documize/domain/auth/ldap/public_test.go

// Copyright 2016 Documize IntestConfigPublicLDAP. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com

package ldap

import (
	"fmt"
	"strings"
	"testing"

	lm "github.com/documize/community/model/auth"
	ld "gopkg.in/ldap.v2"
)

// Works against https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

var testConfigPublicLDAP = lm.LDAPConfig{
	ServerType:               lm.ServerTypeLDAP,
	ServerHost:               "ldap.forumsys.com",
	ServerPort:               389,
	EncryptionType:           "none",
	BaseDN:                   "dc=example,dc=com",
	BindDN:                   "cn=read-only-admin,dc=example,dc=com",
	BindPassword:             "password",
	UserFilter:               "",
	GroupFilter:              "",
	AttributeUserRDN:         "uid",
	AttributeUserFirstname:   "givenName",
	AttributeUserLastname:    "sn",
	AttributeUserEmail:       "mail",
	AttributeUserDisplayName: "",
	AttributeUserGroupName:   "",
	AttributeGroupMember:     "uniqueMember",
}

func TestPublicLDAPServer_UserList(t *testing.T) {
	testConfigPublicLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
	testConfigPublicLDAP.GroupFilter = ""
	userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()

	l, err := Connect(testConfigPublicLDAP)
	if err != nil {
		t.Error("Error: unable to dial LDAP server: ", err.Error())
		return
	}
	defer l.Close()

	// Authenticate with LDAP server using admin credentials.
	t.Log("Binding LDAP admin user")
	err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)
	if err != nil {
		t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
		return
	}

	searchRequest := ld.NewSearchRequest(
		testConfigPublicLDAP.BaseDN,
		ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
		testConfigPublicLDAP.UserFilter,
		userAttrs,
		nil,
	)

	sr, err := l.Search(searchRequest)
	if err != nil {
		t.Error("Error: unable to execute directory search: ", err.Error())
		return
	}

	t.Logf("LDAP search entries found: %d", len(sr.Entries))
	if len(sr.Entries) == 0 {
		t.Error("Received ZERO LDAP search entries")
		return
	}

	for _, entry := range sr.Entries {
		t.Logf("[%s] %s (%s %s) @ %s\n",
			entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserRDN),
			entry.GetAttributeValue("cn"),
			entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserFirstname),
			entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserLastname),
			entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserEmail))
	}
}

func TestPublicLDAPServer_Groups(t *testing.T) {
	testConfigPublicLDAP.UserFilter = ""
	testConfigPublicLDAP.GroupFilter = "(|(ou=mathematicians)(ou=chemists))"
	groupAttrs := testConfigPublicLDAP.GetGroupFilterAttributes()
	userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()

	l, err := Connect(testConfigPublicLDAP)
	if err != nil {
		t.Error("Error: unable to dial LDAP server: ", err.Error())
		return
	}
	defer l.Close()

	// Authenticate with LDAP server using admin credentials.
	t.Log("Binding LDAP admin user")
	err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)
	if err != nil {
		t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
		return
	}

	searchRequest := ld.NewSearchRequest(
		testConfigPublicLDAP.BaseDN,
		ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
		testConfigPublicLDAP.GroupFilter,
		groupAttrs,
		nil,
	)

	t.Log("LDAP search filter:", testConfigPublicLDAP.GroupFilter)
	sr, err := l.Search(searchRequest)
	if err != nil {
		t.Error("Error: unable to execute directory search: ", err.Error())
		return
	}

	t.Logf("LDAP search entries found: %d", len(sr.Entries))
	if len(sr.Entries) == 0 {
		t.Error("Received ZERO LDAP search entries")
		return
	}

	// Get list of group members per group found.
	for _, group := range sr.Entries {
		t.Log("Found group", group.DN)

		rawMembers := group.GetAttributeValues(testConfigPublicLDAP.AttributeGroupMember)
		if len(rawMembers) == 0 {
			t.Log("Error: group member attribute returned no users")
			continue
		}

		t.Logf("LDAP group contains %d members", len(rawMembers))

		for _, entry := range rawMembers {
			// get CN element from DN
			parts := strings.Split(entry, ",")
			if len(parts) == 0 {
				continue
			}
			filter := fmt.Sprintf("(%s)", parts[0])

			usr := ld.NewSearchRequest(
				testConfigPublicLDAP.BaseDN,
				ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
				filter,
				userAttrs,
				nil,
			)
			ue, err := l.Search(usr)
			if err != nil {
				t.Log("Error: unable to execute directory search for group member: ", err.Error())
				continue
			}

			if len(ue.Entries) > 0 {
				for _, ur := range ue.Entries {
					t.Logf("[%s] %s (%s %s) @ %s\n",
						ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserRDN),
						ur.GetAttributeValue("cn"),
						ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserFirstname),
						ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserLastname),
						ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserEmail))
				}
			} else {
				t.Log("group member search failed:", filter)
			}
		}
	}
}

func TestPublicLDAP_Authenticate(t *testing.T) {
	testConfigPublicLDAP.UserFilter = ""
	testConfigPublicLDAP.GroupFilter = ""
	userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()

	l, err := Connect(testConfigPublicLDAP)
	if err != nil {
		t.Error("Error: unable to dial LDAP server: ", err.Error())
		return
	}
	defer l.Close()

	// Authenticate with LDAP server using admin credentials.
	t.Log("Binding LDAP admin user")
	err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)
	if err != nil {
		t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
		return
	}

	username := "newton"
	password := "password"
	filter := fmt.Sprintf("(%s=%s)", testConfigPublicLDAP.AttributeUserRDN, username)

	searchRequest := ld.NewSearchRequest(
		testConfigPublicLDAP.BaseDN,
		ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
		filter,
		userAttrs,
		nil,
	)

	t.Log("LDAP search filter:", filter)
	sr, err := l.Search(searchRequest)
	if err != nil {
		t.Error("Error: unable to execute directory search: ", err.Error())
		return
	}

	if len(sr.Entries) == 0 {
		t.Error("Error: user not found")
		return
	}
	if len(sr.Entries) != 1 {
		t.Error("Error: too many users found during authentication")
		return
	}

	userdn := sr.Entries[0].DN

	// Bind as the user to verify their password
	err = l.Bind(userdn, password)
	if err != nil {
		t.Error("Error: invalid credentials", err.Error())
		return
	}

	t.Log("Authenticated", username)
}
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`// Copyright 2016 Documize IntestConfigPublicLDAP. <legal@documize.com>. All rights reserved.`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`//`
			`// This software (Documize Community Edition) is licensed under`
			`// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html`
			`//`
			`// You can operate outside the AGPL restrictions by purchasing`
			`// Documize Enterprise Edition and obtaining a commercial license`
			`// by contacting <sales@documize.com>.`
			`//`
			`// https://documize.com`

			`package ldap`

			`import (`
			`"fmt"`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`"strings"`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`"testing"`

			`lm "github.com/documize/community/model/auth"`
			`ld "gopkg.in/ldap.v2"`
			`)`

Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`// Works against https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/`

Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`var testConfigPublicLDAP = lm.LDAPConfig{`
			`ServerType: lm.ServerTypeLDAP,`
			`ServerHost: "ldap.forumsys.com",`
			`ServerPort: 389,`
			`EncryptionType: "none",`
			`BaseDN: "dc=example,dc=com",`
			`BindDN: "cn=read-only-admin,dc=example,dc=com",`
			`BindPassword: "password",`
			`UserFilter: "",`
			`GroupFilter: "",`
			`AttributeUserRDN: "uid",`
			`AttributeUserFirstname: "givenName",`
			`AttributeUserLastname: "sn",`
			`AttributeUserEmail: "mail",`
			`AttributeUserDisplayName: "",`
			`AttributeUserGroupName: "",`
			`AttributeGroupMember: "uniqueMember",`
			`}`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`func TestPublicLDAPServer_UserList(t *testing.T) {`
			`testConfigPublicLDAP.UserFilter = "(\|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"`
			`testConfigPublicLDAP.GroupFilter = ""`
			`userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`l, err := Connect(testConfigPublicLDAP)`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`if err != nil {`
			`t.Error("Error: unable to dial LDAP server: ", err.Error())`
			`return`
			`}`
			`defer l.Close()`

			`// Authenticate with LDAP server using admin credentials.`
			`t.Log("Binding LDAP admin user")`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`if err != nil {`
			`t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())`
			`return`
			`}`

			`searchRequest := ld.NewSearchRequest(`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.BaseDN,`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.UserFilter,`
			`userAttrs,`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`nil,`
			`)`

			`sr, err := l.Search(searchRequest)`
			`if err != nil {`
			`t.Error("Error: unable to execute directory search: ", err.Error())`
			`return`
			`}`

LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`t.Logf("LDAP search entries found: %d", len(sr.Entries))`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`if len(sr.Entries) == 0 {`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`t.Error("Received ZERO LDAP search entries")`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`return`
			`}`

			`for _, entry := range sr.Entries {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`t.Logf("[%s] %s (%s %s) @ %s\n",`
			`entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserRDN),`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`entry.GetAttributeValue("cn"),`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserFirstname),`
			`entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserLastname),`
			`entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserEmail))`
[WIP] Basic LDAP connectivity 2018-08-28 10:19:22 +01:00			`}`
			`}`

LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`func TestPublicLDAPServer_Groups(t *testing.T) {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.UserFilter = ""`
			`testConfigPublicLDAP.GroupFilter = "(\|(ou=mathematicians)(ou=chemists))"`
			`groupAttrs := testConfigPublicLDAP.GetGroupFilterAttributes()`
			`userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()`

			`l, err := Connect(testConfigPublicLDAP)`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`if err != nil {`
			`t.Error("Error: unable to dial LDAP server: ", err.Error())`
			`return`
			`}`
			`defer l.Close()`

			`// Authenticate with LDAP server using admin credentials.`
			`t.Log("Binding LDAP admin user")`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`if err != nil {`
			`t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())`
			`return`
			`}`

			`searchRequest := ld.NewSearchRequest(`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.BaseDN,`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.GroupFilter,`
			`groupAttrs,`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`nil,`
			`)`

Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`t.Log("LDAP search filter:", testConfigPublicLDAP.GroupFilter)`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`sr, err := l.Search(searchRequest)`
			`if err != nil {`
			`t.Error("Error: unable to execute directory search: ", err.Error())`
			`return`
			`}`

			`t.Logf("LDAP search entries found: %d", len(sr.Entries))`
			`if len(sr.Entries) == 0 {`
			`t.Error("Received ZERO LDAP search entries")`
			`return`
			`}`

Process mulitple groups in LDAP/AD group filter 2018-08-30 11:37:05 +01:00			`// Get list of group members per group found.`
			`for _, group := range sr.Entries {`
			`t.Log("Found group", group.DN)`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`rawMembers := group.GetAttributeValues(testConfigPublicLDAP.AttributeGroupMember)`
Process mulitple groups in LDAP/AD group filter 2018-08-30 11:37:05 +01:00			`if len(rawMembers) == 0 {`
			`t.Log("Error: group member attribute returned no users")`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`continue`
			`}`

Process mulitple groups in LDAP/AD group filter 2018-08-30 11:37:05 +01:00			`t.Logf("LDAP group contains %d members", len(rawMembers))`

			`for _, entry := range rawMembers {`
			`// get CN element from DN`
			`parts := strings.Split(entry, ",")`
			`if len(parts) == 0 {`
			`continue`
			`}`
			`filter := fmt.Sprintf("(%s)", parts[0])`

			`usr := ld.NewSearchRequest(`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.BaseDN,`
Process mulitple groups in LDAP/AD group filter 2018-08-30 11:37:05 +01:00			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
			`filter,`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`userAttrs,`
Process mulitple groups in LDAP/AD group filter 2018-08-30 11:37:05 +01:00			`nil,`
			`)`
			`ue, err := l.Search(usr)`
			`if err != nil {`
			`t.Log("Error: unable to execute directory search for group member: ", err.Error())`
			`continue`
			`}`

			`if len(ue.Entries) > 0 {`
			`for _, ur := range ue.Entries {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`t.Logf("[%s] %s (%s %s) @ %s\n",`
			`ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserRDN),`
			`ur.GetAttributeValue("cn"),`
			`ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserFirstname),`
			`ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserLastname),`
			`ur.GetAttributeValue(testConfigPublicLDAP.AttributeUserEmail))`
Process mulitple groups in LDAP/AD group filter 2018-08-30 11:37:05 +01:00			`}`
			`} else {`
			`t.Log("group member search failed:", filter)`
LDAP group fetching and AD connectivity 2018-08-29 16:20:37 +01:00			`}`
			`}`
			`}`
			`}`

Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`func TestPublicLDAP_Authenticate(t *testing.T) {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.UserFilter = ""`
			`testConfigPublicLDAP.GroupFilter = ""`
			`userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()`

			`l, err := Connect(testConfigPublicLDAP)`
Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`if err != nil {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`t.Error("Error: unable to dial LDAP server: ", err.Error())`
Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`return`
			`}`
			`defer l.Close()`

			`// Authenticate with LDAP server using admin credentials.`
			`t.Log("Binding LDAP admin user")`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)`
Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`if err != nil {`
			`t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())`
			`return`
			`}`

			`username := "newton"`
			`password := "password"`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`filter := fmt.Sprintf("(%s=%s)", testConfigPublicLDAP.AttributeUserRDN, username)`
Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00
			`searchRequest := ld.NewSearchRequest(`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`testConfigPublicLDAP.BaseDN,`
Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
			`filter,`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`userAttrs,`
Authentication tests against LDAP and AD 2018-08-29 16:58:54 +01:00			`nil,`
			`)`

			`t.Log("LDAP search filter:", filter)`
			`sr, err := l.Search(searchRequest)`
			`if err != nil {`
			`t.Error("Error: unable to execute directory search: ", err.Error())`
			`return`
			`}`

			`if len(sr.Entries) == 0 {`
			`t.Error("Error: user not found")`
			`return`
			`}`
			`if len(sr.Entries) != 1 {`
			`t.Error("Error: too many users found during authentication")`
			`return`
			`}`

			`userdn := sr.Entries[0].DN`

			`// Bind as the user to verify their password`
			`err = l.Bind(userdn, password)`
			`if err != nil {`
			`t.Error("Error: invalid credentials", err.Error())`
			`return`
			`}`

			`t.Log("Authenticated", username)`
			`}`