Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ldap/auth: add tests for login regressions #26327

Merged
merged 6 commits into from
Apr 10, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 93 additions & 24 deletions builtin/credential/ldap/backend_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -267,7 +267,7 @@ func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
}
}

cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Expand Down Expand Up @@ -313,7 +313,7 @@ func TestLdapAuthBackend_UserPolicies(t *testing.T) {
var err error
b, storage := createBackendWithStorage(t)

cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Expand Down Expand Up @@ -418,9 +418,77 @@ func factory(t *testing.T) logical.Backend {
return b
}

// TestBackend_LoginRegression_AnonBind is a test for the regression reported in
// https://github.com/hashicorp/vault/issues/26183.
func TestBackend_LoginRegression_AnonBind(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
cfg.AnonymousGroupSearch = true
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Map Admin_staff group (from LDAP server) with foo policy
testAccStepGroup(t, "admin_staff", "foo"),

// Map engineers group (local) with bar policy
testAccStepGroup(t, "engineers", "bar"),

// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes", "engineers"),

// Authenticate
testAccStepLogin(t, "hermes", "hermes"),

// Verify both groups mappings can be listed back
testAccStepGroupList(t, []string{"engineers", "admin_staff"}),

// Verify user mapping can be listed back
testAccStepUserList(t, []string{"hermes"}),
},
})
}

// TestBackend_LoginRegression_UserAttr is a test for the regression reported in
// https://github.com/hashicorp/vault/issues/26171.
// Vault relies on case insensitive user attribute keys for mapping user
// attributes to entity alias metadata.
func TestBackend_LoginRegression_UserAttr(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
cfg.UserAttr = "givenName"
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Map Admin_staff group (from LDAP server) with foo policy
testAccStepGroup(t, "admin_staff", "foo"),

// Map engineers group (local) with bar policy
testAccStepGroup(t, "engineers", "bar"),

// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes", "engineers"),

// Authenticate
testAccStepLogin(t, "hermes", "hermes"),

// Verify both groups mappings can be listed back
testAccStepGroupList(t, []string{"engineers", "admin_staff"}),

// Verify user mapping can be listed back
testAccStepUserList(t, []string{"hermes"}),
},
})
}

func TestBackend_basic(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
Expand Down Expand Up @@ -450,7 +518,7 @@ func TestBackend_basic(t *testing.T) {

func TestBackend_basic_noPolicies(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
Expand All @@ -468,7 +536,7 @@ func TestBackend_basic_noPolicies(t *testing.T) {

func TestBackend_basic_group_noPolicies(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
Expand All @@ -489,7 +557,7 @@ func TestBackend_basic_group_noPolicies(t *testing.T) {

func TestBackend_basic_authbind(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
Expand All @@ -506,7 +574,7 @@ func TestBackend_basic_authbind(t *testing.T) {

func TestBackend_basic_authbind_userfilter(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

// userattr not used in the userfilter should result in a warning in the response
Expand Down Expand Up @@ -649,7 +717,7 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {

func TestBackend_basic_authbind_metadata_name(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

cfg.UserAttr = "cn"
Expand Down Expand Up @@ -714,7 +782,7 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,

func TestBackend_basic_discover(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
Expand All @@ -731,7 +799,7 @@ func TestBackend_basic_discover(t *testing.T) {

func TestBackend_basic_nogroupdn(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

logicaltest.Test(t, logicaltest.TestCase{
Expand Down Expand Up @@ -821,19 +889,20 @@ func testAccStepConfigUrl(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.T
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"userfilter": cfg.UserFilter,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"case_sensitive_names": true,
"token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout,
"connection_timeout": cfg.ConnectionTimeout,
"username_as_alias": cfg.UsernameAsAlias,
"url": cfg.Url,
"userattr": cfg.UserAttr,
"userdn": cfg.UserDN,
"userfilter": cfg.UserFilter,
"groupdn": cfg.GroupDN,
"groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN,
"bindpass": cfg.BindPassword,
"anonymous_group_search": cfg.AnonymousGroupSearch,
"case_sensitive_names": true,
"token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout,
"connection_timeout": cfg.ConnectionTimeout,
"username_as_alias": cfg.UsernameAsAlias,
},
}
}
Expand Down Expand Up @@ -1180,7 +1249,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {

ctx := context.Background()

cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Expand Down
9 changes: 5 additions & 4 deletions helper/testhelpers/ldap/ldaphelper.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"testing"

"github.com/hashicorp/cap/ldap"

"github.com/hashicorp/vault/sdk/helper/docker"
"github.com/hashicorp/vault/sdk/helper/ldaputil"
)
Expand All @@ -23,12 +24,12 @@ func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ld
}

runner, err := docker.NewServiceRunner(docker.RunOptions{
// Currently set to "michelvocks" until https://github.com/rroemhild/docker-test-openldap/pull/14
// has been merged.
ImageRepo: "docker.mirror.hashicorp.services/michelvocks/docker-test-openldap",
// TODO(JMF): use the mirror once https://github.com/hashicorp/docker-registry-mirror/pull/64 is merged
// ImageRepo: "docker.mirror.hashicorp.services/rroemhild/docker-test-openldap",
ImageRepo: "ghcr.io/rroemhild/docker-test-openldap",
ImageTag: version,
ContainerName: "ldap",
Ports: []string{"389/tcp"},
Ports: []string{"10389/tcp"},
// Env: []string{"LDAP_DEBUG_LEVEL=384"},
})
if err != nil {
Expand Down
4 changes: 2 additions & 2 deletions vault/external_tests/identity/groups_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
}
ldapMountAccessor1 := auths["ldap/"].Accessor

cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup()

// Configure LDAP auth
Expand Down Expand Up @@ -255,7 +255,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
t.Fatal(err)
}

cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, "latest")
cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup2()

// Configure LDAP auth
Expand Down
8 changes: 4 additions & 4 deletions vault/external_tests/identity/identity_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ func TestIdentityStore_ExternalGroupMemberships_DifferentMounts(t *testing.T) {
require.NoError(t, err)
entityID := secret.Data["id"].(string)

cleanup, config1 := ldaphelper.PrepareTestContainer(t, "latest")
cleanup, config1 := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup()

cleanup2, config2 := ldaphelper.PrepareTestContainer(t, "latest")
cleanup2, config2 := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup2()

setupFunc := func(path string, cfg *ldaputil.ConfigEntry) string {
Expand Down Expand Up @@ -222,7 +222,7 @@ func TestIdentityStore_Integ_GroupAliases(t *testing.T) {
t.Fatalf("bad: group alias: %#v\n", aliasMap)
}

cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup()

// Configure LDAP auth
Expand Down Expand Up @@ -457,7 +457,7 @@ func TestIdentityStore_Integ_RemoveFromExternalGroup(t *testing.T) {
t.Fatalf("bad: group alias: %#v\n", aliasMap)
}

cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup()

// Configure LDAP auth
Expand Down
4 changes: 2 additions & 2 deletions vault/external_tests/policy/policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ func TestPolicy_NoDefaultPolicy(t *testing.T) {
}

// Configure LDAP auth backend
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup()

_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
Expand Down Expand Up @@ -106,7 +106,7 @@ func TestPolicy_NoConfiguredPolicy(t *testing.T) {
}

// Configure LDAP auth backend
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup()

_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
Expand Down
2 changes: 1 addition & 1 deletion vault/external_tests/token/token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
t.Fatal(err)
}

cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup()

// Configure LDAP auth
Expand Down
Loading