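package auth

import (
	"reflect"
	"testing"
)

// TestResolveRoles checks that ResolveRoles maps group DNs to role names
// after normalising each DN: the second input carries surrounding
// whitespace and upper-case RDNs yet still matches its lower-case map key.
// It also pins that roles are returned in input order.
func TestResolveRoles(t *testing.T) {
	groups := []string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com",
		" CN=VCTP-VIEWERS,OU=GROUPS,DC=EXAMPLE,DC=COM ",
	}
	mapping := map[string]string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com":  "admin",
		"cn=vctp-viewers,ou=groups,dc=example,dc=com": "viewer",
	}

	roles := ResolveRoles(groups, mapping)

	// One structural comparison instead of a length check plus per-index
	// checks; a mismatch prints both slices in full.
	want := []string{"admin", "viewer"}
	if !reflect.DeepEqual(roles, want) {
		t.Fatalf("unexpected resolved roles: got=%#v want=%#v", roles, want)
	}
}

// TestHasAnyGroup checks the three intersection outcomes of HasAnyGroup:
// a required DN matches after trimming, an unrelated DN does not match,
// and an empty (nil) requirement allows. The last case pins the permissive
// default: leaving the requirement empty admits every caller, so a change
// in either direction should be deliberate and show up here.
func TestHasAnyGroup(t *testing.T) {
	groups := []string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com",
	}

	// Surrounding whitespace on the required DN must not prevent a match.
	if !HasAnyGroup(groups, []string{" cn=vctp-admins,ou=groups,dc=example,dc=com "}) {
		t.Fatal("expected group intersection to match")
	}
	if HasAnyGroup(groups, []string{"cn=vctp-operators,ou=groups,dc=example,dc=com"}) {
		t.Fatal("expected no intersection")
	}
	// Empty requirement means "no restriction".
	if !HasAnyGroup(groups, nil) {
		t.Fatal("expected empty required groups to allow")
	}
}

// TestPrincipalCandidates checks which identifiers principalCandidates
// derives from a login name: a UPN also yields its local part, a
// DOMAIN\user form also yields the bare user, and a plain name is returned
// alone. The original input is always the first candidate.
func TestPrincipalCandidates(t *testing.T) {
	tests := []struct {
		name     string
		username string
		want     []string
	}{
		{
			name:     "upn adds local part",
			username: "L075239@corpau.wbcau.westpac.com.au",
			want:     []string{"L075239@corpau.wbcau.westpac.com.au", "L075239"},
		},
		{
			name:     "domain slash user adds sam",
			username: `CORPAU\L075239`,
			want:     []string{`CORPAU\L075239`, "L075239"},
		},
		{
			name:     "plain username unchanged",
			username: "L075239",
			want:     []string{"L075239"},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			got := principalCandidates(tc.username)
			// Compare whole slices so length and element mismatches are
			// reported together with both values.
			if !reflect.DeepEqual(got, tc.want) {
				t.Fatalf("unexpected candidates: got=%#v want=%#v", got, tc.want)
			}
		})
	}
}

// TestBuildGroupMembershipFilter pins the exact LDAP filter produced for a
// user DN plus its principal candidates: an OR of member/uniqueMember on the
// DN and one memberUid clause per candidate, in candidate order.
//
// NOTE(review): none of the inputs here contain LDAP filter metacharacters
// (`*`, `(`, `)`, `\`, NUL), so this test says nothing about how the builder
// escapes them; add a case once the expected escaped form is confirmed
// against the implementation.
func TestBuildGroupMembershipFilter(t *testing.T) {
	filter := buildGroupMembershipFilter(
		"CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
		[]string{"L075239@corpau.wbcau.westpac.com.au", "L075239"},
	)

	expected := "(|(member=CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au)(uniqueMember=CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au)(memberUid=L075239@corpau.wbcau.westpac.com.au)(memberUid=L075239))"
	if filter != expected {
		t.Fatalf("unexpected group filter:\n got: %s\nwant: %s", filter, expected)
	}
}

// TestParseWhoAmIDN checks that parseWhoAmIDN extracts the DN from a
// "dn:"-prefixed authorization identity (prefix matched case-insensitively)
// and returns "" for "u:"-prefixed or unprefixed identities.
func TestParseWhoAmIDN(t *testing.T) {
	tests := []struct {
		name    string
		authzID string
		wantDN  string
	}{
		{
			name:    "dn prefix",
			authzID: "dn:CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
			wantDN:  "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
		},
		{
			name:    "dn prefix upper",
			authzID: "DN:CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
			wantDN:  "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
		},
		{
			name:    "non dn authzid",
			authzID: "u:L075239@corpau.wbcau.westpac.com.au",
			wantDN:  "",
		},
		{
			name:    "plain non dn",
			authzID: "L075239@corpau.wbcau.westpac.com.au",
			wantDN:  "",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			got := parseWhoAmIDN(tc.authzID)
			if got != tc.wantDN {
				t.Fatalf("unexpected whoami dn parse: got=%q want=%q", got, tc.wantDN)
			}
		})
	}
}

// TestUPNDomainFromBaseDN checks that upnDomainFromBaseDN joins the dc=
// components of a base DN into a dotted domain, skips non-dc RDNs, and
// returns "" when the DN has no dc components at all.
func TestUPNDomainFromBaseDN(t *testing.T) {
	tests := []struct {
		name   string
		baseDN string
		want   string
	}{
		{
			name:   "standard dc chain",
			baseDN: "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au",
			want:   "corpau.wbcau.westpac.com.au",
		},
		{
			name:   "mixed dn parts",
			baseDN: "ou=Users,dc=example,dc=com",
			want:   "example.com",
		},
		{
			name:   "no dc parts",
			baseDN: "ou=Users,ou=Org",
			want:   "",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			got := upnDomainFromBaseDN(tc.baseDN)
			if got != tc.want {
				t.Fatalf("unexpected upn domain from base dn: got=%q want=%q", got, tc.want)
			}
		})
	}
}

// TestNormalizeBindUsername checks how normalizeBindUsername rewrites a login
// name into a bind identity using the domain derived from baseDN: a bare
// SAM-style name and a DOMAIN\user form are both rewritten to a UPN (flag
// true), while a name that is already a UPN or a full DN is returned
// unchanged (flag false).
func TestNormalizeBindUsername(t *testing.T) {
	tests := []struct {
		name        string
		username    string
		baseDN      string
		wantUser    string
		wantRewrite bool
	}{
		{
			name:        "plain sam rewritten",
			username:    "L075239",
			baseDN:      "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au",
			wantUser:    "L075239@corpau.wbcau.westpac.com.au",
			wantRewrite: true,
		},
		{
			name:        "domain user rewritten",
			username:    `CORPAU\L075239`,
			baseDN:      "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au",
			wantUser:    "L075239@corpau.wbcau.westpac.com.au",
			wantRewrite: true,
		},
		{
			name:        "upn unchanged",
			username:    "L075239@corpau.wbcau.westpac.com.au",
			baseDN:      "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au",
			wantUser:    "L075239@corpau.wbcau.westpac.com.au",
			wantRewrite: false,
		},
		{
			name:        "dn unchanged",
			username:    "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
			baseDN:      "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au",
			wantUser:    "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
			wantRewrite: false,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			gotUser, gotRewrite := normalizeBindUsername(tc.username, tc.baseDN)
			if gotUser != tc.wantUser {
				t.Fatalf("unexpected normalized bind username: got=%q want=%q", gotUser, tc.wantUser)
			}
			if gotRewrite != tc.wantRewrite {
				t.Fatalf("unexpected rewrite flag: got=%v want=%v", gotRewrite, tc.wantRewrite)
			}
		})
	}
}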