1533 lines
68 KiB
Go
1533 lines
68 KiB
Go
package validator
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net/url"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"github.com/stretchr/testify/suite"
|
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
)
|
|
|
|
func TestShouldRaiseErrorWhenBothBackendsProvided(t *testing.T) {
|
|
validator := schema.NewStructValidator()
|
|
backendConfig := schema.AuthenticationBackend{}
|
|
|
|
backendConfig.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
backendConfig.File = &schema.FileAuthenticationBackend{
|
|
Path: "/tmp",
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&backendConfig, validator)
|
|
|
|
require.Len(t, validator.Errors(), 7)
|
|
assert.EqualError(t, validator.Errors()[0], "authentication_backend: please ensure only one of the 'file' or 'ldap' backend is configured")
|
|
assert.EqualError(t, validator.Errors()[1], "authentication_backend: ldap: option 'address' is required")
|
|
assert.EqualError(t, validator.Errors()[2], "authentication_backend: ldap: option 'user' is required")
|
|
assert.EqualError(t, validator.Errors()[3], "authentication_backend: ldap: option 'password' is required")
|
|
assert.EqualError(t, validator.Errors()[4], "authentication_backend: ldap: option 'base_dn' is required")
|
|
assert.EqualError(t, validator.Errors()[5], "authentication_backend: ldap: option 'users_filter' is required")
|
|
assert.EqualError(t, validator.Errors()[6], "authentication_backend: ldap: option 'groups_filter' is required")
|
|
}
|
|
|
|
func TestShouldRaiseErrorWhenNoBackendProvided(t *testing.T) {
|
|
validator := schema.NewStructValidator()
|
|
backendConfig := schema.AuthenticationBackend{}
|
|
|
|
ValidateAuthenticationBackend(&backendConfig, validator)
|
|
|
|
require.Len(t, validator.Errors(), 1)
|
|
assert.EqualError(t, validator.Errors()[0], "authentication_backend: you must ensure either the 'file' or 'ldap' authentication backend is configured")
|
|
}
|
|
|
|
type FileBasedAuthenticationBackend struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) SetupTest() {
|
|
password := schema.DefaultPasswordConfig
|
|
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.File = &schema.FileAuthenticationBackend{Path: "/a/path", Password: password}
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldValidateCompleteConfiguration() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenNoPathProvided() {
|
|
suite.config.File.Path = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: option 'path' is required")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultConfigurationWhenBlank() {
|
|
suite.config.File.Password = schema.Password{}
|
|
|
|
suite.Equal(0, suite.config.File.Password.KeyLength)
|
|
suite.Equal(0, suite.config.File.Password.Iterations)
|
|
suite.Equal(0, suite.config.File.Password.SaltLength)
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.Equal(0, suite.config.File.Password.Memory)
|
|
suite.Equal(0, suite.config.File.Password.Parallelism)
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(schema.DefaultPasswordConfig.KeyLength, suite.config.File.Password.KeyLength)
|
|
suite.Equal(schema.DefaultPasswordConfig.Iterations, suite.config.File.Password.Iterations)
|
|
suite.Equal(schema.DefaultPasswordConfig.SaltLength, suite.config.File.Password.SaltLength)
|
|
suite.Equal(schema.DefaultPasswordConfig.Algorithm, suite.config.File.Password.Algorithm)
|
|
suite.Equal(schema.DefaultPasswordConfig.Memory, suite.config.File.Password.Memory)
|
|
suite.Equal(schema.DefaultPasswordConfig.Parallelism, suite.config.File.Password.Parallelism)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
|
|
suite.config.File.Password = schema.Password{
|
|
Algorithm: digestSHA512,
|
|
Iterations: 1000000,
|
|
SaltLength: 8,
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
|
|
suite.Equal(digestSHA512, suite.config.File.Password.SHA2Crypt.Variant)
|
|
suite.Equal(1000000, suite.config.File.Password.SHA2Crypt.Iterations)
|
|
suite.Equal(8, suite.config.File.Password.SHA2Crypt.SaltLength)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512ButNotOverride() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
|
|
suite.config.File.Password = schema.Password{
|
|
Algorithm: digestSHA512,
|
|
Iterations: 1000000,
|
|
SaltLength: 8,
|
|
SHA2Crypt: schema.SHA2CryptPassword{
|
|
Variant: digestSHA256,
|
|
Iterations: 50000,
|
|
SaltLength: 12,
|
|
},
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
|
|
suite.Equal(digestSHA256, suite.config.File.Password.SHA2Crypt.Variant)
|
|
suite.Equal(50000, suite.config.File.Password.SHA2Crypt.Iterations)
|
|
suite.Equal(12, suite.config.File.Password.SHA2Crypt.SaltLength)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationSHA512Alt() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
|
|
suite.config.File.Password = schema.Password{
|
|
Algorithm: digestSHA512,
|
|
Iterations: 1000000,
|
|
SaltLength: 64,
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
|
|
suite.Equal(digestSHA512, suite.config.File.Password.SHA2Crypt.Variant)
|
|
suite.Equal(1000000, suite.config.File.Password.SHA2Crypt.Iterations)
|
|
suite.Equal(16, suite.config.File.Password.SHA2Crypt.SaltLength)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationArgon2() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
|
|
suite.config.File.Password = schema.Password{
|
|
Algorithm: "argon2id",
|
|
Iterations: 4,
|
|
Memory: 1024,
|
|
Parallelism: 4,
|
|
KeyLength: 64,
|
|
SaltLength: 64,
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("argon2", suite.config.File.Password.Algorithm)
|
|
suite.Equal("argon2id", suite.config.File.Password.Argon2.Variant)
|
|
suite.Equal(4, suite.config.File.Password.Argon2.Iterations)
|
|
suite.Equal(1048576, suite.config.File.Password.Argon2.Memory)
|
|
suite.Equal(4, suite.config.File.Password.Argon2.Parallelism)
|
|
suite.Equal(64, suite.config.File.Password.Argon2.KeyLength)
|
|
suite.Equal(64, suite.config.File.Password.Argon2.SaltLength)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationArgon2ButNotOverride() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
|
|
suite.config.File.Password = schema.Password{
|
|
Algorithm: "argon2id",
|
|
Iterations: 4,
|
|
Memory: 1024,
|
|
Parallelism: 4,
|
|
KeyLength: 64,
|
|
SaltLength: 64,
|
|
Argon2: schema.Argon2Password{
|
|
Variant: "argon2d",
|
|
Iterations: 1,
|
|
Memory: 2048,
|
|
Parallelism: 1,
|
|
KeyLength: 32,
|
|
SaltLength: 32,
|
|
},
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("argon2", suite.config.File.Password.Algorithm)
|
|
suite.Equal("argon2d", suite.config.File.Password.Argon2.Variant)
|
|
suite.Equal(1, suite.config.File.Password.Argon2.Iterations)
|
|
suite.Equal(2048, suite.config.File.Password.Argon2.Memory)
|
|
suite.Equal(1, suite.config.File.Password.Argon2.Parallelism)
|
|
suite.Equal(32, suite.config.File.Password.Argon2.KeyLength)
|
|
suite.Equal(32, suite.config.File.Password.Argon2.SaltLength)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldMigrateLegacyConfigurationWhenOnlySHA512Set() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.config.File.Password.Algorithm = digestSHA512
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(hashSHA2Crypt, suite.config.File.Password.Algorithm)
|
|
suite.Equal(digestSHA512, suite.config.File.Password.SHA2Crypt.Variant)
|
|
suite.Equal(schema.DefaultPasswordConfig.SHA2Crypt.Iterations, suite.config.File.Password.SHA2Crypt.Iterations)
|
|
suite.Equal(schema.DefaultPasswordConfig.SHA2Crypt.SaltLength, suite.config.File.Password.SHA2Crypt.SaltLength)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidArgon2Variant() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.config.File.Password.Algorithm = "argon2"
|
|
suite.config.File.Password.Argon2.Variant = testInvalid
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'variant' must be one of 'argon2id', 'id', 'argon2i', 'i', 'argon2d', or 'd' but it's configured as 'invalid'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidSHA2CryptVariant() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.config.File.Password.Algorithm = hashSHA2Crypt
|
|
suite.config.File.Password.SHA2Crypt.Variant = testInvalid
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'variant' must be one of 'sha256' or 'sha512' but it's configured as 'invalid'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidSHA2CryptSaltLength() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.config.File.Password.Algorithm = hashSHA2Crypt
|
|
suite.config.File.Password.SHA2Crypt.SaltLength = 40
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '40' but must be less than or equal to '16'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidPBKDF2Variant() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.config.File.Password.Algorithm = "pbkdf2"
|
|
suite.config.File.Password.PBKDF2.Variant = testInvalid
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: pbkdf2: option 'variant' must be one of 'sha1', 'sha224', 'sha256', 'sha384', or 'sha512' but it's configured as 'invalid'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorOnInvalidBCryptVariant() {
|
|
suite.config.File.Password = schema.Password{}
|
|
suite.Equal("", suite.config.File.Password.Algorithm)
|
|
suite.config.File.Password.Algorithm = "bcrypt"
|
|
suite.config.File.Password.BCrypt.Variant = testInvalid
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: bcrypt: option 'variant' must be one of 'standard' or 'sha256' but it's configured as 'invalid'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSHA2CryptOptionsTooLow() {
|
|
suite.config.File.Password.SHA2Crypt.Iterations = -1
|
|
suite.config.File.Password.SHA2Crypt.SaltLength = -1
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 2)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'iterations' is configured as '-1' but must be greater than or equal to '1000'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSHA2CryptOptionsTooHigh() {
|
|
suite.config.File.Password.SHA2Crypt.Iterations = 999999999999
|
|
suite.config.File.Password.SHA2Crypt.SaltLength = 99
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 2)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: sha2crypt: option 'iterations' is configured as '999999999999' but must be less than or equal to '999999999'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: sha2crypt: option 'salt_length' is configured as '99' but must be less than or equal to '16'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenPBKDF2OptionsTooLow() {
|
|
suite.config.File.Password.PBKDF2.Iterations = -1
|
|
suite.config.File.Password.PBKDF2.SaltLength = -1
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 2)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: pbkdf2: option 'iterations' is configured as '-1' but must be greater than or equal to '100000'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: pbkdf2: option 'salt_length' is configured as '-1' but must be greater than or equal to '8'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenPBKDF2OptionsTooHigh() {
|
|
suite.config.File.Password.PBKDF2.Iterations = 2147483649
|
|
suite.config.File.Password.PBKDF2.SaltLength = 2147483650
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 2)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: pbkdf2: option 'iterations' is configured as '2147483649' but must be less than or equal to '2147483647'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: pbkdf2: option 'salt_length' is configured as '2147483650' but must be less than or equal to '2147483647'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBCryptOptionsTooLow() {
|
|
suite.config.File.Password.BCrypt.Cost = -1
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: bcrypt: option 'cost' is configured as '-1' but must be greater than or equal to '10'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBCryptOptionsTooHigh() {
|
|
suite.config.File.Password.BCrypt.Cost = 900
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: bcrypt: option 'cost' is configured as '900' but must be less than or equal to '31'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooLow() {
|
|
suite.config.File.Password.SCrypt.Iterations = -1
|
|
suite.config.File.Password.SCrypt.BlockSize = -21
|
|
suite.config.File.Password.SCrypt.Parallelism = -11
|
|
suite.config.File.Password.SCrypt.KeyLength = -77
|
|
suite.config.File.Password.SCrypt.SaltLength = 7
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 5)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: scrypt: option 'iterations' is configured as '-1' but must be greater than or equal to '1'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: scrypt: option 'block_size' is configured as '-21' but must be greater than or equal to '1'")
|
|
suite.EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: scrypt: option 'parallelism' is configured as '-11' but must be greater than or equal to '1'")
|
|
suite.EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: scrypt: option 'key_length' is configured as '-77' but must be greater than or equal to '1'")
|
|
suite.EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: scrypt: option 'salt_length' is configured as '7' but must be greater than or equal to '8'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooHigh() {
|
|
suite.config.File.Password.SCrypt.Iterations = 59
|
|
suite.config.File.Password.SCrypt.BlockSize = 360287970189639672
|
|
suite.config.File.Password.SCrypt.Parallelism = 1073741825
|
|
suite.config.File.Password.SCrypt.KeyLength = 1374389534409
|
|
suite.config.File.Password.SCrypt.SaltLength = 2147483647
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 5)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: scrypt: option 'iterations' is configured as '59' but must be less than or equal to '58'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: scrypt: option 'block_size' is configured as '360287970189639672' but must be less than or equal to '36028797018963967'")
|
|
suite.EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: scrypt: option 'parallelism' is configured as '1073741825' but must be less than or equal to '1073741823'")
|
|
suite.EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: scrypt: option 'key_length' is configured as '1374389534409' but must be less than or equal to '137438953440'")
|
|
suite.EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: scrypt: option 'salt_length' is configured as '2147483647' but must be less than or equal to '1024'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooLow() {
|
|
suite.config.File.Password.Argon2.Iterations = -1
|
|
suite.config.File.Password.Argon2.Memory = -1
|
|
suite.config.File.Password.Argon2.Parallelism = -1
|
|
suite.config.File.Password.Argon2.KeyLength = 1
|
|
suite.config.File.Password.Argon2.SaltLength = -1
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 5)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'iterations' is configured as '-1' but must be greater than or equal to '1'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: argon2: option 'parallelism' is configured as '-1' but must be greater than or equal to '1'")
|
|
suite.EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: argon2: option 'memory' is configured as '-1' but must be greater than or equal to '8'")
|
|
suite.EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: argon2: option 'key_length' is configured as '1' but must be greater than or equal to '4'")
|
|
suite.EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: argon2: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooHigh() {
|
|
suite.config.File.Password.Argon2.Iterations = 9999999999
|
|
suite.config.File.Password.Argon2.Memory = 4294967296
|
|
suite.config.File.Password.Argon2.Parallelism = 16777216
|
|
suite.config.File.Password.Argon2.KeyLength = 9999999998
|
|
suite.config.File.Password.Argon2.SaltLength = 9999999997
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 5)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'iterations' is configured as '9999999999' but must be less than or equal to '2147483647'")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: argon2: option 'parallelism' is configured as '16777216' but must be less than or equal to '16777215'")
|
|
suite.EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: argon2: option 'memory' is configured as '4294967296' but must be less than or equal to '4294967295'")
|
|
suite.EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: argon2: option 'key_length' is configured as '9999999998' but must be less than or equal to '2147483647'")
|
|
suite.EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: argon2: option 'salt_length' is configured as '9999999997' but must be less than or equal to '2147483647'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2MemoryTooLow() {
|
|
suite.config.File.Password.Argon2.Memory = 4
|
|
suite.config.File.Password.Argon2.Parallelism = 4
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '4' but must be greater than or equal to '8'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2MemoryTooLowMultiplier() {
|
|
suite.config.File.Password.Argon2.Memory = 8
|
|
suite.config.File.Password.Argon2.Parallelism = 4
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '8' but must be greater than or equal to '32' or '4' (the value of 'parallelism) multiplied by '8'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBadAlgorithmDefined() {
|
|
suite.config.File.Password.Algorithm = "bogus"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: option 'algorithm' must be one of 'sha2crypt', 'pbkdf2', 'scrypt', 'bcrypt', or 'argon2' but it's configured as 'bogus'")
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldSetDefaultValues() {
|
|
suite.config.File.Password.Algorithm = ""
|
|
suite.config.File.Password.Iterations = 0
|
|
suite.config.File.Password.SaltLength = 0
|
|
suite.config.File.Password.Memory = 0
|
|
suite.config.File.Password.Parallelism = 0
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(schema.DefaultPasswordConfig.Algorithm, suite.config.File.Password.Algorithm)
|
|
suite.Equal(schema.DefaultPasswordConfig.Iterations, suite.config.File.Password.Iterations)
|
|
suite.Equal(schema.DefaultPasswordConfig.SaltLength, suite.config.File.Password.SaltLength)
|
|
suite.Equal(schema.DefaultPasswordConfig.Memory, suite.config.File.Password.Memory)
|
|
suite.Equal(schema.DefaultPasswordConfig.Parallelism, suite.config.File.Password.Parallelism)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenResetURLIsInvalid() {
|
|
suite.config.PasswordReset.CustomURL = url.URL{Scheme: "ldap", Host: "google.com"}
|
|
suite.config.PasswordReset.Disable = true
|
|
|
|
suite.True(suite.config.PasswordReset.Disable)
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: password_reset: option 'custom_url' is configured to 'ldap://google.com' which has the scheme 'ldap' but the scheme must be either 'http' or 'https'")
|
|
|
|
suite.True(suite.config.PasswordReset.Disable)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldNotRaiseErrorWhenResetURLIsValid() {
|
|
suite.config.PasswordReset.CustomURL = url.URL{Scheme: "https", Host: "google.com"}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *FileBasedAuthenticationBackend) TestShouldConfigureDisableResetPasswordWhenCustomURL() {
|
|
suite.config.PasswordReset.CustomURL = url.URL{Scheme: "https", Host: "google.com"}
|
|
suite.config.PasswordReset.Disable = true
|
|
|
|
suite.True(suite.config.PasswordReset.Disable)
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.False(suite.config.PasswordReset.Disable)
|
|
}
|
|
|
|
func TestFileBasedAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(FileBasedAuthenticationBackend))
|
|
}
|
|
|
|
type LDAPAuthenticationBackendSuite struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) SetupTest() {
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
suite.config.LDAP.Implementation = schema.LDAPImplementationCustom
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: *testLDAPAddress}
|
|
suite.config.LDAP.User = testLDAPUser
|
|
suite.config.LDAP.Password = testLDAPPassword
|
|
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
|
suite.config.LDAP.Attributes.Username = "uid"
|
|
suite.config.LDAP.UsersFilter = "({username_attribute}={input})"
|
|
suite.config.LDAP.GroupsFilter = "(cn={input})"
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementationAndUsernameAttribute() {
|
|
suite.config.LDAP.Implementation = ""
|
|
suite.config.LDAP.Attributes.Username = ""
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)
|
|
|
|
suite.Equal(suite.config.LDAP.Attributes.Username, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Attributes.Username)
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenImplementationIsInvalidMSAD() {
|
|
suite.config.LDAP.Implementation = "masd"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'implementation' must be one of 'custom', 'activedirectory', 'rfc2307bis', 'freeipa', 'lldap', or 'glauth' but it's configured as 'masd'")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenURLNotProvided() {
|
|
suite.config.LDAP.Address = nil
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'address' is required")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenUserNotProvided() {
|
|
suite.config.LDAP.User = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'user' is required")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenPasswordNotProvided() {
|
|
suite.config.LDAP.Password = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'password' is required")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseErrorWhenPasswordNotProvidedWithPermitUnauthenticatedBind() {
|
|
suite.config.LDAP.Password = ""
|
|
suite.config.LDAP.PermitUnauthenticatedBind = true
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when password reset is enabled")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenPasswordProvidedWithPermitUnauthenticatedBind() {
|
|
suite.config.LDAP.Password = "test"
|
|
suite.config.LDAP.PermitUnauthenticatedBind = true
|
|
suite.config.PasswordReset.Disable = true
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when a password is specified")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultPorts() {
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: MustParseAddress("ldap://abc")}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("ldap://abc:389", suite.config.LDAP.Address.String())
|
|
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: MustParseAddress("ldaps://abc")}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("ldaps://abc:636", suite.config.LDAP.Address.String())
|
|
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: MustParseAddress("ldapi:///a/path")}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("ldapi:///a/path", suite.config.LDAP.Address.String())
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseErrorWhenPermitUnauthenticatedBindConfiguredCorrectly() {
|
|
suite.config.LDAP.Password = ""
|
|
suite.config.LDAP.PermitUnauthenticatedBind = true
|
|
suite.config.PasswordReset.Disable = true
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorWhenBaseDNNotProvided() {
|
|
suite.config.LDAP.BaseDN = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'base_dn' is required")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnEmptyGroupsFilter() {
|
|
suite.config.LDAP.GroupsFilter = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'groups_filter' is required")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsersFilter() {
|
|
suite.config.LDAP.UsersFilter = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'users_filter' is required")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseOnEmptyUsernameAttribute() {
|
|
suite.config.LDAP.Attributes.Username = ""
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnBadRefreshInterval() {
|
|
suite.config.RefreshInterval = "blah"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: option 'refresh_interval' is configured to 'blah' but it must be either in duration common syntax or one of 'disable', or 'always': could not parse 'blah' as a duration")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultImplementation() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseErrorOnBadFilterPlaceholders() {
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={0})(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
|
|
suite.config.LDAP.GroupsFilter = "(&({username_attribute}={1})(member={0})(objectClass=group)(objectCategory=group))"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.True(suite.validator.HasErrors())
|
|
|
|
suite.Require().Len(suite.validator.Errors(), 4)
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'users_filter' has an invalid placeholder: '{0}' has been removed, please use '{input}' instead")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: ldap: option 'groups_filter' has an invalid placeholder: '{0}' has been removed, please use '{input}' instead")
|
|
suite.EqualError(suite.validator.Errors()[2], "authentication_backend: ldap: option 'groups_filter' has an invalid placeholder: '{1}' has been removed, please use '{username}' instead")
|
|
suite.EqualError(suite.validator.Errors()[3], "authentication_backend: ldap: option 'users_filter' must contain the placeholder '{input}' but it's absent")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("cn", suite.config.LDAP.Attributes.GroupName)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("mail", suite.config.LDAP.Attributes.Mail)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttribute() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("displayName", suite.config.LDAP.Attributes.DisplayName)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultRefreshInterval() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal("5m", suite.config.RefreshInterval)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
|
|
suite.config.LDAP.UsersFilter = "{username_attribute}={input}"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'users_filter' must contain enclosing parenthesis: '{username_attribute}={input}' should probably be '({username_attribute}={input})'")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
|
|
suite.config.LDAP.GroupsFilter = "cn={input}"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'groups_filter' must contain enclosing parenthesis: 'cn={input}' should probably be '(cn={input})'")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainUsernameAttribute() {
|
|
suite.config.LDAP.UsersFilter = "(&({mail_attribute}={input})(objectClass=person))"
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'users_filter' must contain the placeholder '{username_attribute}' but it's absent")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldHelpDetectNoInputPlaceholder() {
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={mail_attribute})(objectClass=person))"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'users_filter' must contain the placeholder '{input}' but it's absent")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultTLSMinimumVersion() {
|
|
suite.config.LDAP.TLS = &schema.TLSConfig{MinimumVersion: schema.TLSVersion{}}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS.MinimumVersion.Value, suite.config.LDAP.TLS.MinimumVersion.MinVersion())
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowSSL30() {
|
|
suite.config.LDAP.TLS = &schema.TLSConfig{
|
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionSSL30}, //nolint:staticcheck
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnBadSearchMode() {
|
|
suite.config.LDAP.GroupSearchMode = "memberOF"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'group_search_mode' must be one of 'filter' or 'memberof' but it's configured as 'memberOF'")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldNoErrorOnPlaceholderSearchMode() {
|
|
suite.config.LDAP.GroupSearchMode = memberof
|
|
suite.config.LDAP.GroupsFilter = filterMemberOfRDN
|
|
suite.config.LDAP.Attributes.MemberOf = memberOf
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingPlaceholderSearchMode() {
|
|
suite.config.LDAP.GroupSearchMode = memberof
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'groups_filter' must contain one of the '{memberof:rdn}' or '{memberof:dn}' placeholders when using a group_search_mode of 'memberof' but they're absent")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingDistinguishedNameDN() {
|
|
suite.config.LDAP.Attributes.DistinguishedName = ""
|
|
suite.config.LDAP.GroupsFilter = "(|({memberof:dn}))"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 2)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: attributes: option 'distinguished_name' must be provided when using the '{memberof:dn}' placeholder but it's absent")
|
|
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingMemberOfRDN() {
|
|
suite.config.LDAP.Attributes.DistinguishedName = ""
|
|
suite.config.LDAP.GroupsFilter = filterMemberOfRDN
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
|
|
}
|
|
|
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowTLSVerMinGreaterThanVerMax() {
|
|
suite.config.LDAP.TLS = &schema.TLSConfig{
|
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
|
|
MaximumVersion: schema.TLSVersion{Value: tls.VersionTLS12},
|
|
}
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: tls: option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version TLS1.3 is greater than the maximum version TLS1.2")
|
|
}
|
|
|
|
func TestLDAPAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(LDAPAuthenticationBackendSuite))
|
|
}
|
|
|
|
type ActiveDirectoryAuthenticationBackendSuite struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *ActiveDirectoryAuthenticationBackendSuite) SetupTest() {
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
suite.config.LDAP.Implementation = schema.LDAPImplementationActiveDirectory
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: *testLDAPAddress}
|
|
suite.config.LDAP.User = testLDAPUser
|
|
suite.config.LDAP.Password = testLDAPPassword
|
|
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
|
suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.TLS
|
|
}
|
|
|
|
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirectoryDefaults() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal(memberOf, suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("distinguishedName", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
|
suite.config.LDAP.Timeout = time.Second * 2
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
|
|
suite.config.LDAP.Attributes.Username = "cn"
|
|
suite.config.LDAP.Attributes.Mail = "userPrincipalName"
|
|
suite.config.LDAP.Attributes.DisplayName = "name"
|
|
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=group)(objectCategory=group))"
|
|
suite.config.LDAP.Attributes.GroupName = "distinguishedName"
|
|
suite.config.LDAP.AdditionalUsersDN = "OU=test"
|
|
suite.config.LDAP.AdditionalGroupsDN = "OU=grps"
|
|
suite.config.LDAP.Attributes.MemberOf = member
|
|
suite.config.LDAP.GroupSearchMode = memberof
|
|
suite.config.LDAP.Attributes.DistinguishedName = "objectGUID"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("objectGUID", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(memberof, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldRaiseErrorOnInvalidURLWithHTTP() {
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: MustParseAddress("http://dc1:389")}
|
|
|
|
validateLDAPAuthenticationAddress(suite.config.LDAP, suite.validator)
|
|
|
|
suite.Require().Len(suite.validator.Errors(), 1)
|
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'address' with value 'http://dc1:389' is invalid: scheme must be one of 'ldap', 'ldaps', or 'ldapi' but is configured as 'http'")
|
|
}
|
|
|
|
func TestActiveDirectoryAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(ActiveDirectoryAuthenticationBackendSuite))
|
|
}
|
|
|
|
type RFC2307bisAuthenticationBackendSuite struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *RFC2307bisAuthenticationBackendSuite) SetupTest() {
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
suite.config.LDAP.Implementation = schema.LDAPImplementationRFC2307bis
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: *testLDAPAddress}
|
|
suite.config.LDAP.User = testLDAPUser
|
|
suite.config.LDAP.Password = testLDAPPassword
|
|
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
|
suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.TLS
|
|
}
|
|
|
|
func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal(memberOf, suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
|
suite.config.LDAP.Timeout = time.Second * 2
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person))"
|
|
suite.config.LDAP.Attributes.Username = "o"
|
|
suite.config.LDAP.Attributes.Mail = "Email"
|
|
suite.config.LDAP.Attributes.DisplayName = "Given"
|
|
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixGroup)(objectClass=top))"
|
|
suite.config.LDAP.Attributes.GroupName = "gid"
|
|
suite.config.LDAP.Attributes.MemberOf = member
|
|
suite.config.LDAP.AdditionalUsersDN = "OU=users,OU=OpenLDAP"
|
|
suite.config.LDAP.AdditionalGroupsDN = "OU=groups,OU=OpenLDAP"
|
|
suite.config.LDAP.GroupSearchMode = memberof
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(memberof, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func TestRFC2307bisAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(RFC2307bisAuthenticationBackendSuite))
|
|
}
|
|
|
|
type FreeIPAAuthenticationBackendSuite struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *FreeIPAAuthenticationBackendSuite) SetupTest() {
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
suite.config.LDAP.Implementation = schema.LDAPImplementationFreeIPA
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: *testLDAPAddress}
|
|
suite.config.LDAP.User = testLDAPUser
|
|
suite.config.LDAP.Password = testLDAPPassword
|
|
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
|
suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.TLS
|
|
}
|
|
|
|
func (suite *FreeIPAAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal(memberOf, suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func (suite *FreeIPAAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
|
suite.config.LDAP.Timeout = time.Second * 2
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=person)(!(nsAccountLock=TRUE)))"
|
|
suite.config.LDAP.Attributes.Username = "dn"
|
|
suite.config.LDAP.Attributes.Mail = "email"
|
|
suite.config.LDAP.Attributes.DisplayName = "gecos"
|
|
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixgroup))"
|
|
suite.config.LDAP.Attributes.GroupName = "groupName"
|
|
suite.config.LDAP.Attributes.MemberOf = member
|
|
suite.config.LDAP.AdditionalUsersDN = "OU=people"
|
|
suite.config.LDAP.AdditionalGroupsDN = "OU=grp"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func TestFreeIPAAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(FreeIPAAuthenticationBackendSuite))
|
|
}
|
|
|
|
type LLDAPAuthenticationBackendSuite struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *LLDAPAuthenticationBackendSuite) SetupTest() {
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
suite.config.LDAP.Implementation = schema.LDAPImplementationLLDAP
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: *testLDAPAddress}
|
|
suite.config.LDAP.User = testLDAPUser
|
|
suite.config.LDAP.Password = testLDAPPassword
|
|
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
|
suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.TLS
|
|
}
|
|
|
|
func (suite *LLDAPAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal("", suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func (suite *LLDAPAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
|
suite.config.LDAP.Timeout = time.Second * 2
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(nsAccountLock=TRUE)))"
|
|
suite.config.LDAP.Attributes.Username = "username"
|
|
suite.config.LDAP.Attributes.Mail = "m"
|
|
suite.config.LDAP.Attributes.DisplayName = "fn"
|
|
suite.config.LDAP.GroupsFilter = "(&(member={dn})(!(objectClass=posixGroup)))"
|
|
suite.config.LDAP.Attributes.GroupName = "grpz"
|
|
suite.config.LDAP.AdditionalUsersDN = "OU=no"
|
|
suite.config.LDAP.AdditionalGroupsDN = "OU=yes"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal("", suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func TestLLDAPAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(LLDAPAuthenticationBackendSuite))
|
|
}
|
|
|
|
type GLAuthAuthenticationBackendSuite struct {
|
|
suite.Suite
|
|
config schema.AuthenticationBackend
|
|
validator *schema.StructValidator
|
|
}
|
|
|
|
func (suite *GLAuthAuthenticationBackendSuite) SetupTest() {
|
|
suite.validator = schema.NewStructValidator()
|
|
suite.config = schema.AuthenticationBackend{}
|
|
suite.config.LDAP = &schema.LDAPAuthenticationBackend{}
|
|
suite.config.LDAP.Implementation = schema.LDAPImplementationGLAuth
|
|
suite.config.LDAP.Address = &schema.AddressLDAP{Address: *testLDAPAddress}
|
|
suite.config.LDAP.User = testLDAPUser
|
|
suite.config.LDAP.Password = testLDAPPassword
|
|
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
|
suite.config.LDAP.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.TLS
|
|
}
|
|
|
|
func (suite *GLAuthAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.Len(suite.validator.Warnings(), 0)
|
|
suite.Len(suite.validator.Errors(), 0)
|
|
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.Equal(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal("", suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func (suite *GLAuthAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
|
suite.config.LDAP.Timeout = time.Second * 2
|
|
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(accountStatus=inactive)))"
|
|
suite.config.LDAP.Attributes.Username = "description"
|
|
suite.config.LDAP.Attributes.Mail = "sender"
|
|
suite.config.LDAP.Attributes.DisplayName = "given"
|
|
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixGroup))"
|
|
suite.config.LDAP.Attributes.GroupName = "grp"
|
|
suite.config.LDAP.AdditionalUsersDN = "OU=users,OU=GlAuth"
|
|
suite.config.LDAP.AdditionalGroupsDN = "OU=groups,OU=GLAuth"
|
|
|
|
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
|
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalUsersDN,
|
|
suite.config.LDAP.AdditionalUsersDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalGroupsDN,
|
|
suite.config.LDAP.AdditionalGroupsDN)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
|
|
suite.config.LDAP.Timeout)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsersFilter,
|
|
suite.config.LDAP.UsersFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.Username,
|
|
suite.config.LDAP.Attributes.Username)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.DisplayName,
|
|
suite.config.LDAP.Attributes.DisplayName)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.Mail,
|
|
suite.config.LDAP.Attributes.Mail)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupsFilter,
|
|
suite.config.LDAP.GroupsFilter)
|
|
suite.NotEqual(
|
|
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Attributes.GroupName,
|
|
suite.config.LDAP.Attributes.GroupName)
|
|
|
|
suite.Equal("", suite.config.LDAP.Attributes.MemberOf)
|
|
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
|
suite.Equal(schema.LDAPGroupSearchModeFilter, suite.config.LDAP.GroupSearchMode)
|
|
}
|
|
|
|
func TestGLAuthAuthenticationBackend(t *testing.T) {
|
|
suite.Run(t, new(GLAuthAuthenticationBackendSuite))
|
|
}
|