mirror of
https://github.com/documize/community.git
synced 2025-07-19 13:19:43 +02:00
Refactor LDAP code into discrete functions
This commit is contained in:
sauls8t
parent
a7865d0f71
commit
e6b557f43b
5 changed files with 211 additions and 266 deletions
|
|
@ -20,7 +20,7 @@ import (
|
||||||
ld "gopkg.in/ldap.v2"
|
ld "gopkg.in/ldap.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Works against AD server in Azure confgiured using:
|
// Works against AD server in Azure configured using:
|
||||||
//
|
//
|
||||||
// https://auth0.com/docs/connector/test-dc
|
// https://auth0.com/docs/connector/test-dc
|
||||||
//
|
//
|
||||||
|
|
@ -45,53 +45,24 @@ var testConfigPublicAD = lm.LDAPConfig{
|
||||||
AttributeGroupMember: "member",
|
AttributeGroupMember: "member",
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestADServer_UserList(t *testing.T) {
|
func TestUserFilter_PublicAD(t *testing.T) {
|
||||||
testConfigPublicAD.UserFilter = "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))"
|
testConfigPublicAD.UserFilter = "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))"
|
||||||
testConfigPublicAD.GroupFilter = ""
|
|
||||||
userAttrs := testConfigPublicAD.GetUserFilterAttributes()
|
|
||||||
|
|
||||||
l, err := Connect(testConfigPublicAD)
|
e, err := executeUserFilter(testConfigPublicAD)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("unable to exeucte user filter", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer l.Close()
|
if len(e) == 0 {
|
||||||
|
t.Error("Received ZERO LDAP search entries")
|
||||||
// Authenticate with AD server using admin credentials.
|
|
||||||
t.Log("Binding LDAP admin user")
|
|
||||||
err = l.Bind(testConfigPublicAD.BindDN, testConfigPublicAD.BindPassword)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to bind specified admin user to AD: ", err.Error())
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
searchRequest := ld.NewSearchRequest(
|
t.Logf("LDAP search entries found: %d", len(e))
|
||||||
testConfigPublicAD.BaseDN,
|
|
||||||
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
|
||||||
testConfigPublicAD.UserFilter,
|
|
||||||
userAttrs,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
|
|
||||||
sr, err := l.Search(searchRequest)
|
for _, u := range e {
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to execute directory search: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
t.Logf("AD search entries found: %d", len(sr.Entries))
|
|
||||||
if len(sr.Entries) == 0 {
|
|
||||||
t.Error("Received ZERO AD search entries")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, entry := range sr.Entries {
|
|
||||||
t.Logf("[%s] %s (%s %s) @ %s\n",
|
t.Logf("[%s] %s (%s %s) @ %s\n",
|
||||||
entry.GetAttributeValue(testConfigPublicAD.AttributeUserRDN),
|
u.RemoteID, u.CN, u.Firstname, u.Lastname, u.Email)
|
||||||
entry.GetAttributeValue("cn"),
|
|
||||||
entry.GetAttributeValue(testConfigPublicAD.AttributeUserFirstname),
|
|
||||||
entry.GetAttributeValue(testConfigPublicAD.AttributeUserLastname),
|
|
||||||
entry.GetAttributeValue(testConfigPublicAD.AttributeUserEmail))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -101,7 +72,7 @@ func TestADServer_Groups(t *testing.T) {
|
||||||
groupAttrs := testConfigPublicAD.GetGroupFilterAttributes()
|
groupAttrs := testConfigPublicAD.GetGroupFilterAttributes()
|
||||||
userAttrs := testConfigPublicAD.GetUserFilterAttributes()
|
userAttrs := testConfigPublicAD.GetUserFilterAttributes()
|
||||||
|
|
||||||
l, err := Connect(testConfigPublicAD)
|
l, err := connect(testConfigPublicAD)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial AD server: ", err.Error())
|
t.Error("Error: unable to dial AD server: ", err.Error())
|
||||||
return
|
return
|
||||||
|
|
@ -142,8 +113,6 @@ func TestADServer_Groups(t *testing.T) {
|
||||||
t.Log("Found group", group.DN)
|
t.Log("Found group", group.DN)
|
||||||
|
|
||||||
rawMembers := group.GetAttributeValues(testConfigPublicAD.AttributeGroupMember)
|
rawMembers := group.GetAttributeValues(testConfigPublicAD.AttributeGroupMember)
|
||||||
fmt.Printf("%s", group.DN)
|
|
||||||
|
|
||||||
if len(rawMembers) == 0 {
|
if len(rawMembers) == 0 {
|
||||||
t.Log("Error: group member attribute returned no users")
|
t.Log("Error: group member attribute returned no users")
|
||||||
continue
|
continue
|
||||||
|
|
@ -187,61 +156,43 @@ func TestADServer_Groups(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
func TestADServer_Authenticate(t *testing.T) {
|
|
||||||
testConfigPublicAD.UserFilter = ""
|
|
||||||
testConfigPublicAD.GroupFilter = ""
|
|
||||||
userAttrs := testConfigPublicAD.GetUserFilterAttributes()
|
|
||||||
|
|
||||||
l, err := Connect(testConfigPublicAD)
|
func TestAuthenticate_PublicAD(t *testing.T) {
|
||||||
|
l, err := connect(testConfigPublicAD)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer l.Close()
|
defer l.Close()
|
||||||
|
|
||||||
// Authenticate with AD server using admin credentials.
|
ok, err := authenticate(l, testConfigPublicAD, "bob.johnson", "Pass@word1!")
|
||||||
t.Log("Binding AD admin user")
|
|
||||||
err = l.Bind(testConfigPublicAD.BindDN, testConfigPublicAD.BindPassword)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to bind specified admin user to AD: ", err.Error())
|
t.Error("error during LDAP authentication: ", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
username := `bob.johnson`
|
if !ok {
|
||||||
password := "Pass@word1!"
|
t.Error("failed LDAP authentication")
|
||||||
filter := fmt.Sprintf("(%s=%s)", testConfigPublicAD.AttributeUserRDN, username)
|
|
||||||
|
|
||||||
searchRequest := ld.NewSearchRequest(
|
|
||||||
testConfigPublicAD.BaseDN,
|
|
||||||
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
|
||||||
filter,
|
|
||||||
userAttrs,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
|
|
||||||
t.Log("AD search filter:", filter)
|
|
||||||
sr, err := l.Search(searchRequest)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to execute directory search: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(sr.Entries) == 0 {
|
t.Log("Authenticated")
|
||||||
t.Error("Error: user not found")
|
}
|
||||||
return
|
|
||||||
}
|
func TestNotAuthenticate_PublicAD(t *testing.T) {
|
||||||
if len(sr.Entries) != 1 {
|
l, err := connect(testConfigPublicAD)
|
||||||
t.Error("Error: too many users found during authentication")
|
if err != nil {
|
||||||
return
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
}
|
return
|
||||||
|
}
|
||||||
userdn := sr.Entries[0].DN
|
defer l.Close()
|
||||||
|
|
||||||
// Bind as the user to verify their password
|
ok, err := authenticate(l, testConfigPublicAD, "junk", "junk")
|
||||||
err = l.Bind(userdn, password)
|
if err != nil {
|
||||||
if err != nil {
|
t.Error("error during LDAP authentication: ", err.Error())
|
||||||
t.Error("Error: invalid credentials", err.Error())
|
return
|
||||||
return
|
}
|
||||||
}
|
if ok {
|
||||||
|
t.Error("incorrect LDAP authentication")
|
||||||
t.Log("Authenticated", username)
|
}
|
||||||
|
|
||||||
|
t.Log("Not authenticated")
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -16,12 +16,13 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
lm "github.com/documize/community/model/auth"
|
lm "github.com/documize/community/model/auth"
|
||||||
|
// "github.com/documize/community/model/user"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
ld "gopkg.in/ldap.v2"
|
ld "gopkg.in/ldap.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Connect establishes connection to LDAP server.
|
// Connect establishes connection to LDAP server.
|
||||||
func Connect(c lm.LDAPConfig) (l *ld.Conn, err error) {
|
func connect(c lm.LDAPConfig) (l *ld.Conn, err error) {
|
||||||
address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)
|
address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)
|
||||||
|
|
||||||
fmt.Println("Connecting to LDAP server", address)
|
fmt.Println("Connecting to LDAP server", address)
|
||||||
|
|
@ -43,3 +44,97 @@ func Connect(c lm.LDAPConfig) (l *ld.Conn, err error) {
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Authenticate user against LDAP provider.
|
||||||
|
func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bool, err error) {
|
||||||
|
success = false
|
||||||
|
userAttrs := c.GetUserFilterAttributes()
|
||||||
|
filter := fmt.Sprintf("(%s=%s)", c.AttributeUserRDN, username)
|
||||||
|
|
||||||
|
searchRequest := ld.NewSearchRequest(
|
||||||
|
c.BaseDN,
|
||||||
|
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
||||||
|
filter,
|
||||||
|
userAttrs,
|
||||||
|
nil,
|
||||||
|
)
|
||||||
|
|
||||||
|
err = l.Bind(c.BindDN, c.BindPassword)
|
||||||
|
if err != nil {
|
||||||
|
errors.Wrap(err, "unable to bind admin user")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
sr, err := l.Search(searchRequest)
|
||||||
|
if err != nil {
|
||||||
|
err = errors.Wrap(err, "unable to execute LDAP search during authentication")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(sr.Entries) == 0 {
|
||||||
|
err = errors.Wrap(err, "user not found during LDAP authentication")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(sr.Entries) != 1 {
|
||||||
|
err = errors.Wrap(err, "dupe users found during LDAP authentication")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
userdn := sr.Entries[0].DN
|
||||||
|
|
||||||
|
// Bind as the user to verify their password
|
||||||
|
err = l.Bind(userdn, pwd)
|
||||||
|
if err != nil {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ExecuteUserFilter returns all matching LDAP users.
|
||||||
|
func executeUserFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
|
||||||
|
l, err := connect(c)
|
||||||
|
if err != nil {
|
||||||
|
err = errors.Wrap(err, "unable to dial LDAP server")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
defer l.Close()
|
||||||
|
|
||||||
|
// Authenticate with LDAP server using admin credentials.
|
||||||
|
err = l.Bind(c.BindDN, c.BindPassword)
|
||||||
|
if err != nil {
|
||||||
|
errors.Wrap(err, "unable to bind admin user")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
searchRequest := ld.NewSearchRequest(
|
||||||
|
c.BaseDN,
|
||||||
|
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
||||||
|
c.UserFilter,
|
||||||
|
c.GetUserFilterAttributes(),
|
||||||
|
nil,
|
||||||
|
)
|
||||||
|
|
||||||
|
sr, err := l.Search(searchRequest)
|
||||||
|
if err != nil {
|
||||||
|
errors.Wrap(err, "unable to execute directory search for user filter "+c.UserFilter)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, e := range sr.Entries {
|
||||||
|
u = append(u, extractUser(c, e))
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// extractUser build user record from LDAP result attributes.
|
||||||
|
func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
|
||||||
|
u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)
|
||||||
|
u.Lastname = e.GetAttributeValue(c.AttributeUserLastname)
|
||||||
|
u.Email = e.GetAttributeValue(c.AttributeUserEmail)
|
||||||
|
u.RemoteID = e.GetAttributeValue(c.AttributeUserRDN)
|
||||||
|
u.CN = e.GetAttributeValue("cn")
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -42,54 +42,24 @@ var testConfigLocalLDAP = lm.LDAPConfig{
|
||||||
AttributeGroupMember: "member",
|
AttributeGroupMember: "member",
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLocalLDAPServer_AllUsers(t *testing.T) {
|
func TestUserFilter_LocalLDAP(t *testing.T) {
|
||||||
testConfigLocalLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
|
testConfigLocalLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
|
||||||
testConfigLocalLDAP.GroupFilter = ""
|
|
||||||
userAttrs := testConfigLocalLDAP.GetUserFilterAttributes()
|
|
||||||
|
|
||||||
l, err := Connect(testConfigLocalLDAP)
|
e, err := executeUserFilter(testConfigLocalLDAP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("unable to exeucte user filter", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer l.Close()
|
if len(e) == 0 {
|
||||||
|
|
||||||
// Authenticate with LDAP server using admin credentials.
|
|
||||||
t.Log("Binding LDAP admin user")
|
|
||||||
err = l.Bind(testConfigLocalLDAP.BindDN, testConfigLocalLDAP.BindPassword)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
searchRequest := ld.NewSearchRequest(
|
|
||||||
testConfigLocalLDAP.BaseDN,
|
|
||||||
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
|
||||||
testConfigLocalLDAP.UserFilter,
|
|
||||||
userAttrs,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
|
|
||||||
t.Log("LDAP search filter:", testConfigLocalLDAP.UserFilter)
|
|
||||||
sr, err := l.Search(searchRequest)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to execute directory search: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
t.Logf("LDAP search entries found: %d", len(sr.Entries))
|
|
||||||
if len(sr.Entries) == 0 {
|
|
||||||
t.Error("Received ZERO LDAP search entries")
|
t.Error("Received ZERO LDAP search entries")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, entry := range sr.Entries {
|
t.Logf("LDAP search entries found: %d", len(e))
|
||||||
|
|
||||||
|
for _, u := range e {
|
||||||
t.Logf("[%s] %s (%s %s) @ %s\n",
|
t.Logf("[%s] %s (%s %s) @ %s\n",
|
||||||
entry.GetAttributeValue(testConfigLocalLDAP.AttributeUserRDN),
|
u.RemoteID, u.CN, u.Firstname, u.Lastname, u.Email)
|
||||||
entry.GetAttributeValue("cn"),
|
|
||||||
entry.GetAttributeValue(testConfigLocalLDAP.AttributeUserFirstname),
|
|
||||||
entry.GetAttributeValue(testConfigLocalLDAP.AttributeUserLastname),
|
|
||||||
entry.GetAttributeValue(testConfigLocalLDAP.AttributeUserEmail))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -99,7 +69,7 @@ func TestLocalLDAPServer_UsersInGroup(t *testing.T) {
|
||||||
groupAttrs := testConfigLocalLDAP.GetGroupFilterAttributes()
|
groupAttrs := testConfigLocalLDAP.GetGroupFilterAttributes()
|
||||||
userAttrs := testConfigLocalLDAP.GetUserFilterAttributes()
|
userAttrs := testConfigLocalLDAP.GetUserFilterAttributes()
|
||||||
|
|
||||||
l, err := Connect(testConfigLocalLDAP)
|
l, err := connect(testConfigLocalLDAP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
return
|
return
|
||||||
|
|
@ -183,62 +153,43 @@ func TestLocalLDAPServer_UsersInGroup(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
func TestLocalLDAP_Authenticate(t *testing.T) {
|
|
||||||
testConfigLocalLDAP.UserFilter = ""
|
|
||||||
testConfigLocalLDAP.GroupFilter = ""
|
|
||||||
userAttrs := testConfigLocalLDAP.GetUserFilterAttributes()
|
|
||||||
|
|
||||||
l, err := Connect(testConfigLocalLDAP)
|
func TestAuthenticate_LocalLDAP(t *testing.T) {
|
||||||
|
l, err := connect(testConfigLocalLDAP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer l.Close()
|
defer l.Close()
|
||||||
|
|
||||||
// Authenticate with LDAP server using admin credentials.
|
ok, err := authenticate(l, testConfigLocalLDAP, "professor", "professor")
|
||||||
t.Log("Binding LDAP admin user")
|
|
||||||
err = l.Bind(testConfigLocalLDAP.BindDN, testConfigLocalLDAP.BindPassword)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
|
t.Error("error during LDAP authentication: ", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if !ok {
|
||||||
username := "professor"
|
t.Error("failed LDAP authentication")
|
||||||
password := "professor"
|
|
||||||
filter := fmt.Sprintf("(%s=%s)", testConfigPublicLDAP.AttributeUserRDN, username)
|
|
||||||
|
|
||||||
searchRequest := ld.NewSearchRequest(
|
|
||||||
testConfigLocalLDAP.BaseDN,
|
|
||||||
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
|
||||||
filter,
|
|
||||||
userAttrs,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
|
|
||||||
t.Log("LDAP search filter:", filter)
|
|
||||||
sr, err := l.Search(searchRequest)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to execute directory search: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(sr.Entries) == 0 {
|
t.Log("Authenticated")
|
||||||
t.Error("Error: user not found")
|
}
|
||||||
return
|
|
||||||
}
|
func TestNotAuthenticate_LocalLDAP(t *testing.T) {
|
||||||
if len(sr.Entries) != 1 {
|
l, err := connect(testConfigLocalLDAP)
|
||||||
t.Error("Error: too many users found during authentication")
|
if err != nil {
|
||||||
return
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
}
|
return
|
||||||
|
}
|
||||||
userdn := sr.Entries[0].DN
|
defer l.Close()
|
||||||
|
|
||||||
// Bind as the user to verify their password
|
ok, err := authenticate(l, testConfigLocalLDAP, "junk", "junk")
|
||||||
err = l.Bind(userdn, password)
|
if err != nil {
|
||||||
if err != nil {
|
t.Error("error during LDAP authentication: ", err.Error())
|
||||||
t.Error("Error: invalid credentials", err.Error())
|
return
|
||||||
return
|
}
|
||||||
}
|
if ok {
|
||||||
|
t.Error("incorrect LDAP authentication")
|
||||||
t.Log("Authenticated", username)
|
}
|
||||||
|
|
||||||
|
t.Log("Not authenticated")
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -41,53 +41,24 @@ var testConfigPublicLDAP = lm.LDAPConfig{
|
||||||
AttributeGroupMember: "uniqueMember",
|
AttributeGroupMember: "uniqueMember",
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestPublicLDAPServer_UserList(t *testing.T) {
|
func TestUserFilter_PublicLDAP(t *testing.T) {
|
||||||
testConfigPublicLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
|
testConfigPublicLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
|
||||||
testConfigPublicLDAP.GroupFilter = ""
|
|
||||||
userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()
|
|
||||||
|
|
||||||
l, err := Connect(testConfigPublicLDAP)
|
e, err := executeUserFilter(testConfigPublicLDAP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("unable to exeucte user filter", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer l.Close()
|
if len(e) == 0 {
|
||||||
|
|
||||||
// Authenticate with LDAP server using admin credentials.
|
|
||||||
t.Log("Binding LDAP admin user")
|
|
||||||
err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
searchRequest := ld.NewSearchRequest(
|
|
||||||
testConfigPublicLDAP.BaseDN,
|
|
||||||
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
|
||||||
testConfigPublicLDAP.UserFilter,
|
|
||||||
userAttrs,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
|
|
||||||
sr, err := l.Search(searchRequest)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to execute directory search: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
t.Logf("LDAP search entries found: %d", len(sr.Entries))
|
|
||||||
if len(sr.Entries) == 0 {
|
|
||||||
t.Error("Received ZERO LDAP search entries")
|
t.Error("Received ZERO LDAP search entries")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, entry := range sr.Entries {
|
t.Logf("LDAP search entries found: %d", len(e))
|
||||||
|
|
||||||
|
for _, u := range e {
|
||||||
t.Logf("[%s] %s (%s %s) @ %s\n",
|
t.Logf("[%s] %s (%s %s) @ %s\n",
|
||||||
entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserRDN),
|
u.RemoteID, u.CN, u.Firstname, u.Lastname, u.Email)
|
||||||
entry.GetAttributeValue("cn"),
|
|
||||||
entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserFirstname),
|
|
||||||
entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserLastname),
|
|
||||||
entry.GetAttributeValue(testConfigPublicLDAP.AttributeUserEmail))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -97,7 +68,7 @@ func TestPublicLDAPServer_Groups(t *testing.T) {
|
||||||
groupAttrs := testConfigPublicLDAP.GetGroupFilterAttributes()
|
groupAttrs := testConfigPublicLDAP.GetGroupFilterAttributes()
|
||||||
userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()
|
userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()
|
||||||
|
|
||||||
l, err := Connect(testConfigPublicLDAP)
|
l, err := connect(testConfigPublicLDAP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
return
|
return
|
||||||
|
|
@ -182,62 +153,40 @@ func TestPublicLDAPServer_Groups(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestPublicLDAP_Authenticate(t *testing.T) {
|
func TestAuthenticate_PublicLDAP(t *testing.T) {
|
||||||
testConfigPublicLDAP.UserFilter = ""
|
l, err := connect(testConfigPublicLDAP)
|
||||||
testConfigPublicLDAP.GroupFilter = ""
|
|
||||||
userAttrs := testConfigPublicLDAP.GetUserFilterAttributes()
|
|
||||||
|
|
||||||
l, err := Connect(testConfigPublicLDAP)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer l.Close()
|
defer l.Close()
|
||||||
|
|
||||||
// Authenticate with LDAP server using admin credentials.
|
ok, err := authenticate(l, testConfigPublicLDAP, "newton", "password")
|
||||||
t.Log("Binding LDAP admin user")
|
|
||||||
err = l.Bind(testConfigPublicLDAP.BindDN, testConfigPublicLDAP.BindPassword)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("Error: unable to bind specified admin user to LDAP: ", err.Error())
|
t.Error("error during LDAP authentication: ", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if !ok {
|
||||||
username := "newton"
|
t.Error("failed LDAP authentication")
|
||||||
password := "password"
|
|
||||||
filter := fmt.Sprintf("(%s=%s)", testConfigPublicLDAP.AttributeUserRDN, username)
|
|
||||||
|
|
||||||
searchRequest := ld.NewSearchRequest(
|
|
||||||
testConfigPublicLDAP.BaseDN,
|
|
||||||
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
|
|
||||||
filter,
|
|
||||||
userAttrs,
|
|
||||||
nil,
|
|
||||||
)
|
|
||||||
|
|
||||||
t.Log("LDAP search filter:", filter)
|
|
||||||
sr, err := l.Search(searchRequest)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("Error: unable to execute directory search: ", err.Error())
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if len(sr.Entries) == 0 {
|
|
||||||
t.Error("Error: user not found")
|
func TestNotAuthenticate_PublicLDAP(t *testing.T) {
|
||||||
return
|
l, err := connect(testConfigPublicLDAP)
|
||||||
}
|
if err != nil {
|
||||||
if len(sr.Entries) != 1 {
|
t.Error("Error: unable to dial LDAP server: ", err.Error())
|
||||||
t.Error("Error: too many users found during authentication")
|
return
|
||||||
return
|
}
|
||||||
}
|
defer l.Close()
|
||||||
|
|
||||||
userdn := sr.Entries[0].DN
|
ok, err := authenticate(l, testConfigPublicLDAP, "junk", "junk")
|
||||||
|
if err != nil {
|
||||||
// Bind as the user to verify their password
|
t.Error("error during LDAP authentication: ", err.Error())
|
||||||
err = l.Bind(userdn, password)
|
return
|
||||||
if err != nil {
|
}
|
||||||
t.Error("Error: invalid credentials", err.Error())
|
if ok {
|
||||||
return
|
t.Error("incorrect LDAP authentication")
|
||||||
}
|
}
|
||||||
|
|
||||||
t.Log("Authenticated", username)
|
t.Log("Not authenticated")
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -146,14 +146,13 @@ func (c *LDAPConfig) GetGroupFilterAttributes() []string {
|
||||||
}
|
}
|
||||||
|
|
||||||
// LDAPUser details user record returned by LDAP
|
// LDAPUser details user record returned by LDAP
|
||||||
// type LDAPUser struct {
|
type LDAPUser struct {
|
||||||
// ID string `json:"id"`
|
RemoteID string `json:"remoteId"`
|
||||||
// Username string `json:"username"`
|
CN string `json:"cn"`
|
||||||
// Email string `json:"email"`
|
Email string `json:"email"`
|
||||||
// Firstname string `json:"firstName"`
|
Firstname string `json:"firstName"`
|
||||||
// Lastname string `json:"lastName"`
|
Lastname string `json:"lastName"`
|
||||||
// Enabled bool `json:"enabled"`
|
}
|
||||||
// }
|
|
||||||
|
|
||||||
// LDAPAuthRequest data received via LDAP client library
|
// LDAPAuthRequest data received via LDAP client library
|
||||||
// type LDAPAuthRequest struct {
|
// type LDAPAuthRequest struct {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue