From ffa1f5472c4fa8c80abefee77a5886879f64ef8b Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Thu, 20 Jan 2022 13:08:52 -0500
Subject: [PATCH] Backport of auth/ldap: Add username to alias.metadata.name into release/1.9.x (#13726)

* backport of commit 5dc6e43303dff074ecc3a9c5949ae64b597bff0f
* backport of commit 002ed5fe4630b587d04dc79da7a0bf953b826682
* backport of commit 77e4dfeb07d43e4698458665a9b239b329934db4
* backport of commit 65141513a89d8513f41cb16fb04331f05dcd39a9
* backport of commit eb7cee2ceeaa9ae39298a4eb967b333c58e5d4b2
* backport of commit 7dc5acc806a6fda64cfddb3b0e79430a596a8f68
* backport of commit 9ae01d77ccff5390320a562eebbaf48834213fa2

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
---
 builtin/credential/ldap/backend_test.go | 50 ++++++++++++++++---------
 builtin/credential/ldap/path_login.go | 3 ++
 changelog/13669.txt | 3 ++
 helper/testhelpers/logical/testing.go | 34 ++++++++++++++---
 4 files changed, 68 insertions(+), 22 deletions(-)
 create mode 100644 changelog/13669.txt

diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
index c59e8ceedc0a..1522e7d128e1 100644
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -597,6 +597,26 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {
 }
 
+func TestBackend_basic_authbind_metadata_name(t *testing.T) {
+
+ b := factory(t)
+ cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+ defer cleanup()
+
+ cfg.UserAttr = "cn"
+ cfg.UPNDomain = "planetexpress.com"
+
+ addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
+
+ logicaltest.Test(t, logicaltest.TestCase{
+ CredentialBackend: b,
+ Steps: []logicaltest.TestStep{
+ testAccStepConfigUrlWithAuthBind(t, cfg),
+ testAccStepLoginAliasMetadataName(t, "professor", "professor"),
+ },
+ })
+}
+
 func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, testUserDN string, testUserUPN string) {
 // Setup connection
 client := &ldaputil.Client{
@@ -644,23 +664,6 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,
 }
 
-func TestBackend_basic_authbind_upndomain(t *testing.T) {
- b := factory(t)
- cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
- defer cleanup()
- cfg.UPNDomain = "planetexpress.com"
-
- addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
-
- logicaltest.Test(t, logicaltest.TestCase{
- CredentialBackend: b,
- Steps: []logicaltest.TestStep{
- testAccStepConfigUrlWithAuthBind(t, cfg),
- testAccStepLoginNoAttachedPolicies(t, "professor", "professor"),
- },
- })
-}
-
 func TestBackend_basic_discover(t *testing.T) {
 b := factory(t)
 cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
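Review bot: TestBackend_basic_authbind_metadata_name replaces TestBackend_basic_authbind_upndomain (deleted in the next hunk) but keeps only the alias-metadata step, so the assertion that a UPN-domain login yields no attached policies is no longer exercised anywhere in this file. Keeping that coverage is one extra step in Steps: `testAccStepLoginNoAttachedPolicies(t, "professor", "professor"),` next to the metadata step. `cfg.UserAttr = "cn"` is new relative to the deleted test; if the metadata check depends on it, a one-line comment saying so would save the next reader a container run. The blank line directly after the function's opening brace is also out of step with the neighbouring tests.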
@@ -990,6 +993,19 @@ func testAccStepLoginNoAttachedPolicies(t *testing.T, user string, pass string)
 }
 }
 
+func testAccStepLoginAliasMetadataName(t *testing.T, user string, pass string) logicaltest.TestStep {
+ return logicaltest.TestStep{
+ Operation: logical.UpdateOperation,
+ Path: "login/" + user,
+ Data: map[string]interface{}{
+ "password": pass,
+ },
+ Unauthenticated: true,
+
+ Check: logicaltest.TestCheckAuthEntityAliasMetadataName("name", user),
+ }
+}
+
 func testAccStepLoginFailure(t *testing.T, user string, pass string) logicaltest.TestStep {
 return logicaltest.TestStep{
 Operation: logical.UpdateOperation,
diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
index 57cbc8185ddc..eea2006e7f42 100644
--- a/builtin/credential/ldap/path_login.go
+++ b/builtin/credential/ldap/path_login.go
@@ -97,6 +97,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 DisplayName: username,
 Alias: &logical.Alias{
 Name: effectiveUsername,
+ Metadata: map[string]string{
+ "name": username,
+ },
 },
 }
 
diff --git a/changelog/13669.txt b/changelog/13669.txt
new file mode 100644
index 000000000000..01d4fe46a268
--- /dev/null
+++ b/changelog/13669.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Add username to alias metadata
+```
\ No newline at end of file
diff --git a/helper/testhelpers/logical/testing.go b/helper/testhelpers/logical/testing.go
index 7037d159237a..ffc801b78d5d 100644
--- a/helper/testhelpers/logical/testing.go
+++ b/helper/testhelpers/logical/testing.go
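Review bot: The blank line between `Unauthenticated: true,` and `Check:` in testAccStepLoginAliasMetadataName is a style inconsistency; the sibling helper testAccStepLoginFailure visible just below, and testAccStepLoginNoAttachedPolicies named in the hunk header, lay out the same struct literal without that gap. Dropping the blank line keeps the step helpers uniform. The helper also bakes in that the metadata value equals the login-path `user`; a short comment on the Check line, such as `// the backend records the login-path username under alias metadata "name"`, would make that expectation explicit.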
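Review bot: The new `"name": username` metadata entry records the login-path input as received, while the adjacent `Name: effectiveUsername` is the derived identity, and nothing in the hunk tells a consumer of alias.metadata.name (policy templates, identity group mappings) which of the two forms it is getting. Add a comment above the Metadata field along the lines of `// "name" is the username as supplied on the login path; Alias.Name carries the effective identity used for the alias.` Because the value is client-supplied and not normalised here, anything keying on alias.metadata.name should treat it as informational rather than as the canonical identifier, and that caveat belongs in the comment too. Whether effectiveUsername is the UPN-qualified form is inferred from the accompanying test changes, so confirm the wording against the code above the hunk; pathLogin begins and ends outside this hunk.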
@@ -457,13 +457,37 @@ func TestCheckAuthEntityId(entity_id *string) TestCheckFunc {
 return fmt.Errorf("no auth in response")
 }
 
- if *entity_id == "" {
- // If we don't know what the entity_id should be, just save it
- *entity_id = resp.Auth.EntityID
- } else if resp.Auth.EntityID != *entity_id {
+ if *entity_id == "" {
+ // If we don't know what the entity_id should be, just save it
+ *entity_id = resp.Auth.EntityID
+ } else if resp.Auth.EntityID != *entity_id {
 return fmt.Errorf("entity_id %s does not match the expected value of %s", resp.Auth.EntityID, *entity_id)
- }
+ }
+
+ return nil
+ }
+}
+// TestCheckAuthEntityAliasMetadataName is a helper to check that a request generated an
+// auth token with the expected alias metadata.
+func TestCheckAuthEntityAliasMetadataName(key string, value string) TestCheckFunc {
+ return func(resp *logical.Response) error {
+ if resp == nil || resp.Auth == nil {
+ return fmt.Errorf("no auth in response")
+ }
+
+ if key == "" || value == "" {
+ return fmt.Errorf("alias metadata key and value required")
+ }
+
+ name, ok := resp.Auth.Alias.Metadata[key]
+ if !ok {
+ return fmt.Errorf("metadata key %s does not exist, it should", key)
+ }
+
+ if name != value {
+ return fmt.Errorf("expected map value %s, got %s", value, name)
+ }
 
 return nil
 }
 }
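Review bot: `name, ok := resp.Auth.Alias.Metadata[key]` dereferences resp.Auth.Alias without checking it, so a backend that returns Auth with no Alias makes this check panic instead of producing the test failure the helper exists to report; the guard above it only covers resp and resp.Auth. Extend that guard to `if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil { return fmt.Errorf("no auth alias in response") }`; indexing a nil Metadata map is safe, so nothing more is needed there. The hunk also places `+// TestCheckAuthEntityAliasMetadataName ...` directly after the `+}` that closes TestCheckAuthEntityId with no blank line between the two top-level declarations, which the rest of the file presumably has. TestCheckAuthEntityId starts outside this hunk.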