diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go index c59e8ceed..1522e7d12 100644 --- a/builtin/credential/ldap/backend_test.go +++ b/builtin/credential/ldap/backend_test.go @@ -597,6 +597,26 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) { } +func TestBackend_basic_authbind_metadata_name(t *testing.T) { + + b := factory(t) + cleanup, cfg := ldap.PrepareTestContainer(t, "latest") + defer cleanup() + + cfg.UserAttr = "cn" + cfg.UPNDomain = "planetexpress.com" + + addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com") + + logicaltest.Test(t, logicaltest.TestCase{ + CredentialBackend: b, + Steps: []logicaltest.TestStep{ + testAccStepConfigUrlWithAuthBind(t, cfg), + testAccStepLoginAliasMetadataName(t, "professor", "professor"), + }, + }) +} + func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, testUserDN string, testUserUPN string) { // Setup connection client := &ldaputil.Client{ @@ -644,23 +664,6 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, } -func TestBackend_basic_authbind_upndomain(t *testing.T) { - b := factory(t) - cleanup, cfg := ldap.PrepareTestContainer(t, "latest") - defer cleanup() - cfg.UPNDomain = "planetexpress.com" - - addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com") - - logicaltest.Test(t, logicaltest.TestCase{ - CredentialBackend: b, - Steps: []logicaltest.TestStep{ - testAccStepConfigUrlWithAuthBind(t, cfg), - testAccStepLoginNoAttachedPolicies(t, "professor", "professor"), - }, - }) -} - func TestBackend_basic_discover(t *testing.T) { b := factory(t) cleanup, cfg := ldap.PrepareTestContainer(t, "latest") @@ -990,6 +993,19 @@ func testAccStepLoginNoAttachedPolicies(t *testing.T, user string, pass string) } } +func testAccStepLoginAliasMetadataName(t *testing.T, user string, pass string) logicaltest.TestStep { + return logicaltest.TestStep{ + Operation: logical.UpdateOperation, + Path: "login/" + user, + Data: map[string]interface{}{ + "password": pass, + }, + Unauthenticated: true, + + Check: logicaltest.TestCheckAuthEntityAliasMetadataName("name", user), + } +} + func testAccStepLoginFailure(t *testing.T, user string, pass string) logicaltest.TestStep { return logicaltest.TestStep{ Operation: logical.UpdateOperation, diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go index 57cbc8185..eea2006e7 100644 --- a/builtin/credential/ldap/path_login.go +++ b/builtin/credential/ldap/path_login.go @@ -97,6 +97,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew DisplayName: username, Alias: &logical.Alias{ Name: effectiveUsername, + Metadata: map[string]string{ + "name": username, + }, }, } diff --git a/changelog/13669.txt b/changelog/13669.txt new file mode 100644 index 000000000..01d4fe46a --- /dev/null +++ b/changelog/13669.txt @@ -0,0 +1,3 @@ +```release-note:improvement +auth/ldap: Add username to alias metadata +``` \ No newline at end of file diff --git a/helper/testhelpers/logical/testing.go b/helper/testhelpers/logical/testing.go index 7037d1592..ffc801b78 100644 --- a/helper/testhelpers/logical/testing.go +++ b/helper/testhelpers/logical/testing.go @@ -457,17 +457,41 @@ func TestCheckAuthEntityId(entity_id *string) TestCheckFunc { return fmt.Errorf("no auth in response") } - if *entity_id == "" { - // If we don't know what the entity_id should be, just save it - *entity_id = resp.Auth.EntityID - } else if resp.Auth.EntityID != *entity_id { + if *entity_id == "" { + // If we don't know what the entity_id should be, just save it + *entity_id = resp.Auth.EntityID + } else if resp.Auth.EntityID != *entity_id { return fmt.Errorf("entity_id %s does not match the expected value of %s", resp.Auth.EntityID, *entity_id) - } + } return nil } } +// TestCheckAuthEntityAliasMetadataName is a helper to check that a request generated an +// auth token with the expected alias metadata. +func TestCheckAuthEntityAliasMetadataName(key string, value string) TestCheckFunc { + return func(resp *logical.Response) error { + if resp == nil || resp.Auth == nil { + return fmt.Errorf("no auth in response") + } + + if key == "" || value == "" { + return fmt.Errorf("alias metadata key and value required") + } + + name, ok := resp.Auth.Alias.Metadata[key] + if !ok { + return fmt.Errorf("metadata key %s does not exist, it should", key) + } + + if name != value { + return fmt.Errorf("expected map value %s, got %s", value, name) + } + return nil + } +} + // TestCheckAuthDisplayName is a helper to check that a request generated a // valid display name. func TestCheckAuthDisplayName(n string) TestCheckFunc {