From 974dbf60829c7dcf49a027728dd01c4769a1bd2c Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 20 Jan 2022 12:30:26 -0500
Subject: [PATCH] auth/ldap: Add username to alias.metadata.name (#13669)

* Fix upndomain bug causing alias name to change
* Fix nil map
* Add changelog
* revert
* Update changelog
* Add test for alias metadata name
* Fix code comment
---
 builtin/credential/ldap/backend_test.go | 50 ++++++++++++++++---------
 builtin/credential/ldap/path_login.go | 3 ++
 changelog/13669.txt | 3 ++
 helper/testhelpers/logical/testing.go | 34 ++++++++++++++---
 4 files changed, 68 insertions(+), 22 deletions(-)
 create mode 100644 changelog/13669.txt

diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
index c59e8ceed..1522e7d12 100644
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -597,6 +597,26 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {
 }
+func TestBackend_basic_authbind_metadata_name(t *testing.T) {
+
+ b := factory(t)
+ cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+ defer cleanup()
+
+ cfg.UserAttr = "cn"
+ cfg.UPNDomain = "planetexpress.com"
+
+ addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
+
+ logicaltest.Test(t, logicaltest.TestCase{
+ CredentialBackend: b,
+ Steps: []logicaltest.TestStep{
+ testAccStepConfigUrlWithAuthBind(t, cfg),
+ testAccStepLoginAliasMetadataName(t, "professor", "professor"),
+ },
+ })
+}
+
 func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, testUserDN string, testUserUPN string) {
 // Setup connection
 client := &ldaputil.Client{
@@ -644,23 +664,6 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,
 }
-func TestBackend_basic_authbind_upndomain(t *testing.T) {
- b := factory(t)
- cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
- defer cleanup()
- cfg.UPNDomain = "planetexpress.com"
-
- addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
-
- logicaltest.Test(t, logicaltest.TestCase{
- CredentialBackend: b,
- Steps: []logicaltest.TestStep{
- testAccStepConfigUrlWithAuthBind(t, cfg),
- testAccStepLoginNoAttachedPolicies(t, "professor", "professor"),
- },
- })
-}
-
 func TestBackend_basic_discover(t *testing.T) {
 b := factory(t)
 cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
@@ -990,6 +993,19 @@ func testAccStepLoginNoAttachedPolicies(t *testing.T, user string, pass string)
 }
 }
+func testAccStepLoginAliasMetadataName(t *testing.T, user string, pass string) logicaltest.TestStep {
+ return logicaltest.TestStep{
+ Operation: logical.UpdateOperation,
+ Path: "login/" + user,
+ Data: map[string]interface{}{
+ "password": pass,
+ },
+ Unauthenticated: true,
+
+ Check: logicaltest.TestCheckAuthEntityAliasMetadataName("name", user),
+ }
+}
+
 func testAccStepLoginFailure(t *testing.T, user string, pass string) logicaltest.TestStep {
 return logicaltest.TestStep{
 Operation: logical.UpdateOperation,
diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
index 57cbc8185..eea2006e7 100644
--- a/builtin/credential/ldap/path_login.go
+++ b/builtin/credential/ldap/path_login.go
@@ -97,6 +97,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 DisplayName: username,
 Alias: &logical.Alias{
 Name: effectiveUsername,
+ Metadata: map[string]string{
+ "name": username,
+ },
 },
 }
diff --git a/changelog/13669.txt b/changelog/13669.txt
new file mode 100644
index 000000000..01d4fe46a
--- /dev/null
+++ b/changelog/13669.txt
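Review bot: The `"name"` metadata entry stores `username` while the alias itself is keyed by `effectiveUsername`, and nothing in the hunk documents why the two differ or which one is the caller-supplied login-path string versus the LDAP-resolved form (pathLogin starts and ends outside the hunk, so their derivation is not visible here). Alias metadata is persisted on the entity alias and returned in the auth response, and is presumably consumable from identity policy templates; if `username` is the unnormalized path input, a user who binds successfully with a case- or format-variant spelling writes that spelling into metadata that policies may then trust, while the alias `Name` keeps whatever normalization the "upndomain" fix in the commit message preserves. Add a comment stating the contract, e.g. `// "name" is the login-path username (not the UPN-qualified alias Name); normalize it the same way as effectiveUsername before policy templates depend on it.` It is also worth confirming that this map replaces, rather than merges with, any metadata already stored on the alias, so a stale value cannot outlive a rename.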
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Add username to alias metadata
+```
\ No newline at end of file
diff --git a/helper/testhelpers/logical/testing.go b/helper/testhelpers/logical/testing.go
index 7037d1592..ffc801b78 100644
--- a/helper/testhelpers/logical/testing.go
+++ b/helper/testhelpers/logical/testing.go
@@ -457,17 +457,41 @@ func TestCheckAuthEntityId(entity_id *string) TestCheckFunc {
 return fmt.Errorf("no auth in response")
 }
- if *entity_id == "" {
- // If we don't know what the entity_id should be, just save it
- *entity_id = resp.Auth.EntityID
- } else if resp.Auth.EntityID != *entity_id {
+ if *entity_id == "" {
+ // If we don't know what the entity_id should be, just save it
+ *entity_id = resp.Auth.EntityID
+ } else if resp.Auth.EntityID != *entity_id {
 return fmt.Errorf("entity_id %s does not match the expected value of %s", resp.Auth.EntityID, *entity_id)
- }
+ }
 return nil
 }
 }
+// TestCheckAuthEntityAliasMetadataName is a helper to check that a request generated an
+// auth token with the expected alias metadata.
+func TestCheckAuthEntityAliasMetadataName(key string, value string) TestCheckFunc {
+ return func(resp *logical.Response) error {
+ if resp == nil || resp.Auth == nil {
+ return fmt.Errorf("no auth in response")
+ }
+
+ if key == "" || value == "" {
+ return fmt.Errorf("alias metadata key and value required")
+ }
+
+ name, ok := resp.Auth.Alias.Metadata[key]
+ if !ok {
+ return fmt.Errorf("metadata key %s does not exist, it should", key)
+ }
+
+ if name != value {
+ return fmt.Errorf("expected map value %s, got %s", value, name)
+ }
+ return nil
+ }
+}
+
 // TestCheckAuthDisplayName is a helper to check that a request generated a
 // valid display name.
 func TestCheckAuthDisplayName(n string) TestCheckFunc {
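Review bot: `resp.Auth.Alias.Metadata[key]` in TestCheckAuthEntityAliasMetadataName dereferences `resp.Auth.Alias` without checking it, and `Alias` is a pointer (path_login.go in this same patch builds it as `&logical.Alias{...}`), so an auth response that carries no alias panics the test binary instead of failing the step with a readable error. Extend the existing guard: `if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil { return fmt.Errorf("no auth alias in response") }` — indexing a nil `Metadata` map is safe in Go, so only the pointer needs the check. Two smaller points: the `key == "" || value == ""` validation is a contract check on the helper's own arguments and reads more naturally before the response inspection, and `%q` rather than `%s` in the two mismatch messages makes empty or whitespace-only values visible in failure output. The re-indentation of TestCheckAuthEntityId above is whitespace-only and fine.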