djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/upstreamldap/upstreamldap_test.go

1365 lines
52 KiB
Go
Raw Normal View History

ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package upstreamldap
import (
"context"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"crypto/tls"
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
"errors"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"fmt"
"net"
"net/http"
"net/url"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
"testing"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"github.com/go-ldap/ldap/v3"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
"github.com/golang/mock/gomock"
"github.com/stretchr/testify/require"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"go.pinniped.dev/internal/mocks/mockldapconn"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"go.pinniped.dev/internal/testutil"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
const (
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testHost = "ldap.example.com:8443"
testBindUsername = "cn=some-bind-username,dc=pinniped,dc=dev"
testBindPassword = "some-bind-password"
testUpstreamUsername = "some-upstream-username"
testUpstreamPassword = "some-upstream-password"
testUserSearchBase = "some-upstream-user-base-dn"
testGroupSearchBase = "some-upstream-group-base-dn"
testUserSearchFilter = "some-user-filter={}-and-more-filter={}"
testGroupSearchFilter = "some-group-filter={}-and-more-filter={}"
testUserSearchUsernameAttribute = "some-upstream-username-attribute"
testUserSearchUIDAttribute = "some-upstream-uid-attribute"
testGroupSearchGroupNameAttribute = "some-upstream-group-name-attribute"
testUserSearchResultDNValue = "some-upstream-user-dn"
testGroupSearchResultDNValue1 = "some-upstream-group-dn1"
testGroupSearchResultDNValue2 = "some-upstream-group-dn2"
testUserSearchResultUsernameAttributeValue = "some-upstream-username-value"
testUserSearchResultUIDAttributeValue = "some-upstream-uid-value"
testGroupSearchResultGroupNameAttributeValue1 = "some-upstream-group-name-value1"
testGroupSearchResultGroupNameAttributeValue2 = "some-upstream-group-name-value2"
expectedGroupSearchPageSize = uint32(250)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
var (
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testUserSearchFilterInterpolated = fmt.Sprintf("(some-user-filter=%s-and-more-filter=%s)", testUpstreamUsername, testUpstreamUsername)
testGroupSearchFilterInterpolated = fmt.Sprintf("(some-group-filter=%s-and-more-filter=%s)", testUserSearchResultDNValue, testUserSearchResultDNValue)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
func TestEndUserAuthentication(t *testing.T) {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig := func(editFunc func(p *ProviderConfig)) *ProviderConfig {
config := &ProviderConfig{
ldap_upstream_watcher.go: decode and validate CertificateAuthorityData
2021-04-14 00:16:57 +00:00
Name: "some-provider-name",
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Host: testHost,
ldap_upstream_watcher.go: decode and validate CertificateAuthorityData
2021-04-14 00:16:57 +00:00
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
BindUsername: testBindUsername,
BindPassword: testBindPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
UserSearch: UserSearchConfig{
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Base: testUserSearchBase,
Filter: testUserSearchFilter,
UsernameAttribute: testUserSearchUsernameAttribute,
UIDAttribute: testUserSearchUIDAttribute,
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
GroupSearch: GroupSearchConfig{
Base: testGroupSearchBase,
Filter: testGroupSearchFilter,
GroupNameAttribute: testGroupSearchGroupNameAttribute,
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
if editFunc != nil {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
editFunc(config)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
return config
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
expectedUserSearch := func(editFunc func(r *ldap.SearchRequest)) *ldap.SearchRequest {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
request := &ldap.SearchRequest{
BaseDN: testUserSearchBase,
Scope: ldap.ScopeWholeSubtree,
Some updates based on PR review
2021-04-27 19:43:09 +00:00
DerefAliases: ldap.NeverDerefAliases,
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
SizeLimit: 2,
TimeLimit: 90,
TypesOnly: false,
Filter: testUserSearchFilterInterpolated,
Attributes: []string{testUserSearchUsernameAttribute, testUserSearchUIDAttribute},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Controls: nil, // don't need paging because we set the SizeLimit so small
}
if editFunc != nil {
editFunc(request)
}
return request
}
expectedGroupSearch := func(editFunc func(r *ldap.SearchRequest)) *ldap.SearchRequest {
request := &ldap.SearchRequest{
BaseDN: testGroupSearchBase,
Scope: ldap.ScopeWholeSubtree,
DerefAliases: ldap.NeverDerefAliases,
SizeLimit: 0, // unlimited size because we will search with paging
TimeLimit: 90,
TypesOnly: false,
Filter: testGroupSearchFilterInterpolated,
Attributes: []string{testGroupSearchGroupNameAttribute},
Controls: nil, // nil because ldap.SearchWithPaging() will set the appropriate controls for us
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
if editFunc != nil {
editFunc(request)
}
return request
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
exampleUserSearchResult := &ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
},
},
},
}
exampleGroupSearchResult := &ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue2}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}
// The auth response which matches the exampleUserSearchResult and exampleGroupSearchResult.
expectedAuthResponse := func(editFunc func(r *user.DefaultInfo)) *authenticator.Response {
u := &user.DefaultInfo{
Name: testUserSearchResultUsernameAttributeValue,
UID: testUserSearchResultUIDAttributeValue,
Groups: []string{testGroupSearchResultGroupNameAttributeValue1, testGroupSearchResultGroupNameAttributeValue2},
}
if editFunc != nil {
editFunc(u)
}
return &authenticator.Response{User: u}
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
tests := []struct {
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
name string
username string
password string
providerConfig *ProviderConfig
searchMocks func(conn *mockldapconn.MockConn)
bindEndUserMocks func(conn *mockldapconn.MockConn)
dialError error
wantError string
wantToSkipDial bool
wantAuthResponse *authenticator.Response
wantUnauthenticated bool
skipDryRunAuthenticateUser bool // tests about when the end user bind fails don't make sense for DryRunAuthenticateUser()
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
}{
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "happy path",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
{
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
name: "when the user search filter is already wrapped by parenthesis then it is not wrapped again",
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
p.UserSearch.Filter = "(" + testUserSearchFilter + ")"
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when the group search filter is already wrapped by parenthesis then it is not wrapped again",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Filter = "(" + testGroupSearchFilter + ")"
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when the group search base is empty then skip the group search entirely",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Base = "" // this configuration means that the user does not want group search to happen
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(func(r *user.DefaultInfo) {
r.Groups = []string{}
}),
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
},
{
name: "when the UsernameAttribute is dn and there is a user search filter provided",
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
p.UserSearch.UsernameAttribute = "dn"
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
r.Attributes = []string{testUserSearchUIDAttribute}
})).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
},
}, nil).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(func(r *user.DefaultInfo) {
r.Name = testUserSearchResultDNValue
}),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
{
name: "when the UIDAttribute is dn",
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
p.UserSearch.UIDAttribute = "dn"
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
r.Attributes = []string{testUserSearchUsernameAttribute}
})).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
},
}, nil).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(func(r *user.DefaultInfo) {
r.UID = testUserSearchResultDNValue
}),
},
{
name: "when the GroupNameAttribute is dn",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.GroupNameAttribute = "dn"
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Attributes = []string{}
}), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(func(r *user.DefaultInfo) {
r.Groups = []string{testGroupSearchResultDNValue1, testGroupSearchResultDNValue2}
}),
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
name: "when the GroupNameAttribute is empty then it defaults to cn",
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
p.GroupSearch.GroupNameAttribute = "" // blank means to use cn
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Attributes = []string{"cn"}
}), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute("cn", []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute("cn", []string{testGroupSearchResultGroupNameAttributeValue2}),
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when user search Filter is blank it derives a search filter from the UsernameAttribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.UserSearch.Filter = ""
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
r.Filter = "(" + testUserSearchUsernameAttribute + "=" + testUpstreamUsername + ")"
})).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when group search Filter is blank it uses a default search filter of member={}",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Filter = ""
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Filter = "(member=" + testUserSearchResultDNValue + ")"
}), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
name: "when the username has special LDAP search filter characters then they must be properly escaped in the search filter, because the username is end-user input",
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
username: `a&b|c(d)e\f*g`,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
r.Filter = fmt.Sprintf("(some-user-filter=%s-and-more-filter=%s)", `a&b|c\28d\29e\5cf\2ag`, `a&b|c\28d\29e\5cf\2ag`)
})).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "group names are sorted to make the result more stable/predictable",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{"c"}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{"a"}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{"b"}),
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Name: testUserSearchResultUsernameAttributeValue,
UID: testUserSearchResultUIDAttributeValue,
Groups: []string{"a", "b", "c"},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when dial fails",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
dialError: errors.New("some dial error"),
wantError: fmt.Sprintf(`error dialing host "%s": some dial error`, testHost),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
{
name: "when the UsernameAttribute is dn and there is not a user search filter provided",
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
p.UserSearch.UsernameAttribute = "dn"
p.UserSearch.Filter = ""
}),
wantToSkipDial: true,
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when binding as the bind user returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`error binding as "%s" before user search: some bind error`, testBindUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(nil, errors.New("some user search error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`error searching for user "%s": some user search error`, testUpstreamUsername),
},
{
name: "when searching for the user's groups returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(nil, errors.New("some group search error")).Times(1)
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(`error searching for group memberships for user with DN "%s": some group search error`, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns no results",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
wantUnauthenticated: true,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns multiple results",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{DN: testUserSearchResultDNValue},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{DN: "some-other-dn"},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`searching for user "%s" resulted in 2 search results, but expected 1 result`, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user without a DN",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{DN: ""},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`searching for user "%s" resulted in search result without DN`, testUpstreamUsername),
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{
name: "when searching for the user's groups returns a group without a DN",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: "",
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue2}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`searching for group memberships for user with DN "%s" resulted in search result without DN`,
testUserSearchResultDNValue),
},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user without an expected username attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(
`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchUsernameAttribute, testUpstreamUsername),
},
{
name: "when searching for the group memberships returns a group without an expected group name attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute("unrelated attribute", []string{"anything"}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`error searching for group memberships for user with DN "%s": found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with too many values for the expected username attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testUserSearchResultUsernameAttributeValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
"unexpected-additional-value",
}),
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(
`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchUsernameAttribute, testUpstreamUsername),
},
{
name: "when searching for the group memberships returns a group with too many values for the expected group name attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{
testGroupSearchResultGroupNameAttributeValue1,
"unexpected-additional-value",
}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`error searching for group memberships for user with DN "%s": found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with an empty value for the expected username attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{""}),
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(
`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
testUserSearchUsernameAttribute, testUpstreamUsername),
},
{
name: "when searching for the group memberships returns a group with an empty value for for the expected group name attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{""}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`error searching for group memberships for user with DN "%s": found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user without an expected UID attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with too many values for the expected UID attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testUserSearchResultUIDAttributeValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
"unexpected-additional-value",
}),
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with an empty value for the expected UID attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{""}),
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`, testUserSearchUIDAttribute, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when binding as the found user returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Return(errors.New("some bind error")).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
skipDryRunAuthenticateUser: true,
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(`error binding for user "%s" using provided password against DN "%s": some bind error`, testUpstreamUsername, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when binding as the found user returns a specific invalid credentials error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
wantUnauthenticated: true,
skipDryRunAuthenticateUser: true,
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Some updates based on PR review
2021-04-27 19:43:09 +00:00
err := &ldap.Error{
Err: errors.New("some bind error"),
ResultCode: ldap.LDAPResultInvalidCredentials,
}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Return(err).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
},
{
name: "when no username is specified",
username: "",
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(nil),
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
wantToSkipDial: true,
wantUnauthenticated: true,
},
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
}
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
for _, test := range tests {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
tt := test
t.Run(tt.name, func(t *testing.T) {
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
ctrl := gomock.NewController(t)
t.Cleanup(ctrl.Finish)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
conn := mockldapconn.NewMockConn(ctrl)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
if tt.searchMocks != nil {
tt.searchMocks(conn)
}
if tt.bindEndUserMocks != nil {
tt.bindEndUserMocks(conn)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
dialWasAttempted := false
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
tt.providerConfig.Dialer = LDAPDialerFunc(func(ctx context.Context, hostAndPort string) (Conn, error) {
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
dialWasAttempted = true
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
require.Equal(t, tt.providerConfig.Host, hostAndPort)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
if tt.dialError != nil {
return nil, tt.dialError
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
return conn, nil
Add a little more logic to ldap_upstream_watcher.go
2021-04-12 18:23:08 +00:00
})
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
provider := New(*tt.providerConfig)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
authResponse, authenticated, err := provider.AuthenticateUser(context.Background(), tt.username, tt.password)
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
switch {
case tt.wantError != "":
require.EqualError(t, err, tt.wantError)
require.False(t, authenticated)
require.Nil(t, authResponse)
case tt.wantUnauthenticated:
require.NoError(t, err)
require.False(t, authenticated)
require.Nil(t, authResponse)
default:
require.NoError(t, err)
require.True(t, authenticated)
require.Equal(t, tt.wantAuthResponse, authResponse)
}
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
// DryRunAuthenticateUser() should have the same behavior as AuthenticateUser() except that it does not bind
// as the end user to confirm their password. Since it should behave the same, all of the same test cases
// apply, except for those which are specifically testing what happens when the end user bind fails.
if tt.skipDryRunAuthenticateUser {
return // move on to the next test
}
// Reset some variables to get ready to call DryRunAuthenticateUser().
dialWasAttempted = false
conn = mockldapconn.NewMockConn(ctrl)
if tt.searchMocks != nil {
tt.searchMocks(conn)
}
// Skip tt.bindEndUserMocks since DryRunAuthenticateUser() never binds as the end user.
authResponse, authenticated, err = provider.DryRunAuthenticateUser(context.Background(), tt.username)
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
switch {
case tt.wantError != "":
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
require.EqualError(t, err, tt.wantError)
require.False(t, authenticated)
require.Nil(t, authResponse)
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
case tt.wantUnauthenticated:
require.NoError(t, err)
require.False(t, authenticated)
require.Nil(t, authResponse)
default:
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
require.NoError(t, err)
require.True(t, authenticated)
require.Equal(t, tt.wantAuthResponse, authResponse)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
}
})
}
}
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
Test the LDAP config by connecting to the server in the controller
2021-04-15 21:44:43 +00:00
func TestTestConnection(t *testing.T) {
providerConfig := func(editFunc func(p *ProviderConfig)) *ProviderConfig {
config := &ProviderConfig{
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{}, // not used by TestConnection
}
if editFunc != nil {
editFunc(config)
}
return config
}
tests := []struct {
name string
providerConfig *ProviderConfig
setupMocks func(conn *mockldapconn.MockConn)
dialError error
wantError string
wantToSkipDial bool
}{
{
name: "happy path",
providerConfig: providerConfig(nil),
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Close().Times(1)
},
},
{
name: "when dial fails",
providerConfig: providerConfig(nil),
dialError: errors.New("some dial error"),
wantError: fmt.Sprintf(`error dialing host "%s": some dial error`, testHost),
},
{
name: "when binding as the bind user returns an error",
providerConfig: providerConfig(nil),
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`error binding as "%s": some bind error`, testBindUsername),
},
{
name: "when the config is invalid",
providerConfig: providerConfig(func(p *ProviderConfig) {
// This particular combination of options is not allowed.
p.UserSearch.UsernameAttribute = "dn"
p.UserSearch.Filter = ""
}),
wantToSkipDial: true,
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
},
}
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
ctrl := gomock.NewController(t)
t.Cleanup(ctrl.Finish)
conn := mockldapconn.NewMockConn(ctrl)
if tt.setupMocks != nil {
tt.setupMocks(conn)
}
dialWasAttempted := false
tt.providerConfig.Dialer = LDAPDialerFunc(func(ctx context.Context, hostAndPort string) (Conn, error) {
dialWasAttempted = true
require.Equal(t, tt.providerConfig.Host, hostAndPort)
if tt.dialError != nil {
return nil, tt.dialError
}
return conn, nil
})
provider := New(*tt.providerConfig)
err := provider.TestConnection(context.Background())
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
switch {
case tt.wantError != "":
require.EqualError(t, err, tt.wantError)
default:
require.NoError(t, err)
}
})
}
}
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
func TestGetConfig(t *testing.T) {
c := ProviderConfig{
Name: "original-provider-name",
Host: testHost,
CABundle: []byte("some-ca-bundle"),
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Base: testUserSearchBase,
Filter: testUserSearchFilter,
UsernameAttribute: testUserSearchUsernameAttribute,
UIDAttribute: testUserSearchUIDAttribute,
},
}
p := New(c)
require.Equal(t, c, p.c)
require.Equal(t, c, p.GetConfig())
// The original config can be changed without impacting the provider, since the provider made a copy of the config.
c.Name = "changed-name"
require.Equal(t, "original-provider-name", p.c.Name)
// The return value of GetConfig can be modified without impacting the provider, since it is a copy of the config.
returnedConfig := p.GetConfig()
returnedConfig.Name = "changed-name"
require.Equal(t, "original-provider-name", p.c.Name)
}
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
func TestGetURL(t *testing.T) {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
require.Equal(t, "ldaps://ldap.example.com:1234", New(ProviderConfig{Host: "ldap.example.com:1234"}).GetURL())
require.Equal(t, "ldaps://ldap.example.com", New(ProviderConfig{Host: "ldap.example.com"}).GetURL())
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
}
// Testing of host parsing, TLS negotiation, and CA bundle, etc. for the production code's dialer.
func TestRealTLSDialing(t *testing.T) {
testServerCABundle, testServerURL := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {})
parsedURL, err := url.Parse(testServerURL)
require.NoError(t, err)
testServerHostAndPort := parsedURL.Host
unusedPortGrabbingListener, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
recentlyClaimedHostAndPort := unusedPortGrabbingListener.Addr().String()
require.NoError(t, unusedPortGrabbingListener.Close())
alreadyCancelledContext, cancelFunc := context.WithCancel(context.Background())
cancelFunc() // cancel it immediately
tests := []struct {
name string
host string
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto LDAPConnectionProtocol
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
caBundle []byte
context context.Context
wantError string
}{
{
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
name: "happy path",
host: testServerHostAndPort,
caBundle: []byte(testServerCABundle),
connProto: TLS,
context: context.Background(),
},
{
name: "invalid CA bundle with TLS",
host: testServerHostAndPort,
caBundle: []byte("not a ca bundle"),
connProto: TLS,
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": could not parse CA bundle`,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
},
{
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
name: "invalid CA bundle with StartTLS",
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
host: testServerHostAndPort,
caBundle: []byte("not a ca bundle"),
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: StartTLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": could not parse CA bundle`,
},
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
{
name: "invalid host with TLS",
host: "this:is:not:a:valid:hostname",
caBundle: []byte(testServerCABundle),
connProto: TLS,
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": address this:is:not:a:valid:hostname: too many colons in address`,
},
{
name: "invalid host with StartTLS",
host: "this:is:not:a:valid:hostname",
caBundle: []byte(testServerCABundle),
connProto: StartTLS,
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": address this:is:not:a:valid:hostname: too many colons in address`,
},
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
{
name: "missing CA bundle when it is required because the host is not using a trusted CA",
host: testServerHostAndPort,
caBundle: nil,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority`,
},
{
name: "cannot connect to host",
// This is assuming that this port was not reclaimed by another app since the test setup ran. Seems safe enough.
host: recentlyClaimedHostAndPort,
caBundle: []byte(testServerCABundle),
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: context.Background(),
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": dial tcp %s: connect: connection refused`, recentlyClaimedHostAndPort),
},
{
name: "pays attention to the passed context",
host: testServerHostAndPort,
caBundle: []byte(testServerCABundle),
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: alreadyCancelledContext,
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": dial tcp %s: operation was canceled`, testServerHostAndPort),
},
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
{
name: "unsupported connection protocol",
host: testServerHostAndPort,
caBundle: []byte(testServerCABundle),
connProto: "bad usage of this type",
context: alreadyCancelledContext,
wantError: `LDAP Result Code 200 "Network Error": did not specify valid ConnectionProtocol`,
},
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
}
for _, test := range tests {
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
tt := test
t.Run(tt.name, func(t *testing.T) {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
provider := New(ProviderConfig{
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
Host: tt.host,
CABundle: tt.caBundle,
ConnectionProtocol: tt.connProto,
Dialer: nil, // this test is for the default (production) TLS dialer
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
})
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
conn, err := provider.dial(tt.context)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
if conn != nil {
defer conn.Close()
}
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
if tt.wantError != "" {
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
require.Nil(t, conn)
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
require.EqualError(t, err, tt.wantError)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
} else {
require.NoError(t, err)
require.NotNil(t, conn)
// Should be an instance of the real production LDAP client type.
// Can't test its methods here because we are not dialed to a real LDAP server.
require.IsType(t, &ldap.Conn{}, conn)
Add a little more logic to ldap_upstream_watcher.go
2021-04-12 18:23:08 +00:00
// Indirectly checking that the Dialer method constructed the ldap.Conn with isTLS set to true,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
// since this is always the correct behavior unless/until we want to support StartTLS.
err := conn.(*ldap.Conn).StartTLS(&tls.Config{})
require.EqualError(t, err, `LDAP Result Code 200 "Network Error": ldap: already encrypted`)
}
})
}
}
// Test various cases of host and port parsing.
func TestHostAndPortWithDefaultPort(t *testing.T) {
tests := []struct {
name string
hostAndPort string
defaultPort string
wantError string
wantHostAndPort string
}{
{
name: "host already has port",
hostAndPort: "host.example.com:99",
defaultPort: "42",
wantHostAndPort: "host.example.com:99",
},
{
name: "host does not have port",
hostAndPort: "host.example.com",
defaultPort: "42",
wantHostAndPort: "host.example.com:42",
},
{
name: "host does not have port and default port is empty",
hostAndPort: "host.example.com",
defaultPort: "",
wantHostAndPort: "host.example.com",
},
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
{
name: "host has port and default port is empty",
hostAndPort: "host.example.com:42",
defaultPort: "",
wantHostAndPort: "host.example.com:42",
},
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
{
name: "IPv6 host already has port",
hostAndPort: "[::1%lo0]:80",
defaultPort: "42",
wantHostAndPort: "[::1%lo0]:80",
},
{
name: "IPv6 host does not have port",
hostAndPort: "[::1%lo0]",
defaultPort: "42",
wantHostAndPort: "[::1%lo0]:42",
},
{
name: "IPv6 host does not have port and default port is empty",
hostAndPort: "[::1%lo0]",
defaultPort: "",
wantHostAndPort: "[::1%lo0]",
},
{
name: "host is not valid",
hostAndPort: "host.example.com:port1:port2",
defaultPort: "42",
wantError: "address host.example.com:port1:port2: too many colons in address",
},
}
for _, test := range tests {
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
tt := test
t.Run(tt.name, func(t *testing.T) {
hostAndPort, err := hostAndPortWithDefaultPort(tt.hostAndPort, tt.defaultPort)
if tt.wantError != "" {
require.EqualError(t, err, tt.wantError)
} else {
require.NoError(t, err)
}
require.Equal(t, tt.wantHostAndPort, hostAndPort)
})
}
}
// Test various cases of host and port parsing.
func TestHostWithoutPort(t *testing.T) {
tests := []struct {
name string
hostAndPort string
wantError string
wantHostAndPort string
}{
{
name: "host already has port",
hostAndPort: "host.example.com:99",
wantHostAndPort: "host.example.com",
},
{
name: "host does not have port",
hostAndPort: "host.example.com",
wantHostAndPort: "host.example.com",
},
{
name: "IPv6 host already has port",
hostAndPort: "[::1%lo0]:80",
wantHostAndPort: "[::1%lo0]",
},
{
name: "IPv6 host does not have port",
hostAndPort: "[::1%lo0]",
wantHostAndPort: "[::1%lo0]",
},
{
name: "host is not valid",
hostAndPort: "host.example.com:port1:port2",
wantError: "address host.example.com:port1:port2: too many colons in address",
},
}
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
hostAndPort, err := hostWithoutPort(tt.hostAndPort)
if tt.wantError != "" {
require.EqualError(t, err, tt.wantError)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
} else {
require.NoError(t, err)
}
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
require.Equal(t, tt.wantHostAndPort, hostAndPort)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
})
}
}