Class: Identizer::DirectoryEntry

Inherits:

Object

• Object
• Identizer::DirectoryEntry

Defined in:

lib/identizer/directory_entry.rb

Overview

An LDAP-flavoured directory entry: an attribute bag (uid, cn, sn, givenName, mail, ou, memberOf, …) with a computed DN. This is the unit the directory stores and the web admin edits. ‘to_identity` projects it onto the token- facing Identity, mapping LDAP attributes to standard OIDC claims.

Constant Summary

DEFAULT_BASE_DN =

"dc=identizer,dc=local"

DEFAULT_OU =

"people"

CLAIM_MAP =

LDAP attribute -> OIDC claim mapping for the token projection.

{
  "givenName" => "given_name",
  "sn" => "family_name",
  "cn" => "name",
  "memberOf" => "groups",
  "uid" => "preferred_username"
}.freeze

EDITABLE_ATTRIBUTES =

Attributes surfaced as editable fields in the web admin (in order).

%w[mail uid givenName sn cn ou memberOf].freeze

Instance Attribute Summary

• #attributes ⇒ Object readonly

  Returns the value of attribute attributes.

Class Method Summary

• .from(value, base_dn: DEFAULT_BASE_DN) ⇒ Object

Instance Method Summary

• #[](key) ⇒ Object
• #custom_attributes ⇒ Object

  Attributes beyond the standard editable set — provider-specific names a SP might expect (e.g. custom_1, department).

• #dn ⇒ Object
• #groups ⇒ Object
• #initialize(attributes = {}, base_dn: DEFAULT_BASE_DN) ⇒ DirectoryEntry constructor

  A new instance of DirectoryEntry.

• #mail ⇒ Object
• #ou ⇒ Object
• #to_h ⇒ Object
• #to_identity ⇒ Object

  Token-facing projection: email + OIDC-mapped claims (+ dn).

• #uid ⇒ Object

Constructor Details

#initialize(attributes = {}, base_dn: DEFAULT_BASE_DN) ⇒ DirectoryEntry

Returns a new instance of DirectoryEntry.

# File 'lib/identizer/directory_entry.rb', line 26

def initialize(attributes = {}, base_dn: DEFAULT_BASE_DN)
  @base_dn = base_dn
  @attributes = normalize(attributes)
  backfill!
end

Instance Attribute Details

#attributes ⇒ Object (readonly)

Returns the value of attribute attributes.

# File 'lib/identizer/directory_entry.rb', line 24

def attributes
  @attributes
end

Class Method Details

.from(value, base_dn: DEFAULT_BASE_DN) ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 32

def self.from(value, base_dn: DEFAULT_BASE_DN)
  return value if value.is_a?(DirectoryEntry)

  attributes = value.is_a?(Hash) ? value : { "mail" => value }
  new(attributes, base_dn: base_dn)
end

Instance Method Details

#[](key) ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 39

def [](key)
  @attributes[key.to_s]
end

#custom_attributes ⇒ Object

Attributes beyond the standard editable set — provider-specific names a SP might expect (e.g. custom_1, department). Emitted verbatim as claims.

# File 'lib/identizer/directory_entry.rb', line 50

def custom_attributes
  @attributes.except(*EDITABLE_ATTRIBUTES)
end

#dn ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 54

def dn
  "uid=#{uid},ou=#{ou},#{@base_dn}"
end

#groups ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 46

def groups = Array(self["memberOf"]).reject { |group| group.to_s.empty? }

#mail ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 43

def mail = self["mail"]

#ou ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 45

def ou = self["ou"] || DEFAULT_OU

#to_h ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 69

def to_h
  @attributes
end

#to_identity ⇒ Object

Token-facing projection: email + OIDC-mapped claims (+ dn).

# File 'lib/identizer/directory_entry.rb', line 59

def to_identity
  claims = { "dn" => dn }
  @attributes.each do |key, value|
    next if %w[mail userPassword].include?(key)

    claims[CLAIM_MAP[key] || key] = value
  end
  Identity.new(email: mail, sub: dn, claims: claims)
end

#uid ⇒ Object

# File 'lib/identizer/directory_entry.rb', line 44

def uid = self["uid"]