scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

ldap/auth: add tests for login regressions (#26327)

Browse Source 
* ldap/auth: add tests for login regressions

Add tests to cover the regressions reported in
- https://github.com/hashicorp/vault/issues/26171
- https://github.com/hashicorp/vault/issues/26183

* fix tests; update image tag
This commit is contained in:
John-Michael Faircloth
2024-04-10 12:39:30 -05:00
committed by GitHub
parent 0445e62546
commit f2b5290bc1
6 changed files with 105 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
builtin/credential/ldap/backend_test.go
View File

@@ -267,7 +267,7 @@ func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
} }
} }
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
configReq := &logical.Request{ configReq := &logical.Request{
Operation: logical.UpdateOperation, Operation: logical.UpdateOperation,
@@ -313,7 +313,7 @@ func TestLdapAuthBackend_UserPolicies(t *testing.T) {
var err error var err error
b, storage := createBackendWithStorage(t) b, storage := createBackendWithStorage(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
configReq := &logical.Request{ configReq := &logical.Request{
Operation: logical.UpdateOperation, Operation: logical.UpdateOperation,
@@ -418,9 +418,77 @@ func factory(t *testing.T) logical.Backend {
return b return b
} }
// TestBackend_LoginRegression_AnonBind is a test for the regression reported in
// https://github.com/hashicorp/vault/issues/26183.
func TestBackend_LoginRegression_AnonBind(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
cfg.AnonymousGroupSearch = true
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Map Admin_staff group (from LDAP server) with foo policy
testAccStepGroup(t, "admin_staff", "foo"),
// Map engineers group (local) with bar policy
testAccStepGroup(t, "engineers", "bar"),
// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes conrad", "engineers"),
// Authenticate
testAccStepLogin(t, "hermes conrad", "hermes"),
// Verify both groups mappings can be listed back
testAccStepGroupList(t, []string{"engineers", "admin_staff"}),
// Verify user mapping can be listed back
testAccStepUserList(t, []string{"hermes conrad"}),
},
})
}
// TestBackend_LoginRegression_UserAttr is a test for the regression reported in
// https://github.com/hashicorp/vault/issues/26171.
// Vault relies on case insensitive user attribute keys for mapping user
// attributes to entity alias metadata.
func TestBackend_LoginRegression_UserAttr(t *testing.T) {
b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "master")
cfg.UserAttr = "givenName"
defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfigUrl(t, cfg),
// Map Admin_staff group (from LDAP server) with foo policy
testAccStepGroup(t, "admin_staff", "foo"),
// Map engineers group (local) with bar policy
testAccStepGroup(t, "engineers", "bar"),
// Map hermes conrad user with local engineers group
testAccStepUser(t, "hermes", "engineers"),
// Authenticate
testAccStepLogin(t, "hermes", "hermes"),
// Verify both groups mappings can be listed back
testAccStepGroupList(t, []string{"engineers", "admin_staff"}),
// Verify user mapping can be listed back
testAccStepUserList(t, []string{"hermes"}),
},
})
}
func TestBackend_basic(t *testing.T) { func TestBackend_basic(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{ logicaltest.Test(t, logicaltest.TestCase{
@@ -450,7 +518,7 @@ func TestBackend_basic(t *testing.T) {
func TestBackend_basic_noPolicies(t *testing.T) { func TestBackend_basic_noPolicies(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{ logicaltest.Test(t, logicaltest.TestCase{
@@ -468,7 +536,7 @@ func TestBackend_basic_noPolicies(t *testing.T) {
func TestBackend_basic_group_noPolicies(t *testing.T) { func TestBackend_basic_group_noPolicies(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{ logicaltest.Test(t, logicaltest.TestCase{
@@ -489,7 +557,7 @@ func TestBackend_basic_group_noPolicies(t *testing.T) {
func TestBackend_basic_authbind(t *testing.T) { func TestBackend_basic_authbind(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{ logicaltest.Test(t, logicaltest.TestCase{
@@ -506,7 +574,7 @@ func TestBackend_basic_authbind(t *testing.T) {
func TestBackend_basic_authbind_userfilter(t *testing.T) { func TestBackend_basic_authbind_userfilter(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
// userattr not used in the userfilter should result in a warning in the response // userattr not used in the userfilter should result in a warning in the response
@@ -649,7 +717,7 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {
func TestBackend_basic_authbind_metadata_name(t *testing.T) { func TestBackend_basic_authbind_metadata_name(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
cfg.UserAttr = "cn" cfg.UserAttr = "cn"
@@ -714,7 +782,7 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,
func TestBackend_basic_discover(t *testing.T) { func TestBackend_basic_discover(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{ logicaltest.Test(t, logicaltest.TestCase{
@@ -731,7 +799,7 @@ func TestBackend_basic_discover(t *testing.T) {
func TestBackend_basic_nogroupdn(t *testing.T) { func TestBackend_basic_nogroupdn(t *testing.T) {
b := factory(t) b := factory(t)
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
logicaltest.Test(t, logicaltest.TestCase{ logicaltest.Test(t, logicaltest.TestCase{
@@ -829,6 +897,7 @@ func testAccStepConfigUrl(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.T
"groupattr": cfg.GroupAttr, "groupattr": cfg.GroupAttr,
"binddn": cfg.BindDN, "binddn": cfg.BindDN,
"bindpass": cfg.BindPassword, "bindpass": cfg.BindPassword,
"anonymous_group_search": cfg.AnonymousGroupSearch,
"case_sensitive_names": true, "case_sensitive_names": true,
"token_policies": "abc,xyz", "token_policies": "abc,xyz",
"request_timeout": cfg.RequestTimeout, "request_timeout": cfg.RequestTimeout,
@@ -1180,7 +1249,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
ctx := context.Background() ctx := context.Background()
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
configReq := &logical.Request{ configReq := &logical.Request{
Operation: logical.UpdateOperation, Operation: logical.UpdateOperation,

7
helper/testhelpers/ldap/ldaphelper.go
View File

@@ -11,6 +11,7 @@ import (
"testing" "testing"
"github.com/hashicorp/cap/ldap" "github.com/hashicorp/cap/ldap"
"github.com/hashicorp/vault/sdk/helper/docker" "github.com/hashicorp/vault/sdk/helper/docker"
"github.com/hashicorp/vault/sdk/helper/ldaputil" "github.com/hashicorp/vault/sdk/helper/ldaputil"
) )
@@ -23,12 +24,10 @@ func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ld
} }
runner, err := docker.NewServiceRunner(docker.RunOptions{ runner, err := docker.NewServiceRunner(docker.RunOptions{
// Currently set to "michelvocks" until https://github.com/rroemhild/docker-test-openldap/pull/14 ImageRepo: "ghcr.io/rroemhild/docker-test-openldap",
// has been merged.
ImageRepo: "docker.mirror.hashicorp.services/michelvocks/docker-test-openldap",
ImageTag: version, ImageTag: version,
ContainerName: "ldap", ContainerName: "ldap",
Ports: []string{"389/tcp"}, Ports: []string{"10389/tcp"},
// Env: []string{"LDAP_DEBUG_LEVEL=384"}, // Env: []string{"LDAP_DEBUG_LEVEL=384"},
}) })
if err != nil { if err != nil {

4
vault/external_tests/identity/groups_test.go
View File

@@ -153,7 +153,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
} }
ldapMountAccessor1 := auths["ldap/"].Accessor ldapMountAccessor1 := auths["ldap/"].Accessor
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest") cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
// Configure LDAP auth // Configure LDAP auth
@@ -255,7 +255,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, "latest") cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup2() defer cleanup2()
// Configure LDAP auth // Configure LDAP auth

8
vault/external_tests/identity/identity_test.go
View File

@@ -30,10 +30,10 @@ func TestIdentityStore_ExternalGroupMemberships_DifferentMounts(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
entityID := secret.Data["id"].(string) entityID := secret.Data["id"].(string)
cleanup, config1 := ldaphelper.PrepareTestContainer(t, "latest") cleanup, config1 := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
cleanup2, config2 := ldaphelper.PrepareTestContainer(t, "latest") cleanup2, config2 := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup2() defer cleanup2()
setupFunc := func(path string, cfg *ldaputil.ConfigEntry) string { setupFunc := func(path string, cfg *ldaputil.ConfigEntry) string {
@@ -222,7 +222,7 @@ func TestIdentityStore_Integ_GroupAliases(t *testing.T) {
t.Fatalf("bad: group alias: %#v\n", aliasMap) t.Fatalf("bad: group alias: %#v\n", aliasMap)
} }
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest") cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
// Configure LDAP auth // Configure LDAP auth
@@ -457,7 +457,7 @@ func TestIdentityStore_Integ_RemoveFromExternalGroup(t *testing.T) {
t.Fatalf("bad: group alias: %#v\n", aliasMap) t.Fatalf("bad: group alias: %#v\n", aliasMap)
} }
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest") cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
// Configure LDAP auth // Configure LDAP auth

4
vault/external_tests/policy/policy_test.go
View File

@@ -48,7 +48,7 @@ func TestPolicy_NoDefaultPolicy(t *testing.T) {
} }
// Configure LDAP auth backend // Configure LDAP auth backend
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest") cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{ _, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
@@ -106,7 +106,7 @@ func TestPolicy_NoConfiguredPolicy(t *testing.T) {
} }
// Configure LDAP auth backend // Configure LDAP auth backend
cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest") cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{ _, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{

2
vault/external_tests/token/token_test.go
View File

@@ -102,7 +102,7 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
cleanup, cfg := ldap.PrepareTestContainer(t, "latest") cleanup, cfg := ldap.PrepareTestContainer(t, "master")
defer cleanup() defer cleanup()
// Configure LDAP auth // Configure LDAP auth