Refactoring defaulting logic

This commit is contained in:
Margo Crawford 2021-07-21 17:06:52 -07:00
parent f99f7be836
commit 91085e68f9
5 changed files with 56 additions and 59 deletions

View File

@ -392,6 +392,7 @@ export PINNIPED_TEST_AD_USER_PASSWORD="$(gcloud secrets versions access latest -
export PINNIPED_TEST_AD_LDAPS_CA_BUNDLE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-ca-data' -)" export PINNIPED_TEST_AD_LDAPS_CA_BUNDLE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-ca-data' -)"
export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_DN="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-groups-dn' -)" export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_DN="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-groups-dn' -)"
export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_CN="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-groups-cn' -)" export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_CN="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-groups-cn' -)"
export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_SAMACCOUNTNAME="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-and-nested-groups-samaccountnames' -)"
fi fi
read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true

View File

@ -43,7 +43,7 @@ const (
// - is a group. // - is a group.
// - has a member that matches the DN of the user we successfully logged in as. // - has a member that matches the DN of the user we successfully logged in as.
// - perform nested group search by default. // - perform nested group search by default.
defaultActiveDirectoryGroupSearchFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})" defaultActiveDirectoryGroupSearchFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))"
) )
type activeDirectoryUpstreamGenericLDAPImpl struct { type activeDirectoryUpstreamGenericLDAPImpl struct {
@ -142,14 +142,23 @@ func (u *activeDirectoryUpstreamGenericLDAPUserSearch) Base() string {
} }
func (u *activeDirectoryUpstreamGenericLDAPUserSearch) Filter() string { func (u *activeDirectoryUpstreamGenericLDAPUserSearch) Filter() string {
if len(u.userSearch.Filter) == 0 {
return defaultActiveDirectoryUserSearchFilter
}
return u.userSearch.Filter return u.userSearch.Filter
} }
func (u *activeDirectoryUpstreamGenericLDAPUserSearch) UsernameAttribute() string { func (u *activeDirectoryUpstreamGenericLDAPUserSearch) UsernameAttribute() string {
if len(u.userSearch.Attributes.Username) == 0 {
return defaultActiveDirectoryUsernameAttributeName
}
return u.userSearch.Attributes.Username return u.userSearch.Attributes.Username
} }
func (u *activeDirectoryUpstreamGenericLDAPUserSearch) UIDAttribute() string { func (u *activeDirectoryUpstreamGenericLDAPUserSearch) UIDAttribute() string {
if len(u.userSearch.Attributes.UID) == 0 {
return defaultActiveDirectoryUIDAttributeName
}
return u.userSearch.Attributes.UID return u.userSearch.Attributes.UID
} }
@ -162,10 +171,16 @@ func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) Base() string {
} }
func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) Filter() string { func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) Filter() string {
if len(g.groupSearch.Filter) == 0 {
return defaultActiveDirectoryGroupSearchFilter
}
return g.groupSearch.Filter return g.groupSearch.Filter
} }
func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) GroupNameAttribute() string { func (g *activeDirectoryUpstreamGenericLDAPGroupSearch) GroupNameAttribute() string {
if len(g.groupSearch.Attributes.GroupName) == 0 {
return defaultActiveDirectoryGroupNameAttributeName
}
return g.groupSearch.Attributes.GroupName return g.groupSearch.Attributes.GroupName
} }
@ -275,48 +290,26 @@ func (c *activeDirectoryWatcherController) Sync(ctx controllerlib.Context) error
func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider) (p provider.UpstreamLDAPIdentityProviderI, requeue bool) { func (c *activeDirectoryWatcherController) validateUpstream(ctx context.Context, upstream *v1alpha1.ActiveDirectoryIdentityProvider) (p provider.UpstreamLDAPIdentityProviderI, requeue bool) {
spec := upstream.Spec spec := upstream.Spec
usernameAttribute := spec.UserSearch.Attributes.Username adUpstreamImpl := activeDirectoryUpstreamGenericLDAPImpl{*upstream}
if len(usernameAttribute) == 0 {
usernameAttribute = defaultActiveDirectoryUsernameAttributeName
}
uidAttribute := spec.UserSearch.Attributes.UID
if len(uidAttribute) == 0 {
uidAttribute = defaultActiveDirectoryUIDAttributeName
}
groupNameAttribute := spec.GroupSearch.Attributes.GroupName
if len(groupNameAttribute) == 0 {
groupNameAttribute = defaultActiveDirectoryGroupNameAttributeName
}
userSearchFilter := spec.UserSearch.Filter
if len(userSearchFilter) == 0 {
userSearchFilter = defaultActiveDirectoryUserSearchFilter
}
groupSearchFilter := spec.GroupSearch.Filter
if len(groupSearchFilter) == 0 {
groupSearchFilter = defaultActiveDirectoryGroupSearchFilter
}
config := &upstreamldap.ProviderConfig{ config := &upstreamldap.ProviderConfig{
Name: upstream.Name, Name: upstream.Name,
Host: spec.Host, Host: spec.Host,
UserSearch: upstreamldap.UserSearchConfig{ UserSearch: upstreamldap.UserSearchConfig{
Base: spec.UserSearch.Base, Base: spec.UserSearch.Base,
Filter: userSearchFilter, Filter: adUpstreamImpl.Spec().UserSearch().Filter(),
UsernameAttribute: usernameAttribute, UsernameAttribute: adUpstreamImpl.Spec().UserSearch().UsernameAttribute(),
UIDAttribute: uidAttribute, UIDAttribute: adUpstreamImpl.Spec().UserSearch().UIDAttribute(),
}, },
GroupSearch: upstreamldap.GroupSearchConfig{ GroupSearch: upstreamldap.GroupSearchConfig{
Base: spec.GroupSearch.Base, Base: spec.GroupSearch.Base,
Filter: groupSearchFilter, Filter: adUpstreamImpl.Spec().GroupSearch().Filter(),
GroupNameAttribute: groupNameAttribute, GroupNameAttribute: adUpstreamImpl.Spec().GroupSearch().GroupNameAttribute(),
}, },
Dialer: c.ldapDialer, Dialer: c.ldapDialer,
} }
conditions := upstreamwatchers.ValidateGenericLDAP(ctx, &activeDirectoryUpstreamGenericLDAPImpl{*upstream}, c.secretInformer, c.validatedSecretVersionsCache, config) conditions := upstreamwatchers.ValidateGenericLDAP(ctx, &adUpstreamImpl, c.secretInformer, c.validatedSecretVersionsCache, config)
c.updateStatus(ctx, upstream, conditions.Conditions()) c.updateStatus(ctx, upstream, conditions.Conditions())

View File

@ -1183,7 +1183,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
}, },
GroupSearch: upstreamldap.GroupSearchConfig{ GroupSearch: upstreamldap.GroupSearchConfig{
Base: testGroupSearchBase, Base: testGroupSearchBase,
Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))",
GroupNameAttribute: "sAMAccountName", GroupNameAttribute: "sAMAccountName",
}, },
}, },

View File

@ -281,7 +281,7 @@ func TestSupervisorLogin(t *testing.T) {
), ),
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute // the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserSAMAccountNameValue), wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserSAMAccountNameValue),
wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsDNs, wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountNames,
}, },
} }
for _, test := range tests { for _, test := range tests {

View File

@ -82,23 +82,24 @@ type TestOIDCUpstream struct {
} }
type TestLDAPUpstream struct { type TestLDAPUpstream struct {
Host string `json:"host"` Host string `json:"host"`
StartTLSOnlyHost string `json:"startTLSOnlyHost"` StartTLSOnlyHost string `json:"startTLSOnlyHost"`
CABundle string `json:"caBundle"` CABundle string `json:"caBundle"`
BindUsername string `json:"bindUsername"` BindUsername string `json:"bindUsername"`
BindPassword string `json:"bindPassword"` BindPassword string `json:"bindPassword"`
UserSearchBase string `json:"userSearchBase"` UserSearchBase string `json:"userSearchBase"`
GroupSearchBase string `json:"groupSearchBase"` GroupSearchBase string `json:"groupSearchBase"`
TestUserDN string `json:"testUserDN"` TestUserDN string `json:"testUserDN"`
TestUserCN string `json:"testUserCN"` TestUserCN string `json:"testUserCN"`
TestUserPassword string `json:"testUserPassword"` TestUserPassword string `json:"testUserPassword"`
TestUserMailAttributeName string `json:"testUserMailAttributeName"` TestUserMailAttributeName string `json:"testUserMailAttributeName"`
TestUserMailAttributeValue string `json:"testUserMailAttributeValue"` TestUserMailAttributeValue string `json:"testUserMailAttributeValue"`
TestUserUniqueIDAttributeName string `json:"testUserUniqueIDAttributeName"` TestUserUniqueIDAttributeName string `json:"testUserUniqueIDAttributeName"`
TestUserUniqueIDAttributeValue string `json:"testUserUniqueIDAttributeValue"` TestUserUniqueIDAttributeValue string `json:"testUserUniqueIDAttributeValue"`
TestUserDirectGroupsCNs []string `json:"testUserDirectGroupsCNs"` TestUserDirectGroupsCNs []string `json:"testUserDirectGroupsCNs"`
TestUserDirectGroupsDNs []string `json:"testUserDirectGroupsDNs"` //nolint:golint // this is "distinguished names", not "DNS" TestUserDirectGroupsDNs []string `json:"testUserDirectGroupsDNs"` //nolint:golint // this is "distinguished names", not "DNS"
TestUserSAMAccountNameValue string `json:"testUserSAMAccountNameValue"` TestUserSAMAccountNameValue string `json:"testUserSAMAccountNameValue"`
TestUserIndirectGroupsSAMAccountNames []string `json:"TestUserIndirectGroupsSAMAccountNames"`
} }
// ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy. // ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.
@ -270,22 +271,24 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
} }
result.SupervisorUpstreamActiveDirectory = TestLDAPUpstream{ result.SupervisorUpstreamActiveDirectory = TestLDAPUpstream{
Host: wantEnv("PINNIPED_TEST_AD_HOST", ""), Host: wantEnv("PINNIPED_TEST_AD_HOST", ""),
CABundle: base64Decoded(t, os.Getenv("PINNIPED_TEST_AD_LDAPS_CA_BUNDLE")), CABundle: base64Decoded(t, os.Getenv("PINNIPED_TEST_AD_LDAPS_CA_BUNDLE")),
BindUsername: wantEnv("PINNIPED_TEST_AD_BIND_ACCOUNT_USERNAME", ""), BindUsername: wantEnv("PINNIPED_TEST_AD_BIND_ACCOUNT_USERNAME", ""),
BindPassword: wantEnv("PINNIPED_TEST_AD_BIND_ACCOUNT_PASSWORD", ""), BindPassword: wantEnv("PINNIPED_TEST_AD_BIND_ACCOUNT_PASSWORD", ""),
TestUserPassword: wantEnv("PINNIPED_TEST_AD_USER_PASSWORD", ""), TestUserPassword: wantEnv("PINNIPED_TEST_AD_USER_PASSWORD", ""),
TestUserUniqueIDAttributeName: wantEnv("PINNIPED_TEST_AD_USER_UNIQUE_ID_ATTRIBUTE_NAME", ""), TestUserUniqueIDAttributeName: wantEnv("PINNIPED_TEST_AD_USER_UNIQUE_ID_ATTRIBUTE_NAME", ""),
TestUserUniqueIDAttributeValue: wantEnv("PINNIPED_TEST_AD_USER_UNIQUE_ID_ATTRIBUTE_VALUE", ""), TestUserUniqueIDAttributeValue: wantEnv("PINNIPED_TEST_AD_USER_UNIQUE_ID_ATTRIBUTE_VALUE", ""),
TestUserSAMAccountNameValue: wantEnv("PINNIPED_TEST_AD_USERNAME_ATTRIBUTE_VALUE", ""), TestUserSAMAccountNameValue: wantEnv("PINNIPED_TEST_AD_USERNAME_ATTRIBUTE_VALUE", ""),
TestUserDirectGroupsDNs: filterEmpty(strings.Split(wantEnv("PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_DN", ""), ";")), TestUserDirectGroupsDNs: filterEmpty(strings.Split(wantEnv("PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_DN", ""), ";")),
TestUserDirectGroupsCNs: filterEmpty(strings.Split(wantEnv("PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_CN", ""), ";")), TestUserDirectGroupsCNs: filterEmpty(strings.Split(wantEnv("PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_CN", ""), ";")),
TestUserIndirectGroupsSAMAccountNames: filterEmpty(strings.Split(wantEnv("PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_SAMACCOUNTNAME", ""), ";")),
} }
sort.Strings(result.SupervisorUpstreamLDAP.TestUserDirectGroupsCNs) sort.Strings(result.SupervisorUpstreamLDAP.TestUserDirectGroupsCNs)
sort.Strings(result.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs) sort.Strings(result.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs)
sort.Strings(result.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsCNs) sort.Strings(result.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsCNs)
sort.Strings(result.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsDNs) sort.Strings(result.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsDNs)
sort.Strings(result.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountNames)
} }
func (e *TestEnv) HasCapability(cap Capability) bool { func (e *TestEnv) HasCapability(cap Capability) bool {