IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-27 19:30:36 -06:00
Code Issues Packages Projects Releases Wiki Activity
5f0a7f43c3
grafana/pkg/services/ldap/ldap_private_test.go

172 lines
3.7 KiB
Go
Raw Normal View History

LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
2019-06-13 09:47:52 -05:00
package ldap
import (
"testing"
. "github.com/smartystreets/goconvey/convey"
"gopkg.in/ldap.v3"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
)
func TestLDAPPrivateMethods(t *testing.T) {
Convey("serializeUsers()", t, func() {
Convey("simple case", func() {
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
MemberOf: "memberof",
Email: "email",
},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: &MockConnection{},
log: log.New("test-logger"),
}
entry := ldap.Entry{
DN: "dn",
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"roelgerrits"}},
{Name: "surname", Values: []string{"Gerrits"}},
{Name: "email", Values: []string{"roel@test.com"}},
{Name: "name", Values: []string{"Roel"}},
{Name: "memberof", Values: []string{"admins"}},
},
}
LDAP: Divide the requests (#17885) * LDAP: Divide the requests Active Directory does indeed have a limitation with 1000 results per search (default of course). However, that limitation can be workaround with the pagination search feature, meaning `pagination` number is how many times LDAP compatible server will be requested by the client with specified amount of users (like 1000). That feature already embeded with LDAP compatible client (including our `go-ldap`). But slapd server has by default stricter settings. First, limitation is not 1000 but 500, second, pagination workaround presumably (information about it a bit scarce and I still not sure on some of the details from my own testing) cannot be workaround with pagination feature. See https://www.openldap.org/doc/admin24/limits.html https://serverfault.com/questions/328671/paging-using-ldapsearch hashicorp/vault#4162 - not sure why they were hitting the limit in the first place, since `go-ldap` doesn't have one by default. But, given all that, for me `ldapsearch` command with same request as with `go-ldap` still returns more then 500 results, it can even return as much as 10500 items (probably more). So either there is some differences with implementation of the LDAP search between `go-ldap` module and `ldapsearch` or I am missing a step :/. In the wild (see serverfault link), apparently, people still hitting that limitation even with `ldapsearch`, so it still seems to be an issue. But, nevertheless, I'm still confused by this incoherence. To workaround it, I divide the request by no more then 500 items per search
2019-07-03 09:39:54 -05:00
users := []*ldap.Entry{&entry}
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
2019-06-13 09:47:52 -05:00
result, err := server.serializeUsers(users)
So(err, ShouldBeNil)
So(result[0].Login, ShouldEqual, "roelgerrits")
So(result[0].Email, ShouldEqual, "roel@test.com")
So(result[0].Groups, ShouldContain, "admins")
})
Convey("without lastname", func() {
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
MemberOf: "memberof",
Email: "email",
},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: &MockConnection{},
log: log.New("test-logger"),
}
entry := ldap.Entry{
DN: "dn",
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"roelgerrits"}},
{Name: "email", Values: []string{"roel@test.com"}},
{Name: "name", Values: []string{"Roel"}},
{Name: "memberof", Values: []string{"admins"}},
},
}
LDAP: Divide the requests (#17885) * LDAP: Divide the requests Active Directory does indeed have a limitation with 1000 results per search (default of course). However, that limitation can be workaround with the pagination search feature, meaning `pagination` number is how many times LDAP compatible server will be requested by the client with specified amount of users (like 1000). That feature already embeded with LDAP compatible client (including our `go-ldap`). But slapd server has by default stricter settings. First, limitation is not 1000 but 500, second, pagination workaround presumably (information about it a bit scarce and I still not sure on some of the details from my own testing) cannot be workaround with pagination feature. See https://www.openldap.org/doc/admin24/limits.html https://serverfault.com/questions/328671/paging-using-ldapsearch hashicorp/vault#4162 - not sure why they were hitting the limit in the first place, since `go-ldap` doesn't have one by default. But, given all that, for me `ldapsearch` command with same request as with `go-ldap` still returns more then 500 results, it can even return as much as 10500 items (probably more). So either there is some differences with implementation of the LDAP search between `go-ldap` module and `ldapsearch` or I am missing a step :/. In the wild (see serverfault link), apparently, people still hitting that limitation even with `ldapsearch`, so it still seems to be an issue. But, nevertheless, I'm still confused by this incoherence. To workaround it, I divide the request by no more then 500 items per search
2019-07-03 09:39:54 -05:00
users := []*ldap.Entry{&entry}
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
2019-06-13 09:47:52 -05:00
result, err := server.serializeUsers(users)
So(err, ShouldBeNil)
So(result[0].Name, ShouldEqual, "Roel")
})
})
Convey("validateGrafanaUser()", t, func() {
Convey("Returns error when user does not belong in any of the specified LDAP groups", func() {
server := &Server{
Config: &ServerConfig{
Groups: []*GroupToOrgRole{
{
OrgID: 1,
},
},
},
log: logger.New("test"),
}
user := &models.ExternalUserInfo{
Login: "markelog",
}
result := server.validateGrafanaUser(user)
So(result, ShouldEqual, ErrInvalidCredentials)
})
Convey("Does not return error when group config is empty", func() {
server := &Server{
Config: &ServerConfig{
Groups: []*GroupToOrgRole{},
},
log: logger.New("test"),
}
user := &models.ExternalUserInfo{
Login: "markelog",
}
result := server.validateGrafanaUser(user)
So(result, ShouldBeNil)
})
Convey("Does not return error when groups are there", func() {
server := &Server{
Config: &ServerConfig{
Groups: []*GroupToOrgRole{
{
OrgID: 1,
},
},
},
log: logger.New("test"),
}
user := &models.ExternalUserInfo{
Login: "markelog",
OrgRoles: map[int64]models.RoleType{
1: "test",
},
}
result := server.validateGrafanaUser(user)
So(result, ShouldBeNil)
})
})
LDAP: finishing touches (#17945) * LDAP:Docs: `active_sync_enabled` setting Mention `active_sync_enabled` setting and enable it by default * LDAP: move "disableExternalUser" method Idea behind new design of the LDAP module is to minimise conflation between other parts of the system, so it would decoupled as much as possible from stuff like database, HTTP transport and etc. Following "Do One Thing and Do It Well" Unix philosophy principal, other things could be better fitted on the consumer side of things. Which what this commit trying to archive * LDAP: correct user/admin binding The second binding was not happening, so if the admin login/password in LDAP configuration was correct, anyone could had login as anyone using incorrect password
2019-07-05 09:49:00 -05:00
Convey("shouldAuthAdmin()", t, func() {
Convey("it should require admin auth", func() {
server := &Server{
Config: &ServerConfig{
BindPassword: "test",
},
}
result := server.shouldAuthAdmin()
So(result, ShouldBeTrue)
})
Convey("it should not require admin auth", func() {
server := &Server{
Config: &ServerConfig{
BindPassword: "",
},
}
result := server.shouldAuthAdmin()
So(result, ShouldBeFalse)
})
})
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
2019-06-13 09:47:52 -05:00
}
Reference in New Issue Copy Permalink