1aff701bc7
Fixes two issues found with our LDAP handling code. First, we now follow referrals in both LDAP calls, as some LDAP systems will return a referral instead of the original record. Second, we now make sure to handle multiple search result pairs properly by further filtering based on the presence of the 'mail' attribute when we have multiple valid pairs. This CL also adds tests for all of the above cases.
import unittest
from app import app
from initdb import setup_database_for_testing, finished_database_for_testing
from data import model
from data.users import LDAPUsers
from mockldap import MockLdap
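class TestLDAP(unittest.TestCase):
    """Exercise LDAPUsers against an in-process MockLdap directory.

    The fixture directory built in setUp deliberately contains the record
    shapes the login code has to cope with: a user without the configured
    email attribute, a uid that is only reachable through an LDAP referral,
    a referral that points at a non-existent entry, and one uid present in
    two different subtrees.  Each test method exercises one of those shapes
    through verify_user / confirm_existing_user.
    """

    def setUp(self):
        """Set up the test database, a Flask request context and a mock LDAP server.

        Also builds the LDAPUsers instance under test, bound as the admin
        account 'uid=testy' against the 'ou=employees' subtree.
        """
        setup_database_for_testing(self)
        self.app = app.test_client()
        self.ctx = app.test_request_context()
        self.ctx.__enter__()

        self.mockldap = MockLdap({
            'dc=quay,dc=io': {'dc': ['quay', 'io']},
            'ou=employees,dc=quay,dc=io': {
                'dc': ['quay', 'io'],
                'ou': 'employees'
            },
            # Entry used as admin_dn / admin_passwd for the LDAPUsers bind below.
            'uid=testy,ou=employees,dc=quay,dc=io': {
                'dc': ['quay', 'io'],
                'ou': 'employees',
                'uid': 'testy',
                'userPassword': ['password']
            },
            # Well-formed user record with the 'mail' attribute present.
            'uid=someuser,ou=employees,dc=quay,dc=io': {
                'dc': ['quay', 'io'],
                'ou': 'employees',
                'uid': ['someuser'],
                'userPassword': ['somepass'],
                'mail': ['foo@bar.com']
            },
            # Same as above but without 'mail'; login must be refused.
            'uid=nomail,ou=employees,dc=quay,dc=io': {
                'dc': ['quay', 'io'],
                'ou': 'employees',
                'uid': ['nomail'],
                'userPassword': ['somepass']
            },
            # uid containing a '.' (rewritten to '_' for the Quay username);
            # also carries the 'referred' uid so the referral below resolves here.
            'uid=cool.user,ou=employees,dc=quay,dc=io': {
                'dc': ['quay', 'io'],
                'ou': 'employees',
                'uid': ['cool.user', 'referred'],
                'userPassword': ['somepass'],
                'mail': ['foo@bar.com']
            },
            # Referral to an existing entry (cool.user).
            'uid=referred,ou=employees,dc=quay,dc=io': {
                'uid': ['referred'],
                '_referral': 'ldap:///uid=cool.user,ou=employees,dc=quay,dc=io'
            },
            # Referral to an entry that does not exist in the directory.
            'uid=invalidreferred,ou=employees,dc=quay,dc=io': {
                'uid': ['invalidreferred'],
                '_referral': 'ldap:///uid=someinvaliduser,ou=employees,dc=quay,dc=io'
            },
            # One uid under two subtrees; only the first record carries 'mail'.
            'uid=multientry,ou=subgroup1,ou=employees,dc=quay,dc=io': {
                'uid': ['multientry'],
                'mail': ['foo@bar.com'],
                'userPassword': ['somepass'],
            },
            'uid=multientry,ou=subgroup2,ou=employees,dc=quay,dc=io': {
                'uid': ['multientry'],
                'another': ['key']
            },
        })

        self.mockldap.start()

        base_dn = ['dc=quay', 'dc=io']
        admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
        admin_passwd = 'password'
        user_rdn = ['ou=employees']
        uid_attr = 'uid'
        email_attr = 'mail'

        self.ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
                              uid_attr, email_attr)

    def tearDown(self):
        """Stop the mock LDAP server, drop the test database and leave the request context."""
        self.mockldap.stop()
        finished_database_for_testing(self)
        self.ctx.__exit__(True, None, None)

    def test_login(self):
        """A well-formed record can both log in and be confirmed."""
        # Verify we can login.
        (response, _) = self.ldap.verify_user('someuser', 'somepass')
        self.assertEqual(response.username, 'someuser')

        # Verify we can confirm the user.
        (response, _) = self.ldap.confirm_existing_user('someuser', 'somepass')
        self.assertEqual(response.username, 'someuser')

        # NOTE(review): no test here exercises a valid uid with a wrong
        # password; that negative case is worth adding alongside this one.

    def test_missing_mail(self):
        """A record without the configured email attribute is rejected with a clear message."""
        (response, err_msg) = self.ldap.verify_user('nomail', 'somepass')
        self.assertIsNone(response)
        self.assertEqual('Missing mail field "mail" in user record', err_msg)

    def test_confirm_different_username(self):
        """The Quay username is derived from the LDAP uid and only that form confirms."""
        # Verify that the user is logged in and their username was adjusted.
        (response, _) = self.ldap.verify_user('cool.user', 'somepass')
        self.assertEqual(response.username, 'cool_user')

        # Verify we can confirm the user's quay username.
        (response, _) = self.ldap.confirm_existing_user('cool_user', 'somepass')
        self.assertEqual(response.username, 'cool_user')

        # Verify that we *cannot* confirm the LDAP username.
        (response, _) = self.ldap.confirm_existing_user('cool.user', 'somepass')
        self.assertIsNone(response)

    def test_referral(self):
        """A uid that resolves through a referral logs in as the referred-to record."""
        (response, _) = self.ldap.verify_user('referred', 'somepass')
        self.assertEqual(response.username, 'cool_user')

        # Verify we can confirm the user's quay username.
        (response, _) = self.ldap.confirm_existing_user('cool_user', 'somepass')
        self.assertEqual(response.username, 'cool_user')

    def test_invalid_referral(self):
        """A referral to a non-existent entry must not produce a logged-in user."""
        (response, _) = self.ldap.verify_user('invalidreferred', 'somepass')
        self.assertIsNone(response)

    def test_multientry(self):
        """When one uid matches several records, the one carrying 'mail' is used."""
        (response, _) = self.ldap.verify_user('multientry', 'somepass')
        self.assertEqual(response.username, 'multientry')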
# Allow running this module directly as a test script.
if __name__ == '__main__':
    unittest.main()