ldap/auth: add tests for login regressions (#26327)

* ldap/auth: add tests for login regressions Add tests to cover the regressions reported in - https://github.com/hashicorp/vault/issues/26171 - https://github.com/hashicorp/vault/issues/26183 * fix tests; update image tag
2025-10-31 18:48:08 +00:00 · 2024-04-10 12:39:30 -05:00
parent 0445e62546
commit f2b5290bc1
6 changed files with 105 additions and 37 deletions
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -267,7 +267,7 @@ func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
 		}
 	}

-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()
 	configReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -313,7 +313,7 @@ func TestLdapAuthBackend_UserPolicies(t *testing.T) {
 	var err error
 	b, storage := createBackendWithStorage(t)

-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()
 	configReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -418,9 +418,77 @@ func factory(t *testing.T) logical.Backend {
 	return b
 }

+// TestBackend_LoginRegression_AnonBind is a test for the regression reported in
+// https://github.com/hashicorp/vault/issues/26183.
+func TestBackend_LoginRegression_AnonBind(t *testing.T) {
+	b := factory(t)
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
+	cfg.AnonymousGroupSearch = true
+	defer cleanup()
+
+	logicaltest.Test(t, logicaltest.TestCase{
+		CredentialBackend: b,
+		Steps: []logicaltest.TestStep{
+			testAccStepConfigUrl(t, cfg),
+			// Map Admin_staff group (from LDAP server) with foo policy
+			testAccStepGroup(t, "admin_staff", "foo"),
+
+			// Map engineers group (local) with bar policy
+			testAccStepGroup(t, "engineers", "bar"),
+
+			// Map hermes conrad user with local engineers group
+			testAccStepUser(t, "hermes conrad", "engineers"),
+
+			// Authenticate
+			testAccStepLogin(t, "hermes conrad", "hermes"),
+
+			// Verify both groups mappings can be listed back
+			testAccStepGroupList(t, []string{"engineers", "admin_staff"}),
+
+			// Verify user mapping can be listed back
+			testAccStepUserList(t, []string{"hermes conrad"}),
+		},
+	})
+}
+
+// TestBackend_LoginRegression_UserAttr is a test for the regression reported in
+// https://github.com/hashicorp/vault/issues/26171.
+// Vault relies on case insensitive user attribute keys for mapping user
+// attributes to entity alias metadata.
+func TestBackend_LoginRegression_UserAttr(t *testing.T) {
+	b := factory(t)
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
+	cfg.UserAttr = "givenName"
+	defer cleanup()
+
+	logicaltest.Test(t, logicaltest.TestCase{
+		CredentialBackend: b,
+		Steps: []logicaltest.TestStep{
+			testAccStepConfigUrl(t, cfg),
+			// Map Admin_staff group (from LDAP server) with foo policy
+			testAccStepGroup(t, "admin_staff", "foo"),
+
+			// Map engineers group (local) with bar policy
+			testAccStepGroup(t, "engineers", "bar"),
+
+			// Map hermes conrad user with local engineers group
+			testAccStepUser(t, "hermes", "engineers"),
+
+			// Authenticate
+			testAccStepLogin(t, "hermes", "hermes"),
+
+			// Verify both groups mappings can be listed back
+			testAccStepGroupList(t, []string{"engineers", "admin_staff"}),
+
+			// Verify user mapping can be listed back
+			testAccStepUserList(t, []string{"hermes"}),
+		},
+	})
+}
+
 func TestBackend_basic(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	logicaltest.Test(t, logicaltest.TestCase{
@@ -450,7 +518,7 @@ func TestBackend_basic(t *testing.T) {

 func TestBackend_basic_noPolicies(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	logicaltest.Test(t, logicaltest.TestCase{
@@ -468,7 +536,7 @@ func TestBackend_basic_noPolicies(t *testing.T) {

 func TestBackend_basic_group_noPolicies(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	logicaltest.Test(t, logicaltest.TestCase{
@@ -489,7 +557,7 @@ func TestBackend_basic_group_noPolicies(t *testing.T) {

 func TestBackend_basic_authbind(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	logicaltest.Test(t, logicaltest.TestCase{
@@ -506,7 +574,7 @@ func TestBackend_basic_authbind(t *testing.T) {

 func TestBackend_basic_authbind_userfilter(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	// userattr not used in the userfilter should result in a warning in the response
@@ -649,7 +717,7 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {

 func TestBackend_basic_authbind_metadata_name(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	cfg.UserAttr = "cn"
@@ -714,7 +782,7 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,

 func TestBackend_basic_discover(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	logicaltest.Test(t, logicaltest.TestCase{
@@ -731,7 +799,7 @@ func TestBackend_basic_discover(t *testing.T) {

 func TestBackend_basic_nogroupdn(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	logicaltest.Test(t, logicaltest.TestCase{
@@ -821,19 +889,20 @@ func testAccStepConfigUrl(t *testing.T, cfg *ldaputil.ConfigEntry) logicaltest.T
 		Operation: logical.UpdateOperation,
 		Path:      "config",
 		Data: map[string]interface{}{
-			"url":                  cfg.Url,
-			"userattr":             cfg.UserAttr,
-			"userdn":               cfg.UserDN,
-			"userfilter":           cfg.UserFilter,
-			"groupdn":              cfg.GroupDN,
-			"groupattr":            cfg.GroupAttr,
-			"binddn":               cfg.BindDN,
-			"bindpass":             cfg.BindPassword,
-			"case_sensitive_names": true,
-			"token_policies":       "abc,xyz",
-			"request_timeout":      cfg.RequestTimeout,
-			"connection_timeout":   cfg.ConnectionTimeout,
-			"username_as_alias":    cfg.UsernameAsAlias,
+			"url":                    cfg.Url,
+			"userattr":               cfg.UserAttr,
+			"userdn":                 cfg.UserDN,
+			"userfilter":             cfg.UserFilter,
+			"groupdn":                cfg.GroupDN,
+			"groupattr":              cfg.GroupAttr,
+			"binddn":                 cfg.BindDN,
+			"bindpass":               cfg.BindPassword,
+			"anonymous_group_search": cfg.AnonymousGroupSearch,
+			"case_sensitive_names":   true,
+			"token_policies":         "abc,xyz",
+			"request_timeout":        cfg.RequestTimeout,
+			"connection_timeout":     cfg.ConnectionTimeout,
+			"username_as_alias":      cfg.UsernameAsAlias,
 		},
 	}
 }
@@ -1180,7 +1249,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {

 	ctx := context.Background()

-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()
 	configReq := &logical.Request{
 		Operation: logical.UpdateOperation,
--- a/helper/testhelpers/ldap/ldaphelper.go
+++ b/helper/testhelpers/ldap/ldaphelper.go
@@ -11,6 +11,7 @@ import (
 	"testing"

 	"github.com/hashicorp/cap/ldap"
+
 	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/ldaputil"
 )
@@ -23,12 +24,10 @@ func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ld
 	}

 	runner, err := docker.NewServiceRunner(docker.RunOptions{
-		// Currently set to "michelvocks" until https://github.com/rroemhild/docker-test-openldap/pull/14
-		// has been merged.
-		ImageRepo:     "docker.mirror.hashicorp.services/michelvocks/docker-test-openldap",
+		ImageRepo:     "ghcr.io/rroemhild/docker-test-openldap",
 		ImageTag:      version,
 		ContainerName: "ldap",
-		Ports:         []string{"389/tcp"},
+		Ports:         []string{"10389/tcp"},
 		// Env:        []string{"LDAP_DEBUG_LEVEL=384"},
 	})
 	if err != nil {
--- a/vault/external_tests/identity/groups_test.go
+++ b/vault/external_tests/identity/groups_test.go
@@ -153,7 +153,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
 	}
 	ldapMountAccessor1 := auths["ldap/"].Accessor

-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup()

 	// Configure LDAP auth
@@ -255,7 +255,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
 		t.Fatal(err)
 	}

-	cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup2()

 	// Configure LDAP auth
--- a/vault/external_tests/identity/identity_test.go
+++ b/vault/external_tests/identity/identity_test.go
@@ -30,10 +30,10 @@ func TestIdentityStore_ExternalGroupMemberships_DifferentMounts(t *testing.T) {
 	require.NoError(t, err)
 	entityID := secret.Data["id"].(string)

-	cleanup, config1 := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup, config1 := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup()

-	cleanup2, config2 := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup2, config2 := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup2()

 	setupFunc := func(path string, cfg *ldaputil.ConfigEntry) string {
@@ -222,7 +222,7 @@ func TestIdentityStore_Integ_GroupAliases(t *testing.T) {
 		t.Fatalf("bad: group alias: %#v\n", aliasMap)
 	}

-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup()

 	// Configure LDAP auth
@@ -457,7 +457,7 @@ func TestIdentityStore_Integ_RemoveFromExternalGroup(t *testing.T) {
 		t.Fatalf("bad: group alias: %#v\n", aliasMap)
 	}

-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup()

 	// Configure LDAP auth
--- a/vault/external_tests/policy/policy_test.go
+++ b/vault/external_tests/policy/policy_test.go
@@ -48,7 +48,7 @@ func TestPolicy_NoDefaultPolicy(t *testing.T) {
 	}

 	// Configure LDAP auth backend
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup()

 	_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
@@ -106,7 +106,7 @@ func TestPolicy_NoConfiguredPolicy(t *testing.T) {
 	}

 	// Configure LDAP auth backend
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldaphelper.PrepareTestContainer(t, "master")
 	defer cleanup()

 	_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
--- a/vault/external_tests/token/token_test.go
+++ b/vault/external_tests/token/token_test.go
@@ -102,7 +102,7 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
 		t.Fatal(err)
 	}

-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
 	defer cleanup()

 	// Configure LDAP auth