afan
/
gitea
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Activity
gitea源码
2 Incheckningar
2 Grenar
Träd: f5d5e77162
Grenar Taggar
${ item.name }
Create branch ${ searchTerm }
from 'f5d5e77162'
${ noResults }
gitea/cmd/admin_auth_ldap_test.go

admin_auth_ldap_test.go 35KB
Historik

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package cmd

  5. 

  6. import (

  7. 	"context"

  8. 	"testing"

  9. 

  10. 	"code.gitea.io/gitea/models/auth"

  11. 	"code.gitea.io/gitea/modules/test"

  12. 	"code.gitea.io/gitea/services/auth/source/ldap"

  13. 

  14. 	"github.com/stretchr/testify/assert"

  15. 	"github.com/urfave/cli/v3"

  16. )

  17. 

  18. func TestAddLdapBindDn(t *testing.T) {

  19. 	// Mock cli functions to do not exit on error

  20. 	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()

  21. 

  22. 	// Test cases

  23. 	cases := []struct {

  24. 		args   []string

  25. 		source *auth.Source

  26. 		errMsg string

  27. 	}{

  28. 		// case 0

  29. 		{

  30. 			args: []string{

  31. 				"ldap-test",

  32. 				"--name", "ldap (via Bind DN) source full",

  33. 				"--not-active",

  34. 				"--security-protocol", "ldaps",

  35. 				"--skip-tls-verify",

  36. 				"--host", "ldap-bind-server full",

  37. 				"--port", "9876",

  38. 				"--user-search-base", "ou=Users,dc=full-domain-bind,dc=org",

  39. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",

  40. 				"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",

  41. 				"--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",

  42. 				"--username-attribute", "uid-bind full",

  43. 				"--firstname-attribute", "givenName-bind full",

  44. 				"--surname-attribute", "sn-bind full",

  45. 				"--email-attribute", "mail-bind full",

  46. 				"--public-ssh-key-attribute", "publickey-bind full",

  47. 				"--avatar-attribute", "avatar-bind full",

  48. 				"--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org",

  49. 				"--bind-password", "secret-bind-full",

  50. 				"--attributes-in-bind",

  51. 				"--synchronize-users",

  52. 				"--page-size", "99",

  53. 				"--enable-groups",

  54. 				"--group-search-base-dn", "ou=group,dc=full-domain-bind,dc=org",

  55. 				"--group-member-attribute", "memberUid",

  56. 				"--group-user-attribute", "uid",

  57. 				"--group-filter", "(|(cn=gitea_users)(cn=admins))",

  58. 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,

  59. 				"--group-team-map-removal",

  60. 			},

  61. 			source: &auth.Source{

  62. 				Type:          auth.LDAP,

  63. 				Name:          "ldap (via Bind DN) source full",

  64. 				IsActive:      false,

  65. 				IsSyncEnabled: true,

  66. 				Cfg: &ldap.Source{

  67. 					Name:                  "ldap (via Bind DN) source full",

  68. 					Host:                  "ldap-bind-server full",

  69. 					Port:                  9876,

  70. 					SecurityProtocol:      ldap.SecurityProtocol(1),

  71. 					SkipVerify:            true,

  72. 					BindDN:                "cn=readonly,dc=full-domain-bind,dc=org",

  73. 					BindPassword:          "secret-bind-full",

  74. 					UserBase:              "ou=Users,dc=full-domain-bind,dc=org",

  75. 					AttributeUsername:     "uid-bind full",

  76. 					AttributeName:         "givenName-bind full",

  77. 					AttributeSurname:      "sn-bind full",

  78. 					AttributeMail:         "mail-bind full",

  79. 					AttributesInBind:      true,

  80. 					AttributeSSHPublicKey: "publickey-bind full",

  81. 					AttributeAvatar:       "avatar-bind full",

  82. 					SearchPageSize:        99,

  83. 					Filter:                "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",

  84. 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",

  85. 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",

  86. 					Enabled:               true,

  87. 					GroupsEnabled:         true,

  88. 					GroupDN:               "ou=group,dc=full-domain-bind,dc=org",

  89. 					GroupMemberUID:        "memberUid",

  90. 					UserUID:               "uid",

  91. 					GroupFilter:           "(|(cn=gitea_users)(cn=admins))",

  92. 					GroupTeamMap:          `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,

  93. 					GroupTeamMapRemoval:   true,

  94. 				},

  95. 			},

  96. 		},

  97. 		// case 1

  98. 		{

  99. 			args: []string{

  100. 				"ldap-test",

  101. 				"--name", "ldap (via Bind DN) source min",

  102. 				"--security-protocol", "unencrypted",

  103. 				"--host", "ldap-bind-server min",

  104. 				"--port", "1234",

  105. 				"--user-search-base", "ou=Users,dc=min-domain-bind,dc=org",

  106. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)",

  107. 				"--email-attribute", "mail-bind min",

  108. 			},

  109. 			source: &auth.Source{

  110. 				Type:     auth.LDAP,

  111. 				Name:     "ldap (via Bind DN) source min",

  112. 				IsActive: true,

  113. 				Cfg: &ldap.Source{

  114. 					Name:             "ldap (via Bind DN) source min",

  115. 					Host:             "ldap-bind-server min",

  116. 					Port:             1234,

  117. 					SecurityProtocol: ldap.SecurityProtocol(0),

  118. 					UserBase:         "ou=Users,dc=min-domain-bind,dc=org",

  119. 					AttributeMail:    "mail-bind min",

  120. 					Filter:           "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)",

  121. 					Enabled:          true,

  122. 				},

  123. 			},

  124. 		},

  125. 		// case 2

  126. 		{

  127. 			args: []string{

  128. 				"ldap-test",

  129. 				"--name", "ldap (via Bind DN) source",

  130. 				"--security-protocol", "zzzzz",

  131. 				"--host", "ldap-server",

  132. 				"--port", "1234",

  133. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  134. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  135. 				"--email-attribute", "mail",

  136. 			},

  137. 			errMsg: "unknown security protocol name: zzzzz",

  138. 		},

  139. 		// case 3

  140. 		{

  141. 			args: []string{

  142. 				"ldap-test",

  143. 				"--security-protocol", "unencrypted",

  144. 				"--host", "ldap-server",

  145. 				"--port", "1234",

  146. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  147. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  148. 				"--email-attribute", "mail",

  149. 			},

  150. 			errMsg: "name is not set",

  151. 		},

  152. 		// case 4

  153. 		{

  154. 			args: []string{

  155. 				"ldap-test",

  156. 				"--name", "ldap (via Bind DN) source",

  157. 				"--host", "ldap-server",

  158. 				"--port", "1234",

  159. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  160. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  161. 				"--email-attribute", "mail",

  162. 			},

  163. 			errMsg: "security-protocol is not set",

  164. 		},

  165. 		// case 5

  166. 		{

  167. 			args: []string{

  168. 				"ldap-test",

  169. 				"--name", "ldap (via Bind DN) source",

  170. 				"--security-protocol", "unencrypted",

  171. 				"--port", "1234",

  172. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  173. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  174. 				"--email-attribute", "mail",

  175. 			},

  176. 			errMsg: "host is not set",

  177. 		},

  178. 		// case 6

  179. 		{

  180. 			args: []string{

  181. 				"ldap-test",

  182. 				"--name", "ldap (via Bind DN) source",

  183. 				"--security-protocol", "unencrypted",

  184. 				"--host", "ldap-server",

  185. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  186. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  187. 				"--email-attribute", "mail",

  188. 			},

  189. 			errMsg: "port is not set",

  190. 		},

  191. 		// case 7

  192. 		{

  193. 			args: []string{

  194. 				"ldap-test",

  195. 				"--name", "ldap (via Bind DN) source",

  196. 				"--security-protocol", "unencrypted",

  197. 				"--host", "ldap-server",

  198. 				"--port", "1234",

  199. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  200. 				"--email-attribute", "mail",

  201. 			},

  202. 			errMsg: "user-filter is not set",

  203. 		},

  204. 		// case 8

  205. 		{

  206. 			args: []string{

  207. 				"ldap-test",

  208. 				"--name", "ldap (via Bind DN) source",

  209. 				"--security-protocol", "unencrypted",

  210. 				"--host", "ldap-server",

  211. 				"--port", "1234",

  212. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  213. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  214. 			},

  215. 			errMsg: "email-attribute is not set",

  216. 		},

  217. 	}

  218. 

  219. 	for n, c := range cases {

  220. 		// Mock functions.

  221. 		var createdAuthSource *auth.Source

  222. 		service := &authService{

  223. 			initDB: func(context.Context) error {

  224. 				return nil

  225. 			},

  226. 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  227. 				createdAuthSource = authSource

  228. 				return nil

  229. 			},

  230. 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  231. 				assert.FailNow(t, "updateAuthSource called", "case %d: should not call updateAuthSource", n)

  232. 				return nil

  233. 			},

  234. 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {

  235. 				assert.FailNow(t, "getAuthSourceByID called", "case %d: should not call getAuthSourceByID", n)

  236. 				return nil, nil

  237. 			},

  238. 		}

  239. 

  240. 		// Create a copy of command to test

  241. 		app := cli.Command{

  242. 			Flags:  microcmdAuthAddLdapBindDn().Flags,

  243. 			Action: service.addLdapBindDn,

  244. 		}

  245. 

  246. 		// Run it

  247. 		err := app.Run(t.Context(), c.args)

  248. 		if c.errMsg != "" {

  249. 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)

  250. 		} else {

  251. 			assert.NoError(t, err, "case %d: should have no errors", n)

  252. 			assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)

  253. 		}

  254. 	}

  255. }

  256. 

  257. func TestAddLdapSimpleAuth(t *testing.T) {

  258. 	// Mock cli functions to do not exit on error

  259. 	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()

  260. 

  261. 	// Test cases

  262. 	cases := []struct {

  263. 		args       []string

  264. 		authSource *auth.Source

  265. 		errMsg     string

  266. 	}{

  267. 		// case 0

  268. 		{

  269. 			args: []string{

  270. 				"ldap-test",

  271. 				"--name", "ldap (simple auth) source full",

  272. 				"--not-active",

  273. 				"--security-protocol", "starttls",

  274. 				"--skip-tls-verify",

  275. 				"--host", "ldap-simple-server full",

  276. 				"--port", "987",

  277. 				"--user-search-base", "ou=Users,dc=full-domain-simple,dc=org",

  278. 				"--user-filter", "(&(objectClass=posixAccount)(full-simple-cn=%s))",

  279. 				"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",

  280. 				"--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",

  281. 				"--username-attribute", "uid-simple full",

  282. 				"--firstname-attribute", "givenName-simple full",

  283. 				"--surname-attribute", "sn-simple full",

  284. 				"--email-attribute", "mail-simple full",

  285. 				"--public-ssh-key-attribute", "publickey-simple full",

  286. 				"--avatar-attribute", "avatar-simple full",

  287. 				"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",

  288. 			},

  289. 			authSource: &auth.Source{

  290. 				Type:     auth.DLDAP,

  291. 				Name:     "ldap (simple auth) source full",

  292. 				IsActive: false,

  293. 				Cfg: &ldap.Source{

  294. 					Name:                  "ldap (simple auth) source full",

  295. 					Host:                  "ldap-simple-server full",

  296. 					Port:                  987,

  297. 					SecurityProtocol:      ldap.SecurityProtocol(2),

  298. 					SkipVerify:            true,

  299. 					UserDN:                "cn=%s,ou=Users,dc=full-domain-simple,dc=org",

  300. 					UserBase:              "ou=Users,dc=full-domain-simple,dc=org",

  301. 					AttributeUsername:     "uid-simple full",

  302. 					AttributeName:         "givenName-simple full",

  303. 					AttributeSurname:      "sn-simple full",

  304. 					AttributeMail:         "mail-simple full",

  305. 					AttributeSSHPublicKey: "publickey-simple full",

  306. 					AttributeAvatar:       "avatar-simple full",

  307. 					Filter:                "(&(objectClass=posixAccount)(full-simple-cn=%s))",

  308. 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",

  309. 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",

  310. 					Enabled:               true,

  311. 				},

  312. 			},

  313. 		},

  314. 		// case 1

  315. 		{

  316. 			args: []string{

  317. 				"ldap-test",

  318. 				"--name", "ldap (simple auth) source min",

  319. 				"--security-protocol", "unencrypted",

  320. 				"--host", "ldap-simple-server min",

  321. 				"--port", "123",

  322. 				"--user-filter", "(&(objectClass=posixAccount)(min-simple-cn=%s))",

  323. 				"--email-attribute", "mail-simple min",

  324. 				"--user-dn", "cn=%s,ou=Users,dc=min-domain-simple,dc=org",

  325. 			},

  326. 			authSource: &auth.Source{

  327. 				Type:     auth.DLDAP,

  328. 				Name:     "ldap (simple auth) source min",

  329. 				IsActive: true,

  330. 				Cfg: &ldap.Source{

  331. 					Name:             "ldap (simple auth) source min",

  332. 					Host:             "ldap-simple-server min",

  333. 					Port:             123,

  334. 					SecurityProtocol: ldap.SecurityProtocol(0),

  335. 					UserDN:           "cn=%s,ou=Users,dc=min-domain-simple,dc=org",

  336. 					AttributeMail:    "mail-simple min",

  337. 					Filter:           "(&(objectClass=posixAccount)(min-simple-cn=%s))",

  338. 					Enabled:          true,

  339. 				},

  340. 			},

  341. 		},

  342. 		// case 2

  343. 		{

  344. 			args: []string{

  345. 				"ldap-test",

  346. 				"--name", "ldap (simple auth) source",

  347. 				"--security-protocol", "zzzzz",

  348. 				"--host", "ldap-server",

  349. 				"--port", "1234",

  350. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  351. 				"--email-attribute", "mail",

  352. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  353. 			},

  354. 			errMsg: "unknown security protocol name: zzzzz",

  355. 		},

  356. 		// case 3

  357. 		{

  358. 			args: []string{

  359. 				"ldap-test",

  360. 				"--security-protocol", "unencrypted",

  361. 				"--host", "ldap-server",

  362. 				"--port", "123",

  363. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  364. 				"--email-attribute", "mail",

  365. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  366. 			},

  367. 			errMsg: "name is not set",

  368. 		},

  369. 		// case 4

  370. 		{

  371. 			args: []string{

  372. 				"ldap-test",

  373. 				"--name", "ldap (simple auth) source",

  374. 				"--host", "ldap-server",

  375. 				"--port", "123",

  376. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  377. 				"--email-attribute", "mail",

  378. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  379. 			},

  380. 			errMsg: "security-protocol is not set",

  381. 		},

  382. 		// case 5

  383. 		{

  384. 			args: []string{

  385. 				"ldap-test",

  386. 				"--name", "ldap (simple auth) source",

  387. 				"--security-protocol", "unencrypted",

  388. 				"--port", "123",

  389. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  390. 				"--email-attribute", "mail",

  391. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  392. 			},

  393. 			errMsg: "host is not set",

  394. 		},

  395. 		// case 6

  396. 		{

  397. 			args: []string{

  398. 				"ldap-test",

  399. 				"--name", "ldap (simple auth) source",

  400. 				"--security-protocol", "unencrypted",

  401. 				"--host", "ldap-server",

  402. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  403. 				"--email-attribute", "mail",

  404. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  405. 			},

  406. 			errMsg: "port is not set",

  407. 		},

  408. 		// case 7

  409. 		{

  410. 			args: []string{

  411. 				"ldap-test",

  412. 				"--name", "ldap (simple auth) source",

  413. 				"--security-protocol", "unencrypted",

  414. 				"--host", "ldap-server",

  415. 				"--port", "123",

  416. 				"--email-attribute", "mail",

  417. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  418. 			},

  419. 			errMsg: "user-filter is not set",

  420. 		},

  421. 		// case 8

  422. 		{

  423. 			args: []string{

  424. 				"ldap-test",

  425. 				"--name", "ldap (simple auth) source",

  426. 				"--security-protocol", "unencrypted",

  427. 				"--host", "ldap-server",

  428. 				"--port", "123",

  429. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  430. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  431. 			},

  432. 			errMsg: "email-attribute is not set",

  433. 		},

  434. 		// case 9

  435. 		{

  436. 			args: []string{

  437. 				"ldap-test",

  438. 				"--name", "ldap (simple auth) source",

  439. 				"--security-protocol", "unencrypted",

  440. 				"--host", "ldap-server",

  441. 				"--port", "123",

  442. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  443. 				"--email-attribute", "mail",

  444. 			},

  445. 			errMsg: "user-dn is not set",

  446. 		},

  447. 	}

  448. 

  449. 	for n, c := range cases {

  450. 		// Mock functions.

  451. 		var createdAuthSource *auth.Source

  452. 		service := &authService{

  453. 			initDB: func(context.Context) error {

  454. 				return nil

  455. 			},

  456. 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  457. 				createdAuthSource = authSource

  458. 				return nil

  459. 			},

  460. 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  461. 				assert.FailNow(t, "updateAuthSource called", "case %d: should not call updateAuthSource", n)

  462. 				return nil

  463. 			},

  464. 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {

  465. 				assert.FailNow(t, "getAuthSourceById called", "case %d: should not call getAuthSourceByID", n)

  466. 				return nil, nil

  467. 			},

  468. 		}

  469. 

  470. 		// Create a copy of command to test

  471. 		app := &cli.Command{

  472. 			Flags:  microcmdAuthAddLdapSimpleAuth().Flags,

  473. 			Action: service.addLdapSimpleAuth,

  474. 		}

  475. 

  476. 		// Run it

  477. 		err := app.Run(t.Context(), c.args)

  478. 		if c.errMsg != "" {

  479. 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)

  480. 		} else {

  481. 			assert.NoError(t, err, "case %d: should have no errors", n)

  482. 			assert.Equal(t, c.authSource, createdAuthSource, "case %d: wrong authSource", n)

  483. 		}

  484. 	}

  485. }

  486. 

  487. func TestUpdateLdapBindDn(t *testing.T) {

  488. 	// Mock cli functions to do not exit on error

  489. 	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()

  490. 

  491. 	// Test cases

  492. 	cases := []struct {

  493. 		args               []string

  494. 		id                 int64

  495. 		existingAuthSource *auth.Source

  496. 		authSource         *auth.Source

  497. 		errMsg             string

  498. 	}{

  499. 		// case 0

  500. 		{

  501. 			args: []string{

  502. 				"ldap-test",

  503. 				"--id", "23",

  504. 				"--name", "ldap (via Bind DN) source full",

  505. 				"--not-active",

  506. 				"--security-protocol", "LDAPS",

  507. 				"--skip-tls-verify",

  508. 				"--host", "ldap-bind-server full",

  509. 				"--port", "9876",

  510. 				"--user-search-base", "ou=Users,dc=full-domain-bind,dc=org",

  511. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",

  512. 				"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",

  513. 				"--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",

  514. 				"--username-attribute", "uid-bind full",

  515. 				"--firstname-attribute", "givenName-bind full",

  516. 				"--surname-attribute", "sn-bind full",

  517. 				"--email-attribute", "mail-bind full",

  518. 				"--public-ssh-key-attribute", "publickey-bind full",

  519. 				"--avatar-attribute", "avatar-bind full",

  520. 				"--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org",

  521. 				"--bind-password", "secret-bind-full",

  522. 				"--synchronize-users",

  523. 				"--page-size", "99",

  524. 				"--enable-groups",

  525. 				"--group-search-base-dn", "ou=group,dc=full-domain-bind,dc=org",

  526. 				"--group-member-attribute", "memberUid",

  527. 				"--group-user-attribute", "uid",

  528. 				"--group-filter", "(|(cn=gitea_users)(cn=admins))",

  529. 				"--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,

  530. 				"--group-team-map-removal",

  531. 			},

  532. 			id: 23,

  533. 			existingAuthSource: &auth.Source{

  534. 				Type:     auth.LDAP,

  535. 				IsActive: true,

  536. 				Cfg: &ldap.Source{

  537. 					Enabled: true,

  538. 				},

  539. 			},

  540. 			authSource: &auth.Source{

  541. 				Type:          auth.LDAP,

  542. 				Name:          "ldap (via Bind DN) source full",

  543. 				IsActive:      false,

  544. 				IsSyncEnabled: true,

  545. 				Cfg: &ldap.Source{

  546. 					Name:                  "ldap (via Bind DN) source full",

  547. 					Host:                  "ldap-bind-server full",

  548. 					Port:                  9876,

  549. 					SecurityProtocol:      ldap.SecurityProtocol(1),

  550. 					SkipVerify:            true,

  551. 					BindDN:                "cn=readonly,dc=full-domain-bind,dc=org",

  552. 					BindPassword:          "secret-bind-full",

  553. 					UserBase:              "ou=Users,dc=full-domain-bind,dc=org",

  554. 					AttributeUsername:     "uid-bind full",

  555. 					AttributeName:         "givenName-bind full",

  556. 					AttributeSurname:      "sn-bind full",

  557. 					AttributeMail:         "mail-bind full",

  558. 					AttributesInBind:      false,

  559. 					AttributeSSHPublicKey: "publickey-bind full",

  560. 					AttributeAvatar:       "avatar-bind full",

  561. 					SearchPageSize:        99,

  562. 					Filter:                "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",

  563. 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",

  564. 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",

  565. 					Enabled:               true,

  566. 					GroupsEnabled:         true,

  567. 					GroupDN:               "ou=group,dc=full-domain-bind,dc=org",

  568. 					GroupMemberUID:        "memberUid",

  569. 					UserUID:               "uid",

  570. 					GroupFilter:           "(|(cn=gitea_users)(cn=admins))",

  571. 					GroupTeamMap:          `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,

  572. 					GroupTeamMapRemoval:   true,

  573. 				},

  574. 			},

  575. 		},

  576. 		// case 1

  577. 		{

  578. 			args: []string{

  579. 				"ldap-test",

  580. 				"--id", "1",

  581. 			},

  582. 			authSource: &auth.Source{

  583. 				Type: auth.LDAP,

  584. 				Cfg:  &ldap.Source{},

  585. 			},

  586. 		},

  587. 		// case 2

  588. 		{

  589. 			args: []string{

  590. 				"ldap-test",

  591. 				"--id", "1",

  592. 				"--name", "ldap (via Bind DN) source",

  593. 			},

  594. 			authSource: &auth.Source{

  595. 				Type: auth.LDAP,

  596. 				Name: "ldap (via Bind DN) source",

  597. 				Cfg: &ldap.Source{

  598. 					Name: "ldap (via Bind DN) source",

  599. 				},

  600. 			},

  601. 		},

  602. 		// case 3

  603. 		{

  604. 			args: []string{

  605. 				"ldap-test",

  606. 				"--id", "1",

  607. 				"--not-active",

  608. 			},

  609. 			existingAuthSource: &auth.Source{

  610. 				Type:     auth.LDAP,

  611. 				IsActive: true,

  612. 				Cfg:      &ldap.Source{},

  613. 			},

  614. 			authSource: &auth.Source{

  615. 				Type:     auth.LDAP,

  616. 				IsActive: false,

  617. 				Cfg:      &ldap.Source{},

  618. 			},

  619. 		},

  620. 		// case 4

  621. 		{

  622. 			args: []string{

  623. 				"ldap-test",

  624. 				"--id", "1",

  625. 				"--security-protocol", "LDAPS",

  626. 			},

  627. 			authSource: &auth.Source{

  628. 				Type: auth.LDAP,

  629. 				Cfg: &ldap.Source{

  630. 					SecurityProtocol: ldap.SecurityProtocol(1),

  631. 				},

  632. 			},

  633. 		},

  634. 		// case 5

  635. 		{

  636. 			args: []string{

  637. 				"ldap-test",

  638. 				"--id", "1",

  639. 				"--skip-tls-verify",

  640. 			},

  641. 			authSource: &auth.Source{

  642. 				Type: auth.LDAP,

  643. 				Cfg: &ldap.Source{

  644. 					SkipVerify: true,

  645. 				},

  646. 			},

  647. 		},

  648. 		// case 6

  649. 		{

  650. 			args: []string{

  651. 				"ldap-test",

  652. 				"--id", "1",

  653. 				"--host", "ldap-server",

  654. 			},

  655. 			authSource: &auth.Source{

  656. 				Type: auth.LDAP,

  657. 				Cfg: &ldap.Source{

  658. 					Host: "ldap-server",

  659. 				},

  660. 			},

  661. 		},

  662. 		// case 7

  663. 		{

  664. 			args: []string{

  665. 				"ldap-test",

  666. 				"--id", "1",

  667. 				"--port", "389",

  668. 			},

  669. 			authSource: &auth.Source{

  670. 				Type: auth.LDAP,

  671. 				Cfg: &ldap.Source{

  672. 					Port: 389,

  673. 				},

  674. 			},

  675. 		},

  676. 		// case 8

  677. 		{

  678. 			args: []string{

  679. 				"ldap-test",

  680. 				"--id", "1",

  681. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  682. 			},

  683. 			authSource: &auth.Source{

  684. 				Type: auth.LDAP,

  685. 				Cfg: &ldap.Source{

  686. 					UserBase: "ou=Users,dc=domain,dc=org",

  687. 				},

  688. 			},

  689. 		},

  690. 		// case 9

  691. 		{

  692. 			args: []string{

  693. 				"ldap-test",

  694. 				"--id", "1",

  695. 				"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  696. 			},

  697. 			authSource: &auth.Source{

  698. 				Type: auth.LDAP,

  699. 				Cfg: &ldap.Source{

  700. 					Filter: "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",

  701. 				},

  702. 			},

  703. 		},

  704. 		// case 10

  705. 		{

  706. 			args: []string{

  707. 				"ldap-test",

  708. 				"--id", "1",

  709. 				"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",

  710. 			},

  711. 			authSource: &auth.Source{

  712. 				Type: auth.LDAP,

  713. 				Cfg: &ldap.Source{

  714. 					AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",

  715. 				},

  716. 			},

  717. 		},

  718. 		// case 11

  719. 		{

  720. 			args: []string{

  721. 				"ldap-test",

  722. 				"--id", "1",

  723. 				"--username-attribute", "uid",

  724. 			},

  725. 			authSource: &auth.Source{

  726. 				Type: auth.LDAP,

  727. 				Cfg: &ldap.Source{

  728. 					AttributeUsername: "uid",

  729. 				},

  730. 			},

  731. 		},

  732. 		// case 12

  733. 		{

  734. 			args: []string{

  735. 				"ldap-test",

  736. 				"--id", "1",

  737. 				"--firstname-attribute", "givenName",

  738. 			},

  739. 			authSource: &auth.Source{

  740. 				Type: auth.LDAP,

  741. 				Cfg: &ldap.Source{

  742. 					AttributeName: "givenName",

  743. 				},

  744. 			},

  745. 		},

  746. 		// case 13

  747. 		{

  748. 			args: []string{

  749. 				"ldap-test",

  750. 				"--id", "1",

  751. 				"--surname-attribute", "sn",

  752. 			},

  753. 			authSource: &auth.Source{

  754. 				Type: auth.LDAP,

  755. 				Cfg: &ldap.Source{

  756. 					AttributeSurname: "sn",

  757. 				},

  758. 			},

  759. 		},

  760. 		// case 14

  761. 		{

  762. 			args: []string{

  763. 				"ldap-test",

  764. 				"--id", "1",

  765. 				"--email-attribute", "mail",

  766. 			},

  767. 			authSource: &auth.Source{

  768. 				Type: auth.LDAP,

  769. 				Cfg: &ldap.Source{

  770. 					AttributeMail: "mail",

  771. 				},

  772. 			},

  773. 		},

  774. 		// case 15

  775. 		{

  776. 			args: []string{

  777. 				"ldap-test",

  778. 				"--id", "1",

  779. 				"--attributes-in-bind",

  780. 			},

  781. 			authSource: &auth.Source{

  782. 				Type: auth.LDAP,

  783. 				Cfg: &ldap.Source{

  784. 					AttributesInBind: true,

  785. 				},

  786. 			},

  787. 		},

  788. 		// case 16

  789. 		{

  790. 			args: []string{

  791. 				"ldap-test",

  792. 				"--id", "1",

  793. 				"--public-ssh-key-attribute", "publickey",

  794. 			},

  795. 			authSource: &auth.Source{

  796. 				Type: auth.LDAP,

  797. 				Cfg: &ldap.Source{

  798. 					AttributeSSHPublicKey: "publickey",

  799. 				},

  800. 			},

  801. 		},

  802. 		// case 17

  803. 		{

  804. 			args: []string{

  805. 				"ldap-test",

  806. 				"--id", "1",

  807. 				"--bind-dn", "cn=readonly,dc=domain,dc=org",

  808. 			},

  809. 			authSource: &auth.Source{

  810. 				Type: auth.LDAP,

  811. 				Cfg: &ldap.Source{

  812. 					BindDN: "cn=readonly,dc=domain,dc=org",

  813. 				},

  814. 			},

  815. 		},

  816. 		// case 18

  817. 		{

  818. 			args: []string{

  819. 				"ldap-test",

  820. 				"--id", "1",

  821. 				"--bind-password", "secret",

  822. 			},

  823. 			authSource: &auth.Source{

  824. 				Type: auth.LDAP,

  825. 				Cfg: &ldap.Source{

  826. 					BindPassword: "secret",

  827. 				},

  828. 			},

  829. 		},

  830. 		// case 19

  831. 		{

  832. 			args: []string{

  833. 				"ldap-test",

  834. 				"--id", "1",

  835. 				"--synchronize-users",

  836. 			},

  837. 			authSource: &auth.Source{

  838. 				Type:          auth.LDAP,

  839. 				IsSyncEnabled: true,

  840. 				Cfg:           &ldap.Source{},

  841. 			},

  842. 		},

  843. 		// case 20

  844. 		{

  845. 			args: []string{

  846. 				"ldap-test",

  847. 				"--id", "1",

  848. 				"--page-size", "12",

  849. 			},

  850. 			authSource: &auth.Source{

  851. 				Type: auth.LDAP,

  852. 				Cfg: &ldap.Source{

  853. 					SearchPageSize: 12,

  854. 				},

  855. 			},

  856. 		},

  857. 		// case 21

  858. 		{

  859. 			args: []string{

  860. 				"ldap-test",

  861. 				"--id", "1",

  862. 				"--security-protocol", "xxxxx",

  863. 			},

  864. 			errMsg: "unknown security protocol name: xxxxx",

  865. 		},

  866. 		// case 22

  867. 		{

  868. 			args: []string{

  869. 				"ldap-test",

  870. 			},

  871. 			errMsg: "id is not set",

  872. 		},

  873. 		// case 23

  874. 		{

  875. 			args: []string{

  876. 				"ldap-test",

  877. 				"--id", "1",

  878. 			},

  879. 			existingAuthSource: &auth.Source{

  880. 				Type: auth.OAuth2,

  881. 				Cfg:  &ldap.Source{},

  882. 			},

  883. 			errMsg: "invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2",

  884. 		},

  885. 		// case 24

  886. 		{

  887. 			args: []string{

  888. 				"ldap-test",

  889. 				"--id", "24",

  890. 				"--name", "ldap (via Bind DN) flip 'active' and 'user sync' attributes",

  891. 				"--active",

  892. 				"--disable-synchronize-users",

  893. 			},

  894. 			id: 24,

  895. 			existingAuthSource: &auth.Source{

  896. 				Type:          auth.LDAP,

  897. 				IsActive:      false,

  898. 				IsSyncEnabled: true,

  899. 				Cfg: &ldap.Source{

  900. 					Name:    "ldap (via Bind DN) flip 'active' and 'user sync' attributes",

  901. 					Enabled: true,

  902. 				},

  903. 			},

  904. 			authSource: &auth.Source{

  905. 				Type:          auth.LDAP,

  906. 				Name:          "ldap (via Bind DN) flip 'active' and 'user sync' attributes",

  907. 				IsActive:      true,

  908. 				IsSyncEnabled: false,

  909. 				Cfg: &ldap.Source{

  910. 					Name:    "ldap (via Bind DN) flip 'active' and 'user sync' attributes",

  911. 					Enabled: true,

  912. 				},

  913. 			},

  914. 		},

  915. 	}

  916. 

  917. 	for n, c := range cases {

  918. 		// Mock functions.

  919. 		var updatedAuthSource *auth.Source

  920. 		service := &authService{

  921. 			initDB: func(context.Context) error {

  922. 				return nil

  923. 			},

  924. 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  925. 				assert.FailNow(t, "createAuthSource called", "case %d: should not call createAuthSource", n)

  926. 				return nil

  927. 			},

  928. 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  929. 				updatedAuthSource = authSource

  930. 				return nil

  931. 			},

  932. 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {

  933. 				if c.id != 0 {

  934. 					assert.Equal(t, c.id, id, "case %d: wrong id", n)

  935. 				}

  936. 				if c.existingAuthSource != nil {

  937. 					return c.existingAuthSource, nil

  938. 				}

  939. 				return &auth.Source{

  940. 					Type: auth.LDAP,

  941. 					Cfg:  &ldap.Source{},

  942. 				}, nil

  943. 			},

  944. 		}

  945. 

  946. 		// Create a copy of command to test

  947. 		app := cli.Command{

  948. 			Flags:  microcmdAuthUpdateLdapBindDn().Flags,

  949. 			Action: service.updateLdapBindDn,

  950. 		}

  951. 		// Run it

  952. 		err := app.Run(t.Context(), c.args)

  953. 		if c.errMsg != "" {

  954. 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)

  955. 		} else {

  956. 			assert.NoError(t, err, "case %d: should have no errors", n)

  957. 			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)

  958. 		}

  959. 	}

  960. }

  961. 

  962. func TestUpdateLdapSimpleAuth(t *testing.T) {

  963. 	// Mock cli functions to do not exit on error

  964. 	defer test.MockVariableValue(&cli.OsExiter, func(code int) {})()

  965. 

  966. 	// Test cases

  967. 	cases := []struct {

  968. 		args               []string

  969. 		id                 int64

  970. 		existingAuthSource *auth.Source

  971. 		authSource         *auth.Source

  972. 		errMsg             string

  973. 	}{

  974. 		// case 0

  975. 		{

  976. 			args: []string{

  977. 				"ldap-test",

  978. 				"--id", "7",

  979. 				"--name", "ldap (simple auth) source full",

  980. 				"--not-active",

  981. 				"--security-protocol", "starttls",

  982. 				"--skip-tls-verify",

  983. 				"--host", "ldap-simple-server full",

  984. 				"--port", "987",

  985. 				"--user-search-base", "ou=Users,dc=full-domain-simple,dc=org",

  986. 				"--user-filter", "(&(objectClass=posixAccount)(full-simple-cn=%s))",

  987. 				"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",

  988. 				"--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",

  989. 				"--username-attribute", "uid-simple full",

  990. 				"--firstname-attribute", "givenName-simple full",

  991. 				"--surname-attribute", "sn-simple full",

  992. 				"--email-attribute", "mail-simple full",

  993. 				"--public-ssh-key-attribute", "publickey-simple full",

  994. 				"--avatar-attribute", "avatar-simple full",

  995. 				"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",

  996. 			},

  997. 			id: 7,

  998. 			authSource: &auth.Source{

  999. 				Type:     auth.DLDAP,

  1000. 				Name:     "ldap (simple auth) source full",

  1001. 				IsActive: false,

  1002. 				Cfg: &ldap.Source{

  1003. 					Name:                  "ldap (simple auth) source full",

  1004. 					Host:                  "ldap-simple-server full",

  1005. 					Port:                  987,

  1006. 					SecurityProtocol:      ldap.SecurityProtocol(2),

  1007. 					SkipVerify:            true,

  1008. 					UserDN:                "cn=%s,ou=Users,dc=full-domain-simple,dc=org",

  1009. 					UserBase:              "ou=Users,dc=full-domain-simple,dc=org",

  1010. 					AttributeUsername:     "uid-simple full",

  1011. 					AttributeName:         "givenName-simple full",

  1012. 					AttributeSurname:      "sn-simple full",

  1013. 					AttributeMail:         "mail-simple full",

  1014. 					AttributeSSHPublicKey: "publickey-simple full",

  1015. 					AttributeAvatar:       "avatar-simple full",

  1016. 					Filter:                "(&(objectClass=posixAccount)(full-simple-cn=%s))",

  1017. 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",

  1018. 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",

  1019. 				},

  1020. 			},

  1021. 		},

  1022. 		// case 1

  1023. 		{

  1024. 			args: []string{

  1025. 				"ldap-test",

  1026. 				"--id", "1",

  1027. 			},

  1028. 			authSource: &auth.Source{

  1029. 				Type: auth.DLDAP,

  1030. 				Cfg:  &ldap.Source{},

  1031. 			},

  1032. 		},

  1033. 		// case 2

  1034. 		{

  1035. 			args: []string{

  1036. 				"ldap-test",

  1037. 				"--id", "1",

  1038. 				"--name", "ldap (simple auth) source",

  1039. 			},

  1040. 			authSource: &auth.Source{

  1041. 				Type: auth.DLDAP,

  1042. 				Name: "ldap (simple auth) source",

  1043. 				Cfg: &ldap.Source{

  1044. 					Name: "ldap (simple auth) source",

  1045. 				},

  1046. 			},

  1047. 		},

  1048. 		// case 3

  1049. 		{

  1050. 			args: []string{

  1051. 				"ldap-test",

  1052. 				"--id", "1",

  1053. 				"--not-active",

  1054. 			},

  1055. 			existingAuthSource: &auth.Source{

  1056. 				Type:     auth.DLDAP,

  1057. 				IsActive: true,

  1058. 				Cfg:      &ldap.Source{},

  1059. 			},

  1060. 			authSource: &auth.Source{

  1061. 				Type:     auth.DLDAP,

  1062. 				IsActive: false,

  1063. 				Cfg:      &ldap.Source{},

  1064. 			},

  1065. 		},

  1066. 		// case 4

  1067. 		{

  1068. 			args: []string{

  1069. 				"ldap-test",

  1070. 				"--id", "1",

  1071. 				"--security-protocol", "starttls",

  1072. 			},

  1073. 			authSource: &auth.Source{

  1074. 				Type: auth.DLDAP,

  1075. 				Cfg: &ldap.Source{

  1076. 					SecurityProtocol: ldap.SecurityProtocol(2),

  1077. 				},

  1078. 			},

  1079. 		},

  1080. 		// case 5

  1081. 		{

  1082. 			args: []string{

  1083. 				"ldap-test",

  1084. 				"--id", "1",

  1085. 				"--skip-tls-verify",

  1086. 			},

  1087. 			authSource: &auth.Source{

  1088. 				Type: auth.DLDAP,

  1089. 				Cfg: &ldap.Source{

  1090. 					SkipVerify: true,

  1091. 				},

  1092. 			},

  1093. 		},

  1094. 		// case 6

  1095. 		{

  1096. 			args: []string{

  1097. 				"ldap-test",

  1098. 				"--id", "1",

  1099. 				"--host", "ldap-server",

  1100. 			},

  1101. 			authSource: &auth.Source{

  1102. 				Type: auth.DLDAP,

  1103. 				Cfg: &ldap.Source{

  1104. 					Host: "ldap-server",

  1105. 				},

  1106. 			},

  1107. 		},

  1108. 		// case 7

  1109. 		{

  1110. 			args: []string{

  1111. 				"ldap-test",

  1112. 				"--id", "1",

  1113. 				"--port", "987",

  1114. 			},

  1115. 			authSource: &auth.Source{

  1116. 				Type: auth.DLDAP,

  1117. 				Cfg: &ldap.Source{

  1118. 					Port: 987,

  1119. 				},

  1120. 			},

  1121. 		},

  1122. 		// case 8

  1123. 		{

  1124. 			args: []string{

  1125. 				"ldap-test",

  1126. 				"--id", "1",

  1127. 				"--user-search-base", "ou=Users,dc=domain,dc=org",

  1128. 			},

  1129. 			authSource: &auth.Source{

  1130. 				Type: auth.DLDAP,

  1131. 				Cfg: &ldap.Source{

  1132. 					UserBase: "ou=Users,dc=domain,dc=org",

  1133. 				},

  1134. 			},

  1135. 		},

  1136. 		// case 9

  1137. 		{

  1138. 			args: []string{

  1139. 				"ldap-test",

  1140. 				"--id", "1",

  1141. 				"--user-filter", "(&(objectClass=posixAccount)(cn=%s))",

  1142. 			},

  1143. 			authSource: &auth.Source{

  1144. 				Type: auth.DLDAP,

  1145. 				Cfg: &ldap.Source{

  1146. 					Filter: "(&(objectClass=posixAccount)(cn=%s))",

  1147. 				},

  1148. 			},

  1149. 		},

  1150. 		// case 10

  1151. 		{

  1152. 			args: []string{

  1153. 				"ldap-test",

  1154. 				"--id", "1",

  1155. 				"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",

  1156. 			},

  1157. 			authSource: &auth.Source{

  1158. 				Type: auth.DLDAP,

  1159. 				Cfg: &ldap.Source{

  1160. 					AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)",

  1161. 				},

  1162. 			},

  1163. 		},

  1164. 		// case 11

  1165. 		{

  1166. 			args: []string{

  1167. 				"ldap-test",

  1168. 				"--id", "1",

  1169. 				"--username-attribute", "uid",

  1170. 			},

  1171. 			authSource: &auth.Source{

  1172. 				Type: auth.DLDAP,

  1173. 				Cfg: &ldap.Source{

  1174. 					AttributeUsername: "uid",

  1175. 				},

  1176. 			},

  1177. 		},

  1178. 		// case 12

  1179. 		{

  1180. 			args: []string{

  1181. 				"ldap-test",

  1182. 				"--id", "1",

  1183. 				"--firstname-attribute", "givenName",

  1184. 			},

  1185. 			authSource: &auth.Source{

  1186. 				Type: auth.DLDAP,

  1187. 				Cfg: &ldap.Source{

  1188. 					AttributeName: "givenName",

  1189. 				},

  1190. 			},

  1191. 		},

  1192. 		// case 13

  1193. 		{

  1194. 			args: []string{

  1195. 				"ldap-test",

  1196. 				"--id", "1",

  1197. 				"--surname-attribute", "sn",

  1198. 			},

  1199. 			authSource: &auth.Source{

  1200. 				Type: auth.DLDAP,

  1201. 				Cfg: &ldap.Source{

  1202. 					AttributeSurname: "sn",

  1203. 				},

  1204. 			},

  1205. 		},

  1206. 		// case 14

  1207. 		{

  1208. 			args: []string{

  1209. 				"ldap-test",

  1210. 				"--id", "1",

  1211. 				"--email-attribute", "mail",

  1212. 			},

  1213. 			authSource: &auth.Source{

  1214. 				Type: auth.DLDAP,

  1215. 				Cfg: &ldap.Source{

  1216. 					AttributeMail: "mail",

  1217. 				},

  1218. 			},

  1219. 		},

  1220. 		// case 15

  1221. 		{

  1222. 			args: []string{

  1223. 				"ldap-test",

  1224. 				"--id", "1",

  1225. 				"--public-ssh-key-attribute", "publickey",

  1226. 			},

  1227. 			authSource: &auth.Source{

  1228. 				Type: auth.DLDAP,

  1229. 				Cfg: &ldap.Source{

  1230. 					AttributeSSHPublicKey: "publickey",

  1231. 				},

  1232. 			},

  1233. 		},

  1234. 		// case 16

  1235. 		{

  1236. 			args: []string{

  1237. 				"ldap-test",

  1238. 				"--id", "1",

  1239. 				"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",

  1240. 			},

  1241. 			authSource: &auth.Source{

  1242. 				Type: auth.DLDAP,

  1243. 				Cfg: &ldap.Source{

  1244. 					UserDN: "cn=%s,ou=Users,dc=domain,dc=org",

  1245. 				},

  1246. 			},

  1247. 		},

  1248. 		// case 17

  1249. 		{

  1250. 			args: []string{

  1251. 				"ldap-test",

  1252. 				"--id", "1",

  1253. 				"--security-protocol", "xxxxx",

  1254. 			},

  1255. 			errMsg: "unknown security protocol name: xxxxx",

  1256. 		},

  1257. 		// case 18

  1258. 		{

  1259. 			args: []string{

  1260. 				"ldap-test",

  1261. 			},

  1262. 			errMsg: "id is not set",

  1263. 		},

  1264. 		// case 19

  1265. 		{

  1266. 			args: []string{

  1267. 				"ldap-test",

  1268. 				"--id", "1",

  1269. 			},

  1270. 			existingAuthSource: &auth.Source{

  1271. 				Type: auth.PAM,

  1272. 				Cfg:  &ldap.Source{},

  1273. 			},

  1274. 			errMsg: "invalid authentication type. expected: LDAP (simple auth), actual: PAM",

  1275. 		},

  1276. 		// case 20

  1277. 		{

  1278. 			args: []string{

  1279. 				"ldap-test",

  1280. 				"--id", "20",

  1281. 				"--name", "ldap (simple auth) flip 'active' attribute",

  1282. 				"--active",

  1283. 			},

  1284. 			id: 20,

  1285. 			existingAuthSource: &auth.Source{

  1286. 				Type:     auth.DLDAP,

  1287. 				IsActive: false,

  1288. 				Cfg: &ldap.Source{

  1289. 					Name:    "ldap (simple auth) flip 'active' attribute",

  1290. 					Enabled: true,

  1291. 				},

  1292. 			},

  1293. 			authSource: &auth.Source{

  1294. 				Type:     auth.DLDAP,

  1295. 				Name:     "ldap (simple auth) flip 'active' attribute",

  1296. 				IsActive: true,

  1297. 				Cfg: &ldap.Source{

  1298. 					Name:    "ldap (simple auth) flip 'active' attribute",

  1299. 					Enabled: true,

  1300. 				},

  1301. 			},

  1302. 		},

  1303. 	}

  1304. 

  1305. 	for n, c := range cases {

  1306. 		// Mock functions.

  1307. 		var updatedAuthSource *auth.Source

  1308. 		service := &authService{

  1309. 			initDB: func(context.Context) error {

  1310. 				return nil

  1311. 			},

  1312. 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  1313. 				assert.FailNow(t, "createAuthSource called", "case %d: should not call createAuthSource", n)

  1314. 				return nil

  1315. 			},

  1316. 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {

  1317. 				updatedAuthSource = authSource

  1318. 				return nil

  1319. 			},

  1320. 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {

  1321. 				if c.id != 0 {

  1322. 					assert.Equal(t, c.id, id, "case %d: wrong id", n)

  1323. 				}

  1324. 				if c.existingAuthSource != nil {

  1325. 					return c.existingAuthSource, nil

  1326. 				}

  1327. 				return &auth.Source{

  1328. 					Type: auth.DLDAP,

  1329. 					Cfg:  &ldap.Source{},

  1330. 				}, nil

  1331. 			},

  1332. 		}

  1333. 

  1334. 		// Create a copy of command to test

  1335. 		app := cli.Command{

  1336. 			Flags:  microcmdAuthUpdateLdapSimpleAuth().Flags,

  1337. 			Action: service.updateLdapSimpleAuth,

  1338. 		}

  1339. 		// Run it

  1340. 		err := app.Run(t.Context(), c.args)

  1341. 		if c.errMsg != "" {

  1342. 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)

  1343. 		} else {

  1344. 			assert.NoError(t, err, "case %d: should have no errors", n)

  1345. 			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)

  1346. 		}

  1347. 	}

  1348. }