hardlounge/test/plugins/auth/ldap.ts

import log from "../../../server/log";
import ldapAuth from "../../../server/plugins/auth/ldap";
import Config from "../../../server/config";
import ldap from "ldapjs";
import {expect} from "chai";
import TestUtil from "../../util";
import ClientManager from "../../../server/clientManager";
import sinon from "ts-sinon";

const user = "johndoe";
const wrongUser = "eve";
const correctPassword = "loremipsum";
const wrongPassword = "dolorsitamet";
const baseDN = "ou=accounts,dc=example,dc=com";
const primaryKey = "uid";
const serverPort = 1389;

function normalizeDN(dn: string) {
	return String(ldap.parseDN(dn).toString());
}

function startLdapServer(callback) {
	const server = ldap.createServer();

	const searchConf = Config.values.ldap.searchDN;
	const userDN = primaryKey + "=" + user + "," + baseDN;

	// Two users are authorized: john doe and the root user in case of
	// advanced auth (the user that does the search for john's actual
	// bindDN)
	const authorizedUsers = {};
	authorizedUsers[normalizeDN(searchConf.rootDN)] = searchConf.rootPassword;
	authorizedUsers[normalizeDN(userDN)] = correctPassword;

	function authorize(req: any, res: any, next: (error?: any) => void) {
		const bindDN = req.connection.ldap.bindDN;

		if (bindDN in authorizedUsers) {
			return next();
		}

		return next(new ldap.InsufficientAccessRightsError());
	}

	Object.keys(authorizedUsers).forEach(function (dn) {
		server.bind(dn, function (req, res, next: (error?: any) => void) {
			const bindDN = req.dn.toString();
			const password = req.credentials;

			if (bindDN in authorizedUsers && authorizedUsers[bindDN] === password) {
				req.connection.ldap.bindDN = req.dn;
				res.end();
				return next();
			}

			return next(new ldap.InsufficientAccessRightsError());
		});
	});

	server.search(searchConf.base, authorize, function (req, res) {
		const obj = {
			dn: userDN,
			attributes: {
				objectclass: ["person", "top"],
				cn: ["john doe"],
				sn: ["johnny"],
				uid: ["johndoe"],
				memberof: [baseDN],
			},
		};

		if (req.filter.matches(obj.attributes)) {
			// TODO: check req.scope if ldapjs does not
			res.send(obj);
		}

		res.end();
	});

	server.listen(serverPort, callback);

	return server;
}

function testLdapAuth() {
	// Create mock manager and client. When client is true, manager should not
	// be used. But ideally the auth plugin should not use any of those.
	const manager = {} as ClientManager;
	const client = true;

	it("should successfully authenticate with correct password", function (done) {
		// TODO: why is client = true?
		ldapAuth.auth(manager, client as any, user, correctPassword, function (valid) {
			expect(valid).to.equal(true);
			done();
		});
	});

	it("should fail to authenticate with incorrect password", function (done) {
		let error = "";

		const errorLogStub = sinon
			.stub(log, "error")
			.callsFake(TestUtil.sanitizeLog((str) => (error += str)));

		ldapAuth.auth(manager, client as any, user, wrongPassword, function (valid) {
			expect(valid).to.equal(false);
			expect(error).to.equal(
				"LDAP bind failed: InsufficientAccessRightsError: InsufficientAccessRightsError\n"
			);
			errorLogStub.restore();
			done();
		});
	});

	it("should fail to authenticate with incorrect username", function (done) {
		let warning = "";
		const warnLogStub = sinon
			.stub(log, "warn")
			.callsFake(TestUtil.sanitizeLog((str) => (warning += str)));

		ldapAuth.auth(manager, client as any, wrongUser, correctPassword, function (valid) {
			expect(valid).to.equal(false);
			expect(warning).to.equal("LDAP Search did not find anything for: eve (0)\n");
			warnLogStub.restore();
			done();
		});
	});
}

describe("LDAP authentication plugin", function () {
	// Increase timeout due to unpredictable I/O on CI services
	this.timeout(TestUtil.isRunningOnCI() ? 25000 : 5000);
	this.slow(300);

	let server: ldap.Server;
	let logInfoStub: sinon.SinonStub<string[], void>;

	before(function (done) {
		logInfoStub = sinon.stub(log, "info");
		server = startLdapServer(done);
	});

	after(function () {
		server.close(() => {
			// no-op
		});
		logInfoStub.restore();
	});

	beforeEach(function () {
		Config.values.public = false;
		Config.values.ldap.enable = true;
		Config.values.ldap.url = "ldap://127.0.0.1:" + String(serverPort);
		Config.values.ldap.primaryKey = primaryKey;
	});

	afterEach(function () {
		Config.values.public = true;
		Config.values.ldap.enable = false;
	});

	describe("LDAP authentication availability", function () {
		it("checks that the configuration is correctly tied to isEnabled()", function () {
			Config.values.ldap.enable = true;
			expect(ldapAuth.isEnabled()).to.equal(true);

			Config.values.ldap.enable = false;
			expect(ldapAuth.isEnabled()).to.equal(false);
		});
	});

	describe("Simple LDAP authentication (predefined DN pattern)", function () {
		Config.values.ldap.baseDN = baseDN;
		testLdapAuth();
	});

	describe("Advanced LDAP authentication (DN found by a prior search query)", function () {
		delete Config.values.ldap.baseDN;
		testLdapAuth();
	});
});
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`import log from "../../../server/log";`
			`import ldapAuth from "../../../server/plugins/auth/ldap";`
			`import Config from "../../../server/config";`
			`import ldap from "ldapjs";`
			`import {expect} from "chai";`
			`import TestUtil from "../../util";`
			`import ClientManager from "../../../server/clientManager";`
			`import sinon from "ts-sinon";`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00
			`const user = "johndoe";`
			`const wrongUser = "eve";`
			`const correctPassword = "loremipsum";`
			`const wrongPassword = "dolorsitamet";`
			`const baseDN = "ou=accounts,dc=example,dc=com";`
			`const primaryKey = "uid";`
			`const serverPort = 1389;`

TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`function normalizeDN(dn: string) {`
			`return String(ldap.parseDN(dn).toString());`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`}`

			`function startLdapServer(callback) {`
			`const server = ldap.createServer();`

Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`const searchConf = Config.values.ldap.searchDN;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`const userDN = primaryKey + "=" + user + "," + baseDN;`

			`// Two users are authorized: john doe and the root user in case of`
			`// advanced auth (the user that does the search for john's actual`
			`// bindDN)`
			`const authorizedUsers = {};`
			`authorizedUsers[normalizeDN(searchConf.rootDN)] = searchConf.rootPassword;`
			`authorizedUsers[normalizeDN(userDN)] = correctPassword;`

TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`function authorize(req: any, res: any, next: (error?: any) => void) {`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`const bindDN = req.connection.ldap.bindDN;`

			`if (bindDN in authorizedUsers) {`
			`return next();`
			`}`

			`return next(new ldap.InsufficientAccessRightsError());`
			`}`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`Object.keys(authorizedUsers).forEach(function (dn) {`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`server.bind(dn, function (req, res, next: (error?: any) => void) {`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`const bindDN = req.dn.toString();`
			`const password = req.credentials;`

			`if (bindDN in authorizedUsers && authorizedUsers[bindDN] === password) {`
			`req.connection.ldap.bindDN = req.dn;`
			`res.end();`
			`return next();`
			`}`

			`return next(new ldap.InsufficientAccessRightsError());`
			`});`
			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`server.search(searchConf.base, authorize, function (req, res) {`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`const obj = {`
			`dn: userDN,`
			`attributes: {`
			`objectclass: ["person", "top"],`
			`cn: ["john doe"],`
			`sn: ["johnny"],`
			`uid: ["johndoe"],`
Enforce dangling commas with ESLint ¯\_(ツ)_/¯ 2017-11-15 06:35:15 +00:00			`memberof: [baseDN],`
			`},`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`};`

			`if (req.filter.matches(obj.attributes)) {`
			`// TODO: check req.scope if ldapjs does not`
			`res.send(obj);`
			`}`

			`res.end();`
			`});`

Change string formatting style 2017-09-01 09:29:52 +00:00			`server.listen(serverPort, callback);`
Generalize auth plugin fallback mechanism @astorije this is for you ;) https://github.com/thelounge/lounge/pull/1478#discussion_r136492534 2017-09-01 09:44:53 +00:00
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`return server;`
			`}`

			`function testLdapAuth() {`
			`// Create mock manager and client. When client is true, manager should not`
			`// be used. But ideally the auth plugin should not use any of those.`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`const manager = {} as ClientManager;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`const client = true;`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`it("should successfully authenticate with correct password", function (done) {`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`// TODO: why is client = true?`
			`ldapAuth.auth(manager, client as any, user, correctPassword, function (valid) {`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`expect(valid).to.equal(true);`
			`done();`
			`});`
			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`it("should fail to authenticate with incorrect password", function (done) {`
Assert LDAP bind failed error and search warning log messages in ldap tests 2019-01-05 23:08:10 +00:00			`let error = "";`

TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`const errorLogStub = sinon`
			`.stub(log, "error")`
			`.callsFake(TestUtil.sanitizeLog((str) => (error += str)));`

			`ldapAuth.auth(manager, client as any, user, wrongPassword, function (valid) {`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`expect(valid).to.equal(false);`
Format js/vue with prettier 2019-07-17 09:33:59 +00:00			`expect(error).to.equal(`
			`"LDAP bind failed: InsufficientAccessRightsError: InsufficientAccessRightsError\n"`
			`);`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`errorLogStub.restore();`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`done();`
			`});`
			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`it("should fail to authenticate with incorrect username", function (done) {`
Assert LDAP bind failed error and search warning log messages in ldap tests 2019-01-05 23:08:10 +00:00			`let warning = "";`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`const warnLogStub = sinon`
			`.stub(log, "warn")`
			`.callsFake(TestUtil.sanitizeLog((str) => (warning += str)));`
Assert LDAP bind failed error and search warning log messages in ldap tests 2019-01-05 23:08:10 +00:00
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`ldapAuth.auth(manager, client as any, wrongUser, correctPassword, function (valid) {`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`expect(valid).to.equal(false);`
Assert LDAP bind failed error and search warning log messages in ldap tests 2019-01-05 23:08:10 +00:00			`expect(warning).to.equal("LDAP Search did not find anything for: eve (0)\n");`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`warnLogStub.restore();`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`done();`
			`});`
			`});`
			`}`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`describe("LDAP authentication plugin", function () {`
Increase test timeout due to unpredictable I/O on CI services 2019-11-27 18:25:29 +00:00			`// Increase timeout due to unpredictable I/O on CI services`
Fix increasing test timeout on github actions 2020-02-09 12:21:45 +00:00			`this.timeout(TestUtil.isRunningOnCI() ? 25000 : 5000);`
			`this.slow(300);`
Mark slow tests as such to reduce noise on test report 2017-11-27 23:47:19 +00:00
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`let server: ldap.Server;`
			`let logInfoStub: sinon.SinonStub<string[], void>;`
Remove dead code in tests, and fix a link test I used `npm run coverage` while not excluding the test folder to detect dead code in our test folder, it is actually pretty useful to do so (as a one-shot, not to do that in our config). Only remaining unreached path is L40 in `test/plugins/auth/ldap.js`, but it does seem to me that it might be useful in case of failures, so I preferred to leave it there. 2017-12-09 23:56:05 +00:00
Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`before(function (done) {`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`logInfoStub = sinon.stub(log, "info");`
Remove dead code in tests, and fix a link test I used `npm run coverage` while not excluding the test folder to detect dead code in our test folder, it is actually pretty useful to do so (as a one-shot, not to do that in our config). Only remaining unreached path is L40 in `test/plugins/auth/ldap.js`, but it does seem to me that it might be useful in case of failures, so I preferred to leave it there. 2017-12-09 23:56:05 +00:00			`server = startLdapServer(done);`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`});`
Teardown sockets in tests 2017-10-06 09:53:08 +00:00
Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`after(function () {`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`server.close(() => {`
			`// no-op`
			`});`
			`logInfoStub.restore();`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`beforeEach(function () {`
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`Config.values.public = false;`
			`Config.values.ldap.enable = true;`
TypeScript and Vue 3 (#4559) Co-authored-by: Eric Nemchik <eric@nemchik.com> Co-authored-by: Pavel Djundik <xPaw@users.noreply.github.com> 2022-06-19 00:25:21 +00:00			`Config.values.ldap.url = "ldap://127.0.0.1:" + String(serverPort);`
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`Config.values.ldap.primaryKey = primaryKey;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`afterEach(function () {`
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`Config.values.public = true;`
			`Config.values.ldap.enable = false;`
Load existing users on startup when LDAP is enabled Fixes #3219 2019-10-31 09:01:44 +00:00			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`describe("LDAP authentication availability", function () {`
			`it("checks that the configuration is correctly tied to isEnabled()", function () {`
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`Config.values.ldap.enable = true;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`expect(ldapAuth.isEnabled()).to.equal(true);`
Teardown sockets in tests 2017-10-06 09:53:08 +00:00
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`Config.values.ldap.enable = false;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`expect(ldapAuth.isEnabled()).to.equal(false);`
			`});`
			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`describe("Simple LDAP authentication (predefined DN pattern)", function () {`
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`Config.values.ldap.baseDN = baseDN;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`testLdapAuth();`
			`});`

Run format after updating to prettier 2.0 2020-03-21 20:55:36 +00:00			`describe("Advanced LDAP authentication (DN found by a prior search query)", function () {`
Refactor config out of Helper (#4558) * Remove config from Helper Helper is the usual util grab bag of useful stuff. Somehow the config ended up there historically but structurally that doesn't make any sense. * Add cert folder to prettier ignore file 2022-05-01 19:12:39 +00:00			`delete Config.values.ldap.baseDN;`
Add tests for LDAP auth plugin 2017-08-30 09:49:21 +00:00			`testLdapAuth();`
			`});`
			`});`