From df18cb0c221332c1fe32f4fa217d9c8dcb64c125 Mon Sep 17 00:00:00 2001
From: Stephan Renatus <srenatus@chef.io>
Date: Thu, 14 Jun 2018 10:10:15 +0200
Subject: [PATCH] ldap_test: add filter tests
The filters for user and group searches hadn't been included in our LDAP
tests. Now they are.
The concrete test cases are somewhat contrived, but that shouldn't
matter too much. Also note that the example queries I've used are not
supported in AD: https://stackoverflow.com/a/10043452
Signed-off-by: Stephan Renatus <srenatus@chef.io>
---
connector/ldap/ldap_test.go | 202 ++++++++++++++++++++++++++++++++++++
1 file changed, 202 insertions(+)
diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index 6cbff68c..fa6b7062 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@@ -185,6 +185,102 @@ userpassword: bar
runTests(t, schema, connectLDAP, c, tests)
}
+func TestUserFilter(t *testing.T) {
+ schema := `
+dn: dc=example,dc=org
+objectClass: dcObject
+objectClass: organization
+o: Example Company
+dc: example
+
+dn: ou=Seattle,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Seattle
+
+dn: ou=Portland,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Portland
+
+dn: ou=People,ou=Seattle,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=People,ou=Portland,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,ou=Seattle,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=jane,ou=People,ou=Portland,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoefromportland@example.com
+userpassword: baz
+
+dn: cn=john,ou=People,ou=Seattle,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+`
+ c := &Config{}
+ c.UserSearch.BaseDN = "dc=example,dc=org"
+ c.UserSearch.NameAttr = "cn"
+ c.UserSearch.EmailAttr = "mail"
+ c.UserSearch.IDAttr = "DN"
+ c.UserSearch.Username = "cn"
+ c.UserSearch.Filter = "(ou:dn:=Seattle)"
+
+ tests := []subtest{
+ {
+ name: "validpassword",
+ username: "jane",
+ password: "foo",
+ want: connector.Identity{
+ UserID: "cn=jane,ou=People,ou=Seattle,dc=example,dc=org",
+ Username: "jane",
+ Email: "janedoe@example.com",
+ EmailVerified: true,
+ },
+ },
+ {
+ name: "validpassword2",
+ username: "john",
+ password: "bar",
+ want: connector.Identity{
+ UserID: "cn=john,ou=People,ou=Seattle,dc=example,dc=org",
+ Username: "john",
+ Email: "johndoe@example.com",
+ EmailVerified: true,
+ },
+ },
+ {
+ name: "invalidpassword",
+ username: "jane",
+ password: "badpassword",
+ wantBadPW: true,
+ },
+ {
+ name: "invaliduser",
+ username: "idontexist",
+ password: "foo",
+ wantBadPW: true, // Want invalid password, not a query error.
+ },
+ }
+
+ runTests(t, schema, connectLDAP, c, tests)
+}
+
func TestGroupQuery(t *testing.T) {
schema := `
dn: dc=example,dc=org
@@ -370,6 +466,112 @@ gidNumber: 1002
runTests(t, schema, connectLDAP, c, tests)
}
+func TestGroupFilter(t *testing.T) {
+ schema := `
+dn: dc=example,dc=org
+objectClass: dcObject
+objectClass: organization
+o: Example Company
+dc: example
+
+dn: ou=People,dc=example,dc=org
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=jane,ou=People,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: jane
+mail: janedoe@example.com
+userpassword: foo
+
+dn: cn=john,ou=People,dc=example,dc=org
+objectClass: person
+objectClass: inetOrgPerson
+sn: doe
+cn: john
+mail: johndoe@example.com
+userpassword: bar
+
+# Group definitions.
+
+dn: ou=Seattle,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Seattle
+
+dn: ou=Portland,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Portland
+
+dn: ou=Groups,ou=Seattle,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Groups,ou=Portland,dc=example,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
+objectClass: groupOfNames
+cn: qa
+member: cn=john,ou=People,dc=example,dc=org
+
+dn: cn=admins,ou=Groups,ou=Seattle,dc=example,dc=org
+objectClass: groupOfNames
+cn: admins
+member: cn=john,ou=People,dc=example,dc=org
+member: cn=jane,ou=People,dc=example,dc=org
+
+dn: cn=developers,ou=Groups,ou=Seattle,dc=example,dc=org
+objectClass: groupOfNames
+cn: developers
+member: cn=jane,ou=People,dc=example,dc=org
+`
+ c := &Config{}
+ c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
+ c.UserSearch.NameAttr = "cn"
+ c.UserSearch.EmailAttr = "mail"
+ c.UserSearch.IDAttr = "DN"
+ c.UserSearch.Username = "cn"
+ c.GroupSearch.BaseDN = "dc=example,dc=org"
+ c.GroupSearch.UserAttr = "DN"
+ c.GroupSearch.GroupAttr = "member"
+ c.GroupSearch.NameAttr = "cn"
+ c.GroupSearch.Filter = "(ou:dn:=Seattle)" // ignore other groups
+
+ tests := []subtest{
+ {
+ name: "validpassword",
+ username: "jane",
+ password: "foo",
+ groups: true,
+ want: connector.Identity{
+ UserID: "cn=jane,ou=People,dc=example,dc=org",
+ Username: "jane",
+ Email: "janedoe@example.com",
+ EmailVerified: true,
+ Groups: []string{"admins", "developers"},
+ },
+ },
+ {
+ name: "validpassword2",
+ username: "john",
+ password: "bar",
+ groups: true,
+ want: connector.Identity{
+ UserID: "cn=john,ou=People,dc=example,dc=org",
+ Username: "john",
+ Email: "johndoe@example.com",
+ EmailVerified: true,
+ Groups: []string{"admins"},
+ },
+ },
+ }
+
+ runTests(t, schema, connectLDAP, c, tests)
+}
+
func TestStartTLS(t *testing.T) {
schema := `
dn: dc=example,dc=org
--
GitLab