| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2021-08-05 14:17:07 +1000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-08-05 14:17:07 +1000 |
| commit | a3b14871baeca9ebfbaded981bebb6f9c36b0311 (patch) | |
| tree | b95ecc9cccb71022c4841f97555054fc6dd404d8 /internal/authentication/ldap_user_provider_test.go | |
| parent | c5c6bda8b066f390b4c0863777dc3eba77fee792 (diff) | |
perf(authentication): improve ldap dynamic replacement performance (#2239)
This change means the filters are checked only at startup for the existence of placeholders that cannot be replaced at that point. We then use the cached results of that lookup for subsequent replacements.
Diffstat (limited to 'internal/authentication/ldap_user_provider_test.go')
| -rw-r--r-- | internal/authentication/ldap_user_provider_test.go | 60 |
1 files changed, 36 insertions, 24 deletions
diff --git a/internal/authentication/ldap_user_provider_test.go b/internal/authentication/ldap_user_provider_test.go index 9415bb72c..93d2829d0 100644 --- a/internal/authentication/ldap_user_provider_test.go +++ b/internal/authentication/ldap_user_provider_test.go @@ -174,7 +174,7 @@ func TestShouldCheckLDAPServerExtensions(t *testing.T) { UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", Password: "password", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -230,7 +230,7 @@ func TestShouldNotEnablePasswdModifyExtension(t *testing.T) { UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", Password: "password", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -286,7 +286,7 @@ func TestShouldReturnCheckServerConnectError(t *testing.T) { UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", Password: "password", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -318,7 +318,7 @@ func TestShouldReturnCheckServerSearchError(t *testing.T) { UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", Password: "password", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", 
@@ -379,7 +379,7 @@ func TestShouldEscapeUserInput(t *testing.T) { UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", Password: "password", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -414,11 +414,13 @@ func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) { AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", }, nil, mockFactory) + assert.True(t, ldapClient.usersFilterReplacementInput) + mockConn.EXPECT(). Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")). Return(&ldap.SearchResult{}, nil) @@ -456,7 +458,7 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -486,7 +488,7 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) { DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { @@ -587,7 +589,7 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -617,7 +619,7 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) { DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { 
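Review bot: The added `assert.True(t, ldapClient.usersFilterReplacementInput)` in TestShouldCombineUsernameFilterAndUsersFilter reads an unexported cache flag without a failure message, and the UsersFilter value it depends on sits above the visible context of this hunk. A failure would therefore not say which filter was expected to contain `{input}`. A message argument would make that explicit, for example `assert.True(t, ldapClient.usersFilterReplacementInput, "users filter contains {input}, so the startup scan should cache it")`. The test body begins and ends outside the hunk.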
@@ -658,7 +660,7 @@ func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -716,7 +718,7 @@ func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) { DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { @@ -822,7 +824,7 @@ func TestShouldUpdateUserPasswordActiveDirectory(t *testing.T) { DN: "cn=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { @@ -968,7 +970,7 @@ func TestShouldCheckValidUserPassword(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -991,7 +993,7 @@ func TestShouldCheckValidUserPassword(t *testing.T) { DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { @@ -1035,7 +1037,7 @@ func TestShouldCheckInvalidUserPassword(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -1058,7 +1060,7 @@ func TestShouldCheckInvalidUserPassword(t *testing.T) { DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { 
@@ -1102,7 +1104,7 @@ func TestShouldCallStartTLSWhenEnabled(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -1136,7 +1138,7 @@ func TestShouldCallStartTLSWhenEnabled(t *testing.T) { DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { @@ -1176,7 +1178,7 @@ func TestShouldParseDynamicConfiguration(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input})({display_name_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))", GroupsFilter: "(&(|(member={dn})(member={input})(member={username}))(objectClass=group))", AdditionalUsersDN: "ou=users", 
@@ -1187,7 +1189,13 @@ func TestShouldParseDynamicConfiguration(t *testing.T) { nil, mockFactory) - assert.Equal(t, "(&(|(uid={input})(mail={input})(displayname={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))", ldapClient.configuration.UsersFilter) + assert.True(t, ldapClient.groupsFilterReplacementInput) + assert.True(t, ldapClient.groupsFilterReplacementUsername) + assert.True(t, ldapClient.groupsFilterReplacementDN) + + assert.True(t, ldapClient.usersFilterReplacementInput) + + assert.Equal(t, "(&(|(uid={input})(mail={input})(displayName={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))", ldapClient.configuration.UsersFilter) assert.Equal(t, "(&(|(member={dn})(member={input})(member={username}))(objectClass=group))", ldapClient.configuration.GroupsFilter) assert.Equal(t, "ou=users,dc=example,dc=com", ldapClient.usersBaseDN) assert.Equal(t, "ou=groups,dc=example,dc=com", ldapClient.groupsBaseDN) @@ -1207,7 +1215,7 @@ func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", @@ -1219,6 +1227,10 @@ func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T nil, mockFactory) + assert.False(t, ldapClient.groupsFilterReplacementInput) + assert.False(t, ldapClient.groupsFilterReplacementUsername) + assert.False(t, ldapClient.groupsFilterReplacementDN) + dialURL := mockFactory.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockConn, nil) 
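Review bot: The cached groups-filter flags are only exercised in the all-set case here and the all-unset case in the `@@ -1219,6 +1227,10 @@` hunk, so a startup scan that derives one flag from the wrong placeholder (for instance setting `groupsFilterReplacementDN` from `{username}`) would pass both tests. A flag that is wrongly false presumably leaves its placeholder literal in the group search filter, which would likely change the groups returned for a user; this should be confirmed against the provider code, which is not part of this diff. A third case whose GroupsFilter contains only `{dn}` would pin each flag independently: `assert.True(t, ldapClient.groupsFilterReplacementDN)`, `assert.False(t, ldapClient.groupsFilterReplacementInput)`, `assert.False(t, ldapClient.groupsFilterReplacementUsername)`.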
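Review bot: The three `assert.False` checks are added to TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue, whose remaining visible expectations concern DialURL and StartTLS, so a regression in the placeholder cache would be reported under an unrelated test name. No GroupsFilter is visible in the configuration lines of this test, so the flags are presumably false because the filter is empty; a comment such as `// no GroupsFilter configured: no replacement flags should be cached` would state that. The same configuration sets `UsersFilter: "uid={input}"` in the preceding hunk, yet `usersFilterReplacementInput` is not asserted here. The test body continues outside the hunk.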
@@ -1244,7 +1256,7 @@ func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T DN: "uid=test,dc=example,dc=com", Attributes: []*ldap.EntryAttribute{ { - Name: "displayname", + Name: "displayName", Values: []string{"John Doe"}, }, { @@ -1285,7 +1297,7 @@ func TestShouldReturnLDAPSAlreadySecuredWhenStartTLSAttempted(t *testing.T) { Password: "password", UsernameAttribute: "uid", MailAttribute: "mail", - DisplayNameAttribute: "displayname", + DisplayNameAttribute: "displayName", UsersFilter: "uid={input}", AdditionalUsersDN: "ou=users", BaseDN: "dc=example,dc=com", |
