open-vault/builtin/credential/ldap/backend_test.go
swayne275 4632a26a09
Use %q for quoted strings where appropriate (#15216)
* change '%s' to %q where single vs double quotes shouldn't matter

* replace double quotes with %q in logs and errors
2022-08-03 12:32:45 -06:00

1265 lines
37 KiB
Go

package ldap
import (
"context"
"fmt"
"reflect"
"sort"
"testing"
"time"
goldap "github.com/go-ldap/ldap/v3"
"github.com/go-test/deep"
hclog "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-secure-stdlib/strutil"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/helper/testhelpers/ldap"
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
"github.com/hashicorp/vault/sdk/helper/ldaputil"
"github.com/hashicorp/vault/sdk/helper/policyutil"
"github.com/hashicorp/vault/sdk/helper/tokenutil"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mitchellh/mapstructure"
)
func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b := Backend()
if b == nil {
t.Fatalf("failed to create backend")
}
err := b.Backend.Setup(context.Background(), config)
if err != nil {
t.Fatal(err)
}
return b, config.StorageView
}
func TestLdapAuthBackend_Listing(t *testing.T) {
b, storage := createBackendWithStorage(t)
// Create group "testgroup"
resp, err := b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "groups/testgroup",
Operation: logical.UpdateOperation,
Storage: storage,
Data: map[string]interface{}{
"policies": []string{"default"},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Create group "nested/testgroup"
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "groups/nested/testgroup",
Operation: logical.UpdateOperation,
Storage: storage,
Data: map[string]interface{}{
"policies": []string{"default"},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Create user "testuser"
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "users/testuser",
Operation: logical.UpdateOperation,
Storage: storage,
Data: map[string]interface{}{
"policies": []string{"default"},
"groups": "testgroup,nested/testgroup",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Create user "nested/testuser"
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "users/nested/testuser",
Operation: logical.UpdateOperation,
Storage: storage,
Data: map[string]interface{}{
"policies": []string{"default"},
"groups": "testgroup,nested/testgroup",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// List users
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "users/",
Operation: logical.ListOperation,
Storage: storage,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
expected := []string{"testuser", "nested/testuser"}
if !reflect.DeepEqual(expected, resp.Data["keys"].([]string)) {
t.Fatalf("bad: listed users; expected: %#v actual: %#v", expected, resp.Data["keys"].([]string))
}
// List groups
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "groups/",
Operation: logical.ListOperation,
Storage: storage,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
expected = []string{"testgroup", "nested/testgroup"}
if !reflect.DeepEqual(expected, resp.Data["keys"].([]string)) {
t.Fatalf("bad: listed groups; expected: %#v actual: %#v", expected, resp.Data["keys"].([]string))
}
}
func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
var resp *logical.Response
var err error
b, storage := createBackendWithStorage(t)
ctx := context.Background()
testVals := func(caseSensitive bool) {
// Clear storage
userList, err := storage.List(ctx, "user/")
if err != nil {
t.Fatal(err)
}
for _, user := range userList {
err = storage.Delete(ctx, "user/"+user)
if err != nil {
t.Fatal(err)
}
}
groupList, err := storage.List(ctx, "group/")
if err != nil {
t.Fatal(err)
}
for _, group := range groupList {
err = storage.Delete(ctx, "group/"+group)
if err != nil {
t.Fatal(err)
}
}
configReq := &logical.Request{
Path: "config",
Operation: logical.ReadOperation,
Storage: storage,
}
resp, err = b.HandleRequest(ctx, configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
if resp == nil {
t.Fatal("nil response")
}
if resp.Data["case_sensitive_names"].(bool) != caseSensitive {
t.Fatalf("expected case sensitivity %t, got %t", caseSensitive, resp.Data["case_sensitive_names"].(bool))
}
groupReq := &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": "grouppolicy",
},
Path: "groups/EngineerS",
Storage: storage,
}
resp, err = b.HandleRequest(ctx, groupReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
keys, err := storage.List(ctx, "group/")
if err != nil {
t.Fatal(err)
}
switch caseSensitive {
case true:
if keys[0] != "EngineerS" {
t.Fatalf("bad: %s", keys[0])
}
default:
if keys[0] != "engineers" {
t.Fatalf("bad: %s", keys[0])
}
}
userReq := &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"groups": "EngineerS",
"policies": "userpolicy",
},
Path: "users/hermeS conRad",
Storage: storage,
}
resp, err = b.HandleRequest(ctx, userReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
keys, err = storage.List(ctx, "user/")
if err != nil {
t.Fatal(err)
}
switch caseSensitive {
case true:
if keys[0] != "hermeS conRad" {
t.Fatalf("bad: %s", keys[0])
}
default:
if keys[0] != "hermes conrad" {
t.Fatalf("bad: %s", keys[0])
}
}
if caseSensitive {
// The online test server is actually case sensitive so we need to
// write again so it works
userReq = &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"groups": "EngineerS",
"policies": "userpolicy",
},
Path: "users/Hermes Conrad",
Storage: storage,
Connection: &logical.Connection{},
}
resp, err = b.HandleRequest(ctx, userReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
}
loginReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "login/Hermes Conrad",
Data: map[string]interface{}{
"password": "hermes",
},
Storage: storage,
Connection: &logical.Connection{},
}
resp, err = b.HandleRequest(ctx, loginReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
expected := []string{"grouppolicy", "userpolicy"}
if !reflect.DeepEqual(expected, resp.Auth.Policies) {
t.Fatalf("bad: policies: expected: %q, actual: %q", expected, resp.Auth.Policies)
}
}
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
},
Storage: storage,
}
resp, err = b.HandleRequest(ctx, configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
testVals(false)
// Check that if the value is nil, on read it is case sensitive
configEntry, err := b.Config(ctx, configReq)
if err != nil {
t.Fatal(err)
}
configEntry.CaseSensitiveNames = nil
entry, err := logical.StorageEntryJSON("config", configEntry)
if err != nil {
t.Fatal(err)
}
err = configReq.Storage.Put(ctx, entry)
if err != nil {
t.Fatal(err)
}
testVals(true)
}
func TestLdapAuthBackend_UserPolicies(t *testing.T) {
var resp *logical.Response
var err error
b, storage := createBackendWithStorage(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpassword": cfg.BindPassword,
},
Storage: storage,
}
resp, err = b.HandleRequest(context.Background(), configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
groupReq := &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": "grouppolicy",
},
Path: "groups/engineers",
Storage: storage,
Connection: &logical.Connection{},
}
resp, err = b.HandleRequest(context.Background(), groupReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
userReq := &logical.Request{
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"groups": "engineers",
"policies": "userpolicy",
},
Path: "users/hermes conrad",
Storage: storage,
Connection: &logical.Connection{},
}
resp, err = b.HandleRequest(context.Background(), userReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
loginReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "login/hermes conrad",
Data: map[string]interface{}{
"password": "hermes",
},
Storage: storage,
Connection: &logical.Connection{},
}
resp, err = b.HandleRequest(context.Background(), loginReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
expected := []string{"grouppolicy", "userpolicy"}
if !reflect.DeepEqual(expected, resp.Auth.Policies) {
t.Fatalf("bad: policies: expected: %q, actual: %q", expected, resp.Auth.Policies)
}
}
/*
* Acceptance test for LDAP Auth Method
*
* The tests here rely on a docker LDAP server:
* [https://github.com/rroemhild/docker-test-openldap]
*
* ...as well as existence of a person object, `cn=Hermes Conrad,dc=example,dc=com`,
* which is a member of a group, `cn=admin_staff,ou=people,dc=example,dc=com`
*
* Querying the server from the command line:
* $ docker run --privileged -d -p 389:389 --name ldap --rm rroemhild/test-openldap
* $ ldapsearch -x -H ldap://localhost -b dc=planetexpress,dc=com -s sub uid=hermes
* $ ldapsearch -x -H ldap://localhost -b dc=planetexpress,dc=com -s sub \
'member=cn=Hermes Conrad,ou=people,dc=planetexpress,dc=com'
*/
func factory(t *testing.T) logical.Backend {
defaultLeaseTTLVal := time.Hour * 24
maxLeaseTTLVal := time.Hour * 24 * 32
b, err := Factory(context.Background(), &logical.BackendConfig{
Logger: hclog.New(&hclog.LoggerOptions{
Name: "FactoryLogger",
Level: hclog.Debug,
}),
System: &logical.StaticSystemView{
DefaultLeaseTTLVal: defaultLeaseTTLVal,
MaxLeaseTTLVal: maxLeaseTTLVal,
},
})
if err != nil {
t.Fatalf("Unable to create backend: %s", err)
}
return b
}
func TestBackend_basic(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Map Admin_staff group (from LDAP server) with foo policy
testAccStepGroup(t, "admin_staff", "foo"),
// Map engineers group (local) with bar policy
testAccStepGroup(t, "engineers", "bar"),
// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes conrad", "engineers"),
// Authenticate
testAccStepLogin(t, "hermes conrad", "hermes"),
// Verify both groups mappings can be listed back
testAccStepGroupList(t, []string{"engineers", "admin_staff"}),
// Verify user mapping can be listed back
testAccStepUserList(t, []string{"hermes conrad"}),
},
})
}
func TestBackend_basic_noPolicies(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Create LDAP user
testAccStepUser(t, "hermes conrad", ""),
// Authenticate
testAccStepLoginNoAttachedPolicies(t, "hermes conrad", "hermes"),
testAccStepUserList(t, []string{"hermes conrad"}),
},
})
}
func TestBackend_basic_group_noPolicies(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Create engineers group with no policies
testAccStepGroup(t, "engineers", ""),
// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes conrad", "engineers"),
// Authenticate
testAccStepLoginNoAttachedPolicies(t, "hermes conrad", "hermes"),
// Verify group mapping can be listed back
testAccStepGroupList(t, []string{"engineers"}),
},
})
}
func TestBackend_basic_authbind(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWithAuthBind(t, cfg),
testAccStepGroup(t, "admin_staff", "foo"),
testAccStepGroup(t, "engineers", "bar"),
testAccStepUser(t, "hermes conrad", "engineers"),
testAccStepLogin(t, "hermes conrad", "hermes"),
},
})
}
func TestBackend_basic_authbind_userfilter(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
// userattr not used in the userfilter should result in a warning in the response
cfg.UserFilter = "((mail={{.Username}}))"
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWarningCheck(t, cfg, logical.UpdateOperation, []string{userFilterWarning}),
testAccStepConfigUrlWarningCheck(t, cfg, logical.ReadOperation, []string{userFilterWarning}),
},
})
// If both upndomain and userfilter is set, ensure that a warning is still
// returned if userattr is not considered
cfg.UPNDomain = "planetexpress.com"
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWarningCheck(t, cfg, logical.UpdateOperation, []string{userFilterWarning}),
testAccStepConfigUrlWarningCheck(t, cfg, logical.ReadOperation, []string{userFilterWarning}),
},
})
cfg.UPNDomain = ""
// Add a liberal user filter, allowing to log in with either cn or email
cfg.UserFilter = "(|({{.UserAttr}}={{.Username}})(mail={{.Username}}))"
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Create engineers group with no policies
testAccStepGroup(t, "engineers", ""),
// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes conrad", "engineers"),
// Authenticate with cn attribute
testAccStepLoginNoAttachedPolicies(t, "hermes conrad", "hermes"),
// Authenticate with mail attribute
testAccStepLoginNoAttachedPolicies(t, "hermes@planetexpress.com", "hermes"),
},
})
// A filter giving the same DN makes the entity_id the same
entity_id := ""
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Create engineers group with no policies
testAccStepGroup(t, "engineers", ""),
// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes conrad", "engineers"),
// Authenticate with cn attribute
testAccStepLoginReturnsSameEntity(t, "hermes conrad", "hermes", &entity_id),
// Authenticate with mail attribute
testAccStepLoginReturnsSameEntity(t, "hermes@planetexpress.com", "hermes", &entity_id),
},
})
// Missing entity alias attribute means access denied
cfg.UserAttr = "inexistent"
cfg.UserFilter = "(|({{.UserAttr}}={{.Username}})(mail={{.Username}}))"
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Authenticate with mail attribute will find DN but missing attribute means access denied
testAccStepLoginFailure(t, "hermes@planetexpress.com", "hermes"),
},
})
cfg.UserAttr = "cn"
// UPNDomain has precedence over userfilter, for backward compatibility
cfg.UPNDomain = "planetexpress.com"
addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWithAuthBind(t, cfg),
testAccStepLoginNoAttachedPolicies(t, "professor", "professor"),
},
})
cfg.UPNDomain = ""
// Add a strict user filter, rejecting login of bureaucrats
cfg.UserFilter = "(&({{.UserAttr}}={{.Username}})(!(employeeType=Bureaucrat)))"
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Authenticate with cn attribute
testAccStepLoginFailure(t, "hermes conrad", "hermes"),
},
})
// Login fails when multiple user match search filter (using an incorrect filter on purporse)
cfg.UserFilter = "(objectClass=*)"
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
// testAccStepConfigUrl(t, cfg),
testAccStepConfigUrlWithAuthBind(t, cfg),
// Authenticate with cn attribute
testAccStepLoginFailure(t, "hermes conrad", "hermes"),
},
})
// If UserAttr returns multiple attributes that can be used as alias then
// we return an error...
cfg.UserAttr = "employeeType"
cfg.UserFilter = "(cn={{.Username}})"
cfg.UsernameAsAlias = false
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
testAccStepLoginFailure(t, "hermes conrad", "hermes"),
},
})
// ...unless username_as_alias has been set in which case we don't care
// about the alias returned by the LDAP server and always use the username
cfg.UsernameAsAlias = true
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
testAccStepLoginNoAttachedPolicies(t, "hermes conrad", "hermes"),
},
})
}
func TestBackend_basic_authbind_metadata_name(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
cfg.UserAttr = "cn"
cfg.UPNDomain = "planetexpress.com"
addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWithAuthBind(t, cfg),
testAccStepLoginAliasMetadataName(t, "professor", "professor"),
},
})
}
func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, testUserDN string, testUserUPN string) {
// Setup connection
client := &ldaputil.Client{
Logger: hclog.New(&hclog.LoggerOptions{
Name: "LDAPAuthTest",
Level: hclog.Debug,
}),
LDAP: ldaputil.NewLDAP(),
}
conn, err := client.DialLDAP(cfg)
if err != nil {
t.Fatal(err)
}
defer conn.Close()
if err := conn.Bind("cn=admin,cn=config", cfg.BindPassword); err != nil {
t.Fatal(err)
}
// Add userPrincipalName attribute type
userPrincipleNameTypeReq := goldap.NewModifyRequest("cn={0}core,cn=schema,cn=config", nil)
userPrincipleNameTypeReq.Add("olcAttributetypes", []string{"( 2.25.247072656268950430024439664556757516066 NAME ( 'userPrincipalName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE )"})
if err := conn.Modify(userPrincipleNameTypeReq); err != nil {
t.Fatal(err)
}
// Add new object class
userPrincipleNameObjClassReq := goldap.NewModifyRequest("cn={0}core,cn=schema,cn=config", nil)
userPrincipleNameObjClassReq.Add("olcObjectClasses", []string{"( 1.2.840.113556.6.2.6 NAME 'PrincipalNameClass' AUXILIARY MAY ( userPrincipalName ) )"})
if err := conn.Modify(userPrincipleNameObjClassReq); err != nil {
t.Fatal(err)
}
// Re-authenticate with the binddn user
if err := conn.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
t.Fatal(err)
}
// Modify professor user and add userPrincipalName attribute
modifyUserReq := goldap.NewModifyRequest(testUserDN, nil)
modifyUserReq.Add("objectClass", []string{"PrincipalNameClass"})
modifyUserReq.Add("userPrincipalName", []string{testUserUPN})
if err := conn.Modify(modifyUserReq); err != nil {
t.Fatal(err)
}
}
func TestBackend_basic_discover(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlWithDiscover(t, cfg),
testAccStepGroup(t, "admin_staff", "foo"),
testAccStepGroup(t, "engineers", "bar"),
testAccStepUser(t, "hermes conrad", "engineers"),
testAccStepLogin(t, "hermes conrad", "hermes"),
},
})
}
func TestBackend_basic_nogroupdn(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrlNoGroupDN(t, cfg),
testAccStepGroup(t, "admin_staff", "foo"),
testAccStepGroup(t, "engineers", "bar"),
testAccStepUser(t, "hermes conrad", "engineers"),
testAccStepLoginNoGroupDN(t, "hermes conrad", "hermes"),
},
})
}
func TestBackend_groupCrud(t *testing.T) {
b := factory(t)
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepGroup(t, "g1", "foo"),
testAccStepReadGroup(t, "g1", "foo"),
testAccStepDeleteGroup(t, "g1"),
testAccStepReadGroup(t, "g1", ""),
},
})
}
/*
* Test backend configuration defaults are successfully read.
*/
func TestBackend_configDefaultsAfterUpdate(t *testing.T) {
b := factory(t)
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{},
},
{
Operation: logical.ReadOperation,
Path: "config",
Check: func(resp *logical.Response) error {
if resp == nil {
return fmt.Errorf("bad: %#v", resp)
}
// Test well-known defaults
cfg := resp.Data
defaultGroupFilter := "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
if cfg["groupfilter"] != defaultGroupFilter {
t.Errorf("Default mismatch: groupfilter. Expected: %q, received :%q", defaultGroupFilter, cfg["groupfilter"])
}
defaultGroupAttr := "cn"
if cfg["groupattr"] != defaultGroupAttr {
t.Errorf("Default mismatch: groupattr. Expected: %q, received :%q", defaultGroupAttr, cfg["groupattr"])
}
defaultUserAttr := "cn"
if cfg["userattr"] != defaultUserAttr {
t.Errorf("Default mismatch: userattr. Expected: %q, received :%q", defaultUserAttr, cfg["userattr"])
}
defaultUserFilter := "({{.UserAttr}}={{.Username}})"
if cfg["userfilter"] != defaultUserFilter {
t.Errorf("Default mismatch: userfilter. Expected: %q, received :%q", defaultUserFilter, cfg["userfilter"])
}
defaultDenyNullBind := true
if cfg["deny_null_bind"] != defaultDenyNullBind {
t.Errorf("Default mismatch: deny_null_bind. Expected: '%t', received :%q", defaultDenyNullBind, cfg["deny_null_bind"])
}
return nil
},
},
},
})
}
func testAccStepConfigUrl(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"userfilter": cfg.UserFilter,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"case_sensitive_names": true,
"token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout,
"username_as_alias": cfg.UsernameAsAlias,
},
}
}
func testAccStepConfigUrlWithAuthBind(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
// In this test we also exercise multiple URL support
"url": "foobar://ldap.example.com," + cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"upndomain": cfg.UPNDomain,
"case_sensitive_names": true,
"token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout,
},
}
}
func testAccStepConfigUrlWithDiscover(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"discoverdn": true,
"case_sensitive_names": true,
"token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout,
},
}
}
func testAccStepConfigUrlNoGroupDN(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"discoverdn": true,
"case_sensitive_names": true,
"request_timeout": cfg.RequestTimeout,
},
}
}
func testAccStepConfigUrlWarningCheck(t *testing.T, cfg *ldaputil.ConfigEntry, operation logical.Operation, warnings []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: operation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"userfilter": cfg.UserFilter,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"case_sensitive_names": true,
"token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout,
},
Check: func(response *logical.Response) error {
if len(response.Warnings) == 0 {
return fmt.Errorf("expected warnings, got none")
}
if !strutil.StrListSubset(response.Warnings, warnings) {
return fmt.Errorf("expected response to contain the following warnings:\n%s\ngot:\n%s", warnings, response.Warnings)
}
return nil
},
}
}
func testAccStepGroup(t *testing.T, group string, policies string) logicaltest.TestStep {
t.Logf("[testAccStepGroup] - Registering group %s, policy %s", group, policies)
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "groups/" + group,
Data: map[string]interface{}{
"policies": policies,
},
}
}
func testAccStepReadGroup(t *testing.T, group string, policies string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "groups/" + group,
Check: func(resp *logical.Response) error {
if resp == nil {
if policies == "" {
return nil
}
return fmt.Errorf("bad: %#v", resp)
}
var d struct {
Policies []string `mapstructure:"policies"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
return err
}
if !reflect.DeepEqual(d.Policies, policyutil.ParsePolicies(policies)) {
return fmt.Errorf("bad: %#v", resp)
}
return nil
},
}
}
func testAccStepDeleteGroup(t *testing.T, group string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.DeleteOperation,
Path: "groups/" + group,
}
}
func TestBackend_userCrud(t *testing.T) {
b := Backend()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepUser(t, "g1", "bar"),
testAccStepReadUser(t, "g1", "bar"),
testAccStepDeleteUser(t, "g1"),
testAccStepReadUser(t, "g1", ""),
},
})
}
func testAccStepUser(t *testing.T, user string, groups string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "users/" + user,
Data: map[string]interface{}{
"groups": groups,
},
}
}
func testAccStepReadUser(t *testing.T, user string, groups string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "users/" + user,
Check: func(resp *logical.Response) error {
if resp == nil {
if groups == "" {
return nil
}
return fmt.Errorf("bad: %#v", resp)
}
var d struct {
Groups string `mapstructure:"groups"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
return err
}
if d.Groups != groups {
return fmt.Errorf("bad: %#v", resp)
}
return nil
},
}
}
func testAccStepDeleteUser(t *testing.T, user string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.DeleteOperation,
Path: "users/" + user,
}
}
func testAccStepLogin(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
// Verifies user hermes conrad maps to groups via local group (engineers) as well as remote group (Scientists)
Check: logicaltest.TestCheckAuth([]string{"abc", "bar", "default", "foo", "xyz"}),
}
}
func testAccStepLoginReturnsSameEntity(t *testing.T, user string, pass string, entity_id *string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
// Verifies user hermes conrad maps to groups via local group (engineers) as well as remote group (Scientists)
Check: logicaltest.TestCheckAuthEntityId(entity_id),
}
}
func testAccStepLoginNoAttachedPolicies(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
// Verifies user hermes conrad maps to groups via local group (engineers) as well as remote group (Scientists)
Check: logicaltest.TestCheckAuth([]string{"abc", "default", "xyz"}),
}
}
func testAccStepLoginAliasMetadataName(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
Check: logicaltest.TestCheckAuthEntityAliasMetadataName("name", user),
}
}
func testAccStepLoginFailure(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
ErrorOk: true,
}
}
func testAccStepLoginNoGroupDN(t *testing.T, user string, pass string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/" + user,
Data: map[string]interface{}{
"password": pass,
},
Unauthenticated: true,
// Verifies a search without defined GroupDN returns a warning rather than failing
Check: func(resp *logical.Response) error {
if len(resp.Warnings) != 1 {
return fmt.Errorf("expected a warning due to no group dn, got: %#v", resp.Warnings)
}
return logicaltest.TestCheckAuth([]string{"bar", "default"})(resp)
},
}
}
func testAccStepGroupList(t *testing.T, groups []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ListOperation,
Path: "groups",
Check: func(resp *logical.Response) error {
if resp.IsError() {
return fmt.Errorf("got error response: %#v", *resp)
}
expected := make([]string, len(groups))
copy(expected, groups)
sort.Strings(expected)
sortedResponse := make([]string, len(resp.Data["keys"].([]string)))
copy(sortedResponse, resp.Data["keys"].([]string))
sort.Strings(sortedResponse)
if !reflect.DeepEqual(expected, sortedResponse) {
return fmt.Errorf("expected:\n%#v\ngot:\n%#v\n", expected, sortedResponse)
}
return nil
},
}
}
func testAccStepUserList(t *testing.T, users []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ListOperation,
Path: "users",
Check: func(resp *logical.Response) error {
if resp.IsError() {
return fmt.Errorf("got error response: %#v", *resp)
}
expected := make([]string, len(users))
copy(expected, users)
sort.Strings(expected)
sortedResponse := make([]string, len(resp.Data["keys"].([]string)))
copy(sortedResponse, resp.Data["keys"].([]string))
sort.Strings(sortedResponse)
if !reflect.DeepEqual(expected, sortedResponse) {
return fmt.Errorf("expected:\n%#v\ngot:\n%#v\n", expected, sortedResponse)
}
return nil
},
}
}
func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
var resp *logical.Response
var err error
b, storage := createBackendWithStorage(t)
ctx := context.Background()
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
defer cleanup()
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"userfilter": cfg.UserFilter,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"token_period": "5m",
"token_explicit_max_ttl": "24h",
"request_timeout": cfg.RequestTimeout,
},
Storage: storage,
Connection: &logical.Connection{},
}
resp, err = b.HandleRequest(ctx, configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
fd, err := b.getConfigFieldData()
if err != nil {
t.Fatal(err)
}
defParams, err := ldaputil.NewConfigEntry(nil, fd)
if err != nil {
t.Fatal(err)
}
falseBool := new(bool)
*falseBool = false
exp := &ldapConfigEntry{
TokenParams: tokenutil.TokenParams{
TokenPeriod: 5 * time.Minute,
TokenExplicitMaxTTL: 24 * time.Hour,
},
ConfigEntry: &ldaputil.ConfigEntry{
Url: cfg.Url,
UserAttr: cfg.UserAttr,
UserFilter: cfg.UserFilter,
UserDN: cfg.UserDN,
GroupDN: cfg.GroupDN,
GroupAttr: cfg.GroupAttr,
BindDN: cfg.BindDN,
BindPassword: cfg.BindPassword,
GroupFilter: defParams.GroupFilter,
DenyNullBind: defParams.DenyNullBind,
TLSMinVersion: defParams.TLSMinVersion,
TLSMaxVersion: defParams.TLSMaxVersion,
CaseSensitiveNames: falseBool,
UsePre111GroupCNBehavior: new(bool),
RequestTimeout: cfg.RequestTimeout,
UsernameAsAlias: false,
},
}
configEntry, err := b.Config(ctx, configReq)
if err != nil {
t.Fatal(err)
}
if diff := deep.Equal(exp, configEntry); diff != nil {
t.Fatal(diff)
}
// Store just the config entry portion, for upgrade testing
entry, err := logical.StorageEntryJSON("config", configEntry.ConfigEntry)
if err != nil {
t.Fatal(err)
}
err = configReq.Storage.Put(ctx, entry)
if err != nil {
t.Fatal(err)
}
configEntry, err = b.Config(ctx, configReq)
if err != nil {
t.Fatal(err)
}
// We won't have token params anymore so nil those out
exp.TokenParams = tokenutil.TokenParams{}
if diff := deep.Equal(exp, configEntry); diff != nil {
t.Fatal(diff)
}
}