Fix processing password modify responses

Per RFC4511 section 4.12, the responseValue field of an ExtendedResponse object is an optional string. Per RFC3062 section 2, the response to a passsword modify request is a sequence. This means the extended response must be parsed.
ruby-ldap · Nov 22, 2024 · 3f33379 · 3f33379
1 parent c3320a0
commit 3f33379
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 6 deletions.
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -293,7 +293,7 @@ Metrics/BlockNesting:
 # Offense count: 11
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 443
+  Max: 451
 
 # Offense count: 20
 # Configuration parameters: AllowedMethods, AllowedPatterns.

diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
@@ -311,7 +311,7 @@ class Net::LDAP
     0 => :array, # RFC-2251 Control and Filter-AND
     1 => :array, # SearchFilter-OR
     2 => :array, # SearchFilter-NOT
-    3 => :array, # Seach referral
+    3 => :array, # Search referral
     4 => :array, # unknown use in Microsoft Outlook
     5 => :array, # SearchFilter-GE
     6 => :array, # SearchFilter-LE

diff --git a/lib/net/ldap/pdu.rb b/lib/net/ldap/pdu.rb
@@ -200,7 +200,7 @@ def parse_extended_response(sequence)
       :matchedDN => sequence[1],
       :errorMessage => sequence[2],
     }
-    @extended_response = sequence.last
+    @extended_response = sequence.length == 3 ? nil : sequence.last
   end
   private :parse_extended_response
 

diff --git a/test/integration/test_password_modify.rb b/test/integration/test_password_modify.rb
@@ -1,6 +1,13 @@
 require_relative '../test_helper'
 
 class TestPasswordModifyIntegration < LDAPIntegrationTestCase
+  # see: https://www.rfc-editor.org/rfc/rfc3062#section-2
+  PASSWORD_MODIFY_SYNTAX = Net::BER.compile_syntax(
+    application: {},
+    universal: {},
+    context_specific: { primitive: { 0 => :string } },
+  )
+
   def setup
     super
     @admin_account = { dn: 'cn=admin,dc=example,dc=org', password: 'admin', method: :simple }
@@ -49,7 +56,13 @@ def test_password_modify_generate
                                  auth: @auth,
                                  old_password: 'admin')
 
-    generated_password = @ldap.get_operation_result.extended_response[0][0]
+    passwd_modify_response_value = @ldap.get_operation_result.extended_response
+    seq = Net::BER::BerIdentifiedArray.new
+    sio = StringIO.new(passwd_modify_response_value)
+    until (e = sio.read_ber(PASSWORD_MODIFY_SYNTAX)).nil?
+      seq << e
+    end
+    generated_password = seq[0][0]
 
     assert generated_password, 'Should have generated a password'
 
@@ -64,8 +77,13 @@ def test_password_modify_generate_no_old_password
     assert @ldap.password_modify(dn: @dn,
                                  auth: @auth)
 
-    generated_password = @ldap.get_operation_result.extended_response[0][0]
-
+    passwd_modify_response_value = @ldap.get_operation_result.extended_response
+    seq = Net::BER::BerIdentifiedArray.new
+    sio = StringIO.new(passwd_modify_response_value)
+    until (e = sio.read_ber(PASSWORD_MODIFY_SYNTAX)).nil?
+      seq << e
+    end
+    generated_password = seq[0][0]
     assert generated_password, 'Should have generated a password'
 
     refute @ldap.bind(username: @dn, password: 'admin', method: :simple),