// Copyright 2024 The Cockroach Authors.
//
// Use of this software is governed by the CockroachDB Software License
// included in the /LICENSE file.
package ldapccl
import (
	"context"
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
	"testing"

	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/hba"
	"github.com/cockroachdb/errors"
	"github.com/go-ldap/ldap/v3"
)
// Sentinel substrings understood by mockLDAPUtil and constructHBAEntry.
const (
	// emptyParam, when given as an override value to constructHBAEntry, drops
	// the option from the generated HBA entry instead of setting it.
	emptyParam = "empty"
	// invalidParam, when contained in a config field, DN, username or
	// password, makes the corresponding mockLDAPUtil method return an error.
	invalidParam = "invalid"
)
// mockLDAPUtil is a test double for ILDAPUtil. It never contacts a directory
// server: each method fails when one of its inputs contains invalidParam and
// otherwise returns canned data.
type mockLDAPUtil struct {
	// conn is set to an empty *ldap.Conn by MaybeInitLDAPsConn; no method in
	// this file reads it.
	conn *ldap.Conn
	// tlsConfig is neither written nor read by any method in this file.
	tlsConfig *tls.Config
	// groupDNs is what ListGroups returns on success; set it via setGroups.
	groupDNs []string
}
// Compile-time check that *mockLDAPUtil satisfies ILDAPUtil.
var _ ILDAPUtil = &mockLDAPUtil{}
// NewMockLDAPUtil is an ILDAPUtil constructor with the same shape as the
// production one. It ignores both arguments and returns a fresh, unconfigured
// mockLDAPUtil. Being a variable rather than a function, it can be replaced
// by callers that need a different constructor.
var NewMockLDAPUtil func(context.Context, ldapConfig) (ILDAPUtil, error) = func(
	_ context.Context, _ ldapConfig,
) (ILDAPUtil, error) {
	var mock mockLDAPUtil
	return &mock, nil
}
// MaybeInitLDAPsConn implements the ILDAPUtil interface.
//
// The mock never dials anything. It fails when conf.ldapServer or
// conf.ldapPort contains invalidParam (server is checked first) and otherwise
// stores an empty *ldap.Conn so callers observe a non-nil connection.
func (lu *mockLDAPUtil) MaybeInitLDAPsConn(ctx context.Context, conf ldapConfig) error {
	switch {
	case strings.Contains(conf.ldapServer, invalidParam):
		return errors.Newf(ldapsFailureMessage + ": invalid ldap server provided")
	case strings.Contains(conf.ldapPort, invalidParam):
		return errors.Newf(ldapsFailureMessage + ": invalid ldap port provided")
	}
	lu.conn = &ldap.Conn{}
	return nil
}
// Bind implements the ILDAPUtil interface.
//
// No credential is ever verified: the mock rejects a userDN containing
// invalidParam (checked first), then a ldapPwd containing invalidParam, and
// accepts everything else.
func (lu *mockLDAPUtil) Bind(ctx context.Context, userDN string, ldapPwd string) error {
	switch {
	case strings.Contains(userDN, invalidParam):
		return errors.Newf(bindFailureMessage + ": invalid username provided")
	case strings.Contains(ldapPwd, invalidParam):
		return errors.Newf(bindFailureMessage + ": invalid password provided")
	}
	return nil
}
// Search implements the ILDAPUtil interface.
//
// The mock resolves username to a DN without consulting a directory. It first
// binds with the configured bind DN and password (any Bind error is wrapped
// with searchFailureMessage), then rejects a base DN, search filter, search
// attribute or username containing invalidParam, in that order. An empty
// username is reported as a missing user and a username containing a comma
// as an ambiguous match; otherwise the result is "CN=" + username. Note that
// no DN escaping is applied to username — this is test-only behaviour.
func (lu *mockLDAPUtil) Search(
	ctx context.Context, conf ldapConfig, username string,
) (userDN string, err error) {
	if bindErr := lu.Bind(ctx, conf.ldapBindDN, conf.ldapBindPassword); bindErr != nil {
		return "", errors.Wrap(bindErr, searchFailureMessage)
	}

	switch {
	case strings.Contains(conf.ldapBaseDN, invalidParam):
		return "", errors.Newf(searchFailureMessage+": invalid base DN %q provided", conf.ldapBaseDN)
	case strings.Contains(conf.ldapSearchFilter, invalidParam):
		return "", errors.Newf(searchFailureMessage+": invalid search filter %q provided", conf.ldapSearchFilter)
	case strings.Contains(conf.ldapSearchAttribute, invalidParam):
		return "", errors.Newf(searchFailureMessage+": invalid search attribute %q provided", conf.ldapSearchAttribute)
	case strings.Contains(username, invalidParam):
		return "", errors.Newf(searchFailureMessage+": invalid search value %q provided", username)
	}

	if username == "" {
		return "", errors.Newf(searchFailureMessage+": user %q does not exist", username)
	}
	// A comma would split the value into more than one common name, which the
	// mock treats as multiple directory entries matching the search.
	commonName, _, ambiguous := strings.Cut(username, ",")
	if ambiguous {
		return "", errors.Newf(searchFailureMessage+": too many matching entries returned for user %q", username)
	}
	return "CN=" + commonName, nil
}
// setGroups overrides the return value of ListGroups for testing purposes.
//
// The slice is stored as given (no copy), so later changes to groupsDN by the
// caller are visible to ListGroups.
func (lu *mockLDAPUtil) setGroups(groupsDN []string) {
	groups := groupsDN
	lu.groupDNs = groups
}
// ListGroups implements the ILDAPUtil interface.
//
// The mock first binds with the configured bind DN and password (any Bind
// error is wrapped with groupListFailureMessage), then rejects a base DN,
// search filter, group list filter or userDN containing invalidParam, in that
// order. An empty userDN is reported as belonging to no groups; otherwise the
// slice previously installed with setGroups is returned.
func (lu *mockLDAPUtil) ListGroups(
	ctx context.Context, conf ldapConfig, userDN string,
) (ldapGroupsDN []string, err error) {
	if bindErr := lu.Bind(ctx, conf.ldapBindDN, conf.ldapBindPassword); bindErr != nil {
		return nil, errors.Wrap(bindErr, groupListFailureMessage)
	}

	switch {
	case strings.Contains(conf.ldapBaseDN, invalidParam):
		return nil, errors.Newf(groupListFailureMessage+": invalid base DN %q provided", conf.ldapBaseDN)
	case strings.Contains(conf.ldapSearchFilter, invalidParam):
		return nil, errors.Newf(groupListFailureMessage+": invalid search filter %q provided", conf.ldapSearchFilter)
	case strings.Contains(conf.ldapGroupListFilter, invalidParam):
		return nil, errors.Newf(groupListFailureMessage+": invalid group list filter %q provided", conf.ldapGroupListFilter)
	case strings.Contains(userDN, invalidParam):
		return nil, errors.Newf(groupListFailureMessage+": invalid user DN %q provided", userDN)
	case userDN == "":
		return nil, errors.Newf(groupListFailureMessage+": user dn %q does not belong to any groups", userDN)
	}

	return lu.groupDNs, nil
}
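// constructHBAEntry builds one HBA entry string from hbaEntryBase plus the
// LDAP options and parses it into an hba.Entry.
//
// Options come from hbaConfLDAPDefaultOpts. A non-empty value for the same key
// in hbaConfLDAPOpts overrides the default, and the sentinel emptyParam drops
// the option entirely. Keys present only in hbaConfLDAPOpts are appended
// after the defaults. Keys are emitted in sorted order so the generated entry
// — and any parse failure it causes — is reproducible across runs, since Go
// map iteration order is randomised.
//
// The function fails the calling test (via t.Fatalf) when the entry does not
// parse or does not yield exactly one entry; t.Helper() makes that failure
// point at the caller rather than at this helper.
func constructHBAEntry(
	t *testing.T,
	hbaEntryBase string,
	hbaConfLDAPDefaultOpts map[string]string,
	hbaConfLDAPOpts map[string]string,
) hba.Entry {
	t.Helper()

	var entry strings.Builder
	entry.WriteString(hbaEntryBase)
	writeOpt := func(opt, value string) {
		// Values are quoted but not escaped; a value containing a double quote
		// would break the quoting and fail the parse below.
		fmt.Fprintf(&entry, "\"%s=%s\" ", opt, value)
	}

	// Default options, each possibly overridden or dropped by hbaConfLDAPOpts.
	defaultKeys := make([]string, 0, len(hbaConfLDAPDefaultOpts))
	for opt := range hbaConfLDAPDefaultOpts {
		defaultKeys = append(defaultKeys, opt)
	}
	sort.Strings(defaultKeys)
	for _, opt := range defaultKeys {
		override := hbaConfLDAPOpts[opt]
		switch {
		case override == emptyParam:
			continue
		case override != "":
			writeOpt(opt, override)
		default:
			writeOpt(opt, hbaConfLDAPDefaultOpts[opt])
		}
	}

	// Options without a default are appended verbatim.
	extraKeys := make([]string, 0, len(hbaConfLDAPOpts))
	for opt := range hbaConfLDAPOpts {
		if _, hasDefault := hbaConfLDAPDefaultOpts[opt]; !hasDefault {
			extraKeys = append(extraKeys, opt)
		}
	}
	sort.Strings(extraKeys)
	for _, opt := range extraKeys {
		writeOpt(opt, hbaConfLDAPOpts[opt])
	}

	hbaConf, err := hba.ParseAndNormalize(entry.String())
	if err != nil {
		t.Fatalf("error parsing hba conf: %v", err)
	}
	if len(hbaConf.Entries) != 1 {
		t.Fatalf("hba conf value invalid: should contain only 1 entry")
	}
	return hbaConf.Entries[0]
}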