Integration test fixes, fixing objectGUID handling

2021-07-12 13:29:37 -07:00 · 2021-07-12 13:29:37 -07:00 · b3d0b28bd0
commit b3d0b28bd0
parent 5c283d941c
5 changed files with 41 additions and 16 deletions
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -381,15 +381,17 @@ if [[ -z "$(gcloud config list account --format "value(core.account)")" ]]; then
  exit 1
 fi

-export PINNIPED_TEST_AD_HOST="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-host' -))"
-export PINNIPED_TEST_AD_BIND_ACCOUNT_USERNAME="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-bind-account-username' -))"
+export PINNIPED_TEST_AD_HOST="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-host' -)"
+export PINNIPED_TEST_AD_BIND_ACCOUNT_USERNAME="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-bind-account-username' -)"
 export PINNIPED_TEST_AD_BIND_ACCOUNT_PASSWORD="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-bind-account-password' -)"
 export PINNIPED_TEST_AD_USER_UNIQUE_ID_ATTRIBUTE_NAME="objectGUID"
 export PINNIPED_TEST_AD_USER_UNIQUE_ID_ATTRIBUTE_VALUE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-user-unique-id-attribute-value' -)"
 export PINNIPED_TEST_AD_USERNAME_ATTRIBUTE_NAME="sAMAccountName"
-export PINNIPED_TEST_AD_USERNAME_ATTRIBUTE_VALUE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-user-sAMAccountName' -))"
+export PINNIPED_TEST_AD_USERNAME_ATTRIBUTE_VALUE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-user-sAMAccountName' -)"
 export PINNIPED_TEST_AD_USER_PASSWORD="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-user-password' -)"
-export PINNIPED_TEST_AD_LDAPS_CA_BUNDLE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-ca-data' -))"
+export PINNIPED_TEST_AD_LDAPS_CA_BUNDLE="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-ca-data' -)"
+export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_DN="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-groups-dn' -)"
+export PINNIPED_TEST_AD_USER_EXPECTED_GROUPS_CN="$(gcloud secrets versions access latest --secret="concourse-secrets" --project tanzu-user-authentication | yq e '.aws-ad-expected-direct-groups-cn' -)"
 fi

 read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/oidc/auth/auth_handler_test.go
@ -477,6 +477,29 @@ func TestAuthorizationEndpoint(t *testing.T) {
 			wantDownstreamPKCEChallenge:       downstreamPKCEChallenge,
 			wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
 		},
+		{
+			name:                              "Active Directory upstream happy path using POST",
+			idpLister:                         oidctestutil.NewUpstreamIDPListerBuilder().WithActiveDirectory(&upstreamLDAPIdentityProvider).Build(),
+			method:                            http.MethodPost,
+			path:                              "/some/path",
+			contentType:                       "application/x-www-form-urlencoded",
+			body:                              encodeQuery(happyGetRequestQueryMap),
+			customUsernameHeader:              pointer.StringPtr(happyLDAPUsername),
+			customPasswordHeader:              pointer.StringPtr(happyLDAPPassword),
+			wantStatus:                        http.StatusFound,
+			wantContentType:                   htmlContentType,
+			wantRedirectLocationRegexp:        happyAuthcodeDownstreamRedirectLocationRegexp,
+			wantBodyStringWithLocationInHref:  false,
+			wantDownstreamIDTokenSubject:      upstreamLDAPURL + "&sub=" + happyLDAPUID,
+			wantDownstreamIDTokenUsername:     happyLDAPUsernameFromAuthenticator,
+			wantDownstreamIDTokenGroups:       happyLDAPGroups,
+			wantDownstreamRequestedScopes:     happyDownstreamScopesRequested,
+			wantDownstreamRedirectURI:         downstreamRedirectURI,
+			wantDownstreamGrantedScopes:       happyDownstreamScopesGranted,
+			wantDownstreamNonce:               downstreamNonce,
+			wantDownstreamPKCEChallenge:       downstreamPKCEChallenge,
+			wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
+		},
 		{
 			name:                                   "OIDC upstream happy path with prompt param login passed through to redirect uri",
 			idpLister:                              oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(&upstreamOIDCIdentityProvider).Build(),
--- a/internal/upstreamad/upstreamad.go
+++ b/internal/upstreamad/upstreamad.go
@ -369,8 +369,6 @@ func (p *Provider) searchAndBindUser(conn upstreamldap.Conn, username string, bi
 		return "", "", nil, err
 	}

-	// We would like to support binary typed attributes for UIDs, so always read them as binary and encode them,
-	// even when the attribute may not be binary.
 	mappedUID, err := p.getSearchResultAttributeRawValueEncoded(p.uidAttribute(), userEntry, username)
 	if err != nil {
 		return "", "", nil, err
@ -523,13 +521,7 @@ func (p *Provider) getSearchResultAttributeRawValueEncoded(attributeName string,
 	}

 	if attributeName == objectGUIDAttributeName {
-		// In AD, objectGUID will be represented as a base64-encoded UUID. Convert it back to UUID encoding.
-		base64decoded, err := base64.StdEncoding.DecodeString(entry.GetAttributeValue(attributeName))
-		if err != nil {
-			// TODO if there is an error, should we throw it or pass it through as base64?
-			return "", fmt.Errorf("Error decoding UID: %s", err.Error())
-		}
-		uuidEntry, err := uuid.FromBytes(base64decoded)
+		uuidEntry, err := uuid.FromBytes(attributeValue)
 		if err != nil {
 			return "", fmt.Errorf("Error decoding UID: %s", err.Error())
 		}
--- a/internal/upstreamad/upstreamad_test.go
+++ b/internal/upstreamad/upstreamad_test.go
@ -46,7 +46,7 @@ const (
 	testGroupSearchResultDNValue1                 = "some-upstream-group-dn1"
 	testGroupSearchResultDNValue2                 = "some-upstream-group-dn2"
 	testUserSearchResultUsernameAttributeValue    = "some-upstream-username-value"
-	testUserSearchResultUIDAttributeValue         = "Ej5FZ+ibEtOkVkJmFBdAAA==" // this is base64 encoded 123e4567-e89b-12d3-a456-426614174000
+	testUserSearchResultUIDAttributeValue         = "\x12>Eg\xe8\x9b\x12\u04e4VBf\x14\x17@\x00" // binary representation of 123e4567-e89b-12d3-a456-426614174000
 	testGroupSearchResultGroupNameAttributeValue1 = "some-upstream-group-name-value1"
 	testGroupSearchResultGroupNameAttributeValue2 = "some-upstream-group-name-value2"

@ -207,6 +207,7 @@ func TestEndUserAuthentication(t *testing.T) {
 				ConnectionProtocol: upstreamldap.TLS,
 				BindUsername:       testBindUsername,
 				BindPassword:       testBindPassword,
+				// no user search... that's all defaulted.
 				GroupSearch: upstreamldap.GroupSearchConfig{
 					Base:               testGroupSearchBase,
 					Filter:             testGroupSearchFilter,
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@ -254,6 +254,12 @@ func TestSupervisorLogin(t *testing.T) {
 					TLS: &idpv1alpha1.TLSSpec{
 						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
 					},
+					UserSearch: idpv1alpha1.ActiveDirectoryIdentityProviderUserSearch{
+						Base: "dc=activedirectory,dc=test,dc=pinniped,dc=dev",
+					},
+					GroupSearch: idpv1alpha1.ActiveDirectoryIdentityProviderGroupSearch{
+						Base: "dc=activedirectory,dc=test,dc=pinniped,dc=dev",
+					},
 					Bind: idpv1alpha1.ActiveDirectoryIdentityProviderBind{
 						SecretName: secret.Name,
 					},
@ -276,11 +282,12 @@ func TestSupervisorLogin(t *testing.T) {
 			// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
 			wantDownstreamIDTokenSubjectToMatch: regexp.QuoteMeta(
 				"ldaps://" + env.SupervisorUpstreamActiveDirectory.Host +
-					"&sub=" + base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue)),
+					"?base=" + url.QueryEscape("dc=activedirectory,dc=test,dc=pinniped,dc=dev") +
+					"&sub=" + env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue,
 			),
 			// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
 			wantDownstreamIDTokenUsernameToMatch: regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUsernameAttributeValue),
-			wantDownstreamIDTokenGroups:          env.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsCNs,
+			wantDownstreamIDTokenGroups:          env.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsDNs,
 		},
 	}
 	for _, test := range tests {