Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec

Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
Ryan Richard 2021-04-28 14:26:57 -07:00 committed by Margo Crawford
parent 5c62a9d0bd
commit 36819989a3
19 changed files with 10 additions and 475 deletions

View File

@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
// UserSearch contains the configuration for searching for a user by name in the LDAP provider. // UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
// that end user during the authentication. This will test all of the configuration options of the
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
// configuration were set up such that an end user should log in using their email address as their username, then
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
// disabled in the future.
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -70,38 +70,6 @@ spec:
required: required:
- secretName - secretName
type: object type: object
dryRunAuthenticationUsername:
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
configuration is validated. When DryRunAuthenticationUsername is
blank, the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server using the Host and TLS settings and also will
bind using the Bind settings. The success or failure of the connect
and bind will be reflected in the LDAPIdentityProvider's status
conditions array. When DryRunAuthenticationUsername is not blank,
the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server and performing a full dry run of authenticating
as the end user with the username specified by DryRunAuthenticationUsername.
The dry run will act as if the correct password were specified for
that end user during the authentication. This will test all of the
configuration options of the LDAPIdentityProvider. The success or
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
status conditions array, along with details of what username, UID,
and group memberships were selected for the specified user. If the
dry run fails, then that user would not be able to authenticate
in a real authentication situation either, so the LDAPIdentityProvider's
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
must be a valid username of a real user who should be able to authenticate
given all of the LDAPIdentityProvider's configuration. For example,
if the UserSearch configuration were set up such that an end user
should log in using their email address as their username, then
the DryRunAuthenticationUsername should be the actual email address
of a valid user who will be found in the LDAP server by the UserSearch
criteria. Once you have used DryRunAuthenticationUsername to validate
your LDAPIdentityProvider's configuration, you might choose to remove
the DryRunAuthenticationUsername configuration if you are concerned
that the user's LDAP account could change in the future, e.g. if
the account could become disabled in the future.
type: string
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'

View File

@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|=== |===

View File

@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
// UserSearch contains the configuration for searching for a user by name in the LDAP provider. // UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
// that end user during the authentication. This will test all of the configuration options of the
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
// configuration were set up such that an end user should log in using their email address as their username, then
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
// disabled in the future.
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -70,38 +70,6 @@ spec:
required: required:
- secretName - secretName
type: object type: object
dryRunAuthenticationUsername:
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
configuration is validated. When DryRunAuthenticationUsername is
blank, the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server using the Host and TLS settings and also will
bind using the Bind settings. The success or failure of the connect
and bind will be reflected in the LDAPIdentityProvider's status
conditions array. When DryRunAuthenticationUsername is not blank,
the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server and performing a full dry run of authenticating
as the end user with the username specified by DryRunAuthenticationUsername.
The dry run will act as if the correct password were specified for
that end user during the authentication. This will test all of the
configuration options of the LDAPIdentityProvider. The success or
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
status conditions array, along with details of what username, UID,
and group memberships were selected for the specified user. If the
dry run fails, then that user would not be able to authenticate
in a real authentication situation either, so the LDAPIdentityProvider's
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
must be a valid username of a real user who should be able to authenticate
given all of the LDAPIdentityProvider's configuration. For example,
if the UserSearch configuration were set up such that an end user
should log in using their email address as their username, then
the DryRunAuthenticationUsername should be the actual email address
of a valid user who will be found in the LDAP server by the UserSearch
criteria. Once you have used DryRunAuthenticationUsername to validate
your LDAPIdentityProvider's configuration, you might choose to remove
the DryRunAuthenticationUsername configuration if you are concerned
that the user's LDAP account could change in the future, e.g. if
the account could become disabled in the future.
type: string
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'

View File

@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|=== |===

View File

@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
// UserSearch contains the configuration for searching for a user by name in the LDAP provider. // UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
// that end user during the authentication. This will test all of the configuration options of the
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
// configuration were set up such that an end user should log in using their email address as their username, then
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
// disabled in the future.
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -70,38 +70,6 @@ spec:
required: required:
- secretName - secretName
type: object type: object
dryRunAuthenticationUsername:
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
configuration is validated. When DryRunAuthenticationUsername is
blank, the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server using the Host and TLS settings and also will
bind using the Bind settings. The success or failure of the connect
and bind will be reflected in the LDAPIdentityProvider's status
conditions array. When DryRunAuthenticationUsername is not blank,
the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server and performing a full dry run of authenticating
as the end user with the username specified by DryRunAuthenticationUsername.
The dry run will act as if the correct password were specified for
that end user during the authentication. This will test all of the
configuration options of the LDAPIdentityProvider. The success or
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
status conditions array, along with details of what username, UID,
and group memberships were selected for the specified user. If the
dry run fails, then that user would not be able to authenticate
in a real authentication situation either, so the LDAPIdentityProvider's
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
must be a valid username of a real user who should be able to authenticate
given all of the LDAPIdentityProvider's configuration. For example,
if the UserSearch configuration were set up such that an end user
should log in using their email address as their username, then
the DryRunAuthenticationUsername should be the actual email address
of a valid user who will be found in the LDAP server by the UserSearch
criteria. Once you have used DryRunAuthenticationUsername to validate
your LDAPIdentityProvider's configuration, you might choose to remove
the DryRunAuthenticationUsername configuration if you are concerned
that the user's LDAP account could change in the future, e.g. if
the account could become disabled in the future.
type: string
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'

View File

@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|=== |===

View File

@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
// UserSearch contains the configuration for searching for a user by name in the LDAP provider. // UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
// that end user during the authentication. This will test all of the configuration options of the
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
// configuration were set up such that an end user should log in using their email address as their username, then
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
// disabled in the future.
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -70,38 +70,6 @@ spec:
required: required:
- secretName - secretName
type: object type: object
dryRunAuthenticationUsername:
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
configuration is validated. When DryRunAuthenticationUsername is
blank, the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server using the Host and TLS settings and also will
bind using the Bind settings. The success or failure of the connect
and bind will be reflected in the LDAPIdentityProvider's status
conditions array. When DryRunAuthenticationUsername is not blank,
the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server and performing a full dry run of authenticating
as the end user with the username specified by DryRunAuthenticationUsername.
The dry run will act as if the correct password were specified for
that end user during the authentication. This will test all of the
configuration options of the LDAPIdentityProvider. The success or
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
status conditions array, along with details of what username, UID,
and group memberships were selected for the specified user. If the
dry run fails, then that user would not be able to authenticate
in a real authentication situation either, so the LDAPIdentityProvider's
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
must be a valid username of a real user who should be able to authenticate
given all of the LDAPIdentityProvider's configuration. For example,
if the UserSearch configuration were set up such that an end user
should log in using their email address as their username, then
the DryRunAuthenticationUsername should be the actual email address
of a valid user who will be found in the LDAP server by the UserSearch
criteria. Once you have used DryRunAuthenticationUsername to validate
your LDAPIdentityProvider's configuration, you might choose to remove
the DryRunAuthenticationUsername configuration if you are concerned
that the user's LDAP account could change in the future, e.g. if
the account could become disabled in the future.
type: string
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'

View File

@ -757,7 +757,6 @@ Spec for configuring an LDAP identity provider.
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS contains the connection settings for how to establish the connection to the Host.
| *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. | *`bind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderbind[$$LDAPIdentityProviderBind$$]__ | Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
| *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider. | *`userSearch`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-ldapidentityproviderusersearch[$$LDAPIdentityProviderUserSearch$$]__ | UserSearch contains the configuration for searching for a user by name in the LDAP provider.
| *`dryRunAuthenticationUsername`* __string__ | DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated. When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array. When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a connection to the LDAP server and performing a full dry run of authenticating as the end user with the username specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for that end user during the authentication. This will test all of the configuration options of the LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships were selected for the specified user. If the dry run fails, then that user would not be able to authenticate in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch configuration were set up such that an end user should log in using their email address as their username, then the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become disabled in the future.
|=== |===

View File

@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
// UserSearch contains the configuration for searching for a user by name in the LDAP provider. // UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
// that end user during the authentication. This will test all of the configuration options of the
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
// configuration were set up such that an end user should log in using their email address as their username, then
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
// disabled in the future.
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -70,38 +70,6 @@ spec:
required: required:
- secretName - secretName
type: object type: object
dryRunAuthenticationUsername:
description: DryRunAuthenticationUsername influences how the LDAPIdentityProvider's
configuration is validated. When DryRunAuthenticationUsername is
blank, the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server using the Host and TLS settings and also will
bind using the Bind settings. The success or failure of the connect
and bind will be reflected in the LDAPIdentityProvider's status
conditions array. When DryRunAuthenticationUsername is not blank,
the LDAPIdentityProvider will be validated by opening a connection
to the LDAP server and performing a full dry run of authenticating
as the end user with the username specified by DryRunAuthenticationUsername.
The dry run will act as if the correct password were specified for
that end user during the authentication. This will test all of the
configuration options of the LDAPIdentityProvider. The success or
failure of the authentication dry run will be reflected in the LDAPIdentityProvider's
status conditions array, along with details of what username, UID,
and group memberships were selected for the specified user. If the
dry run fails, then that user would not be able to authenticate
in a real authentication situation either, so the LDAPIdentityProvider's
Status.Phase will be set to "Error". Therefore, the specified DryRunAuthenticationUsername
must be a valid username of a real user who should be able to authenticate
given all of the LDAPIdentityProvider's configuration. For example,
if the UserSearch configuration were set up such that an end user
should log in using their email address as their username, then
the DryRunAuthenticationUsername should be the actual email address
of a valid user who will be found in the LDAP server by the UserSearch
criteria. Once you have used DryRunAuthenticationUsername to validate
your LDAPIdentityProvider's configuration, you might choose to remove
the DryRunAuthenticationUsername configuration if you are concerned
that the user's LDAP account could change in the future, e.g. if
the account could become disabled in the future.
type: string
host: host:
description: 'Host is the hostname of this LDAP identity provider, description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.' i.e., where to connect. For example: ldap.example.com:636.'

View File

@ -100,28 +100,6 @@ type LDAPIdentityProviderSpec struct {
// UserSearch contains the configuration for searching for a user by name in the LDAP provider. // UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// DryRunAuthenticationUsername influences how the LDAPIdentityProvider's configuration is validated.
// When DryRunAuthenticationUsername is blank, the LDAPIdentityProvider will be validated by opening a connection
// to the LDAP server using the Host and TLS settings and also will bind using the Bind settings. The success
// or failure of the connect and bind will be reflected in the LDAPIdentityProvider's status conditions array.
// When DryRunAuthenticationUsername is not blank, the LDAPIdentityProvider will be validated by opening a
// connection to the LDAP server and performing a full dry run of authenticating as the end user with the username
// specified by DryRunAuthenticationUsername. The dry run will act as if the correct password were specified for
// that end user during the authentication. This will test all of the configuration options of the
// LDAPIdentityProvider. The success or failure of the authentication dry run will be reflected in the
// LDAPIdentityProvider's status conditions array, along with details of what username, UID, and group memberships
// were selected for the specified user. If the dry run fails, then that user would not be able to authenticate
// in a real authentication situation either, so the LDAPIdentityProvider's Status.Phase will be set to "Error".
// Therefore, the specified DryRunAuthenticationUsername must be a valid username of a real user who should be able
// to authenticate given all of the LDAPIdentityProvider's configuration. For example, if the UserSearch
// configuration were set up such that an end user should log in using their email address as their username, then
// the DryRunAuthenticationUsername should be the actual email address of a valid user who will be found in the LDAP
// server by the UserSearch criteria. Once you have used DryRunAuthenticationUsername to validate your
// LDAPIdentityProvider's configuration, you might choose to remove the DryRunAuthenticationUsername configuration
// if you are concerned that the user's LDAP account could change in the future, e.g. if the account could become
// disabled in the future.
DryRunAuthenticationUsername string `json:"dryRunAuthenticationUsername,omitempty"`
} }
// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access // LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access

View File

@ -158,7 +158,6 @@ spec:
attributes: attributes:
uid: "$PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME" uid: "$PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME"
username: "$PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME" username: "$PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME"
dryRunAuthenticationUsername: "$PINNIPED_TEST_LDAP_USER_CN"
EOF EOF
# Make a Secret for the above LDAPIdentityProvider to describe the bind account. # Make a Secret for the above LDAPIdentityProvider to describe the bind account.

View File

@ -33,13 +33,12 @@ const (
testLDAPConnectionTimeout = 90 * time.Second testLDAPConnectionTimeout = 90 * time.Second
// Constants related to conditions. // Constants related to conditions.
typeBindSecretValid = "BindSecretValid" typeBindSecretValid = "BindSecretValid"
typeTLSConfigurationValid = "TLSConfigurationValid" typeTLSConfigurationValid = "TLSConfigurationValid"
typeLDAPConnectionValid = "LDAPConnectionValid" typeLDAPConnectionValid = "LDAPConnectionValid"
reasonLDAPConnectionError = "LDAPConnectionError" reasonLDAPConnectionError = "LDAPConnectionError"
reasonAuthenticationDryRunError = "AuthenticationDryRunError" noTLSConfigurationMessage = "no TLS configuration provided"
noTLSConfigurationMessage = "no TLS configuration provided" loadedTLSConfigurationMessage = "loaded TLS configuration"
loadedTLSConfigurationMessage = "loaded TLS configuration"
) )
var ( var (
@ -196,10 +195,6 @@ func (c *ldapWatcherController) validateFinishedConfig(ctx context.Context, upst
testConnectionTimeout, cancelFunc := context.WithTimeout(ctx, testLDAPConnectionTimeout) testConnectionTimeout, cancelFunc := context.WithTimeout(ctx, testLDAPConnectionTimeout)
defer cancelFunc() defer cancelFunc()
if len(upstream.Spec.DryRunAuthenticationUsername) > 0 {
return c.dryRunAuthentication(testConnectionTimeout, upstream, ldapProvider, currentSecretVersion)
}
return c.testConnection(testConnectionTimeout, upstream, config, ldapProvider, currentSecretVersion) return c.testConnection(testConnectionTimeout, upstream, config, ldapProvider, currentSecretVersion)
} }
@ -230,47 +225,6 @@ func (c *ldapWatcherController) testConnection(
} }
} }
func (c *ldapWatcherController) dryRunAuthentication(
ctx context.Context,
upstream *v1alpha1.LDAPIdentityProvider,
ldapProvider *upstreamldap.Provider,
currentSecretVersion string,
) *v1alpha1.Condition {
authResponse, authenticated, err := ldapProvider.DryRunAuthenticateUser(ctx, upstream.Spec.DryRunAuthenticationUsername)
if err != nil {
return &v1alpha1.Condition{
Type: typeLDAPConnectionValid,
Status: v1alpha1.ConditionFalse,
Reason: reasonAuthenticationDryRunError,
Message: fmt.Sprintf(`failed authentication dry run for end user "%s": %s`,
upstream.Spec.DryRunAuthenticationUsername, err.Error()),
}
}
if !authenticated {
// Since we aren't doing a real auth with a password that could be wrong, the only reason we should get
// an unauthenticated response without an error is when the username was wrong.
return &v1alpha1.Condition{
Type: typeLDAPConnectionValid,
Status: v1alpha1.ConditionFalse,
Reason: reasonAuthenticationDryRunError,
Message: fmt.Sprintf(`failed authentication dry run for end user "%s": user not found`,
upstream.Spec.DryRunAuthenticationUsername),
}
}
return &v1alpha1.Condition{
Type: typeLDAPConnectionValid,
Status: v1alpha1.ConditionTrue,
Reason: reasonSuccess,
Message: fmt.Sprintf(
`successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`,
upstream.Spec.DryRunAuthenticationUsername,
authResponse.User.GetName(), authResponse.User.GetUID(),
upstream.Spec.Bind.SecretName, currentSecretVersion),
}
}
func hasPreviousSuccessfulConditionForCurrentSpecGenerationAndSecretVersion(upstream *v1alpha1.LDAPIdentityProvider, currentSecretVersion string) bool { func hasPreviousSuccessfulConditionForCurrentSpecGenerationAndSecretVersion(upstream *v1alpha1.LDAPIdentityProvider, currentSecretVersion string) bool {
currentGeneration := upstream.Generation currentGeneration := upstream.Generation
for _, c := range upstream.Status.Conditions { for _, c := range upstream.Status.Conditions {

View File

@ -12,8 +12,6 @@ import (
"testing" "testing"
"time" "time"
"github.com/go-ldap/ldap/v3"
"github.com/golang/mock/gomock" "github.com/golang/mock/gomock"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
@ -667,123 +665,6 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
}, },
}}, }},
}, },
{
name: "when DryRunAuthenticationUsername is specified and a successful dry run authentication is performed",
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
upstream.Spec.DryRunAuthenticationUsername = "endUserUsername"
})},
inputSecrets: []runtime.Object{validBindUserSecret("4242")},
setupMocks: func(conn *mockldapconn.MockConn) {
// Should perform a full auth dry run.
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(gomock.Any()).Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "testFoundUserDN",
Attributes: []*ldap.EntryAttribute{
ldap.NewEntryAttribute(testUsernameAttrName, []string{"testDownstreamUsername"}),
ldap.NewEntryAttribute(testUIDAttrName, []string{"testDownstreamUID"}),
},
},
},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantResultingCache: []*upstreamldap.ProviderConfig{providerConfigForValidUpstream},
wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234},
Status: v1alpha1.LDAPIdentityProviderStatus{
Phase: "Ready",
Conditions: []v1alpha1.Condition{
bindSecretValidTrueCondition(1234),
{
Type: "LDAPConnectionValid",
Status: "True",
LastTransitionTime: now,
Reason: "Success",
Message: fmt.Sprintf(
`successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`,
"endUserUsername", "testDownstreamUsername", "testDownstreamUID", testSecretName, "4242"),
ObservedGeneration: 1234,
},
tlsConfigurationValidLoadedTrueCondition(1234),
},
},
}},
},
{
name: "when DryRunAuthenticationUsername is specified and the dry run authentication returns an error",
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
upstream.Spec.DryRunAuthenticationUsername = "endUserUsername"
})},
inputSecrets: []runtime.Object{validBindUserSecret("4242")},
setupMocks: func(conn *mockldapconn.MockConn) {
// Failure during a full auth dry run.
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(gomock.Any()).Return(nil, errors.New("some dry run error")).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantResultingCache: []*upstreamldap.ProviderConfig{},
wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234},
Status: v1alpha1.LDAPIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
bindSecretValidTrueCondition(1234),
{
Type: "LDAPConnectionValid",
Status: "False",
LastTransitionTime: now,
Reason: "AuthenticationDryRunError",
Message: fmt.Sprintf(
`failed authentication dry run for end user "%s": error searching for user "%s": some dry run error`,
"endUserUsername", "endUserUsername"),
ObservedGeneration: 1234,
},
tlsConfigurationValidLoadedTrueCondition(1234),
},
},
}},
},
{
name: "when DryRunAuthenticationUsername is specified and the dry run authentication returns unauthenticated without an error",
inputUpstreams: []runtime.Object{editedValidUpstream(func(upstream *v1alpha1.LDAPIdentityProvider) {
upstream.Spec.DryRunAuthenticationUsername = "endUserUsername"
})},
inputSecrets: []runtime.Object{validBindUserSecret("4242")},
setupMocks: func(conn *mockldapconn.MockConn) {
// Failure during full auth dry run which will cause it to return unauthenticated instead of error.
conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
conn.EXPECT().Search(gomock.Any()).Return(&ldap.SearchResult{
// No search results means the user did not enter a valid username, which is unauthenticated instead of error.
Entries: []*ldap.Entry{},
}, nil).Times(1)
conn.EXPECT().Close().Times(1)
},
wantErr: controllerlib.ErrSyntheticRequeue.Error(),
wantResultingCache: []*upstreamldap.ProviderConfig{},
wantResultingUpstreams: []v1alpha1.LDAPIdentityProvider{{
ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234},
Status: v1alpha1.LDAPIdentityProviderStatus{
Phase: "Error",
Conditions: []v1alpha1.Condition{
bindSecretValidTrueCondition(1234),
{
Type: "LDAPConnectionValid",
Status: "False",
LastTransitionTime: now,
Reason: "AuthenticationDryRunError",
Message: fmt.Sprintf(
`failed authentication dry run for end user "%s": user not found`,
"endUserUsername"),
ObservedGeneration: 1234,
},
tlsConfigurationValidLoadedTrueCondition(1234),
},
},
}},
},
} }
for _, tt := range tests { for _, tt := range tests {

View File

@ -67,7 +67,7 @@ func TestSupervisorLogin(t *testing.T) {
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+", wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
}, },
{ {
name: "ldap with email as username and with dry run", name: "ldap with email as username",
createIDP: func(t *testing.T) { createIDP: func(t *testing.T) {
t.Helper() t.Helper()
secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth, secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@ -92,12 +92,10 @@ func TestSupervisorLogin(t *testing.T) {
UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName, UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
}, },
}, },
DryRunAuthenticationUsername: env.SupervisorUpstreamLDAP.TestUserMailAttributeValue,
}, idpv1alpha1.LDAPPhaseReady) }, idpv1alpha1.LDAPPhaseReady)
expectedMsg := fmt.Sprintf( expectedMsg := fmt.Sprintf(
`successful authentication dry run for end user "%s": selected username "%s" and UID "%s" [validated with Secret "%s" at version "%s"]`, `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, env.SupervisorUpstreamLDAP.Host, env.SupervisorUpstreamLDAP.BindUsername,
env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue,
secret.Name, secret.ResourceVersion, secret.Name, secret.ResourceVersion,
) )
requireSuccessfulLDAPIdentityProviderConditions(t, ldapIDP, expectedMsg) requireSuccessfulLDAPIdentityProviderConditions(t, ldapIDP, expectedMsg)
@ -118,7 +116,7 @@ func TestSupervisorLogin(t *testing.T) {
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue), wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue),
}, },
{ {
name: "ldap with CN as username and without dry run", // try another variation of configuration options name: "ldap with CN as username ", // try another variation of configuration options
createIDP: func(t *testing.T) { createIDP: func(t *testing.T) {
t.Helper() t.Helper()
secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth, secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@ -143,7 +141,6 @@ func TestSupervisorLogin(t *testing.T) {
UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName, UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
}, },
}, },
DryRunAuthenticationUsername: "", // try without dry run
}, idpv1alpha1.LDAPPhaseReady) }, idpv1alpha1.LDAPPhaseReady)
expectedMsg := fmt.Sprintf( expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`, `successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,