From 36819989a30f8694cb2e70692898e845906d1f84 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Wed, 28 Apr 2021 14:26:57 -0700 Subject: [PATCH] Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec Signed-off-by: Margo Crawford --- .../types_ldapidentityprovider.go.tmpl | 22 ---- ...or.pinniped.dev_ldapidentityproviders.yaml | 32 ----- generated/1.17/README.adoc | 1 - .../v1alpha1/types_ldapidentityprovider.go | 22 ---- ...or.pinniped.dev_ldapidentityproviders.yaml | 32 ----- generated/1.18/README.adoc | 1 - .../v1alpha1/types_ldapidentityprovider.go | 22 ---- ...or.pinniped.dev_ldapidentityproviders.yaml | 32 ----- generated/1.19/README.adoc | 1 - .../v1alpha1/types_ldapidentityprovider.go | 22 ---- ...or.pinniped.dev_ldapidentityproviders.yaml | 32 ----- generated/1.20/README.adoc | 1 - .../v1alpha1/types_ldapidentityprovider.go | 22 ---- ...or.pinniped.dev_ldapidentityproviders.yaml | 32 ----- .../v1alpha1/types_ldapidentityprovider.go | 22 ---- hack/prepare-supervisor-on-kind.sh | 1 - .../upstreamwatcher/ldap_upstream_watcher.go | 58 +-------- .../ldap_upstream_watcher_test.go | 119 ------------------ test/integration/supervisor_login_test.go | 11 +- 19 files changed, 10 insertions(+), 475 deletions(-) diff --git a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl index 0699ddfc..d718ba65 100644 --- a/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl +++ b/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl @@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct { // UserSearch contains the configuration for searching for a user by name in the LDAP provider. UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` - - // DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. - // When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection - // to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success - // or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. - // When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a - // connection to the LDAP server and performing a full dry run of authenticating as the end user with the username - // specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for - // that end user during the authentication. This will test all of the configuration options of the - // LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the - // LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships - // were selected for the specified user. If the dry run fails, then that user would not be able to authenticate - // in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". - // Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able - // to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch - // configuration were set up such that an end user should log in using their email address as their username, then - // the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP - // server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your - // LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration - // if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become - // disabled in the future. - DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"` } // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 5ed9901b..d396129d 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -70,38 +70,6 @@ spec: required: - secretName type: object - dryRunAuthenticationUsername: - description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's - configuration is validated. When DryRunAuthenticationUsername is - blank, the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server using the Host and TLS settings and also will - bind using the Bind settings. The success or failure of the connect - and bind will be reflected in the LDAPIdentityProvider's status - conditions array. When DryRunAuthenticationUsername is not blank, - the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server and performing a full dry run of authenticating - as the end user with the username specified by DryRunAuthenticationUsername. - The dry run will act as if the correct password were specified for - that end user during the authentication. This will test all of the - configuration options of the LDAPIdentityProvider. The success or - failure of the authentication dry run will be reflected in the LDAPIdentityProvider's - status conditions array, along with details of what username, UID, - and group memberships were selected for the specified user. If the - dry run fails, then that user would not be able to authenticate - in a real authentication situation either, so the LDAPIdentityProvider's - Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername - must be a valid username of a real user who should be able to authenticate - given all of the LDAPIdentityProvider's configuration. For example, - if the UserSearch configuration were set up such that an end user - should log in using their email address as their username, then - the DryRunAuthenticationUsername should be the actual email address - of a valid user who will be found in the LDAP server by the UserSearch - criteria. Once you have used DryRunAuthenticationUsername to validate - your LDAPIdentityProvider's configuration, you might choose to remove - the DryRunAuthenticationUsername configuration if you are concerned - that the user's LDAP account could change in the future, e.g. if - the account could become disabled in the future. - type: string host: description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 111a374a..edda79aa 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. -| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future. |=== diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 0699ddfc..d718ba65 100644 --- a/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct { // UserSearch contains the configuration for searching for a user by name in the LDAP provider. UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` - - // DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. - // When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection - // to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success - // or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. - // When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a - // connection to the LDAP server and performing a full dry run of authenticating as the end user with the username - // specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for - // that end user during the authentication. This will test all of the configuration options of the - // LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the - // LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships - // were selected for the specified user. If the dry run fails, then that user would not be able to authenticate - // in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". - // Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able - // to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch - // configuration were set up such that an end user should log in using their email address as their username, then - // the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP - // server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your - // LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration - // if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become - // disabled in the future. - DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"` } // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access diff --git a/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 5ed9901b..d396129d 100644 --- a/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.17/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -70,38 +70,6 @@ spec: required: - secretName type: object - dryRunAuthenticationUsername: - description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's - configuration is validated. When DryRunAuthenticationUsername is - blank, the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server using the Host and TLS settings and also will - bind using the Bind settings. The success or failure of the connect - and bind will be reflected in the LDAPIdentityProvider's status - conditions array. When DryRunAuthenticationUsername is not blank, - the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server and performing a full dry run of authenticating - as the end user with the username specified by DryRunAuthenticationUsername. - The dry run will act as if the correct password were specified for - that end user during the authentication. This will test all of the - configuration options of the LDAPIdentityProvider. The success or - failure of the authentication dry run will be reflected in the LDAPIdentityProvider's - status conditions array, along with details of what username, UID, - and group memberships were selected for the specified user. If the - dry run fails, then that user would not be able to authenticate - in a real authentication situation either, so the LDAPIdentityProvider's - Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername - must be a valid username of a real user who should be able to authenticate - given all of the LDAPIdentityProvider's configuration. For example, - if the UserSearch configuration were set up such that an end user - should log in using their email address as their username, then - the DryRunAuthenticationUsername should be the actual email address - of a valid user who will be found in the LDAP server by the UserSearch - criteria. Once you have used DryRunAuthenticationUsername to validate - your LDAPIdentityProvider's configuration, you might choose to remove - the DryRunAuthenticationUsername configuration if you are concerned - that the user's LDAP account could change in the future, e.g. if - the account could become disabled in the future. - type: string host: description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f4849bba..cc33968f 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. -| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future. |=== diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 0699ddfc..d718ba65 100644 --- a/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct { // UserSearch contains the configuration for searching for a user by name in the LDAP provider. UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` - - // DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. - // When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection - // to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success - // or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. - // When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a - // connection to the LDAP server and performing a full dry run of authenticating as the end user with the username - // specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for - // that end user during the authentication. This will test all of the configuration options of the - // LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the - // LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships - // were selected for the specified user. If the dry run fails, then that user would not be able to authenticate - // in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". - // Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able - // to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch - // configuration were set up such that an end user should log in using their email address as their username, then - // the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP - // server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your - // LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration - // if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become - // disabled in the future. - DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"` } // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access diff --git a/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 5ed9901b..d396129d 100644 --- a/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.18/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -70,38 +70,6 @@ spec: required: - secretName type: object - dryRunAuthenticationUsername: - description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's - configuration is validated. When DryRunAuthenticationUsername is - blank, the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server using the Host and TLS settings and also will - bind using the Bind settings. The success or failure of the connect - and bind will be reflected in the LDAPIdentityProvider's status - conditions array. When DryRunAuthenticationUsername is not blank, - the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server and performing a full dry run of authenticating - as the end user with the username specified by DryRunAuthenticationUsername. - The dry run will act as if the correct password were specified for - that end user during the authentication. This will test all of the - configuration options of the LDAPIdentityProvider. The success or - failure of the authentication dry run will be reflected in the LDAPIdentityProvider's - status conditions array, along with details of what username, UID, - and group memberships were selected for the specified user. If the - dry run fails, then that user would not be able to authenticate - in a real authentication situation either, so the LDAPIdentityProvider's - Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername - must be a valid username of a real user who should be able to authenticate - given all of the LDAPIdentityProvider's configuration. For example, - if the UserSearch configuration were set up such that an end user - should log in using their email address as their username, then - the DryRunAuthenticationUsername should be the actual email address - of a valid user who will be found in the LDAP server by the UserSearch - criteria. Once you have used DryRunAuthenticationUsername to validate - your LDAPIdentityProvider's configuration, you might choose to remove - the DryRunAuthenticationUsername configuration if you are concerned - that the user's LDAP account could change in the future, e.g. if - the account could become disabled in the future. - type: string host: description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 0a938587..d0effe28 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. -| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future. |=== diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 0699ddfc..d718ba65 100644 --- a/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct { // UserSearch contains the configuration for searching for a user by name in the LDAP provider. UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` - - // DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. - // When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection - // to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success - // or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. - // When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a - // connection to the LDAP server and performing a full dry run of authenticating as the end user with the username - // specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for - // that end user during the authentication. This will test all of the configuration options of the - // LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the - // LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships - // were selected for the specified user. If the dry run fails, then that user would not be able to authenticate - // in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". - // Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able - // to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch - // configuration were set up such that an end user should log in using their email address as their username, then - // the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP - // server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your - // LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration - // if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become - // disabled in the future. - DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"` } // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access diff --git a/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 5ed9901b..d396129d 100644 --- a/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.19/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -70,38 +70,6 @@ spec: required: - secretName type: object - dryRunAuthenticationUsername: - description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's - configuration is validated. When DryRunAuthenticationUsername is - blank, the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server using the Host and TLS settings and also will - bind using the Bind settings. The success or failure of the connect - and bind will be reflected in the LDAPIdentityProvider's status - conditions array. When DryRunAuthenticationUsername is not blank, - the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server and performing a full dry run of authenticating - as the end user with the username specified by DryRunAuthenticationUsername. - The dry run will act as if the correct password were specified for - that end user during the authentication. This will test all of the - configuration options of the LDAPIdentityProvider. The success or - failure of the authentication dry run will be reflected in the LDAPIdentityProvider's - status conditions array, along with details of what username, UID, - and group memberships were selected for the specified user. If the - dry run fails, then that user would not be able to authenticate - in a real authentication situation either, so the LDAPIdentityProvider's - Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername - must be a valid username of a real user who should be able to authenticate - given all of the LDAPIdentityProvider's configuration. For example, - if the UserSearch configuration were set up such that an end user - should log in using their email address as their username, then - the DryRunAuthenticationUsername should be the actual email address - of a valid user who will be found in the LDAP server by the UserSearch - criteria. Once you have used DryRunAuthenticationUsername to validate - your LDAPIdentityProvider's configuration, you might choose to remove - the DryRunAuthenticationUsername configuration if you are concerned - that the user's LDAP account could change in the future, e.g. if - the account could become disabled in the future. - type: string host: description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 805fe2bc..348c55d0 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc @@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. -| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future. |=== diff --git a/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 0699ddfc..d718ba65 100644 --- a/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/1.20/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct { // UserSearch contains the configuration for searching for a user by name in the LDAP provider. UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` - - // DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. - // When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection - // to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success - // or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. - // When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a - // connection to the LDAP server and performing a full dry run of authenticating as the end user with the username - // specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for - // that end user during the authentication. This will test all of the configuration options of the - // LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the - // LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships - // were selected for the specified user. If the dry run fails, then that user would not be able to authenticate - // in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". - // Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able - // to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch - // configuration were set up such that an end user should log in using their email address as their username, then - // the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP - // server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your - // LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration - // if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become - // disabled in the future. - DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"` } // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access diff --git a/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 5ed9901b..d396129d 100644 --- a/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.20/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -70,38 +70,6 @@ spec: required: - secretName type: object - dryRunAuthenticationUsername: - description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's - configuration is validated. When DryRunAuthenticationUsername is - blank, the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server using the Host and TLS settings and also will - bind using the Bind settings. The success or failure of the connect - and bind will be reflected in the LDAPIdentityProvider's status - conditions array. When DryRunAuthenticationUsername is not blank, - the LDAPIdentityProvider will be validated by opening a connection - to the LDAP server and performing a full dry run of authenticating - as the end user with the username specified by DryRunAuthenticationUsername. - The dry run will act as if the correct password were specified for - that end user during the authentication. This will test all of the - configuration options of the LDAPIdentityProvider. The success or - failure of the authentication dry run will be reflected in the LDAPIdentityProvider's - status conditions array, along with details of what username, UID, - and group memberships were selected for the specified user. If the - dry run fails, then that user would not be able to authenticate - in a real authentication situation either, so the LDAPIdentityProvider's - Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername - must be a valid username of a real user who should be able to authenticate - given all of the LDAPIdentityProvider's configuration. For example, - if the UserSearch configuration were set up such that an end user - should log in using their email address as their username, then - the DryRunAuthenticationUsername should be the actual email address - of a valid user who will be found in the LDAP server by the UserSearch - criteria. Once you have used DryRunAuthenticationUsername to validate - your LDAPIdentityProvider's configuration, you might choose to remove - the DryRunAuthenticationUsername configuration if you are concerned - that the user's LDAP account could change in the future, e.g. if - the account could become disabled in the future. - type: string host: description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go index 0699ddfc..d718ba65 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct { // UserSearch contains the configuration for searching for a user by name in the LDAP provider. UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` - - // DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. - // When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection - // to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success - // or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. - // When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a - // connection to the LDAP server and performing a full dry run of authenticating as the end user with the username - // specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for - // that end user during the authentication. This will test all of the configuration options of the - // LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the - // LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships - // were selected for the specified user. If the dry run fails, then that user would not be able to authenticate - // in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". - // Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able - // to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch - // configuration were set up such that an end user should log in using their email address as their username, then - // the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP - // server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your - // LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration - // if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become - // disabled in the future. - DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"` } // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh index a5009c66..2d7c7d44 100755 --- a/hack/prepare-supervisor-on-kind.sh +++ b/hack/prepare-supervisor-on-kind.sh @@ -158,7 +158,6 @@ spec: attributes: uid: "$PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME" username: "$PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME" - dryRunAuthenticationUsername: "$PINNIPED_TEST_LDAP_USER_CN" EOF # Make a Secret for the above LDAPIdentityProvider to describe the bind account. diff --git a/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher.go b/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher.go index df7406b0..274cccd4 100644 --- a/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher.go +++ b/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher.go @@ -33,13 +33,12 @@ const ( testLDAPConnectionTimeout = 90 * time.Second // Constants related to conditions. - typeBindSecretValid = "BindSecretValid" - typeTLSConfigurationValid = "TLSConfigurationValid" - typeLDAPConnectionValid = "LDAPConnectionValid" - reasonLDAPConnectionError = "LDAPConnectionError" - reasonAuthenticationDryRunError = "AuthenticationDryRunError" - noTLSConfigurationMessage = "no TLS configuration provided" - loadedTLSConfigurationMessage = "loaded TLS configuration" + typeBindSecretValid = "BindSecretValid" + typeTLSConfigurationValid = "TLSConfigurationValid" + typeLDAPConnectionValid = "LDAPConnectionValid" + reasonLDAPConnectionError = "LDAPConnectionError" + noTLSConfigurationMessage = "no TLS configuration provided" + loadedTLSConfigurationMessage = "loaded TLS configuration" ) var ( @@ -196,10 +195,6 @@ func (c *ldapWatcherController) validateFinishedConfig(ctx context.Context, upst testConnectionTimeout, cancelFunc := context.WithTimeout(ctx, testLDAPConnectionTimeout) defer cancelFunc() - if len(upstream.Spec.DryRunAuthenticationUsername) > 0 { - return c.dryRunAuthentication(testConnectionTimeout, upstream, ldapProvider, currentSecretVersion) - } - return c.testConnection(testConnectionTimeout, upstream, config, ldapProvider, currentSecretVersion) } @@ -230,47 +225,6 @@ func (c *ldapWatcherController) testConnection( } } -func (c *ldapWatcherController) dryRunAuthentication( - ctx context.Context, - upstream *v1alpha1.LDAPIdentityProvider, - ldapProvider *upstreamldap.Provider, - currentSecretVersion string, -) *v1alpha1.Condition { - authResponse, authenticated, err := ldapProvider.DryRunAuthenticateUser(ctx, upstream.Spec.DryRunAuthenticationUsername) - if err != nil { - return &v1alpha1.Condition{ - Type: typeLDAPConnectionValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonAuthenticationDryRunError, - Message: fmt.Sprintf(`failed authentication dry run for end user "%s": %s`, - upstream.Spec.DryRunAuthenticationUsername, err.Error()), - } - } - - if !authenticated { - // Since we aren't doing a real auth with a password that could be wrong, the only reason we should get - // an unauthenticated response without an error is when the username was wrong. - return &v1alpha1.Condition{ - Type: typeLDAPConnectionValid, - Status: v1alpha1.ConditionFalse, - Reason: reasonAuthenticationDryRunError, - Message: fmt.Sprintf(`failed authentication dry run for end user "%s": user not found`, - upstream.Spec.DryRunAuthenticationUsername), - } - } - - return &v1alpha1.Condition{ - Type: typeLDAPConnectionValid, - Status: v1alpha1.ConditionTrue, - Reason: reasonSuccess, - Message: fmt.Sprintf( - `successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`, - upstream.Spec.DryRunAuthenticationUsername, - authResponse.User.GetName(), authResponse.User.GetUID(), - upstream.Spec.Bind.SecretName, currentSecretVersion), - } -} - func hasPreviousSuccessfulConditionForCurrentSpecGenerationAndSecretVersion(upstream *v1alpha1.LDAPIdentityProvider, currentSecretVersion string) bool { currentGeneration := upstream.Generation for _, c := range upstream.Status.Conditions { diff --git a/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher_test.go b/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher_test.go index 79049037..89f817a9 100644 --- a/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher_test.go +++ b/internal/controller/supervisorconfig/upstreamwatcher/ldap_upstream_watcher_test.go @@ -12,8 +12,6 @@ import ( "testing" "time" - "github.com/go-ldap/ldap/v3" - "github.com/golang/mock/gomock" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" @@ -667,123 +665,6 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) { }, }}, }, - { - name: "when DryRunAuthenticationUsername is specified and a successful dry run authentication is performed", - inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) { - upstream.Spec.DryRunAuthenticationUsername = "endUserUsername" - })}, - inputSecrets: []runtime.Object{validBindUserSecret("4242")}, - setupMocks: func(conn *mockldapconn.MockConn) { - // Should perform a full auth dry run. - conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1) - conn.EXPECT().Search(gomock.Any()).Return(&ldap.SearchResult{ - Entries: []*ldap.Entry{ - { - DN: "testFoundUserDN", - Attributes: []*ldap.EntryAttribute{ - ldap.NewEntryAttribute(testUsernameAttrName, []string{"testDownstreamUsername"}), - ldap.NewEntryAttribute(testUIDAttrName, []string{"testDownstreamUID"}), - }, - }, - }, - }, nil).Times(1) - conn.EXPECT().Close().Times(1) - }, - wantResultingCache: []*upstreamldap.ProviderConfig{providerConfigForValidUpstream}, - wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234}, - Status: v1alpha1.LDAPIdentityProviderStatus{ - Phase: "Ready", - Conditions: []v1alpha1.Condition{ - bindSecretValidTrueCondition(1234), - { - Type: "LDAPConnectionValid", - Status: "True", - LastTransitionTime: now, - Reason: "Success", - Message: fmt.Sprintf( - `successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`, - "endUserUsername", "testDownstreamUsername", "testDownstreamUID", testSecretName, "4242"), - ObservedGeneration: 1234, - }, - tlsConfigurationValidLoadedTrueCondition(1234), - }, - }, - }}, - }, - { - name: "when DryRunAuthenticationUsername is specified and the dry run authentication returns an error", - inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) { - upstream.Spec.DryRunAuthenticationUsername = "endUserUsername" - })}, - inputSecrets: []runtime.Object{validBindUserSecret("4242")}, - setupMocks: func(conn *mockldapconn.MockConn) { - // Failure during a full auth dry run. - conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1) - conn.EXPECT().Search(gomock.Any()).Return(nil, errors.New("some dry run error")).Times(1) - conn.EXPECT().Close().Times(1) - }, - wantErr: controllerlib.ErrSyntheticRequeue.Error(), - wantResultingCache: []*upstreamldap.ProviderConfig{}, - wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234}, - Status: v1alpha1.LDAPIdentityProviderStatus{ - Phase: "Error", - Conditions: []v1alpha1.Condition{ - bindSecretValidTrueCondition(1234), - { - Type: "LDAPConnectionValid", - Status: "False", - LastTransitionTime: now, - Reason: "AuthenticationDryRunError", - Message: fmt.Sprintf( - `failed authentication dry run for end user "%s": error searching for user "%s": some dry run error`, - "endUserUsername", "endUserUsername"), - ObservedGeneration: 1234, - }, - tlsConfigurationValidLoadedTrueCondition(1234), - }, - }, - }}, - }, - { - name: "when DryRunAuthenticationUsername is specified and the dry run authentication returns unauthenticated without an error", - inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) { - upstream.Spec.DryRunAuthenticationUsername = "endUserUsername" - })}, - inputSecrets: []runtime.Object{validBindUserSecret("4242")}, - setupMocks: func(conn *mockldapconn.MockConn) { - // Failure during full auth dry run which will cause it to return unauthenticated instead of error. - conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1) - conn.EXPECT().Search(gomock.Any()).Return(&ldap.SearchResult{ - // No search results means the user did not enter a valid username, which is unauthenticated instead of error. - Entries: []*ldap.Entry{}, - }, nil).Times(1) - conn.EXPECT().Close().Times(1) - }, - wantErr: controllerlib.ErrSyntheticRequeue.Error(), - wantResultingCache: []*upstreamldap.ProviderConfig{}, - wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{ - ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234}, - Status: v1alpha1.LDAPIdentityProviderStatus{ - Phase: "Error", - Conditions: []v1alpha1.Condition{ - bindSecretValidTrueCondition(1234), - { - Type: "LDAPConnectionValid", - Status: "False", - LastTransitionTime: now, - Reason: "AuthenticationDryRunError", - Message: fmt.Sprintf( - `failed authentication dry run for end user "%s": user not found`, - "endUserUsername"), - ObservedGeneration: 1234, - }, - tlsConfigurationValidLoadedTrueCondition(1234), - }, - }, - }}, - }, } for _, tt := range tests { diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index d9b2fd83..2cba7da0 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go @@ -67,7 +67,7 @@ func TestSupervisorLogin(t *testing.T) { wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", }, { - name: "ldap with email as username and with dry run", + name: "ldap with email as username", createIDP: func(t *testing.T) { t.Helper() secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth, @@ -92,12 +92,10 @@ func TestSupervisorLogin(t *testing.T) { UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName, }, }, - DryRunAuthenticationUsername: env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, }, idpv1alpha1.LDAPPhaseReady) expectedMsg := fmt.Sprintf( - `successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`, - env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, - env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue, + `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`, + env.SupervisorUpstreamLDAP.Host, env.SupervisorUpstreamLDAP.BindUsername, secret.Name, secret.ResourceVersion, ) requireSuccessfulLDAPIdentityProviderConditions(t, ldapIDP, expectedMsg) @@ -118,7 +116,7 @@ func TestSupervisorLogin(t *testing.T) { wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue), }, { - name: "ldap with CN as username and without dry run", // try another variation of configuration options + name: "ldap with CN as username ", // try another variation of configuration options createIDP: func(t *testing.T) { t.Helper() secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth, @@ -143,7 +141,6 @@ func TestSupervisorLogin(t *testing.T) { UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName, }, }, - DryRunAuthenticationUsername: "", // try without dry run }, idpv1alpha1.LDAPPhaseReady) expectedMsg := fmt.Sprintf( `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,