More refactoring of auth handler and related refactor of upstreamldap

- continued refactoring the auth handler to share more code between the two supported browserless flows: OIDC and LDAP/AD - the upstreamldap package should not know about the concept of OIDC granted scopes, so refactored it to be a skipGroups bool
2026-01-05 13:07:14 +00:00 · 2024-02-14 11:56:26 -08:00
parent 9992855cb8
commit 9db87132b1
11 changed files with 164 additions and 139 deletions
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package integration
@@ -73,7 +73,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 		name                string
 		username            string
 		password            string
-		grantedScopes       []string
+		skipGroups          bool
 		provider            *upstreamldap.Provider
 		wantError           testutil.RequireErrorStringFunc
 		wantAuthResponse    *authenticators.Response
@@ -116,11 +116,11 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 			},
 		},
 		{
-			name:          "groups scope not in granted scopes",
-			username:      "pinny",
-			password:      pinnyPassword,
-			grantedScopes: []string{},
-			provider:      upstreamldap.New(*providerConfig(nil)),
+			name:       "skip groups",
+			username:   "pinny",
+			password:   pinnyPassword,
+			skipGroups: true,
+			provider:   upstreamldap.New(*providerConfig(nil)),
 			wantAuthResponse: &authenticators.Response{
 				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: nil},
 				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
@@ -741,10 +741,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 	for _, test := range tests {
 		tt := test
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.grantedScopes == nil {
-				tt.grantedScopes = []string{"groups"}
-			}
-			authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password, tt.grantedScopes)
+			authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password, tt.skipGroups)

 			switch {
 			case tt.wantError != nil:
@@ -802,7 +799,7 @@ func TestSimultaneousLDAPRequestsOnSingleProvider(t *testing.T) {
 			authUserCtx, authUserCtxCancelFunc := context.WithTimeout(context.Background(), 2*time.Minute)
 			defer authUserCtxCancelFunc()

-			authResponse, authenticated, err := provider.AuthenticateUser(authUserCtx, env.SupervisorUpstreamLDAP.TestUserCN, env.SupervisorUpstreamLDAP.TestUserPassword, []string{"groups"})
+			authResponse, authenticated, err := provider.AuthenticateUser(authUserCtx, env.SupervisorUpstreamLDAP.TestUserCN, env.SupervisorUpstreamLDAP.TestUserPassword, false)
 			resultCh <- authUserResult{
 				response:      authResponse,
 				authenticated: authenticated,