apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22366 Commits
5978 Branches
596 Tags
1.7 GiB
Tag: Branch: Tree: 3063ef6c2a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3063ef6c2a'
${ noResults }
grafana/pkg/services/ldap/ldap_private_test.go

210 lines
4.6 KiB
Raw Normal View History Unescape

LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
6 years ago
package ldap
import (
"testing"
. "github.com/smartystreets/goconvey/convey"
"gopkg.in/ldap.v3"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
)
func TestLDAPPrivateMethods(t *testing.T) {
LDAP: improve POSIX support (#18235) * LDAP: improve POSIX support * Correctly abtain DN attributes result * Allow more flexibility with comparison mapping between POSIX group & user * Add devenv for POSIX LDAP server * Correct the docs Fixes #18140
6 years ago
Convey("getSearchRequest()", t, func() {
Convey("with enabled GroupSearchFilterUserAttribute setting", func() {
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
MemberOf: "memberof",
Email: "email",
},
GroupSearchFilterUserAttribute: "gansta",
SearchBaseDNs: []string{"BaseDNHere"},
},
log: log.New("test-logger"),
}
result := server.getSearchRequest("killa", []string{"gorilla"})
So(result, ShouldResemble, &ldap.SearchRequest{
BaseDN: "killa",
Scope: 2,
DerefAliases: 0,
SizeLimit: 0,
TimeLimit: 0,
TypesOnly: false,
Filter: "(|)",
Attributes: []string{
"username",
"email",
"name",
"memberof",
"gansta",
},
Controls: nil,
})
})
})
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
6 years ago
Convey("serializeUsers()", t, func() {
Convey("simple case", func() {
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
MemberOf: "memberof",
Email: "email",
},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: &MockConnection{},
log: log.New("test-logger"),
}
entry := ldap.Entry{
DN: "dn",
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"roelgerrits"}},
{Name: "surname", Values: []string{"Gerrits"}},
{Name: "email", Values: []string{"roel@test.com"}},
{Name: "name", Values: []string{"Roel"}},
{Name: "memberof", Values: []string{"admins"}},
},
}
LDAP: Divide the requests (#17885) * LDAP: Divide the requests Active Directory does indeed have a limitation with 1000 results per search (default of course). However, that limitation can be workaround with the pagination search feature, meaning `pagination` number is how many times LDAP compatible server will be requested by the client with specified amount of users (like 1000). That feature already embeded with LDAP compatible client (including our `go-ldap`). But slapd server has by default stricter settings. First, limitation is not 1000 but 500, second, pagination workaround presumably (information about it a bit scarce and I still not sure on some of the details from my own testing) cannot be workaround with pagination feature. See https://www.openldap.org/doc/admin24/limits.html https://serverfault.com/questions/328671/paging-using-ldapsearch hashicorp/vault#4162 - not sure why they were hitting the limit in the first place, since `go-ldap` doesn't have one by default. But, given all that, for me `ldapsearch` command with same request as with `go-ldap` still returns more then 500 results, it can even return as much as 10500 items (probably more). So either there is some differences with implementation of the LDAP search between `go-ldap` module and `ldapsearch` or I am missing a step :/. In the wild (see serverfault link), apparently, people still hitting that limitation even with `ldapsearch`, so it still seems to be an issue. But, nevertheless, I'm still confused by this incoherence. To workaround it, I divide the request by no more then 500 items per search
6 years ago
users := []*ldap.Entry{&entry}
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
6 years ago
result, err := server.serializeUsers(users)
So(err, ShouldBeNil)
So(result[0].Login, ShouldEqual, "roelgerrits")
So(result[0].Email, ShouldEqual, "roel@test.com")
So(result[0].Groups, ShouldContain, "admins")
})
Convey("without lastname", func() {
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
MemberOf: "memberof",
Email: "email",
},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: &MockConnection{},
log: log.New("test-logger"),
}
entry := ldap.Entry{
DN: "dn",
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"roelgerrits"}},
{Name: "email", Values: []string{"roel@test.com"}},
{Name: "name", Values: []string{"Roel"}},
{Name: "memberof", Values: []string{"admins"}},
},
}
LDAP: Divide the requests (#17885) * LDAP: Divide the requests Active Directory does indeed have a limitation with 1000 results per search (default of course). However, that limitation can be workaround with the pagination search feature, meaning `pagination` number is how many times LDAP compatible server will be requested by the client with specified amount of users (like 1000). That feature already embeded with LDAP compatible client (including our `go-ldap`). But slapd server has by default stricter settings. First, limitation is not 1000 but 500, second, pagination workaround presumably (information about it a bit scarce and I still not sure on some of the details from my own testing) cannot be workaround with pagination feature. See https://www.openldap.org/doc/admin24/limits.html https://serverfault.com/questions/328671/paging-using-ldapsearch hashicorp/vault#4162 - not sure why they were hitting the limit in the first place, since `go-ldap` doesn't have one by default. But, given all that, for me `ldapsearch` command with same request as with `go-ldap` still returns more then 500 results, it can even return as much as 10500 items (probably more). So either there is some differences with implementation of the LDAP search between `go-ldap` module and `ldapsearch` or I am missing a step :/. In the wild (see serverfault link), apparently, people still hitting that limitation even with `ldapsearch`, so it still seems to be an issue. But, nevertheless, I'm still confused by this incoherence. To workaround it, I divide the request by no more then 500 items per search
6 years ago
users := []*ldap.Entry{&entry}
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
6 years ago
result, err := server.serializeUsers(users)
So(err, ShouldBeNil)
So(result[0].Name, ShouldEqual, "Roel")
})
})
Convey("validateGrafanaUser()", t, func() {
Convey("Returns error when user does not belong in any of the specified LDAP groups", func() {
server := &Server{
Config: &ServerConfig{
Groups: []*GroupToOrgRole{
{
OrgID: 1,
},
},
},
log: logger.New("test"),
}
user := &models.ExternalUserInfo{
Login: "markelog",
}
result := server.validateGrafanaUser(user)
So(result, ShouldEqual, ErrInvalidCredentials)
})
Convey("Does not return error when group config is empty", func() {
server := &Server{
Config: &ServerConfig{
Groups: []*GroupToOrgRole{},
},
log: logger.New("test"),
}
user := &models.ExternalUserInfo{
Login: "markelog",
}
result := server.validateGrafanaUser(user)
So(result, ShouldBeNil)
})
Convey("Does not return error when groups are there", func() {
server := &Server{
Config: &ServerConfig{
Groups: []*GroupToOrgRole{
{
OrgID: 1,
},
},
},
log: logger.New("test"),
}
user := &models.ExternalUserInfo{
Login: "markelog",
OrgRoles: map[int64]models.RoleType{
1: "test",
},
}
result := server.validateGrafanaUser(user)
So(result, ShouldBeNil)
})
})
LDAP: finishing touches (#17945) * LDAP:Docs: `active_sync_enabled` setting Mention `active_sync_enabled` setting and enable it by default * LDAP: move "disableExternalUser" method Idea behind new design of the LDAP module is to minimise conflation between other parts of the system, so it would decoupled as much as possible from stuff like database, HTTP transport and etc. Following "Do One Thing and Do It Well" Unix philosophy principal, other things could be better fitted on the consumer side of things. Which what this commit trying to archive * LDAP: correct user/admin binding The second binding was not happening, so if the admin login/password in LDAP configuration was correct, anyone could had login as anyone using incorrect password
6 years ago
Convey("shouldAuthAdmin()", t, func() {
LDAP: Adds bind before searching LDAP for non-login cases. (#18023)
6 years ago
Convey("it should require admin userBind", func() {
LDAP: finishing touches (#17945) * LDAP:Docs: `active_sync_enabled` setting Mention `active_sync_enabled` setting and enable it by default * LDAP: move "disableExternalUser" method Idea behind new design of the LDAP module is to minimise conflation between other parts of the system, so it would decoupled as much as possible from stuff like database, HTTP transport and etc. Following "Do One Thing and Do It Well" Unix philosophy principal, other things could be better fitted on the consumer side of things. Which what this commit trying to archive * LDAP: correct user/admin binding The second binding was not happening, so if the admin login/password in LDAP configuration was correct, anyone could had login as anyone using incorrect password
6 years ago
server := &Server{
Config: &ServerConfig{
BindPassword: "test",
},
}
result := server.shouldAuthAdmin()
So(result, ShouldBeTrue)
})
LDAP: Adds bind before searching LDAP for non-login cases. (#18023)
6 years ago
Convey("it should not require admin userBind", func() {
LDAP: finishing touches (#17945) * LDAP:Docs: `active_sync_enabled` setting Mention `active_sync_enabled` setting and enable it by default * LDAP: move "disableExternalUser" method Idea behind new design of the LDAP module is to minimise conflation between other parts of the system, so it would decoupled as much as possible from stuff like database, HTTP transport and etc. Following "Do One Thing and Do It Well" Unix philosophy principal, other things could be better fitted on the consumer side of things. Which what this commit trying to archive * LDAP: correct user/admin binding The second binding was not happening, so if the admin login/password in LDAP configuration was correct, anyone could had login as anyone using incorrect password
6 years ago
server := &Server{
Config: &ServerConfig{
BindPassword: "",
},
}
result := server.shouldAuthAdmin()
So(result, ShouldBeFalse)
})
})
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
6 years ago
}