RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/authentication/ldap_user_provider_test.go

374 lines
11 KiB
Go
Raw Normal View History

Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
package authentication
import (
"testing"
[DEPS] Fix gopkg.in/ldap.v3 import for dependabot (#726)
2020-03-19 04:22:46 +00:00
"github.com/go-ldap/ldap/v3"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
gomock "github.com/golang/mock/gomock"
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
"github.com/stretchr/testify/assert"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
"github.com/stretchr/testify/require"
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
"github.com/authelia/authelia/internal/configuration/schema"
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
)
func TestShouldCreateRawConnectionWhenSchemeIsLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
_, err := ldap.connect("cn=admin,dc=example,dc=com", "password")
require.NoError(t, err)
}
func TestShouldCreateTLSConnectionWhenSchemeIsLDAPS(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldaps://127.0.0.1:389",
}, mockFactory)
mockFactory.EXPECT().
DialTLS(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389"), gomock.Any()).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
_, err := ldap.connect("cn=admin,dc=example,dc=com", "password")
require.NoError(t, err)
}
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
func TestEscapeSpecialCharsFromUserInput(t *testing.T) {
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldaps://127.0.0.1:389",
}, mockFactory)
// No escape
assert.Equal(t, "xyz", ldap.ldapEscape("xyz"))
// Escape
assert.Equal(t, "test\\,abc", ldap.ldapEscape("test,abc"))
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
assert.Equal(t, "test\\5cabc", ldap.ldapEscape("test\\abc"))
assert.Equal(t, "test\\2aabc", ldap.ldapEscape("test*abc"))
assert.Equal(t, "test \\28abc\\29", ldap.ldapEscape("test (abc)"))
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
assert.Equal(t, "test\\#abc", ldap.ldapEscape("test#abc"))
assert.Equal(t, "test\\+abc", ldap.ldapEscape("test+abc"))
assert.Equal(t, "test\\<abc", ldap.ldapEscape("test<abc"))
assert.Equal(t, "test\\>abc", ldap.ldapEscape("test>abc"))
assert.Equal(t, "test\\;abc", ldap.ldapEscape("test;abc"))
assert.Equal(t, "test\\\"abc", ldap.ldapEscape("test\"abc"))
assert.Equal(t, "test\\=abc", ldap.ldapEscape("test=abc"))
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
assert.Equal(t, "test\\,\\5c\\28abc\\29", ldap.ldapEscape("test,\\(abc)"))
}
func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
mockFactory := NewMockLDAPConnectionFactory(ctrl)
ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldaps://127.0.0.1:389",
GroupsFilter: "(|(member={dn})(uid={username})(uid={input}))",
}, mockFactory)
profile := ldapUserProfile{
DN: "cn=john (external),dc=example,dc=com",
Username: "john",
Emails: []string{"john.doe@authelia.com"},
}
filter, _ := ldap.resolveGroupsFilter("john", &profile)
assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john))", filter)
filter, _ = ldap.resolveGroupsFilter("john#=(abc,def)", &profile)
assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john\\#\\=\\28abc\\,def\\29))", filter)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
}
type SearchRequestMatcher struct {
expected string
}
func NewSearchRequestMatcher(expected string) *SearchRequestMatcher {
return &SearchRequestMatcher{expected}
}
func (srm *SearchRequestMatcher) Matches(x interface{}) bool {
sr := x.(*ldap.SearchRequest)
return sr.Filter == srm.expected
}
func (srm *SearchRequestMatcher) String() string {
return ""
}
func TestShouldEscapeUserInput(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
UsersFilter: "(|({username_attribute}={input})({mail_attribute}={input}))",
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
UsernameAttribute: "uid",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
MailAttribute: "mail",
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockConn.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
// Here we ensure that the input has been correctly escaped.
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
Search(NewSearchRequestMatcher("(|(uid=john\\=abc)(mail=john\\=abc))")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(&ldap.SearchResult{}, nil)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
ldapClient.getUserProfile(mockConn, "john=abc")
}
func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
UsernameAttribute: "uid",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
UsersFilter: "(&({username_attribute}={input})(&(objectCategory=person)(objectClass=user)))",
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
MailAttribute: "mail",
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
}, mockFactory)
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
mockConn.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")).
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
Return(&ldap.SearchResult{}, nil)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
ldapClient.getUserProfile(mockConn, "john")
Escape special LDAP characters as suggested by OWASP. https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-20 19:34:53 +00:00
}
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult {
return &ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{Attributes: attributes},
},
}
}
func createSearchResultWithAttributeValues(values ...string) *ldap.SearchResult {
return createSearchResultWithAttributes(&ldap.EntryAttribute{
Values: values,
})
}
func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
UsernameAttribute: "uid",
MailAttribute: "mail",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
UsersFilter: "uid={input}",
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(mockConn, nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
mockConn.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Close()
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
searchProfile := mockConn.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Search(gomock.Any()).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "mail",
Values: []string{"test@example.com"},
},
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
gomock.InOrder(searchProfile, searchGroups)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
assert.Equal(t, details.Username, "john")
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
}
func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
UsernameAttribute: "uid",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
UsersFilter: "uid={input}",
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(mockConn, nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(nil)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
mockConn.EXPECT().
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Close()
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
searchProfile := mockConn.EXPECT().
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
Search(gomock.Any()).
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
gomock.InOrder(searchProfile, searchGroups)
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{})
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
assert.Equal(t, details.Username, "john")
}
func TestShouldReturnUsernameFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
UsernameAttribute: "uid",
MailAttribute: "mail",
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
UsersFilter: "uid={input}",
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
mockConn.EXPECT().
Close()
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
searchProfile := mockConn.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "mail",
Values: []string{"test@example.com"},
},
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
gomock.InOrder(searchProfile, searchGroups)
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.Username, "John")
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651) * [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. If group or email attribute configured by user in configuration is not found in user object the list of attributes in LDAP search result is empty. This change introduces a check before accessing the first element of the list which previously led to out of bound access. Fixes #647. * [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 22:21:07 +00:00
}