diff options
34 files changed, 3276 insertions, 2313 deletions
diff --git a/config.template.yml b/config.template.yml index a3181081d..2e01b7a15 100644 --- a/config.template.yml +++ b/config.template.yml @@ -459,6 +459,7 @@ identity_validation: ## Use StartTLS with the LDAP connection. # start_tls: false + ## TLS configuration. # tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the address options hostname. @@ -495,6 +496,20 @@ identity_validation: # ... # -----END RSA PRIVATE KEY----- + ## Connection Pooling configuration. + # pooling: + ## Enable Pooling. + # enable: false + + ## Pool count. + # count: 5 + + ## Retries to obtain a connection during the timeout. + # retries: 2 + + ## Timeout before the attempt to obtain a connection fails. + # timeout: '10 seconds' + ## The distinguished name of the container searched for objects in the directory information tree. ## See also: additional_users_dn, additional_groups_dn. # base_dn: 'dc=example,dc=com' diff --git a/docs/content/configuration/first-factor/ldap.md b/docs/content/configuration/first-factor/ldap.md index 3d2043f5f..6730e302c 100644 --- a/docs/content/configuration/first-factor/ldap.md +++ b/docs/content/configuration/first-factor/ldap.md @@ -50,6 +50,11 @@ authentication_backend: -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- + pooling: + enable: false + count: 5 + retries: 2 + timeout: '10 seconds' base_dn: '{{< sitevar name="domain" format="dn" nojs="DC=example,DC=com" >}}' additional_users_dn: 'OU=users' users_filter: '(&({username_attribute}={input})(objectClass=person))' @@ -155,6 +160,35 @@ By default Authelia uses the system certificate trust for TLS certificate verifi this. +### pooling + +The connection pooling configuration. + +#### enable + +{{< confkey type="boolean" default="false" required="no" >}} + +Enables the connection pooling functionality. + +#### count + +{{< confkey type="integer" default="5" required="no" >}} + +The number of open connections to be available in the pool at any given time. + +#### retries + +{{< confkey type="integer" default="2" required="no" >}} + +The number of attempts to obtain a free connecting that are made within the timeout period. This effectively splits the +timeout into chunks. + +#### timeout + +{{< confkey type="string,integer" syntax="duration" default="5 seconds" required="no" >}} + +The amount of time that we wait for a connection to become free in the pool before giving up and failing with an error. + ### base_dn {{< confkey type="string" required="situational" >}} diff --git a/docs/content/integration/openid-connect/stirling-pdf/index.md b/docs/content/integration/openid-connect/stirling-pdf/index.md index 36c5ae29b..912c95391 100644 --- a/docs/content/integration/openid-connect/stirling-pdf/index.md +++ b/docs/content/integration/openid-connect/stirling-pdf/index.md @@ -2,7 +2,7 @@ title: "Stirling-PDF" description: "Integrating Stirling-PDF with the Authelia OpenID Connect 1.0 Provider." summary: "" -date: 2025-02-23T17:51:47+10:00 +date: 2025-02-23T04:38:52+00:00 draft: false images: [] weight: 620 diff --git a/docs/content/reference/guides/authentication-method-references.md b/docs/content/reference/guides/authentication-method-references.md index 6470e680e..c00d35fdc 100644 --- a/docs/content/reference/guides/authentication-method-references.md +++ b/docs/content/reference/guides/authentication-method-references.md @@ -2,7 +2,7 @@ title: "Authentication Method Reference Values" description: "This guide shows a list of Authentication Method Reference Values based on RFC8176 and how they are implemented within Authelia" summary: "This guide shows a list of other frequently asked question documents as well as some general ones." -date: 2025-01-27T09:23:06+11:00 +date: 2025-02-23T16:08:49+11:00 draft: false images: [] weight: 220 diff --git a/docs/content/reference/guides/webauthn.md b/docs/content/reference/guides/webauthn.md index 71e8d9e57..2ff01c566 100644 --- a/docs/content/reference/guides/webauthn.md +++ b/docs/content/reference/guides/webauthn.md @@ -2,7 +2,7 @@ title: "WebAuthn" description: "A reference guide on various WebAuthn features and topics" summary: "This section contains reference documentation for Authelia's WebAuthn implementation and capabilities." -date: 2025-01-27T09:23:06+11:00 +date: 2025-02-23T16:08:49+11:00 draft: false images: [] weight: 220 diff --git a/docs/data/configkeys.json b/docs/data/configkeys.json index 9f3f8de57..a93d83920 100644 --- a/docs/data/configkeys.json +++ b/docs/data/configkeys.json @@ -305,6 +305,26 @@ "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_CERTIFICATE_CHAIN_FILE" }, { + "path": "authentication_backend.ldap.pooling.enable", + "secret": false, + "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_ENABLE" + }, + { + "path": "authentication_backend.ldap.pooling.count", + "secret": false, + "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_COUNT" + }, + { + "path": "authentication_backend.ldap.pooling.retries", + "secret": false, + "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_RETRIES" + }, + { + "path": "authentication_backend.ldap.pooling.timeout", + "secret": false, + "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_TIMEOUT" + }, + { "path": "authentication_backend.ldap.base_dn", "secret": false, "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN" diff --git a/docs/static/schemas/latest/json-schema/configuration.json b/docs/static/schemas/latest/json-schema/configuration.json index 0bbeac431..a6d722ba3 100644 --- a/docs/static/schemas/latest/json-schema/configuration.json +++ b/docs/static/schemas/latest/json-schema/configuration.json @@ -713,6 +713,11 @@ "title": "TLS", "description": "The LDAP directory server TLS connection properties." }, + "pooling": { + "$ref": "#/$defs/AuthenticationBackendLDAPPooling", + "title": "Pooling", + "description": "The LDAP Connection Pooling properties." + }, "base_dn": { "type": "string", "title": "Base DN", @@ -821,6 +826,44 @@ "type": "object", "description": "AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes." }, + "AuthenticationBackendLDAPPooling": { + "properties": { + "enable": { + "type": "boolean", + "title": "Enable", + "description": "Enable LDAP connection pooling.", + "default": false + }, + "count": { + "type": "integer", + "title": "Count", + "description": "The number of connections to keep open for LDAP connection pooling.", + "default": 5 + }, + "retries": { + "type": "integer", + "title": "Retries", + "description": "The number of attempts to retrieve a connection from the pool during the timeout.", + "default": 2 + }, + "timeout": { + "oneOf": [ + { + "type": "string", + "pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$" + }, + { + "type": "integer", + "description": "The duration in seconds" + } + ], + "title": "Timeout", + "description": "The duration of time to wait for a connection to become available in the connection pool." + } + }, + "additionalProperties": false, + "type": "object" + }, "AuthenticationBackendPasswordReset": { "properties": { "disable": { diff --git a/docs/static/schemas/v4.38/json-schema/configuration.json b/docs/static/schemas/v4.38/json-schema/configuration.json index 0bbeac431..a6d722ba3 100644 --- a/docs/static/schemas/v4.38/json-schema/configuration.json +++ b/docs/static/schemas/v4.38/json-schema/configuration.json @@ -713,6 +713,11 @@ "title": "TLS", "description": "The LDAP directory server TLS connection properties." }, + "pooling": { + "$ref": "#/$defs/AuthenticationBackendLDAPPooling", + "title": "Pooling", + "description": "The LDAP Connection Pooling properties." + }, "base_dn": { "type": "string", "title": "Base DN", @@ -821,6 +826,44 @@ "type": "object", "description": "AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes." }, + "AuthenticationBackendLDAPPooling": { + "properties": { + "enable": { + "type": "boolean", + "title": "Enable", + "description": "Enable LDAP connection pooling.", + "default": false + }, + "count": { + "type": "integer", + "title": "Count", + "description": "The number of connections to keep open for LDAP connection pooling.", + "default": 5 + }, + "retries": { + "type": "integer", + "title": "Retries", + "description": "The number of attempts to retrieve a connection from the pool during the timeout.", + "default": 2 + }, + "timeout": { + "oneOf": [ + { + "type": "string", + "pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$" + }, + { + "type": "integer", + "description": "The duration in seconds" + } + ], + "title": "Timeout", + "description": "The duration of time to wait for a connection to become available in the connection pool." + } + }, + "additionalProperties": false, + "type": "object" + }, "AuthenticationBackendPasswordReset": { "properties": { "disable": { diff --git a/docs/static/schemas/v4.39/json-schema/configuration.json b/docs/static/schemas/v4.39/json-schema/configuration.json index 221ec38d6..39d9ad7d4 100644 --- a/docs/static/schemas/v4.39/json-schema/configuration.json +++ b/docs/static/schemas/v4.39/json-schema/configuration.json @@ -734,6 +734,11 @@ "title": "TLS", "description": "The LDAP directory server TLS connection properties." }, + "pooling": { + "$ref": "#/$defs/AuthenticationBackendLDAPPooling", + "title": "Pooling", + "description": "The LDAP Connection Pooling properties." + }, "base_dn": { "type": "string", "title": "Base DN", @@ -968,6 +973,44 @@ "additionalProperties": false, "type": "object" }, + "AuthenticationBackendLDAPPooling": { + "properties": { + "enable": { + "type": "boolean", + "title": "Enable", + "description": "Enable LDAP connection pooling.", + "default": false + }, + "count": { + "type": "integer", + "title": "Count", + "description": "The number of connections to keep open for LDAP connection pooling.", + "default": 5 + }, + "retries": { + "type": "integer", + "title": "Retries", + "description": "The number of attempts to retrieve a connection from the pool during the timeout.", + "default": 2 + }, + "timeout": { + "oneOf": [ + { + "type": "string", + "pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$" + }, + { + "type": "integer", + "description": "The duration in seconds" + } + ], + "title": "Timeout", + "description": "The duration of time to wait for a connection to become available in the connection pool." + } + }, + "additionalProperties": false, + "type": "object" + }, "AuthenticationBackendPasswordReset": { "properties": { "disable": { diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go index 02e0faa81..0dd84e085 100644 --- a/internal/authentication/file_user_provider.go +++ b/internal/authentication/file_user_provider.go @@ -25,7 +25,7 @@ type FileUserProvider struct { config *schema.AuthenticationBackendFile hash algorithm.Hash database FileUserProviderDatabase - mutex *sync.Mutex + mutex sync.Mutex timeoutReload time.Time } @@ -33,7 +33,6 @@ type FileUserProvider struct { func NewFileUserProvider(config *schema.AuthenticationBackendFile) (provider *FileUserProvider) { return &FileUserProvider{ config: config, - mutex: &sync.Mutex{}, timeoutReload: time.Now().Add(-1 * time.Second), database: NewFileUserDatabase(config.Path, config.Search.Email, config.Search.CaseInsensitive, getExtra(config)), } @@ -77,6 +76,10 @@ func (p *FileUserProvider) Reload() (reloaded bool, err error) { return true, nil } +func (p *FileUserProvider) Shutdown() (err error) { + return nil +} + // CheckUserPassword checks if provided password matches for the given user. func (p *FileUserProvider) CheckUserPassword(username string, password string) (match bool, err error) { var details FileUserDatabaseUserDetails diff --git a/internal/authentication/file_user_provider_test.go b/internal/authentication/file_user_provider_test.go index 1da33a389..0925d893f 100644 --- a/internal/authentication/file_user_provider_test.go +++ b/internal/authentication/file_user_provider_test.go @@ -86,7 +86,6 @@ func TestShouldNotPanicOnNilDB(t *testing.T) { provider := &FileUserProvider{ config: &schema.AuthenticationBackendFile{Path: f, Password: schema.DefaultPasswordConfig}, - mutex: &sync.Mutex{}, timeoutReload: time.Now().Add(-1 * time.Second), } @@ -102,7 +101,7 @@ func TestShouldHandleBadConfig(t *testing.T) { provider := &FileUserProvider{ config: &schema.AuthenticationBackendFile{Path: f, Password: schema.DefaultPasswordConfig, ExtraAttributes: map[string]schema.AuthenticationBackendExtraAttribute{"example": {ValueType: "integer"}}}, - mutex: &sync.Mutex{}, + mutex: sync.Mutex{}, timeoutReload: time.Now().Add(-1 * time.Second), } diff --git a/internal/authentication/gen.go b/internal/authentication/gen.go index 3e92fd178..c908f02d7 100644 --- a/internal/authentication/gen.go +++ b/internal/authentication/gen.go @@ -3,7 +3,8 @@ package authentication // This file is used to generate mocks. You can generate all mocks using the // command `go generate github.com/authelia/authelia/v4/internal/authentication`. -//go:generate mockgen -package authentication -destination ldap_client_mock_test.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient +//go:generate mockgen -package authentication -destination ldap_client_mock_test.go -mock_names Client=MockLDAPClient github.com/go-ldap/ldap/v3 Client +//go:generate mockgen -package authentication -destination ldap_client_dialer_test.go -mock_names LDAPClientDialer=MockLDAPClientDialer github.com/authelia/authelia/v4/internal/authentication LDAPClientDialer //go:generate mockgen -package authentication -destination ldap_client_factory_mock_test.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory //go:generate mockgen -package authentication -destination file_user_provider_database_mock_test.go -mock_names FileUserProviderDatabase=MockFileUserDatabase github.com/authelia/authelia/v4/internal/authentication FileUserProviderDatabase //go:generate mockgen -package authentication -destination file_user_provider_hash_mock_test.go -mock_names Hash=MockHash github.com/go-crypt/crypt/algorithm Hash diff --git a/internal/authentication/ldap_client_dialer.go b/internal/authentication/ldap_client_dialer.go new file mode 100644 index 000000000..4577e2eae --- /dev/null +++ b/internal/authentication/ldap_client_dialer.go @@ -0,0 +1,31 @@ +package authentication + +import ( + "fmt" + + "github.com/go-ldap/ldap/v3" +) + +// LDAPClientDialer is an abstract type that dials a ldap.Client. +type LDAPClientDialer interface { + // DialURL takes a single address and dials it returning the ldap.Client. + DialURL(addr string, opts ...ldap.DialOpt) (client ldap.Client, err error) +} + +// NewLDAPClientDialerStandard returns a new *LDAPClientDialerStandard. +func NewLDAPClientDialerStandard() *LDAPClientDialerStandard { + return &LDAPClientDialerStandard{} +} + +// LDAPClientDialerStandard is a concrete type that dials a ldap.Client and returns it, implementing the +// LDAPClientDialer. +type LDAPClientDialerStandard struct{} + +// DialURL takes a single address and dials it returning the ldap.Client. +func (d *LDAPClientDialerStandard) DialURL(addr string, opts ...ldap.DialOpt) (client ldap.Client, err error) { + if client, err = ldap.DialURL(addr, opts...); err != nil { + return nil, fmt.Errorf("failed to dial LDAP server at %s: %w", addr, err) + } + + return client, nil +} diff --git a/internal/authentication/ldap_client_dialer_test.go b/internal/authentication/ldap_client_dialer_test.go new file mode 100644 index 000000000..40228a8ea --- /dev/null +++ b/internal/authentication/ldap_client_dialer_test.go @@ -0,0 +1,61 @@ +// Code generated by MockGen. DO NOT EDIT. +// Source: github.com/authelia/authelia/v4/internal/authentication (interfaces: LDAPClientDialer) +// +// Generated by this command: +// +// mockgen -package authentication -destination ldap_client_dialer_test.go -mock_names LDAPClientDialer=MockLDAPClientDialer github.com/authelia/authelia/v4/internal/authentication LDAPClientDialer +// + +// Package authentication is a generated GoMock package. +package authentication + +import ( + reflect "reflect" + + ldap "github.com/go-ldap/ldap/v3" + gomock "go.uber.org/mock/gomock" +) + +// MockLDAPClientDialer is a mock of LDAPClientDialer interface. +type MockLDAPClientDialer struct { + ctrl *gomock.Controller + recorder *MockLDAPClientDialerMockRecorder + isgomock struct{} +} + +// MockLDAPClientDialerMockRecorder is the mock recorder for MockLDAPClientDialer. +type MockLDAPClientDialerMockRecorder struct { + mock *MockLDAPClientDialer +} + +// NewMockLDAPClientDialer creates a new mock instance. +func NewMockLDAPClientDialer(ctrl *gomock.Controller) *MockLDAPClientDialer { + mock := &MockLDAPClientDialer{ctrl: ctrl} + mock.recorder = &MockLDAPClientDialerMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockLDAPClientDialer) EXPECT() *MockLDAPClientDialerMockRecorder { + return m.recorder +} + +// DialURL mocks base method. +func (m *MockLDAPClientDialer) DialURL(addr string, opts ...ldap.DialOpt) (ldap.Client, error) { + m.ctrl.T.Helper() + varargs := []any{addr} + for _, a := range opts { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DialURL", varargs...) + ret0, _ := ret[0].(ldap.Client) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DialURL indicates an expected call of DialURL. +func (mr *MockLDAPClientDialerMockRecorder) DialURL(addr any, opts ...any) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]any{addr}, opts...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DialURL", reflect.TypeOf((*MockLDAPClientDialer)(nil).DialURL), varargs...) +} diff --git a/internal/authentication/ldap_client_factory.go b/internal/authentication/ldap_client_factory.go index d360f05b3..9bb55502c 100644 --- a/internal/authentication/ldap_client_factory.go +++ b/internal/authentication/ldap_client_factory.go @@ -1,18 +1,314 @@ package authentication import ( + "context" + "crypto/tls" + "crypto/x509" + "errors" + "fmt" + "net" + "sync" + "time" + "github.com/go-ldap/ldap/v3" + + "github.com/authelia/authelia/v4/internal/configuration/schema" + "github.com/authelia/authelia/v4/internal/utils" ) -// ProductionLDAPClientFactory the production implementation of an ldap connection factory. -type ProductionLDAPClientFactory struct{} +// LDAPClientFactory an interface describing factories that produce LDAPConnection implementations. +type LDAPClientFactory interface { + Initialize() (err error) + GetClient(opts ...LDAPClientFactoryOption) (client ldap.Client, err error) + ReleaseClient(client ldap.Client) (err error) + Close() (err error) +} + +// NewStandardLDAPClientFactory create a concrete ldap connection factory. +func NewStandardLDAPClientFactory(config *schema.AuthenticationBackendLDAP, certs *x509.CertPool, dialer LDAPClientDialer) LDAPClientFactory { + if dialer == nil { + dialer = &LDAPClientDialerStandard{} + } + + tlsc := utils.NewTLSConfig(config.TLS, certs) + + opts := []ldap.DialOpt{ + ldap.DialWithDialer(&net.Dialer{Timeout: config.Timeout}), + ldap.DialWithTLSConfig(tlsc), + } + + return &StandardLDAPClientFactory{ + config: config, + tls: tlsc, + opts: opts, + dialer: dialer, + } +} + +// StandardLDAPClientFactory the production implementation of an ldap connection factory. +type StandardLDAPClientFactory struct { + config *schema.AuthenticationBackendLDAP + tls *tls.Config + opts []ldap.DialOpt + dialer LDAPClientDialer +} + +func (f *StandardLDAPClientFactory) Initialize() (err error) { + return nil +} + +func (f *StandardLDAPClientFactory) GetClient(opts ...LDAPClientFactoryOption) (client ldap.Client, err error) { + return getLDAPClient(f.config.Address.String(), f.config.User, f.config.Password, f.dialer, f.tls, f.config.StartTLS, f.opts, opts...) +} + +func (f *StandardLDAPClientFactory) ReleaseClient(client ldap.Client) (err error) { + if err = client.Close(); err != nil { + return fmt.Errorf("error occurred closing LDAP client: %w", err) + } + + return nil +} -// NewProductionLDAPClientFactory create a concrete ldap connection factory. -func NewProductionLDAPClientFactory() *ProductionLDAPClientFactory { - return &ProductionLDAPClientFactory{} +func (f *StandardLDAPClientFactory) Close() (err error) { + return nil } -// DialURL creates a client from an LDAP URL when successful. -func (f *ProductionLDAPClientFactory) DialURL(addr string, opts ...ldap.DialOpt) (client LDAPClient, err error) { - return ldap.DialURL(addr, opts...) +// NewPooledLDAPClientFactory is a decorator for a LDAPClientFactory that performs pooling. +func NewPooledLDAPClientFactory(config *schema.AuthenticationBackendLDAP, certs *x509.CertPool, dialer LDAPClientDialer) (factory LDAPClientFactory) { + if dialer == nil { + dialer = &LDAPClientDialerStandard{} + } + + tlsc := utils.NewTLSConfig(config.TLS, certs) + + opts := []ldap.DialOpt{ + ldap.DialWithDialer(&net.Dialer{Timeout: config.Timeout}), + ldap.DialWithTLSConfig(tlsc), + } + + if config.Pooling.Count <= 0 { + config.Pooling.Count = 3 + } + + if config.Pooling.Retries <= 0 { + config.Pooling.Retries = 3 + } + + if config.Pooling.Timeout <= 0 { + config.Pooling.Timeout = time.Second + } + + sleep := config.Pooling.Timeout / time.Duration(config.Pooling.Retries) + + return &PooledLDAPClientFactory{ + config: config, + tls: tlsc, + opts: opts, + dialer: dialer, + sleep: sleep, + } +} + +// PooledLDAPClientFactory is a LDAPClientFactory that takes another LDAPClientFactory and pools the +// factory generated connections using a channel for thread safety. +type PooledLDAPClientFactory struct { + config *schema.AuthenticationBackendLDAP + tls *tls.Config + opts []ldap.DialOpt + dialer LDAPClientDialer + + pool chan *LDAPClientPooled + mu sync.Mutex + + sleep time.Duration + + closing bool +} + +func (f *PooledLDAPClientFactory) Initialize() (err error) { + f.mu.Lock() + + defer f.mu.Unlock() + + if f.pool != nil { + return nil + } + + f.pool = make(chan *LDAPClientPooled, f.config.Pooling.Count) + + var ( + errs []error + client *LDAPClientPooled + ) + + for i := 0; i < f.config.Pooling.Count; i++ { + if client, err = f.new(); err != nil { + errs = append(errs, err) + + continue + } + + f.pool <- client + } + + if len(errs) == f.config.Pooling.Count { + return fmt.Errorf("errors occurred initializing the client pool: no connections could be established") + } + + return nil +} + +// GetClient opens new client using the pool. +func (f *PooledLDAPClientFactory) GetClient(opts ...LDAPClientFactoryOption) (conn ldap.Client, err error) { + if len(opts) != 0 { + return getLDAPClient(f.config.Address.String(), f.config.User, f.config.Password, f.dialer, f.tls, f.config.StartTLS, f.opts, opts...) + } + + return f.acquire(context.Background()) +} + +// The new function creates a pool based client. This function is not thread safe. +func (f *PooledLDAPClientFactory) new() (pooled *LDAPClientPooled, err error) { + var client ldap.Client + + if client, err = getLDAPClient(f.config.Address.String(), f.config.User, f.config.Password, f.dialer, f.tls, f.config.StartTLS, f.opts); err != nil { + return nil, fmt.Errorf("error occurred establishing new client for the pool: %w", err) + } + + return &LDAPClientPooled{Client: client}, nil +} + +// ReleaseClient returns a client using the pool or closes it. +func (f *PooledLDAPClientFactory) ReleaseClient(client ldap.Client) (err error) { + f.mu.Lock() + + defer f.mu.Unlock() + + if f.closing { + return client.Close() + } + + if pool, ok := client.(*LDAPClientPooled); !ok || cap(f.pool) == len(f.pool) { + // Prevent extra or non-pool connections from being returned into the pool. + return client.Close() + } else { + f.pool <- pool + } + + return nil +} + +func (f *PooledLDAPClientFactory) acquire(ctx context.Context) (client *LDAPClientPooled, err error) { + f.mu.Lock() + + defer f.mu.Unlock() + + if f.closing { + return nil, fmt.Errorf("error acquiring client: the pool is closed") + } + + if cap(f.pool) != f.config.Pooling.Count { + if err = f.Initialize(); err != nil { + return nil, err + } + } + + ctx, cancel := context.WithTimeout(ctx, f.config.Pooling.Timeout) + defer cancel() + + select { + case <-ctx.Done(): + return nil, ctx.Err() + case client = <-f.pool: + if client.IsClosing() || client.Client == nil { + for { + select { + case <-ctx.Done(): + return nil, ctx.Err() + default: + if client, err = f.new(); err != nil { + time.Sleep(f.sleep) + + continue + } + + return client, nil + } + } + } + + return client, nil + } +} + +func (f *PooledLDAPClientFactory) Close() (err error) { + f.mu.Lock() + + defer f.mu.Unlock() + + f.closing = true + + close(f.pool) + + var errs []error + + for client := range f.pool { + if client.IsClosing() { + continue + } + + if err = client.Close(); err != nil { + errs = append(errs, err) + } + } + + if len(errs) > 0 { + return fmt.Errorf("errors occurred closing the client pool: %w", errors.Join(errs...)) + } + + return nil +} + +// LDAPClientPooled is a decorator for the ldap.Client which handles the pooling functionality. i.e. prevents the client +// from being closed and instead relinquishes the connection back to the pool. +type LDAPClientPooled struct { + ldap.Client +} + +func getLDAPClient(address, username, password string, dialer LDAPClientDialer, tls *tls.Config, startTLS bool, dialerOpts []ldap.DialOpt, opts ...LDAPClientFactoryOption) (client ldap.Client, err error) { + config := &LDAPClientFactoryOptions{ + Address: address, + Username: username, + Password: password, + } + + for _, opt := range opts { + opt(config) + } + + if client, err = dialer.DialURL(config.Address, dialerOpts...); err != nil { + return nil, fmt.Errorf("error occurred dialing address: %w", err) + } + + if tls != nil && startTLS { + if err = client.StartTLS(tls); err != nil { + _ = client.Close() + + return nil, fmt.Errorf("error occurred performing starttls: %w", err) + } + } + + if config.Password == "" { + err = client.UnauthenticatedBind(config.Username) + } else { + err = client.Bind(config.Username, config.Password) + } + + if err != nil { + _ = client.Close() + + return nil, fmt.Errorf("error occurred performing bind: %w", err) + } + + return client, nil } diff --git a/internal/authentication/ldap_client_factory_config.go b/internal/authentication/ldap_client_factory_config.go new file mode 100644 index 000000000..c66222c79 --- /dev/null +++ b/internal/authentication/ldap_client_factory_config.go @@ -0,0 +1,27 @@ +package authentication + +type LDAPClientFactoryOptions struct { + Address string + Username string + Password string +} + +type LDAPClientFactoryOption func(*LDAPClientFactoryOptions) + +func WithAddress(address string) func(*LDAPClientFactoryOptions) { + return func(settings *LDAPClientFactoryOptions) { + settings.Address = address + } +} + +func WithUsername(username string) func(*LDAPClientFactoryOptions) { + return func(settings *LDAPClientFactoryOptions) { + settings.Username = username + } +} + +func WithPassword(password string) func(*LDAPClientFactoryOptions) { + return func(settings *LDAPClientFactoryOptions) { + settings.Password = password + } +} diff --git a/internal/authentication/ldap_client_factory_mock_test.go b/internal/authentication/ldap_client_factory_mock_test.go index f8ce5bb81..fe0a8c2e4 100644 --- a/internal/authentication/ldap_client_factory_mock_test.go +++ b/internal/authentication/ldap_client_factory_mock_test.go @@ -40,22 +40,63 @@ func (m *MockLDAPClientFactory) EXPECT() *MockLDAPClientFactoryMockRecorder { return m.recorder } -// DialURL mocks base method. -func (m *MockLDAPClientFactory) DialURL(addr string, opts ...ldap.DialOpt) (LDAPClient, error) { +// Close mocks base method. +func (m *MockLDAPClientFactory) Close() error { m.ctrl.T.Helper() - varargs := []any{addr} + ret := m.ctrl.Call(m, "Close") + ret0, _ := ret[0].(error) + return ret0 +} + +// Close indicates an expected call of Close. +func (mr *MockLDAPClientFactoryMockRecorder) Close() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockLDAPClientFactory)(nil).Close)) +} + +// GetClient mocks base method. +func (m *MockLDAPClientFactory) GetClient(opts ...LDAPClientFactoryOption) (ldap.Client, error) { + m.ctrl.T.Helper() + varargs := []any{} for _, a := range opts { varargs = append(varargs, a) } - ret := m.ctrl.Call(m, "DialURL", varargs...) - ret0, _ := ret[0].(LDAPClient) + ret := m.ctrl.Call(m, "GetClient", varargs...) + ret0, _ := ret[0].(ldap.Client) ret1, _ := ret[1].(error) return ret0, ret1 } -// DialURL indicates an expected call of DialURL. -func (mr *MockLDAPClientFactoryMockRecorder) DialURL(addr any, opts ...any) *gomock.Call { +// GetClient indicates an expected call of GetClient. +func (mr *MockLDAPClientFactoryMockRecorder) GetClient(opts ...any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClient", reflect.TypeOf((*MockLDAPClientFactory)(nil).GetClient), opts...) +} + +// Initialize mocks base method. +func (m *MockLDAPClientFactory) Initialize() error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Initialize") + ret0, _ := ret[0].(error) + return ret0 +} + +// Initialize indicates an expected call of Initialize. +func (mr *MockLDAPClientFactoryMockRecorder) Initialize() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Initialize", reflect.TypeOf((*MockLDAPClientFactory)(nil).Initialize)) +} + +// ReleaseClient mocks base method. +func (m *MockLDAPClientFactory) ReleaseClient(client ldap.Client) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ReleaseClient", client) + ret0, _ := ret[0].(error) + return ret0 +} + +// ReleaseClient indicates an expected call of ReleaseClient. +func (mr *MockLDAPClientFactoryMockRecorder) ReleaseClient(client any) *gomock.Call { mr.mock.ctrl.T.Helper() - varargs := append([]any{addr}, opts...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DialURL", reflect.TypeOf((*MockLDAPClientFactory)(nil).DialURL), varargs...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReleaseClient", reflect.TypeOf((*MockLDAPClientFactory)(nil).ReleaseClient), client) } diff --git a/internal/authentication/ldap_client_mock_test.go b/internal/authentication/ldap_client_mock_test.go index 3a492be2e..055beecbe 100644 --- a/internal/authentication/ldap_client_mock_test.go +++ b/internal/authentication/ldap_client_mock_test.go @@ -1,15 +1,16 @@ // Code generated by MockGen. DO NOT EDIT. -// Source: github.com/authelia/authelia/v4/internal/authentication (interfaces: LDAPClient) +// Source: github.com/go-ldap/ldap/v3 (interfaces: Client) // // Generated by this command: // -// mockgen -package authentication -destination ldap_client_mock_test.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient +// mockgen -package authentication -destination ldap_client_mock_test.go -mock_names Client=MockLDAPClient github.com/go-ldap/ldap/v3 Client // // Package authentication is a generated GoMock package. package authentication import ( + context "context" tls "crypto/tls" reflect "reflect" time "time" @@ -18,7 +19,7 @@ import ( gomock "go.uber.org/mock/gomock" ) -// MockLDAPClient is a mock of LDAPClient interface. +// MockLDAPClient is a mock of Client interface. type MockLDAPClient struct { ctrl *gomock.Controller recorder *MockLDAPClientMockRecorder @@ -43,17 +44,17 @@ func (m *MockLDAPClient) EXPECT() *MockLDAPClientMockRecorder { } // Add mocks base method. -func (m *MockLDAPClient) Add(request *ldap.AddRequest) error { +func (m *MockLDAPClient) Add(arg0 *ldap.AddRequest) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Add", request) + ret := m.ctrl.Call(m, "Add", arg0) ret0, _ := ret[0].(error) return ret0 } // Add indicates an expected call of Add. -func (mr *MockLDAPClientMockRecorder) Add(request any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) Add(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Add", reflect.TypeOf((*MockLDAPClient)(nil).Add), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Add", reflect.TypeOf((*MockLDAPClient)(nil).Add), arg0) } // Bind mocks base method. @@ -100,160 +101,146 @@ func (mr *MockLDAPClientMockRecorder) Compare(dn, attribute, value any) *gomock. } // Del mocks base method. -func (m *MockLDAPClient) Del(request *ldap.DelRequest) error { +func (m *MockLDAPClient) Del(arg0 *ldap.DelRequest) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Del", request) + ret := m.ctrl.Call(m, "Del", arg0) ret0, _ := ret[0].(error) return ret0 } // Del indicates an expected call of Del. -func (mr *MockLDAPClientMockRecorder) Del(request any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) Del(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Del", reflect.TypeOf((*MockLDAPClient)(nil).Del), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Del", reflect.TypeOf((*MockLDAPClient)(nil).Del), arg0) } -// DigestMD5Bind mocks base method. -func (m *MockLDAPClient) DigestMD5Bind(request *ldap.DigestMD5BindRequest) (*ldap.DigestMD5BindResult, error) { +// DirSync mocks base method. +func (m *MockLDAPClient) DirSync(searchRequest *ldap.SearchRequest, flags, maxAttrCount int64, cookie []byte) (*ldap.SearchResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DigestMD5Bind", request) - ret0, _ := ret[0].(*ldap.DigestMD5BindResult) + ret := m.ctrl.Call(m, "DirSync", searchRequest, flags, maxAttrCount, cookie) + ret0, _ := ret[0].(*ldap.SearchResult) ret1, _ := ret[1].(error) return ret0, ret1 } -// DigestMD5Bind indicates an expected call of DigestMD5Bind. -func (mr *MockLDAPClientMockRecorder) DigestMD5Bind(request any) *gomock.Call { +// DirSync indicates an expected call of DirSync. +func (mr *MockLDAPClientMockRecorder) DirSync(searchRequest, flags, maxAttrCount, cookie any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DigestMD5Bind", reflect.TypeOf((*MockLDAPClient)(nil).DigestMD5Bind), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DirSync", reflect.TypeOf((*MockLDAPClient)(nil).DirSync), searchRequest, flags, maxAttrCount, cookie) } -// ExternalBind mocks base method. -func (m *MockLDAPClient) ExternalBind() error { +// DirSyncAsync mocks base method. +func (m *MockLDAPClient) DirSyncAsync(ctx context.Context, searchRequest *ldap.SearchRequest, bufferSize int, flags, maxAttrCount int64, cookie []byte) ldap.Response { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ExternalBind") - ret0, _ := ret[0].(error) + ret := m.ctrl.Call(m, "DirSyncAsync", ctx, searchRequest, bufferSize, flags, maxAttrCount, cookie) + ret0, _ := ret[0].(ldap.Response) return ret0 } -// ExternalBind indicates an expected call of ExternalBind. -func (mr *MockLDAPClientMockRecorder) ExternalBind() *gomock.Call { +// DirSyncAsync indicates an expected call of DirSyncAsync. +func (mr *MockLDAPClientMockRecorder) DirSyncAsync(ctx, searchRequest, bufferSize, flags, maxAttrCount, cookie any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExternalBind", reflect.TypeOf((*MockLDAPClient)(nil).ExternalBind)) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DirSyncAsync", reflect.TypeOf((*MockLDAPClient)(nil).DirSyncAsync), ctx, searchRequest, bufferSize, flags, maxAttrCount, cookie) } -// IsClosing mocks base method. -func (m *MockLDAPClient) IsClosing() bool { +// Extended mocks base method. +func (m *MockLDAPClient) Extended(arg0 *ldap.ExtendedRequest) (*ldap.ExtendedResponse, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "IsClosing") - ret0, _ := ret[0].(bool) - return ret0 + ret := m.ctrl.Call(m, "Extended", arg0) + ret0, _ := ret[0].(*ldap.ExtendedResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 } -// IsClosing indicates an expected call of IsClosing. -func (mr *MockLDAPClientMockRecorder) IsClosing() *gomock.Call { +// Extended indicates an expected call of Extended. +func (mr *MockLDAPClientMockRecorder) Extended(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsClosing", reflect.TypeOf((*MockLDAPClient)(nil).IsClosing)) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Extended", reflect.TypeOf((*MockLDAPClient)(nil).Extended), arg0) } -// MD5Bind mocks base method. -func (m *MockLDAPClient) MD5Bind(host, username, password string) error { +// ExternalBind mocks base method. +func (m *MockLDAPClient) ExternalBind() error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "MD5Bind", host, username, password) + ret := m.ctrl.Call(m, "ExternalBind") ret0, _ := ret[0].(error) return ret0 } -// MD5Bind indicates an expected call of MD5Bind. -func (mr *MockLDAPClientMockRecorder) MD5Bind(host, username, password any) *gomock.Call { +// ExternalBind indicates an expected call of ExternalBind. +func (mr *MockLDAPClientMockRecorder) ExternalBind() *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MD5Bind", reflect.TypeOf((*MockLDAPClient)(nil).MD5Bind), host, username, password) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExternalBind", reflect.TypeOf((*MockLDAPClient)(nil).ExternalBind)) } -// Modify mocks base method. -func (m *MockLDAPClient) Modify(request *ldap.ModifyRequest) error { +// GetLastError mocks base method. +func (m *MockLDAPClient) GetLastError() error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Modify", request) + ret := m.ctrl.Call(m, "GetLastError") ret0, _ := ret[0].(error) return ret0 } -// Modify indicates an expected call of Modify. -func (mr *MockLDAPClientMockRecorder) Modify(request any) *gomock.Call { +// GetLastError indicates an expected call of GetLastError. +func (mr *MockLDAPClientMockRecorder) GetLastError() *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Modify", reflect.TypeOf((*MockLDAPClient)(nil).Modify), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLastError", reflect.TypeOf((*MockLDAPClient)(nil).GetLastError)) } -// ModifyDN mocks base method. -func (m_2 *MockLDAPClient) ModifyDN(m *ldap.ModifyDNRequest) error { - m_2.ctrl.T.Helper() - ret := m_2.ctrl.Call(m_2, "ModifyDN", m) - ret0, _ := ret[0].(error) - return ret0 -} - -// ModifyDN indicates an expected call of ModifyDN. -func (mr *MockLDAPClientMockRecorder) ModifyDN(m any) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyDN", reflect.TypeOf((*MockLDAPClient)(nil).ModifyDN), m) -} - -// ModifyWithResult mocks base method. -func (m *MockLDAPClient) ModifyWithResult(request *ldap.ModifyRequest) (*ldap.ModifyResult, error) { +// IsClosing mocks base method. +func (m *MockLDAPClient) IsClosing() bool { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ModifyWithResult", request) - ret0, _ := ret[0].(*ldap.ModifyResult) - ret1, _ := ret[1].(error) - return ret0, ret1 + ret := m.ctrl.Call(m, "IsClosing") + ret0, _ := ret[0].(bool) + return ret0 } -// ModifyWithResult indicates an expected call of ModifyWithResult. -func (mr *MockLDAPClientMockRecorder) ModifyWithResult(request any) *gomock.Call { +// IsClosing indicates an expected call of IsClosing. +func (mr *MockLDAPClientMockRecorder) IsClosing() *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyWithResult", reflect.TypeOf((*MockLDAPClient)(nil).ModifyWithResult), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsClosing", reflect.TypeOf((*MockLDAPClient)(nil).IsClosing)) } -// NTLMBind mocks base method. -func (m *MockLDAPClient) NTLMBind(domain, username, password string) error { +// Modify mocks base method. +func (m *MockLDAPClient) Modify(arg0 *ldap.ModifyRequest) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NTLMBind", domain, username, password) + ret := m.ctrl.Call(m, "Modify", arg0) ret0, _ := ret[0].(error) return ret0 } -// NTLMBind indicates an expected call of NTLMBind. -func (mr *MockLDAPClientMockRecorder) NTLMBind(domain, username, password any) *gomock.Call { +// Modify indicates an expected call of Modify. +func (mr *MockLDAPClientMockRecorder) Modify(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NTLMBind", reflect.TypeOf((*MockLDAPClient)(nil).NTLMBind), domain, username, password) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Modify", reflect.TypeOf((*MockLDAPClient)(nil).Modify), arg0) } -// NTLMBindWithHash mocks base method. -func (m *MockLDAPClient) NTLMBindWithHash(domain, username, hash string) error { +// ModifyDN mocks base method. +func (m *MockLDAPClient) ModifyDN(arg0 *ldap.ModifyDNRequest) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NTLMBindWithHash", domain, username, hash) + ret := m.ctrl.Call(m, "ModifyDN", arg0) ret0, _ := ret[0].(error) return ret0 } -// NTLMBindWithHash indicates an expected call of NTLMBindWithHash. -func (mr *MockLDAPClientMockRecorder) NTLMBindWithHash(domain, username, hash any) *gomock.Call { +// ModifyDN indicates an expected call of ModifyDN. +func (mr *MockLDAPClientMockRecorder) ModifyDN(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NTLMBindWithHash", reflect.TypeOf((*MockLDAPClient)(nil).NTLMBindWithHash), domain, username, hash) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyDN", reflect.TypeOf((*MockLDAPClient)(nil).ModifyDN), arg0) } -// NTLMChallengeBind mocks base method. -func (m *MockLDAPClient) NTLMChallengeBind(request *ldap.NTLMBindRequest) (*ldap.NTLMBindResult, error) { +// ModifyWithResult mocks base method. +func (m *MockLDAPClient) ModifyWithResult(arg0 *ldap.ModifyRequest) (*ldap.ModifyResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "NTLMChallengeBind", request) - ret0, _ := ret[0].(*ldap.NTLMBindResult) + ret := m.ctrl.Call(m, "ModifyWithResult", arg0) + ret0, _ := ret[0].(*ldap.ModifyResult) ret1, _ := ret[1].(error) return ret0, ret1 } -// NTLMChallengeBind indicates an expected call of NTLMChallengeBind. -func (mr *MockLDAPClientMockRecorder) NTLMChallengeBind(request any) *gomock.Call { +// ModifyWithResult indicates an expected call of ModifyWithResult. +func (mr *MockLDAPClientMockRecorder) ModifyWithResult(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NTLMChallengeBind", reflect.TypeOf((*MockLDAPClient)(nil).NTLMChallengeBind), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyWithResult", reflect.TypeOf((*MockLDAPClient)(nil).ModifyWithResult), arg0) } // NTLMUnauthenticatedBind mocks base method. @@ -271,89 +258,129 @@ func (mr *MockLDAPClientMockRecorder) NTLMUnauthenticatedBind(domain, username a } // PasswordModify mocks base method. -func (m *MockLDAPClient) PasswordModify(request *ldap.PasswordModifyRequest) (*ldap.PasswordModifyResult, error) { +func (m *MockLDAPClient) PasswordModify(arg0 *ldap.PasswordModifyRequest) (*ldap.PasswordModifyResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "PasswordModify", request) + ret := m.ctrl.Call(m, "PasswordModify", arg0) ret0, _ := ret[0].(*ldap.PasswordModifyResult) ret1, _ := ret[1].(error) return ret0, ret1 } // PasswordModify indicates an expected call of PasswordModify. -func (mr *MockLDAPClientMockRecorder) PasswordModify(request any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) PasswordModify(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PasswordModify", reflect.TypeOf((*MockLDAPClient)(nil).PasswordModify), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PasswordModify", reflect.TypeOf((*MockLDAPClient)(nil).PasswordModify), arg0) } // Search mocks base method. -func (m *MockLDAPClient) Search(request *ldap.SearchRequest) (*ldap.SearchResult, error) { +func (m *MockLDAPClient) Search(arg0 *ldap.SearchRequest) (*ldap.SearchResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Search", request) + ret := m.ctrl.Call(m, "Search", arg0) ret0, _ := ret[0].(*ldap.SearchResult) ret1, _ := ret[1].(error) return ret0, ret1 } // Search indicates an expected call of Search. -func (mr *MockLDAPClientMockRecorder) Search(request any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) Search(arg0 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Search", reflect.TypeOf((*MockLDAPClient)(nil).Search), arg0) +} + +// SearchAsync mocks base method. +func (m *MockLDAPClient) SearchAsync(ctx context.Context, searchRequest *ldap.SearchRequest, bufferSize int) ldap.Response { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "SearchAsync", ctx, searchRequest, bufferSize) + ret0, _ := ret[0].(ldap.Response) + return ret0 +} + +// SearchAsync indicates an expected call of SearchAsync. +func (mr *MockLDAPClientMockRecorder) SearchAsync(ctx, searchRequest, bufferSize any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Search", reflect.TypeOf((*MockLDAPClient)(nil).Search), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchAsync", reflect.TypeOf((*MockLDAPClient)(nil).SearchAsync), ctx, searchRequest, bufferSize) } // SearchWithPaging mocks base method. -func (m *MockLDAPClient) SearchWithPaging(request *ldap.SearchRequest, pagingSize uint32) (*ldap.SearchResult, error) { +func (m *MockLDAPClient) SearchWithPaging(searchRequest *ldap.SearchRequest, pagingSize uint32) (*ldap.SearchResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "SearchWithPaging", request, pagingSize) + ret := m.ctrl.Call(m, "SearchWithPaging", searchRequest, pagingSize) ret0, _ := ret[0].(*ldap.SearchResult) ret1, _ := ret[1].(error) return ret0, ret1 } // SearchWithPaging indicates an expected call of SearchWithPaging. -func (mr *MockLDAPClientMockRecorder) SearchWithPaging(request, pagingSize any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) SearchWithPaging(searchRequest, pagingSize any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchWithPaging", reflect.TypeOf((*MockLDAPClient)(nil).SearchWithPaging), request, pagingSize) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchWithPaging", reflect.TypeOf((*MockLDAPClient)(nil).SearchWithPaging), searchRequest, pagingSize) } // SetTimeout mocks base method. -func (m *MockLDAPClient) SetTimeout(timeout time.Duration) { +func (m *MockLDAPClient) SetTimeout(arg0 time.Duration) { m.ctrl.T.Helper() - m.ctrl.Call(m, "SetTimeout", timeout) + m.ctrl.Call(m, "SetTimeout", arg0) } // SetTimeout indicates an expected call of SetTimeout. -func (mr *MockLDAPClientMockRecorder) SetTimeout(timeout any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) SetTimeout(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTimeout", reflect.TypeOf((*MockLDAPClient)(nil).SetTimeout), timeout) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTimeout", reflect.TypeOf((*MockLDAPClient)(nil).SetTimeout), arg0) } // SimpleBind mocks base method. -func (m *MockLDAPClient) SimpleBind(request *ldap.SimpleBindRequest) (*ldap.SimpleBindResult, error) { +func (m *MockLDAPClient) SimpleBind(arg0 *ldap.SimpleBindRequest) (*ldap.SimpleBindResult, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "SimpleBind", request) + ret := m.ctrl.Call(m, "SimpleBind", arg0) ret0, _ := ret[0].(*ldap.SimpleBindResult) ret1, _ := ret[1].(error) return ret0, ret1 } // SimpleBind indicates an expected call of SimpleBind. -func (mr *MockLDAPClientMockRecorder) SimpleBind(request any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) SimpleBind(arg0 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SimpleBind", reflect.TypeOf((*MockLDAPClient)(nil).SimpleBind), request) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SimpleBind", reflect.TypeOf((*MockLDAPClient)(nil).SimpleBind), arg0) +} + +// Start mocks base method. +func (m *MockLDAPClient) Start() { + m.ctrl.T.Helper() + m.ctrl.Call(m, "Start") +} + +// Start indicates an expected call of Start. +func (mr *MockLDAPClientMockRecorder) Start() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Start", reflect.TypeOf((*MockLDAPClient)(nil).Start)) } // StartTLS mocks base method. -func (m *MockLDAPClient) StartTLS(config *tls.Config) error { +func (m *MockLDAPClient) StartTLS(arg0 *tls.Config) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "StartTLS", config) + ret := m.ctrl.Call(m, "StartTLS", arg0) ret0, _ := ret[0].(error) return ret0 } // StartTLS indicates an expected call of StartTLS. -func (mr *MockLDAPClientMockRecorder) StartTLS(config any) *gomock.Call { +func (mr *MockLDAPClientMockRecorder) StartTLS(arg0 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartTLS", reflect.TypeOf((*MockLDAPClient)(nil).StartTLS), arg0) +} + +// Syncrepl mocks base method. +func (m *MockLDAPClient) Syncrepl(ctx context.Context, searchRequest *ldap.SearchRequest, bufferSize int, mode ldap.ControlSyncRequestMode, cookie []byte, reloadHint bool) ldap.Response { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Syncrepl", ctx, searchRequest, bufferSize, mode, cookie, reloadHint) + ret0, _ := ret[0].(ldap.Response) + return ret0 +} + +// Syncrepl indicates an expected call of Syncrepl. +func (mr *MockLDAPClientMockRecorder) Syncrepl(ctx, searchRequest, bufferSize, mode, cookie, reloadHint any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartTLS", reflect.TypeOf((*MockLDAPClient)(nil).StartTLS), config) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Syncrepl", reflect.TypeOf((*MockLDAPClient)(nil).Syncrepl), ctx, searchRequest, bufferSize, mode, cookie, reloadHint) } // TLSConnectionState mocks base method. @@ -398,18 +425,3 @@ func (mr *MockLDAPClientMockRecorder) Unbind() *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unbind", reflect.TypeOf((*MockLDAPClient)(nil).Unbind)) } - -// WhoAmI mocks base method. -func (m *MockLDAPClient) WhoAmI(controls []ldap.Control) (*ldap.WhoAmIResult, error) { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "WhoAmI", controls) - ret0, _ := ret[0].(*ldap.WhoAmIResult) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// WhoAmI indicates an expected call of WhoAmI. -func (mr *MockLDAPClientMockRecorder) WhoAmI(controls any) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WhoAmI", reflect.TypeOf((*MockLDAPClient)(nil).WhoAmI), controls) -} diff --git a/internal/authentication/ldap_user_provider.go b/internal/authentication/ldap_user_provider.go index 66687e1a1..905bf07e8 100644 --- a/internal/authentication/ldap_user_provider.go +++ b/internal/authentication/ldap_user_provider.go @@ -1,10 +1,8 @@ package authentication import ( - "crypto/tls" "crypto/x509" "fmt" - "net" "net/url" "strconv" "strings" @@ -21,11 +19,9 @@ import ( // LDAPUserProvider is a UserProvider that connects to LDAP servers like ActiveDirectory, OpenLDAP, OpenDJ, FreeIPA, etc. type LDAPUserProvider struct { - config schema.AuthenticationBackendLDAP - tlsConfig *tls.Config - dialOpts []ldap.DialOpt - log *logrus.Logger - factory LDAPClientFactory + config *schema.AuthenticationBackendLDAP + log *logrus.Logger + factory LDAPClientFactory clock clock.Provider @@ -53,37 +49,27 @@ type LDAPUserProvider struct { groupsFilterReplacementsMemberOfRDN bool } -// NewLDAPUserProvider creates a new instance of LDAPUserProvider with the ProductionLDAPClientFactory. -func NewLDAPUserProvider(config schema.AuthenticationBackend, certPool *x509.CertPool) (provider *LDAPUserProvider) { - provider = NewLDAPUserProviderWithFactory(*config.LDAP, config.PasswordReset.Disable, certPool, NewProductionLDAPClientFactory()) - - return provider -} - -// NewLDAPUserProviderWithFactory creates a new instance of LDAPUserProvider with the specified LDAPClientFactory. -func NewLDAPUserProviderWithFactory(config schema.AuthenticationBackendLDAP, disableResetPassword bool, certPool *x509.CertPool, factory LDAPClientFactory) (provider *LDAPUserProvider) { - if config.TLS == nil { - config.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS +// NewLDAPUserProvider creates a new instance of LDAPUserProvider with the StandardLDAPClientFactory. +func NewLDAPUserProvider(config schema.AuthenticationBackend, certs *x509.CertPool) (provider *LDAPUserProvider) { + if config.LDAP.TLS == nil { + config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS } - tlsConfig := utils.NewTLSConfig(config.TLS, certPool) + var factory LDAPClientFactory - var dialOpts = []ldap.DialOpt{ - ldap.DialWithDialer(&net.Dialer{Timeout: config.Timeout}), - } - - if tlsConfig != nil { - dialOpts = append(dialOpts, ldap.DialWithTLSConfig(tlsConfig)) + if config.LDAP.Pooling.Enable { + factory = NewPooledLDAPClientFactory(config.LDAP, certs, nil) + } else { + factory = NewStandardLDAPClientFactory(config.LDAP, certs, nil) } - if factory == nil { - factory = NewProductionLDAPClientFactory() - } + return NewLDAPUserProviderWithFactory(config.LDAP, config.PasswordReset.Disable, factory) +} +// NewLDAPUserProviderWithFactory creates a new instance of LDAPUserProvider with the specified LDAPClientFactory. +func NewLDAPUserProviderWithFactory(config *schema.AuthenticationBackendLDAP, disableResetPassword bool, factory LDAPClientFactory) (provider *LDAPUserProvider) { provider = &LDAPUserProvider{ config: config, - tlsConfig: tlsConfig, - dialOpts: dialOpts, log: logging.Logger(), factory: factory, disableResetPassword: disableResetPassword, @@ -99,25 +85,33 @@ func NewLDAPUserProviderWithFactory(config schema.AuthenticationBackendLDAP, dis // CheckUserPassword checks if provided password matches for the given user. func (p *LDAPUserProvider) CheckUserPassword(username string, password string) (valid bool, err error) { var ( - client, clientUser LDAPClient - profile *ldapUserProfile + client, uclient ldap.Client + profile *ldapUserProfile ) - if client, err = p.connect(); err != nil { + if client, err = p.factory.GetClient(); err != nil { return false, err } - defer client.Close() + defer func() { + if err := p.factory.ReleaseClient(client); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if profile, err = p.getUserProfile(client, username); err != nil { return false, err } - if clientUser, err = p.connectCustom(p.config.Address.String(), profile.DN, password, p.config.StartTLS, p.dialOpts...); err != nil { + if uclient, err = p.factory.GetClient(WithUsername(profile.DN), WithPassword(password)); err != nil { return false, fmt.Errorf("authentication failed. Cause: %w", err) } - defer clientUser.Close() + defer func() { + if err := p.factory.ReleaseClient(uclient); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() return true, nil } @@ -125,15 +119,19 @@ func (p *LDAPUserProvider) CheckUserPassword(username string, password string) ( // GetDetails retrieve the groups a user belongs to. func (p *LDAPUserProvider) GetDetails(username string) (details *UserDetails, err error) { var ( - client LDAPClient + client ldap.Client profile *ldapUserProfile ) - if client, err = p.connect(); err != nil { + if client, err = p.factory.GetClient(); err != nil { return nil, err } - defer client.Close() + defer func() { + if err := p.factory.ReleaseClient(client); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if profile, err = p.getUserProfile(client, username); err != nil { return nil, err @@ -158,11 +156,11 @@ func (p *LDAPUserProvider) GetDetails(username string) (details *UserDetails, er // GetDetailsExtended retrieves the UserDetailsExtended values. func (p *LDAPUserProvider) GetDetailsExtended(username string) (details *UserDetailsExtended, err error) { var ( - client LDAPClient + client ldap.Client profile *ldapUserProfileExtended ) - if client, err = p.connect(); err != nil { + if client, err = p.factory.GetClient(); err != nil { return nil, err } @@ -243,15 +241,19 @@ func (p *LDAPUserProvider) GetDetailsExtended(username string) (details *UserDet // UpdatePassword update the password of the given user. func (p *LDAPUserProvider) UpdatePassword(username, password string) (err error) { var ( - client LDAPClient + client ldap.Client profile *ldapUserProfile ) - if client, err = p.connect(); err != nil { + if client, err = p.factory.GetClient(); err != nil { return fmt.Errorf("unable to update password. Cause: %w", err) } - defer client.Close() + defer func() { + if err := p.factory.ReleaseClient(client); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if profile, err = p.getUserProfile(client, username); err != nil { return fmt.Errorf("unable to update password. Cause: %w", err) @@ -297,39 +299,7 @@ func (p *LDAPUserProvider) UpdatePassword(username, password string) (err error) return nil } -func (p *LDAPUserProvider) connect() (client LDAPClient, err error) { - return p.connectCustom(p.config.Address.String(), p.config.User, p.config.Password, p.config.StartTLS, p.dialOpts...) -} - -func (p *LDAPUserProvider) connectCustom(url, username, password string, startTLS bool, opts ...ldap.DialOpt) (client LDAPClient, err error) { - if client, err = p.factory.DialURL(url, opts...); err != nil { - return nil, fmt.Errorf("dial failed with error: %w", err) - } - - if startTLS { - if err = client.StartTLS(p.tlsConfig); err != nil { - client.Close() - - return nil, fmt.Errorf("starttls failed with error: %w", err) - } - } - - if password == "" { - err = client.UnauthenticatedBind(username) - } else { - err = client.Bind(username, password) - } - - if err != nil { - client.Close() - - return nil, fmt.Errorf("bind failed with error: %w", err) - } - - return client, nil -} - -func (p *LDAPUserProvider) search(client LDAPClient, request *ldap.SearchRequest) (result *ldap.SearchResult, err error) { +func (p *LDAPUserProvider) search(client ldap.Client, request *ldap.SearchRequest) (result *ldap.SearchResult, err error) { if result, err = client.Search(request); err != nil { if referral, ok := p.getReferral(err); ok { if result == nil { @@ -357,15 +327,19 @@ func (p *LDAPUserProvider) search(client LDAPClient, request *ldap.SearchRequest func (p *LDAPUserProvider) searchReferral(referral string, request *ldap.SearchRequest, searchResult *ldap.SearchResult) (err error) { var ( - client LDAPClient + client ldap.Client result *ldap.SearchResult ) - if client, err = p.connectCustom(referral, p.config.User, p.config.Password, p.config.StartTLS, p.dialOpts...); err != nil { + if client, err = p.factory.GetClient(WithAddress(referral)); err != nil { return fmt.Errorf("error occurred connecting to referred LDAP server '%s': %w", referral, err) } - defer client.Close() + defer func() { + if err := p.factory.ReleaseClient(client); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if result, err = client.Search(request); err != nil { return fmt.Errorf("error occurred performing search on referred LDAP server '%s': %w", referral, err) @@ -390,7 +364,7 @@ func (p *LDAPUserProvider) searchReferrals(request *ldap.SearchRequest, result * return nil } -func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (profile *ldapUserProfile, err error) { +func (p *LDAPUserProvider) getUserProfile(client ldap.Client, username string) (profile *ldapUserProfile, err error) { // Search for the given username. request := ldap.NewSearchRequest( p.usersBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, @@ -463,7 +437,7 @@ func (p *LDAPUserProvider) getUserProfileResultToProfile(username string, entry return &userProfile, nil } -func (p *LDAPUserProvider) getUserProfileExtended(client LDAPClient, username string) (profile *ldapUserProfileExtended, err error) { +func (p *LDAPUserProvider) getUserProfileExtended(client ldap.Client, username string) (profile *ldapUserProfileExtended, err error) { // Search for the given username. request := ldap.NewSearchRequest( p.usersBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, @@ -552,7 +526,7 @@ func (p *LDAPUserProvider) getUserProfileResultToProfileExtended(username string return &userProfile, nil } -func (p *LDAPUserProvider) getUserGroups(client LDAPClient, username string, profile *ldapUserProfile) (groups []string, err error) { +func (p *LDAPUserProvider) getUserGroups(client ldap.Client, username string, profile *ldapUserProfile) (groups []string, err error) { request := ldap.NewSearchRequest( p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil, @@ -577,7 +551,7 @@ func (p *LDAPUserProvider) getUserGroups(client LDAPClient, username string, pro } } -func (p *LDAPUserProvider) getUserGroupsRequestFilter(client LDAPClient, username string, _ *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) { +func (p *LDAPUserProvider) getUserGroupsRequestFilter(client ldap.Client, username string, _ *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) { var result *ldap.SearchResult if result, err = p.search(client, request); err != nil { @@ -593,7 +567,7 @@ func (p *LDAPUserProvider) getUserGroupsRequestFilter(client LDAPClient, usernam return groups, nil } -func (p *LDAPUserProvider) getUserGroupsRequestMemberOf(client LDAPClient, username string, profile *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) { +func (p *LDAPUserProvider) getUserGroupsRequestMemberOf(client ldap.Client, username string, profile *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) { var result *ldap.SearchResult if result, err = p.search(client, request); err != nil { @@ -733,7 +707,7 @@ func (p *LDAPUserProvider) resolveGroupsFilter(input string, profile *ldapUserPr return filter } -func (p *LDAPUserProvider) modify(client LDAPClient, modifyRequest *ldap.ModifyRequest) (err error) { +func (p *LDAPUserProvider) modify(client ldap.Client, modifyRequest *ldap.ModifyRequest) (err error) { if err = client.Modify(modifyRequest); err != nil { var ( referral string @@ -747,15 +721,19 @@ func (p *LDAPUserProvider) modify(client LDAPClient, modifyRequest *ldap.ModifyR p.log.Debugf("Attempting Modify on referred URL %s", referral) var ( - clientRef LDAPClient + clientRef ldap.Client errRef error ) - if clientRef, errRef = p.connectCustom(referral, p.config.User, p.config.Password, p.config.StartTLS, p.dialOpts...); errRef != nil { + if clientRef, errRef = p.factory.GetClient(WithAddress(referral)); errRef != nil { return fmt.Errorf("error occurred connecting to referred LDAP server '%s': %+v. Original Error: %w", referral, errRef, err) } - defer clientRef.Close() + defer func() { + if err := p.factory.ReleaseClient(clientRef); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if errRef = clientRef.Modify(modifyRequest); errRef != nil { return fmt.Errorf("error occurred performing modify on referred LDAP server '%s': %+v. Original Error: %w", referral, errRef, err) @@ -767,7 +745,7 @@ func (p *LDAPUserProvider) modify(client LDAPClient, modifyRequest *ldap.ModifyR return nil } -func (p *LDAPUserProvider) pwdModify(client LDAPClient, pwdModifyRequest *ldap.PasswordModifyRequest) (err error) { +func (p *LDAPUserProvider) pwdModify(client ldap.Client, pwdModifyRequest *ldap.PasswordModifyRequest) (err error) { if _, err = client.PasswordModify(pwdModifyRequest); err != nil { var ( referral string @@ -781,15 +759,19 @@ func (p *LDAPUserProvider) pwdModify(client LDAPClient, pwdModifyRequest *ldap.P p.log.Debugf("Attempting PwdModify ExOp (1.3.6.1.4.1.4203.1.11.1) on referred URL %s", referral) var ( - clientRef LDAPClient + clientRef ldap.Client errRef error ) - if clientRef, errRef = p.connectCustom(referral, p.config.User, p.config.Password, p.config.StartTLS, p.dialOpts...); errRef != nil { + if clientRef, errRef = p.factory.GetClient(WithAddress(referral)); errRef != nil { return fmt.Errorf("error occurred connecting to referred LDAP server '%s': %+v. Original Error: %w", referral, errRef, err) } - defer clientRef.Close() + defer func() { + if err := p.factory.ReleaseClient(clientRef); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if _, errRef = clientRef.PasswordModify(pwdModifyRequest); errRef != nil { return fmt.Errorf("error occurred performing password modify on referred LDAP server '%s': %+v. Original Error: %w", referral, errRef, err) diff --git a/internal/authentication/ldap_user_provider_startup.go b/internal/authentication/ldap_user_provider_lifecycle.go index 20d7e7653..73dceaa6a 100644 --- a/internal/authentication/ldap_user_provider_startup.go +++ b/internal/authentication/ldap_user_provider_lifecycle.go @@ -10,15 +10,27 @@ import ( "github.com/authelia/authelia/v4/internal/utils" ) +func (p *LDAPUserProvider) Shutdown() (err error) { + return p.factory.Close() +} + // StartupCheck implements the startup check provider interface. func (p *LDAPUserProvider) StartupCheck() (err error) { - var client LDAPClient + if err = p.factory.Initialize(); err != nil { + return err + } + + var client ldap.Client - if client, err = p.connect(); err != nil { + if client, err = p.factory.GetClient(); err != nil { return err } - defer client.Close() + defer func() { + if err := p.factory.ReleaseClient(client); err != nil { + p.log.WithError(err).Warn("Error occurred releasing the LDAP client") + } + }() if p.features, err = p.getServerSupportedFeatures(client); err != nil { return err @@ -40,7 +52,7 @@ func (p *LDAPUserProvider) StartupCheck() (err error) { return nil } -func (p *LDAPUserProvider) getServerSupportedFeatures(client LDAPClient) (features LDAPSupportedFeatures, err error) { +func (p *LDAPUserProvider) getServerSupportedFeatures(client ldap.Client) (features LDAPSupportedFeatures, err error) { var ( request *ldap.SearchRequest result *ldap.SearchResult diff --git a/internal/authentication/ldap_user_provider_test.go b/internal/authentication/ldap_user_provider_test.go index 04a37e5f2..3975faa39 100644 --- a/internal/authentication/ldap_user_provider_test.go +++ b/internal/authentication/ldap_user_provider_test.go @@ -25,42 +25,35 @@ func TestNewLDAPUserProvider(t *testing.T) { assert.NotNil(t, provider) } -func TestNewLDAPUserProviderWithFactoryWithoutFactory(t *testing.T) { - provider := NewLDAPUserProviderWithFactory(schema.AuthenticationBackendLDAP{}, false, nil, nil) - - assert.NotNil(t, provider) - - assert.IsType(t, &ProductionLDAPClientFactory{}, provider.factory) -} - func TestShouldCreateRawConnectionWhenSchemeIsLDAP(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) mockClient := NewMockLDAPClient(ctrl) provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - }, + config, false, - nil, - mockFactory) + factory) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURL := mockDialer.EXPECT().DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).Return(mockClient, nil) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - gomock.InOrder(dialURL, connBind) + gomock.InOrder(dialURL, clientBind) - _, err := provider.connect() + _, err := provider.factory.GetClient() require.NoError(t, err) } @@ -69,30 +62,29 @@ func TestShouldCreateTLSConnectionWhenSchemeIsLDAPS(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPSAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPSAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - }, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(config, false, factory) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURL := mockDialer.EXPECT().DialURL("ldaps://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - gomock.InOrder(dialURL, connBind) + gomock.InOrder(dialURL, clientBind) - _, err := provider.connect() + _, err := provider.factory.GetClient() require.NoError(t, err) } @@ -120,16 +112,16 @@ func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPSAddress, + GroupsFilter: "(|(member={dn})(uid={username})(uid={input}))", + } - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPSAddress, - GroupsFilter: "(|(member={dn})(uid={username})(uid={input}))", - }, - false, - nil, - mockFactory) + mockDialer := NewMockLDAPClientDialer(ctrl) + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + + provider := NewLDAPUserProviderWithFactory(config, false, factory) profile := ldapUserProfile{ DN: "cn=john (external),dc=example,dc=com", @@ -149,7 +141,15 @@ func TestResolveGroupsFilter(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPSAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) testCases := []struct { name string @@ -207,11 +207,7 @@ func TestResolveGroupsFilter(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - provider := NewLDAPUserProviderWithFactory( - tc.have, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(&tc.have, false, factory) assert.Equal(t, tc.expected, provider.resolveGroupsFilter("", tc.profile)) }) @@ -305,13 +301,12 @@ func TestShouldCheckLDAPEpochFilters(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ + &schema.AuthenticationBackendLDAP{ UsersFilter: tc.have.users, Attributes: tc.have.attr, BaseDN: "dc=example,dc=com", }, false, - nil, mockFactory) assert.Equal(t, tc.expected.dtgeneralized, provider.usersFilterReplacementDateTimeGeneralized) @@ -325,33 +320,102 @@ func TestShouldCheckLDAPServerExtensions(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClient.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "", + Attributes: []*ldap.EntryAttribute{ + { + Name: ldapSupportedExtensionAttribute, + Values: []string{ldapOIDExtensionPwdModifyExOp, ldapOIDExtensionTLS}, + }, + { + Name: ldapSupportedControlAttribute, + Values: []string{}, + }, + }, + }, }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", + }, nil) + + clientClose := mockClient.EXPECT().Close() + + gomock.InOrder(dialURL, clientBind, searchOIDs, clientClose) + + err := provider.StartupCheck() + assert.NoError(t, err) + + assert.True(t, provider.features.Extensions.PwdModifyExOp) + assert.True(t, provider.features.Extensions.TLS) + + assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) + assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) +} + +func TestShouldCheckLDAPServerExtensionsPooled(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{ + Count: 1, + }, + } - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + mockDialer := NewMockLDAPClientDialer(ctrl) - connBind := mockClient.EXPECT(). + factory := NewPooledLDAPClientFactory(config, nil, mockDialer) + + mockClient := NewMockLDAPClient(ctrl) + + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -375,9 +439,14 @@ func TestShouldCheckLDAPServerExtensions(t *testing.T) { }, }, nil) - connClose := mockClient.EXPECT().Close() - - gomock.InOrder(dialURL, connBind, searchOIDs, connClose) + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(false), + searchOIDs, + mockClient.EXPECT().IsClosing().Return(false), + mockClient.EXPECT().Close().Return(fmt.Errorf("close error")), + ) err := provider.StartupCheck() assert.NoError(t, err) @@ -387,39 +456,105 @@ func TestShouldCheckLDAPServerExtensions(t *testing.T) { assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) + + assert.EqualError(t, provider.Shutdown(), "errors occurred closing the client pool: close error") } func TestShouldNotCheckLDAPServerExtensionsWhenRootDSEReturnsMoreThanOneEntry(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClient.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "", + Attributes: []*ldap.EntryAttribute{ + { + Name: ldapSupportedExtensionAttribute, + Values: []string{ldapOIDExtensionPwdModifyExOp, ldapOIDExtensionTLS}, + }, + { + Name: ldapSupportedControlAttribute, + Values: []string{}, + }, + }, + }, + {}, }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", + }, nil) + + clientClose := mockClient.EXPECT().Close() + + gomock.InOrder(dialURL, clientBind, searchOIDs, clientClose) + + err := provider.StartupCheck() + assert.NoError(t, err) + + assert.False(t, provider.features.Extensions.PwdModifyExOp) + assert.False(t, provider.features.Extensions.TLS) + + assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) + assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) +} + +func TestShouldNotCheckLDAPServerExtensionsWhenRootDSEReturnsMoreThanOneEntryPooled(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{Count: 1}, + } - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + mockDialer := NewMockLDAPClientDialer(ctrl) - connBind := mockClient.EXPECT(). + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewPooledLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -444,9 +579,97 @@ func TestShouldNotCheckLDAPServerExtensionsWhenRootDSEReturnsMoreThanOneEntry(t }, }, nil) - connClose := mockClient.EXPECT().Close() + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(false), + searchOIDs, + mockClient.EXPECT().IsClosing().Return(false), + mockClient.EXPECT().Close().Return(nil), + ) + + err := provider.StartupCheck() + assert.NoError(t, err) + + assert.False(t, provider.features.Extensions.PwdModifyExOp) + assert.False(t, provider.features.Extensions.TLS) + + assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) + assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) + + assert.NoError(t, provider.Shutdown()) +} + +func TestShouldNotCheckLDAPServerExtensionsWhenRootDSEReturnsMoreThanOneEntryPooledClosing(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{Count: 1}, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + + mockClient := NewMockLDAPClient(ctrl) + mockClientSecond := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + dialURLSecond := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClientSecond, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewPooledLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) - gomock.InOrder(dialURL, connBind, searchOIDs, connClose) + clientBindSecond := mockClientSecond.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClientSecond.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "", + Attributes: []*ldap.EntryAttribute{ + { + Name: ldapSupportedExtensionAttribute, + Values: []string{ldapOIDExtensionPwdModifyExOp, ldapOIDExtensionTLS}, + }, + { + Name: ldapSupportedControlAttribute, + Values: []string{}, + }, + }, + }, + {}, + }, + }, nil) + + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(true), + dialURLSecond, + clientBindSecond, + searchOIDs, + mockClientSecond.EXPECT().IsClosing().Return(false), + mockClientSecond.EXPECT().Close().Return(nil), + ) err := provider.StartupCheck() assert.NoError(t, err) @@ -456,39 +679,104 @@ func TestShouldNotCheckLDAPServerExtensionsWhenRootDSEReturnsMoreThanOneEntry(t assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) + + assert.NoError(t, provider.Shutdown()) } func TestShouldCheckLDAPServerControlTypes(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClient.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "", + Attributes: []*ldap.EntryAttribute{ + { + Name: ldapSupportedExtensionAttribute, + Values: []string{}, + }, + { + Name: ldapSupportedControlAttribute, + Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated}, + }, + }, + }, }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", + }, nil) + + clientClose := mockClient.EXPECT().Close() + + gomock.InOrder(dialURL, clientBind, searchOIDs, clientClose) + + err := provider.StartupCheck() + assert.NoError(t, err) + + assert.False(t, provider.features.Extensions.PwdModifyExOp) + assert.False(t, provider.features.Extensions.TLS) + + assert.True(t, provider.features.ControlTypes.MsftPwdPolHints) + assert.True(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) +} + +func TestShouldCheckLDAPServerControlTypesPooled(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{Count: 1}, + } - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + mockDialer := NewMockLDAPClientDialer(ctrl) - connBind := mockClient.EXPECT(). + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewPooledLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -512,9 +800,16 @@ func TestShouldCheckLDAPServerControlTypes(t *testing.T) { }, }, nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() - gomock.InOrder(dialURL, connBind, searchOIDs, connClose) + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(false), + searchOIDs, + mockClient.EXPECT().IsClosing().Return(false), + clientClose, + ) err := provider.StartupCheck() assert.NoError(t, err) @@ -524,39 +819,38 @@ func TestShouldCheckLDAPServerControlTypes(t *testing.T) { assert.True(t, provider.features.ControlTypes.MsftPwdPolHints) assert.True(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) + + assert.NoError(t, provider.Shutdown()) } func TestShouldNotEnablePasswdModifyExtensionOrControlTypes(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -580,52 +874,123 @@ func TestShouldNotEnablePasswdModifyExtensionOrControlTypes(t *testing.T) { }, }, nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() - gomock.InOrder(dialURL, connBind, searchOIDs, connClose) + gomock.InOrder(dialURL, clientBind, searchOIDs, clientClose) - err := provider.StartupCheck() - assert.NoError(t, err) + assert.NoError(t, provider.StartupCheck()) assert.False(t, provider.features.Extensions.PwdModifyExOp) assert.False(t, provider.features.Extensions.TLS) assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) + + assert.NoError(t, provider.Shutdown()) } -func TestShouldReturnCheckServerConnectError(t *testing.T) { +func TestShouldNotEnablePasswdModifyExtensionOrControlTypesPooled(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{ + Count: 1, + }, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewPooledLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClient.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "", + Attributes: []*ldap.EntryAttribute{ + { + Name: ldapSupportedExtensionAttribute, + Values: []string{}, + }, + { + Name: ldapSupportedControlAttribute, + Values: []string{}, + }, + }, + }, }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", + }, nil) + + clientClose := mockClient.EXPECT().Close() + + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(false), + searchOIDs, + mockClient.EXPECT().IsClosing().Return(false), + clientClose, + ) + + assert.NoError(t, provider.StartupCheck()) + + assert.False(t, provider.features.Extensions.PwdModifyExOp) + assert.False(t, provider.features.Extensions.TLS) + + assert.False(t, provider.features.ControlTypes.MsftPwdPolHints) + assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated) + + assert.NoError(t, provider.Shutdown()) +} + +func TestShouldReturnCheckServerConnectError(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } - mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, errors.New("could not connect")) + mockDialer := NewMockLDAPClientDialer(ctrl) - err := provider.StartupCheck() - assert.EqualError(t, err, "dial failed with error: could not connect") + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) + + mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(nil, errors.New("could not connect")) + + assert.EqualError(t, provider.StartupCheck(), "error occurred dialing address: could not connect") assert.False(t, provider.features.Extensions.PwdModifyExOp) } @@ -634,33 +999,76 @@ func TestShouldReturnCheckServerSearchError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClient.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(nil, errors.New("could not perform the search")) + + clientClose := mockClient.EXPECT().Close() + + gomock.InOrder(dialURL, clientBind, searchOIDs, clientClose) + + err := provider.StartupCheck() + assert.EqualError(t, err, "error occurred during RootDSE search: could not perform the search") + + assert.False(t, provider.features.Extensions.PwdModifyExOp) +} + +func TestShouldReturnCheckServerSearchErrorPooled(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{Count: 1}, + } - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + mockDialer := NewMockLDAPClientDialer(ctrl) - connBind := mockClient.EXPECT(). + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewPooledLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -668,48 +1076,98 @@ func TestShouldReturnCheckServerSearchError(t *testing.T) { Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). Return(nil, errors.New("could not perform the search")) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() - gomock.InOrder(dialURL, connBind, searchOIDs, connClose) + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(false), + searchOIDs, + mockClient.EXPECT().IsClosing().Return(false), + clientClose, + ) err := provider.StartupCheck() assert.EqualError(t, err, "error occurred during RootDSE search: could not perform the search") assert.False(t, provider.features.Extensions.PwdModifyExOp) + + assert.NoError(t, provider.Shutdown()) } func TestShouldPermitRootDSEFailure(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + PermitFeatureDetectionFailure: true, + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - PermitFeatureDetectionFailure: true, - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - Password: "password", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + searchOIDs := mockClient.EXPECT(). + Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). + Return(nil, errors.New("could not perform the search")) + + clientClose := mockClient.EXPECT().Close() + + gomock.InOrder(dialURL, clientBind, searchOIDs, clientClose) + + assert.NoError(t, provider.StartupCheck()) +} + +func TestShouldPermitRootDSEFailurePooled(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + config := &schema.AuthenticationBackendLDAP{ + PermitFeatureDetectionFailure: true, + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + Password: "password", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + Pooling: schema.AuthenticationBackendLDAPPooling{Count: 1}, + } - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + mockDialer := NewMockLDAPClientDialer(ctrl) - connBind := mockClient.EXPECT(). + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewPooledLDAPClientFactory(config, nil, mockDialer)) + + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -717,12 +1175,19 @@ func TestShouldPermitRootDSEFailure(t *testing.T) { Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})). Return(nil, errors.New("could not perform the search")) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() - gomock.InOrder(dialURL, connBind, searchOIDs, connClose) + gomock.InOrder( + dialURL, + clientBind, + mockClient.EXPECT().IsClosing().Return(false), + searchOIDs, + mockClient.EXPECT().IsClosing().Return(false), + clientClose, + ) - err := provider.StartupCheck() - assert.NoError(t, err) + assert.NoError(t, provider.StartupCheck()) + assert.NoError(t, provider.Shutdown()) } type SearchRequestMatcher struct { @@ -750,7 +1215,7 @@ func TestShouldEscapeUserInput(t *testing.T) { mockClient := NewMockLDAPClient(ctrl) provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ + &schema.AuthenticationBackendLDAP{ Address: testLDAPAddress, User: "cn=admin,dc=example,dc=com", UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))", @@ -766,7 +1231,6 @@ func TestShouldEscapeUserInput(t *testing.T) { PermitReferrals: true, }, false, - nil, mockFactory) mockClient.EXPECT(). @@ -783,35 +1247,32 @@ func TestShouldReturnEmailWhenAttributeSameAsUsername(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "mail", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "mail", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - assert.Equal(t, []string{"mail", "displayName", "memberOf"}, provider.usersAttributes) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + assert.Equal(t, []string{"mail", "displayName", "memberOf"}, provider.usersAttributes) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -835,9 +1296,9 @@ func TestShouldReturnEmailWhenAttributeSameAsUsername(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john@example.com") @@ -857,35 +1318,32 @@ func TestShouldReturnUsernameAndBlankDisplayNameWhenAttributesTheSame(t *testing ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "uid", + MemberOf: "memberOf", + }, + UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "uid", - MemberOf: "memberOf", - }, - UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - assert.Equal(t, []string{"uid", "mail", "memberOf"}, provider.usersAttributes) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + assert.Equal(t, []string{"uid", "mail", "memberOf"}, provider.usersAttributes) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -909,9 +1367,9 @@ func TestShouldReturnUsernameAndBlankDisplayNameWhenAttributesTheSame(t *testing }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john@example.com") @@ -931,35 +1389,32 @@ func TestShouldReturnBlankEmailAndDisplayNameWhenAttrsLenZero(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - assert.Equal(t, []string{"uid", "mail", "displayName", "memberOf"}, provider.usersAttributes) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + assert.Equal(t, []string{"uid", "mail", "displayName", "memberOf"}, provider.usersAttributes) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -991,9 +1446,9 @@ func TestShouldReturnBlankEmailAndDisplayNameWhenAttrsLenZero(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john@example.com") @@ -1016,7 +1471,7 @@ func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) { mockClient := NewMockLDAPClient(ctrl) provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ + &schema.AuthenticationBackendLDAP{ Address: testLDAPAddress, User: "cn=admin,dc=example,dc=com", UsersFilter: "(&({username_attribute}={input})(&(objectCategory=person)(objectClass=user)))", @@ -1032,7 +1487,6 @@ func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) { PermitReferrals: true, }, false, - nil, mockFactory) assert.Equal(t, []string{"uid", "mail", "displayName", "memberOf"}, provider.usersAttributes) @@ -1092,39 +1546,36 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -1154,7 +1605,7 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -1169,99 +1620,100 @@ func TestLDAPUserProvider_GetDetailsExtended_ShouldPass(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - StreetAddress: "street", - FamilyName: "sn", - MiddleName: "middle", - GivenName: "givenName", - Nickname: "nickname", - Gender: "gender", - Birthdate: "birthDate", - Website: "website", - Profile: "profile", - Picture: "picture", - ZoneInfo: "zoneinfo", - Locale: "locale", - PhoneNumber: "phone", - PhoneExtension: "ext", - Locality: "locality", - Region: "region", - PostalCode: "postCode", - Country: "c", - Extra: map[string]schema.AuthenticationBackendLDAPAttributesAttribute{ - "exampleStr": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: false, - ValueType: ValueTypeString, - }, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + StreetAddress: "street", + FamilyName: "sn", + MiddleName: "middle", + GivenName: "givenName", + Nickname: "nickname", + Gender: "gender", + Birthdate: "birthDate", + Website: "website", + Profile: "profile", + Picture: "picture", + ZoneInfo: "zoneinfo", + Locale: "locale", + PhoneNumber: "phone", + PhoneExtension: "ext", + Locality: "locality", + Region: "region", + PostalCode: "postCode", + Country: "c", + Extra: map[string]schema.AuthenticationBackendLDAPAttributesAttribute{ + "exampleStr": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: false, + ValueType: ValueTypeString, }, - "exampleStrMV": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: true, - ValueType: ValueTypeString, - }, + }, + "exampleStrMV": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: true, + ValueType: ValueTypeString, }, - "exampleInt": { - Name: "exampleIntChangedAttributeName", - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: false, - ValueType: ValueTypeInteger, - }, + }, + "exampleInt": { + Name: "exampleIntChangedAttributeName", + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: false, + ValueType: ValueTypeInteger, }, - "exampleIntMV": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: true, - ValueType: ValueTypeInteger, - }, + }, + "exampleIntMV": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: true, + ValueType: ValueTypeInteger, }, - "exampleBool": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: false, - ValueType: ValueTypeBoolean, - }, + }, + "exampleBool": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: false, + ValueType: ValueTypeBoolean, }, - "exampleBoolMV": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: true, - ValueType: ValueTypeBoolean, - }, + }, + "exampleBoolMV": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: true, + ValueType: ValueTypeBoolean, }, - "exampleEmptyStringInt": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: false, - ValueType: ValueTypeInteger, - }, + }, + "exampleEmptyStringInt": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: false, + ValueType: ValueTypeInteger, }, - "exampleEmptyStringBoolean": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: false, - ValueType: ValueTypeBoolean, - }, + }, + "exampleEmptyStringBoolean": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: false, + ValueType: ValueTypeBoolean, }, }, }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) - dialURL := mockFactory.EXPECT(). + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1487,39 +1939,40 @@ func TestLDAPUserProvider_GetDetailsExtended_ShouldParseError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) + mockDialer := NewMockLDAPClientDialer(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - StreetAddress: "street", - Extra: map[string]schema.AuthenticationBackendLDAPAttributesAttribute{ - "example": { - AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ - MultiValued: tc.multiValued, - ValueType: tc.valueType, - }, + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + StreetAddress: "street", + Extra: map[string]schema.AuthenticationBackendLDAPAttributesAttribute{ + "example": { + AuthenticationBackendExtraAttribute: schema.AuthenticationBackendExtraAttribute{ + MultiValued: tc.multiValued, + ValueType: tc.valueType, }, }, }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + + provider := NewLDAPUserProviderWithFactory(config, false, factory) - dialURL := mockFactory.EXPECT(). + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1578,31 +2031,32 @@ func TestLDAPUserProvider_GetDetailsExtended_ShouldErrorBadPictureURL(t *testing ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - Picture: "photoURL", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + Picture: "photoURL", }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + + provider := NewLDAPUserProviderWithFactory(config, false, factory) - dialURL := mockFactory.EXPECT(). + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1657,31 +2111,32 @@ func TestLDAPUserProvider_GetDetailsExtended_ShouldErrorBadProfileURL(t *testing ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - Profile: "profile", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + Profile: "profile", }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) - dialURL := mockFactory.EXPECT(). + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1736,31 +2191,32 @@ func TestLDAPUserProvider_GetDetailsExtended_ShouldErrorBadWebsiteURL(t *testing ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - Website: "www", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + Website: "www", }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + mockClient := NewMockLDAPClient(ctrl) - dialURL := mockFactory.EXPECT(). + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1815,31 +2271,32 @@ func TestLDAPUserProvider_GetDetailsExtended_ShouldErrorBadLocale(t *testing.T) ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - Locale: "locale", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + Locale: "locale", }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) + + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + mockClient := NewMockLDAPClient(ctrl) - dialURL := mockFactory.EXPECT(). + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1894,44 +2351,41 @@ func TestLDAPUserProvider_GetDetails_ShouldReturnOnUserError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). Return(nil, fmt.Errorf("failed to search")) - gomock.InOrder(dialURL, connBind, searchProfile, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, clientClose) details, err := provider.GetDetails("john") assert.Nil(t, details) @@ -1942,30 +2396,31 @@ func TestLDAPUserProvider_GetDetailsExtendedShouldReturnOnBindError(t *testing.T ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - mockClient := NewMockLDAPClient(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) - dialURL := mockFactory.EXPECT(). + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + mockClient := NewMockLDAPClient(ctrl) + + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -1979,36 +2434,36 @@ func TestLDAPUserProvider_GetDetailsExtendedShouldReturnOnBindError(t *testing.T details, err := provider.GetDetailsExtended("john") assert.Nil(t, details) - assert.EqualError(t, err, "bind failed with error: bad bind") + assert.EqualError(t, err, "error occurred performing bind: bad bind") } func TestLDAPUserProvider_GetDetailsExtendedShouldReturnOnDialError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) - - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, + mockDialer := NewMockLDAPClientDialer(ctrl) + + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", }, - false, - nil, - mockFactory) + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) - dialURL := mockFactory.EXPECT(). + provider := NewLDAPUserProviderWithFactory(config, false, factory) + + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(nil, fmt.Errorf("failed to dial")) @@ -2016,37 +2471,37 @@ func TestLDAPUserProvider_GetDetailsExtendedShouldReturnOnDialError(t *testing.T details, err := provider.GetDetailsExtended("john") assert.Nil(t, details) - assert.EqualError(t, err, "dial failed with error: failed to dial") + assert.EqualError(t, err, "error occurred dialing address: failed to dial") } func TestLDAPUserProvider_GetDetailsExtendedShouldReturnOnUserError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + + factory := NewStandardLDAPClientFactory(config, nil, mockDialer) mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(config, false, factory) - dialURL := mockFactory.EXPECT(). + dialURL := mockDialer.EXPECT(). DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). Return(mockClient, nil) @@ -2071,38 +2526,35 @@ func TestLDAPUserProvider_GetDetails_ShouldReturnOnGroupsError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -2132,7 +2584,7 @@ func TestLDAPUserProvider_GetDetails_ShouldReturnOnGroupsError(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") @@ -2144,37 +2596,34 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "displayName", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "displayName", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -2196,7 +2645,7 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -2210,37 +2659,34 @@ func TestShouldUnauthenticatedBind(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "displayName", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "displayName", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). UnauthenticatedBind(gomock.Eq("cn=admin,dc=example,dc=com")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -2262,7 +2708,7 @@ func TestShouldUnauthenticatedBind(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -2276,38 +2722,35 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -2337,7 +2780,7 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -2352,40 +2795,37 @@ func TestShouldReturnUsernameFromLDAPSearchModeMemberOfRDN(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + GroupSearchMode: "memberof", + UsersFilter: "uid={input}", + GroupsFilter: "(|{memberof:rdn})", + AdditionalUsersDN: "ou=users", + BaseDN: "DC=example,DC=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - GroupSearchMode: "memberof", - UsersFilter: "uid={input}", - GroupsFilter: "(|{memberof:rdn})", - AdditionalUsersDN: "ou=users", - BaseDN: "DC=example,DC=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() requestGroups := ldap.NewSearchRequest( provider.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, @@ -2427,7 +2867,7 @@ func TestShouldReturnUsernameFromLDAPSearchModeMemberOfRDN(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -2442,41 +2882,38 @@ func TestShouldReturnUsernameFromLDAPSearchModeMemberOfDN(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "CN=Administrator,CN=Users,DC=example,DC=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + GroupSearchMode: "memberof", + UsersFilter: "sAMAccountName={input}", + GroupsFilter: "(|{memberof:dn})", + AdditionalUsersDN: "CN=users", + BaseDN: "DC=example,DC=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "CN=Administrator,CN=Users,DC=example,DC=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - GroupSearchMode: "memberof", - UsersFilter: "sAMAccountName={input}", - GroupsFilter: "(|{memberof:dn})", - AdditionalUsersDN: "CN=users", - BaseDN: "DC=example,DC=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() requestGroups := ldap.NewSearchRequest( provider.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, @@ -2515,7 +2952,7 @@ func TestShouldReturnUsernameFromLDAPSearchModeMemberOfDN(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -2530,41 +2967,38 @@ func TestShouldReturnErrSearchMemberOf(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "CN=Administrator,CN=Users,DC=example,DC=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + GroupSearchMode: "memberof", + UsersFilter: "sAMAccountName={input}", + GroupsFilter: "(|{memberof:dn})", + AdditionalUsersDN: "CN=users", + BaseDN: "DC=example,DC=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "CN=Administrator,CN=Users,DC=example,DC=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - GroupSearchMode: "memberof", - UsersFilter: "sAMAccountName={input}", - GroupsFilter: "(|{memberof:dn})", - AdditionalUsersDN: "CN=users", - BaseDN: "DC=example,DC=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() requestGroups := ldap.NewSearchRequest( provider.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, @@ -2603,7 +3037,7 @@ func TestShouldReturnErrSearchMemberOf(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") assert.Nil(t, details) @@ -2614,41 +3048,38 @@ func TestShouldReturnErrUnknownSearchMode(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "CN=Administrator,CN=Users,DC=example,DC=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + GroupSearchMode: "bad", + UsersFilter: "sAMAccountName={input}", + GroupsFilter: "(|{memberof:dn})", + AdditionalUsersDN: "CN=users", + BaseDN: "DC=example,DC=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "CN=Administrator,CN=Users,DC=example,DC=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - GroupSearchMode: "bad", - UsersFilter: "sAMAccountName={input}", - GroupsFilter: "(|{memberof:dn})", - AdditionalUsersDN: "CN=users", - BaseDN: "DC=example,DC=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -2678,7 +3109,7 @@ func TestShouldReturnErrUnknownSearchMode(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, clientClose) details, err := provider.GetDetails("john") assert.Nil(t, details) @@ -2690,41 +3121,38 @@ func TestShouldSkipEmptyAttributesSearchModeMemberOf(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "CN=Administrator,CN=Users,DC=example,DC=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + GroupSearchMode: "memberof", + UsersFilter: "sAMAccountName={input}", + GroupsFilter: "(|{memberof:dn})", + AdditionalUsersDN: "CN=users", + BaseDN: "DC=example,DC=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "CN=Administrator,CN=Users,DC=example,DC=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - GroupSearchMode: "memberof", - UsersFilter: "sAMAccountName={input}", - GroupsFilter: "(|{memberof:dn})", - AdditionalUsersDN: "CN=users", - BaseDN: "DC=example,DC=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -2792,7 +3220,7 @@ func TestShouldSkipEmptyAttributesSearchModeMemberOf(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") @@ -2804,41 +3232,38 @@ func TestShouldSkipEmptyAttributesSearchModeFilter(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "CN=Administrator,CN=Users,DC=example,DC=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + GroupSearchMode: "filter", + UsersFilter: "sAMAccountName={input}", + GroupsFilter: "(|{memberof:dn})", + AdditionalUsersDN: "CN=users", + BaseDN: "DC=example,DC=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "CN=Administrator,CN=Users,DC=example,DC=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - GroupSearchMode: "filter", - UsersFilter: "sAMAccountName={input}", - GroupsFilter: "(|{memberof:dn})", - AdditionalUsersDN: "CN=users", - BaseDN: "DC=example,DC=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -2906,7 +3331,7 @@ func TestShouldSkipEmptyAttributesSearchModeFilter(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") @@ -2918,39 +3343,36 @@ func TestShouldSkipEmptyGroupsResultMemberOf(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -2984,7 +3406,7 @@ func TestShouldSkipEmptyGroupsResultMemberOf(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -2998,41 +3420,38 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndResult(t *testing.T) ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) mockClientReferralAlt := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -3045,15 +3464,13 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndResult(t *testing.T) Referrals: []string{"ldap://192.168.0.1"}, }, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral}) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() searchProfileReferral := mockClientReferral.EXPECT(). Search(gomock.Any()). @@ -3079,15 +3496,13 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndResult(t *testing.T) }, }, nil) - dialURLReferralAlt := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferralAlt, nil) + dialURLReferralAlt := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferralAlt, nil) - connBindReferralAlt := mockClientReferralAlt.EXPECT(). + clientBindReferralAlt := mockClientReferralAlt.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferralAlt := mockClientReferralAlt.EXPECT().Close() + clientCloseReferralAlt := mockClientReferralAlt.EXPECT().Close() searchProfileReferralAlt := mockClientReferralAlt.EXPECT(). Search(gomock.Any()). @@ -3113,7 +3528,7 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndResult(t *testing.T) }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, dialURLReferralAlt, connBindReferralAlt, searchProfileReferralAlt, connCloseReferralAlt, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, dialURLReferral, clientBindReferral, searchProfileReferral, clientCloseReferral, dialURLReferralAlt, clientBindReferralAlt, searchProfileReferralAlt, clientCloseReferralAlt, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -3128,40 +3543,37 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing. ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -3171,15 +3583,13 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing. Search(gomock.Any()). Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral}) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() searchProfileReferral := mockClientReferral.EXPECT(). Search(gomock.Any()). @@ -3205,7 +3615,7 @@ func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing. }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, dialURLReferral, clientBindReferral, searchProfileReferral, clientCloseReferral, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -3220,114 +3630,104 @@ func TestShouldReturnDialErrDuringReferralSearchUsernameFromLDAPWithReferralsInE ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral}) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(nil, fmt.Errorf("failed to connect")) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(nil, fmt.Errorf("failed to connect")) - gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, dialURLReferral, clientClose) details, err := provider.GetDetails("john") assert.Nil(t, details) - assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': dial failed with error: failed to connect") + assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': error occurred dialing address: failed to connect") } func TestShouldReturnSearchErrDuringReferralSearchUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral}) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() searchProfileReferral := mockClientReferral.EXPECT(). Search(gomock.Any()). Return(nil, fmt.Errorf("not found")) - gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, dialURLReferral, clientBindReferral, searchProfileReferral, clientCloseReferral, clientClose) details, err := provider.GetDetails("john") @@ -3339,45 +3739,42 @@ func TestShouldNotReturnUsernameFromLDAPWithReferralsInErrorAndReferralsNotPermi ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: false, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: false, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral}) - gomock.InOrder(dialURL, connBind, searchProfile, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, clientClose) details, err := provider.GetDetails("john") assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: LDAP Result Code 10 \"Referral\": referral") @@ -3388,40 +3785,37 @@ func TestShouldReturnUsernameFromLDAPWithReferralsErr(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -3431,15 +3825,13 @@ func TestShouldReturnUsernameFromLDAPWithReferralsErr(t *testing.T) { Search(gomock.Any()). Return(&ldap.SearchResult{}, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral}) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() searchProfileReferral := mockClientReferral.EXPECT(). Search(gomock.Any()). @@ -3465,7 +3857,7 @@ func TestShouldReturnUsernameFromLDAPWithReferralsErr(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, searchGroups, connClose) + gomock.InOrder(dialURL, clientBind, searchProfile, dialURLReferral, clientBindReferral, searchProfileReferral, clientCloseReferral, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -3480,34 +3872,33 @@ func TestShouldNotUpdateUserPasswordConnect(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: false, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: false, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(nil, errors.New("tcp timeout")) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBindOIDs := mockClient.EXPECT(). + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -3531,53 +3922,46 @@ func TestShouldNotUpdateUserPasswordConnect(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(nil, errors.New("tcp timeout")) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL) + require.NoError(t, provider.StartupCheck()) - err := provider.StartupCheck() - require.NoError(t, err) - - err = provider.UpdatePassword("john", "password") - assert.EqualError(t, err, "unable to update password. Cause: dial failed with error: tcp timeout") + assert.EqualError(t, provider.UpdatePassword("john", "password"), "unable to update password. Cause: error occurred dialing address: tcp timeout") } func TestShouldNotUpdateUserPasswordGetDetails(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: false, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: false, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBindOIDs := mockClient.EXPECT(). + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -3601,56 +3985,51 @@ func TestShouldNotUpdateUserPasswordGetDetails(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultProtocolError, Err: errors.New("permission error")}) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, clientClose) - err := provider.StartupCheck() - require.NoError(t, err) + require.NoError(t, provider.StartupCheck()) - err = provider.UpdatePassword("john", "password") - assert.EqualError(t, err, "unable to update password. Cause: cannot find user DN of user 'john'. Cause: LDAP Result Code 2 \"Protocol Error\": permission error") + assert.EqualError(t, provider.UpdatePassword("john", "password"), "unable to update password. Cause: cannot find user DN of user 'john'. Cause: LDAP Result Code 2 \"Protocol Error\": permission error") } func TestShouldUpdateUserPassword(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -3659,11 +4038,9 @@ func TestShouldUpdateUserPassword(t *testing.T) { modifyRequest.Replace(ldapAttributeUserPassword, []string{"password"}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -3687,17 +4064,13 @@ func TestShouldUpdateUserPassword(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -3727,7 +4100,7 @@ func TestShouldUpdateUserPassword(t *testing.T) { Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, modify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -3740,28 +4113,29 @@ func TestShouldUpdateUserPasswordMSAD(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -3771,11 +4145,9 @@ func TestShouldUpdateUserPasswordMSAD(t *testing.T) { pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password")) modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -3799,17 +4171,13 @@ func TestShouldUpdateUserPasswordMSAD(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -3839,7 +4207,7 @@ func TestShouldUpdateUserPasswordMSAD(t *testing.T) { Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, modify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -3852,30 +4220,31 @@ func TestShouldUpdateUserPasswordMSADWithReferrals(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -3885,11 +4254,9 @@ func TestShouldUpdateUserPasswordMSADWithReferrals(t *testing.T) { pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password")) modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -3913,17 +4280,13 @@ func TestShouldUpdateUserPasswordMSADWithReferrals(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -3957,21 +4320,19 @@ func TestShouldUpdateUserPasswordMSADWithReferrals(t *testing.T) { Packet: &testBERPacketReferral, }) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() modifyReferral := mockClientReferral.EXPECT(). Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, dialURLReferral, connBindReferral, modifyReferral, connCloseReferral, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, modify, dialURLReferral, clientBindReferral, modifyReferral, clientCloseReferral, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -3984,29 +4345,30 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralConnectErr(t *test ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -4016,11 +4378,9 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralConnectErr(t *test pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password")) modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4044,17 +4404,13 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralConnectErr(t *test }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4088,47 +4444,46 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralConnectErr(t *test Packet: &testBERPacketReferral, }) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(nil, errors.New("tcp timeout")) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(nil, errors.New("tcp timeout")) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, dialURLReferral, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, modify, dialURLReferral, clientClose) err := provider.StartupCheck() require.NoError(t, err) err = provider.UpdatePassword("john", "password") - assert.EqualError(t, err, "unable to update password. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': dial failed with error: tcp timeout. Original Error: LDAP Result Code 10 \"Referral\": error occurred") + assert.EqualError(t, err, "unable to update password. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': error occurred dialing address: tcp timeout. Original Error: LDAP Result Code 10 \"Referral\": error occurred") } func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralModifyErr(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -4138,11 +4493,9 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralModifyErr(t *testi pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password")) modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4166,17 +4519,13 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralModifyErr(t *testi }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4210,15 +4559,13 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralModifyErr(t *testi Packet: &testBERPacketReferral, }) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() modifyReferral := mockClientReferral.EXPECT(). Modify(modifyRequest). @@ -4228,7 +4575,7 @@ func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralModifyErr(t *testi Packet: &testBERPacketReferral, }) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, dialURLReferral, connBindReferral, modifyReferral, connCloseReferral, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, modify, dialURLReferral, clientBindReferral, modifyReferral, clientCloseReferral, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -4241,29 +4588,30 @@ func TestShouldUpdateUserPasswordMSADWithoutReferrals(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: false, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: false, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -4273,11 +4621,9 @@ func TestShouldUpdateUserPasswordMSADWithoutReferrals(t *testing.T) { pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password")) modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4301,17 +4647,13 @@ func TestShouldUpdateUserPasswordMSADWithoutReferrals(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4345,7 +4687,7 @@ func TestShouldUpdateUserPasswordMSADWithoutReferrals(t *testing.T) { Packet: &testBERPacketReferral, }) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, modify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -4358,27 +4700,28 @@ func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) pwdModifyRequest := ldap.NewPasswordModifyRequest( "uid=test,dc=example,dc=com", @@ -4386,11 +4729,9 @@ func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) { "password", ) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4414,17 +4755,13 @@ func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4454,7 +4791,7 @@ func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) { PasswordModify(pwdModifyRequest). Return(nil, nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -4467,29 +4804,30 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferrals(t *testing.T ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) pwdModifyRequest := ldap.NewPasswordModifyRequest( "uid=test,dc=example,dc=com", @@ -4497,11 +4835,9 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferrals(t *testing.T "password", ) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4525,17 +4861,13 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferrals(t *testing.T }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4571,21 +4903,19 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferrals(t *testing.T Packet: &testBERPacketReferral, }) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() passwdModifyReferral := mockClientReferral.EXPECT(). PasswordModify(pwdModifyRequest). Return(&ldap.PasswordModifyResult{}, nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, dialURLReferral, connBindReferral, passwdModifyReferral, connCloseReferral, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, dialURLReferral, clientBindReferral, passwdModifyReferral, clientCloseReferral, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -4598,28 +4928,29 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithoutReferrals(t *testin ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: false, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: false, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) pwdModifyRequest := ldap.NewPasswordModifyRequest( "uid=test,dc=example,dc=com", @@ -4627,11 +4958,9 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithoutReferrals(t *testin "password", ) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4655,17 +4984,13 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithoutReferrals(t *testin }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4701,7 +5026,7 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithoutReferrals(t *testin Packet: &testBERPacketReferral, }) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -4714,28 +5039,29 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralConne ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) pwdModifyRequest := ldap.NewPasswordModifyRequest( "uid=test,dc=example,dc=com", @@ -4743,11 +5069,9 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralConne "password", ) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4771,17 +5095,13 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralConne }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4817,46 +5137,45 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralConne Packet: &testBERPacketReferral, }) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(nil, errors.New("tcp timeout")) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(nil, errors.New("tcp timeout")) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, dialURLReferral, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, dialURLReferral, clientClose) err := provider.StartupCheck() require.NoError(t, err) err = provider.UpdatePassword("john", "password") - assert.EqualError(t, err, "unable to update password. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': dial failed with error: tcp timeout. Original Error: LDAP Result Code 10 \"Referral\": error occurred") + assert.EqualError(t, err, "unable to update password. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': error occurred dialing address: tcp timeout. Original Error: LDAP Result Code 10 \"Referral\": error occurred") } func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralPasswordModifyErr(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + PermitReferrals: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) mockClientReferral := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - PermitReferrals: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) pwdModifyRequest := ldap.NewPasswordModifyRequest( "uid=test,dc=example,dc=com", @@ -4864,11 +5183,9 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralPassw "password", ) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -4892,17 +5209,13 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralPassw }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -4938,15 +5251,13 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralPassw Packet: &testBERPacketReferral, }) - dialURLReferral := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()). - Return(mockClientReferral, nil) + dialURLReferral := mockDialer.EXPECT().DialURL("ldap://192.168.0.1", gomock.Any()).Return(mockClientReferral, nil) - connBindReferral := mockClientReferral.EXPECT(). + clientBindReferral := mockClientReferral.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connCloseReferral := mockClientReferral.EXPECT().Close() + clientCloseReferral := mockClientReferral.EXPECT().Close() passwdModifyReferral := mockClientReferral.EXPECT(). PasswordModify(pwdModifyRequest). @@ -4956,7 +5267,7 @@ func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralPassw Packet: &testBERPacketReferral, }) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, dialURLReferral, connBindReferral, passwdModifyReferral, connCloseReferral, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, dialURLReferral, clientBindReferral, passwdModifyReferral, clientCloseReferral, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -4969,29 +5280,30 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHints(t *testing ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "cn={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "cn={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM) pwdEncoded, _ := utf16.NewEncoder().String("\"password\"") @@ -5003,11 +5315,9 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHints(t *testing modifyRequest.Replace("unicodePwd", []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5031,17 +5341,13 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHints(t *testing }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -5071,7 +5377,7 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHints(t *testing Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -5084,29 +5390,30 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHintsDeprecated( ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "cn={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "cn={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM) pwdEncoded, _ := utf16.NewEncoder().String("\"password\"") @@ -5118,11 +5425,9 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHintsDeprecated( modifyRequest.Replace("unicodePwd", []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5146,17 +5451,13 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHintsDeprecated( }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -5186,7 +5487,7 @@ func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHintsDeprecated( Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -5199,29 +5500,30 @@ func TestShouldUpdateUserPasswordActiveDirectory(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "activedirectory", + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + DistinguishedName: "distinguishedName", + Username: "sAMAccountName", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "cn={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "activedirectory", - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - DistinguishedName: "distinguishedName", - Username: "sAMAccountName", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "cn={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM) pwdEncoded, _ := utf16.NewEncoder().String("\"password\"") @@ -5233,11 +5535,9 @@ func TestShouldUpdateUserPasswordActiveDirectory(t *testing.T) { modifyRequest.Replace("unicodePwd", []string{pwdEncoded}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5261,17 +5561,13 @@ func TestShouldUpdateUserPasswordActiveDirectory(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() - - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + clientCloseOIDs := mockClient.EXPECT().Close() - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -5301,7 +5597,7 @@ func TestShouldUpdateUserPasswordActiveDirectory(t *testing.T) { Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -5314,28 +5610,29 @@ func TestShouldUpdateUserPasswordBasic(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Implementation: "custom", + Address: testLDAPAddress, + User: "uid=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Implementation: "custom", - Address: testLDAPAddress, - User: "uid=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) + + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) modifyRequest := ldap.NewModifyRequest( "uid=test,dc=example,dc=com", @@ -5344,11 +5641,9 @@ func TestShouldUpdateUserPasswordBasic(t *testing.T) { modifyRequest.Replace("userPassword", []string{"password"}) - dialURLOIDs := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURLOIDs := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBindOIDs := mockClient.EXPECT(). + clientBindOIDs := mockClient.EXPECT(). Bind(gomock.Eq("uid=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5372,17 +5667,13 @@ func TestShouldUpdateUserPasswordBasic(t *testing.T) { }, }, nil) - connCloseOIDs := mockClient.EXPECT().Close() + clientCloseOIDs := mockClient.EXPECT().Close() - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) - - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("uid=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchProfile := mockClient.EXPECT(). Search(gomock.Any()). @@ -5412,7 +5703,7 @@ func TestShouldUpdateUserPasswordBasic(t *testing.T) { Modify(modifyRequest). Return(nil) - gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose) + gomock.InOrder(dialURLOIDs, clientBindOIDs, searchOIDs, clientCloseOIDs, dialURL, clientBind, searchProfile, passwdModify, clientClose) err := provider.StartupCheck() require.NoError(t, err) @@ -5425,33 +5716,30 @@ func TestShouldReturnErrorWhenMultipleUsernameAttributes(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5479,9 +5767,9 @@ func TestShouldReturnErrorWhenMultipleUsernameAttributes(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john") @@ -5494,33 +5782,30 @@ func TestShouldReturnErrorWhenZeroUsernameAttributes(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5548,9 +5833,9 @@ func TestShouldReturnErrorWhenZeroUsernameAttributes(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john") @@ -5563,33 +5848,30 @@ func TestShouldReturnErrorWhenUsernameAttributeNotReturned(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5613,9 +5895,9 @@ func TestShouldReturnErrorWhenUsernameAttributeNotReturned(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john") @@ -5628,33 +5910,30 @@ func TestShouldReturnErrorWhenMultipleUsersFound(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "(|(uid={input})(uid=*))", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "(|(uid={input})(uid=*))", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5699,9 +5978,9 @@ func TestShouldReturnErrorWhenMultipleUsersFound(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john") @@ -5714,33 +5993,30 @@ func TestShouldReturnErrorWhenNoDN(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "(|(uid={input})(uid=*))", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "(|(uid={input})(uid=*))", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) @@ -5768,9 +6044,9 @@ func TestShouldReturnErrorWhenNoDN(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, bind, search) + gomock.InOrder(dialURL, clientBind, search) - client, err := provider.connect() + client, err := provider.factory.GetClient() assert.NoError(t, err) profile, err := provider.getUserProfile(client, "john") @@ -5783,32 +6059,29 @@ func TestShouldCheckValidUserPassword(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) gomock.InOrder( - mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil), + mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil), mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil), @@ -5835,9 +6108,7 @@ func TestShouldCheckValidUserPassword(t *testing.T) { }, }, }, nil), - mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil), + mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil), mockClient.EXPECT(). Bind(gomock.Eq("uid=test,dc=example,dc=com"), gomock.Eq("password")). Return(nil), @@ -5854,74 +6125,68 @@ func TestShouldNotCheckValidUserPasswordWithConnectError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - bind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(&ldap.Error{ResultCode: ldap.LDAPResultInvalidCredentials, Err: errors.New("invalid username or password")}) - gomock.InOrder(dialURL, bind, mockClient.EXPECT().Close()) + gomock.InOrder(dialURL, clientBind, mockClient.EXPECT().Close()) valid, err := provider.CheckUserPassword("john", "password") assert.False(t, valid) - assert.EqualError(t, err, "bind failed with error: LDAP Result Code 49 \"Invalid Credentials\": invalid username or password") + assert.EqualError(t, err, "error occurred performing bind: LDAP Result Code 49 \"Invalid Credentials\": invalid username or password") } func TestShouldNotCheckValidUserPasswordWithGetProfileError(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) gomock.InOrder( - mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil), + mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil), mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil), @@ -5941,32 +6206,29 @@ func TestShouldCheckInvalidUserPassword(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - }, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) gomock.InOrder( - mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil), + mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil), mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil), @@ -5993,9 +6255,7 @@ func TestShouldCheckInvalidUserPassword(t *testing.T) { }, }, }, nil), - mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil), + mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil), mockClient.EXPECT(). Bind(gomock.Eq("uid=test,dc=example,dc=com"), gomock.Eq("password")). Return(errors.New("invalid username or password")), @@ -6005,49 +6265,47 @@ func TestShouldCheckInvalidUserPassword(t *testing.T) { valid, err := provider.CheckUserPassword("john", "password") assert.False(t, valid) - require.EqualError(t, err, "authentication failed. Cause: bind failed with error: invalid username or password") + require.EqualError(t, err, "authentication failed. Cause: error occurred performing bind: invalid username or password") } func TestShouldCallStartTLSWhenEnabled(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + TLS: schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS, + StartTLS: true, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - StartTLS: true, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) - connBind := mockClient.EXPECT(). + connStartTLS := mockClient.EXPECT(). + StartTLS(gomock.Any()) + + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) - connStartTLS := mockClient.EXPECT(). - StartTLS(provider.tlsConfig) - - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -6077,7 +6335,7 @@ func TestShouldCallStartTLSWhenEnabled(t *testing.T) { }, }, nil) - gomock.InOrder(dialURL, connStartTLS, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, connStartTLS, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -6095,7 +6353,7 @@ func TestShouldParseDynamicConfiguration(t *testing.T) { mockFactory := NewMockLDAPClientFactory(ctrl) provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ + &schema.AuthenticationBackendLDAP{ Address: testLDAPAddress, User: "cn=admin,dc=example,dc=com", Password: "password", @@ -6113,7 +6371,6 @@ func TestShouldParseDynamicConfiguration(t *testing.T) { StartTLS: true, }, false, - nil, mockFactory) provider.clock = clock.NewFixed(time.Unix(1670250519, 0)) @@ -6139,49 +6396,46 @@ func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + GroupName: "cn", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + StartTLS: true, + TLS: &schema.TLS{ + SkipVerify: true, + }, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - GroupName: "cn", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - StartTLS: true, - TLS: &schema.TLS{ - SkipVerify: true, - }, - }, - false, - nil, - mockFactory) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) assert.False(t, provider.groupsFilterReplacementInput) assert.False(t, provider.groupsFilterReplacementUsername) assert.False(t, provider.groupsFilterReplacementDN) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + dialURL := mockDialer.EXPECT().DialURL("ldap://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - connBind := mockClient.EXPECT(). + clientBind := mockClient.EXPECT(). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Return(nil) connStartTLS := mockClient.EXPECT(). - StartTLS(provider.tlsConfig) + StartTLS(gomock.Not(gomock.Nil())) - connClose := mockClient.EXPECT().Close() + clientClose := mockClient.EXPECT().Close() searchGroups := mockClient.EXPECT(). Search(gomock.Any()). @@ -6215,7 +6469,7 @@ func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T }, }, nil) - gomock.InOrder(dialURL, connStartTLS, connBind, searchProfile, searchGroups, connClose) + gomock.InOrder(dialURL, connStartTLS, clientBind, searchProfile, searchGroups, clientClose) details, err := provider.GetDetails("john") require.NoError(t, err) @@ -6230,42 +6484,39 @@ func TestShouldReturnLDAPSAlreadySecuredWhenStartTLSAttempted(t *testing.T) { ctrl := gomock.NewController(t) defer ctrl.Finish() - mockFactory := NewMockLDAPClientFactory(ctrl) + config := &schema.AuthenticationBackendLDAP{ + Address: testLDAPSAddress, + User: "cn=admin,dc=example,dc=com", + Password: "password", + Attributes: schema.AuthenticationBackendLDAPAttributes{ + Username: "uid", + Mail: "mail", + DisplayName: "displayName", + MemberOf: "memberOf", + }, + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + StartTLS: true, + TLS: &schema.TLS{ + SkipVerify: true, + }, + } + + mockDialer := NewMockLDAPClientDialer(ctrl) + mockClient := NewMockLDAPClient(ctrl) - provider := NewLDAPUserProviderWithFactory( - schema.AuthenticationBackendLDAP{ - Address: testLDAPSAddress, - User: "cn=admin,dc=example,dc=com", - Password: "password", - Attributes: schema.AuthenticationBackendLDAPAttributes{ - Username: "uid", - Mail: "mail", - DisplayName: "displayName", - MemberOf: "memberOf", - }, - UsersFilter: "uid={input}", - AdditionalUsersDN: "ou=users", - BaseDN: "dc=example,dc=com", - StartTLS: true, - TLS: &schema.TLS{ - SkipVerify: true, - }, - }, - false, - nil, - mockFactory) + dialURL := mockDialer.EXPECT().DialURL("ldaps://127.0.0.1:389", gomock.Any()).Return(mockClient, nil) - dialURL := mockFactory.EXPECT(). - DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any()). - Return(mockClient, nil) + provider := NewLDAPUserProviderWithFactory(config, false, NewStandardLDAPClientFactory(config, nil, mockDialer)) connStartTLS := mockClient.EXPECT(). - StartTLS(provider.tlsConfig). + StartTLS(gomock.Not(gomock.Nil())). Return(errors.New("LDAP Result Code 200 \"Network Error\": ldap: already encrypted")) gomock.InOrder(dialURL, connStartTLS, mockClient.EXPECT().Close()) _, err := provider.GetDetails("john") - assert.EqualError(t, err, "starttls failed with error: LDAP Result Code 200 \"Network Error\": ldap: already encrypted") + assert.EqualError(t, err, "error occurred performing starttls: LDAP Result Code 200 \"Network Error\": ldap: already encrypted") } diff --git a/internal/authentication/types.go b/internal/authentication/types.go index d1853d5f3..145a83818 100644 --- a/internal/authentication/types.go +++ b/internal/authentication/types.go @@ -1,59 +1,13 @@ package authentication import ( - "crypto/tls" "fmt" "net/mail" "net/url" - "time" - "github.com/go-ldap/ldap/v3" "golang.org/x/text/language" ) -// LDAPClientFactory an interface of factory of LDAP clients. -type LDAPClientFactory interface { - DialURL(addr string, opts ...ldap.DialOpt) (client LDAPClient, err error) -} - -// LDAPClient is a cut down version of the ldap.Client interface with just the methods we use. -// -// Methods added to this interface that have a direct correlation with one from ldap.Client should have the same signature. -type LDAPClient interface { - Close() (err error) - IsClosing() bool - SetTimeout(timeout time.Duration) - - TLSConnectionState() (state tls.ConnectionState, ok bool) - StartTLS(config *tls.Config) (err error) - - Unbind() (err error) - Bind(username, password string) (err error) - SimpleBind(request *ldap.SimpleBindRequest) (result *ldap.SimpleBindResult, err error) - MD5Bind(host string, username string, password string) (err error) - DigestMD5Bind(request *ldap.DigestMD5BindRequest) (result *ldap.DigestMD5BindResult, err error) - UnauthenticatedBind(username string) (err error) - ExternalBind() (err error) - NTLMBind(domain string, username string, password string) (err error) - NTLMUnauthenticatedBind(domain string, username string) (err error) - NTLMBindWithHash(domain string, username string, hash string) (err error) - NTLMChallengeBind(request *ldap.NTLMBindRequest) (result *ldap.NTLMBindResult, err error) - - Modify(request *ldap.ModifyRequest) (err error) - ModifyWithResult(request *ldap.ModifyRequest) (result *ldap.ModifyResult, err error) - ModifyDN(m *ldap.ModifyDNRequest) (err error) - PasswordModify(request *ldap.PasswordModifyRequest) (result *ldap.PasswordModifyResult, err error) - - Add(request *ldap.AddRequest) (err error) - Del(request *ldap.DelRequest) (err error) - - Search(request *ldap.SearchRequest) (result *ldap.SearchResult, err error) - SearchWithPaging(request *ldap.SearchRequest, pagingSize uint32) (result *ldap.SearchResult, err error) - Compare(dn string, attribute string, value string) (same bool, err error) - - WhoAmI(controls []ldap.Control) (result *ldap.WhoAmIResult, err error) -} - // UserDetails represent the details retrieved for a given user. type UserDetails struct { Username string diff --git a/internal/authentication/user_provider.go b/internal/authentication/user_provider.go index f6c63ca57..516345d15 100644 --- a/internal/authentication/user_provider.go +++ b/internal/authentication/user_provider.go @@ -13,4 +13,5 @@ type UserProvider interface { GetDetails(username string) (details *UserDetails, err error) GetDetailsExtended(username string) (details *UserDetailsExtended, err error) UpdatePassword(username, newPassword string) (err error) + Shutdown() (err error) } diff --git a/internal/commands/services.go b/internal/commands/services.go index 332a29357..18598b488 100644 --- a/internal/commands/services.go +++ b/internal/commands/services.go @@ -447,6 +447,10 @@ func servicesRun(ctx ServiceCtx) { var err error + if err = ctx.GetProviders().UserProvider.Shutdown(); err != nil { + ctx.GetLogger().WithError(err).Error("Error occurred closing authentication connections") + } + if err = ctx.GetProviders().StorageProvider.Close(); err != nil { ctx.GetLogger().WithError(err).Error("Error occurred closing database connections") } diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml index a3181081d..2e01b7a15 100644 --- a/internal/configuration/config.template.yml +++ b/internal/configuration/config.template.yml @@ -459,6 +459,7 @@ identity_validation: ## Use StartTLS with the LDAP connection. # start_tls: false + ## TLS configuration. # tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the address options hostname. @@ -495,6 +496,20 @@ identity_validation: # ... # -----END RSA PRIVATE KEY----- + ## Connection Pooling configuration. + # pooling: + ## Enable Pooling. + # enable: false + + ## Pool count. + # count: 5 + + ## Retries to obtain a connection during the timeout. + # retries: 2 + + ## Timeout before the attempt to obtain a connection fails. + # timeout: '10 seconds' + ## The distinguished name of the container searched for objects in the directory information tree. ## See also: additional_users_dn, additional_groups_dn. # base_dn: 'dc=example,dc=com' diff --git a/internal/configuration/schema/authentication.go b/internal/configuration/schema/authentication.go index 4ebfb680f..010262abf 100644 --- a/internal/configuration/schema/authentication.go +++ b/internal/configuration/schema/authentication.go @@ -127,6 +127,8 @@ type AuthenticationBackendLDAP struct { StartTLS bool `koanf:"start_tls" json:"start_tls" jsonschema:"default=false,title=StartTLS" jsonschema_description:"Enables the use of StartTLS."` TLS *TLS `koanf:"tls" json:"tls" jsonschema:"title=TLS" jsonschema_description:"The LDAP directory server TLS connection properties."` + Pooling AuthenticationBackendLDAPPooling `koanf:"pooling" json:"pooling" jsonschema:"title=Pooling" jsonschema_description:"The LDAP Connection Pooling properties."` + BaseDN string `koanf:"base_dn" json:"base_dn" jsonschema:"title=Base DN" jsonschema_description:"The base for all directory server operations."` AdditionalUsersDN string `koanf:"additional_users_dn" json:"additional_users_dn" jsonschema:"title=Additional User Base" jsonschema_description:"The base in addition to the Base DN for all directory server operations for users."` @@ -146,6 +148,13 @@ type AuthenticationBackendLDAP struct { Password string `koanf:"password" json:"password" jsonschema:"title=Password" jsonschema_description:"The password for LDAP authenticated binding."` } +type AuthenticationBackendLDAPPooling struct { + Enable bool `koanf:"enable" json:"enable" jsonschema:"title=Enable,default=false" jsonschema_description:"Enable LDAP connection pooling."` + Count int `koanf:"count" json:"count" jsonschema:"title=Count,default=5" jsonschema_description:"The number of connections to keep open for LDAP connection pooling."` + Retries int `koanf:"retries" json:"retries" jsonschema:"title=Retries,default=2" jsonschema_description:"The number of attempts to retrieve a connection from the pool during the timeout."` + Timeout time.Duration `koanf:"timeout" json:"timeout" jsonschema:"title=Timeout,default=10 seconds" jsonschema_description:"The duration of time to wait for a connection to become available in the connection pool."` +} + // AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes. type AuthenticationBackendLDAPAttributes struct { DistinguishedName string `koanf:"distinguished_name" json:"distinguished_name" jsonschema:"title=Attribute: Distinguished Name" jsonschema_description:"The directory server attribute which contains the distinguished name for all objects."` @@ -243,6 +252,11 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = Authenti GroupName: ldapAttrCommonName, }, Timeout: time.Second * 5, + Pooling: AuthenticationBackendLDAPPooling{ + Count: 5, + Retries: 2, + Timeout: time.Second * 10, + }, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, diff --git a/internal/configuration/schema/keys.go b/internal/configuration/schema/keys.go index b065409ae..f2efaca93 100644 --- a/internal/configuration/schema/keys.go +++ b/internal/configuration/schema/keys.go @@ -197,6 +197,10 @@ var Keys = []string{ "authentication_backend.ldap.tls.server_name", "authentication_backend.ldap.tls.private_key", "authentication_backend.ldap.tls.certificate_chain", + "authentication_backend.ldap.pooling.enable", + "authentication_backend.ldap.pooling.count", + "authentication_backend.ldap.pooling.retries", + "authentication_backend.ldap.pooling.timeout", "authentication_backend.ldap.base_dn", "authentication_backend.ldap.additional_users_dn", "authentication_backend.ldap.users_filter", diff --git a/internal/configuration/validator/authentication.go b/internal/configuration/validator/authentication.go index e53c7695d..c0dde8a26 100644 --- a/internal/configuration/validator/authentication.go +++ b/internal/configuration/validator/authentication.go @@ -349,6 +349,20 @@ func validateLDAPAuthenticationBackend(config *schema.AuthenticationBackend, val validator.Push(fmt.Errorf(errFmtLDAPAuthBackendTLSConfigInvalid, err)) } + if config.LDAP.Pooling.Enable { + if config.LDAP.Pooling.Count < 1 { + config.LDAP.Pooling.Count = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Pooling.Count + } + + if config.LDAP.Pooling.Retries < 1 { + config.LDAP.Pooling.Retries = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Pooling.Retries + } + + if config.LDAP.Pooling.Timeout < 1 { + config.LDAP.Pooling.Timeout = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Pooling.Timeout + } + } + if strings.Contains(config.LDAP.UsersFilter, "{0}") { validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterReplacedPlaceholders, "users_filter", "{0}", "{input}")) } diff --git a/internal/configuration/validator/authentication_test.go b/internal/configuration/validator/authentication_test.go index c1ee3fe14..1fe5e2937 100644 --- a/internal/configuration/validator/authentication_test.go +++ b/internal/configuration/validator/authentication_test.go @@ -608,9 +608,22 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementa suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation) - suite.Equal(suite.config.LDAP.Attributes.Username, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Attributes.Username) + suite.Equal(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Attributes.Username, suite.config.LDAP.Attributes.Username) suite.Len(suite.validator.Warnings(), 0) suite.Len(suite.validator.Errors(), 0) + + suite.Equal(0, suite.config.LDAP.Pooling.Retries) + suite.Equal(0, suite.config.LDAP.Pooling.Count) + suite.Equal(time.Duration(0), suite.config.LDAP.Pooling.Timeout) +} + +func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultPooling() { + suite.config.LDAP.Pooling.Enable = true + ValidateAuthenticationBackend(&suite.config, suite.validator) + + suite.Equal(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Pooling.Retries, suite.config.LDAP.Pooling.Retries) + suite.Equal(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Pooling.Count, suite.config.LDAP.Pooling.Count) + suite.Equal(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Pooling.Timeout, suite.config.LDAP.Pooling.Timeout) } func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenImplementationIsInvalidMSAD() { diff --git a/internal/mocks/gen.go b/internal/mocks/gen.go index f7cab1b14..46c9446d2 100644 --- a/internal/mocks/gen.go +++ b/internal/mocks/gen.go @@ -10,7 +10,9 @@ package mocks //go:generate mockgen -package mocks -destination duo_api.go -mock_names API=MockAPI github.com/authelia/authelia/v4/internal/duo API //go:generate mockgen -package mocks -destination random.go -mock_names Provider=MockRandom github.com/authelia/authelia/v4/internal/random Provider -// Fosite Mocks. +// External Mocks. + +// Mocks for authelia.com/provider/oauth2. //go:generate mockgen -package mocks -destination oauth2_client_credentials_grant_storage.go -mock_names Provider=MockClientCredentialsGrantStorage authelia.com/provider/oauth2/handler/oauth2 ClientCredentialsGrantStorage //go:generate mockgen -package mocks -destination oauth2_token_revocation_storage.go -mock_names Provider=MockTokenRevocationStorage authelia.com/provider/oauth2/handler/oauth2 TokenRevocationStorage //go:generate mockgen -package mocks -destination oauth2_access_token_strategy.go -mock_names Provider=MockAccessTokenStrategy authelia.com/provider/oauth2/handler/oauth2 AccessTokenStrategy diff --git a/internal/mocks/user_provider.go b/internal/mocks/user_provider.go index 81fa53483..b235d80b7 100644 --- a/internal/mocks/user_provider.go +++ b/internal/mocks/user_provider.go @@ -85,6 +85,20 @@ func (mr *MockUserProviderMockRecorder) GetDetailsExtended(username any) *gomock return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetailsExtended", reflect.TypeOf((*MockUserProvider)(nil).GetDetailsExtended), username) } +// Shutdown mocks base method. +func (m *MockUserProvider) Shutdown() error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Shutdown") + ret0, _ := ret[0].(error) + return ret0 +} + +// Shutdown indicates an expected call of Shutdown. +func (mr *MockUserProviderMockRecorder) Shutdown() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Shutdown", reflect.TypeOf((*MockUserProvider)(nil).Shutdown)) +} + // StartupCheck mocks base method. func (m *MockUserProvider) StartupCheck() error { m.ctrl.T.Helper() diff --git a/internal/suites/ActiveDirectory/configuration.yml b/internal/suites/ActiveDirectory/configuration.yml index eb5ae0359..657bacc2c 100644 --- a/internal/suites/ActiveDirectory/configuration.yml +++ b/internal/suites/ActiveDirectory/configuration.yml @@ -43,6 +43,11 @@ session: authentication_backend: ldap: address: 'ldap://sambaldap' + pooling: + enable: true + count: 4 + retries: 3 + timeout: 10s implementation: 'activedirectory' tls: skip_verify: true diff --git a/internal/suites/LDAP/configuration.yml b/internal/suites/LDAP/configuration.yml index a96976996..72876c0b5 100644 --- a/internal/suites/LDAP/configuration.yml +++ b/internal/suites/LDAP/configuration.yml @@ -43,6 +43,11 @@ session: authentication_backend: ldap: address: 'ldaps://openldap' + pooling: + enable: true + count: 4 + retries: 3 + timeout: 10s tls: skip_verify: true base_dn: 'dc=example,dc=com' diff --git a/internal/utils/crypto.go b/internal/utils/crypto.go index 884aac5a2..9493ade5b 100644 --- a/internal/utils/crypto.go +++ b/internal/utils/crypto.go @@ -314,6 +314,10 @@ func IsX509PrivateKey(i any) bool { // NewTLSConfig generates a tls.Config from a schema.TLS and a x509.CertPool. func NewTLSConfig(config *schema.TLS, rootCAs *x509.CertPool) (tlsConfig *tls.Config) { + if config == nil { + return nil + } + var certificates []tls.Certificate if config.PrivateKey != nil && config.CertificateChain.HasCertificates() { |