-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ldap authentication #2212
Ldap authentication #2212
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2212 +/- ##
============================================
- Coverage 61.05% 61.05% -0.01%
+ Complexity 3270 3268 -2
============================================
Files 259 259
Lines 18337 18337
Branches 3248 3248
============================================
- Hits 11196 11195 -1
- Misses 5555 5557 +2
+ Partials 1586 1585 -1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
dc80aea
to
181ac13
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ty @lukasz-soszynski-eliatra ! Added a few comments. Could you also add brief javadoc to the remaining new class that you have added as part of this PR?
public static LocalCluster cluster = new LocalCluster.Builder() | ||
.testCertificates(TEST_CERTIFICATES) | ||
.clusterManager(ClusterManager.SINGLENODE).anonymousAuth(false) | ||
.authc(new AuthcDomain("ldap", 2, true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For my knowledge, why is order set to 2 here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order to insert the LDAP authentication domain after LDAP basic auth. The domain AUTHC_HTTPBASIC_INTERNAL
contains an order equal to 0. I will refactor this to increase code readability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code refactored in order to get rid of "magic number".
src/integrationTest/java/org/opensearch/security/http/UntrustedLdapServerCertificateTest.java
Outdated
Show resolved
Hide resolved
src/integrationTest/java/org/opensearch/test/framework/ldap/EmbeddedLDAPServer.java
Outdated
Show resolved
Hide resolved
src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java
Show resolved
Hide resolved
src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java
Outdated
Show resolved
Hide resolved
931f25b
to
a948a63
Compare
I added tests related to LDAP and user impersonation: e0ceb8b |
Bwc tests are broken on main. Tracking issue here: #2221 |
e0ceb8b
to
ed14e20
Compare
@@ -19,6 +19,10 @@ logger.testsecconfig.name=org.opensearch.test.framework.TestSecurityConfig | |||
logger.testsecconfig.level = info | |||
logger.localopensearchcluster.name=org.opensearch.test.framework.cluster.LocalOpenSearchCluster | |||
logger.localopensearchcluster.level = info | |||
<<<<<<< HEAD |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like a merge conflict was missed here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great contribution thank you
|
||
@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class) | ||
@ThreadLeakScope(ThreadLeakScope.Scope.NONE) | ||
public class LdapStartTlsAuthenticationTest { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a comment on these test class for how its distinct from one another
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
|
||
HttpResponse response = client.getAuthInfo(); | ||
|
||
response.assertStatusCode(401); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar to previous pull request, can we modify these test cases to verify the expected error message by inspecting the log output to differentiate behavior between tests?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, LogsRule
is already merged into the main branch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I was wrong, the code used to verify log output in the tests is in the following PR https://github.com/opensearch-project/security/pull/2179/files#diff-d8906a1526f563012a51cf0203c4ed498a2299e41b91868b4b2658a59fcc7d26
I can move this code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
response.assertStatusCode(200); | ||
List<String> backendRoles = response.getTextArrayFromJsonBody(POINTER_BACKEND_ROLES); | ||
assertThat(backendRoles, hasSize(2)); | ||
//CN_GROUP_CREW is retrieved recursively: cn=Jean,ou=people,o=test.org -> cn=bridge,ou=groups,o=test.org -> cn=crew,ou=groups,o=test.org |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great comment
TestRestClient.HttpResponse response = client.getAuthInfo(); | ||
|
||
response.assertStatusCode(401); | ||
//TODO try to verify logs when JWT authentication tests are merged to main. Log should contain message like the below one |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still working on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here I was waiting to merge PR https://github.com/opensearch-project/security/pull/2179/files#diff-d8906a1526f563012a51cf0203c4ed498a2299e41b91868b4b2658a59fcc7d26
But I can also move the code for logs verification :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
29c3283
to
b9f5d4b
Compare
src/integrationTest/java/org/opensearch/test/framework/log/LogMessage.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
16af4cf
to
4e83093
Compare
Signed-off-by: Lukasz Soszynski <[email protected]> Tests for roles recursive search for LDAP. Signed-off-by: Lukasz Soszynski <[email protected]> User impersonation tests for LDAP authentication. Signed-off-by: Lukasz Soszynski <[email protected]>
4e83093
to
20cc9de
Compare
Description
[Describe what this change achieves]
Integration tests related to LDAP authentication.
Issues Resolved
[List any issues this PR will resolve]
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.