From 173f0e446e5424b856dae5039528600fecc02d5c Mon Sep 17 00:00:00 2001
From: Vishal Nayak
Date: Wed, 17 Oct 2018 14:56:51 -0700
Subject: [PATCH] Return absolute paths while listing in LDAP backend (#5537)
---
 builtin/credential/ldap/backend_test.go | 87 +++++++++++++++++++++++++
 builtin/credential/ldap/path_groups.go | 10 ++-
 builtin/credential/ldap/path_users.go | 11 +++-
 3 files changed, 104 insertions(+), 4 deletions(-)
diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
index 9d45fd0a397a..1df92ec8b5ab 100644
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -10,6 +10,7 @@ import (
 "testing"
 "time"
+ "github.com/hashicorp/vault/helper/namespace"
 "github.com/hashicorp/vault/helper/policyutil"
 "github.com/hashicorp/vault/logical"
 logicaltest "github.com/hashicorp/vault/logical/testing"
@@ -33,6 +34,92 @@ func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
 return b, config.StorageView
 }
+func TestLdapAuthBackend_Listing(t *testing.T) {
+ b, storage := createBackendWithStorage(t)
+
+ // Create group "testgroup"
+ resp, err := b.HandleRequest(namespace.RootContext(nil), &logical.Request{
+ Path: "groups/testgroup",
+ Operation: logical.UpdateOperation,
+ Storage: storage,
+ Data: map[string]interface{}{
+ "policies": []string{"default"},
+ },
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+
+ // Create group "nested/testgroup"
+ resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
+ Path: "groups/nested/testgroup",
+ Operation: logical.UpdateOperation,
+ Storage: storage,
+ Data: map[string]interface{}{
+ "policies": []string{"default"},
+ },
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+
+ // Create user "testuser"
+ resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
+ Path: "users/testuser",
+ Operation: logical.UpdateOperation,
+ Storage: storage,
+ Data: map[string]interface{}{
+ "policies": []string{"default"},
+ "groups": "testgroup,nested/testgroup",
+ },
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+
+ // Create user "nested/testuser"
+ resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
+ Path: "users/nested/testuser",
+ Operation: logical.UpdateOperation,
+ Storage: storage,
+ Data: map[string]interface{}{
+ "policies": []string{"default"},
+ "groups": "testgroup,nested/testgroup",
+ },
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+
+ // List users
+ resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
+ Path: "users/",
+ Operation: logical.ListOperation,
+ Storage: storage,
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+ expected := []string{"testuser", "nested/testuser"}
+ if !reflect.DeepEqual(expected, resp.Data["keys"].([]string)) {
+ t.Fatalf("bad: listed users; expected: %#v actual: %#v", expected, resp.Data["keys"].([]string))
+ }
+
+ // List groups
+ resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
+ Path: "groups/",
+ Operation: logical.ListOperation,
+ Storage: storage,
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+ expected = []string{"testgroup", "nested/testgroup"}
+ if !reflect.DeepEqual(expected, resp.Data["keys"].([]string)) {
+ t.Fatalf("bad: listed groups; expected: %#v actual: %#v", expected, resp.Data["keys"].([]string))
+ }
+}
+
 func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
 var resp *logical.Response
 var err error
diff --git a/builtin/credential/ldap/path_groups.go b/builtin/credential/ldap/path_groups.go
index 9d402faa9ea1..1cdaea89ebdb 100644
--- a/builtin/credential/ldap/path_groups.go
+++ b/builtin/credential/ldap/path_groups.go
@@ -132,11 +132,17 @@ func (b *backend) pathGroupWrite(ctx context.Context, req *logical.Request, d *f
 }
 func (b *backend) pathGroupList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
- groups, err := req.Storage.List(ctx, "group/")
+ keys, err := logical.CollectKeys(ctx, req.Storage)
 if err != nil {
 return nil, err
 }
- return logical.ListResponse(groups), nil
+ retKeys := make([]string, 0)
+ for _, key := range keys {
+ if strings.HasPrefix(key, "group/") && !strings.HasPrefix(key, "/") {
+ retKeys = append(retKeys, strings.TrimPrefix(key, "group/"))
+ }
+ }
+ return logical.ListResponse(retKeys), nil
 }
 type GroupEntry struct {
diff --git a/builtin/credential/ldap/path_users.go b/builtin/credential/ldap/path_users.go
index b19004597820..4050454427cd 100644
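Review bot: The two list assertions at the end of TestLdapAuthBackend_Listing pin an exact order, `expected := []string{"testuser", "nested/testuser"}` compared with `reflect.DeepEqual`, but nothing in the new list handlers promises an order — it is whatever `logical.CollectKeys` happens to yield from its storage walk, so the test is coupled to the current traversal order of the in-memory test storage and will break on a harmless reordering. Sort both sides before comparing, `sort.Strings(expected)` and `sort.Strings(keys)`, or compare as sets. The bare type assertion `resp.Data["keys"].([]string)` also panics rather than failing the test if the key is absent or of another type; a checked form, `keys, ok := resp.Data["keys"].([]string); if !ok { t.Fatalf("bad: keys: %#v", resp.Data["keys"]) }`, gives a readable failure. Neither `sort` nor `reflect` appears in the import hunk shown, so `sort` presumably needs adding.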
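Review bot: In pathGroupList the second half of the filter, `&& !strings.HasPrefix(key, "/")`, can never be false once `strings.HasPrefix(key, "group/")` has passed — a key that begins with `group/` does not begin with `/` — so it is dead code. If the intent was to reject keys whose remainder after the prefix is empty or starts with a slash (a stored `group//x`, say), test the trimmed value instead: `name := strings.TrimPrefix(key, "group/"); if name == "" || strings.HasPrefix(name, "/") { continue }`. Separately, `logical.CollectKeys(ctx, req.Storage)` walks the backend's entire storage view — user entries and config included — on every group list, whereas the replaced `req.Storage.List(ctx, "group/")` touched only the `group/` subtree; scoping the recursive walk to a view rooted at `group/`, if the framework offers one, keeps the cost of a list proportional to the number of groups rather than to everything the mount stores.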
--- a/builtin/credential/ldap/path_users.go
+++ b/builtin/credential/ldap/path_users.go
@@ -148,11 +148,18 @@ func (b *backend) pathUserWrite(ctx context.Context, req *logical.Request, d *fr
 }
 func (b *backend) pathUserList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
- users, err := req.Storage.List(ctx, "user/")
+ keys, err := logical.CollectKeys(ctx, req.Storage)
 if err != nil {
 return nil, err
 }
- return logical.ListResponse(users), nil
+ retKeys := make([]string, 0)
+ for _, key := range keys {
+ if strings.HasPrefix(key, "user/") && !strings.HasPrefix(key, "/") {
+ retKeys = append(retKeys, strings.TrimPrefix(key, "user/"))
+ }
+ }
+ return logical.ListResponse(retKeys), nil
+
 }
 type UserEntry struct {
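Review bot: pathUserList is now a line-for-line copy of pathGroupList in path_groups.go with `user/` substituted for `group/`; the collect-and-filter loop belongs in one helper that takes the prefix, so the two listings cannot drift apart (both copies also carry the `!strings.HasPrefix(key, "/")` clause, which can never fail after the prefix check and is dropped below). The stray blank line before the closing brace of pathUserList looks like it would not survive gofmt. A sketch of the shared helper follows; pathGroupList would call it with `"group/"`.
```go
// listKeysUnder walks the whole storage view and returns every key below
// prefix with the prefix stripped, so nested entries come back as full
// relative paths ("nested/testuser") rather than one directory level.
func listKeysUnder(ctx context.Context, s logical.Storage, prefix string) ([]string, error) {
	keys, err := logical.CollectKeys(ctx, s)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0)
	for _, key := range keys {
		if strings.HasPrefix(key, prefix) {
			names = append(names, strings.TrimPrefix(key, prefix))
		}
	}
	return names, nil
}

func (b *backend) pathUserList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	users, err := listKeysUnder(ctx, req.Storage, "user/")
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(users), nil
}
```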