minio/internal/config/identity/ldap/config-validator_test.go
Aditya Manthramurthy ce97313fda
Add extra LDAP configuration validation (#14535)
- The result now contains suggestions on fixing common configuration issues.
- These suggestions will subsequently be exposed in console/mc
2022-03-16 19:57:36 -07:00

190 lines
5.1 KiB
Go

// Copyright (c) 2015-2022 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package ldap
import (
"fmt"
"os"
"testing"
"github.com/minio/minio-go/v7/pkg/set"
)
const (
EnvTestLDAPServer = "LDAP_TEST_SERVER"
)
func TestConfigValidator(t *testing.T) {
ldapServer := os.Getenv(EnvTestLDAPServer)
if ldapServer == "" {
t.Skip()
}
testCases := []struct {
cfg Config
expectedResult Result
}{
{
cfg: func() Config {
v := Config{Enabled: true}
return v
}(),
expectedResult: ConnectivityError,
},
{
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
return v
}(),
expectedResult: ConnectivityError,
},
{
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
return v
}(),
expectedResult: LookupBindError,
},
{
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin1"
return v
}(),
expectedResult: LookupBindError,
},
{ // Case 4
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin"
return v
}(),
expectedResult: UserSearchParamsMisconfigured,
},
{
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin"
v.UserDNSearchFilter = "(uid=x)"
v.UserDNSearchBaseDistName = "dc=min,dc=io"
return v
}(),
expectedResult: UserSearchParamsMisconfigured,
},
{
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin"
v.UserDNSearchFilter = "(uid=%s)"
v.UserDNSearchBaseDistName = "dc=min,dc=io"
return v
}(),
expectedResult: ConfigOk,
},
{ // Case 7
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin"
v.UserDNSearchFilter = "(uid=%s)"
v.UserDNSearchBaseDistName = "dc=min,dc=io"
v.GroupSearchBaseDistName = "ou=swengg,dc=min,dc=io"
v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=x))"
return v
}(),
expectedResult: GroupSearchParamsMisconfigured,
},
{
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin"
v.UserDNSearchFilter = "(uid=%s)"
v.UserDNSearchBaseDistName = "dc=min,dc=io"
v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=x))"
return v
}(),
expectedResult: GroupSearchParamsMisconfigured,
},
{ // Case 9
cfg: func() Config {
v := Config{Enabled: true}
v.ServerAddr = ldapServer
v.serverInsecure = true
v.LookupBindDN = "cn=admin,dc=min,dc=io"
v.LookupBindPassword = "admin"
v.UserDNSearchFilter = "(uid=%s)"
v.UserDNSearchBaseDistName = "dc=min,dc=io"
v.GroupSearchBaseDistName = "ou=swengg,dc=min,dc=io"
v.GroupSearchFilter = "(&(objectclass=groupofnames)(member=%d))"
return v
}(),
expectedResult: ConfigOk,
},
}
expectedDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
expectedGroups := set.CreateStringSet(
"cn=projecta,ou=groups,ou=swengg,dc=min,dc=io",
"cn=projectb,ou=groups,ou=swengg,dc=min,dc=io",
)
for i, test := range testCases {
result := test.cfg.Validate()
if result.Result != test.expectedResult {
fmt.Printf("Result: %#v\n", result)
t.Fatalf("Case %d: Got `%s` expected `%s`", i, result.Result, string(test.expectedResult))
}
if result.IsOk() {
lookupResult, validationResult := test.cfg.ValidateLookup("dillon")
if !validationResult.IsOk() {
t.Fatalf("Case %d: Got unexpected validation failure: %#v\n", i, validationResult)
}
if lookupResult.DN != expectedDN {
t.Fatalf("Case %d: Got unexpected DN: %v", i, lookupResult.DN)
}
if test.cfg.GroupSearchFilter == "" {
continue
}
if !set.CreateStringSet(lookupResult.GroupDNMemberships...).Equals(expectedGroups) {
t.Fatalf("Case %d: Got unexpected groups: %v", i, lookupResult.GroupDNMemberships)
}
}
}
}