Don't do ldap group search when group scope not specified

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2026-01-07 14:05:50 +00:00 · 2022-06-22 10:58:08 -07:00
parent 9903c5f79e
commit c70a0b99a8
11 changed files with 88 additions and 60 deletions
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@@ -73,6 +73,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 		name                string
 		username            string
 		password            string
+		grantedScopes       []string
 		provider            *upstreamldap.Provider
 		wantError           string
 		wantAuthResponse    *authenticators.Response
@@ -114,6 +115,18 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 				ExtraRefreshAttributes: map[string]string{},
 			},
 		},
+		{
+			name:          "groups scope not in granted scopes",
+			username:      "pinny",
+			password:      pinnyPassword,
+			grantedScopes: []string{},
+			provider:      upstreamldap.New(*providerConfig(nil)),
+			wantAuthResponse: &authenticators.Response{
+				User:                   &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: nil},
+				DN:                     "cn=pinny,ou=users,dc=pinniped,dc=dev",
+				ExtraRefreshAttributes: map[string]string{},
+			},
+		},
 		{
 			name:     "when the user search filter is already wrapped by parenthesis",
 			username: "pinny",
@@ -636,7 +649,10 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 	for _, test := range tests {
 		tt := test
 		t.Run(tt.name, func(t *testing.T) {
-			authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password)
+			if tt.grantedScopes == nil {
+				tt.grantedScopes = []string{"groups"}
+			}
+			authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password, tt.grantedScopes)

 			switch {
 			case tt.wantError != "":
@@ -694,9 +710,7 @@ func TestSimultaneousLDAPRequestsOnSingleProvider(t *testing.T) {
 			authUserCtx, authUserCtxCancelFunc := context.WithTimeout(context.Background(), 2*time.Minute)
 			defer authUserCtxCancelFunc()

-			authResponse, authenticated, err := provider.AuthenticateUser(authUserCtx,
-				env.SupervisorUpstreamLDAP.TestUserCN, env.SupervisorUpstreamLDAP.TestUserPassword,
-			)
+			authResponse, authenticated, err := provider.AuthenticateUser(authUserCtx, env.SupervisorUpstreamLDAP.TestUserCN, env.SupervisorUpstreamLDAP.TestUserPassword, []string{"groups"})
 			resultCh <- authUserResult{
 				response:      authResponse,
 				authenticated: authenticated,