diff --git a/test/deploy/tools/ldap.yaml b/test/deploy/tools/ldap.yaml
index d8a82525..89576507 100644
--- a/test/deploy/tools/ldap.yaml
+++ b/test/deploy/tools/ldap.yaml
@@ -122,7 +122,7 @@ ldap.ldif: |
 objectClass: posixGroup
 objectClass: top
 cn: ball-game-players-posix
- gidNumber: 1001
+ gidNumber: 1002
 memberUid: pinny
 memberUid: olive
@@ -131,7 +131,7 @@ ldap.ldif: |
 objectClass: posixGroup
 objectClass: top
 cn: seals-posix
- gidNumber: 1002
+ gidNumber: 1001
 memberUid: pinny
 # walruses group again, but this time defined as a posixGroup
@@ -139,7 +139,7 @@ ldap.ldif: |
 objectClass: posixGroup
 objectClass: top
 cn: walruses-posix
- gidNumber: 1002
+ gidNumber: 1000
 memberUid: wally
 #@ end
diff --git a/test/integration/ldap_client_test.go b/test/integration/ldap_client_test.go
index 2312516f..04eead88 100644
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
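Review bot: The gidNumber reassignment in the three ldap.ldif hunks is undocumented, and the third hunk's value is the one a future fixture edit is most likely to break: walruses-posix now gets gidNumber 1000, which presumably matches pinny's own gidNumber so that a group search filtering on gidNumber returns exactly that group. The first two hunks swap 1001/1002 between ball-game-players-posix and seals-posix; the visible effect is that no two posixGroup entries share a gid any more (seals-posix and walruses-posix both had 1002 before), but the swap itself has no stated reason. Add a comment above the walruses-posix entry, e.g. `# gidNumber 1000 intentionally matches pinny's gidNumber so a group search on gidNumber finds only this group`, and a one-line note that the posix gids must stay distinct.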
@@ -347,6 +347,98 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 ExtraRefreshAttributes: map[string]string{},
 },
 },
+ {
+ name: "using a group search with UserAttributeForFilter set to uid",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+ p.GroupSearch.UserAttributeForFilter = "uid"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players-posix", "seals-posix"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to cn",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+ p.GroupSearch.UserAttributeForFilter = "cn" // this only works because pinny's uid and cn are both "pinny"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players-posix", "seals-posix"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter and a creative filter",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=groupOfNames)(member=cn={},ou=users,dc=pinniped,dc=dev)" // not the typical usage, but possible
+ p.GroupSearch.UserAttributeForFilter = "cn"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players", "seals"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to givenName",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+ p.GroupSearch.UserAttributeForFilter = "givenName" // pinny's givenName is not "pinny" so it should not find any groups, and also should not error on the emoji in the givenName
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to gidNumber",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(gidNumber={})"
+ p.GroupSearch.UserAttributeForFilter = "gidNumber"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"walruses-posix"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to dn",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.UserAttributeForFilter = "dn" // this should act the same as when it is not set
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players", "seals"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to an attribute that does not exist on the user",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.UserAttributeForFilter = "foobar"
+ })),
+ wantError: testutil.WantExactErrorString(`found 0 values for attribute "foobar" while searching for user "pinny", but expected 1 result`),
+ },
 {
 name: "when the bind user username is not a valid DN",
 username: "pinny",
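Review bot: The new table entries never exercise the escaping of the attribute value that replaces `{}` in GroupSearch.Filter, which matters more for UserAttributeForFilter than for the plain username path because the substituted value now comes from whatever the directory holds in that attribute (givenName here), and an attribute that users can edit themselves would otherwise shape the group filter. The givenName case only checks that a value with an emoji does not error; add a case whose fixture user has an attribute value containing LDAP filter metacharacters (for example `*` or a closing parenthesis) and assert that the search returns `Groups: []string{}` rather than matching extra groups, so a regression in escaping is caught here. The expected error string in the last case (`but expected 1 result`) implies multi-valued attributes are rejected too, but there is no entry for an attribute with more than one value; a second wantError case against a multi-valued attribute in the fixture would pin that branch. The body of TestLDAPSearch_Parallel continues outside this hunk.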