open-vault/api/auth/ldap/ldap_test.go
2022-02-04 16:54:06 -05:00

156 lines
4.3 KiB
Go

package ldap
import (
"context"
"encoding/json"
"fmt"
"net"
"net/http"
"os"
"strings"
"testing"
"github.com/hashicorp/vault/api"
)
// testHTTPServer creates a test HTTP server that handles requests until
// the listener returned is closed.
func testHTTPServer(
t *testing.T, handler http.Handler) (*api.Config, net.Listener) {
ln, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
t.Fatalf("err: %s", err)
}
server := &http.Server{Handler: handler}
go server.Serve(ln)
config := api.DefaultConfig()
config.Address = fmt.Sprintf("http://%s", ln.Addr())
return config, ln
}
func init() {
os.Setenv("VAULT_TOKEN", "")
}
func TestLogin(t *testing.T) {
passwordEnvVar := "LDAP_PASSWORD"
allowedPassword := "6hrtL!*bro!ywbQbvDwW"
content := []byte(allowedPassword)
tmpfile, err := os.CreateTemp("./", "file-containing-password")
if err != nil {
t.Fatalf("error creating temp file: %v", err)
}
defer os.Remove(tmpfile.Name()) // clean up
err = os.Setenv(passwordEnvVar, allowedPassword)
if err != nil {
t.Fatalf("error writing password to env var: %v", err)
}
if _, err := tmpfile.Write(content); err != nil {
t.Fatalf("error writing to temp file: %v", err)
}
if err := tmpfile.Close(); err != nil {
t.Fatalf("error closing temp file: %v", err)
}
// a response to return if the correct values were passed to login
authSecret := &api.Secret{
Auth: &api.SecretAuth{
ClientToken: "a-client-token",
},
}
authBytes, err := json.Marshal(authSecret)
if err != nil {
t.Fatalf("error marshaling json: %v", err)
}
handler := func(w http.ResponseWriter, req *http.Request) {
payload := make(map[string]interface{})
err := json.NewDecoder(req.Body).Decode(&payload)
if err != nil {
t.Fatalf("error decoding json: %v", err)
}
if payload["password"] == allowedPassword {
w.Write(authBytes)
}
}
config, ln := testHTTPServer(t, http.HandlerFunc(handler))
defer ln.Close()
config.Address = strings.ReplaceAll(config.Address, "127.0.0.1", "localhost")
client, err := api.NewClient(config)
if err != nil {
t.Fatalf("error initializing Vault client: %v", err)
}
// Password fromFile test
authFromFile, err := NewLDAPAuth("my-ldap-username", &Password{FromFile: tmpfile.Name()})
if err != nil {
t.Fatalf("error initializing LDAPAuth with password file: %v", err)
}
loginRespFromFile, err := client.Auth().Login(context.TODO(), authFromFile)
if err != nil {
t.Fatalf("error logging in with password from file: %v", err)
}
if loginRespFromFile.Auth == nil || loginRespFromFile.Auth.ClientToken == "" {
t.Fatalf("no authentication info returned by login")
}
// Password fromEnv Test
authFromEnv, err := NewLDAPAuth("my-ldap-username", &Password{FromEnv: passwordEnvVar})
if err != nil {
t.Fatalf("error initializing LDAPAuth with password env var: %v", err)
}
loginRespFromEnv, err := client.Auth().Login(context.TODO(), authFromEnv)
if err != nil {
t.Fatalf("error logging in with password from env var: %v", err)
}
if loginRespFromEnv.Auth == nil || loginRespFromEnv.Auth.ClientToken == "" {
t.Fatalf("no authentication info returned by login with password from env var")
}
// Password fromStr test
authFromStr, err := NewLDAPAuth("my-ldap-username", &Password{FromString: allowedPassword})
if err != nil {
t.Fatalf("error initializing LDAPAuth with password string: %v", err)
}
loginRespFromStr, err := client.Auth().Login(context.TODO(), authFromStr)
if err != nil {
t.Fatalf("error logging in with string: %v", err)
}
if loginRespFromStr.Auth == nil || loginRespFromStr.Auth.ClientToken == "" {
t.Fatalf("no authentication info returned by login with password from string")
}
// Empty User Test
_, err = NewLDAPAuth("", &Password{FromString: allowedPassword})
if err.Error() != "no user name provided for login" {
t.Fatalf("Auth object created for empty username: %v", err)
}
// Empty Password Test
_, err = NewLDAPAuth("my-ldap-username", nil)
if err.Error() != "no password provided for login" {
t.Fatalf("Auth object created when passing a nil Password struct: %v", err)
}
// Auth with Custom MountPath
ldapMount := WithMountPath("customMount")
_, err = NewLDAPAuth("my-ldap-username", &Password{FromString: allowedPassword}, ldapMount)
if err != nil {
t.Fatalf("error initializing LDAPAuth with custom mountpath: %v", err)
}
}