trailing newline in an attribute value' | 'uid=John Smith\\\n,ou=People,dc=example,dc=com' | 'uid=john smith\\\n,ou=people,dc=example,dc=com' + 'does not strip the unescaped leading newline in an attribute value' | 'uid=\nJohn Smith,ou=People,dc=example,dc=com' | 'uid=\njohn smith,ou=people,dc=example,dc=com' + 'does not strip the unescaped trailing newline in an attribute value' | 'uid=John Smith\n ,ou=People,dc=example,dc=com' | 'uid=john smith\n,ou=people,dc=example,dc=com' + 'does not strip non whitespace' | 'uid=John Smith,ou=People,dc=example,dc=com' | 'uid=john smith,ou=people,dc=example,dc=com' 'does not treat escaped equal signs as attribute delimiters' | 'uid= foo \\= bar' | 'uid=foo \\= bar' - 'does not treat escaped hex equal signs as attribute delimiters' | 'uid= foo \\3D bar' | 'uid=foo \\3D bar' - 'does not treat escaped commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\, CA' | 'uid=John C. Smith,ou=San Francisco\\, CA' - 'does not treat escaped hex commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\2C CA' | 'uid=John C. Smith,ou=San Francisco\\2C CA' + 'does not treat escaped hex equal signs as attribute delimiters' | 'uid= foo \\3D bar' | 'uid=foo \\3d bar' + 'does not treat escaped commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\, CA' | 'uid=john c. 
smith,ou=san francisco\\, ca' + 'does not treat escaped hex commas as attribute delimiters' | 'uid= John C. Smith, ou=San Francisco\\2C CA' | 'uid=john c. smith,ou=san francisco\\2c ca' end with_them do