djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/upstreamldap/upstreamldap_test.go

2128 lines
84 KiB
Go
Raw Normal View History

Merge branch 'main' into upstream_access_revocation_during_gc
2022-01-14 18:49:22 +00:00
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
// SPDX-License-Identifier: Apache-2.0
package upstreamldap
import (
"context"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"crypto/tls"
Use base64 binary-encoded value as UID for LDAP This is to allow the use of binary LDAP entry attributes as the UID. For example, a user might like to configure AD’s objectGUID or maybe objectSid attributes as the UID attribute. This negatively impacts the readability of the UID when it did not come from a binary value, but we're considering this an okay trade-off to keep things simple for now. In the future, we may offer more customizable encoding options for binary attributes. These UIDs are currently only used in the downstream OIDC `sub` claim. They do not effect the user's identity on the Kubernetes cluster, which is only based on their mapped username and group memberships from the upstream identity provider. We are not currently supporting any special encoding for those username and group name LDAP attributes, so their values in the LDAP entry must be ASCII or UTF-8 in order for them to be interpreted correctly.
2021-05-27 20:47:10 +00:00
"encoding/base64"
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
"errors"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"fmt"
"net"
"net/http"
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
"net/http/httptest"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"net/url"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
"testing"
Add another unit test for the LDAP client code
2021-05-21 19:44:01 +00:00
"time"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"github.com/go-ldap/ldap/v3"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
"github.com/golang/mock/gomock"
"github.com/stretchr/testify/require"
"k8s.io/apiserver/pkg/authentication/user"
Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-03 17:33:22 +00:00
"go.pinniped.dev/internal/authenticators"
Add another unit test for the LDAP client code
2021-05-21 19:44:01 +00:00
"go.pinniped.dev/internal/certauthority"
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
"go.pinniped.dev/internal/crypto/ptls"
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
"go.pinniped.dev/internal/endpointaddr"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
"go.pinniped.dev/internal/mocks/mockldapconn"
Incorporate PR feedback
2021-12-07 00:24:31 +00:00
"go.pinniped.dev/internal/oidc/provider"
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"go.pinniped.dev/internal/testutil"
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
"go.pinniped.dev/internal/testutil/tlsserver"
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
const (
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testHost = "ldap.example.com:8443"
testBindUsername = "cn=some-bind-username,dc=pinniped,dc=dev"
testBindPassword = "some-bind-password"
testUpstreamUsername = "some-upstream-username"
testUpstreamPassword = "some-upstream-password"
testUserSearchBase = "some-upstream-user-base-dn"
testGroupSearchBase = "some-upstream-group-base-dn"
testUserSearchFilter = "some-user-filter={}-and-more-filter={}"
testGroupSearchFilter = "some-group-filter={}-and-more-filter={}"
testUserSearchUsernameAttribute = "some-upstream-username-attribute"
testUserSearchUIDAttribute = "some-upstream-uid-attribute"
testGroupSearchGroupNameAttribute = "some-upstream-group-name-attribute"
testUserSearchResultDNValue = "some-upstream-user-dn"
testGroupSearchResultDNValue1 = "some-upstream-group-dn1"
testGroupSearchResultDNValue2 = "some-upstream-group-dn2"
testUserSearchResultUsernameAttributeValue = "some-upstream-username-value"
testUserSearchResultUIDAttributeValue = "some-upstream-uid-value"
testGroupSearchResultGroupNameAttributeValue1 = "some-upstream-group-name-value1"
testGroupSearchResultGroupNameAttributeValue2 = "some-upstream-group-name-value2"
expectedGroupSearchPageSize = uint32(250)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
var (
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testUserSearchFilterInterpolated = fmt.Sprintf("(some-user-filter=%s-and-more-filter=%s)", testUpstreamUsername, testUpstreamUsername)
testGroupSearchFilterInterpolated = fmt.Sprintf("(some-group-filter=%s-and-more-filter=%s)", testUserSearchResultDNValue, testUserSearchResultDNValue)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
func TestEndUserAuthentication(t *testing.T) {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig := func(editFunc func(p *ProviderConfig)) *ProviderConfig {
config := &ProviderConfig{
LDAP upstream watcher controller tries using both TLS and StartTLS - Automatically try to fall back to using StartTLS when using TLS doesn't work. Only complain when both don't work. - Remember (in-memory) which one worked and keeping using that one in the future (unless the pod restarts).
2021-05-20 19:46:33 +00:00
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
UserSearch: UserSearchConfig{
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Base: testUserSearchBase,
Filter: testUserSearchFilter,
UsernameAttribute: testUserSearchUsernameAttribute,
UIDAttribute: testUserSearchUIDAttribute,
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
GroupSearch: GroupSearchConfig{
Base: testGroupSearchBase,
Filter: testGroupSearchFilter,
GroupNameAttribute: testGroupSearchGroupNameAttribute,
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
if editFunc != nil {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
editFunc(config)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
return config
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
expectedUserSearch := func(editFunc func(r *ldap.SearchRequest)) *ldap.SearchRequest {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
request := &ldap.SearchRequest{
BaseDN: testUserSearchBase,
Scope: ldap.ScopeWholeSubtree,
Some updates based on PR review
2021-04-27 19:43:09 +00:00
DerefAliases: ldap.NeverDerefAliases,
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
SizeLimit: 2,
TimeLimit: 90,
TypesOnly: false,
Filter: testUserSearchFilterInterpolated,
Attributes: []string{testUserSearchUsernameAttribute, testUserSearchUIDAttribute},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Controls: nil, // don't need paging because we set the SizeLimit so small
}
if editFunc != nil {
editFunc(request)
}
return request
}
expectedGroupSearch := func(editFunc func(r *ldap.SearchRequest)) *ldap.SearchRequest {
request := &ldap.SearchRequest{
BaseDN: testGroupSearchBase,
Scope: ldap.ScopeWholeSubtree,
DerefAliases: ldap.NeverDerefAliases,
SizeLimit: 0, // unlimited size because we will search with paging
TimeLimit: 90,
TypesOnly: false,
Filter: testGroupSearchFilterInterpolated,
Attributes: []string{testGroupSearchGroupNameAttribute},
Controls: nil, // nil because ldap.SearchWithPaging() will set the appropriate controls for us
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
if editFunc != nil {
editFunc(request)
}
return request
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
exampleUserSearchResult := &ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
},
},
},
}
exampleGroupSearchResult := &ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue2}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}
// The auth response which matches the exampleUserSearchResult and exampleGroupSearchResult.
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
expectedAuthResponse := func(editFunc func(r *authenticators.Response)) *authenticators.Response {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
u := &user.DefaultInfo{
Name: testUserSearchResultUsernameAttributeValue,
Use base64 binary-encoded value as UID for LDAP This is to allow the use of binary LDAP entry attributes as the UID. For example, a user might like to configure AD’s objectGUID or maybe objectSid attributes as the UID attribute. This negatively impacts the readability of the UID when it did not come from a binary value, but we're considering this an okay trade-off to keep things simple for now. In the future, we may offer more customizable encoding options for binary attributes. These UIDs are currently only used in the downstream OIDC `sub` claim. They do not effect the user's identity on the Kubernetes cluster, which is only based on their mapped username and group memberships from the upstream identity provider. We are not currently supporting any special encoding for those username and group name LDAP attributes, so their values in the LDAP entry must be ASCII or UTF-8 in order for them to be interpreted correctly.
2021-05-27 20:47:10 +00:00
UID: base64.RawURLEncoding.EncodeToString([]byte(testUserSearchResultUIDAttributeValue)),
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Groups: []string{testGroupSearchResultGroupNameAttributeValue1, testGroupSearchResultGroupNameAttributeValue2},
}
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
response := &authenticators.Response{User: u, DN: testUserSearchResultDNValue, ExtraRefreshAttributes: map[string]string{}}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
if editFunc != nil {
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
editFunc(response)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
}
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
return response
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
tests := []struct {
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
name string
username string
password string
providerConfig *ProviderConfig
searchMocks func(conn *mockldapconn.MockConn)
bindEndUserMocks func(conn *mockldapconn.MockConn)
dialError error
wantError string
wantToSkipDial bool
Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-03 17:33:22 +00:00
wantAuthResponse *authenticators.Response
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
wantUnauthenticated bool
skipDryRunAuthenticateUser bool // tests about when the end user bind fails don't make sense for DryRunAuthenticateUser()
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
}{
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "happy path",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
{
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
name: "when the user search filter is already wrapped by parenthesis then it is not wrapped again",
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
p.UserSearch.Filter = "(" + testUserSearchFilter + ")"
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when the group search filter is already wrapped by parenthesis then it is not wrapped again",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Filter = "(" + testGroupSearchFilter + ")"
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
Add unit tests for group parsing overrides
2022-02-11 22:43:37 +00:00
{
name: "when the group search has an override func",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupAttributeParsingOverrides = map[string]func(*ldap.Entry) (string, error){testGroupSearchGroupNameAttribute: func(entry *ldap.Entry) (string, error) {
Always update groups even if it's nil Also de-dup groups and various small formatting changes
2022-02-14 22:01:21 +00:00
return "something-else-" + entry.DN, nil
Add unit tests for group parsing overrides
2022-02-11 22:43:37 +00:00
}}
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
r.User = &user.DefaultInfo{
Name: testUserSearchResultUsernameAttributeValue,
UID: base64.RawURLEncoding.EncodeToString([]byte(testUserSearchResultUIDAttributeValue)),
Always update groups even if it's nil Also de-dup groups and various small formatting changes
2022-02-14 22:01:21 +00:00
Groups: []string{"something-else-some-upstream-group-dn1", "something-else-some-upstream-group-dn2"},
Add unit tests for group parsing overrides
2022-02-11 22:43:37 +00:00
}
}),
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{
name: "when the group search base is empty then skip the group search entirely",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Base = "" // this configuration means that the user does not want group search to happen
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
info := r.User.(*user.DefaultInfo)
Always update groups even if it's nil Also de-dup groups and various small formatting changes
2022-02-14 22:01:21 +00:00
info.Groups = []string{}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
}),
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
},
{
name: "when the UsernameAttribute is dn and there is a user search filter provided",
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
p.UserSearch.UsernameAttribute = "dn"
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
r.Attributes = []string{testUserSearchUIDAttribute}
})).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
},
}, nil).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
info := r.User.(*user.DefaultInfo)
info.Name = testUserSearchResultDNValue
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
}),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
{
name: "when the UIDAttribute is dn",
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
p.UserSearch.UIDAttribute = "dn"
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
r.Attributes = []string{testUserSearchUsernameAttribute}
})).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
},
}, nil).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
info := r.User.(*user.DefaultInfo)
info.UID = base64.RawURLEncoding.EncodeToString([]byte(testUserSearchResultDNValue))
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
}),
},
Default `groupSearch.attributes.groupName` to "dn" instead of "cn" - DNs are more unique than CNs, so it feels like a safer default
2021-05-28 20:27:11 +00:00
{
name: "when the GroupNameAttribute is empty then it defaults to dn",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.GroupNameAttribute = "" // blank means to use dn
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Attributes = []string{}
}), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
info := r.User.(*user.DefaultInfo)
info.Groups = []string{testGroupSearchResultDNValue1, testGroupSearchResultDNValue2}
Default `groupSearch.attributes.groupName` to "dn" instead of "cn" - DNs are more unique than CNs, so it feels like a safer default
2021-05-28 20:27:11 +00:00
}),
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{
name: "when the GroupNameAttribute is dn",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.GroupNameAttribute = "dn"
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Attributes = []string{}
}), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
info := r.User.(*user.DefaultInfo)
info.Groups = []string{testGroupSearchResultDNValue1, testGroupSearchResultDNValue2}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
}),
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
{
Default `groupSearch.attributes.groupName` to "dn" instead of "cn" - DNs are more unique than CNs, so it feels like a safer default
2021-05-28 20:27:11 +00:00
name: "when the GroupNameAttribute is cn",
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Default `groupSearch.attributes.groupName` to "dn" instead of "cn" - DNs are more unique than CNs, so it feels like a safer default
2021-05-28 20:27:11 +00:00
p.GroupSearch.GroupNameAttribute = "cn"
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Attributes = []string{"cn"}
}), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute("cn", []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute("cn", []string{testGroupSearchResultGroupNameAttributeValue2}),
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when user search Filter is blank it derives a search filter from the UsernameAttribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.UserSearch.Filter = ""
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
r.Filter = "(" + testUserSearchUsernameAttribute + "=" + testUpstreamUsername + ")"
})).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when group search Filter is blank it uses a default search filter of member={}",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Filter = ""
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Filter = "(member=" + testUserSearchResultDNValue + ")"
}), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantAuthResponse: expectedAuthResponse(nil),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
{
Escape special characters in LDAP DNs when used in search filters
2022-05-02 20:37:32 +00:00
name: "when the username has special LDAP search filter characters then they must be properly escaped in the custom user search filter, because the username is end-user input",
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
username: `a&b|c(d)e\f*g`,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
r.Filter = fmt.Sprintf("(some-user-filter=%s-and-more-filter=%s)", `a&b|c\28d\29e\5cf\2ag`, `a&b|c\28d\29e\5cf\2ag`)
})).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
Escape special characters in LDAP DNs when used in search filters
2022-05-02 20:37:32 +00:00
{
name: "when the username has special LDAP search filter characters then they must be properly escaped in the default user search filter, because the username is end-user input",
username: `a&b|c(d)e\f*g`,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.UserSearch.Filter = ""
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
r.Filter = fmt.Sprintf("(some-upstream-username-attribute=%s)", `a&b|c\28d\29e\5cf\2ag`)
})).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(nil),
},
{
name: "when the user search result DN has special LDAP search filter characters then they must be properly escaped in the custom group search filter",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: `result DN with * \ special characters ()`,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
},
},
},
}, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
escapedDN := `result DN with \2a \5c special characters \28\29`
r.Filter = fmt.Sprintf("(some-group-filter=%s-and-more-filter=%s)", escapedDN, escapedDN)
}), expectedGroupSearchPageSize).Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(`result DN with * \ special characters ()`, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
r.DN = `result DN with * \ special characters ()`
}),
},
{
name: "when the user search result DN has special LDAP search filter characters then they must be properly escaped in the default group search filter",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupSearch.Filter = ""
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: `result DN with * \ special characters ()`,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
},
},
},
}, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
r.Filter = fmt.Sprintf("(member=%s)", `result DN with \2a \5c special characters \28\29`)
}), expectedGroupSearchPageSize).Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(`result DN with * \ special characters ()`, testUpstreamPassword).Times(1)
},
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
r.DN = `result DN with * \ special characters ()`
}),
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{
name: "group names are sorted to make the result more stable/predictable",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{"c"}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{"a"}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{"b"}),
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-03 17:33:22 +00:00
wantAuthResponse: &authenticators.Response{
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
User: &user.DefaultInfo{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Name: testUserSearchResultUsernameAttributeValue,
Use base64 binary-encoded value as UID for LDAP This is to allow the use of binary LDAP entry attributes as the UID. For example, a user might like to configure AD’s objectGUID or maybe objectSid attributes as the UID attribute. This negatively impacts the readability of the UID when it did not come from a binary value, but we're considering this an okay trade-off to keep things simple for now. In the future, we may offer more customizable encoding options for binary attributes. These UIDs are currently only used in the downstream OIDC `sub` claim. They do not effect the user's identity on the Kubernetes cluster, which is only based on their mapped username and group memberships from the upstream identity provider. We are not currently supporting any special encoding for those username and group name LDAP attributes, so their values in the LDAP entry must be ASCII or UTF-8 in order for them to be interpreted correctly.
2021-05-27 20:47:10 +00:00
UID: base64.RawURLEncoding.EncodeToString([]byte(testUserSearchResultUIDAttributeValue)),
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
Groups: []string{"a", "b", "c"},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
DN: testUserSearchResultDNValue,
ExtraRefreshAttributes: map[string]string{},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
},
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "requesting additional refresh related attributes",
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
p.RefreshAttributeChecks = map[string]func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error{
"some-attribute-to-check-during-refresh": func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error {
return nil
},
Review comments-- - Change list of attributeParsingOverrides to a map - Add unit test for sAMAccountName as group name without the override - Change some comments in the the type definition.
2021-08-19 21:21:18 +00:00
}
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
r.Attributes = append(r.Attributes, "some-attribute-to-check-during-refresh")
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
})).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
ldap.NewEntryAttribute("some-attribute-to-check-during-refresh", []string{"some-attribute-value"}),
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
},
},
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
},
}, nil).Times(1)
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
r.ExtraRefreshAttributes = map[string]string{"some-attribute-to-check-during-refresh": "c29tZS1hdHRyaWJ1dGUtdmFsdWU"}
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
}),
},
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "requesting additional refresh related attributes, but they aren't returned",
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
p.RefreshAttributeChecks = map[string]func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error{
"some-attribute-to-check-during-refresh": func(entry *ldap.Entry, attributes provider.StoredRefreshAttributes) error {
return nil
},
Review comments-- - Change list of attributeParsingOverrides to a map - Add unit test for sAMAccountName as group name without the override - Change some comments in the the type definition.
2021-08-19 21:21:18 +00:00
}
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
r.Attributes = append(r.Attributes, "some-attribute-to-check-during-refresh")
})).Return(exampleUserSearchResult, nil).Times(1)
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
wantError: "found 0 values for attribute \"some-attribute-to-check-during-refresh\" while searching for user \"some-upstream-username\", but expected 1 result",
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
},
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when dial fails",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
dialError: errors.New("some dial error"),
wantError: fmt.Sprintf(`error dialing host "%s": some dial error`, testHost),
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
},
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
{
name: "when the UsernameAttribute is dn and there is not a user search filter provided",
username: testUpstreamUsername,
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(func(p *ProviderConfig) {
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
p.UserSearch.UsernameAttribute = "dn"
p.UserSearch.Filter = ""
}),
wantToSkipDial: true,
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when binding as the bind user returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`error binding as "%s" before user search: some bind error`, testBindUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(nil, errors.New("some user search error")).Times(1)
conn.EXPECT().Close().Times(1)
},
In LDAP, do not log username until we know the user exists. This prevents accidentally logging a password if the user enters it into the username field by mistake. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 21:37:31 +00:00
wantError: `error searching for user: some user search error`,
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
},
{
name: "when searching for the user's groups returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(nil, errors.New("some group search error")).Times(1)
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(`error searching for group memberships for user with DN "%s": some group search error`, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns no results",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
wantUnauthenticated: true,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns multiple results",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{DN: testUserSearchResultDNValue},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{DN: "some-other-dn"},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`searching for user "%s" resulted in 2 search results, but expected 1 result`, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user without a DN",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{DN: ""},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`searching for user "%s" resulted in search result without DN`, testUpstreamUsername),
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
{
name: "when searching for the user's groups returns a group without a DN",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: "",
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue2}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`searching for group memberships for user with DN "%s" resulted in search result without DN`,
testUserSearchResultDNValue),
},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user without an expected username attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(
`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchUsernameAttribute, testUpstreamUsername),
},
{
name: "when searching for the group memberships returns a group without an expected group name attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute("unrelated attribute", []string{"anything"}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`error searching for group memberships for user with DN "%s": found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with too many values for the expected username attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testUserSearchResultUsernameAttributeValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
"unexpected-additional-value",
}),
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(
`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchUsernameAttribute, testUpstreamUsername),
},
{
name: "when searching for the group memberships returns a group with too many values for the expected group name attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{
testGroupSearchResultGroupNameAttributeValue1,
"unexpected-additional-value",
}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`error searching for group memberships for user with DN "%s": found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with an empty value for the expected username attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{""}),
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(
`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
testUserSearchUsernameAttribute, testUpstreamUsername),
},
{
name: "when searching for the group memberships returns a group with an empty value for for the expected group name attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{""}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(
`error searching for group memberships for user with DN "%s": found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user without an expected UID attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with too many values for the expected UID attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
testUserSearchResultUIDAttributeValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
"unexpected-additional-value",
}),
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
},
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when searching for the user returns a user with an empty value for the expected UID attribute",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(&ldap.SearchResult{
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Entries: []*ldap.Entry{
{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
DN: testUserSearchResultDNValue,
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
Attributes: []*ldap.EntryAttribute{
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{""}),
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`, testUserSearchUIDAttribute, testUpstreamUsername),
},
Add unit tests for group parsing overrides
2022-02-11 22:43:37 +00:00
{
name: "when the group search has an override func that errors",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(func(p *ProviderConfig) {
p.GroupAttributeParsingOverrides = map[string]func(*ldap.Entry) (string, error){testGroupSearchGroupNameAttribute: func(entry *ldap.Entry) (string, error) {
return "", errors.New("some error")
}}
}),
searchMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf("error finding groups for user %s: some error", testUserSearchResultDNValue),
},
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when binding as the found user returns an error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Return(errors.New("some bind error")).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
skipDryRunAuthenticateUser: true,
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantError: fmt.Sprintf(`error binding for user "%s" using provided password against DN "%s": some bind error`, testUpstreamUsername, testUserSearchResultDNValue),
Handle error cases during LDAP user search and bind
2021-04-13 15:38:04 +00:00
},
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
{
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
name: "when binding as the found user returns a specific invalid credentials error",
username: testUpstreamUsername,
password: testUpstreamPassword,
providerConfig: providerConfig(nil),
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
searchMocks: func(conn *mockldapconn.MockConn) {
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Search(expectedUserSearch(nil)).Return(exampleUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
Return(exampleGroupSearchResult, nil).Times(1)
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
conn.EXPECT().Close().Times(1)
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
wantUnauthenticated: true,
skipDryRunAuthenticateUser: true,
bindEndUserMocks: func(conn *mockldapconn.MockConn) {
Some updates based on PR review
2021-04-27 19:43:09 +00:00
err := &ldap.Error{
Err: errors.New("some bind error"),
ResultCode: ldap.LDAPResultInvalidCredentials,
}
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Return(err).Times(1)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
},
{
name: "when no username is specified",
username: "",
password: testUpstreamPassword,
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
providerConfig: providerConfig(nil),
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
wantToSkipDial: true,
wantUnauthenticated: true,
},
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
}
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
for _, test := range tests {
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
tt := test
t.Run(tt.name, func(t *testing.T) {
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
ctrl := gomock.NewController(t)
t.Cleanup(ctrl.Finish)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
conn := mockldapconn.NewMockConn(ctrl)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
if tt.searchMocks != nil {
tt.searchMocks(conn)
}
if tt.bindEndUserMocks != nil {
tt.bindEndUserMocks(conn)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
dialWasAttempted := false
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
tt.providerConfig.Dialer = LDAPDialerFunc(func(ctx context.Context, addr endpointaddr.HostPort) (Conn, error) {
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
dialWasAttempted = true
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
require.Equal(t, tt.providerConfig.Host, addr.Endpoint())
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
if tt.dialError != nil {
return nil, tt.dialError
}
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
return conn, nil
Add a little more logic to ldap_upstream_watcher.go
2021-04-12 18:23:08 +00:00
})
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
Incorporate PR feedback
2021-12-07 00:24:31 +00:00
ldapProvider := New(*tt.providerConfig)
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Incorporate PR feedback
2021-12-07 00:24:31 +00:00
authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password)
Add integration test for upstreamldap.Provider - The unit tests for upstreamldap.Provider need to mock the LDAP server, so add an integration test which allows us to get fast feedback for this code against a real LDAP server. - Automatically wrap the user search filter in parenthesis if it is not already wrapped in parens. - More special handling for using "dn" as the username or UID attribute name. - Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 22:23:14 +00:00
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
switch {
case tt.wantError != "":
require.EqualError(t, err, tt.wantError)
require.False(t, authenticated)
require.Nil(t, authResponse)
case tt.wantUnauthenticated:
require.NoError(t, err)
require.False(t, authenticated)
require.Nil(t, authResponse)
default:
require.NoError(t, err)
require.True(t, authenticated)
require.Equal(t, tt.wantAuthResponse, authResponse)
}
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
// DryRunAuthenticateUser() should have the same behavior as AuthenticateUser() except that it does not bind
// as the end user to confirm their password. Since it should behave the same, all of the same test cases
// apply, except for those which are specifically testing what happens when the end user bind fails.
if tt.skipDryRunAuthenticateUser {
return // move on to the next test
}
// Reset some variables to get ready to call DryRunAuthenticateUser().
dialWasAttempted = false
conn = mockldapconn.NewMockConn(ctrl)
if tt.searchMocks != nil {
tt.searchMocks(conn)
}
// Skip tt.bindEndUserMocks since DryRunAuthenticateUser() never binds as the end user.
Incorporate PR feedback
2021-12-07 00:24:31 +00:00
authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username)
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
switch {
case tt.wantError != "":
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
require.EqualError(t, err, tt.wantError)
require.False(t, authenticated)
require.Nil(t, authResponse)
Return unauthenticated instead of error for bad username or password - Bad usernames and passwords aren't really errors, since they are based on end-user input. - Other kinds of authentication failures are caused by bad configuration so still treat those as errors. - Empty usernames and passwords are already prevented by our endpoint handler, but just to be safe make sure they cause errors inside the authenticator too.
2021-04-13 23:22:13 +00:00
case tt.wantUnauthenticated:
require.NoError(t, err)
require.False(t, authenticated)
require.Nil(t, authResponse)
default:
Started implementation of LDAP user search and bind
2021-04-13 00:50:25 +00:00
require.NoError(t, err)
require.True(t, authenticated)
require.Equal(t, tt.wantAuthResponse, authResponse)
ldap: add initial stub upstream LDAP connection package Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 15:38:53 +00:00
}
})
}
}
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
func TestUpstreamRefresh(t *testing.T) {
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
pwdLastSetAttribute := "pwdLastSet"
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
expectedUserSearch := &ldap.SearchRequest{
BaseDN: testUserSearchResultDNValue,
Scope: ldap.ScopeBaseObject,
DerefAliases: ldap.NeverDerefAliases,
SizeLimit: 2,
TimeLimit: 90,
TypesOnly: false,
Filter: "(objectClass=*)",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
Attributes: []string{testUserSearchUsernameAttribute, testUserSearchUIDAttribute, pwdLastSetAttribute},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
Controls: nil, // don't need paging because we set the SizeLimit so small
}
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
expectedGroupSearch := &ldap.SearchRequest{
BaseDN: testGroupSearchBase,
Scope: ldap.ScopeWholeSubtree,
DerefAliases: ldap.NeverDerefAliases,
SizeLimit: 0, // unlimited size because we will search with paging
TimeLimit: 90,
TypesOnly: false,
Filter: testGroupSearchFilterInterpolated,
Attributes: []string{testGroupSearchGroupNameAttribute},
Controls: nil, // nil because ldap.SearchWithPaging() will set the appropriate controls for us
}
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
happyPathUserSearchResult := &ldap.SearchResult{
Entries: []*ldap.Entry{
{
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte(testUserSearchResultUIDAttributeValue)},
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
{
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
Name: pwdLastSetAttribute,
Values: []string{"132801740800000000"},
ByteValues: [][]byte{[]byte("132801740800000000")},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
},
}
providerConfig := &ProviderConfig{
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
Base: testUserSearchBase,
UIDAttribute: testUserSearchUIDAttribute,
UsernameAttribute: testUserSearchUsernameAttribute,
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{
pwdLastSetAttribute: AttributeUnchangedSinceLogin(pwdLastSetAttribute),
},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}
tests := []struct {
name string
providerConfig *ProviderConfig
setupMocks func(conn *mockldapconn.MockConn)
dialError error
wantErr string
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
wantGroups []string
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}{
{
name: "happy path where searching the dn returns a single entry",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(happyPathUserSearchResult, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Always update groups even if it's nil Also de-dup groups and various small formatting changes
2022-02-14 22:01:21 +00:00
wantGroups: []string{},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
{
name: "happy path where group search returns groups",
providerConfig: &ProviderConfig{
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Base: testUserSearchBase,
UIDAttribute: testUserSearchUIDAttribute,
UsernameAttribute: testUserSearchUsernameAttribute,
},
GroupSearch: GroupSearchConfig{
Base: testGroupSearchBase,
Filter: testGroupSearchFilter,
GroupNameAttribute: testGroupSearchGroupNameAttribute,
},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{
pwdLastSetAttribute: AttributeUnchangedSinceLogin(pwdLastSetAttribute),
},
},
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(happyPathUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch, expectedGroupSearchPageSize).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testGroupSearchResultDNValue1,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue1}),
},
},
{
DN: testGroupSearchResultDNValue2,
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testGroupSearchGroupNameAttribute, []string{testGroupSearchResultGroupNameAttributeValue2}),
},
},
},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantGroups: []string{testGroupSearchResultGroupNameAttributeValue1, testGroupSearchResultGroupNameAttributeValue2},
},
{
name: "happy path where group search returns no groups",
providerConfig: &ProviderConfig{
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Base: testUserSearchBase,
UIDAttribute: testUserSearchUIDAttribute,
UsernameAttribute: testUserSearchUsernameAttribute,
},
GroupSearch: GroupSearchConfig{
Base: testGroupSearchBase,
Filter: testGroupSearchFilter,
GroupNameAttribute: testGroupSearchGroupNameAttribute,
},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{
pwdLastSetAttribute: AttributeUnchangedSinceLogin(pwdLastSetAttribute),
},
},
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(happyPathUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch, expectedGroupSearchPageSize).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{},
Referrals: []string{}, // note that we are not following referrals at this time
Controls: []ldap.Control{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantGroups: []string{},
},
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
{
name: "happy path where group search is configured but skipGroupRefresh is set",
providerConfig: &ProviderConfig{
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Base: testUserSearchBase,
UIDAttribute: testUserSearchUIDAttribute,
UsernameAttribute: testUserSearchUsernameAttribute,
},
GroupSearch: GroupSearchConfig{
Base: testGroupSearchBase,
Filter: testGroupSearchFilter,
GroupNameAttribute: testGroupSearchGroupNameAttribute,
SkipGroupRefresh: true,
},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{
pwdLastSetAttribute: AttributeUnchangedSinceLogin(pwdLastSetAttribute),
},
},
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(happyPathUserSearchResult, nil).Times(1) // note that group search is not expected
conn.EXPECT().Close().Times(1)
},
wantGroups: nil, // do not update groups
},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
{
name: "error where dial fails",
providerConfig: providerConfig,
dialError: errors.New("some dial error"),
wantErr: "error dialing host \"ldap.example.com:8443\": some dial error",
},
{
name: "error binding",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "error binding as \"cn=some-bind-username,dc=pinniped,dc=dev\" before user search: some bind error",
},
{
name: "search result returns no entries",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "searching for user \"some-upstream-user-dn\" resulted in 0 search results, but expected 1 result",
},
{
name: "error searching",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(nil, errors.New("some search error"))
conn.EXPECT().Close().Times(1)
},
wantErr: "error searching for user \"some-upstream-user-dn\": some search error",
},
{
name: "search result returns more than one entry",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{},
},
{
DN: "doesn't-matter",
Attributes: []*ldap.EntryAttribute{},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "searching for user \"some-upstream-user-dn\" resulted in 2 search results, but expected 1 result",
},
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
{
name: "search result has wrong uid",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte("wrong-uid")},
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "searching for user \"some-upstream-user-dn\" produced a different subject than the previous value. expected: \"ldaps://ldap.example.com:8443?base=some-upstream-user-base-dn&sub=c29tZS11cHN0cmVhbS11aWQtdmFsdWU\", actual: \"ldaps://ldap.example.com:8443?base=some-upstream-user-base-dn&sub=d3JvbmctdWlk\"",
},
{
name: "search result has wrong username",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{"wrong-username"},
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "searching for user \"some-upstream-user-dn\" returned a different username than the previous value. expected: \"some-upstream-username-value\", actual: \"wrong-username\"",
},
{
name: "search result has no dn",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue},
},
{
resolved a couple of testing related todos
2021-10-25 23:45:30 +00:00
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte(testUserSearchResultUIDAttributeValue)},
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "searching for user with original DN \"some-upstream-user-dn\" resulted in search result without DN",
},
resolved a couple of testing related todos
2021-10-25 23:45:30 +00:00
{
name: "search result has 0 values for username attribute",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte(testUserSearchResultUIDAttributeValue)},
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "found 0 values for attribute \"some-upstream-username-attribute\" while searching for user \"some-upstream-user-dn\", but expected 1 result",
},
{
name: "search result has more than one value for username attribute",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue, "something-else"},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte(testUserSearchResultUIDAttributeValue)},
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "found 2 values for attribute \"some-upstream-username-attribute\" while searching for user \"some-upstream-user-dn\", but expected 1 result",
},
{
name: "search result has 0 values for uid attribute",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{},
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "found 0 values for attribute \"some-upstream-uid-attribute\" while searching for user \"some-upstream-user-dn\", but expected 1 result",
},
{
name: "search result has 2 values for uid attribute",
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte(testUserSearchResultUIDAttributeValue), []byte("other-uid-value")},
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "found 2 values for attribute \"some-upstream-uid-attribute\" while searching for user \"some-upstream-user-dn\", but expected 1 result",
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "search result has a changed pwdLastSet value",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
providerConfig: providerConfig,
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: testUserSearchResultDNValue,
Attributes: []*ldap.EntryAttribute{
{
Name: testUserSearchUsernameAttribute,
Values: []string{testUserSearchResultUsernameAttributeValue},
},
{
Name: testUserSearchUIDAttribute,
ByteValues: [][]byte{[]byte(testUserSearchResultUIDAttributeValue)},
},
{
Clean up nits in AD code - Make everything private - Drop unused AuthTime field - Use %q format string instead of "%s" - Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 15:30:36 +00:00
Name: pwdLastSetAttribute,
ByteValues: [][]byte{[]byte("132801740800000001")},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantErr: "validation for attribute \"pwdLastSet\" failed during upstream refresh: value for attribute \"pwdLastSet\" has changed since initial value at login",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
{
name: "group search returns an error",
providerConfig: &ProviderConfig{
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Base: testUserSearchBase,
UIDAttribute: testUserSearchUIDAttribute,
UsernameAttribute: testUserSearchUsernameAttribute,
},
GroupSearch: GroupSearchConfig{
Base: testGroupSearchBase,
Filter: testGroupSearchFilter,
GroupNameAttribute: testGroupSearchGroupNameAttribute,
},
RefreshAttributeChecks: map[string]func(*ldap.Entry, provider.StoredRefreshAttributes) error{
pwdLastSetAttribute: AttributeUnchangedSinceLogin(pwdLastSetAttribute),
},
},
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(expectedUserSearch).Return(happyPathUserSearchResult, nil).Times(1)
conn.EXPECT().SearchWithPaging(expectedGroupSearch, expectedGroupSearchPageSize).Return(nil, errors.New("some search error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: "error searching for group memberships for user with DN \"some-upstream-user-dn\": some search error",
},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
for _, tt := range tests {
tt := tt
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
t.Run(tt.name, func(t *testing.T) {
ctrl := gomock.NewController(t)
t.Cleanup(ctrl.Finish)
conn := mockldapconn.NewMockConn(ctrl)
if tt.setupMocks != nil {
tt.setupMocks(conn)
}
dialWasAttempted := false
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
tt.providerConfig.Dialer = LDAPDialerFunc(func(ctx context.Context, addr endpointaddr.HostPort) (Conn, error) {
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
dialWasAttempted = true
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
require.Equal(t, tt.providerConfig.Host, addr.Endpoint())
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
if tt.dialError != nil {
return nil, tt.dialError
}
return conn, nil
})
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
initialPwdLastSetEncoded := base64.RawURLEncoding.EncodeToString([]byte("132801740800000000"))
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
ldapProvider := New(*tt.providerConfig)
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
subject := "ldaps://ldap.example.com:8443?base=some-upstream-user-base-dn&sub=c29tZS11cHN0cmVhbS11aWQtdmFsdWU"
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
groups, err := ldapProvider.PerformRefresh(context.Background(), provider.StoredRefreshAttributes{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
Username: testUserSearchResultUsernameAttributeValue,
Subject: subject,
DN: testUserSearchResultDNValue,
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
AdditionalAttributes: map[string]string{pwdLastSetAttribute: initialPwdLastSetEncoded},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
})
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
if tt.wantErr != "" {
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
require.Error(t, err)
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, tt.wantErr, err.Error())
} else {
require.NoError(t, err)
}
require.Equal(t, true, dialWasAttempted)
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
require.Equal(t, tt.wantGroups, groups)
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
})
}
}
Test the LDAP config by connecting to the server in the controller
2021-04-15 21:44:43 +00:00
func TestTestConnection(t *testing.T) {
providerConfig := func(editFunc func(p *ProviderConfig)) *ProviderConfig {
config := &ProviderConfig{
LDAP upstream watcher controller tries using both TLS and StartTLS - Automatically try to fall back to using StartTLS when using TLS doesn't work. Only complain when both don't work. - Remember (in-memory) which one worked and keeping using that one in the future (unless the pod restarts).
2021-05-20 19:46:33 +00:00
Name: "some-provider-name",
Host: testHost,
CABundle: nil, // this field is only used by the production dialer, which is replaced by a mock for this test
ConnectionProtocol: TLS,
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{}, // not used by TestConnection
Test the LDAP config by connecting to the server in the controller
2021-04-15 21:44:43 +00:00
}
if editFunc != nil {
editFunc(config)
}
return config
}
tests := []struct {
name string
providerConfig *ProviderConfig
setupMocks func(conn *mockldapconn.MockConn)
dialError error
wantError string
wantToSkipDial bool
}{
{
name: "happy path",
providerConfig: providerConfig(nil),
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Close().Times(1)
},
},
{
name: "when dial fails",
providerConfig: providerConfig(nil),
dialError: errors.New("some dial error"),
wantError: fmt.Sprintf(`error dialing host "%s": some dial error`, testHost),
},
{
name: "when binding as the bind user returns an error",
providerConfig: providerConfig(nil),
setupMocks: func(conn *mockldapconn.MockConn) {
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantError: fmt.Sprintf(`error binding as "%s": some bind error`, testBindUsername),
},
{
name: "when the config is invalid",
providerConfig: providerConfig(func(p *ProviderConfig) {
// This particular combination of options is not allowed.
p.UserSearch.UsernameAttribute = "dn"
p.UserSearch.Filter = ""
}),
wantToSkipDial: true,
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
},
}
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
ctrl := gomock.NewController(t)
t.Cleanup(ctrl.Finish)
conn := mockldapconn.NewMockConn(ctrl)
if tt.setupMocks != nil {
tt.setupMocks(conn)
}
dialWasAttempted := false
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
tt.providerConfig.Dialer = LDAPDialerFunc(func(ctx context.Context, addr endpointaddr.HostPort) (Conn, error) {
Test the LDAP config by connecting to the server in the controller
2021-04-15 21:44:43 +00:00
dialWasAttempted = true
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
require.Equal(t, tt.providerConfig.Host, addr.Endpoint())
Test the LDAP config by connecting to the server in the controller
2021-04-15 21:44:43 +00:00
if tt.dialError != nil {
return nil, tt.dialError
}
return conn, nil
})
provider := New(*tt.providerConfig)
err := provider.TestConnection(context.Background())
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
switch {
case tt.wantError != "":
require.EqualError(t, err, tt.wantError)
default:
require.NoError(t, err)
}
})
}
}
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
func TestGetConfig(t *testing.T) {
c := ProviderConfig{
Name: "original-provider-name",
Host: testHost,
CABundle: []byte("some-ca-bundle"),
BindUsername: testBindUsername,
BindPassword: testBindPassword,
UserSearch: UserSearchConfig{
Base: testUserSearchBase,
Filter: testUserSearchFilter,
UsernameAttribute: testUserSearchUsernameAttribute,
UIDAttribute: testUserSearchUIDAttribute,
},
}
p := New(c)
require.Equal(t, c, p.c)
require.Equal(t, c, p.GetConfig())
// The original config can be changed without impacting the provider, since the provider made a copy of the config.
c.Name = "changed-name"
require.Equal(t, "original-provider-name", p.c.Name)
// The return value of GetConfig can be modified without impacting the provider, since it is a copy of the config.
returnedConfig := p.GetConfig()
returnedConfig.Name = "changed-name"
require.Equal(t, "original-provider-name", p.c.Name)
}
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
func TestGetURL(t *testing.T) {
Add user search base to downstream subject for upstream LDAP - Also add some tests about UTF-8 characters in LDAP attributes
2021-05-27 00:04:20 +00:00
require.Equal(t,
"ldaps://ldap.example.com:1234?base=ou%3Dusers%2Cdc%3Dpinniped%2Cdc%3Ddev",
New(ProviderConfig{
Host: "ldap.example.com:1234",
UserSearch: UserSearchConfig{Base: "ou=users,dc=pinniped,dc=dev"},
}).GetURL().String())
require.Equal(t,
"ldaps://ldap.example.com?base=ou%3Dusers%2Cdc%3Dpinniped%2Cdc%3Ddev",
New(ProviderConfig{
Host: "ldap.example.com",
UserSearch: UserSearchConfig{Base: "ou=users,dc=pinniped,dc=dev"},
}).GetURL().String())
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
}
// Testing of host parsing, TLS negotiation, and CA bundle, etc. for the production code's dialer.
func TestRealTLSDialing(t *testing.T) {
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
testServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
func(server *httptest.Server) {
tlsserver.RecordTLSHello(server)
recordFunc := server.TLS.GetConfigForClient
server.TLS.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
_, _ = recordFunc(info)
r, err := http.NewRequestWithContext(info.Context(), http.MethodGet, "/this-is-ldap", nil)
require.NoError(t, err)
tlsserver.AssertTLS(t, r, ptls.DefaultLDAP)
return nil, nil
}
})
parsedURL, err := url.Parse(testServer.URL)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
require.NoError(t, err)
testServerHostAndPort := parsedURL.Host
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
testServerCABundle := tlsserver.TLSTestServerCA(testServer)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
Add another unit test for the LDAP client code
2021-05-21 19:44:01 +00:00
caForTestServerWithBadCertName, err := certauthority.New("Test CA", time.Hour)
require.NoError(t, err)
wrongIP := net.ParseIP("10.2.3.4")
cert, err := caForTestServerWithBadCertName.IssueServerCert([]string{"wrong-dns-name"}, []net.IP{wrongIP}, time.Hour)
require.NoError(t, err)
testServerWithBadCertNameAddr := testutil.TLSTestServerWithCert(t, func(w http.ResponseWriter, r *http.Request) {}, cert)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
unusedPortGrabbingListener, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
recentlyClaimedHostAndPort := unusedPortGrabbingListener.Addr().String()
require.NoError(t, unusedPortGrabbingListener.Close())
alreadyCancelledContext, cancelFunc := context.WithCancel(context.Background())
cancelFunc() // cancel it immediately
tests := []struct {
name string
host string
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto LDAPConnectionProtocol
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
caBundle []byte
context context.Context
wantError string
}{
{
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
name: "happy path",
host: testServerHostAndPort,
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
caBundle: testServerCABundle,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
context: context.Background(),
},
Add another unit test for the LDAP client code
2021-05-21 19:44:01 +00:00
{
name: "server cert name does not match the address to which the client connected",
host: testServerWithBadCertNameAddr,
caBundle: caForTestServerWithBadCertName.Bundle(),
connProto: TLS,
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": x509: certificate is valid for 10.2.3.4, not 127.0.0.1`,
},
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
{
name: "invalid CA bundle with TLS",
host: testServerHostAndPort,
caBundle: []byte("not a ca bundle"),
connProto: TLS,
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": could not parse CA bundle`,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
},
{
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
name: "invalid CA bundle with StartTLS",
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
host: testServerHostAndPort,
caBundle: []byte("not a ca bundle"),
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: StartTLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: context.Background(),
wantError: `LDAP Result Code 200 "Network Error": could not parse CA bundle`,
},
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
{
name: "invalid host with TLS",
host: "this:is:not:a:valid:hostname",
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
caBundle: testServerCABundle,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
context: context.Background(),
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
wantError: `LDAP Result Code 200 "Network Error": host "this:is:not:a:valid:hostname" is not a valid hostname or IP address`,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
},
{
name: "invalid host with StartTLS",
host: "this:is:not:a:valid:hostname",
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
caBundle: testServerCABundle,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: StartTLS,
context: context.Background(),
Convert LDAP code to use endpointaddr package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 19:46:50 +00:00
wantError: `LDAP Result Code 200 "Network Error": host "this:is:not:a:valid:hostname" is not a valid hostname or IP address`,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
},
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
{
name: "missing CA bundle when it is required because the host is not using a trusted CA",
host: testServerHostAndPort,
caBundle: nil,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: context.Background(),
Error format of untrusted certificate errors should depend on OS Go 1.18.1 started using MacOS' x509 verification APIs on Macs rather than Go's own. The error messages are different. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-15 00:37:36 +00:00
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": %s`, testutil.X509UntrustedCertError("Acme Co")),
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
},
{
name: "cannot connect to host",
// This is assuming that this port was not reclaimed by another app since the test setup ran. Seems safe enough.
host: recentlyClaimedHostAndPort,
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
caBundle: testServerCABundle,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: context.Background(),
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": dial tcp %s: connect: connection refused`, recentlyClaimedHostAndPort),
},
{
name: "pays attention to the passed context",
host: testServerHostAndPort,
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
caBundle: testServerCABundle,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: TLS,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
context: alreadyCancelledContext,
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": dial tcp %s: operation was canceled`, testServerHostAndPort),
},
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
{
name: "unsupported connection protocol",
host: testServerHostAndPort,
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
caBundle: testServerCABundle,
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
connProto: "bad usage of this type",
context: alreadyCancelledContext,
wantError: `LDAP Result Code 200 "Network Error": did not specify valid ConnectionProtocol`,
},
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
}
for _, test := range tests {
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
tt := test
t.Run(tt.name, func(t *testing.T) {
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
provider := New(ProviderConfig{
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
Host: tt.host,
CABundle: tt.caBundle,
ConnectionProtocol: tt.connProto,
Dialer: nil, // this test is for the default (production) TLS dialer
Introduce upstreamldap.New to prevent changes to the underlying config Makes it easier to support using the same upstreamldap.Provider from multiple goroutines safely.
2021-04-15 17:25:35 +00:00
})
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
conn, err := provider.dial(tt.context)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
if conn != nil {
defer conn.Close()
}
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
if tt.wantError != "" {
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
require.Nil(t, conn)
upstreamldap.New() now supports a StartTLS config option - This enhances our LDAP client code to make it possible to optionally dial an LDAP server without TLS and then use StartTLS to upgrade the connection to TLS. - The controller for LDAPIdentityProviders is not using this option yet. That will come in a future commit.
2021-05-20 00:17:44 +00:00
require.EqualError(t, err, tt.wantError)
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
} else {
require.NoError(t, err)
require.NotNil(t, conn)
// Should be an instance of the real production LDAP client type.
// Can't test its methods here because we are not dialed to a real LDAP server.
require.IsType(t, &ldap.Conn{}, conn)
Add a little more logic to ldap_upstream_watcher.go
2021-04-12 18:23:08 +00:00
// Indirectly checking that the Dialer method constructed the ldap.Conn with isTLS set to true,
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
// since this is always the correct behavior unless/until we want to support StartTLS.
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-20 11:59:24 +00:00
err := conn.(*ldap.Conn).StartTLS(ptls.DefaultLDAP(nil))
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
require.EqualError(t, err, `LDAP Result Code 200 "Network Error": ldap: already encrypted`)
}
})
}
}
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
func TestAttributeUnchangedSinceLogin(t *testing.T) {
initialVal := "some-attribute-value"
changedVal := "some-different-attribute-value"
attributeName := "some-attribute-name"
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
tests := []struct {
name string
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
entry *ldap.Entry
wantResult bool
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
wantErr string
}{
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "happy path where value has not changed since login",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
entry: &ldap.Entry{
DN: "some-dn",
Attributes: []*ldap.EntryAttribute{
{
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
Name: attributeName,
Values: []string{initialVal},
ByteValues: [][]byte{[]byte(initialVal)},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
},
},
parsing objectGUID as human-readable string version
2021-07-27 18:08:23 +00:00
},
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "password has been reset since login",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
entry: &ldap.Entry{
DN: "some-dn",
Attributes: []*ldap.EntryAttribute{
{
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
Name: attributeName,
Values: []string{changedVal},
ByteValues: [][]byte{[]byte(changedVal)},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
},
},
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
wantErr: "value for attribute \"some-attribute-name\" has changed since initial value at login",
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
},
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "no value for attribute attribute",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
entry: &ldap.Entry{
DN: "some-dn",
Attributes: []*ldap.EntryAttribute{},
},
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
wantErr: "expected to find 1 value for \"some-attribute-name\" attribute, but found 0",
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
},
{
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
name: "too many values for attribute",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
entry: &ldap.Entry{
DN: "some-dn",
Attributes: []*ldap.EntryAttribute{
{
Clean up nits in AD code - Make everything private - Drop unused AuthTime field - Use %q format string instead of "%s" - Only rely on GetRawAttributeValues in AttributeUnchangedSinceLogin Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 15:30:36 +00:00
Name: attributeName,
ByteValues: [][]byte{[]byte("val1"), []byte("val2")},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
},
},
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
wantErr: "expected to find 1 value for \"some-attribute-name\" attribute, but found 2",
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
},
}
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
initialValRawEncoded := base64.RawURLEncoding.EncodeToString([]byte(initialVal))
err := AttributeUnchangedSinceLogin(attributeName)(tt.entry, provider.StoredRefreshAttributes{AdditionalAttributes: map[string]string{attributeName: initialValRawEncoded}})
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
if tt.wantErr != "" {
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
require.Error(t, err)
require.Equal(t, tt.wantErr, err.Error())
Make new combined sAMAccountName@domain attribute the group name Also change default username attribute to userPrincipalName
2021-08-17 23:53:26 +00:00
} else {
require.NoError(t, err)
}
})
}
}