2 changes: 2 additions & 0 deletions actions/auth/authprovider.go
Expand Up @@ -43,6 +43,8 @@ type AuthConfig struct {
NestedUsers []User `yaml:"nestedUsers"`
DoubleNestedGroup string `yaml:"doubleNestedGroup"`
DoubleNestedUsers []User `yaml:"doubleNestedUsers"`
TripleNestedGroup string `yaml:"tripleNestedGroup"`
TripleNestedUsers []User `yaml:"tripleNestedUsers"`
}

// SetupAuthenticatedSession enables the auth provider, logs in as the admin user, and returns a new session and client
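--- a/validation/auth/provider/activedirectory/activedirectory_test.go
+++ b/validation/auth/provider/activedirectory/activedirectory_test.go
@@ -378,7 +378,67 @@ func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryRestrictedAccessMo
 require.NoError(a.T(), err, "Failed to rollback access mode")
 }
 
-func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryUnauthorizedLoginDenied() {
+func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryRequiredModeNestedGroupAccess() {
+subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.ActiveDirectory)
+require.NoError(a.T(), err, "Failed to setup authenticated test")
+defer subSession.Cleanup()
+
+nestedGroupPrincipalID := authactions.GetGroupPrincipalID(
+authactions.ActiveDirectory,
+a.authConfig.NestedGroup,
+a.client.Auth.ActiveDirectory.Config.Users.SearchBase,
+a.client.Auth.ActiveDirectory.Config.Groups.SearchBase,
+)
+
+_, err = rbac.CreateGroupClusterRoleTemplateBinding(
+authAdmin,
+a.cluster.ID,
+nestedGroupPrincipalID,
+rbac.ClusterMember.String(),
+)
+require.NoError(a.T(), err, "Failed to create cluster role binding")
+
+principalIDs := []string{nestedGroupPrincipalID}
+
+nestedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+for _, user := range nestedUsers {
+userPrincipalID := authactions.GetUserPrincipalID(
+authactions.ActiveDirectory,
+user.Username,
+a.client.Auth.ActiveDirectory.Config.Users.SearchBase,
+a.client.Auth.ActiveDirectory.Config.Groups.SearchBase,
+)
+principalIDs = append(principalIDs, userPrincipalID)
+}
+
+newAuthConfig, err := authactions.UpdateAccessMode(
+a.client,
+authactions.ActiveDirectory,
+authactions.AccessModeRequired,
+principalIDs,
+)
+require.NoError(a.T(), err, "Failed to update access mode")
+require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
+
+err = authactions.VerifyUserLogins(
+authAdmin,
+authactions.ActiveDirectory,
+nestedUsers,
+"required access mode with nested groups",
+true,
+)
+require.NoError(a.T(), err, "Nested group members should be able to login")
+
+_, err = authactions.UpdateAccessMode(
+a.client,
+authactions.ActiveDirectory,
+authactions.AccessModeUnrestricted,
+nil,
+)
+require.NoError(a.T(), err, "Failed to rollback access mode")
+}
+
+func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryRequiredModeUnauthorizedLoginDenied() {
 subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.ActiveDirectory)
 require.NoError(a.T(), err, "Failed to setup authenticated test")
 defer subSession.Cleanup()
@@ -397,7 +457,7 @@ func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryUnauthorizedLoginD
 require.NoError(a.T(), err, "Failed to update access mode")
 require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
 
-unauthorizedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+unauthorizedUsers := a.authConfig.TripleNestedUsers
 err = authactions.VerifyUserLogins(authAdmin, authactions.ActiveDirectory, unauthorizedUsers, "required access mode", false)
 require.NoError(a.T(), err, "Unauthorized users should NOT be able to login")
 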
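Review bot: TestActiveDirectoryRequiredModeNestedGroupAccess does not actually prove that nested-group membership grants access in required mode, because the loop over `nestedUsers` appends each user's own `userPrincipalID` to `principalIDs` before UpdateAccessMode, so every login in VerifyUserLogins succeeds on the direct per-user allow-list whether or not the provider expands `NestedGroup`. If the intent is to test group resolution, pass only the group principal — keep `principalIDs := []string{nestedGroupPrincipalID}` and drop the loop that appends `userPrincipalID` — unless UpdateAccessMode needs user principals for a reason not visible here, in which case a comment stating that would save the next reader the same question. The rollback to AccessModeUnrestricted at the end of the function is not deferred, so a failing require inside VerifyUserLogins leaves the provider in required mode for the tests that follow; moving the rollback into a `defer` immediately after the successful UpdateAccessMode keeps the fixture safe on failure. The second hunk's function body starts and ends outside the hunk, so I cannot see which principals it allow-lists before asserting that TripleNestedUsers are denied.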
4 changes: 4 additions & 0 deletions validation/auth/provider/openldap/README.md
Expand Up @@ -83,6 +83,10 @@ openLdapAuthInput:
doubleNestedUsers:
- username: "<double-nested-username1>"
password: "<double-nested-password1>"
tripleNestedGroup: "<triple-nested-group-name>"
tripleNestedUsers:
- username: "<triple-nested-username1>"
password: "<triple-nested-password1>"
```

### Group Hierarchy
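--- a/validation/auth/provider/openldap/openldap_test.go
+++ b/validation/auth/provider/openldap/openldap_test.go
@@ -378,7 +378,67 @@ func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPRestrictedAccessModeAuthorizedUs
 require.NoError(a.T(), err, "Failed to rollback access mode")
 }
 
-func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPUnauthorizedLoginDenied() {
+func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPRequiredModeNestedGroupAccess() {
+subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.OpenLdap)
+require.NoError(a.T(), err, "Failed to setup authenticated test")
+defer subSession.Cleanup()
+
+nestedGroupPrincipalID := authactions.GetGroupPrincipalID(
+authactions.OpenLdap,
+a.authConfig.NestedGroup,
+a.client.Auth.OLDAP.Config.Users.SearchBase,
+a.client.Auth.OLDAP.Config.Groups.SearchBase,
+)
+
+_, err = rbac.CreateGroupClusterRoleTemplateBinding(
+authAdmin,
+a.cluster.ID,
+nestedGroupPrincipalID,
+rbac.ClusterMember.String(),
+)
+require.NoError(a.T(), err, "Failed to create cluster role binding")
+
+principalIDs := []string{nestedGroupPrincipalID}
+
+nestedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+for _, user := range nestedUsers {
+userPrincipalID := authactions.GetUserPrincipalID(
+authactions.OpenLdap,
+user.Username,
+a.client.Auth.OLDAP.Config.Users.SearchBase,
+a.client.Auth.OLDAP.Config.Groups.SearchBase,
+)
+principalIDs = append(principalIDs, userPrincipalID)
+}
+
+newAuthConfig, err := authactions.UpdateAccessMode(
+a.client,
+authactions.OpenLdap,
+authactions.AccessModeRequired,
+principalIDs,
+)
+require.NoError(a.T(), err, "Failed to update access mode")
+require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
+
+err = authactions.VerifyUserLogins(
+authAdmin,
+authactions.OpenLdap,
+nestedUsers,
+"required access mode with nested groups",
+true,
+)
+require.NoError(a.T(), err, "Nested group members should be able to login")
+
+_, err = authactions.UpdateAccessMode(
+a.client,
+authactions.OpenLdap,
+authactions.AccessModeUnrestricted,
+nil,
+)
+require.NoError(a.T(), err, "Failed to rollback access mode")
+}
+
+func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPRequiredModeUnauthorizedLoginDenied() {
 subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.OpenLdap)
 require.NoError(a.T(), err, "Failed to setup authenticated test")
 defer subSession.Cleanup()
@@ -397,7 +457,7 @@ func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPUnauthorizedLoginDenied() {
 require.NoError(a.T(), err, "Failed to update access mode")
 require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
 
-unauthorizedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+unauthorizedUsers := a.authConfig.TripleNestedUsers
 err = authactions.VerifyUserLogins(authAdmin, authactions.OpenLdap, unauthorizedUsers, "required access mode", false)
 require.NoError(a.T(), err, "Unauthorized users should NOT be able to login")
 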
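Review bot: The positive assertion in TestOpenLDAPRequiredModeNestedGroupAccess is satisfied regardless of whether OpenLDAP nested-group lookup works, because the loop over `nestedUsers` adds every user's own `userPrincipalID` to `principalIDs` before UpdateAccessMode, so each user is individually allow-listed and the group principal is never what admits them. To test what the name claims, allow-list the group alone — keep `principalIDs := []string{nestedGroupPrincipalID}` and remove the loop that appends `userPrincipalID` — or, if UpdateAccessMode genuinely requires user principals here, say so in a comment so the weakened assertion is deliberate rather than accidental. The final UpdateAccessMode back to AccessModeUnrestricted is not deferred, so a failing require inside VerifyUserLogins leaves the provider in required mode for later tests; a `defer` placed right after the successful switch to required mode would restore it on any exit. The second hunk's function body begins and ends outside the hunk, so the principals it allow-lists before asserting TripleNestedUsers are denied are not visible here.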