Case insensitive behavior for LDAP (#4238)

2025-11-01 19:17:58 +00:00 · 2018-04-03 09:52:43 -04:00
parent a4fc5a40cd
commit 266a57fab2
7 changed files with 365 additions and 59 deletions
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -31,6 +31,182 @@ func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
 	return b, config.StorageView
 }

+func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
+	var resp *logical.Response
+	var err error
+	b, storage := createBackendWithStorage(t)
+
+	ctx := context.Background()
+
+	testVals := func(caseSensitive bool) {
+		// Clear storage
+		userList, err := storage.List(ctx, "user/")
+		if err != nil {
+			t.Fatal(err)
+		}
+		for _, user := range userList {
+			err = storage.Delete(ctx, "user/"+user)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		groupList, err := storage.List(ctx, "group/")
+		if err != nil {
+			t.Fatal(err)
+		}
+		for _, group := range groupList {
+			err = storage.Delete(ctx, "group/"+group)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+
+		configReq := &logical.Request{
+			Path:      "config",
+			Operation: logical.ReadOperation,
+			Storage:   storage,
+		}
+		resp, err = b.HandleRequest(ctx, configReq)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+		if resp == nil {
+			t.Fatal("nil response")
+		}
+		if resp.Data["case_sensitive_names"].(bool) != caseSensitive {
+			t.Fatalf("expected case sensitivity %t, got %t", caseSensitive, resp.Data["case_sensitive_names"].(bool))
+		}
+
+		groupReq := &logical.Request{
+			Operation: logical.UpdateOperation,
+			Data: map[string]interface{}{
+				"policies": "grouppolicy",
+			},
+			Path:    "groups/EngineerS",
+			Storage: storage,
+		}
+		resp, err = b.HandleRequest(ctx, groupReq)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+		keys, err := storage.List(ctx, "group/")
+		if err != nil {
+			t.Fatal(err)
+		}
+		switch caseSensitive {
+		case true:
+			if keys[0] != "EngineerS" {
+				t.Fatalf("bad: %s", keys[0])
+			}
+		default:
+			if keys[0] != "engineers" {
+				t.Fatalf("bad: %s", keys[0])
+			}
+		}
+
+		userReq := &logical.Request{
+			Operation: logical.UpdateOperation,
+			Data: map[string]interface{}{
+				"groups":   "EngineerS",
+				"policies": "userpolicy",
+			},
+			Path:    "users/teSlA",
+			Storage: storage,
+		}
+		resp, err = b.HandleRequest(ctx, userReq)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+		keys, err = storage.List(ctx, "user/")
+		if err != nil {
+			t.Fatal(err)
+		}
+		switch caseSensitive {
+		case true:
+			if keys[0] != "teSlA" {
+				t.Fatalf("bad: %s", keys[0])
+			}
+		default:
+			if keys[0] != "tesla" {
+				t.Fatalf("bad: %s", keys[0])
+			}
+		}
+
+		if caseSensitive {
+			// The online test server is actually case sensitive so we need to
+			// write again so it works
+			userReq = &logical.Request{
+				Operation: logical.UpdateOperation,
+				Data: map[string]interface{}{
+					"groups":   "EngineerS",
+					"policies": "userpolicy",
+				},
+				Path:    "users/tesla",
+				Storage: storage,
+			}
+			resp, err = b.HandleRequest(ctx, userReq)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("err:%v resp:%#v", err, resp)
+			}
+		}
+
+		loginReq := &logical.Request{
+			Operation: logical.UpdateOperation,
+			Path:      "login/tesla",
+			Data: map[string]interface{}{
+				"password": "password",
+			},
+			Storage: storage,
+		}
+		resp, err = b.HandleRequest(ctx, loginReq)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+		expected := []string{"grouppolicy", "userpolicy"}
+		if !reflect.DeepEqual(expected, resp.Auth.Policies) {
+			t.Fatalf("bad: policies: expected: %q, actual: %q", expected, resp.Auth.Policies)
+		}
+	}
+
+	configReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Data: map[string]interface{}{
+			// Online LDAP test server
+			// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
+			"url":      "ldap://ldap.forumsys.com",
+			"userattr": "uid",
+			"userdn":   "dc=example,dc=com",
+			"groupdn":  "dc=example,dc=com",
+			"binddn":   "cn=read-only-admin,dc=example,dc=com",
+		},
+		Storage: storage,
+	}
+	resp, err = b.HandleRequest(ctx, configReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+
+	testVals(false)
+
+	// Check that if the value is nil, on read it is case sensitive
+	configEntry, err := b.Config(ctx, configReq)
+	if err != nil {
+		t.Fatal(err)
+	}
+	configEntry.CaseSensitiveNames = nil
+	entry, err := logical.StorageEntryJSON("config", configEntry)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = configReq.Storage.Put(ctx, entry)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testVals(true)
+}
+
 func TestLdapAuthBackend_UserPolicies(t *testing.T) {
 	var resp *logical.Response
 	var err error
@@ -278,10 +454,11 @@ func testAccStepConfigUrl(t *testing.T) logicaltest.TestStep {
 		Data: map[string]interface{}{
 			// Online LDAP test server
 			// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
-			"url":      "ldap://ldap.forumsys.com",
-			"userattr": "uid",
-			"userdn":   "dc=example,dc=com",
-			"groupdn":  "dc=example,dc=com",
+			"url":                  "ldap://ldap.forumsys.com",
+			"userattr":             "uid",
+			"userdn":               "dc=example,dc=com",
+			"groupdn":              "dc=example,dc=com",
+			"case_sensitive_names": true,
 		},
 	}
 }
@@ -294,12 +471,13 @@ func testAccStepConfigUrlWithAuthBind(t *testing.T) logicaltest.TestStep {
 			// Online LDAP test server
 			// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
 			// In this test we also exercise multiple URL support
-			"url":      "foobar://ldap.example.com,ldap://ldap.forumsys.com",
-			"userattr": "uid",
-			"userdn":   "dc=example,dc=com",
-			"groupdn":  "dc=example,dc=com",
-			"binddn":   "cn=read-only-admin,dc=example,dc=com",
-			"bindpass": "password",
+			"url":                  "foobar://ldap.example.com,ldap://ldap.forumsys.com",
+			"userattr":             "uid",
+			"userdn":               "dc=example,dc=com",
+			"groupdn":              "dc=example,dc=com",
+			"binddn":               "cn=read-only-admin,dc=example,dc=com",
+			"bindpass":             "password",
+			"case_sensitive_names": true,
 		},
 	}
 }
@@ -311,11 +489,12 @@ func testAccStepConfigUrlWithDiscover(t *testing.T) logicaltest.TestStep {
 		Data: map[string]interface{}{
 			// Online LDAP test server
 			// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
-			"url":        "ldap://ldap.forumsys.com",
-			"userattr":   "uid",
-			"userdn":     "dc=example,dc=com",
-			"groupdn":    "dc=example,dc=com",
-			"discoverdn": true,
+			"url":                  "ldap://ldap.forumsys.com",
+			"userattr":             "uid",
+			"userdn":               "dc=example,dc=com",
+			"groupdn":              "dc=example,dc=com",
+			"discoverdn":           true,
+			"case_sensitive_names": true,
 		},
 	}
 }
@@ -327,10 +506,11 @@ func testAccStepConfigUrlNoGroupDN(t *testing.T) logicaltest.TestStep {
 		Data: map[string]interface{}{
 			// Online LDAP test server
 			// http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
-			"url":        "ldap://ldap.forumsys.com",
-			"userattr":   "uid",
-			"userdn":     "dc=example,dc=com",
-			"discoverdn": true,
+			"url":                  "ldap://ldap.forumsys.com",
+			"userattr":             "uid",
+			"userdn":               "dc=example,dc=com",
+			"discoverdn":           true,
+			"case_sensitive_names": true,
 		},
 	}
 }