Add LDAP auth module (#6226)

2019-11-25 17:03:38 +01:00
parent cf26434b31
commit 4435154cf9
6 changed files with 452 additions and 0 deletions
--- a/spec/LdapAuth.spec.js
+++ b/spec/LdapAuth.spec.js
@@ -0,0 +1,138 @@
+const ldap = require('../lib/Adapters/Auth/ldap');
+const mockLdapServer = require('./MockLdapServer');
+const port = 12345;
+
+it('Should fail with missing options', done => {
+  ldap
+    .validateAuthData({ id: 'testuser', password: 'testpw' })
+    .then(done.fail)
+    .catch(err => {
+      jequal(err.message, 'LDAP auth configuration missing');
+      done();
+    });
+});
+
+it('Should return a resolved promise when validating the app id', done => {
+  ldap
+    .validateAppId()
+    .then(done)
+    .catch(done.fail);
+});
+
+it('Should succeed with right credentials', done => {
+  mockLdapServer(port, 'uid=testuser, o=example').then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example',
+    };
+    ldap
+      .validateAuthData({ id: 'testuser', password: 'secret' }, options)
+      .then(done)
+      .catch(done.fail)
+      .finally(() => server.close());
+  });
+});
+
+it('Should fail with wrong credentials', done => {
+  mockLdapServer(port, 'uid=testuser, o=example').then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example',
+    };
+    ldap
+      .validateAuthData({ id: 'testuser', password: 'wrong!' }, options)
+      .then(done.fail)
+      .catch(err => {
+        jequal(err.message, 'LDAP: Wrong username or password');
+        done();
+      })
+      .finally(() => server.close());
+  });
+});
+
+it('Should succeed if user is in given group', done => {
+  mockLdapServer(port, 'uid=testuser, o=example').then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example',
+      groupCn: 'powerusers',
+      groupFilter:
+        '(&(uniqueMember=uid={{id}}, o=example)(objectClass=groupOfUniqueNames))',
+    };
+
+    ldap
+      .validateAuthData({ id: 'testuser', password: 'secret' }, options)
+      .then(done)
+      .catch(done.fail)
+      .finally(() => server.close());
+  });
+});
+
+it('Should fail if user is not in given group', done => {
+  mockLdapServer(port, 'uid=testuser, o=example').then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example',
+      groupCn: 'groupTheUserIsNotIn',
+      groupFilter:
+        '(&(uniqueMember=uid={{id}}, o=example)(objectClass=groupOfUniqueNames))',
+    };
+
+    ldap
+      .validateAuthData({ id: 'testuser', password: 'secret' }, options)
+      .then(done.fail)
+      .catch(err => {
+        jequal(err.message, 'LDAP: User not in group');
+        done();
+      })
+      .finally(() => server.close());
+  });
+});
+
+it('Should fail if the LDAP server does not allow searching inside the provided suffix', done => {
+  mockLdapServer(port, 'uid=testuser, o=example').then(server => {
+    const options = {
+      suffix: 'o=invalid',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example',
+      groupCn: 'powerusers',
+      groupFilter:
+        '(&(uniqueMember=uid={{id}}, o=example)(objectClass=groupOfUniqueNames))',
+    };
+
+    ldap
+      .validateAuthData({ id: 'testuser', password: 'secret' }, options)
+      .then(done.fail)
+      .catch(err => {
+        jequal(err.message, 'LDAP group search failed');
+        done();
+      })
+      .finally(() => server.close());
+  });
+});
+
+it('Should fail if the LDAP server encounters an error while searching', done => {
+  mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example',
+      groupCn: 'powerusers',
+      groupFilter:
+        '(&(uniqueMember=uid={{id}}, o=example)(objectClass=groupOfUniqueNames))',
+    };
+
+    ldap
+      .validateAuthData({ id: 'testuser', password: 'secret' }, options)
+      .then(done.fail)
+      .catch(err => {
+        jequal(err.message, 'LDAP group search failed');
+        done();
+      })
+      .finally(() => server.close());
+  });
+});
--- a/spec/MockLdapServer.js
+++ b/spec/MockLdapServer.js
@@ -0,0 +1,48 @@
+const ldapjs = require('ldapjs');
+
+function newServer(port, dn, provokeSearchError = false) {
+  const server = ldapjs.createServer();
+
+  server.bind('o=example', function(req, res, next) {
+    if (req.dn.toString() !== dn || req.credentials !== 'secret')
+      return next(new ldapjs.InvalidCredentialsError());
+    res.end();
+    return next();
+  });
+
+  server.search('o=example', function(req, res, next) {
+    if (provokeSearchError) {
+      res.end(ldapjs.LDAP_SIZE_LIMIT_EXCEEDED);
+      return next(new ldapjs.NoSuchObjectError('fake error'));
+    }
+    const obj = {
+      dn: req.dn.toString(),
+      attributes: {
+        objectclass: ['organization', 'top'],
+        o: 'example',
+      },
+    };
+
+    const group = {
+      dn: req.dn.toString(),
+      attributes: {
+        objectClass: ['groupOfUniqueNames', 'top'],
+        uniqueMember: ['uid=testuser, o=example'],
+        cn: 'powerusers',
+        ou: 'powerusers',
+      },
+    };
+
+    if (req.filter.matches(obj.attributes)) {
+      res.send(obj);
+    }
+
+    if (req.filter.matches(group.attributes)) {
+      res.send(group);
+    }
+    res.end();
+  });
+  return new Promise(resolve => server.listen(port, () => resolve(server)));
+}
+
+module.exports = newServer;