
package auth
import "testing"
// TestResolveRoles checks that group DNs are matched against the role map
// after normalization: the second input differs from its map key only in
// letter case and surrounding whitespace and must still resolve to "viewer".
// The result order is asserted too, so ResolveRoles is expected to return
// roles in the order of the input groups.
func TestResolveRoles(t *testing.T) {
	memberOf := []string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com",
		" CN=VCTP-VIEWERS,OU=GROUPS,DC=EXAMPLE,DC=COM ",
	}
	roleByGroup := map[string]string{
		"cn=vctp-admins,ou=groups,dc=example,dc=com":  "admin",
		"cn=vctp-viewers,ou=groups,dc=example,dc=com": "viewer",
	}

	roles := ResolveRoles(memberOf, roleByGroup)

	switch {
	case len(roles) != 2:
		t.Fatalf("expected 2 roles, got %d (%#v)", len(roles), roles)
	case roles[0] != "admin", roles[1] != "viewer":
		t.Fatalf("unexpected resolved roles: %#v", roles)
	}
}
// TestHasAnyGroup covers the three outcomes of the membership check: a match
// that survives whitespace normalization, no overlap at all, and a nil
// required list, which this test pins as "allow".
func TestHasAnyGroup(t *testing.T) {
	memberOf := []string{"cn=vctp-admins,ou=groups,dc=example,dc=com"}

	cases := []struct {
		required []string
		want     bool
		msg      string
	}{
		{[]string{" cn=vctp-admins,ou=groups,dc=example,dc=com "}, true, "expected group intersection to match"},
		{[]string{"cn=vctp-operators,ou=groups,dc=example,dc=com"}, false, "expected no intersection"},
		// A nil/empty required list is asserted to mean "no group restriction".
		// Callers that gate access on groups must therefore never pass an
		// empty list by accident (e.g. from a missing config value).
		{nil, true, "expected empty required groups to allow"},
	}
	for _, c := range cases {
		if HasAnyGroup(memberOf, c.required) != c.want {
			t.Fatal(c.msg)
		}
	}
}
// TestPrincipalCandidates checks which bind principals are derived from a
// login name: a UPN also yields its local part, a DOMAIN\user form also
// yields the bare account name, and a plain name is returned alone. Order is
// asserted: the literal input always comes first.
func TestPrincipalCandidates(t *testing.T) {
	cases := []struct {
		label string
		in    string
		want  []string
	}{
		{"upn adds local part", "L075239@corpau.wbcau.westpac.com.au", []string{"L075239@corpau.wbcau.westpac.com.au", "L075239"}},
		{"domain slash user adds sam", `CORPAU\L075239`, []string{`CORPAU\L075239`, "L075239"}},
		{"plain username unchanged", "L075239", []string{"L075239"}},
	}
	for _, c := range cases {
		t.Run(c.label, func(t *testing.T) {
			got := principalCandidates(c.in)
			if len(got) != len(c.want) {
				t.Fatalf("unexpected candidate count: got=%d want=%d (%#v)", len(got), len(c.want), got)
			}
			for i, want := range c.want {
				if want != got[i] {
					t.Fatalf("unexpected candidate at %d: got=%q want=%q", i, got[i], want)
				}
			}
		})
	}
}
// TestBuildGroupMembershipFilter pins the exact shape of the group-lookup
// filter: an OR of member/uniqueMember clauses on the user DN, followed by
// one memberUid clause per principal candidate in candidate order.
//
// NOTE(review): no case exercises RFC 4515 filter metacharacters ('(', ')',
// '*', '\', NUL) in the DN or candidates; confirm buildGroupMembershipFilter
// escapes them before these values reach a directory query, and add a case
// here once that behaviour is defined.
func TestBuildGroupMembershipFilter(t *testing.T) {
	const userDN = "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au"
	candidates := []string{"L075239@corpau.wbcau.westpac.com.au", "L075239"}

	// Assembled piecewise so each clause is visible; the result is the same
	// single string as before.
	want := "(|" +
		"(member=" + userDN + ")" +
		"(uniqueMember=" + userDN + ")" +
		"(memberUid=" + candidates[0] + ")" +
		"(memberUid=" + candidates[1] + ")" +
		")"

	if got := buildGroupMembershipFilter(userDN, candidates); got != want {
		t.Fatalf("unexpected group filter:\n got: %s\nwant: %s", got, want)
	}
}
// TestParseWhoAmIDN checks extraction of the DN from an LDAP WhoAmI authzId:
// a "dn:" prefix (accepted in either case, per the upper-case case) yields
// the DN, while a "u:" prefix or a bare value yields "".
func TestParseWhoAmIDN(t *testing.T) {
	const (
		userDN = "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au"
		upn    = "L075239@corpau.wbcau.westpac.com.au"
	)

	cases := []struct {
		label string
		in    string
		want  string
	}{
		{"dn prefix", "dn:" + userDN, userDN},
		{"dn prefix upper", "DN:" + userDN, userDN},
		{"non dn authzid", "u:" + upn, ""},
		{"plain non dn", upn, ""},
	}
	for _, c := range cases {
		t.Run(c.label, func(t *testing.T) {
			if got := parseWhoAmIDN(c.in); got != c.want {
				t.Fatalf("unexpected whoami dn parse: got=%q want=%q", got, c.want)
			}
		})
	}
}
// TestUPNDomainFromBaseDN checks that the dc= components of a base DN are
// joined into a dotted UPN domain, that non-dc components (ou=) are skipped,
// and that a DN with no dc= parts yields "".
//
// NOTE(review): only lower-case "dc=" is exercised; if base DNs may be
// configured as "DC=", add a case for that spelling.
func TestUPNDomainFromBaseDN(t *testing.T) {
	cases := []struct {
		label, baseDN, want string
	}{
		{"standard dc chain", "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au", "corpau.wbcau.westpac.com.au"},
		{"mixed dn parts", "ou=Users,dc=example,dc=com", "example.com"},
		{"no dc parts", "ou=Users,ou=Org", ""},
	}
	for _, c := range cases {
		t.Run(c.label, func(t *testing.T) {
			if got := upnDomainFromBaseDN(c.baseDN); got != c.want {
				t.Fatalf("unexpected upn domain from base dn: got=%q want=%q", got, c.want)
			}
		})
	}
}
// TestNormalizeBindUsername checks how a login name is rewritten before the
// LDAP bind: a bare account name and a DOMAIN\user form are both turned into
// a UPN using the domain derived from baseDN (rewrite flag true), while a
// value already in UPN or DN form is passed through unchanged (flag false).
func TestNormalizeBindUsername(t *testing.T) {
	// Every case in the original table used this same base DN, so it is
	// hoisted here.
	const (
		baseDN = "dc=corpau,dc=wbcau,dc=westpac,dc=com,dc=au"
		upn    = "L075239@corpau.wbcau.westpac.com.au"
		userDN = "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au"
	)

	cases := []struct {
		label       string
		in          string
		wantUser    string
		wantRewrite bool
	}{
		{"plain sam rewritten", "L075239", upn, true},
		{"domain user rewritten", `CORPAU\L075239`, upn, true},
		{"upn unchanged", upn, upn, false},
		{"dn unchanged", userDN, userDN, false},
	}
	for _, c := range cases {
		t.Run(c.label, func(t *testing.T) {
			gotUser, gotRewrite := normalizeBindUsername(c.in, baseDN)
			if gotUser != c.wantUser {
				t.Fatalf("unexpected normalized bind username: got=%q want=%q", gotUser, c.wantUser)
			}
			if gotRewrite != c.wantRewrite {
				t.Fatalf("unexpected rewrite flag: got=%v want=%v", gotRewrite, c.wantRewrite)
			}
		})
	}
}