From e3b7ba3677f96a1a907f17a0345f160b0ceab6f9 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Fri, 26 May 2023 08:38:00 -0700
Subject: [PATCH] Add group search tests for UserAttributeForFilter in ldap_client_test.go
---
test/deploy/tools/ldap.yaml | 6 +-
test/integration/ldap_client_test.go | 92 ++++++++++++++++++++++++++++
2 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/test/deploy/tools/ldap.yaml b/test/deploy/tools/ldap.yaml
index d8a82525d..895765070 100644
--- a/test/deploy/tools/ldap.yaml
+++ b/test/deploy/tools/ldap.yaml
@@ -122,7 +122,7 @@ ldap.ldif: |
 objectClass: posixGroup
 objectClass: top
 cn: ball-game-players-posix
- gidNumber: 1001
+ gidNumber: 1002
 memberUid: pinny
 memberUid: olive
 
@@ -131,7 +131,7 @@ ldap.ldif: |
 objectClass: posixGroup
 objectClass: top
 cn: seals-posix
- gidNumber: 1002
+ gidNumber: 1001
 memberUid: pinny
 
 # walruses group again, but this time defined as a posixGroup
@@ -139,7 +139,7 @@ ldap.ldif: |
 objectClass: posixGroup
 objectClass: top
 cn: walruses-posix
- gidNumber: 1002
+ gidNumber: 1000
 memberUid: wally
 
 #@ end
diff --git a/test/integration/ldap_client_test.go b/test/integration/ldap_client_test.go
index 2312516f6..04eead885 100644
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
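Review bot: The gidNumber reshuffle in the walruses-posix hunk leaves no record of why 1000 was chosen, and the three posixGroup entries now look like an arbitrary renumbering. The new gidNumber case in ldap_client_test.go expects pinny's gidNumber search to return only walruses-posix, so 1000 presumably matches pinny's own gidNumber (not visible in these hunks), and the three gids must stay distinct for that case to mean anything. A fixture comment would stop the next edit from silently breaking it: `# gidNumber 1000 deliberately matches pinny's gidNumber so the UserAttributeForFilter=gidNumber test matches exactly this group`. The enclosing ldap.ldif block starts and ends outside these hunks.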
@@ -347,6 +347,98 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 ExtraRefreshAttributes: map[string]string{},
 },
 },
+ {
+ name: "using a group search with UserAttributeForFilter set to uid",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+ p.GroupSearch.UserAttributeForFilter = "uid"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players-posix", "seals-posix"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to cn",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+ p.GroupSearch.UserAttributeForFilter = "cn" // this only works because pinny's uid and cn are both "pinny"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players-posix", "seals-posix"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter and a creative filter",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=groupOfNames)(member=cn={},ou=users,dc=pinniped,dc=dev)" // not the typical usage, but possible
+ p.GroupSearch.UserAttributeForFilter = "cn"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players", "seals"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to givenName",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(memberUid={})"
+ p.GroupSearch.UserAttributeForFilter = "givenName" // pinny's givenName is not "pinny" so it should not find any groups, and also should not error on the emoji in the givenName
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to gidNumber",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.Filter = "&(objectClass=posixGroup)(gidNumber={})"
+ p.GroupSearch.UserAttributeForFilter = "gidNumber"
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"walruses-posix"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to dn",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.UserAttributeForFilter = "dn" // this should act the same as when it is not set
+ })),
+ wantAuthResponse: &authenticators.Response{
+ User: &user.DefaultInfo{Name: "pinny", UID: b64("1000"), Groups: []string{"ball-game-players", "seals"}},
+ DN: "cn=pinny,ou=users,dc=pinniped,dc=dev",
+ ExtraRefreshAttributes: map[string]string{},
+ },
+ },
+ {
+ name: "using a group search with UserAttributeForFilter set to an attribute that does not exist on the user",
+ username: "pinny",
+ password: pinnyPassword,
+ provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
+ p.GroupSearch.UserAttributeForFilter = "foobar"
+ })),
+ wantError: testutil.WantExactErrorString(`found 0 values for attribute "foobar" while searching for user "pinny", but expected 1 result`),
+ },
 {
 name: "when the bind user username is not a valid DN",
 username: "pinny",
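Review bot: None of the new cases covers an attribute value containing LDAP filter metacharacters, which is the injection surface UserAttributeForFilter opens: the chosen attribute's value is read from the directory and spliced into GroupSearch.Filter at `{}`, so a value like `*)(objectClass=*` in an attribute end users can often edit about themselves (givenName, used in the fourth new case) would widen the group search unless the implementation escapes it per RFC 4515, and whether it does is not visible in this hunk. The givenName case only shows that a non-ASCII value passes through without error, not that `(`, `)`, `*`, `\` and NUL are neutralised. I would add a fixture user whose givenName contains those characters and a case asserting `Groups: []string{}` (or a `wantError` if such values are meant to be rejected), so a regression in the escaping shows up as extra groups rather than going unnoticed. The `dn` case's comment `// this should act the same as when it is not set` is fine as documentation, though the case would be stronger if it also pinned that `Filter` is left untouched. The test table and TestLDAPSearch_Parallel begin before and continue past this hunk.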