authelia/server/test/ldap/Authenticator.test.ts


import { Authenticator } from "../../src/lib/ldap/Authenticator";
import { LdapConfiguration } from "../../src/lib/configuration/Configuration";

import Sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import Assert = require("assert");

import { ClientFactoryStub } from "../mocks/ldap/ClientFactoryStub";
import { ClientStub } from "../mocks/ldap/ClientStub";


describe("test ldap authentication", function () {
  const USERNAME = "username";
  const PASSWORD = "password";

  const ADMIN_USER_DN = "cn=admin,dc=example,dc=com";
  const ADMIN_PASSWORD = "admin_password";

  let clientFactoryStub: ClientFactoryStub;
  let adminClientStub: ClientStub;
  let userClientStub: ClientStub;

  let authenticator: Authenticator;
  let ldapConfig: LdapConfiguration;

  beforeEach(function () {
    clientFactoryStub = new ClientFactoryStub();
    adminClientStub = new ClientStub();
    userClientStub = new ClientStub();

    ldapConfig = {
      url: "http://localhost:324",
      users_dn: "ou=users,dc=example,dc=com",
      users_filter: "cn={0}",
      groups_dn: "ou=groups,dc=example,dc=com",
      groups_filter: "member={0}",
      mail_attribute: "mail",
      group_name_attribute: "cn",
      user: ADMIN_USER_DN,
      password: ADMIN_PASSWORD
    };

    authenticator = new Authenticator(ldapConfig, clientFactoryStub);
  });

  describe("success", function () {
    it("should bind the user if good credentials provided", function () {
      clientFactoryStub.createStub.withArgs(ADMIN_USER_DN, ADMIN_PASSWORD)
        .returns(adminClientStub);
      clientFactoryStub.createStub.withArgs("cn=" + USERNAME + ",ou=users,dc=example,dc=com", PASSWORD)
        .returns(userClientStub);

      // admin connects successfully
      adminClientStub.openStub.returns(BluebirdPromise.resolve());
      adminClientStub.closeStub.returns(BluebirdPromise.resolve());

      // admin search for user dn of user
      adminClientStub.searchUserDnStub.withArgs(USERNAME)
        .returns(BluebirdPromise.resolve("cn=" + USERNAME + ",ou=users,dc=example,dc=com"));

      // user connects successfully
      userClientStub.openStub.returns(BluebirdPromise.resolve());
      userClientStub.closeStub.returns(BluebirdPromise.resolve());

      // admin retrieves emails and groups of user
      adminClientStub.searchEmailsStub.returns(BluebirdPromise.resolve(["group1"]));
      adminClientStub.searchGroupsStub.returns(BluebirdPromise.resolve(["user@example.com"]));

      return authenticator.authenticate(USERNAME, PASSWORD);
    });
  });

  describe("failure", function () {
    it("should not bind the user if wrong credentials provided", function () {
      clientFactoryStub.createStub.withArgs(ADMIN_USER_DN, ADMIN_PASSWORD)
        .returns(adminClientStub);
      clientFactoryStub.createStub.withArgs("cn=" + USERNAME + ",ou=users,dc=example,dc=com", PASSWORD)
        .returns(userClientStub);

      // admin connects successfully
      adminClientStub.openStub.returns(BluebirdPromise.resolve());
      adminClientStub.closeStub.returns(BluebirdPromise.resolve());

      // admin search for user dn of user
      adminClientStub.searchUserDnStub.withArgs(USERNAME)
        .returns(BluebirdPromise.resolve("cn=" + USERNAME + ",ou=users,dc=example,dc=com"));

      // user connects successfully
      userClientStub.openStub.returns(BluebirdPromise.reject(new Error("Error while binding")));
      userClientStub.closeStub.returns(BluebirdPromise.resolve());

      return authenticator.authenticate(USERNAME, PASSWORD)
        .then(function () { return BluebirdPromise.reject("Should not be here!"); })
        .catch(function () {
          return BluebirdPromise.resolve();
        });
    });

    it("should not bind the user if search of emails or group fails", function () {
      clientFactoryStub.createStub.withArgs(ADMIN_USER_DN, ADMIN_PASSWORD)
        .returns(adminClientStub);
      clientFactoryStub.createStub.withArgs("cn=" + USERNAME + ",ou=users,dc=example,dc=com", PASSWORD)
        .returns(userClientStub);

      // admin connects successfully
      adminClientStub.openStub.returns(BluebirdPromise.resolve());
      adminClientStub.closeStub.returns(BluebirdPromise.resolve());

      // admin search for user dn of user
      adminClientStub.searchUserDnStub.withArgs(USERNAME)
        .returns(BluebirdPromise.resolve("cn=" + USERNAME + ",ou=users,dc=example,dc=com"));

      // user connects successfully
      userClientStub.openStub.returns(BluebirdPromise.resolve());
      userClientStub.closeStub.returns(BluebirdPromise.resolve());

      adminClientStub.searchEmailsStub.returns(BluebirdPromise.resolve(["group1"]));
      // admin retrieves emails and groups of user
      adminClientStub.searchGroupsStub
        .returns(BluebirdPromise.reject(new Error("Error while retrieving emails and groups")));

      return authenticator.authenticate(USERNAME, PASSWORD)
        .then(function () { return BluebirdPromise.reject("Should not be here!"); })
        .catch(function () {
          return BluebirdPromise.resolve();
        });
    });
  });
});
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
Split client and server Client and server now have their own tsconfig so that the transpilation is only done on the part that is being modified. It also allows faster transpilation since tests are now excluded from tsconfig. They are compiled by ts-node during unit tests execution. 2017-10-06 22:09:42 +00:00			`import { Authenticator } from "../../src/lib/ldap/Authenticator";`
			`import { LdapConfiguration } from "../../src/lib/configuration/Configuration";`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`import Sinon = require("sinon");`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`import BluebirdPromise = require("bluebird");`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`import Assert = require("assert");`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`import { ClientFactoryStub } from "../mocks/ldap/ClientFactoryStub";`
			`import { ClientStub } from "../mocks/ldap/ClientStub";`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00

			`describe("test ldap authentication", function () {`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`const USERNAME = "username";`
			`const PASSWORD = "password";`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`const ADMIN_USER_DN = "cn=admin,dc=example,dc=com";`
			`const ADMIN_PASSWORD = "admin_password";`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`let clientFactoryStub: ClientFactoryStub;`
			`let adminClientStub: ClientStub;`
			`let userClientStub: ClientStub;`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`let authenticator: Authenticator;`
			`let ldapConfig: LdapConfiguration;`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
			`beforeEach(function () {`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`clientFactoryStub = new ClientFactoryStub();`
			`adminClientStub = new ClientStub();`
			`userClientStub = new ClientStub();`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00
			`ldapConfig = {`
			`url: "http://localhost:324",`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`users_dn: "ou=users,dc=example,dc=com",`
			`users_filter: "cn={0}",`
			`groups_dn: "ou=groups,dc=example,dc=com",`
			`groups_filter: "member={0}",`
			`mail_attribute: "mail",`
			`group_name_attribute: "cn",`
			`user: ADMIN_USER_DN,`
			`password: ADMIN_PASSWORD`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`};`

Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`authenticator = new Authenticator(ldapConfig, clientFactoryStub);`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`});`

			`describe("success", function () {`
			`it("should bind the user if good credentials provided", function () {`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`clientFactoryStub.createStub.withArgs(ADMIN_USER_DN, ADMIN_PASSWORD)`
			`.returns(adminClientStub);`
			`clientFactoryStub.createStub.withArgs("cn=" + USERNAME + ",ou=users,dc=example,dc=com", PASSWORD)`
			`.returns(userClientStub);`

			`// admin connects successfully`
			`adminClientStub.openStub.returns(BluebirdPromise.resolve());`
			`adminClientStub.closeStub.returns(BluebirdPromise.resolve());`

			`// admin search for user dn of user`
			`adminClientStub.searchUserDnStub.withArgs(USERNAME)`
			`.returns(BluebirdPromise.resolve("cn=" + USERNAME + ",ou=users,dc=example,dc=com"));`

			`// user connects successfully`
			`userClientStub.openStub.returns(BluebirdPromise.resolve());`
			`userClientStub.closeStub.returns(BluebirdPromise.resolve());`

			`// admin retrieves emails and groups of user`
Use username matcher instead of user dn in group filter Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used. 2017-10-07 11:46:19 +00:00			`adminClientStub.searchEmailsStub.returns(BluebirdPromise.resolve(["group1"]));`
			`adminClientStub.searchGroupsStub.returns(BluebirdPromise.resolve(["user@example.com"]));`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00
			`return authenticator.authenticate(USERNAME, PASSWORD);`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`});`
			`});`

			`describe("failure", function () {`
			`it("should not bind the user if wrong credentials provided", function () {`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`clientFactoryStub.createStub.withArgs(ADMIN_USER_DN, ADMIN_PASSWORD)`
			`.returns(adminClientStub);`
			`clientFactoryStub.createStub.withArgs("cn=" + USERNAME + ",ou=users,dc=example,dc=com", PASSWORD)`
			`.returns(userClientStub);`

			`// admin connects successfully`
			`adminClientStub.openStub.returns(BluebirdPromise.resolve());`
			`adminClientStub.closeStub.returns(BluebirdPromise.resolve());`

			`// admin search for user dn of user`
			`adminClientStub.searchUserDnStub.withArgs(USERNAME)`
			`.returns(BluebirdPromise.resolve("cn=" + USERNAME + ",ou=users,dc=example,dc=com"));`

			`// user connects successfully`
			`userClientStub.openStub.returns(BluebirdPromise.reject(new Error("Error while binding")));`
			`userClientStub.closeStub.returns(BluebirdPromise.resolve());`

			`return authenticator.authenticate(USERNAME, PASSWORD)`
			`.then(function () { return BluebirdPromise.reject("Should not be here!"); })`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`.catch(function () {`
			`return BluebirdPromise.resolve();`
			`});`
			`});`

			`it("should not bind the user if search of emails or group fails", function () {`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`clientFactoryStub.createStub.withArgs(ADMIN_USER_DN, ADMIN_PASSWORD)`
			`.returns(adminClientStub);`
			`clientFactoryStub.createStub.withArgs("cn=" + USERNAME + ",ou=users,dc=example,dc=com", PASSWORD)`
			`.returns(userClientStub);`

			`// admin connects successfully`
			`adminClientStub.openStub.returns(BluebirdPromise.resolve());`
			`adminClientStub.closeStub.returns(BluebirdPromise.resolve());`

			`// admin search for user dn of user`
			`adminClientStub.searchUserDnStub.withArgs(USERNAME)`
			`.returns(BluebirdPromise.resolve("cn=" + USERNAME + ",ou=users,dc=example,dc=com"));`

			`// user connects successfully`
			`userClientStub.openStub.returns(BluebirdPromise.resolve());`
			`userClientStub.closeStub.returns(BluebirdPromise.resolve());`

Use username matcher instead of user dn in group filter Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used. 2017-10-07 11:46:19 +00:00			`adminClientStub.searchEmailsStub.returns(BluebirdPromise.resolve(["group1"]));`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`// admin retrieves emails and groups of user`
Use username matcher instead of user dn in group filter Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used. 2017-10-07 11:46:19 +00:00			`adminClientStub.searchGroupsStub`
Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 20:38:26 +00:00			`.returns(BluebirdPromise.reject(new Error("Error while retrieving emails and groups")));`

			`return authenticator.authenticate(USERNAME, PASSWORD)`
			`.then(function () { return BluebirdPromise.reject("Should not be here!"); })`
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-16 15:37:13 +00:00			`.catch(function () {`
			`return BluebirdPromise.resolve();`
			`});`
			`});`
			`});`
			`});`