2017-08-30 09:49:21 +00:00
|
|
|
"use strict";
|
|
|
|
|
2018-06-15 20:31:06 +00:00
|
|
|
const log = require("../../../src/log");
|
2017-08-30 09:49:21 +00:00
|
|
|
const ldapAuth = require("../../../src/plugins/auth/ldap");
|
|
|
|
const Helper = require("../../../src/helper");
|
2019-09-04 10:49:48 +00:00
|
|
|
const ldap = require("ldapjs");
|
2017-08-30 09:49:21 +00:00
|
|
|
const expect = require("chai").expect;
|
2019-01-05 23:08:10 +00:00
|
|
|
const stub = require("sinon").stub;
|
|
|
|
const TestUtil = require("../../util");
|
2017-08-30 09:49:21 +00:00
|
|
|
|
|
|
|
const user = "johndoe";
|
|
|
|
const wrongUser = "eve";
|
|
|
|
const correctPassword = "loremipsum";
|
|
|
|
const wrongPassword = "dolorsitamet";
|
|
|
|
const baseDN = "ou=accounts,dc=example,dc=com";
|
|
|
|
const primaryKey = "uid";
|
|
|
|
const serverPort = 1389;
|
|
|
|
|
|
|
|
function normalizeDN(dn) {
|
|
|
|
return ldap.parseDN(dn).toString();
|
|
|
|
}
|
|
|
|
|
|
|
|
function startLdapServer(callback) {
|
|
|
|
const server = ldap.createServer();
|
|
|
|
|
|
|
|
const searchConf = Helper.config.ldap.searchDN;
|
|
|
|
const userDN = primaryKey + "=" + user + "," + baseDN;
|
|
|
|
|
|
|
|
// Two users are authorized: john doe and the root user in case of
|
|
|
|
// advanced auth (the user that does the search for john's actual
|
|
|
|
// bindDN)
|
|
|
|
const authorizedUsers = {};
|
|
|
|
authorizedUsers[normalizeDN(searchConf.rootDN)] = searchConf.rootPassword;
|
|
|
|
authorizedUsers[normalizeDN(userDN)] = correctPassword;
|
|
|
|
|
|
|
|
function authorize(req, res, next) {
|
|
|
|
const bindDN = req.connection.ldap.bindDN;
|
|
|
|
|
|
|
|
if (bindDN in authorizedUsers) {
|
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
|
|
|
return next(new ldap.InsufficientAccessRightsError());
|
|
|
|
}
|
|
|
|
|
|
|
|
Object.keys(authorizedUsers).forEach(function(dn) {
|
|
|
|
server.bind(dn, function(req, res, next) {
|
|
|
|
const bindDN = req.dn.toString();
|
|
|
|
const password = req.credentials;
|
|
|
|
|
|
|
|
if (bindDN in authorizedUsers && authorizedUsers[bindDN] === password) {
|
|
|
|
req.connection.ldap.bindDN = req.dn;
|
|
|
|
res.end();
|
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
|
|
|
return next(new ldap.InsufficientAccessRightsError());
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
server.search(searchConf.base, authorize, function(req, res) {
|
|
|
|
const obj = {
|
|
|
|
dn: userDN,
|
|
|
|
attributes: {
|
|
|
|
objectclass: ["person", "top"],
|
|
|
|
cn: ["john doe"],
|
|
|
|
sn: ["johnny"],
|
|
|
|
uid: ["johndoe"],
|
2017-11-15 06:35:15 +00:00
|
|
|
memberof: [baseDN],
|
|
|
|
},
|
2017-08-30 09:49:21 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
if (req.filter.matches(obj.attributes)) {
|
|
|
|
// TODO: check req.scope if ldapjs does not
|
|
|
|
res.send(obj);
|
|
|
|
}
|
|
|
|
|
|
|
|
res.end();
|
|
|
|
});
|
|
|
|
|
2017-09-01 09:29:52 +00:00
|
|
|
server.listen(serverPort, callback);
|
2017-09-01 09:44:53 +00:00
|
|
|
|
2017-08-30 09:49:21 +00:00
|
|
|
return server;
|
|
|
|
}
|
|
|
|
|
|
|
|
function testLdapAuth() {
|
|
|
|
// Create mock manager and client. When client is true, manager should not
|
|
|
|
// be used. But ideally the auth plugin should not use any of those.
|
|
|
|
const manager = {};
|
|
|
|
const client = true;
|
|
|
|
|
|
|
|
it("should successfully authenticate with correct password", function(done) {
|
|
|
|
ldapAuth.auth(manager, client, user, correctPassword, function(valid) {
|
|
|
|
expect(valid).to.equal(true);
|
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it("should fail to authenticate with incorrect password", function(done) {
|
2019-01-05 23:08:10 +00:00
|
|
|
let error = "";
|
2019-07-17 09:33:59 +00:00
|
|
|
stub(log, "error").callsFake(TestUtil.sanitizeLog((str) => (error += str)));
|
2019-01-05 23:08:10 +00:00
|
|
|
|
2017-08-30 09:49:21 +00:00
|
|
|
ldapAuth.auth(manager, client, user, wrongPassword, function(valid) {
|
|
|
|
expect(valid).to.equal(false);
|
2019-07-17 09:33:59 +00:00
|
|
|
expect(error).to.equal(
|
|
|
|
"LDAP bind failed: InsufficientAccessRightsError: InsufficientAccessRightsError\n"
|
|
|
|
);
|
2019-01-05 23:08:10 +00:00
|
|
|
log.error.restore();
|
2017-08-30 09:49:21 +00:00
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
it("should fail to authenticate with incorrect username", function(done) {
|
2019-01-05 23:08:10 +00:00
|
|
|
let warning = "";
|
2019-07-17 09:33:59 +00:00
|
|
|
stub(log, "warn").callsFake(TestUtil.sanitizeLog((str) => (warning += str)));
|
2019-01-05 23:08:10 +00:00
|
|
|
|
2017-08-30 09:49:21 +00:00
|
|
|
ldapAuth.auth(manager, client, wrongUser, correctPassword, function(valid) {
|
|
|
|
expect(valid).to.equal(false);
|
2019-01-05 23:08:10 +00:00
|
|
|
expect(warning).to.equal("LDAP Search did not find anything for: eve (0)\n");
|
|
|
|
log.warn.restore();
|
2017-08-30 09:49:21 +00:00
|
|
|
done();
|
|
|
|
});
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
describe("LDAP authentication plugin", function() {
|
2019-11-27 18:25:29 +00:00
|
|
|
// Increase timeout due to unpredictable I/O on CI services
|
|
|
|
this.timeout(process.env.CI ? 25000 : 5000);
|
2017-11-27 23:47:19 +00:00
|
|
|
this.slow(200);
|
|
|
|
|
2017-12-09 23:56:05 +00:00
|
|
|
let server;
|
|
|
|
let originalLogInfo;
|
|
|
|
|
|
|
|
before(function(done) {
|
|
|
|
originalLogInfo = log.info;
|
2018-02-20 07:28:04 +00:00
|
|
|
|
2017-12-09 23:56:05 +00:00
|
|
|
log.info = () => {};
|
|
|
|
|
|
|
|
server = startLdapServer(done);
|
2017-08-30 09:49:21 +00:00
|
|
|
});
|
2017-10-06 09:53:08 +00:00
|
|
|
|
2017-12-09 23:56:05 +00:00
|
|
|
after(function() {
|
|
|
|
server.close();
|
|
|
|
|
|
|
|
log.info = originalLogInfo;
|
2017-08-30 09:49:21 +00:00
|
|
|
});
|
|
|
|
|
2017-12-09 23:56:05 +00:00
|
|
|
beforeEach(function() {
|
2017-08-30 09:49:21 +00:00
|
|
|
Helper.config.public = false;
|
|
|
|
Helper.config.ldap.enable = true;
|
|
|
|
Helper.config.ldap.url = "ldap://localhost:" + String(serverPort);
|
|
|
|
Helper.config.ldap.primaryKey = primaryKey;
|
|
|
|
});
|
|
|
|
|
2019-10-31 09:01:44 +00:00
|
|
|
afterEach(function() {
|
|
|
|
Helper.config.public = true;
|
|
|
|
Helper.config.ldap.enable = false;
|
|
|
|
});
|
|
|
|
|
2017-08-30 09:49:21 +00:00
|
|
|
describe("LDAP authentication availability", function() {
|
2017-10-06 09:53:08 +00:00
|
|
|
it("checks that the configuration is correctly tied to isEnabled()", function() {
|
2017-08-30 09:49:21 +00:00
|
|
|
Helper.config.ldap.enable = true;
|
|
|
|
expect(ldapAuth.isEnabled()).to.equal(true);
|
2017-10-06 09:53:08 +00:00
|
|
|
|
2017-08-30 09:49:21 +00:00
|
|
|
Helper.config.ldap.enable = false;
|
|
|
|
expect(ldapAuth.isEnabled()).to.equal(false);
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
describe("Simple LDAP authentication (predefined DN pattern)", function() {
|
|
|
|
Helper.config.ldap.baseDN = baseDN;
|
|
|
|
testLdapAuth();
|
|
|
|
});
|
|
|
|
|
|
|
|
describe("Advanced LDAP authentication (DN found by a prior search query)", function() {
|
|
|
|
delete Helper.config.ldap.baseDN;
|
|
|
|
testLdapAuth();
|
|
|
|
});
|
|
|
|
});
|