package validator
import (
"crypto/tls"
"net/url"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/suite"
"github.com/authelia/authelia/v4/internal/configuration/schema"
)
// TestShouldRaiseErrorWhenBothBackendsProvided checks that configuring the
// 'file' and 'ldap' backends at the same time is rejected, and that the empty
// LDAP section additionally reports every one of its required options.
func TestShouldRaiseErrorWhenBothBackendsProvided(t *testing.T) {
	v := schema.NewStructValidator()

	config := schema.AuthenticationBackend{
		LDAP: &schema.LDAPAuthenticationBackend{},
		File: &schema.FileAuthenticationBackend{Path: "/tmp"},
	}

	ValidateAuthenticationBackend(&config, v)

	// The mutual-exclusion error is reported first; the LDAP required-option
	// errors follow in the order the validator walks the fields.
	expected := []string{
		"authentication_backend: please ensure only one of the 'file' or 'ldap' backend is configured",
		"authentication_backend: ldap: option 'address' is required",
		"authentication_backend: ldap: option 'user' is required",
		"authentication_backend: ldap: option 'password' is required",
		"authentication_backend: ldap: option 'base_dn' is required",
		"authentication_backend: ldap: option 'users_filter' is required",
		"authentication_backend: ldap: option 'groups_filter' is required",
	}

	errs := v.Errors()
	require.Len(t, errs, len(expected))

	for i, want := range expected {
		assert.EqualError(t, errs[i], want)
	}
}
// TestShouldRaiseErrorWhenNoBackendProvided checks that an authentication
// backend with neither 'file' nor 'ldap' configured yields exactly one error.
func TestShouldRaiseErrorWhenNoBackendProvided(t *testing.T) {
	v := schema.NewStructValidator()
	config := schema.AuthenticationBackend{}

	ValidateAuthenticationBackend(&config, v)

	errs := v.Errors()
	require.Len(t, errs, 1)
	assert.EqualError(t, errs[0], "authentication_backend: you must ensure either the 'file' or 'ldap' authentication backend is configured")
}
// FileBasedAuthenticationBackend is the testify suite covering validation of
// the file authentication backend, in particular its password hashing options.
type FileBasedAuthenticationBackend struct {
	suite.Suite

	// config is rebuilt by SetupTest before each test and then mutated in
	// place by the individual tests before validation runs.
	config schema.AuthenticationBackend

	// validator collects the warnings and errors emitted by
	// ValidateAuthenticationBackend so each test can assert on them.
	validator *schema.StructValidator
}
// SetupTest gives every test a fresh validator and a file backend whose
// password hashing options start from schema.DefaultPasswordConfig, so a
// test only has to change the fields it is exercising.
func (suite *FileBasedAuthenticationBackend) SetupTest() {
	suite.validator = schema.NewStructValidator()

	suite.config = schema.AuthenticationBackend{
		File: &schema.FileAuthenticationBackend{
			Path:     "/a/path",
			Password: schema.DefaultPasswordConfig,
		},
	}
}
// TestShouldValidateCompleteConfiguration checks that the SetupTest baseline
// (a path plus the default password options) validates cleanly, with neither
// warnings nor errors.
func (suite *FileBasedAuthenticationBackend) TestShouldValidateCompleteConfiguration() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())
}
// TestShouldRaiseErrorWhenNoPathProvided checks that a file backend without a
// user database path is rejected with a single required-option error.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenNoPathProvided() {
	suite.config.File.Path = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: option 'path' is required")
}
// TestShouldSetDefaultConfigurationWhenBlank checks that an entirely empty
// password block is filled in from schema.DefaultPasswordConfig without any
// warning or error, so an operator who omits the block still gets the
// project's default hashing parameters rather than zero-valued ones.
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenBlank() {
	pw := &suite.config.File.Password
	*pw = schema.Password{}

	// Sanity check: every legacy top-level field really is blank beforehand.
	suite.Equal(0, pw.KeyLength)
	suite.Equal(0, pw.Iterations)
	suite.Equal(0, pw.SaltLength)
	suite.Equal("", pw.Algorithm)
	suite.Equal(0, pw.Memory)
	suite.Equal(0, pw.Parallelism)

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	want := schema.DefaultPasswordConfig
	got := suite.config.File.Password

	suite.Equal(want.KeyLength, got.KeyLength)
	suite.Equal(want.Iterations, got.Iterations)
	suite.Equal(want.SaltLength, got.SaltLength)
	suite.Equal(want.Algorithm, got.Algorithm)
	suite.Equal(want.Memory, got.Memory)
	suite.Equal(want.Parallelism, got.Parallelism)
}
// TestShouldMigrateLegacyConfigurationSHA512 checks that the legacy flat
// layout (algorithm set to the digest name with the cost parameters on the
// top level) is migrated into the sha2crypt sub-block with the same values.
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	suite.config.File.Password = schema.Password{
		Algorithm:  digestSHA512,
		Iterations: 1000000,
		SaltLength: 8,
	}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	got := suite.config.File.Password

	suite.Equal(hashSHA2Crypt, got.Algorithm)
	suite.Equal(digestSHA512, got.SHA2Crypt.Variant)
	suite.Equal(1000000, got.SHA2Crypt.Iterations)
	suite.Equal(8, got.SHA2Crypt.SaltLength)
}
// TestShouldMigrateLegacyConfigurationSHA512ButNotOverride checks that when
// both the legacy flat fields and an explicit sha2crypt sub-block are present,
// the explicit sub-block wins: the legacy values must not clobber it.
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512ButNotOverride() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	explicit := schema.SHA2CryptPassword{
		Variant:    digestSHA256,
		Iterations: 50000,
		SaltLength: 12,
	}

	suite.config.File.Password = schema.Password{
		Algorithm:  digestSHA512,
		Iterations: 1000000,
		SaltLength: 8,
		SHA2Crypt:  explicit,
	}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	got := suite.config.File.Password

	// The algorithm name is still normalised, but the sub-block keeps the
	// explicitly configured variant and costs.
	suite.Equal(hashSHA2Crypt, got.Algorithm)
	suite.Equal(digestSHA256, got.SHA2Crypt.Variant)
	suite.Equal(50000, got.SHA2Crypt.Iterations)
	suite.Equal(12, got.SHA2Crypt.SaltLength)
}
// TestShouldMigrateLegacyConfigurationSHA512Alt checks the legacy sha512
// migration when the legacy salt length (64) exceeds what sha2crypt accepts:
// the migration clamps it to 16 instead of rejecting the configuration.
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512Alt() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	suite.config.File.Password = schema.Password{
		Algorithm:  digestSHA512,
		Iterations: 1000000,
		SaltLength: 64,
	}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	got := suite.config.File.Password

	suite.Equal(hashSHA2Crypt, got.Algorithm)
	suite.Equal(digestSHA512, got.SHA2Crypt.Variant)
	suite.Equal(1000000, got.SHA2Crypt.Iterations)
	// Clamped from the legacy 64 down to the sha2crypt maximum.
	suite.Equal(16, got.SHA2Crypt.SaltLength)
}
// TestShouldMigrateLegacyConfigurationArgon2 checks that the legacy flat
// argon2id layout is migrated into the argon2 sub-block: the variant moves
// into the sub-block, the algorithm becomes "argon2", and the cost parameters
// are carried across (memory 1024 becomes 1048576, a factor of 1024 —
// presumably a unit change; see the validator for the exact rule).
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationArgon2() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	suite.config.File.Password = schema.Password{
		Algorithm:   "argon2id",
		Iterations:  4,
		Memory:      1024,
		Parallelism: 4,
		KeyLength:   64,
		SaltLength:  64,
	}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	got := suite.config.File.Password

	suite.Equal("argon2", got.Algorithm)
	suite.Equal("argon2id", got.Argon2.Variant)
	suite.Equal(4, got.Argon2.Iterations)
	suite.Equal(1048576, got.Argon2.Memory)
	suite.Equal(4, got.Argon2.Parallelism)
	suite.Equal(64, got.Argon2.KeyLength)
	suite.Equal(64, got.Argon2.SaltLength)
}
// TestShouldMigrateLegacyConfigurationArgon2ButNotOverride checks that an
// explicitly configured argon2 sub-block takes precedence over the legacy flat
// fields that sit next to it: none of the explicit values are overwritten.
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationArgon2ButNotOverride() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	explicit := schema.Argon2Password{
		Variant:     "argon2d",
		Iterations:  1,
		Memory:      2048,
		Parallelism: 1,
		KeyLength:   32,
		SaltLength:  32,
	}

	suite.config.File.Password = schema.Password{
		Algorithm:   "argon2id",
		Iterations:  4,
		Memory:      1024,
		Parallelism: 4,
		KeyLength:   64,
		SaltLength:  64,
		Argon2:      explicit,
	}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	got := suite.config.File.Password

	suite.Equal("argon2", got.Algorithm)
	suite.Equal(explicit.Variant, got.Argon2.Variant)
	suite.Equal(explicit.Iterations, got.Argon2.Iterations)
	suite.Equal(explicit.Memory, got.Argon2.Memory)
	suite.Equal(explicit.Parallelism, got.Argon2.Parallelism)
	suite.Equal(explicit.KeyLength, got.Argon2.KeyLength)
	suite.Equal(explicit.SaltLength, got.Argon2.SaltLength)
}
// TestShouldMigrateLegacyConfigurationWhenOnlySHA512Set checks the migration
// when the legacy layout names the digest but gives no cost parameters: the
// algorithm is normalised to sha2crypt, the variant becomes sha512, and the
// missing iterations and salt length are taken from the defaults.
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationWhenOnlySHA512Set() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	suite.config.File.Password.Algorithm = digestSHA512

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	want := schema.DefaultPasswordConfig.SHA2Crypt
	got := suite.config.File.Password

	suite.Equal(hashSHA2Crypt, got.Algorithm)
	suite.Equal(digestSHA512, got.SHA2Crypt.Variant)
	suite.Equal(want.Iterations, got.SHA2Crypt.Iterations)
	suite.Equal(want.SaltLength, got.SHA2Crypt.SaltLength)
}
// TestShouldRaiseErrorOnInvalidArgon2Variant checks that an unrecognised
// argon2 variant is rejected with a message listing the accepted spellings.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidArgon2Variant() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	pw := &suite.config.File.Password
	pw.Algorithm = "argon2"
	pw.Argon2.Variant = testInvalid

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: argon2: option 'variant' must be one of 'argon2id', 'id', 'argon2i', 'i', 'argon2d', or 'd' but it's configured as 'invalid'")
}
// TestShouldRaiseErrorOnInvalidSHA2CryptVariant checks that a sha2crypt
// variant other than sha256 or sha512 is rejected.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidSHA2CryptVariant() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	pw := &suite.config.File.Password
	pw.Algorithm = hashSHA2Crypt
	pw.SHA2Crypt.Variant = testInvalid

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: sha2crypt: option 'variant' must be one of 'sha256' or 'sha512' but it's configured as 'invalid'")
}
// TestShouldRaiseErrorOnInvalidSHA2CryptSaltLength checks that a sha2crypt
// salt length above the format's maximum of 16 is rejected.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidSHA2CryptSaltLength() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	pw := &suite.config.File.Password
	pw.Algorithm = hashSHA2Crypt
	pw.SHA2Crypt.SaltLength = 40

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '40' but must be less than or equal to '16'")
}
// TestShouldRaiseErrorOnInvalidPBKDF2Variant checks that a pbkdf2 digest
// outside the supported SHA-1/SHA-2 family is rejected.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidPBKDF2Variant() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	pw := &suite.config.File.Password
	pw.Algorithm = "pbkdf2"
	pw.PBKDF2.Variant = testInvalid

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: pbkdf2: option 'variant' must be one of 'sha1', 'sha224', 'sha256', 'sha384', or 'sha512' but it's configured as 'invalid'")
}
// TestShouldRaiseErrorOnInvalidBCryptVariant checks that a bcrypt variant
// other than 'standard' or 'sha256' is rejected.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidBCryptVariant() {
	suite.config.File.Password = schema.Password{}
	suite.Empty(suite.config.File.Password.Algorithm)

	pw := &suite.config.File.Password
	pw.Algorithm = "bcrypt"
	pw.BCrypt.Variant = testInvalid

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: bcrypt: option 'variant' must be one of 'standard' or 'sha256' but it's configured as 'invalid'")
}
// TestShouldRaiseErrorWhenSHA2CryptOptionsTooLow pins the sha2crypt lower
// bounds (1000 iterations, salt length 1) so a regression cannot let a
// configuration through that would produce cheaper-than-intended hashes.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSHA2CryptOptionsTooLow() {
	sha := &suite.config.File.Password.SHA2Crypt
	sha.Iterations = -1
	sha.SaltLength = -1

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: sha2crypt: option 'iterations' is configured as '-1' but must be greater than or equal to '1000'",
		"authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenSHA2CryptOptionsTooHigh pins the sha2crypt upper
// bounds (999999999 iterations, salt length 16).
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSHA2CryptOptionsTooHigh() {
	sha := &suite.config.File.Password.SHA2Crypt
	sha.Iterations = 999999999999
	sha.SaltLength = 99

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: sha2crypt: option 'iterations' is configured as '999999999999' but must be less than or equal to '999999999'",
		"authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '99' but must be less than or equal to '16'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenPBKDF2OptionsTooLow pins the pbkdf2 lower bounds
// (100000 iterations, salt length 8) that keep weak work factors out of a
// deployment's configuration.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenPBKDF2OptionsTooLow() {
	kdf := &suite.config.File.Password.PBKDF2
	kdf.Iterations = -1
	kdf.SaltLength = -1

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: pbkdf2: option 'iterations' is configured as '-1' but must be greater than or equal to '100000'",
		"authentication_backend: file: password: pbkdf2: option 'salt_length' is configured as '-1' but must be greater than or equal to '8'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenPBKDF2OptionsTooHigh pins the pbkdf2 upper bounds;
// both are the 32-bit signed maximum of 2147483647.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenPBKDF2OptionsTooHigh() {
	kdf := &suite.config.File.Password.PBKDF2
	kdf.Iterations = 2147483649
	kdf.SaltLength = 2147483650

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: pbkdf2: option 'iterations' is configured as '2147483649' but must be less than or equal to '2147483647'",
		"authentication_backend: file: password: pbkdf2: option 'salt_length' is configured as '2147483650' but must be less than or equal to '2147483647'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenBCryptOptionsTooLow pins the bcrypt minimum cost
// of 10.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBCryptOptionsTooLow() {
	suite.config.File.Password.BCrypt.Cost = -1

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: bcrypt: option 'cost' is configured as '-1' but must be greater than or equal to '10'")
}
// TestShouldRaiseErrorWhenBCryptOptionsTooHigh pins the bcrypt maximum cost
// of 31.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBCryptOptionsTooHigh() {
	suite.config.File.Password.BCrypt.Cost = 900

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: bcrypt: option 'cost' is configured as '900' but must be less than or equal to '31'")
}
// TestShouldRaiseErrorWhenSCryptOptionsTooLow pins the scrypt lower bounds:
// iterations, block size, parallelism and key length must be at least 1, and
// the salt length at least 8 (the value 7 is chosen to sit just under it).
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooLow() {
	kdf := &suite.config.File.Password.SCrypt
	kdf.Iterations = -1
	kdf.BlockSize = -21
	kdf.Parallelism = -11
	kdf.KeyLength = -77
	kdf.SaltLength = 7

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: scrypt: option 'iterations' is configured as '-1' but must be greater than or equal to '1'",
		"authentication_backend: file: password: scrypt: option 'block_size' is configured as '-21' but must be greater than or equal to '1'",
		"authentication_backend: file: password: scrypt: option 'parallelism' is configured as '-11' but must be greater than or equal to '1'",
		"authentication_backend: file: password: scrypt: option 'key_length' is configured as '-77' but must be greater than or equal to '1'",
		"authentication_backend: file: password: scrypt: option 'salt_length' is configured as '7' but must be greater than or equal to '8'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenSCryptOptionsTooHigh pins the scrypt upper bounds.
// Each input sits just above its limit (58, 36028797018963967, 1073741823,
// 137438953440 and 1024 respectively), so every option produces exactly one
// error.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooHigh() {
	kdf := &suite.config.File.Password.SCrypt
	kdf.Iterations = 59
	kdf.BlockSize = 360287970189639672
	kdf.Parallelism = 1073741825
	kdf.KeyLength = 1374389534409
	kdf.SaltLength = 2147483647

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: scrypt: option 'iterations' is configured as '59' but must be less than or equal to '58'",
		"authentication_backend: file: password: scrypt: option 'block_size' is configured as '360287970189639672' but must be less than or equal to '36028797018963967'",
		"authentication_backend: file: password: scrypt: option 'parallelism' is configured as '1073741825' but must be less than or equal to '1073741823'",
		"authentication_backend: file: password: scrypt: option 'key_length' is configured as '1374389534409' but must be less than or equal to '137438953440'",
		"authentication_backend: file: password: scrypt: option 'salt_length' is configured as '2147483647' but must be less than or equal to '1024'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenArgon2OptionsTooLow pins the argon2 lower bounds
// (iterations, parallelism and salt length at least 1; memory at least 8;
// key length at least 4). Note the validator reports parallelism before
// memory, which is not the order the fields are assigned here.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooLow() {
	kdf := &suite.config.File.Password.Argon2
	kdf.Iterations = -1
	kdf.Memory = -1
	kdf.Parallelism = -1
	kdf.KeyLength = 1
	kdf.SaltLength = -1

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: argon2: option 'iterations' is configured as '-1' but must be greater than or equal to '1'",
		"authentication_backend: file: password: argon2: option 'parallelism' is configured as '-1' but must be greater than or equal to '1'",
		"authentication_backend: file: password: argon2: option 'memory' is configured as '-1' but must be greater than or equal to '8'",
		"authentication_backend: file: password: argon2: option 'key_length' is configured as '1' but must be greater than or equal to '4'",
		"authentication_backend: file: password: argon2: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenArgon2OptionsTooHigh pins the argon2 upper bounds:
// iterations, key length and salt length are capped at 2147483647,
// parallelism at 16777215 and memory at 4294967295. Errors are reported in
// the order iterations, parallelism, memory, key_length, salt_length.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooHigh() {
	kdf := &suite.config.File.Password.Argon2
	kdf.Iterations = 9999999999
	kdf.Memory = 4294967296
	kdf.Parallelism = 16777216
	kdf.KeyLength = 9999999998
	kdf.SaltLength = 9999999997

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	expected := []string{
		"authentication_backend: file: password: argon2: option 'iterations' is configured as '9999999999' but must be less than or equal to '2147483647'",
		"authentication_backend: file: password: argon2: option 'parallelism' is configured as '16777216' but must be less than or equal to '16777215'",
		"authentication_backend: file: password: argon2: option 'memory' is configured as '4294967296' but must be less than or equal to '4294967295'",
		"authentication_backend: file: password: argon2: option 'key_length' is configured as '9999999998' but must be less than or equal to '2147483647'",
		"authentication_backend: file: password: argon2: option 'salt_length' is configured as '9999999997' but must be less than or equal to '2147483647'",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(expected))

	for i, want := range expected {
		suite.EqualError(errs[i], want)
	}
}
// TestShouldRaiseErrorWhenArgon2MemoryTooLow checks that an argon2 memory
// value below the absolute minimum of 8 is rejected with the plain
// lower-bound message (the parallelism-derived minimum is a separate check).
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2MemoryTooLow() {
	kdf := &suite.config.File.Password.Argon2
	kdf.Memory = 4
	kdf.Parallelism = 4

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '4' but must be greater than or equal to '8'")
}
// TestShouldRaiseErrorWhenArgon2MemoryTooLowMultiplier checks the
// parallelism-dependent argon2 memory floor: memory 8 passes the absolute
// minimum but is below 8 times the parallelism of 4, i.e. 32, and is
// rejected.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2MemoryTooLowMultiplier() {
	kdf := &suite.config.File.Password.Argon2
	kdf.Memory = 8
	kdf.Parallelism = 4

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)
	// NOTE(review): the expected text carries an unmatched quote in
	// "'parallelism)"; it mirrors the validator's current wording, so the
	// message and this assertion need to be corrected together.
	suite.EqualError(errs[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '8' but must be greater than or equal to '32' or '4' (the value of 'parallelism) multiplied by '8'")
}
// TestShouldRaiseErrorWhenBadAlgorithmDefined checks that an unknown password
// hashing algorithm name is rejected and the error lists the accepted ones.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBadAlgorithmDefined() {
	suite.config.File.Password.Algorithm = "bogus"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: file: password: option 'algorithm' must be one of 'sha2crypt', 'pbkdf2', 'scrypt', 'bcrypt', or 'argon2' but it's configured as 'bogus'")
}
// TestShouldSetDefaultValues checks that every zeroed password tunable is
// filled in from schema.DefaultPasswordConfig without any error or warning.
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultValues() {
	// Zero each tunable so the validator has to supply all of them.
	file := suite.config.File
	file.Password.Algorithm = ""
	file.Password.Iterations = 0
	file.Password.SaltLength = 0
	file.Password.Memory = 0
	file.Password.Parallelism = 0

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)
	suite.Len(suite.validator.Errors(), 0)

	// Re-read after validation so we compare what the validator actually wrote.
	want, got := schema.DefaultPasswordConfig, suite.config.File.Password

	suite.Equal(want.Algorithm, got.Algorithm)
	suite.Equal(want.Iterations, got.Iterations)
	suite.Equal(want.SaltLength, got.SaltLength)
	suite.Equal(want.Memory, got.Memory)
	suite.Equal(want.Parallelism, got.Parallelism)
}
// TestShouldRaiseErrorWhenResetURLIsInvalid checks that a password reset
// custom_url with a scheme outside the http/https allow-list is rejected, and
// that the validator leaves the explicit Disable=true untouched on that path.
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenResetURLIsInvalid() {
	custom := url.URL{Scheme: "ldap", Host: "google.com"}

	suite.config.PasswordReset.CustomURL = custom
	suite.config.PasswordReset.Disable = true

	suite.True(suite.config.PasswordReset.Disable)

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: password_reset: option 'custom_url' is configured to 'ldap://google.com' which has the scheme 'ldap' but the scheme must be either 'http' or 'https'")

	// Contrast with the valid-URL case: an invalid URL must not flip Disable.
	suite.True(suite.config.PasswordReset.Disable)
}
// TestShouldNotRaiseErrorWhenResetURLIsValid checks that an https custom_url
// passes validation cleanly.
func (suite *FileBasedAuthenticationBackend) TestShouldNotRaiseErrorWhenResetURLIsValid() {
	custom := url.URL{Scheme: "https", Host: "google.com"}
	suite.config.PasswordReset.CustomURL = custom

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)
	suite.Len(suite.validator.Errors(), 0)
}
// TestShouldConfigureDisableResetPasswordWhenCustomURL checks that a valid
// custom_url causes the validator to clear PasswordReset.Disable even when it
// was explicitly set to true beforehand.
func (suite *FileBasedAuthenticationBackend) TestShouldConfigureDisableResetPasswordWhenCustomURL() {
	custom := url.URL{Scheme: "https", Host: "google.com"}

	suite.config.PasswordReset.CustomURL = custom
	suite.config.PasswordReset.Disable = true

	suite.True(suite.config.PasswordReset.Disable)

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)
	suite.Len(suite.validator.Errors(), 0)

	// A usable custom URL implies reset is enabled via that URL.
	suite.False(suite.config.PasswordReset.Disable)
}
// TestFileBasedAuthenticationBackend runs the file-backend suite under go test.
func TestFileBasedAuthenticationBackend(t *testing.T) {
	s := &FileBasedAuthenticationBackend{}
	suite.Run(t, s)
}
// LDAPAuthenticationBackendSuite exercises ValidateAuthenticationBackend
// against an LDAP backend using the custom implementation. SetupTest rebuilds
// config and validator before every test so cases don't leak state.
type LDAPAuthenticationBackendSuite struct {
	suite.Suite
	config    schema.AuthenticationBackend // configuration under test; rebuilt per test
	validator *schema.StructValidator      // collects the errors/warnings each test asserts on
}
// SetupTest builds a complete, valid custom-implementation LDAP configuration
// and a fresh validator; individual tests then break one field at a time.
func (suite *LDAPAuthenticationBackendSuite) SetupTest() {
	suite.validator = schema.NewStructValidator()

	suite.config = schema.AuthenticationBackend{
		LDAP: &schema.LDAPAuthenticationBackend{
			Implementation: schema.LDAPImplementationCustom,
			Address:        &schema.AddressLDAP{Address: *testLDAPAddress},
			User:           testLDAPUser,
			Password:       testLDAPPassword,
			BaseDN:         testLDAPBaseDN,
			UsersFilter:    "({username_attribute}={input})",
			GroupsFilter:   "(cn={input})",
		},
	}

	suite.config.LDAP.Attributes.Username = "uid"
}
// TestShouldValidateCompleteConfiguration checks that the baseline config
// from SetupTest passes with neither errors nor warnings.
func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)
}
// TestShouldValidateDefaultImplementationAndUsernameAttribute checks that an
// empty implementation defaults to custom and an empty username attribute is
// filled from the custom implementation's defaults.
func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementationAndUsernameAttribute() {
	ldap := suite.config.LDAP
	ldap.Implementation = ""
	ldap.Attributes.Username = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	defaults := schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom

	suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)
	suite.Equal(suite.config.LDAP.Attributes.Username, defaults.Attributes.Username)

	suite.Len(suite.validator.Warnings(), 0)
	suite.Len(suite.validator.Errors(), 0)
}
// TestShouldRaiseErrorWhenImplementationIsInvalidMSAD checks that a
// misspelled implementation name is rejected and the error lists the
// accepted implementations.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenImplementationIsInvalidMSAD() {
	suite.config.LDAP.Implementation = "masd"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'implementation' must be one of 'custom', 'activedirectory', 'rfc2307bis', 'freeipa', 'lldap', or 'glauth' but it's configured as 'masd'")
}
// TestShouldRaiseErrorWhenURLNotProvided checks that a nil address yields
// exactly the 'address is required' error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenURLNotProvided() {
	suite.config.LDAP.Address = nil

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'address' is required")
}
// TestShouldRaiseErrorWhenUserNotProvided checks that an empty bind user
// yields exactly the 'user is required' error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenUserNotProvided() {
	suite.config.LDAP.User = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'user' is required")
}
// TestShouldRaiseErrorWhenPasswordNotProvided checks that an empty bind
// password is an error unless unauthenticated bind is explicitly permitted
// (covered by the PermitUnauthenticatedBind tests).
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenPasswordNotProvided() {
	suite.config.LDAP.Password = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'password' is required")
}
// TestShouldNotRaiseErrorWhenPasswordNotProvidedWithPermitUnauthenticatedBind
// checks that permitting an unauthenticated bind removes the password
// requirement but is still refused while password reset remains enabled,
// since reset needs a privileged bind.
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseErrorWhenPasswordNotProvidedWithPermitUnauthenticatedBind() {
	ldap := suite.config.LDAP
	ldap.Password = ""
	ldap.PermitUnauthenticatedBind = true

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when password reset is enabled")
}
// TestShouldRaiseErrorWhenPasswordProvidedWithPermitUnauthenticatedBind checks
// that unauthenticated bind and a configured bind password are mutually
// exclusive even when password reset is disabled.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenPasswordProvidedWithPermitUnauthenticatedBind() {
	ldap := suite.config.LDAP
	ldap.Password = "test"
	ldap.PermitUnauthenticatedBind = true

	// Disable reset so the only remaining conflict is the password itself.
	suite.config.PasswordReset.Disable = true

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when a password is specified")
}
// TestShouldSetDefaultPorts checks that ldap:// and ldaps:// addresses without
// a port get 389 and 636 respectively, and that an ldapi:// socket path is
// left untouched.
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultPorts() {
	cases := []struct {
		in   string
		want string
	}{
		{in: "ldap://abc", want: "ldap://abc:389"},
		{in: "ldaps://abc", want: "ldaps://abc:636"},
		{in: "ldapi:///a/path", want: "ldapi:///a/path"},
	}

	// The same validator is reused across cases, so any error would also be
	// visible in the later Len(Errors(), 0) checks.
	for _, tc := range cases {
		suite.config.LDAP.Address = &schema.AddressLDAP{Address: MustParseAddress(tc.in)}

		ValidateAuthenticationBackend(&suite.config, suite.validator)

		suite.Len(suite.validator.Warnings(), 0)
		suite.Len(suite.validator.Errors(), 0)
		suite.Equal(tc.want, suite.config.LDAP.Address.String())
	}
}
// TestShouldNotRaiseErrorWhenPermitUnauthenticatedBindConfiguredCorrectly
// checks the one accepted combination: no bind password, unauthenticated bind
// permitted, and password reset disabled.
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseErrorWhenPermitUnauthenticatedBindConfiguredCorrectly() {
	ldap := suite.config.LDAP
	ldap.Password = ""
	ldap.PermitUnauthenticatedBind = true

	suite.config.PasswordReset.Disable = true

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)
	suite.Require().Len(suite.validator.Errors(), 0)
}
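// TestShouldRaiseErrorWhenBaseDNNotProvided checks that an empty base_dn
// yields exactly the 'base_dn is required' error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenBaseDNNotProvided() {
	suite.config.LDAP.BaseDN = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	// Require() so a wrong error count fails the test instead of panicking
	// on the index below; this matches every sibling test in the suite.
	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'base_dn' is required")
}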
// TestShouldRaiseOnEmptyGroupsFilter checks that an empty groups_filter
// yields exactly the 'groups_filter is required' error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnEmptyGroupsFilter() {
	suite.config.LDAP.GroupsFilter = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'groups_filter' is required")
}
// TestShouldRaiseOnEmptyUsersFilter checks that an empty users_filter yields
// exactly the 'users_filter is required' error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsersFilter() {
	suite.config.LDAP.UsersFilter = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'users_filter' is required")
}
// TestShouldNotRaiseOnEmptyUsernameAttribute checks that an empty username
// attribute is not an error (it is defaulted rather than required).
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseOnEmptyUsernameAttribute() {
	suite.config.LDAP.Attributes.Username = ""

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)
}
// TestShouldRaiseOnBadRefreshInterval checks that a refresh_interval which is
// neither a duration nor one of the 'disable'/'always' keywords is rejected.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnBadRefreshInterval() {
	suite.config.RefreshInterval = "blah"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: option 'refresh_interval' is configured to 'blah' but it must be either in duration common syntax or one of 'disable', or 'always': could not parse 'blah' as a duration")
}
// TestShouldSetDefaultImplementation checks that the baseline config keeps
// the custom implementation after validation.
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultImplementation() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)
}
// TestShouldRaiseErrorOnBadFilterPlaceholders checks that the removed
// positional placeholders {0} and {1} are each reported with the replacement
// to use, and that the users_filter is additionally flagged for lacking
// {input}, in a fixed order.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorOnBadFilterPlaceholders() {
	ldap := suite.config.LDAP
	ldap.UsersFilter = "(&({username_attribute}={0})(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
	ldap.GroupsFilter = "(&({username_attribute}={1})(member={0})(objectClass=group)(objectCategory=group))"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)
	suite.True(suite.validator.HasErrors())

	want := []string{
		"authentication_backend: ldap: option 'users_filter' has an invalid placeholder: '{0}' has been removed, please use '{input}' instead",
		"authentication_backend: ldap: option 'groups_filter' has an invalid placeholder: '{0}' has been removed, please use '{input}' instead",
		"authentication_backend: ldap: option 'groups_filter' has an invalid placeholder: '{1}' has been removed, please use '{username}' instead",
		"authentication_backend: ldap: option 'users_filter' must contain the placeholder '{input}' but it's absent",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(want))

	// Order matters: the validator reports users_filter first, then groups_filter.
	for i, msg := range want {
		suite.EqualError(errs[i], msg)
	}
}
// TestShouldSetDefaultGroupNameAttribute checks that the group name attribute
// defaults to "cn" for the custom implementation.
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	suite.Equal("cn", suite.config.LDAP.Attributes.GroupName)
}
// TestShouldSetDefaultMailAttribute checks that the mail attribute defaults
// to "mail" for the custom implementation.
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	suite.Equal("mail", suite.config.LDAP.Attributes.Mail)
}
// TestShouldSetDefaultDisplayNameAttribute checks that the display name
// attribute defaults to "displayName" for the custom implementation.
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttribute() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	suite.Equal("displayName", suite.config.LDAP.Attributes.DisplayName)
}
// TestShouldSetDefaultRefreshInterval checks that an unset refresh_interval
// defaults to "5m".
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultRefreshInterval() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	suite.Equal("5m", suite.config.RefreshInterval)
}
// TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis checks
// that a users_filter without outer parentheses is rejected, and the error
// suggests the parenthesised form.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
	suite.config.LDAP.UsersFilter = "{username_attribute}={input}"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'users_filter' must contain enclosing parenthesis: '{username_attribute}={input}' should probably be '({username_attribute}={input})'")
}
// TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis checks
// that a groups_filter without outer parentheses is rejected, and the error
// suggests the parenthesised form.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
	suite.config.LDAP.GroupsFilter = "cn={input}"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'groups_filter' must contain enclosing parenthesis: 'cn={input}' should probably be '(cn={input})'")
}
// TestShouldRaiseWhenUsersFilterDoesNotContainUsernameAttribute checks that a
// users_filter matching on {mail_attribute} alone is rejected for missing the
// mandatory {username_attribute} placeholder.
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainUsernameAttribute() {
	suite.config.LDAP.UsersFilter = "(&({mail_attribute}={input})(objectClass=person))"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'users_filter' must contain the placeholder '{username_attribute}' but it's absent")
}
// TestShouldHelpDetectNoInputPlaceholder checks that a users_filter which
// never references {input} is rejected; without it the filter could not bind
// the user's submitted identifier.
func (suite *LDAPAuthenticationBackendSuite) TestShouldHelpDetectNoInputPlaceholder() {
	suite.config.LDAP.UsersFilter = "(&({username_attribute}={mail_attribute})(objectClass=person))"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'users_filter' must contain the placeholder '{input}' but it's absent")
}
// TestShouldSetDefaultTLSMinimumVersion checks that a zero-valued TLS minimum
// version is replaced by the custom implementation's default minimum.
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultTLSMinimumVersion() {
	suite.config.LDAP.TLS = &schema.TLSConfig{MinimumVersion: schema.TLSVersion{}}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	want := schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS.MinimumVersion.Value
	got := suite.config.LDAP.TLS.MinimumVersion.MinVersion()

	suite.Equal(want, got)
}
// TestShouldNotAllowSSL30 checks that SSL 3.0 cannot be configured as the
// minimum protocol version; the validator's floor is TLS 1.0 per the error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowSSL30() {
	// tls.VersionSSL30 is deprecated in crypto/tls, which is exactly why it
	// is used here as the rejected value.
	ssl30 := schema.TLSVersion{Value: tls.VersionSSL30} //nolint:staticcheck

	suite.config.LDAP.TLS = &schema.TLSConfig{MinimumVersion: ssl30}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
}
// TestShouldErrorOnBadSearchMode checks that group_search_mode is matched
// case-sensitively: "memberOF" is rejected even though "memberof" is valid.
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnBadSearchMode() {
	suite.config.LDAP.GroupSearchMode = "memberOF"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'group_search_mode' must be one of 'filter' or 'memberof' but it's configured as 'memberOF'")
}
// TestShouldNoErrorOnPlaceholderSearchMode checks the valid memberof setup:
// search mode memberof, a groups_filter using the memberof placeholder, and
// the member_of attribute configured.
func (suite *LDAPAuthenticationBackendSuite) TestShouldNoErrorOnPlaceholderSearchMode() {
	ldap := suite.config.LDAP
	ldap.GroupSearchMode = memberof
	ldap.GroupsFilter = filterMemberOfRDN
	ldap.Attributes.MemberOf = memberOf

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)
}
// TestShouldErrorOnMissingPlaceholderSearchMode checks that memberof search
// mode requires the groups_filter to contain a {memberof:rdn} or
// {memberof:dn} placeholder.
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingPlaceholderSearchMode() {
	// groups_filter stays at the SetupTest value, which has no memberof placeholder.
	suite.config.LDAP.GroupSearchMode = memberof

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: option 'groups_filter' must contain one of the '{memberof:rdn}' or '{memberof:dn}' placeholders when using a group_search_mode of 'memberof' but they're absent")
}
// TestShouldErrorOnMissingDistinguishedNameDN checks that using the
// {memberof:dn} placeholder without the distinguished_name and member_of
// attributes produces both errors, distinguished_name first.
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingDistinguishedNameDN() {
	ldap := suite.config.LDAP
	ldap.Attributes.DistinguishedName = ""
	ldap.GroupsFilter = "(|({memberof:dn}))"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	want := []string{
		"authentication_backend: ldap: attributes: option 'distinguished_name' must be provided when using the '{memberof:dn}' placeholder but it's absent",
		"authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent",
	}

	errs := suite.validator.Errors()
	suite.Require().Len(errs, len(want))

	for i, msg := range want {
		suite.EqualError(errs[i], msg)
	}
}
// TestShouldErrorOnMissingMemberOfRDN checks that the {memberof:rdn}
// placeholder needs only the member_of attribute: distinguished_name may be
// empty without a second error.
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingMemberOfRDN() {
	ldap := suite.config.LDAP
	ldap.Attributes.DistinguishedName = ""
	ldap.GroupsFilter = filterMemberOfRDN

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
}
// TestShouldNotAllowTLSVerMinGreaterThanVerMax checks that a TLS minimum
// version above the maximum version is rejected as an invalid combination.
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowTLSVerMinGreaterThanVerMax() {
	minVer := schema.TLSVersion{Value: tls.VersionTLS13}
	maxVer := schema.TLSVersion{Value: tls.VersionTLS12}

	suite.config.LDAP.TLS = &schema.TLSConfig{
		MinimumVersion: minVer,
		MaximumVersion: maxVer,
	}

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Len(suite.validator.Warnings(), 0)

	errs := suite.validator.Errors()
	suite.Require().Len(errs, 1)

	suite.EqualError(errs[0], "authentication_backend: ldap: tls: option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version TLS1.3 is greater than the maximum version TLS1.2")
}
// TestLDAPAuthenticationBackend runs the custom-implementation LDAP suite
// under go test.
func TestLDAPAuthenticationBackend(t *testing.T) {
	s := &LDAPAuthenticationBackendSuite{}
	suite.Run(t, s)
}
// ActiveDirectoryAuthenticationBackendSuite exercises ValidateAuthenticationBackend
// with Implementation set to active directory. The config/validator fields and
// the EqualImplementationDefaults helpers used by its tests come from the
// embedded LDAPImplementationSuite, which is defined elsewhere in this file.
type ActiveDirectoryAuthenticationBackendSuite struct {
	LDAPImplementationSuite
}
// SetupTest builds a minimal active directory configuration: implementation,
// address, bind credentials, base DN and the implementation's default TLS
// settings. Filters and attributes are deliberately left empty so the
// defaulting tests can observe what the validator fills in.
func (suite *ActiveDirectoryAuthenticationBackendSuite) SetupTest() {
	suite.validator = schema.NewStructValidator()

	defaults := schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory

	suite.config = schema.AuthenticationBackend{
		LDAP: &schema.LDAPAuthenticationBackend{
			Implementation: schema.LDAPImplementationActiveDirectory,
			Address:        &schema.AddressLDAP{Address: *testLDAPAddress},
			User:           testLDAPUser,
			Password:       testLDAPPassword,
			BaseDN:         testLDAPBaseDN,
			TLS:            defaults.TLS,
		},
	}
}
// TestShouldSetActiveDirectoryDefaults checks that validating the minimal
// active directory config fills in the implementation defaults exactly.
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirectoryDefaults() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	v := suite.validator
	suite.Len(v.Warnings(), 0)
	suite.Len(v.Errors(), 0)

	defaults := schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory
	suite.EqualImplementationDefaults(defaults)
}
// TestShouldOnlySetDefaultsIfNotManuallyConfigured checks that explicitly
// configured values are not overwritten by the active directory defaults:
// every defaultable field is set to a non-default value beforehand and must
// differ from the defaults afterwards.
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
	ldap := suite.config.LDAP

	ldap.Timeout = time.Second * 2
	ldap.UsersFilter = "(&({username_attribute}={input})(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
	ldap.GroupsFilter = "(&(member={dn})(objectClass=group)(objectCategory=group))"
	ldap.AdditionalUsersDN = "OU=test"
	ldap.AdditionalGroupsDN = "OU=grps"
	ldap.GroupSearchMode = memberof

	ldap.Attributes.Username = "cn"
	ldap.Attributes.Mail = "userPrincipalName"
	ldap.Attributes.DisplayName = "name"
	ldap.Attributes.GroupName = "distinguishedName"
	ldap.Attributes.MemberOf = member
	ldap.Attributes.DistinguishedName = "objectGUID"

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	defaults := schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory
	suite.NotEqualImplementationDefaults(defaults)

	// The memberof-related fields are checked individually as well.
	got := suite.config.LDAP
	suite.Equal(member, got.Attributes.MemberOf)
	suite.Equal("objectGUID", got.Attributes.DistinguishedName)
	suite.Equal(memberof, got.GroupSearchMode)
}
// TestShouldRaiseErrorOnInvalidURLWithHTTP pins the address scheme allowlist:
// an 'http' scheme is rejected while the configuration is loaded, before any
// connection is attempted, and the error names the schemes that are accepted.
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldRaiseErrorOnInvalidURLWithHTTP() {
	const want = "authentication_backend: ldap: option 'address' with value 'http://dc1:389' is invalid: scheme must be one of 'ldap', 'ldaps', or 'ldapi' but is configured as 'http'"

	address := schema.AddressLDAP{Address: MustParseAddress("http://dc1:389")}
	suite.config.LDAP.Address = &address

	validateLDAPAuthenticationAddress(suite.config.LDAP, suite.validator)

	errs := suite.validator.Errors()

	suite.Require().Len(errs, 1)
	suite.EqualError(errs[0], want)
}
// TestActiveDirectoryAuthenticationBackend runs the Active Directory suite
// under the standard testing harness.
func TestActiveDirectoryAuthenticationBackend(t *testing.T) {
	suite.Run(t, &ActiveDirectoryAuthenticationBackendSuite{})
}
// RFC2307bisAuthenticationBackendSuite exercises the RFC2307bis implementation
// defaults. The fixture fields and the default-comparison helpers come from
// the embedded LDAPImplementationSuite.
type RFC2307bisAuthenticationBackendSuite struct {
	LDAPImplementationSuite
}
// SetupTest builds a minimal but complete RFC2307bis configuration before each
// test: a fresh validator, the required connection options, and TLS settings
// copied from the implementation defaults. TLS validation itself is not
// exercised by this suite.
func (suite *RFC2307bisAuthenticationBackendSuite) SetupTest() {
	suite.validator = schema.NewStructValidator()

	ldap := &schema.LDAPAuthenticationBackend{
		Implementation: schema.LDAPImplementationRFC2307bis,
		Address:        &schema.AddressLDAP{Address: *testLDAPAddress},
		User:           testLDAPUser,
		Password:       testLDAPPassword,
		BaseDN:         testLDAPBaseDN,
		TLS:            schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.TLS,
	}

	suite.config = schema.AuthenticationBackend{LDAP: ldap}
}
// TestShouldSetDefaults verifies that a configuration carrying only the
// required connection options validates cleanly (no warnings, no errors) and
// that every RFC2307bis implementation default is applied.
func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldSetDefaults() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis)
}
// TestShouldOnlySetDefaultsIfNotManuallyConfigured checks that explicitly
// configured RFC2307bis options are preserved by validation rather than being
// overwritten by the implementation defaults.
func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
	ldap := suite.config.LDAP

	// Values are chosen to differ from every RFC2307bis default.
	ldap.Timeout = 2 * time.Second
	ldap.AdditionalUsersDN = "OU=users,OU=OpenLDAP"
	ldap.AdditionalGroupsDN = "OU=groups,OU=OpenLDAP"
	ldap.GroupSearchMode = memberof

	ldap.UsersFilter = "(&({username_attribute}={input})(objectClass=Person))"
	ldap.GroupsFilter = "(&(member={dn})(objectClass=posixGroup)(objectClass=top))"

	ldap.Attributes.Username = "o"
	ldap.Attributes.Mail = "Email"
	ldap.Attributes.DisplayName = "Given"
	ldap.Attributes.GroupName = "gid"
	ldap.Attributes.MemberOf = member

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis)
	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
	// DistinguishedName was never configured and has no RFC2307bis default.
	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
}
// TestRFC2307bisAuthenticationBackend runs the RFC2307bis suite under the
// standard testing harness.
func TestRFC2307bisAuthenticationBackend(t *testing.T) {
	suite.Run(t, &RFC2307bisAuthenticationBackendSuite{})
}
// FreeIPAAuthenticationBackendSuite exercises the FreeIPA implementation
// defaults. The fixture fields and the default-comparison helpers come from
// the embedded LDAPImplementationSuite.
type FreeIPAAuthenticationBackendSuite struct {
	LDAPImplementationSuite
}
// SetupTest builds a minimal but complete FreeIPA configuration before each
// test: a fresh validator, the required connection options, and TLS settings
// copied from the implementation defaults. TLS validation itself is not
// exercised by this suite.
func (suite *FreeIPAAuthenticationBackendSuite) SetupTest() {
	suite.validator = schema.NewStructValidator()

	ldap := &schema.LDAPAuthenticationBackend{
		Implementation: schema.LDAPImplementationFreeIPA,
		Address:        &schema.AddressLDAP{Address: *testLDAPAddress},
		User:           testLDAPUser,
		Password:       testLDAPPassword,
		BaseDN:         testLDAPBaseDN,
		TLS:            schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.TLS,
	}

	suite.config = schema.AuthenticationBackend{LDAP: ldap}
}
// TestShouldSetDefaults verifies that a configuration carrying only the
// required connection options validates cleanly (no warnings, no errors) and
// that every FreeIPA implementation default is applied.
func (suite *FreeIPAAuthenticationBackendSuite) TestShouldSetDefaults() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA)
}
// TestShouldOnlySetDefaultsIfNotManuallyConfigured checks that explicitly
// configured FreeIPA options are preserved by validation rather than being
// overwritten by the implementation defaults.
func (suite *FreeIPAAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
	ldap := suite.config.LDAP

	// Values are chosen to differ from every FreeIPA default.
	ldap.Timeout = 2 * time.Second
	ldap.AdditionalUsersDN = "OU=people"
	ldap.AdditionalGroupsDN = "OU=grp"
	ldap.GroupSearchMode = schema.LDAPGroupSearchModeMemberOf

	// The custom users filter keeps the nsAccountLock=TRUE exclusion, so
	// locked accounts are not returned by the user search.
	ldap.UsersFilter = "(&({username_attribute}={input})(objectClass=person)(!(nsAccountLock=TRUE)))"
	ldap.GroupsFilter = "(&(member={dn})(objectClass=posixgroup))"

	ldap.Attributes.Username = "dn"
	ldap.Attributes.Mail = "email"
	ldap.Attributes.DisplayName = "gecos"
	ldap.Attributes.GroupName = "groupName"
	ldap.Attributes.MemberOf = member

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA)
	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
	// DistinguishedName was never configured and has no FreeIPA default.
	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
}
// TestFreeIPAAuthenticationBackend runs the FreeIPA suite under the standard
// testing harness.
func TestFreeIPAAuthenticationBackend(t *testing.T) {
	suite.Run(t, &FreeIPAAuthenticationBackendSuite{})
}
// LLDAPAuthenticationBackendSuite exercises the LLDAP implementation defaults.
// The fixture fields and the default-comparison helpers come from the embedded
// LDAPImplementationSuite.
type LLDAPAuthenticationBackendSuite struct {
	LDAPImplementationSuite
}
// SetupTest builds a minimal but complete LLDAP configuration before each
// test: a fresh validator, the required connection options, and TLS settings
// copied from the implementation defaults. TLS validation itself is not
// exercised by this suite.
func (suite *LLDAPAuthenticationBackendSuite) SetupTest() {
	suite.validator = schema.NewStructValidator()

	ldap := &schema.LDAPAuthenticationBackend{
		Implementation: schema.LDAPImplementationLLDAP,
		Address:        &schema.AddressLDAP{Address: *testLDAPAddress},
		User:           testLDAPUser,
		Password:       testLDAPPassword,
		BaseDN:         testLDAPBaseDN,
		TLS:            schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.TLS,
	}

	suite.config = schema.AuthenticationBackend{LDAP: ldap}
}
// TestShouldSetDefaults verifies that a configuration carrying only the
// required connection options validates cleanly (no warnings, no errors) and
// that every LLDAP implementation default is applied.
func (suite *LLDAPAuthenticationBackendSuite) TestShouldSetDefaults() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP)
}
// TestShouldOnlySetDefaultsIfNotManuallyConfigured checks that explicitly
// configured LLDAP options are preserved by validation rather than being
// overwritten by the implementation defaults.
func (suite *LLDAPAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
	ldap := suite.config.LDAP

	// Values are chosen to differ from every LLDAP default.
	ldap.Timeout = 2 * time.Second
	ldap.AdditionalUsersDN = "OU=no"
	ldap.AdditionalGroupsDN = "OU=yes"
	ldap.GroupSearchMode = memberof

	// The custom users filter keeps the nsAccountLock=TRUE exclusion, so
	// locked accounts are not returned by the user search.
	ldap.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(nsAccountLock=TRUE)))"
	ldap.GroupsFilter = "(&(member={dn})(!(objectClass=posixGroup)))"

	ldap.Attributes.Username = "username"
	ldap.Attributes.Mail = "m"
	ldap.Attributes.DisplayName = "fn"
	ldap.Attributes.GroupName = "grpz"
	ldap.Attributes.MemberOf = member

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP)
	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
	// DistinguishedName was never configured and has no LLDAP default.
	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
}
// TestLLDAPAuthenticationBackend runs the LLDAP suite under the standard
// testing harness.
func TestLLDAPAuthenticationBackend(t *testing.T) {
	suite.Run(t, &LLDAPAuthenticationBackendSuite{})
}
// GLAuthAuthenticationBackendSuite exercises the GLAuth implementation
// defaults. The fixture fields and the default-comparison helpers come from
// the embedded LDAPImplementationSuite.
type GLAuthAuthenticationBackendSuite struct {
	LDAPImplementationSuite
}
// SetupTest builds a minimal but complete GLAuth configuration before each
// test: a fresh validator, the required connection options, and TLS settings
// copied from the implementation defaults. TLS validation itself is not
// exercised by this suite.
func (suite *GLAuthAuthenticationBackendSuite) SetupTest() {
	suite.validator = schema.NewStructValidator()

	ldap := &schema.LDAPAuthenticationBackend{
		Implementation: schema.LDAPImplementationGLAuth,
		Address:        &schema.AddressLDAP{Address: *testLDAPAddress},
		User:           testLDAPUser,
		Password:       testLDAPPassword,
		BaseDN:         testLDAPBaseDN,
		TLS:            schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.TLS,
	}

	suite.config = schema.AuthenticationBackend{LDAP: ldap}
}
// TestShouldSetDefaults verifies that a configuration carrying only the
// required connection options validates cleanly (no warnings, no errors) and
// that every GLAuth implementation default is applied.
func (suite *GLAuthAuthenticationBackendSuite) TestShouldSetDefaults() {
	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.Empty(suite.validator.Warnings())
	suite.Empty(suite.validator.Errors())

	suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth)
}
// TestShouldOnlySetDefaultsIfNotManuallyConfigured checks that explicitly
// configured GLAuth options are preserved by validation rather than being
// overwritten by the implementation defaults.
func (suite *GLAuthAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
	ldap := suite.config.LDAP

	// Values are chosen to differ from every GLAuth default.
	ldap.Timeout = 2 * time.Second
	ldap.AdditionalUsersDN = "OU=users,OU=GlAuth"
	ldap.AdditionalGroupsDN = "OU=groups,OU=GLAuth"
	ldap.GroupSearchMode = memberof

	// The custom users filter keeps the accountStatus=inactive exclusion, so
	// inactive accounts are not returned by the user search.
	ldap.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(accountStatus=inactive)))"
	ldap.GroupsFilter = "(&(member={dn})(objectClass=posixGroup))"

	ldap.Attributes.Username = "description"
	ldap.Attributes.Mail = "sender"
	ldap.Attributes.DisplayName = "given"
	ldap.Attributes.GroupName = "grp"
	ldap.Attributes.MemberOf = member

	ValidateAuthenticationBackend(&suite.config, suite.validator)

	suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth)
	suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
	// DistinguishedName was never configured and has no GLAuth default.
	suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
	suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
}
// TestGLAuthAuthenticationBackend runs the GLAuth suite under the standard
// testing harness.
func TestGLAuthAuthenticationBackend(t *testing.T) {
	suite.Run(t, &GLAuthAuthenticationBackendSuite{})
}
// LDAPImplementationSuite is the shared fixture for the per-implementation
// LDAP backend suites. Embedding suites own SetupTest; this type supplies the
// config under test, the validator that collects warnings and errors, and the
// helpers that compare the config against an implementation's defaults.
type LDAPImplementationSuite struct {
	suite.Suite

	// config is the authentication backend configuration passed to
	// ValidateAuthenticationBackend; only config.LDAP is inspected here.
	config schema.AuthenticationBackend
	// validator collects the warnings and errors raised during validation.
	validator *schema.StructValidator
}
// EqualImplementationDefaults asserts that every option carrying an
// implementation default matches expected, i.e. that validation filled in the
// defaults for a configuration that left them unset. TLS settings are not
// compared by this helper.
func (suite *LDAPImplementationSuite) EqualImplementationDefaults(expected schema.LDAPAuthenticationBackend) {
	actual := suite.config.LDAP

	checks := []struct {
		name      string
		want, got any
	}{
		{"Timeout", expected.Timeout, actual.Timeout},
		{"AdditionalUsersDN", expected.AdditionalUsersDN, actual.AdditionalUsersDN},
		{"AdditionalGroupsDN", expected.AdditionalGroupsDN, actual.AdditionalGroupsDN},
		{"UsersFilter", expected.UsersFilter, actual.UsersFilter},
		{"GroupsFilter", expected.GroupsFilter, actual.GroupsFilter},
		{"GroupSearchMode", expected.GroupSearchMode, actual.GroupSearchMode},
		{"Attributes.DistinguishedName", expected.Attributes.DistinguishedName, actual.Attributes.DistinguishedName},
		{"Attributes.Username", expected.Attributes.Username, actual.Attributes.Username},
		{"Attributes.DisplayName", expected.Attributes.DisplayName, actual.Attributes.DisplayName},
		{"Attributes.Mail", expected.Attributes.Mail, actual.Attributes.Mail},
		{"Attributes.MemberOf", expected.Attributes.MemberOf, actual.Attributes.MemberOf},
		{"Attributes.GroupName", expected.Attributes.GroupName, actual.Attributes.GroupName},
	}

	for _, c := range checks {
		// The field name is passed as the failure message so a mismatch
		// identifies the option without reading the stack trace.
		suite.Equal(c.want, c.got, c.name)
	}
}
// NotEqualImplementationDefaults asserts that no option carrying an
// implementation default was overwritten with that default, i.e. that
// validation left the operator's explicit values in place. Options whose
// default is the empty string for this implementation are skipped, because an
// empty default cannot be distinguished from "not set".
func (suite *LDAPImplementationSuite) NotEqualImplementationDefaults(expected schema.LDAPAuthenticationBackend) {
	actual := suite.config.LDAP

	checks := []struct {
		name      string
		want, got any
		// skip marks an optional default that this implementation does not define.
		skip bool
	}{
		{"Timeout", expected.Timeout, actual.Timeout, false},
		{"UsersFilter", expected.UsersFilter, actual.UsersFilter, false},
		{"GroupsFilter", expected.GroupsFilter, actual.GroupsFilter, false},
		{"GroupSearchMode", expected.GroupSearchMode, actual.GroupSearchMode, false},
		{"Attributes.Username", expected.Attributes.Username, actual.Attributes.Username, false},
		{"Attributes.DisplayName", expected.Attributes.DisplayName, actual.Attributes.DisplayName, false},
		{"Attributes.Mail", expected.Attributes.Mail, actual.Attributes.Mail, false},
		{"Attributes.GroupName", expected.Attributes.GroupName, actual.Attributes.GroupName, false},
		{"Attributes.DistinguishedName", expected.Attributes.DistinguishedName, actual.Attributes.DistinguishedName, expected.Attributes.DistinguishedName == ""},
		{"AdditionalUsersDN", expected.AdditionalUsersDN, actual.AdditionalUsersDN, expected.AdditionalUsersDN == ""},
		{"AdditionalGroupsDN", expected.AdditionalGroupsDN, actual.AdditionalGroupsDN, expected.AdditionalGroupsDN == ""},
		{"Attributes.MemberOf", expected.Attributes.MemberOf, actual.Attributes.MemberOf, expected.Attributes.MemberOf == ""},
	}

	for _, c := range checks {
		if c.skip {
			continue
		}

		suite.NotEqual(c.want, c.got, c.name)
	}
}