summaryrefslogtreecommitdiff
path: root/internal/configuration/validator/authentication_test.go
diff options
context:
space:
mode:
authorJames Elliott <james-d-elliott@users.noreply.github.com>2021-01-04 21:28:55 +1100
committerGitHub <noreply@github.com>2021-01-04 21:28:55 +1100
commit29a900226d8ac85fa04e11af022a9561dae9e652 (patch)
treef6d575ddbe474fc3472ae2743b716529046292a6 /internal/configuration/validator/authentication_test.go
parent3487fd392e770c3e4c7af9aa5ef8e3e25b9a73eb (diff)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
Diffstat (limited to 'internal/configuration/validator/authentication_test.go')
-rw-r--r--internal/configuration/validator/authentication_test.go387
1 files changed, 279 insertions, 108 deletions
diff --git a/internal/configuration/validator/authentication_test.go b/internal/configuration/validator/authentication_test.go
index 7da18d0dc..cf01525f7 100644
--- a/internal/configuration/validator/authentication_test.go
+++ b/internal/configuration/validator/authentication_test.go
@@ -41,93 +41,127 @@ func (suite *FileBasedAuthenticationBackend) SetupTest() {
}
func (suite *FileBasedAuthenticationBackend) TestShouldValidateCompleteConfiguration() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenNoPathProvided() {
suite.configuration.File.Path = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a `path` for the users database in `authentication_backend`")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a `path` for the users database in `authentication_backend`")
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenMemoryNotMoreThanEightTimesParallelism() {
suite.configuration.File.Password.Memory = 8
suite.configuration.File.Password.Parallelism = 2
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Memory for argon2id must be 16 or more (parallelism * 8), you configured memory as 8 and parallelism as 2")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Memory for argon2id must be 16 or more (parallelism * 8), you configured memory as 8 and parallelism as 2")
}
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenBlank() {
suite.configuration.File.Password = &schema.PasswordConfiguration{}
- assert.Equal(suite.T(), 0, suite.configuration.File.Password.KeyLength)
- assert.Equal(suite.T(), 0, suite.configuration.File.Password.Iterations)
- assert.Equal(suite.T(), 0, suite.configuration.File.Password.SaltLength)
- assert.Equal(suite.T(), "", suite.configuration.File.Password.Algorithm)
- assert.Equal(suite.T(), 0, suite.configuration.File.Password.Memory)
- assert.Equal(suite.T(), 0, suite.configuration.File.Password.Parallelism)
+ suite.Assert().Equal(0, suite.configuration.File.Password.KeyLength)
+ suite.Assert().Equal(0, suite.configuration.File.Password.Iterations)
+ suite.Assert().Equal(0, suite.configuration.File.Password.SaltLength)
+ suite.Assert().Equal("", suite.configuration.File.Password.Algorithm)
+ suite.Assert().Equal(0, suite.configuration.File.Password.Memory)
+ suite.Assert().Equal(0, suite.configuration.File.Password.Parallelism)
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.KeyLength, suite.configuration.File.Password.KeyLength)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Iterations, suite.configuration.File.Password.Iterations)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.SaltLength, suite.configuration.File.Password.SaltLength)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Algorithm, suite.configuration.File.Password.Algorithm)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Memory, suite.configuration.File.Password.Memory)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Parallelism, suite.configuration.File.Password.Parallelism)
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.KeyLength, suite.configuration.File.Password.KeyLength)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Iterations, suite.configuration.File.Password.Iterations)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.SaltLength, suite.configuration.File.Password.SaltLength)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Algorithm, suite.configuration.File.Password.Algorithm)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Memory, suite.configuration.File.Password.Memory)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Parallelism, suite.configuration.File.Password.Parallelism)
}
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenOnlySHA512Set() {
suite.configuration.File.Password = &schema.PasswordConfiguration{}
- assert.Equal(suite.T(), "", suite.configuration.File.Password.Algorithm)
+ suite.Assert().Equal("", suite.configuration.File.Password.Algorithm)
suite.configuration.File.Password.Algorithm = "sha512"
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), schema.DefaultPasswordSHA512Configuration.KeyLength, suite.configuration.File.Password.KeyLength)
- assert.Equal(suite.T(), schema.DefaultPasswordSHA512Configuration.Iterations, suite.configuration.File.Password.Iterations)
- assert.Equal(suite.T(), schema.DefaultPasswordSHA512Configuration.SaltLength, suite.configuration.File.Password.SaltLength)
- assert.Equal(suite.T(), schema.DefaultPasswordSHA512Configuration.Algorithm, suite.configuration.File.Password.Algorithm)
- assert.Equal(suite.T(), schema.DefaultPasswordSHA512Configuration.Memory, suite.configuration.File.Password.Memory)
- assert.Equal(suite.T(), schema.DefaultPasswordSHA512Configuration.Parallelism, suite.configuration.File.Password.Parallelism)
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.KeyLength, suite.configuration.File.Password.KeyLength)
+ suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Iterations, suite.configuration.File.Password.Iterations)
+ suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.SaltLength, suite.configuration.File.Password.SaltLength)
+ suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Algorithm, suite.configuration.File.Password.Algorithm)
+ suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Memory, suite.configuration.File.Password.Memory)
+ suite.Assert().Equal(schema.DefaultPasswordSHA512Configuration.Parallelism, suite.configuration.File.Password.Parallelism)
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenKeyLengthTooLow() {
suite.configuration.File.Password.KeyLength = 1
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Key length for argon2id must be 16, you configured 1")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Key length for argon2id must be 16, you configured 1")
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSaltLengthTooLow() {
suite.configuration.File.Password.SaltLength = -1
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "The salt length must be 2 or more, you configured -1")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "The salt length must be 2 or more, you configured -1")
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBadAlgorithmDefined() {
suite.configuration.File.Password.Algorithm = "bogus"
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Unknown hashing algorithm supplied, valid values are argon2id and sha512, you configured 'bogus'")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Unknown hashing algorithm supplied, valid values are argon2id and sha512, you configured 'bogus'")
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenIterationsTooLow() {
suite.configuration.File.Password.Iterations = -1
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "The number of iterations specified is invalid, must be 1 or more, you configured -1")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "The number of iterations specified is invalid, must be 1 or more, you configured -1")
}
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenParallelismTooLow() {
suite.configuration.File.Password.Parallelism = -1
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Parallelism for argon2id must be 1 or more, you configured -1")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Parallelism for argon2id must be 1 or more, you configured -1")
}
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultValues() {
@@ -136,13 +170,17 @@ func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultValues() {
suite.configuration.File.Password.SaltLength = 0
suite.configuration.File.Password.Memory = 0
suite.configuration.File.Password.Parallelism = 0
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Algorithm, suite.configuration.File.Password.Algorithm)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Iterations, suite.configuration.File.Password.Iterations)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.SaltLength, suite.configuration.File.Password.SaltLength)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Memory, suite.configuration.File.Password.Memory)
- assert.Equal(suite.T(), schema.DefaultPasswordConfiguration.Parallelism, suite.configuration.File.Password.Parallelism)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Algorithm, suite.configuration.File.Password.Algorithm)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Iterations, suite.configuration.File.Password.Iterations)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.SaltLength, suite.configuration.File.Password.SaltLength)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Memory, suite.configuration.File.Password.Memory)
+ suite.Assert().Equal(schema.DefaultPasswordConfiguration.Parallelism, suite.configuration.File.Password.Parallelism)
}
func TestFileBasedAuthenticationBackend(t *testing.T) {
@@ -171,158 +209,289 @@ func (suite *LdapAuthenticationBackendSuite) SetupTest() {
func (suite *LdapAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenImplementationIsInvalidMSAD() {
suite.configuration.Ldap.Implementation = "masd"
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "authentication backend ldap implementation must be blank or one of the following values `custom`, `activedirectory`")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "authentication backend ldap implementation must be blank or one of the following values `custom`, `activedirectory`")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenURLNotProvided() {
suite.configuration.Ldap.URL = ""
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a URL to the LDAP server")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a URL to the LDAP server")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenUserNotProvided() {
suite.configuration.Ldap.User = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a user name to connect to the LDAP server")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a user name to connect to the LDAP server")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenPasswordNotProvided() {
suite.configuration.Ldap.Password = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a password to connect to the LDAP server")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a password to connect to the LDAP server")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenBaseDNNotProvided() {
suite.configuration.Ldap.BaseDN = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a base DN to connect to the LDAP server")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a base DN to connect to the LDAP server")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyGroupsFilter() {
suite.configuration.Ldap.GroupsFilter = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a groups filter with `groups_filter` attribute")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a groups filter with `groups_filter` attribute")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsersFilter() {
suite.configuration.Ldap.UsersFilter = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a users filter with `users_filter` attribute")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Please provide a users filter with `users_filter` attribute")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldNotRaiseOnEmptyUsernameAttribute() {
suite.configuration.Ldap.UsernameAttribute = ""
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnBadRefreshInterval() {
suite.configuration.RefreshInterval = "blah"
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Auth Backend `refresh_interval` is configured to 'blah' but it must be either a duration notation or one of 'disable', or 'always'. Error from parser: Could not convert the input string of blah into a duration")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Auth Backend `refresh_interval` is configured to 'blah' but it must be either a duration notation or one of 'disable', or 'always'. Error from parser: Could not convert the input string of blah into a duration")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultImplementation() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), schema.LDAPImplementationCustom, suite.configuration.Ldap.Implementation)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal(schema.LDAPImplementationCustom, suite.configuration.Ldap.Implementation)
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), "cn", suite.configuration.Ldap.GroupNameAttribute)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal("cn", suite.configuration.Ldap.GroupNameAttribute)
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), "mail", suite.configuration.Ldap.MailAttribute)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal("mail", suite.configuration.Ldap.MailAttribute)
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttribute() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), "displayname", suite.configuration.Ldap.DisplayNameAttribute)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal("displayname", suite.configuration.Ldap.DisplayNameAttribute)
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultRefreshInterval() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), "5m", suite.configuration.RefreshInterval)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal("5m", suite.configuration.RefreshInterval)
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
suite.configuration.Ldap.UsersFilter = "{username_attribute}={input}"
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance {username_attribute}={input} should be ({username_attribute}={input})")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance {username_attribute}={input} should be ({username_attribute}={input})")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
suite.configuration.Ldap.GroupsFilter = "cn={input}"
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "The groups filter should contain enclosing parenthesis. For instance cn={input} should be (cn={input})")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "The groups filter should contain enclosing parenthesis. For instance cn={input} should be (cn={input})")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainUsernameAttribute() {
suite.configuration.Ldap.UsersFilter = "(&({mail_attribute}={input})(objectClass=person))"
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Unable to detect {username_attribute} placeholder in users_filter, your configuration is broken. Please review configuration options listed at https://docs.authelia.com/configuration/authentication/ldap.html")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Unable to detect {username_attribute} placeholder in users_filter, your configuration is broken. Please review configuration options listed at https://docs.authelia.com/configuration/authentication/ldap.html")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldHelpDetectNoInputPlaceholder() {
suite.configuration.Ldap.UsersFilter = "(&({username_attribute}={mail_attribute})(objectClass=person))"
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Unable to detect {input} placeholder in users_filter, your configuration might be broken. Please review configuration options listed at https://docs.authelia.com/configuration/authentication/ldap.html")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Unable to detect {input} placeholder in users_filter, your configuration might be broken. Please review configuration options listed at https://docs.authelia.com/configuration/authentication/ldap.html")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() {
- assert.Equal(suite.T(), "", validateLdapURL("127.0.0.1", suite.validator))
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "Unknown scheme for ldap url, should be ldap:// or ldaps://")
+ suite.Assert().Equal("", validateLdapURLSimple("127.0.0.1", suite.validator))
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Unknown scheme for ldap url, should be ldap:// or ldaps://")
- assert.Equal(suite.T(), "", validateLdapURL("127.0.0.1:636", suite.validator))
- require.Len(suite.T(), suite.validator.Errors(), 2)
- assert.EqualError(suite.T(), suite.validator.Errors()[1], "Unable to parse URL to ldap server. The scheme is probably missing: ldap:// or ldaps://")
+ suite.Assert().Equal("", validateLdapURLSimple("127.0.0.1:636", suite.validator))
- assert.Equal(suite.T(), "ldap://127.0.0.1:389", validateLdapURL("ldap://127.0.0.1", suite.validator))
- assert.Equal(suite.T(), "ldap://127.0.0.1:390", validateLdapURL("ldap://127.0.0.1:390", suite.validator))
- assert.Equal(suite.T(), "ldap://127.0.0.1:389/abc", validateLdapURL("ldap://127.0.0.1/abc", suite.validator))
- assert.Equal(suite.T(), "ldap://127.0.0.1:389/abc?test=abc&x=y", validateLdapURL("ldap://127.0.0.1/abc?test=abc&x=y", suite.validator))
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 2)
+ suite.Assert().EqualError(suite.validator.Errors()[1], "Unable to parse URL to ldap server. The scheme is probably missing: ldap:// or ldaps://")
- assert.Equal(suite.T(), "ldaps://127.0.0.1:390", validateLdapURL("ldaps://127.0.0.1:390", suite.validator))
- assert.Equal(suite.T(), "ldaps://127.0.0.1:636", validateLdapURL("ldaps://127.0.0.1", suite.validator))
+ suite.Assert().Equal("ldap://127.0.0.1", validateLdapURLSimple("ldap://127.0.0.1", suite.validator))
+ suite.Assert().Equal("ldap://127.0.0.1:390", validateLdapURLSimple("ldap://127.0.0.1:390", suite.validator))
+ suite.Assert().Equal("ldap://127.0.0.1/abc", validateLdapURLSimple("ldap://127.0.0.1/abc", suite.validator))
+ suite.Assert().Equal("ldap://127.0.0.1/abc?test=abc&x=y", validateLdapURLSimple("ldap://127.0.0.1/abc?test=abc&x=y", suite.validator))
+
+ suite.Assert().Equal("ldaps://127.0.0.1:390", validateLdapURLSimple("ldaps://127.0.0.1:390", suite.validator))
+ suite.Assert().Equal("ldaps://127.0.0.1", validateLdapURLSimple("ldaps://127.0.0.1", suite.validator))
}
func (suite *LdapAuthenticationBackendSuite) TestShouldDefaultTLS12() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
- assert.Equal(suite.T(), schema.DefaultLDAPAuthenticationBackendConfiguration.MinimumTLSVersion, suite.configuration.Ldap.MinimumTLSVersion)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
+
+ suite.Assert().Equal(schema.DefaultLDAPAuthenticationBackendConfiguration.MinimumTLSVersion, suite.configuration.Ldap.MinimumTLSVersion)
}
func (suite *LdapAuthenticationBackendSuite) TestShouldNotAllowInvalidTLSValue() {
- suite.configuration.Ldap.MinimumTLSVersion = "SSL2.0"
+ suite.configuration.Ldap.TLS = &schema.TLSConfig{
+ MinimumVersion: "SSL2.0",
+ }
+
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- require.Len(suite.T(), suite.validator.Errors(), 1)
- assert.EqualError(suite.T(), suite.validator.Errors()[0], "error occurred validating the LDAP minimum_tls_version key with value SSL2.0: supplied TLS version isn't supported")
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "error occurred validating the LDAP minimum_tls_version key with value SSL2.0: supplied TLS version isn't supported")
+}
+
+// Deprecated: Temporary Test. TODO: Remove in 4.28 (Whole Test).
+func (suite *LdapAuthenticationBackendSuite) TestShouldReturnDeprecationWarningsAndNoMappingFor428() {
+ var skipVerify = true
+
+ suite.configuration.Ldap.MinimumTLSVersion = "TLS1.0"
+ suite.configuration.Ldap.SkipVerify = &skipVerify
+ suite.configuration.Ldap.TLS = nil
+ suite.configuration.Ldap.TLS = &schema.TLSConfig{
+ ServerName: "golang.org",
+ MinimumVersion: "",
+ }
+
+ ValidateAuthenticationBackend(&suite.configuration, suite.validator)
+
+ // Should not override since TLS schema is defined
+ suite.Assert().Equal(false, suite.configuration.Ldap.TLS.SkipVerify)
+ suite.Assert().Equal(schema.DefaultLDAPAuthenticationBackendConfiguration.TLS.MinimumVersion, suite.configuration.Ldap.TLS.MinimumVersion)
+
+ suite.Assert().False(suite.validator.HasErrors())
+ suite.Require().Len(suite.validator.Warnings(), 2)
+
+ warnings := suite.validator.Warnings()
+
+ suite.Assert().EqualError(warnings[0], "DEPRECATED: LDAP Auth Backend `skip_verify` option has been replaced by `authentication_backend.ldap.tls.skip_verify` (will be removed in 4.28.0)")
+ suite.Assert().EqualError(warnings[1], "DEPRECATED: LDAP Auth Backend `minimum_tls_version` option has been replaced by `authentication_backend.ldap.tls.minimum_version` (will be removed in 4.28.0)")
+}
+
+// Deprecated: Temporary Test. TODO: Remove in 4.28 (Whole Test).
+func (suite *LdapAuthenticationBackendSuite) TestShouldReturnDeprecationWarningsAndMappingFor428() {
+ var skipVerify = true
+
+ tlsVersion := "TLS1.1"
+
+ suite.configuration.Ldap.MinimumTLSVersion = tlsVersion
+ suite.configuration.Ldap.SkipVerify = &skipVerify
+
+ ValidateAuthenticationBackend(&suite.configuration, suite.validator)
+
+ // Should override since TLS schema is not defined
+ suite.Assert().Equal(true, suite.configuration.Ldap.TLS.SkipVerify)
+ suite.Assert().Equal(tlsVersion, suite.configuration.Ldap.TLS.MinimumVersion)
+
+ suite.Assert().False(suite.validator.HasErrors())
+ suite.Require().Len(suite.validator.Warnings(), 2)
+
+ warnings := suite.validator.Warnings()
+
+ suite.Assert().EqualError(warnings[0], "DEPRECATED: LDAP Auth Backend `skip_verify` option has been replaced by `authentication_backend.ldap.tls.skip_verify` (will be removed in 4.28.0)")
+ suite.Assert().EqualError(warnings[1], "DEPRECATED: LDAP Auth Backend `minimum_tls_version` option has been replaced by `authentication_backend.ldap.tls.minimum_version` (will be removed in 4.28.0)")
}
func TestLdapAuthenticationBackend(t *testing.T) {
@@ -344,29 +513,31 @@ func (suite *ActiveDirectoryAuthenticationBackendSuite) SetupTest() {
suite.configuration.Ldap.User = testLDAPUser
suite.configuration.Ldap.Password = testLDAPPassword
suite.configuration.Ldap.BaseDN = testLDAPBaseDN
+ suite.configuration.Ldap.TLS = schema.DefaultLDAPAuthenticationBackendConfiguration.TLS
}
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirectoryDefaults() {
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.Len(suite.T(), suite.validator.Errors(), 0)
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Assert().False(suite.validator.HasErrors())
- assert.Equal(suite.T(),
+ suite.Assert().Equal(
suite.configuration.Ldap.UsersFilter,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsersFilter)
- assert.Equal(suite.T(),
+ suite.Assert().Equal(
suite.configuration.Ldap.UsernameAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsernameAttribute)
- assert.Equal(suite.T(),
+ suite.Assert().Equal(
suite.configuration.Ldap.DisplayNameAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.DisplayNameAttribute)
- assert.Equal(suite.T(),
+ suite.Assert().Equal(
suite.configuration.Ldap.MailAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.MailAttribute)
- assert.Equal(suite.T(),
+ suite.Assert().Equal(
suite.configuration.Ldap.GroupsFilter,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupsFilter)
- assert.Equal(suite.T(),
+ suite.Assert().Equal(
suite.configuration.Ldap.GroupNameAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupNameAttribute)
}
@@ -381,22 +552,22 @@ func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldOnlySetDefault
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
- assert.NotEqual(suite.T(),
+ suite.Assert().NotEqual(
suite.configuration.Ldap.UsersFilter,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsersFilter)
- assert.NotEqual(suite.T(),
+ suite.Assert().NotEqual(
suite.configuration.Ldap.UsernameAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.UsernameAttribute)
- assert.NotEqual(suite.T(),
+ suite.Assert().NotEqual(
suite.configuration.Ldap.DisplayNameAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.DisplayNameAttribute)
- assert.NotEqual(suite.T(),
+ suite.Assert().NotEqual(
suite.configuration.Ldap.MailAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.MailAttribute)
- assert.NotEqual(suite.T(),
+ suite.Assert().NotEqual(
suite.configuration.Ldap.GroupsFilter,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupsFilter)
- assert.NotEqual(suite.T(),
+ suite.Assert().NotEqual(
suite.configuration.Ldap.GroupNameAttribute,
schema.DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration.GroupNameAttribute)
}