diff options
Diffstat (limited to 'internal/authentication/ldap_user_provider_test.go')
| -rw-r--r-- | internal/authentication/ldap_user_provider_test.go | 187 |
1 files changed, 185 insertions, 2 deletions
diff --git a/internal/authentication/ldap_user_provider_test.go b/internal/authentication/ldap_user_provider_test.go index d831c11aa..b4c3ab6e2 100644 --- a/internal/authentication/ldap_user_provider_test.go +++ b/internal/authentication/ldap_user_provider_test.go @@ -1,6 +1,7 @@ package authentication import ( + "errors" "testing" "github.com/go-ldap/ldap/v3" @@ -151,7 +152,9 @@ func TestShouldEscapeUserInput(t *testing.T) { Search(NewSearchRequestMatcher("(|(uid=john\\=abc)(mail=john\\=abc))")). Return(&ldap.SearchResult{}, nil) - ldapClient.getUserProfile(mockConn, "john=abc") //nolint:errcheck // TODO: Legacy code, consider refactoring time permitting. + _, err := ldapClient.getUserProfile(mockConn, "john=abc") + require.Error(t, err) + assert.EqualError(t, err, "user not found") } func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) { @@ -177,7 +180,9 @@ func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) { Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")). Return(&ldap.SearchResult{}, nil) - ldapClient.getUserProfile(mockConn, "john") //nolint:errcheck // TODO: Legacy code, consider refactoring time permitting. + _, err := ldapClient.getUserProfile(mockConn, "john") + require.Error(t, err) + assert.EqualError(t, err, "user not found") } func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult { @@ -386,3 +391,181 @@ func TestShouldReturnUsernameFromLDAP(t *testing.T) { assert.Equal(t, details.DisplayName, "John Doe") assert.Equal(t, details.Username, "John") } + +func TestShouldCallStartTLSWhenEnabled(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + mockFactory := NewMockLDAPConnectionFactory(ctrl) + mockConn := NewMockLDAPConnection(ctrl) + + ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{ + URL: "ldap://127.0.0.1:389", + User: "cn=admin,dc=example,dc=com", + Password: "password", + UsernameAttribute: "uid", + MailAttribute: "mail", + DisplayNameAttribute: "displayname", + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + StartTLS: true, + }, mockFactory) + + mockFactory.EXPECT(). + Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")). + Return(mockConn, nil) + + mockConn.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + mockConn.EXPECT(). + StartTLS(ldapClient.tlsConfig) + + mockConn.EXPECT(). + Close() + + searchGroups := mockConn.EXPECT(). + Search(gomock.Any()). + Return(createSearchResultWithAttributes(), nil) + searchProfile := mockConn.EXPECT(). + Search(gomock.Any()). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "uid=test,dc=example,dc=com", + Attributes: []*ldap.EntryAttribute{ + { + Name: "displayname", + Values: []string{"John Doe"}, + }, + { + Name: "mail", + Values: []string{"test@example.com"}, + }, + { + Name: "uid", + Values: []string{"john"}, + }, + }, + }, + }, + }, nil) + + gomock.InOrder(searchProfile, searchGroups) + + details, err := ldapClient.GetDetails("john") + require.NoError(t, err) + + assert.ElementsMatch(t, details.Groups, []string{}) + assert.ElementsMatch(t, details.Emails, []string{"test@example.com"}) + assert.Equal(t, details.DisplayName, "John Doe") + assert.Equal(t, details.Username, "john") +} + +func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + mockFactory := NewMockLDAPConnectionFactory(ctrl) + mockConn := NewMockLDAPConnection(ctrl) + + ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{ + URL: "ldap://127.0.0.1:389", + User: "cn=admin,dc=example,dc=com", + Password: "password", + UsernameAttribute: "uid", + MailAttribute: "mail", + DisplayNameAttribute: "displayname", + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + StartTLS: true, + SkipVerify: true, + }, mockFactory) + + mockFactory.EXPECT(). + Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")). + Return(mockConn, nil) + + mockConn.EXPECT(). + Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). + Return(nil) + + mockConn.EXPECT(). + StartTLS(ldapClient.tlsConfig) + + mockConn.EXPECT(). + Close() + + searchGroups := mockConn.EXPECT(). + Search(gomock.Any()). + Return(createSearchResultWithAttributes(), nil) + searchProfile := mockConn.EXPECT(). + Search(gomock.Any()). + Return(&ldap.SearchResult{ + Entries: []*ldap.Entry{ + { + DN: "uid=test,dc=example,dc=com", + Attributes: []*ldap.EntryAttribute{ + { + Name: "displayname", + Values: []string{"John Doe"}, + }, + { + Name: "mail", + Values: []string{"test@example.com"}, + }, + { + Name: "uid", + Values: []string{"john"}, + }, + }, + }, + }, + }, nil) + + gomock.InOrder(searchProfile, searchGroups) + + details, err := ldapClient.GetDetails("john") + require.NoError(t, err) + + assert.ElementsMatch(t, details.Groups, []string{}) + assert.ElementsMatch(t, details.Emails, []string{"test@example.com"}) + assert.Equal(t, details.DisplayName, "John Doe") + assert.Equal(t, details.Username, "john") +} + +func TestShouldReturnLDAPSAlreadySecuredWhenStartTLSAttempted(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + mockFactory := NewMockLDAPConnectionFactory(ctrl) + mockConn := NewMockLDAPConnection(ctrl) + + ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{ + URL: "ldaps://127.0.0.1:389", + User: "cn=admin,dc=example,dc=com", + Password: "password", + UsernameAttribute: "uid", + MailAttribute: "mail", + DisplayNameAttribute: "displayname", + UsersFilter: "uid={input}", + AdditionalUsersDN: "ou=users", + BaseDN: "dc=example,dc=com", + StartTLS: true, + SkipVerify: true, + }, mockFactory) + + mockFactory.EXPECT(). + DialTLS(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389"), gomock.Any()). + Return(mockConn, nil) + + mockConn.EXPECT(). + StartTLS(ldapClient.tlsConfig). + Return(errors.New("LDAP Result Code 200 \"Network Error\": ldap: already encrypted")) + + _, err := ldapClient.GetDetails("john") + assert.EqualError(t, err, "LDAP Result Code 200 \"Network Error\": ldap: already encrypted") +} |