RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/authentication/ldap_user_provider_test.go

5418 lines
150 KiB
Go
Raw Permalink Normal View History

Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
package authentication
import (
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
"errors"
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
"fmt"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
"testing"
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
"time"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
[DEPS] Fix gopkg.in/ldap.v3 import for dependabot (#726)
2020-03-19 04:22:46 +00:00
"github.com/go-ldap/ldap/v3"
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
"github.com/golang/mock/gomock"
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
"github.com/stretchr/testify/assert"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
"github.com/stretchr/testify/require"
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
"golang.org/x/text/encoding/unicode"
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/utils"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestNewLDAPUserProvider(t *testing.T) {
provider := NewLDAPUserProvider(schema.AuthenticationBackend{LDAP: &schema.LDAPAuthenticationBackend{}}, nil)
assert.NotNil(t, provider)
}
func TestNewLDAPUserProviderWithFactoryWithoutFactory(t *testing.T) {
provider := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackend{}, false, nil, nil)
assert.NotNil(t, provider)
assert.IsType(t, &ProductionLDAPClientFactory{}, provider.factory)
}
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
func TestShouldCreateRawConnectionWhenSchemeIsLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 06:39:17 +00:00
Address: testLDAPAddress,
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
User: "cn=admin,dc=example,dc=com",
Password: "password",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
_, err := provider.connect()
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
require.NoError(t, err)
}
func TestShouldCreateTLSConnectionWhenSchemeIsLDAPS(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 06:39:17 +00:00
Address: testLDAPSAddress,
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
User: "cn=admin,dc=example,dc=com",
Password: "password",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
_, err := provider.connect()
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
require.NoError(t, err)
}
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
func TestEscapeSpecialCharsFromUserInput(t *testing.T) {
refactor: apply godot recommendations (#2839)
2022-01-31 05:25:15 +00:00
// No escape.
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
assert.Equal(t, "xyz", ldapEscape("xyz"))
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
refactor: apply godot recommendations (#2839)
2022-01-31 05:25:15 +00:00
// Escape.
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
assert.Equal(t, "test\\,abc", ldapEscape("test,abc"))
assert.Equal(t, "test\\5cabc", ldapEscape("test\\abc"))
assert.Equal(t, "test\\2aabc", ldapEscape("test*abc"))
assert.Equal(t, "test \\28abc\\29", ldapEscape("test (abc)"))
assert.Equal(t, "test\\#abc", ldapEscape("test#abc"))
assert.Equal(t, "test\\+abc", ldapEscape("test+abc"))
assert.Equal(t, "test\\<abc", ldapEscape("test<abc"))
assert.Equal(t, "test\\>abc", ldapEscape("test>abc"))
assert.Equal(t, "test\\;abc", ldapEscape("test;abc"))
assert.Equal(t, "test\\\"abc", ldapEscape("test\"abc"))
assert.Equal(t, "test\\=abc", ldapEscape("test=abc"))
assert.Equal(t, "test\\,\\5c\\28abc\\29", ldapEscape("test,\\(abc)"))
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
}
func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 06:39:17 +00:00
Address: testLDAPSAddress,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
GroupsFilter: "(|(member={dn})(uid={username})(uid={input}))",
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
profile := ldapUserProfile{
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
DN: "cn=john (external),dc=example,dc=com",
Username: "john",
DisplayName: "John Doe",
Emails: []string{"john.doe@authelia.com"},
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
}
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
filter := provider.resolveGroupsFilter("john", &profile)
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john))", filter)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
filter = provider.resolveGroupsFilter("john#=(abc,def)", &profile)
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john\\#\\=\\28abc\\,def\\29))", filter)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestResolveGroupsFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
testCases := []struct {
name string
have schema.LDAPAuthenticationBackend
input string
profile ldapUserProfile
expected string
}{
{
"ShouldResolveEmptyFilter",
schema.LDAPAuthenticationBackend{},
"",
ldapUserProfile{},
"",
},
{
"ShouldResolveMemberOfRDNFilter",
schema.LDAPAuthenticationBackend{
GroupsFilter: "(|{memberof:rdn})",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
GroupName: "cn",
MemberOf: "memberOf",
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
},
},
"",
ldapUserProfile{
MemberOf: []string{"CN=abc,DC=example,DC=com", "CN=xyz,DC=example,DC=com"},
},
"(|(CN=abc)(CN=xyz))",
},
{
"ShouldResolveMemberOfDNFilter",
schema.LDAPAuthenticationBackend{
GroupsFilter: "(|{memberof:dn})",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
GroupName: "cn",
MemberOf: "memberOf",
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
},
},
"",
ldapUserProfile{
MemberOf: []string{"CN=abc,DC=example,DC=com", "CN=xyz,DC=example,DC=com"},
},
"(|(distinguishedName=CN=abc,DC=example,DC=com)(distinguishedName=CN=xyz,DC=example,DC=com))",
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
provider := NewLDAPUserProviderWithFactory(
tc.have,
false,
nil,
mockFactory)
assert.Equal(t, tc.expected, provider.resolveGroupsFilter("", &tc.profile))
})
}
}
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
type ExtendedSearchRequestMatcher struct {
filter string
baseDN string
scope int
derefAliases int
typesOnly bool
attributes []string
}
func NewExtendedSearchRequestMatcher(filter, base string, scope, derefAliases int, typesOnly bool, attributes []string) *ExtendedSearchRequestMatcher {
return &ExtendedSearchRequestMatcher{filter, base, scope, derefAliases, typesOnly, attributes}
}
refactor: any (#4133) * refactor: any * refactor: fix test
2022-10-05 05:05:23 +00:00
func (e *ExtendedSearchRequestMatcher) Matches(x any) bool {
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
sr := x.(*ldap.SearchRequest)
if e.filter != sr.Filter || e.baseDN != sr.BaseDN || e.scope != sr.Scope || e.derefAliases != sr.DerefAliases ||
e.typesOnly != sr.TypesOnly || utils.IsStringSlicesDifferent(e.attributes, sr.Attributes) {
return false
}
return true
}
func (e *ExtendedSearchRequestMatcher) String() string {
return fmt.Sprintf("baseDN: %s, filter %s", e.baseDN, e.filter)
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestShouldCheckLDAPEpochFilters(t *testing.T) {
type have struct {
users string
attr schema.LDAPAuthenticationAttributes
}
type expected struct {
dtgeneralized bool
dtmsftnt bool
dtunix bool
}
testCases := []struct {
name string
have have
expected expected
}{
{
"ShouldNotEnableAny",
have{},
expected{},
},
{
"ShouldNotEnableMSFTNT",
have{
users: "(abc={date-time:microsoft-nt})",
},
expected{
dtmsftnt: true,
},
},
{
"ShouldNotEnableUnix",
have{
users: "(abc={date-time:unix})",
},
expected{
dtunix: true,
},
},
{
"ShouldNotEnableGeneralized",
have{
users: "(abc={date-time:generalized})",
},
expected{
dtgeneralized: true,
},
},
}
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
UsersFilter: tc.have.users,
Attributes: tc.have.attr,
BaseDN: "dc=example,dc=com",
},
false,
nil,
mockFactory)
assert.Equal(t, tc.expected.dtgeneralized, provider.usersFilterReplacementDateTimeGeneralized)
assert.Equal(t, tc.expected.dtmsftnt, provider.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch)
assert.Equal(t, tc.expected.dtunix, provider.usersFilterReplacementDateTimeUnixEpoch)
})
}
}
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
func TestShouldCheckLDAPServerExtensions(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
nil,
mockFactory)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Values: []string{ldapOIDExtensionPwdModifyExOp, ldapOIDExtensionTLS},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connClose := mockClient.EXPECT().Close()
gomock.InOrder(dialURL, connBind, searchOIDs, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.True(t, provider.features.Extensions.PwdModifyExOp)
assert.True(t, provider.features.Extensions.TLS)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.ControlTypes.MsftPwdPolHints)
assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
}
func TestShouldNotCheckLDAPServerExtensionsWhenRootDSEReturnsMoreThanOneEntry(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp, ldapOIDExtensionTLS},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
{},
},
}, nil)
connClose := mockClient.EXPECT().Close()
gomock.InOrder(dialURL, connBind, searchOIDs, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.Extensions.PwdModifyExOp)
assert.False(t, provider.features.Extensions.TLS)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.ControlTypes.MsftPwdPolHints)
assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
}
func TestShouldCheckLDAPServerControlTypes(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
},
},
},
},
}, nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind, searchOIDs, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.Extensions.PwdModifyExOp)
assert.False(t, provider.features.Extensions.TLS)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.True(t, provider.features.ControlTypes.MsftPwdPolHints)
assert.True(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
func TestShouldNotEnablePasswdModifyExtensionOrControlTypes(t *testing.T) {
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
nil,
mockFactory)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
},
},
},
}, nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind, searchOIDs, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.Extensions.PwdModifyExOp)
assert.False(t, provider.features.Extensions.TLS)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.ControlTypes.MsftPwdPolHints)
assert.False(t, provider.features.ControlTypes.MsftPwdPolHintsDeprecated)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
}
func TestShouldReturnCheckServerConnectError(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
nil,
mockFactory)
mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, errors.New("could not connect"))
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
assert.EqualError(t, err, "dial failed with error: could not connect")
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.Extensions.PwdModifyExOp)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
}
func TestShouldReturnCheckServerSearchError(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
nil,
mockFactory)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
Return(nil, errors.New("could not perform the search"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind, searchOIDs, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
feat(authentication): permit feature detection failures (#4061) This adds a configuration option which permits the failure of feature detection (control type OIDs and extension OIDs).
2022-10-01 20:44:18 +00:00
assert.EqualError(t, err, "error occurred during RootDSE search: could not perform the search")
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.features.Extensions.PwdModifyExOp)
feat(authentiation): check ldap support for extended operations on startup (#2133) * feat(authentiation): check ldap server on startup This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary. * test(authentication): add unit tests for new feature * refactor(authentication): factorize ldap user provider newup * refactor: minor adjustments
2021-07-01 23:16:16 +00:00
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestShouldPermitRootDSEFailure(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
PermitFeatureDetectionFailure: true,
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(nil, errors.New("could not perform the search"))
connClose := mockClient.EXPECT().Close()
gomock.InOrder(dialURL, connBind, searchOIDs, connClose)
err := provider.StartupCheck()
assert.NoError(t, err)
}
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
type SearchRequestMatcher struct {
expected string
}
func NewSearchRequestMatcher(expected string) *SearchRequestMatcher {
return &SearchRequestMatcher{expected}
}
refactor: any (#4133) * refactor: any * refactor: fix test
2022-10-05 05:05:23 +00:00
func (srm *SearchRequestMatcher) Matches(x any) bool {
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
sr := x.(*ldap.SearchRequest)
return sr.Filter == srm.expected
}
func (srm *SearchRequestMatcher) String() string {
return ""
}
func TestShouldEscapeUserInput(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockClient.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
// Here we ensure that the input has been correctly escaped.
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
Search(NewSearchRequestMatcher("(|(uid=john\\=abc)(mail=john\\=abc))")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(&ldap.SearchResult{}, nil)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
_, err := provider.getUserProfile(mockClient, "john=abc")
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
require.Error(t, err)
assert.EqualError(t, err, "user not found")
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
}
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
func TestShouldReturnEmailWhenAttributeSameAsUsername(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "mail",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
},
false,
nil,
mockFactory)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Equal(t, []string{"mail", "displayName", "memberOf"}, provider.usersAttributes)
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(NewSearchRequestMatcher("(&(mail=john@example.com)(objectClass=inetOrgPerson))")).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=john,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "mail",
Values: []string{"john@example.com"},
},
{
Name: "displayName",
Values: []string{"John Doe"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john@example.com")
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
assert.NoError(t, err)
require.NotNil(t, profile)
assert.Equal(t, "uid=john,dc=example,dc=com", profile.DN)
assert.Equal(t, "john@example.com", profile.Username)
assert.Equal(t, "John Doe", profile.DisplayName)
require.Len(t, profile.Emails, 1)
assert.Equal(t, "john@example.com", profile.Emails[0])
}
func TestShouldReturnUsernameAndBlankDisplayNameWhenAttributesTheSame(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "uid",
MemberOf: "memberOf",
},
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
},
false,
nil,
mockFactory)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Equal(t, []string{"uid", "mail", "memberOf"}, provider.usersAttributes)
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(NewSearchRequestMatcher("(&(|(uid=john@example.com)(mail=john@example.com))(objectClass=inetOrgPerson))")).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=john,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "uid",
Values: []string{"john"},
},
{
Name: "mail",
Values: []string{"john@example.com"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john@example.com")
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
assert.NoError(t, err)
require.NotNil(t, profile)
assert.Equal(t, "uid=john,dc=example,dc=com", profile.DN)
assert.Equal(t, "john", profile.Username)
assert.Equal(t, "john", profile.DisplayName)
require.Len(t, profile.Emails, 1)
assert.Equal(t, "john@example.com", profile.Emails[0])
}
func TestShouldReturnBlankEmailAndDisplayNameWhenAttrsLenZero(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
},
false,
nil,
mockFactory)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Equal(t, []string{"uid", "mail", "displayName", "memberOf"}, provider.usersAttributes)
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(NewSearchRequestMatcher("(&(|(uid=john@example.com)(mail=john@example.com))(objectClass=inetOrgPerson))")).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=john,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "uid",
Values: []string{"john"},
},
{
Name: "mail",
Values: []string{},
},
{
Name: "displayName",
Values: []string{},
},
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
{
Name: "memberOf",
Values: []string{},
},
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john@example.com")
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
assert.NoError(t, err)
require.NotNil(t, profile)
assert.Equal(t, "uid=john,dc=example,dc=com", profile.DN)
assert.Equal(t, "john", profile.Username)
assert.Equal(t, "", profile.DisplayName)
assert.Len(t, profile.Emails, 0)
}
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
UsersFilter: "(&({username_attribute}={input})(&(objectCategory=person)(objectClass=user)))",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Equal(t, []string{"uid", "mail", "displayName", "memberOf"}, provider.usersAttributes)
fix(authentication): err when user/display name same ldap attribute (#3364) This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
2022-05-15 06:37:23 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.True(t, provider.usersFilterReplacementInput)
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockClient.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")).
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
Return(&ldap.SearchResult{}, nil)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
_, err := provider.getUserProfile(mockClient, "john")
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
require.Error(t, err)
assert.EqualError(t, err, "user not found")
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
}
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult {
return &ldap.SearchResult{
Entries: []*ldap.Entry{
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{Attributes: attributes},
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
},
}
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func createGroupSearchResultModeFilter(name string, groupNames ...string) *ldap.SearchResult {
result := &ldap.SearchResult{
Entries: make([]*ldap.Entry, len(groupNames)),
}
for i, groupName := range groupNames {
result.Entries[i] = &ldap.Entry{Attributes: []*ldap.EntryAttribute{{Name: name, Values: []string{groupName}}}}
}
return result
}
func createGroupSearchResultModeFilterWithDN(name string, groupNames []string, groupDNs []string) *ldap.SearchResult {
if len(groupNames) != len(groupDNs) {
panic("input sizes mismatch")
}
result := &ldap.SearchResult{
Entries: make([]*ldap.Entry, len(groupNames)),
}
for i, groupName := range groupNames {
result.Entries[i] = &ldap.Entry{
DN: groupDNs[i],
Attributes: []*ldap.EntryAttribute{{Name: name, Values: []string{groupName}}},
}
}
return result
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
}
func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchGroups := mockClient.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Search(gomock.Any()).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
{
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
Name: "displayName",
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
Values: []string{"John Doe"},
},
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Name: "mail",
Values: []string{"test@example.com"},
},
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
assert.Equal(t, details.DisplayName, "John Doe")
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
assert.Equal(t, details.Username, "john")
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestLDAPUserProvider_GetDetails_ShouldReturnOnUserError(t *testing.T) {
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
PermitReferrals: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Search(gomock.Any()).
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Return(nil, fmt.Errorf("failed to search"))
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, connClose)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Nil(t, details)
assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: failed to search")
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestLDAPUserProvider_GetDetails_ShouldReturnOnGroupsError(t *testing.T) {
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchGroups := mockClient.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Search(gomock.Any()).
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Return(nil, fmt.Errorf("failed to search groups"))
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
{
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
Name: "displayName",
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
Values: []string{"John Doe"},
},
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Name: "mail",
Values: []string{"test@example.com"},
},
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832) * [Buildkite] Introduce CI linting with golangci-lint and reviewdog * Initial pass of golangci-lint * Add gosimple (megacheck) recommendations * Add golint recommendations * [BUGFIX] Migrate authentication traces from v3 mongodb * Add deadcode recommendations * [BUGFIX] Fix ShortTimeouts suite when run in dev workflow * Add unused recommendations * Add unparam recommendations * Disable linting on unfixable errors instead of skipping files * Adjust nolint notation for unparam * Fix ineffectual assignment to err raised by linter. * Export environment variable in agent hook * Add ineffassign recommendations * Add staticcheck recommendations * Add gocyclo recommendations * Adjust ineffassign recommendations Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 01:05:17 +00:00
{
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Name: "uid",
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Values: []string{"john"},
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
},
},
},
},
}, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Nil(t, details)
assert.EqualError(t, err, "unable to retrieve groups of user 'john'. Cause: failed to search groups")
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
}
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "displayName",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
dialURL := mockFactory.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
feat(authentication): use the passwordmodify exop for pwd resets with ldap (#2124) Implement the LDAP password modify extended operation for LDAP providers that advertise they support it.
2021-07-06 09:13:17 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Return(createGroupSearchResultModeFilter(provider.config.Attributes.GroupName, "group1", "group2"), nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "uid",
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Values: []string{"john"},
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
},
},
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
},
}, nil)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
require.NoError(t, err)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.ElementsMatch(t, details.Emails, []string{})
assert.Equal(t, details.Username, "john")
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestShouldUnauthenticatedBind(t *testing.T) {
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "displayName",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
UnauthenticatedBind(gomock.Eq("cn=admin,dc=example,dc=com")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
Return(createGroupSearchResultModeFilter(provider.config.Attributes.GroupName, "group1", "group2"), nil)
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{})
assert.Equal(t, details.Username, "john")
}
func TestShouldReturnUsernameFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
Return(createGroupSearchResultModeFilter(provider.config.Attributes.GroupName, "group1", "group2"), nil)
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
}
func TestShouldReturnUsernameFromLDAPSearchModeMemberOfRDN(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
GroupSearchMode: "memberof",
UsersFilter: "uid={input}",
GroupsFilter: "(|{memberof:rdn})",
AdditionalUsersDN: "ou=users",
BaseDN: "DC=example,DC=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
requestGroups := ldap.NewSearchRequest(
provider.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
0, 0, false, "(|(CN=admins)(CN=users))", provider.groupsAttributes, nil,
)
// This ensures the filtering works correctly in the following ways:
// Item 1 (0th element), has the wrong case.
// Item 2 (1st element), has the wrong DN.
searchGroups := mockClient.EXPECT().
Search(requestGroups).
Return(createGroupSearchResultModeFilterWithDN(provider.config.Attributes.GroupName, []string{"admins", "notadmins", "users"}, []string{"CN=ADMINS,OU=groups,DC=example,DC=com", "CN=notadmins,OU=wronggroups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com"}), nil)
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
{
Name: "memberOf",
Values: []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"admins", "users"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
}
func TestShouldReturnUsernameFromLDAPSearchModeMemberOfDN(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "CN=Administrator,CN=Users,DC=example,DC=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
GroupSearchMode: "memberof",
UsersFilter: "sAMAccountName={input}",
GroupsFilter: "(|{memberof:dn})",
AdditionalUsersDN: "CN=users",
BaseDN: "DC=example,DC=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
requestGroups := ldap.NewSearchRequest(
provider.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
0, 0, false, "(|(distinguishedName=CN=admins,OU=groups,DC=example,DC=com)(distinguishedName=CN=users,OU=groups,DC=example,DC=com))", provider.groupsAttributes, nil,
)
searchGroups := mockClient.EXPECT().
Search(requestGroups).
Return(createGroupSearchResultModeFilterWithDN(provider.config.Attributes.GroupName, []string{"admins", "admins", "users"}, []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=admins,OU=wronggroups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com"}), nil)
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"John"},
},
{
Name: "memberOf",
Values: []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"admins", "users"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
}
func TestShouldReturnErrSearchMemberOf(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "CN=Administrator,CN=Users,DC=example,DC=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
GroupSearchMode: "memberof",
UsersFilter: "sAMAccountName={input}",
GroupsFilter: "(|{memberof:dn})",
AdditionalUsersDN: "CN=users",
BaseDN: "DC=example,DC=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
requestGroups := ldap.NewSearchRequest(
provider.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
0, 0, false, "(|(distinguishedName=CN=admins,OU=groups,DC=example,DC=com)(distinguishedName=CN=users,OU=groups,DC=example,DC=com))", provider.groupsAttributes, nil,
)
searchGroups := mockClient.EXPECT().
Search(requestGroups).
Return(nil, fmt.Errorf("failed to get groups"))
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"John"},
},
{
Name: "memberOf",
Values: []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
assert.Nil(t, details)
assert.EqualError(t, err, "unable to retrieve groups of user 'john'. Cause: failed to get groups")
}
func TestShouldReturnErrUnknownSearchMode(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "CN=Administrator,CN=Users,DC=example,DC=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
GroupSearchMode: "bad",
UsersFilter: "sAMAccountName={input}",
GroupsFilter: "(|{memberof:dn})",
AdditionalUsersDN: "CN=users",
BaseDN: "DC=example,DC=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"John"},
},
{
Name: "memberOf",
Values: []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, connClose)
details, err := provider.GetDetails("john")
assert.Nil(t, details)
assert.EqualError(t, err, "could not perform group search with mode 'bad' as it's unknown")
}
func TestShouldSkipEmptyAttributesSearchModeMemberOf(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "CN=Administrator,CN=Users,DC=example,DC=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
GroupSearchMode: "memberof",
UsersFilter: "sAMAccountName={input}",
GroupsFilter: "(|{memberof:dn})",
AdditionalUsersDN: "CN=users",
BaseDN: "DC=example,DC=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"John"},
},
{
Name: "memberOf",
Values: []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com", "CN=multi,OU=groups,DC=example,DC=com"},
},
},
},
},
}, nil)
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=grp,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{},
},
{
DN: "CN=users,OU=groups,DC=example,DC=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "cn",
Values: []string{},
},
},
},
{
DN: "CN=admins,OU=groups,DC=example,DC=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "cn",
Values: []string{""},
},
},
},
{
DN: "CN=multi,OU=groups,DC=example,DC=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "cn",
Values: []string{"a", "b"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
assert.NoError(t, err)
assert.NotNil(t, details)
}
func TestShouldSkipEmptyAttributesSearchModeFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "CN=Administrator,CN=Users,DC=example,DC=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
GroupSearchMode: "filter",
UsersFilter: "sAMAccountName={input}",
GroupsFilter: "(|{memberof:dn})",
AdditionalUsersDN: "CN=users",
BaseDN: "DC=example,DC=com",
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("CN=Administrator,CN=Users,DC=example,DC=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"John"},
},
{
Name: "memberOf",
Values: []string{"CN=admins,OU=groups,DC=example,DC=com", "CN=users,OU=groups,DC=example,DC=com", "CN=multi,OU=groups,DC=example,DC=com"},
},
},
},
},
}, nil)
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=grp,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{},
},
{
DN: "CN=users,OU=groups,DC=example,DC=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "cn",
Values: []string{},
},
},
},
{
DN: "CN=admins,OU=groups,DC=example,DC=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "cn",
Values: []string{""},
},
},
},
{
DN: "CN=multi,OU=groups,DC=example,DC=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "cn",
Values: []string{"a", "b"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
assert.NoError(t, err)
assert.NotNil(t, details)
}
func TestShouldSkipEmptyGroupsResultMemberOf(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{},
},
}, nil)
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
}
func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndResult(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
mockClientReferralAlt := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
nil,
mockFactory)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Return(createGroupSearchResultModeFilter(provider.config.Attributes.GroupName, "group1", "group2"), nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{},
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Referrals: []string{"ldap://192.168.0.1"},
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
}, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral})
dialURLReferral := mockFactory.EXPECT().
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferral := mockClientReferral.EXPECT().Close()
searchProfileReferral := mockClientReferral.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
dialURLReferralAlt := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferralAlt, nil)
connBindReferralAlt := mockClientReferralAlt.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferralAlt := mockClientReferralAlt.EXPECT().Close()
searchProfileReferralAlt := mockClientReferralAlt.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, dialURLReferralAlt, connBindReferralAlt, searchProfileReferralAlt, connCloseReferralAlt, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
}
func TestShouldReturnUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
Return(createGroupSearchResultModeFilter(provider.config.Attributes.GroupName, "group1", "group2"), nil)
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClientReferral, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBindReferral := mockClientReferral.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connCloseReferral := mockClientReferral.EXPECT().Close()
searchProfileReferral := mockClientReferral.EXPECT().
Search(gomock.Any()).
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
DN: "uid=test,dc=example,dc=com",
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Attributes: []*ldap.EntryAttribute{
{
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
},
},
},
},
}, nil)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, searchGroups, connClose)
details, err := provider.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
}
func TestShouldReturnDialErrDuringReferralSearchUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(nil, fmt.Errorf("failed to connect"))
gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connClose)
details, err := provider.GetDetails("john")
assert.Nil(t, details)
assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': dial failed with error: failed to connect")
}
func TestShouldReturnSearchErrDuringReferralSearchUsernameFromLDAPWithReferralsInErrorAndNoResult(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferral := mockClientReferral.EXPECT().Close()
searchProfileReferral := mockClientReferral.EXPECT().
Search(gomock.Any()).
Return(nil, fmt.Errorf("not found"))
gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, connClose)
details, err := provider.GetDetails("john")
assert.Nil(t, details)
assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: error occurred performing search on referred LDAP server 'ldap://192.168.0.1': not found")
}
func TestShouldNotReturnUsernameFromLDAPWithReferralsInErrorAndReferralsNotPermitted(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: false,
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
connBind := mockClient.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
connClose := mockClient.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
searchProfile := mockClient.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Search(gomock.Any()).
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral})
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, connClose)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: LDAP Result Code 10 \"Referral\": referral")
assert.Nil(t, details)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
func TestShouldReturnUsernameFromLDAPWithReferralsErr(t *testing.T) {
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
nil,
mockFactory)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
dialURL := mockFactory.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchGroups := mockClient.EXPECT().
Search(gomock.Any()).
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Return(createGroupSearchResultModeFilter(provider.config.Attributes.GroupName, "group1", "group2"), nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{}, &ldap.Error{ResultCode: ldap.LDAPResultReferral, Err: errors.New("referral"), Packet: &testBERPacketReferral})
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connCloseReferral := mockClientReferral.EXPECT().Close()
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfileReferral := mockClientReferral.EXPECT().
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
gomock.InOrder(dialURL, connBind, searchProfile, dialURLReferral, connBindReferral, searchProfileReferral, connCloseReferral, searchGroups, connClose)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
feat(authentication): use the passwordmodify exop for pwd resets with ldap (#2124) Implement the LDAP password modify extended operation for LDAP providers that advertise they support it.
2021-07-06 09:13:17 +00:00
require.NoError(t, err)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "John")
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
func TestShouldNotUpdateUserPasswordConnect(t *testing.T) {
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: false,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(nil, errors.New("tcp timeout"))
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: dial failed with error: tcp timeout")
}
func TestShouldNotUpdateUserPasswordGetDetails(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: false,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultProtocolError, Err: errors.New("permission error")})
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: cannot find user DN of user 'john'. Cause: LDAP Result Code 2 \"Protocol Error\": permission error")
}
func TestShouldUpdateUserPassword(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
nil,
)
modifyRequest.Replace(ldapAttributeUserPassword, []string{"password"})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
modify := mockClient.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordMSAD(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHints}},
)
test(authentication): add missing type tests (#5483) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-25 02:26:19 +00:00
pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
modify := mockClient.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordMSADWithReferrals(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHints}},
)
test(authentication): add missing type tests (#5483) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-25 02:26:19 +00:00
pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
modify := mockClient.EXPECT().
Modify(modifyRequest).
Return(&ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferral := mockClientReferral.EXPECT().Close()
modifyReferral := mockClientReferral.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, dialURLReferral, connBindReferral, modifyReferral, connCloseReferral, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralConnectErr(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHints}},
)
test(authentication): add missing type tests (#5483) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-25 02:26:19 +00:00
pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
modify := mockClient.EXPECT().
Modify(modifyRequest).
Return(&ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(nil, errors.New("tcp timeout"))
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, dialURLReferral, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': dial failed with error: tcp timeout. Original Error: LDAP Result Code 10 \"Referral\": error occurred")
}
func TestShouldUpdateUserPasswordMSADWithReferralsWithReferralModifyErr(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHints}},
)
test(authentication): add missing type tests (#5483) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-25 02:26:19 +00:00
pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
modify := mockClient.EXPECT().
Modify(modifyRequest).
Return(&ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferral := mockClientReferral.EXPECT().Close()
modifyReferral := mockClientReferral.EXPECT().
Modify(modifyRequest).
Return(&ldap.Error{
ResultCode: ldap.LDAPResultBusy,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, dialURLReferral, connBindReferral, modifyReferral, connCloseReferral, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: error occurred performing modify on referred LDAP server 'ldap://192.168.0.1': LDAP Result Code 51 \"Busy\": error occurred. Original Error: LDAP Result Code 10 \"Referral\": error occurred")
}
func TestShouldUpdateUserPasswordMSADWithoutReferrals(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: false,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHints}},
)
test(authentication): add missing type tests (#5483) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-25 02:26:19 +00:00
pwdEncoded, _ := encodingUTF16LittleEndian.NewEncoder().String(fmt.Sprintf("\"%s\"", "password"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
modifyRequest.Replace(ldapAttributeUnicodePwd, []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
modify := mockClient.EXPECT().
Modify(modifyRequest).
Return(&ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, modify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: LDAP Result Code 10 \"Referral\": error occurred")
}
func TestShouldUpdateUserPasswordPasswdModifyExtension(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
pwdModifyRequest := ldap.NewPasswordModifyRequest(
"uid=test,dc=example,dc=com",
"",
"password",
)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
PasswordModify(pwdModifyRequest).
Return(nil, nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferrals(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
pwdModifyRequest := ldap.NewPasswordModifyRequest(
"uid=test,dc=example,dc=com",
"",
"password",
)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
PasswordModify(pwdModifyRequest).
Return(&ldap.PasswordModifyResult{
Referral: "ldap://192.168.0.1",
}, &ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferral := mockClientReferral.EXPECT().Close()
passwdModifyReferral := mockClientReferral.EXPECT().
PasswordModify(pwdModifyRequest).
Return(&ldap.PasswordModifyResult{}, nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, dialURLReferral, connBindReferral, passwdModifyReferral, connCloseReferral, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordPasswdModifyExtensionWithoutReferrals(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: false,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
pwdModifyRequest := ldap.NewPasswordModifyRequest(
"uid=test,dc=example,dc=com",
"",
"password",
)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
PasswordModify(pwdModifyRequest).
Return(&ldap.PasswordModifyResult{
Referral: "ldap://192.168.0.1",
}, &ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: LDAP Result Code 10 \"Referral\": error occurred")
}
func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralConnectErr(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
pwdModifyRequest := ldap.NewPasswordModifyRequest(
"uid=test,dc=example,dc=com",
"",
"password",
)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
PasswordModify(pwdModifyRequest).
Return(&ldap.PasswordModifyResult{
Referral: "ldap://192.168.0.1",
}, &ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(nil, errors.New("tcp timeout"))
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, dialURLReferral, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: error occurred connecting to referred LDAP server 'ldap://192.168.0.1': dial failed with error: tcp timeout. Original Error: LDAP Result Code 10 \"Referral\": error occurred")
}
func TestShouldUpdateUserPasswordPasswdModifyExtensionWithReferralsReferralPasswordModifyErr(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
mockClientReferral := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
PermitReferrals: true,
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
pwdModifyRequest := ldap.NewPasswordModifyRequest(
"uid=test,dc=example,dc=com",
"",
"password",
)
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{ldapOIDExtensionPwdModifyExOp},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
PasswordModify(pwdModifyRequest).
Return(&ldap.PasswordModifyResult{
Referral: "ldap://192.168.0.1",
}, &ldap.Error{
ResultCode: ldap.LDAPResultReferral,
Err: errors.New("error occurred"),
Packet: &testBERPacketReferral,
})
dialURLReferral := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://192.168.0.1"), gomock.Any()).
Return(mockClientReferral, nil)
connBindReferral := mockClientReferral.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connCloseReferral := mockClientReferral.EXPECT().Close()
passwdModifyReferral := mockClientReferral.EXPECT().
PasswordModify(pwdModifyRequest).
Return(nil, &ldap.Error{
ResultCode: ldap.LDAPResultBusy,
Err: errors.New("too busy"),
Packet: &testBERPacketReferral,
})
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, dialURLReferral, connBindReferral, passwdModifyReferral, connCloseReferral, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.EqualError(t, err, "unable to update password. Cause: error occurred performing password modify on referred LDAP server 'ldap://192.168.0.1': LDAP Result Code 51 \"Busy\": too busy. Original Error: LDAP Result Code 10 \"Referral\": error occurred")
}
func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHints(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "cn={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM)
pwdEncoded, _ := utf16.NewEncoder().String("\"password\"")
modifyRequest := ldap.NewModifyRequest(
"cn=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHints}},
)
modifyRequest.Replace("unicodePwd", []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHints, ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "cn=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"john"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
}
func TestShouldUpdateUserPasswordActiveDirectoryWithServerPolicyHintsDeprecated(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "cn={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM)
pwdEncoded, _ := utf16.NewEncoder().String("\"password\"")
modifyRequest := ldap.NewModifyRequest(
"cn=test,dc=example,dc=com",
[]ldap.Control{&controlMsftServerPolicyHints{ldapOIDControlMsftServerPolicyHintsDeprecated}},
)
modifyRequest.Replace("unicodePwd", []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{ldapOIDControlMsftServerPolicyHintsDeprecated},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "cn=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"john"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordActiveDirectory(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "activedirectory",
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
DistinguishedName: "distinguishedName",
Username: "sAMAccountName",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "cn={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM)
pwdEncoded, _ := utf16.NewEncoder().String("\"password\"")
modifyRequest := ldap.NewModifyRequest(
"cn=test,dc=example,dc=com",
nil,
)
modifyRequest.Replace("unicodePwd", []string{pwdEncoded})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "cn=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "sAMAccountName",
Values: []string{"john"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldUpdateUserPasswordBasic(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Implementation: "custom",
Address: testLDAPAddress,
User: "uid=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
modifyRequest := ldap.NewModifyRequest(
"uid=test,dc=example,dc=com",
nil,
)
modifyRequest.Replace("userPassword", []string{"password"})
dialURLOIDs := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBindOIDs := mockClient.EXPECT().
Bind(gomock.Eq("uid=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
searchOIDs := mockClient.EXPECT().
Search(NewExtendedSearchRequestMatcher("(objectClass=*)", "", ldap.ScopeBaseObject, ldap.NeverDerefAliases, false, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute})).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: ldapSupportedExtensionAttribute,
Values: []string{},
},
{
Name: ldapSupportedControlAttribute,
Values: []string{},
},
},
},
},
}, nil)
connCloseOIDs := mockClient.EXPECT().Close()
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
connBind := mockClient.EXPECT().
Bind(gomock.Eq("uid=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
connClose := mockClient.EXPECT().Close()
searchProfile := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
passwdModify := mockClient.EXPECT().
Modify(modifyRequest).
Return(nil)
gomock.InOrder(dialURLOIDs, connBindOIDs, searchOIDs, connCloseOIDs, dialURL, connBind, searchProfile, passwdModify, connClose)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err := provider.StartupCheck()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
err = provider.UpdatePassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
require.NoError(t, err)
}
func TestShouldReturnErrorWhenMultipleUsernameAttributes(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John", "Jacob"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.Nil(t, profile)
assert.EqualError(t, err, "user 'john' has 2 values for for attribute 'uid' but the attribute must be a single value attribute")
}
func TestShouldReturnErrorWhenZeroUsernameAttributes(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.Nil(t, profile)
assert.EqualError(t, err, "user 'john' must have value for attribute 'uid'")
}
func TestShouldReturnErrorWhenUsernameAttributeNotReturned(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.Nil(t, profile)
assert.EqualError(t, err, "user 'john' must have value for attribute 'uid'")
}
func TestShouldReturnErrorWhenMultipleUsersFound(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "(|(uid={input})(uid=*))",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
{
DN: "uid=sam,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"sam"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.Nil(t, profile)
assert.EqualError(t, err, "there were 2 users found when searching for 'john' but there should only be 1")
}
func TestShouldReturnErrorWhenNoDN(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "(|(uid={input})(uid=*))",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
search := mockClient.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "",
Attributes: []*ldap.EntryAttribute{
{
Name: "displayName",
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
gomock.InOrder(dialURL, bind, search)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
client, err := provider.connect()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.NoError(t, err)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
profile, err := provider.getUserProfile(client, "john")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.Nil(t, profile)
assert.EqualError(t, err, "user 'john' must have a distinguished name but the result returned an empty distinguished name")
}
func TestShouldCheckValidUserPassword(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
gomock.InOrder(
mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil),
mockClient.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil),
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockClient.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
Name: "displayName",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil),
mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil),
mockClient.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Bind(gomock.Eq("uid=test,dc=example,dc=com"), gomock.Eq("password")).
Return(nil),
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockClient.EXPECT().Close().Times(2),
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
valid, err := provider.CheckUserPassword("john", "password")
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
assert.True(t, valid)
require.NoError(t, err)
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
func TestShouldNotCheckValidUserPasswordWithConnectError(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
},
false,
nil,
mockFactory)
dialURL := mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil)
bind := mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(&ldap.Error{ResultCode: ldap.LDAPResultInvalidCredentials, Err: errors.New("invalid username or password")})
gomock.InOrder(dialURL, bind, mockClient.EXPECT().Close())
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
valid, err := provider.CheckUserPassword("john", "password")
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
assert.False(t, valid)
assert.EqualError(t, err, "bind failed with error: LDAP Result Code 49 \"Invalid Credentials\": invalid username or password")
}
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
func TestShouldNotCheckValidUserPasswordWithGetProfileError(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
provider := NewLDAPUserProviderWithFactory(
schema.LDAPAuthenticationBackend{
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
},
false,
nil,
mockFactory)
gomock.InOrder(
mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
Return(mockClient, nil),
mockClient.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil),
mockClient.EXPECT().
Search(gomock.Any()).
Return(nil, &ldap.Error{ResultCode: ldap.LDAPResultBusy, Err: errors.New("directory server busy")}),
mockClient.EXPECT().Close(),
)
valid, err := provider.CheckUserPassword("john", "password")
assert.False(t, valid)
assert.EqualError(t, err, "cannot find user DN of user 'john'. Cause: LDAP Result Code 51 \"Busy\": directory server busy")
}
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
func TestShouldCheckInvalidUserPassword(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
gomock.InOrder(
mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil),
mockClient.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil),
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockClient.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
Name: "displayName",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil),
mockFactory.EXPECT().
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil),
mockClient.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
Bind(gomock.Eq("uid=test,dc=example,dc=com"), gomock.Eq("password")).
refactor(web): only fetch totp conf if required (#2663) Prevents the TOTP user config from being requested when the user has not registered or is already authenticated 2FA.
2021-12-02 10:28:16 +00:00
Return(errors.New("invalid username or password")),
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockClient.EXPECT().Close().Times(2),
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
valid, err := provider.CheckUserPassword("john", "password")
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
assert.False(t, valid)
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
require.EqualError(t, err, "authentication failed. Cause: bind failed with error: invalid username or password")
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
}
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
func TestShouldCallStartTLSWhenEnabled(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
StartTLS: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connStartTLS := mockClient.EXPECT().
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
StartTLS(provider.tlsConfig)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchGroups := mockClient.EXPECT().
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
Name: "displayName",
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connStartTLS, connBind, searchProfile, searchGroups, connClose)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "john")
}
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
func TestShouldParseDynamicConfiguration(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpiresM>={date-time:microsoft-nt})(accountExpiresU>={date-time:unix})(accountExpiresG>={date-time:generalized})))",
GroupsFilter: "(&(|(member={dn})(member={input})(member={username}))(objectClass=group))",
AdditionalUsersDN: "ou=users",
AdditionalGroupsDN: "ou=groups",
BaseDN: "dc=example,dc=com",
StartTLS: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
clock := &utils.TestingClock{}
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider.clock = clock
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
clock.Set(time.Unix(1670250519, 0))
assert.True(t, provider.groupsFilterReplacementInput)
assert.True(t, provider.groupsFilterReplacementUsername)
assert.True(t, provider.groupsFilterReplacementDN)
assert.True(t, provider.usersFilterReplacementInput)
assert.True(t, provider.usersFilterReplacementDateTimeGeneralized)
assert.True(t, provider.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Equal(t, "(&(|(uid={input})(mail={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpiresM>={date-time:microsoft-nt})(accountExpiresU>={date-time:unix})(accountExpiresG>={date-time:generalized})))", provider.config.UsersFilter)
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.Equal(t, "(&(|(member={dn})(member={input})(member={username}))(objectClass=group))", provider.config.GroupsFilter)
assert.Equal(t, "ou=users,dc=example,dc=com", provider.usersBaseDN)
assert.Equal(t, "ou=groups,dc=example,dc=com", provider.groupsBaseDN)
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
assert.Equal(t, "(&(|(uid=test@example.com)(mail=test@example.com))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpiresM>=133147241190000000)(accountExpiresU>=1670250519)(accountExpiresG>=20221205142839.0Z)))", provider.resolveUsersFilter("test@example.com"))
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.Equal(t, "(&(|(member=cn=admin,dc=example,dc=com)(member=test@example.com)(member=test))(objectClass=group))", provider.resolveGroupsFilter("test@example.com", &ldapUserProfile{Username: "test", DN: "cn=admin,dc=example,dc=com"}))
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
}
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
func TestShouldCallStartTLSWithInsecureSkipVerifyWhenSkipVerifyTrue(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
GroupName: "cn",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
StartTLS: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
TLS: &schema.TLSConfig{
SkipVerify: true,
},
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
assert.False(t, provider.groupsFilterReplacementInput)
assert.False(t, provider.groupsFilterReplacementUsername)
assert.False(t, provider.groupsFilterReplacementDN)
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldap://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connBind := mockClient.EXPECT().
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connStartTLS := mockClient.EXPECT().
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
StartTLS(provider.tlsConfig)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connClose := mockClient.EXPECT().Close()
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchGroups := mockClient.EXPECT().
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
searchProfile := mockClient.EXPECT().
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
{
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 04:17:07 +00:00
Name: "displayName",
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Values: []string{"John Doe"},
},
{
Name: "mail",
Values: []string{"test@example.com"},
},
{
Name: "uid",
Values: []string{"john"},
},
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
{
Name: "memberOf",
Values: []string{"CN=example,DC=corp,DC=com"},
},
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
},
},
},
}, nil)
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
gomock.InOrder(dialURL, connStartTLS, connBind, searchProfile, searchGroups, connClose)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
details, err := provider.GetDetails("john")
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.DisplayName, "John Doe")
assert.Equal(t, details.Username, "john")
}
func TestShouldReturnLDAPSAlreadySecuredWhenStartTLSAttempted(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
mockFactory := NewMockLDAPClientFactory(ctrl)
mockClient := NewMockLDAPClient(ctrl)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
provider := NewLDAPUserProviderWithFactory(
feat(authentication): file password algorithms (#3848) This adds significant enhancements to the file auth provider including multiple additional algorithms.
2022-10-17 10:51:59 +00:00
schema.LDAPAuthenticationBackend{
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
Address: testLDAPSAddress,
User: "cn=admin,dc=example,dc=com",
Password: "password",
Attributes: schema.LDAPAuthenticationAttributes{
Username: "uid",
Mail: "mail",
DisplayName: "displayName",
MemberOf: "memberOf",
},
UsersFilter: "uid={input}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
StartTLS: true,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
TLS: &schema.TLSConfig{
SkipVerify: true,
},
},
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues
2021-09-17 09:53:59 +00:00
false,
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
nil,
mockFactory)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
dialURL := mockFactory.EXPECT().
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
DialURL(gomock.Eq("ldaps://127.0.0.1:389"), gomock.Any()).
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
Return(mockClient, nil)
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
connStartTLS := mockClient.EXPECT().
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
StartTLS(provider.tlsConfig).
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
Return(errors.New("LDAP Result Code 200 \"Network Error\": ldap: already encrypted"))
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
gomock.InOrder(dialURL, connStartTLS, mockClient.EXPECT().Close())
fix(authentication): ldap connection left open (#2179) The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 11:12:50 +00:00
feat(authentication): ldap time replacements (#4483) This adds and utilizes several time replacements for both specialized LDAP implementations. Closes #1964, Closes #1284
2022-12-21 10:31:21 +00:00
_, err := provider.GetDetails("john")
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
assert.EqualError(t, err, "starttls failed with error: LDAP Result Code 200 \"Network Error\": ldap: already encrypted")
[FEATURE] LDAP StartTLS (#1500) * add start_tls config option * add StartTLS method to the LDAP conn factory and the mock * implemented use of the StartTLS method when the config is set to true * add mock unit tests * add docs * add TLS min version support * add tests to tls version method * fix lint issues * minor adjustments * remove SSL3.0 * add tls consts * deprecate old filter placeholders * remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993 * make suite ActiveDirectory use StartTLS * misc adjustments to docs * suggested changes from code review * deprecation notice conformity * add mock test for LDAPS plus StartTLS
2020-12-03 05:23:52 +00:00
}