ContainerImage.Pinniped/test/integration/ldap_client_test.go

627 lines
21 KiB
Go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration
import (
"context"
"fmt"
"io"
"io/ioutil"
"net"
"os"
"os/exec"
"path"
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/upstreamldap"
"go.pinniped.dev/test/library"
)
func TestLDAPSearch(t *testing.T) {
// Unlike most other integration tests, you can run this test with no special setup, as long
// as you have Docker. It does not depend on Kubernetes.
library.SkipUnlessIntegration(t)
ctx, cancelFunc := context.WithCancel(context.Background())
t.Cleanup(func() {
cancelFunc() // this will send SIGKILL to the docker process, just in case
})
port := localhostPort(t)
caBundle := dockerRunLDAPServer(ctx, t, port)
provider := func(editFunc func(p *upstreamldap.Provider)) *upstreamldap.Provider {
provider := &upstreamldap.Provider{
Name: "test-ldap-provider",
Host: "127.0.0.1:" + port,
CABundle: caBundle,
BindUsername: "cn=admin,dc=pinniped,dc=dev",
BindPassword: "password",
UserSearch: &upstreamldap.UserSearch{
Base: "ou=users,dc=pinniped,dc=dev",
Filter: "", // defaults to UsernameAttribute={}, i.e. "cn={}" in this case
UsernameAttribute: "cn",
UIDAttribute: "uidNumber",
},
}
if editFunc != nil {
editFunc(provider)
}
return provider
}
pinnyPassword := "password123" // from the LDIF file below
wallyPassword := "password456" // from the LDIF file below
tests := []struct {
name string
username string
password string
provider *upstreamldap.Provider
wantError string
wantAuthResponse *authenticator.Response
wantUnauthenticated bool
}{
{
name: "happy path",
username: "pinny",
password: pinnyPassword,
provider: provider(nil),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "1000", Groups: []string{}},
},
},
{
name: "happy path as a different user",
username: "wally",
password: wallyPassword,
provider: provider(nil),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "wally", UID: "1001", Groups: []string{}},
},
},
{
name: "using a different user search base",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.Base = "dc=pinniped,dc=dev" }),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "1000", Groups: []string{}},
},
},
{
name: "when the user search filter is already wrapped by parenthesis",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.Filter = "(cn={})" }),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "1000", Groups: []string{}},
},
},
{
name: "when the UsernameAttribute is dn and a user search filter is provided",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.UsernameAttribute = "dn"
p.UserSearch.Filter = "cn={}"
}),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "cn=pinny,ou=users,dc=pinniped,dc=dev", UID: "1000", Groups: []string{}},
},
},
{
name: "when the user search filter allows for different ways of logging in and the first one is used",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.Filter = "(|(cn={})(mail={}))"
}),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "1000", Groups: []string{}},
},
},
{
name: "when the user search filter allows for different ways of logging in and the second one is used",
username: "pinny.ldap@example.com",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.Filter = "(|(cn={})(mail={}))"
}),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "1000", Groups: []string{}},
},
},
{
name: "when the UIDAttribute is dn",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UIDAttribute = "dn" }),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "cn=pinny,ou=users,dc=pinniped,dc=dev", Groups: []string{}},
},
},
{
name: "when the UIDAttribute is sn",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UIDAttribute = "sn" }),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "pinny", UID: "Seal", Groups: []string{}},
},
},
{
name: "when the UsernameAttribute is sn",
username: "seAl", // note that this is not case-sensitive! sn=Seal. The server decides which fields are compared case-sensitive.
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UsernameAttribute = "sn" }),
wantAuthResponse: &authenticator.Response{
User: &user.DefaultInfo{Name: "Seal", UID: "1000", Groups: []string{}}, // note that the final answer has case preserved from the entry
},
},
{
name: "when the UsernameAttribute is dn and there is no user search filter provided",
username: "cn=pinny,ou=users,dc=pinniped,dc=dev",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.UsernameAttribute = "dn"
p.UserSearch.Filter = ""
}),
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
},
{
name: "when the bind user username is not a valid DN",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.BindUsername = "invalid-dn" }),
wantError: `error binding as "invalid-dn" before user search: LDAP Result Code 34 "Invalid DN Syntax": invalid DN`,
},
{
name: "when the bind user username is wrong",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.BindUsername = "cn=wrong,dc=pinniped,dc=dev" }),
wantError: `error binding as "cn=wrong,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `,
},
{
name: "when the bind user password is wrong",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.BindPassword = "wrong-password" }),
wantError: `error binding as "cn=admin,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `,
},
{
name: "when the end user password is wrong",
username: "pinny",
password: "wrong-pinny-password",
provider: provider(nil),
wantUnauthenticated: true,
},
{
name: "when the end user password has the wrong case (passwords are compared as case-sensitive)",
username: "pinny",
password: strings.ToUpper(pinnyPassword),
provider: provider(nil),
wantUnauthenticated: true,
},
{
name: "when the end user username is wrong",
username: "wrong-username",
password: pinnyPassword,
provider: provider(nil),
wantUnauthenticated: true,
},
{
name: "when the user search filter does not compile",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.Filter = "*" }),
wantError: `error searching for user "pinny": LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter`,
},
{
name: "when there are too many search results for the user",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.Filter = "objectClass=*" // overly broad search filter
}),
wantError: `error searching for user "pinny": LDAP Result Code 4 "Size Limit Exceeded": `,
},
{
name: "when the server is unreachable",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.Host = "127.0.0.1:27534" }), // hopefully this port is not in use on the host running tests
wantError: `error dialing host "127.0.0.1:27534": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:27534: connect: connection refused`,
},
{
name: "when the server is not parsable",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.Host = "too:many:ports" }),
wantError: `error dialing host "too:many:ports": LDAP Result Code 200 "Network Error": address too:many:ports: too many colons in address`,
},
{
name: "when the CA bundle is not parsable",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.CABundle = []byte("invalid-pem") }),
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": could not parse CA bundle`, port),
},
{
name: "when the CA bundle does not cause the host to be trusted",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.CABundle = nil }),
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority`, port),
},
{
name: "when the UsernameAttribute attribute has multiple values in the entry",
username: "wally.ldap@example.com",
password: wallyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UsernameAttribute = "mail" }),
wantError: `found 2 values for attribute "mail" while searching for user "wally.ldap@example.com", but expected 1 result`,
},
{
name: "when the UIDAttribute attribute has multiple values in the entry",
username: "wally",
password: wallyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UIDAttribute = "mail" }),
wantError: `found 2 values for attribute "mail" while searching for user "wally", but expected 1 result`,
},
{
name: "when the UsernameAttribute attribute is not found in the entry",
username: "wally",
password: wallyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.Filter = "cn={}"
p.UserSearch.UsernameAttribute = "attr-does-not-exist"
}),
wantError: `found 0 values for attribute "attr-does-not-exist" while searching for user "wally", but expected 1 result`,
},
{
name: "when the UIDAttribute attribute is not found in the entry",
username: "wally",
password: wallyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UIDAttribute = "attr-does-not-exist" }),
wantError: `found 0 values for attribute "attr-does-not-exist" while searching for user "wally", but expected 1 result`,
},
{
name: "when the UsernameAttribute has the wrong case",
username: "Seal",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UsernameAttribute = "SN" }), // this is case-sensitive
wantError: `found 0 values for attribute "SN" while searching for user "Seal", but expected 1 result`,
},
{
name: "when the UIDAttribute has the wrong case",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.UIDAttribute = "SN" }), // this is case-sensitive
wantError: `found 0 values for attribute "SN" while searching for user "pinny", but expected 1 result`,
},
{
name: "when the UsernameAttribute is DN and has the wrong case",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.UsernameAttribute = "DN" // dn must be lower-case
p.UserSearch.Filter = "cn={}"
}),
wantError: `found 0 values for attribute "DN" while searching for user "pinny", but expected 1 result`,
},
{
name: "when the UIDAttribute is DN and has the wrong case",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) {
p.UserSearch.UIDAttribute = "DN" // dn must be lower-case
}),
wantError: `found 0 values for attribute "DN" while searching for user "pinny", but expected 1 result`,
},
{
name: "when the search base is invalid",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.Base = "invalid-base" }),
wantError: `error searching for user "pinny": LDAP Result Code 34 "Invalid DN Syntax": invalid DN`,
},
{
name: "when the search base does not exist",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.Base = "ou=does-not-exist,dc=pinniped,dc=dev" }),
wantError: `error searching for user "pinny": LDAP Result Code 32 "No Such Object": `,
},
{
name: "when the search base causes no search results",
username: "pinny",
password: pinnyPassword,
provider: provider(func(p *upstreamldap.Provider) { p.UserSearch.Base = "ou=groups,dc=pinniped,dc=dev" }),
wantUnauthenticated: true,
},
{
name: "when there is no username specified",
username: "",
password: pinnyPassword,
provider: provider(nil),
wantUnauthenticated: true,
},
{
name: "when there is no password specified",
username: "pinny",
password: "",
provider: provider(nil),
wantError: `error binding for user "pinny" using provided password against DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 206 "Empty password not allowed by the client": ldap: empty password not allowed by the client`,
},
{
name: "when the user has no password in their entry",
username: "olive",
password: "anything",
provider: provider(nil),
wantUnauthenticated: true,
},
}
for _, test := range tests {
tt := test
t.Run(tt.name, func(t *testing.T) {
authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password)
switch {
case tt.wantError != "":
require.EqualError(t, err, tt.wantError)
require.False(t, authenticated)
require.Nil(t, authResponse)
case tt.wantUnauthenticated:
require.NoError(t, err)
require.False(t, authenticated)
require.Nil(t, authResponse)
default:
require.NoError(t, err)
require.True(t, authenticated)
require.Equal(t, tt.wantAuthResponse, authResponse)
}
})
}
}
func localhostPort(t *testing.T) string {
t.Helper()
unusedPortGrabbingListener, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
recentlyClaimedHostAndPort := unusedPortGrabbingListener.Addr().String()
require.NoError(t, unusedPortGrabbingListener.Close())
splitHostAndPort := strings.Split(recentlyClaimedHostAndPort, ":")
require.Len(t, splitHostAndPort, 2)
return splitHostAndPort[1]
}
func dockerRunLDAPServer(ctx context.Context, t *testing.T, hostPort string) []byte {
t.Helper()
_, err := exec.LookPath("docker")
require.NoError(t, err)
ca, err := certauthority.New("Test LDAP CA", time.Hour*24)
require.NoError(t, err)
certPEM, keyPEM, err := ca.IssueServerCertPEM(nil, []net.IP{net.ParseIP("127.0.0.1")}, time.Hour*24)
require.NoError(t, err)
tempDir, err := ioutil.TempDir("", "pinniped-test-*")
require.NoError(t, err)
t.Cleanup(func() {
err := os.Remove(tempDir)
require.NoError(t, err)
})
writeToNewTempFile(t, tempDir, "cert.pem", certPEM)
writeToNewTempFile(t, tempDir, "key.pem", keyPEM)
writeToNewTempFile(t, tempDir, "ca.pem", ca.Bundle())
writeToNewTempFile(t, tempDir, "test.ldif", []byte(testLDIF))
dockerArgs := []string{
"run",
"-e", "BITNAMI_DEBUG=true",
"-e", "LDAP_ADMIN_USERNAME=admin",
"-e", "LDAP_ADMIN_PASSWORD=password",
"-e", "LDAP_ENABLE_TLS=yes",
"-e", "LDAP_TLS_CERT_FILE=/inputs/cert.pem",
"-e", "LDAP_TLS_KEY_FILE=/inputs/key.pem",
"-e", "LDAP_TLS_CA_FILE=/inputs/ca.pem",
"-e", "LDAP_CUSTOM_LDIF_DIR=/inputs",
"-e", "LDAP_ROOT=dc=pinniped,dc=dev",
"-v", tempDir + ":/inputs",
"-p", hostPort + ":1636",
"-m", "64m",
"--rm", // automatically delete the container when finished
"docker.io/bitnami/openldap",
}
t.Log("Starting:", "docker", strings.Join(dockerArgs, " "))
cmd := exec.CommandContext(ctx, "docker", dockerArgs...)
var stdoutBuf, stderrBuf syncBuffer
cmd.Stdout = &stdoutBuf
cmd.Stderr = &stderrBuf
cmd.Stdout = io.MultiWriter(os.Stdout, &stdoutBuf)
cmd.Stderr = io.MultiWriter(os.Stderr, &stderrBuf)
err = cmd.Start()
require.NoError(t, err)
t.Cleanup(func() {
// docker requires an interrupt signal to end the container.
// This t.Cleanup is registered after the one that cancels the context, so this one will happen first.
err := cmd.Process.Signal(os.Interrupt)
require.NoError(t, err)
time.Sleep(time.Second) // give a moment before we move on, because we'll send SIGKILL in a later t.Cleanup
})
earlyTerminationCh := make(chan bool, 1)
go func() {
err = cmd.Wait()
earlyTerminationCh <- true
}()
terminatedEarly := false
require.Eventually(t, func() bool {
t.Log("Waiting for slapd to start...")
// This substring is contained in the last line of output before the server starts.
if strings.Contains(stderrBuf.String(), " slapd starting\n") {
return true
}
select {
case <-earlyTerminationCh:
terminatedEarly = true
return true
default: // ignore when this non-blocking read found no message
}
return false
}, 2*time.Minute, time.Second)
require.Falsef(t, terminatedEarly, "docker command ended sooner than expected")
t.Log("Detected LDAP server has started successfully")
return ca.Bundle()
}
func writeToNewTempFile(t *testing.T, dir string, filename string, contents []byte) {
t.Helper()
filePath := path.Join(dir, filename)
err := ioutil.WriteFile(filePath, contents, 0600)
require.NoError(t, err)
t.Cleanup(func() {
err := os.Remove(filePath)
require.NoError(t, err)
})
}
var testLDIF = `
# ** CAUTION: Blank lines separate entries in the LDIF format! Do not remove them! ***
# Here's a good explanation of LDIF:
# https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
# pinniped.dev (organization, root)
dn: dc=pinniped,dc=dev
objectClass: dcObject
objectClass: organization
dc: pinniped
o: example
# users, pinniped.dev (organization unit)
dn: ou=users,dc=pinniped,dc=dev
objectClass: organizationalUnit
ou: users
# groups, pinniped.dev (organization unit)
dn: ou=groups,dc=pinniped,dc=dev
objectClass: organizationalUnit
ou: groups
# beach-groups, groups, pinniped.dev (organization unit)
dn: ou=beach-groups,ou=groups,dc=pinniped,dc=dev
objectClass: organizationalUnit
ou: beach-groups
# pinny, users, pinniped.dev (user)
dn: cn=pinny,ou=users,dc=pinniped,dc=dev
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: pinny
sn: Seal
givenName: Pinny
mail: pinny.ldap@example.com
userPassword: password123
uid: pinny
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/pinny
loginShell: /bin/bash
gecos: pinny-the-seal
# wally, users, pinniped.dev
dn: cn=wally,ou=users,dc=pinniped,dc=dev
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: wally
sn: Walrus
givenName: Wally
mail: wally.ldap@example.com
mail: wally.alternate@example.com
userPassword: password456
uid: wally
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/wally
loginShell: /bin/bash
gecos: wally-the-walrus
# olive, users, pinniped.dev (user without password)
dn: cn=olive,ou=users,dc=pinniped,dc=dev
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: olive
sn: Boston Terrier
givenName: Olive
mail: olive.ldap@example.com
uid: olive
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/olive
loginShell: /bin/bash
gecos: olive-the-dog
# ball-game-players, beach-groups, groups, pinniped.dev (group of users)
dn: cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev
cn: ball-game-players
objectClass: groupOfNames
member: cn=pinny,ou=users,dc=pinniped,dc=dev
member: cn=olive,ou=users,dc=pinniped,dc=dev
# seals, groups, pinniped.dev (group of users)
dn: cn=seals,ou=groups,dc=pinniped,dc=dev
cn: seals
objectClass: groupOfNames
member: cn=pinny,ou=users,dc=pinniped,dc=dev
# walruses, groups, pinniped.dev (group of users)
dn: cn=walruses,ou=groups,dc=pinniped,dc=dev
cn: walruses
objectClass: groupOfNames
member: cn=wally,ou=users,dc=pinniped,dc=dev
# pinnipeds, users, pinniped.dev (group of groups)
dn: cn=pinnipeds,ou=groups,dc=pinniped,dc=dev
cn: pinnipeds
objectClass: groupOfNames
member: cn=seals,ou=groups,dc=pinniped,dc=dev
member: cn=walruses,ou=groups,dc=pinniped,dc=dev
# mammals, groups, pinniped.dev (group of both groups and users)
dn: cn=mammals,ou=groups,dc=pinniped,dc=dev
cn: mammals
objectClass: groupOfNames
member: cn=pinninpeds,ou=groups,dc=pinniped,dc=dev
member: cn=olive,ou=users,dc=pinniped,dc=dev
`