package auth

import "testing"

// TestResolveRoles checks that group DNs are matched against the role map
// after whitespace trimming and case-folding: the second group is padded and
// upper-cased in the input yet still resolves to "viewer", and the output
// order follows the input order.
func TestResolveRoles(t *testing.T) {
	memberOf := []string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com",
		" CN=VCTP-VIEWERS,OU=GROUPS,DC=EXAMPLE,DC=COM ",
	}
	roleByGroup := map[string]string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com":  "admin",
		"cn=vctp-viewers,ou=groups,dc=example,dc=com": "viewer",
	}

	got := ResolveRoles(memberOf, roleByGroup)

	want := []string{"admin", "viewer"}
	if len(got) != len(want) {
		t.Fatalf("expected 2 roles, got %d (%#v)", len(got), got)
	}
	for i, role := range want {
		if got[i] != role {
			t.Fatalf("unexpected resolved roles: %#v", got)
		}
	}
}

// TestHasAnyGroup covers the three outcomes of the group intersection: a
// match that survives surrounding whitespace, no overlap at all, and the
// "nothing required" case, which is expected to allow.
func TestHasAnyGroup(t *testing.T) {
	have := []string{"cn=vctp-admins,ou=groups,dc=example,dc=com"}

	cases := []struct {
		required []string
		allow    bool
		failMsg  string
	}{
		{[]string{" cn=vctp-admins,ou=groups,dc=example,dc=com "}, true, "expected group intersection to match"},
		{[]string{"cn=vctp-operators,ou=groups,dc=example,dc=com"}, false, "expected no intersection"},
		{nil, true, "expected empty required groups to allow"},
	}
	for _, c := range cases {
		if HasAnyGroup(have, c.required) != c.allow {
			t.Fatal(c.failMsg)
		}
	}
}

// TestPrincipalCandidates verifies how a login name is expanded into the list
// of principals to look up: a UPN yields itself plus its local part, a
// DOMAIN\user form yields itself plus the bare account name, and a plain name
// is passed through unchanged. Ordering matters and is asserted.
func TestPrincipalCandidates(t *testing.T) {
	cases := []struct {
		label  string
		input  string
		expect []string
	}{
		{
			label:  "upn adds local part",
			input:  "L075239@corpau.wbcau.westpac.com.au",
			expect: []string{"L075239@corpau.wbcau.westpac.com.au", "L075239"},
		},
		{
			label:  "domain slash user adds sam",
			input:  `CORPAU\L075239`,
			expect: []string{`CORPAU\L075239`, "L075239"},
		},
		{
			label:  "plain username unchanged",
			input:  "L075239",
			expect: []string{"L075239"},
		},
	}

	for _, c := range cases {
		t.Run(c.label, func(t *testing.T) {
			got := principalCandidates(c.input)
			if len(got) != len(c.expect) {
				t.Fatalf("unexpected candidate count: got=%d want=%d (%#v)", len(got), len(c.expect), got)
			}
			for i, want := range c.expect {
				if got[i] != want {
					t.Fatalf("unexpected candidate at %d: got=%q want=%q", i, got[i], want)
				}
			}
		})
	}
}

// TestBuildGroupMembershipFilter pins the exact shape of the membership
// search filter: an OR over member/uniqueMember on the user DN and memberUid
// on every principal candidate, in that order.
//
// NOTE(review): the fixture inserts the DN and principal names verbatim, so
// this case never exercises LDAP filter metacharacters (`*`, `(`, `)`, `\`,
// NUL) in a login name. A further case confirming that candidates are
// escaped per RFC 4515 before interpolation would close that gap — confirm
// against buildGroupMembershipFilter, which is defined elsewhere.
func TestBuildGroupMembershipFilter(t *testing.T) {
	const (
		userDN = "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au"
		upn    = "L075239@corpau.wbcau.westpac.com.au"
		sam    = "L075239"
	)

	got := buildGroupMembershipFilter(userDN, []string{upn, sam})

	// Assembled from the same pieces so the expected value reads as the
	// intended structure rather than one opaque literal.
	want := "(|" +
		"(member=" + userDN + ")" +
		"(uniqueMember=" + userDN + ")" +
		"(memberUid=" + upn + ")" +
		"(memberUid=" + sam + ")" +
		")"

	if got != want {
		t.Fatalf("unexpected group filter:\n got: %s\nwant: %s", got, want)
	}
}

// TestParseWhoAmIDN checks extraction of the DN from a "Who am I?" authzId:
// the "dn:" prefix is recognised regardless of case, while "u:" style and
// bare identifiers yield an empty DN.
func TestParseWhoAmIDN(t *testing.T) {
	const userDN = "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au"

	cases := []struct {
		label  string
		authz  string
		expect string
	}{
		{label: "dn prefix", authz: "dn:" + userDN, expect: userDN},
		{label: "dn prefix upper", authz: "DN:" + userDN, expect: userDN},
		{label: "non dn authzid", authz: "u:L075239@corpau.wbcau.westpac.com.au", expect: ""},
		{label: "plain non dn", authz: "L075239@corpau.wbcau.westpac.com.au", expect: ""},
	}

	for _, c := range cases {
		t.Run(c.label, func(t *testing.T) {
			if got := parseWhoAmIDN(c.authz); got != c.expect {
				t.Fatalf("unexpected whoami dn parse: got=%q want=%q", got, c.expect)
			}
		})
	}
}