apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40035 Commits
5978 Branches
596 Tags
1.7 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 7339dbc090
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7339dbc090'
${ noResults }
grafana/pkg/services/ldap/ldap_test.go

438 lines
12 KiB
Raw Blame History

package ldap
import (
"errors"
"fmt"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/ldap.v3"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models/roletype"
"github.com/grafana/grafana/pkg/setting"
)
func TestNew(t *testing.T) {
result := New(&ServerConfig{
Attr: AttributeMap{},
SearchBaseDNs: []string{"BaseDNHere"},
})
assert.Implements(t, (*IServer)(nil), result)
}
func TestServer_Close(t *testing.T) {
t.Run("close the connection", func(t *testing.T) {
connection := &MockConnection{}
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: connection,
}
assert.NotPanics(t, server.Close)
assert.True(t, connection.CloseCalled)
})
t.Run("panic if no connection", func(t *testing.T) {
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: nil,
}
assert.Panics(t, server.Close)
})
}
func TestServer_Users(t *testing.T) {
t.Run("one user", func(t *testing.T) {
conn := &MockConnection{}
entry := ldap.Entry{
DN: "dn", Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"roelgerrits"}},
{Name: "surname", Values: []string{"Gerrits"}},
{Name: "email", Values: []string{"roel@test.com"}},
{Name: "name", Values: []string{"Roel"}},
{Name: "memberof", Values: []string{"admins"}},
}}
result := ldap.SearchResult{Entries: []*ldap.Entry{&entry}}
conn.setSearchResult(&result)
// Set up attribute map without surname and email
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
MemberOf: "memberof",
},
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: conn,
log: log.New("test-logger"),
}
searchResult, err := server.Users([]string{"roelgerrits"})
require.NoError(t, err)
assert.NotNil(t, searchResult)
// User should be searched in ldap
assert.True(t, conn.SearchCalled)
// No empty attributes should be added to the search request
assert.Len(t, conn.SearchAttributes, 3)
})
t.Run("error", func(t *testing.T) {
expected := errors.New("Killa-gorilla")
conn := &MockConnection{}
conn.setSearchError(expected)
// Set up attribute map without surname and email
server := &Server{
Config: &ServerConfig{
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: conn,
log: log.New("test-logger"),
}
_, err := server.Users([]string{"roelgerrits"})
assert.ErrorIs(t, err, expected)
})
t.Run("no user", func(t *testing.T) {
conn := &MockConnection{}
result := ldap.SearchResult{Entries: []*ldap.Entry{}}
conn.setSearchResult(&result)
// Set up attribute map without surname and email
server := &Server{
Config: &ServerConfig{
SearchBaseDNs: []string{"BaseDNHere"},
},
Connection: conn,
log: log.New("test-logger"),
}
searchResult, err := server.Users([]string{"roelgerrits"})
require.NoError(t, err)
assert.Empty(t, searchResult)
})
t.Run("multiple DNs", func(t *testing.T) {
conn := &MockConnection{}
serviceDN := "dc=svc,dc=example,dc=org"
serviceEntry := ldap.Entry{
DN: "dn", Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"imgrenderer"}},
{Name: "name", Values: []string{"Image renderer"}},
}}
services := ldap.SearchResult{Entries: []*ldap.Entry{&serviceEntry}}
userDN := "dc=users,dc=example,dc=org"
userEntry := ldap.Entry{
DN: "dn", Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"grot"}},
{Name: "name", Values: []string{"Grot"}},
}}
users := ldap.SearchResult{Entries: []*ldap.Entry{&userEntry}}
conn.setSearchFunc(func(request *ldap.SearchRequest) (*ldap.SearchResult, error) {
switch request.BaseDN {
case userDN:
return &users, nil
case serviceDN:
return &services, nil
default:
return nil, fmt.Errorf("test case not defined for baseDN: '%s'", request.BaseDN)
}
})
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
},
SearchBaseDNs: []string{serviceDN, userDN},
},
Connection: conn,
log: log.New("test-logger"),
}
searchResult, err := server.Users([]string{"imgrenderer", "grot"})
require.NoError(t, err)
assert.Len(t, searchResult, 2)
})
t.Run("same user in multiple DNs", func(t *testing.T) {
conn := &MockConnection{}
firstDN := "dc=users1,dc=example,dc=org"
firstEntry := ldap.Entry{
DN: "dn", Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"grot"}},
{Name: "name", Values: []string{"Grot the First"}},
}}
firsts := ldap.SearchResult{Entries: []*ldap.Entry{&firstEntry}}
secondDN := "dc=users2,dc=example,dc=org"
secondEntry := ldap.Entry{
DN: "dn", Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"grot"}},
{Name: "name", Values: []string{"Grot the Second"}},
}}
seconds := ldap.SearchResult{Entries: []*ldap.Entry{&secondEntry}}
conn.setSearchFunc(func(request *ldap.SearchRequest) (*ldap.SearchResult, error) {
switch request.BaseDN {
case secondDN:
return &seconds, nil
case firstDN:
return &firsts, nil
default:
return nil, fmt.Errorf("test case not defined for baseDN: '%s'", request.BaseDN)
}
})
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
},
SearchBaseDNs: []string{firstDN, secondDN},
},
Connection: conn,
log: log.New("test-logger"),
}
res, err := server.Users([]string{"grot"})
require.NoError(t, err)
require.Len(t, res, 1)
assert.Equal(t, "Grot the First", res[0].Name)
})
t.Run("org role mapping", func(t *testing.T) {
conn := &MockConnection{}
usersOU := "ou=users,dc=example,dc=org"
grootDN := "dn=groot," + usersOU
grootSearch := ldap.SearchResult{Entries: []*ldap.Entry{{DN: grootDN,
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"groot"}},
{Name: "name", Values: []string{"I am Groot"}},
}}}}
peterDN := "dn=peter," + usersOU
peterSearch := ldap.SearchResult{Entries: []*ldap.Entry{{DN: peterDN,
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"peter"}},
{Name: "name", Values: []string{"Peter"}},
}}}}
groupsOU := "ou=groups,dc=example,dc=org"
creaturesDN := "dn=creatures," + groupsOU
grootGroups := ldap.SearchResult{Entries: []*ldap.Entry{{DN: creaturesDN,
Attributes: []*ldap.EntryAttribute{
{Name: "member", Values: []string{grootDN}},
}}},
}
humansDN := "dn=humans," + groupsOU
peterGroups := ldap.SearchResult{Entries: []*ldap.Entry{{DN: humansDN,
Attributes: []*ldap.EntryAttribute{
{Name: "member", Values: []string{peterDN}},
}}},
}
conn.setSearchFunc(func(request *ldap.SearchRequest) (*ldap.SearchResult, error) {
switch request.BaseDN {
case usersOU:
switch request.Filter {
case "(|(username=groot))":
return &grootSearch, nil
case "(|(username=peter))":
return &peterSearch, nil
default:
return nil, fmt.Errorf("test case not defined for user filter: '%s'", request.Filter)
}
case groupsOU:
switch request.Filter {
case "(member=groot)":
return &grootGroups, nil
case "(member=peter)":
return &peterGroups, nil
default:
return nil, fmt.Errorf("test case not defined for group filter: '%s'", request.Filter)
}
default:
return nil, fmt.Errorf("test case not defined for baseDN: '%s'", request.BaseDN)
}
})
server := &Server{
Config: &ServerConfig{
Attr: AttributeMap{
Username: "username",
Name: "name",
},
SearchBaseDNs: []string{usersOU},
SearchFilter: "(username=%s)",
GroupSearchFilter: "(member=%s)",
GroupSearchBaseDNs: []string{groupsOU},
Groups: []*GroupToOrgRole{
{
GroupDN: creaturesDN,
OrgId: 2,
IsGrafanaAdmin: new(bool),
OrgRole: "Admin",
},
},
},
Connection: conn,
log: log.New("test-logger"),
}
t.Run("disable user with no mapping", func(t *testing.T) {
res, err := server.Users([]string{"peter"})
require.NoError(t, err)
require.Len(t, res, 1)
require.Equal(t, "Peter", res[0].Name)
require.ElementsMatch(t, res[0].Groups, []string{humansDN})
require.Empty(t, res[0].OrgRoles)
require.True(t, res[0].IsDisabled)
})
t.Run("skip org role sync", func(t *testing.T) {
backup := setting.LDAPSkipOrgRoleSync
defer func() {
setting.LDAPSkipOrgRoleSync = backup
}()
setting.LDAPSkipOrgRoleSync = true
res, err := server.Users([]string{"groot"})
require.NoError(t, err)
require.Len(t, res, 1)
require.Equal(t, "I am Groot", res[0].Name)
require.ElementsMatch(t, res[0].Groups, []string{creaturesDN})
require.Empty(t, res[0].OrgRoles)
require.False(t, res[0].IsDisabled)
})
t.Run("sync org role", func(t *testing.T) {
res, err := server.Users([]string{"groot"})
require.NoError(t, err)
require.Len(t, res, 1)
require.Equal(t, "I am Groot", res[0].Name)
require.ElementsMatch(t, res[0].Groups, []string{creaturesDN})
require.Len(t, res[0].OrgRoles, 1)
role, mappingExist := res[0].OrgRoles[2]
require.True(t, mappingExist)
require.Equal(t, roletype.RoleAdmin, role)
require.False(t, res[0].IsDisabled)
})
})
}
func TestServer_UserBind(t *testing.T) {
t.Run("use provided DN and password", func(t *testing.T) {
connection := &MockConnection{}
var actualUsername, actualPassword string
connection.BindProvider = func(username, password string) error {
actualUsername = username
actualPassword = password
return nil
}
server := &Server{
Connection: connection,
Config: &ServerConfig{
BindDN: "cn=admin,dc=grafana,dc=org",
},
}
dn := "cn=user,ou=users,dc=grafana,dc=org"
err := server.UserBind(dn, "pwd")
require.NoError(t, err)
assert.Equal(t, dn, actualUsername)
assert.Equal(t, "pwd", actualPassword)
})
t.Run("error", func(t *testing.T) {
connection := &MockConnection{}
expected := &ldap.Error{
ResultCode: uint16(25),
}
connection.BindProvider = func(username, password string) error {
return expected
}
server := &Server{
Connection: connection,
Config: &ServerConfig{
BindDN: "cn=%s,ou=users,dc=grafana,dc=org",
},
log: log.New("test-logger"),
}
err := server.UserBind("user", "pwd")
assert.ErrorIs(t, err, expected)
})
}
func TestServer_AdminBind(t *testing.T) {
t.Run("use admin DN and password", func(t *testing.T) {
connection := &MockConnection{}
var actualUsername, actualPassword string
connection.BindProvider = func(username, password string) error {
actualUsername = username
actualPassword = password
return nil
}
dn := "cn=admin,dc=grafana,dc=org"
server := &Server{
Connection: connection,
Config: &ServerConfig{
BindPassword: "pwd",
BindDN: dn,
},
}
err := server.AdminBind()
require.NoError(t, err)
assert.Equal(t, dn, actualUsername)
assert.Equal(t, "pwd", actualPassword)
})
t.Run("error", func(t *testing.T) {
connection := &MockConnection{}
expected := &ldap.Error{
ResultCode: uint16(25),
}
connection.BindProvider = func(username, password string) error {
return expected
}
dn := "cn=admin,dc=grafana,dc=org"
server := &Server{
Connection: connection,
Config: &ServerConfig{
BindPassword: "pwd",
BindDN: dn,
},
log: log.New("test-logger"),
}
err := server.AdminBind()
assert.ErrorIs(t, err, expected)
})
}