open-vault/builtin/credential/ldap/backend_test.go

541 lines
14 KiB
Go
Raw Normal View History

2015-05-07 17:54:33 +00:00
package ldap
import (
"fmt"
"reflect"
"sort"
2015-05-07 17:54:33 +00:00
"testing"
"time"
2015-05-07 17:54:33 +00:00
"github.com/hashicorp/vault/logical"
logicaltest "github.com/hashicorp/vault/logical/testing"
"github.com/mitchellh/mapstructure"
)
func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b := Backend()
if b == nil {
t.Fatalf("failed to create backend")
}
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
err := b.Backend.Setup(config)
if err != nil {
t.Fatal(err)
}
return b, config.StorageView
}
func TestLdapAuthBackend_UserPolicies(t *testing.T) {
var resp *logical.Response
var err error
b, storage := createBackendWithStorage(t)
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
// Online LDAP test server
// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
"binddn": "cn=read-only-admin,dc=example,dc=com",
},
Storage: storage,
}
resp, err = b.HandleRequest(configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
groupReq := &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": "grouppolicy",
},
Path: "groups/engineers",
Storage: storage,
}
resp, err = b.HandleRequest(groupReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
userReq := &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"groups": "engineers",
"policies": "userpolicy",
},
Path: "users/tesla",
Storage: storage,
}
resp, err = b.HandleRequest(userReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
loginReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "login/tesla",
Data: map[string]interface{}{
"password": "password",
},
Storage: storage,
}
resp, err = b.HandleRequest(loginReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
expected := []string{"default", "grouppolicy", "userpolicy"}
if !reflect.DeepEqual(expected, resp.Auth.Policies) {
t.Fatalf("bad: policies: expected: %q, actual: %q", expected, resp.Auth.Policies)
}
}
/*
* Acceptance test for LDAP Auth Backend
*
* The tests here rely on a public LDAP server:
* [http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/]
*
* ...as well as existence of a person object, `uid=tesla,dc=example,dc=com`,
* which is a member of a group, `ou=scientists,dc=example,dc=com`
*
* Querying the server from the command line:
* $ ldapsearch -x -H ldap://ldap.forumsys.com -b dc=example,dc=com -s sub \
* '(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=tesla,dc=example,dc=com))'
*
* $ ldapsearch -x -H ldap://ldap.forumsys.com -b dc=example,dc=com -s sub uid=tesla
*/
func factory(t *testing.T) logical.Backend {
defaultLeaseTTLVal := time.Hour * 24
maxLeaseTTLVal := time.Hour * 24 * 32
b, err := Factory(&logical.BackendConfig{
Logger: nil,
System: &logical.StaticSystemView{
DefaultLeaseTTLVal: defaultLeaseTTLVal,
MaxLeaseTTLVal: maxLeaseTTLVal,
},
})
if err != nil {
t.Fatalf("Unable to create backend: %s", err)
}
return b
}
2015-05-07 17:54:33 +00:00
func TestBackend_basic(t *testing.T) {
b := factory(t)
2015-05-07 17:54:33 +00:00
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
2015-05-07 17:54:33 +00:00
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t),
// Map Scientists group (from LDAP server) with foo policy
testAccStepGroup(t, "Scientists", "foo"),
// Map engineers group (local) with bar policy
testAccStepGroup(t, "engineers", "bar"),
// Map tesla user with local engineers group
testAccStepUser(t, "tesla", "engineers"),
// Authenticate
2015-05-07 17:54:33 +00:00
testAccStepLogin(t, "tesla", "password"),
// Verify both groups mappings can be listed back
testAccStepGroupList(t, []string{"engineers", "Scientists"}),
// Verify user mapping can be listed back
testAccStepUserList(t, []string{"tesla"}),
2015-05-07 17:54:33 +00:00
},
})
}
func TestBackend_basic_authbind(t *testing.T) {
b := factory(t)
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWithAuthBind(t),
testAccStepGroup(t, "Scientists", "foo"),
testAccStepGroup(t, "engineers", "bar"),
testAccStepUser(t, "tesla", "engineers"),
testAccStepLogin(t, "tesla", "password"),
},
})
}
func TestBackend_basic_discover(t *testing.T) {
b := factory(t)
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWithDiscover(t),
testAccStepGroup(t, "Scientists", "foo"),
testAccStepGroup(t, "engineers", "bar"),
testAccStepUser(t, "tesla", "engineers"),
testAccStepLogin(t, "tesla", "password"),
},
})
}
func TestBackend_basic_nogroupdn(t *testing.T) {
b := factory(t)
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlNoGroupDN(t),
testAccStepGroup(t, "Scientists", "foo"),
testAccStepGroup(t, "engineers", "bar"),
testAccStepUser(t, "tesla", "engineers"),
testAccStepLoginNoGroupDN(t, "tesla", "password"),
},
})
}
2015-05-07 17:54:33 +00:00
func TestBackend_groupCrud(t *testing.T) {
b := factory(t)
2015-05-07 17:54:33 +00:00
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
2015-05-07 17:54:33 +00:00
Steps: []logicaltest.TestStep{
testAccStepGroup(t, "g1", "foo"),
testAccStepReadGroup(t, "g1", "default,foo"),
2015-05-07 17:54:33 +00:00
testAccStepDeleteGroup(t, "g1"),
testAccStepReadGroup(t, "g1", ""),
},
})
}
/*
* Test backend configuration defaults are successfully read.
*/
func TestBackend_configDefaultsAfterUpdate(t *testing.T) {
b := factory(t)
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
Steps: []logicaltest.TestStep{
logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{},
},
logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "config",
Check: func(resp *logical.Response) error {
if resp == nil {
return fmt.Errorf("bad: %#v", resp)
}
// Test well-known defaults
cfg := resp.Data
defaultGroupFilter := "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
if cfg["groupfilter"] != defaultGroupFilter {
t.Errorf("Default mismatch: groupfilter. Expected: '%s', received :'%s'", defaultGroupFilter, cfg["groupfilter"])
}
defaultGroupAttr := "cn"
if cfg["groupattr"] != defaultGroupAttr {
t.Errorf("Default mismatch: groupattr. Expected: '%s', received :'%s'", defaultGroupAttr, cfg["groupattr"])
}
defaultUserAttr := "cn"
if cfg["userattr"] != defaultUserAttr {
t.Errorf("Default mismatch: userattr. Expected: '%s', received :'%s'", defaultUserAttr, cfg["userattr"])
}
defaultDenyNullBind := true
if cfg["deny_null_bind"] != defaultDenyNullBind {
t.Errorf("Default mismatch: deny_null_bind. Expected: '%s', received :'%s'", defaultDenyNullBind, cfg["deny_null_bind"])
}
return nil
},
},
},
})
}
2015-05-07 17:54:33 +00:00
func testAccStepConfigUrl(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
2015-05-07 17:54:33 +00:00
Path: "config",
Data: map[string]interface{}{
// Online LDAP test server
// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
2015-05-07 17:54:33 +00:00
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
},
}
}
func testAccStepConfigUrlWithAuthBind(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
// Online LDAP test server
// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
// In this test we also exercise multiple URL support
"url": "foobar://ldap.example.com,ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
"binddn": "cn=read-only-admin,dc=example,dc=com",
"bindpass": "password",
},
}
}
func testAccStepConfigUrlWithDiscover(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
// Online LDAP test server
// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
"discoverdn": true,
},
}
}
func testAccStepConfigUrlNoGroupDN(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
// Online LDAP test server
// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"discoverdn": true,
},
}
}
2015-05-07 17:54:33 +00:00
func testAccStepGroup(t *testing.T, group string, policies string) logicaltest.TestStep {
t.Logf("[testAccStepGroup] - Registering group %s, policy %s", group, policies)
2015-05-07 17:54:33 +00:00
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
2015-05-07 17:54:33 +00:00
Path: "groups/" + group,
Data: map[string]interface{}{
"policies": policies,
},
}
}
func testAccStepReadGroup(t *testing.T, group string, policies string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "groups/" + group,
Check: func(resp *logical.Response) error {
if resp == nil {
if policies == "" {
return nil
}
return fmt.Errorf("bad: %#v", resp)
}
var d struct {
Policies string `mapstructure:"policies"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
return err
}
if d.Policies != policies {
return fmt.Errorf("bad: %#v", resp)
}
return nil
},
}
}
func testAccStepDeleteGroup(t *testing.T, group string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.DeleteOperation,
Path: "groups/" + group,
}
}
func TestBackend_userCrud(t *testing.T) {
b := Backend()
logicaltest.Test(t, logicaltest.TestCase{
Backend: b,
Steps: []logicaltest.TestStep{
testAccStepUser(t, "g1", "bar"),
testAccStepReadUser(t, "g1", "bar"),
testAccStepDeleteUser(t, "g1"),
testAccStepReadUser(t, "g1", ""),
},
})
}
func testAccStepUser(t *testing.T, user string, groups string) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
Path: "users/" + user,
Data: map[string]interface{}{
"groups": groups,
},
}
}
func testAccStepReadUser(t *testing.T, user string, groups string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "users/" + user,
Check: func(resp *logical.Response) error {
if resp == nil {
if groups == "" {
return nil
}
return fmt.Errorf("bad: %#v", resp)
}
var d struct {
Groups string `mapstructure:"groups"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
return err
}
if d.Groups != groups {
return fmt.Errorf("bad: %#v", resp)
}
return nil
},
}
}
func testAccStepDeleteUser(t *testing.T, user string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.DeleteOperation,
Path: "users/" + user,
}
}
2015-05-07 17:54:33 +00:00
func testAccStepLogin(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
Path: "login/" + user,
2015-05-07 17:54:33 +00:00
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
// Verifies user tesla maps to groups via local group (engineers) as well as remote group (Scientiests)
Check: logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
2015-05-07 17:54:33 +00:00
}
}
2015-06-29 21:50:55 +00:00
func testAccStepLoginNoGroupDN(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
// Verifies a search without defined GroupDN returns a warnting rather than failing
Check: func(resp *logical.Response) error {
if len(resp.Warnings) != 1 {
return fmt.Errorf("expected a warning due to no group dn, got: %#v", resp.Warnings)
}
return logicaltest.TestCheckAuth([]string{"bar", "default"})(resp)
},
}
}
2015-06-29 21:50:55 +00:00
func TestLDAPEscape(t *testing.T) {
testcases := map[string]string{
"#test": "\\#test",
"test,hello": "test\\,hello",
"test,hel+lo": "test\\,hel\\+lo",
"test\\hello": "test\\\\hello",
" test ": "\\ test \\ ",
}
for test, answer := range testcases {
res := EscapeLDAPValue(test)
if res != answer {
t.Errorf("Failed to escape %s: %s != %s\n", test, res, answer)
}
}
2015-06-29 21:50:55 +00:00
}
func testAccStepGroupList(t *testing.T, groups []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ListOperation,
Path: "groups",
Check: func(resp *logical.Response) error {
if resp.IsError() {
return fmt.Errorf("Got error response: %#v", *resp)
}
expected := make([]string, len(groups))
copy(expected, groups)
sort.Strings(expected)
sortedResponse := make([]string, len(resp.Data["keys"].([]string)))
copy(sortedResponse, resp.Data["keys"].([]string))
sort.Strings(sortedResponse)
if !reflect.DeepEqual(expected, sortedResponse) {
return fmt.Errorf("expected:\n%#v\ngot:\n%#v\n", expected, sortedResponse)
}
return nil
},
}
}
func testAccStepUserList(t *testing.T, users []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ListOperation,
Path: "users",
Check: func(resp *logical.Response) error {
if resp.IsError() {
return fmt.Errorf("Got error response: %#v", *resp)
}
expected := make([]string, len(users))
copy(expected, users)
sort.Strings(expected)
sortedResponse := make([]string, len(resp.Data["keys"].([]string)))
copy(sortedResponse, resp.Data["keys"].([]string))
sort.Strings(sortedResponse)
if !reflect.DeepEqual(expected, sortedResponse) {
return fmt.Errorf("expected:\n%#v\ngot:\n%#v\n", expected, sortedResponse)
}
return nil
},
}
}