Add group search tests for UserAttributeForFilter in ldap_client_test.go

2023-05-26 08:38:00 -07:00 · 2023-05-26 08:38:00 -07:00 · e3b7ba3677
commit e3b7ba3677
parent c187474499
2 changed files with 95 additions and 3 deletions
--- a/test/deploy/tools/ldap.yaml
+++ b/test/deploy/tools/ldap.yaml
@ -122,7 +122,7 @@ ldap.ldif: |
  objectClass: posixGroup
  objectClass: top
  cn: ball-game-players-posix
-  gidNumber: 1001
+  gidNumber: 1002
  memberUid: pinny
  memberUid: olive

@ -131,7 +131,7 @@ ldap.ldif: |
  objectClass: posixGroup
  objectClass: top
  cn: seals-posix
-  gidNumber: 1002
+  gidNumber: 1001
  memberUid: pinny

  # walruses group again, but this time defined as a posixGroup
@ -139,7 +139,7 @@ ldap.ldif: |
  objectClass: posixGroup
  objectClass: top
  cn: walruses-posix
-  gidNumber: 1002
+  gidNumber: 1000
  memberUid: wally
 #@ end

--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@ -347,6 +347,98 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 				ExtraRefreshAttributes: map[string]string{},
 			},
 		},
+		{
+			name:     "using a group search with UserAttributeForFilter set to uid",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+				p.GroupSearch.UserAttributeForFilter = "uid"
+			})),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players-posix", "seals-posix"}},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
+		{
+			name:     "using a group search with UserAttributeForFilter set to cn",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+				p.GroupSearch.UserAttributeForFilter = "cn" // this only works because pinny's uid and cn are both "pinny"
+			})),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players-posix", "seals-posix"}},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
+		{
+			name:     "using a group search with UserAttributeForFilter and a creative filter",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.Filter = "&(objectClass=groupOfNames)(member=cn={},ou=users,dc=pinniped,dc=dev)" // not the typical usage, but possible
+				p.GroupSearch.UserAttributeForFilter = "cn"
+			})),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players", "seals"}},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
+		{
+			name:     "using a group search with UserAttributeForFilter set to givenName",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+				p.GroupSearch.UserAttributeForFilter = "givenName" // pinny's givenName is not "pinny" so it should not find any groups, and also should not error on the emoji in the givenName
+			})),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{}},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
+		{
+			name:     "using a group search with UserAttributeForFilter set to gidNumber",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.Filter = "&(objectClass=posixGroup)(gidNumber={})"
+				p.GroupSearch.UserAttributeForFilter = "gidNumber"
+			})),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"walruses-posix"}},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
+		{
+			name:     "using a group search with UserAttributeForFilter set to dn",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.UserAttributeForFilter = "dn" // this should act the same as when it is not set
+			})),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players", "seals"}},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
+		{
+			name:     "using a group search with UserAttributeForFilter set to an attribute that does not exist on the user",
+			username: "pinny",
+			password: pinnyPassword,
+			provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+				p.GroupSearch.UserAttributeForFilter = "foobar"
+			})),
+			wantError: testutil.WantExactErrorString(`found 0 values for attribute "foobar" while searching for user "pinny", but expected 1 result`),
+		},
 		{
 			name:      "when the bind user username is not a valid DN",
 			username:  "pinny",