dex/functional/ldap_test.go

package functional

import (
	"fmt"
	"html/template"
	"net"
	"net/url"
	"os"
	"strconv"
	"sync"
	"testing"
	"time"

	"github.com/coreos/dex/connector"
	"golang.org/x/net/context"
	"gopkg.in/ldap.v2"
)

var (
	ldapHost   string
	ldapPort   uint16
	ldapBindDN string
	ldapBindPw string
)

type LDAPServer struct {
	Host   string
	Port   uint16
	BindDN string
	BindPw string
}

const (
	ldapEnvHost     = "DEX_TEST_LDAP_HOST"
	ldapEnvBindName = "DEX_TEST_LDAP_BINDNAME"
	ldapEnvBindPass = "DEX_TEST_LDAP_BINDPASS"
)

func ldapServer(t *testing.T) LDAPServer {
	host := os.Getenv(ldapEnvHost)
	if host == "" {
		t.Fatalf("%s not set", ldapEnvHost)
	}
	var port uint64 = 389
	if h, p, err := net.SplitHostPort(host); err == nil {
		port, err = strconv.ParseUint(p, 10, 16)
		if err != nil {
			t.Fatalf("failed to parse port: %v", err)
		}
		host = h
	}
	return LDAPServer{host, uint16(port), os.Getenv(ldapEnvBindName), os.Getenv(ldapEnvBindPass)}
}

func TestLDAPConnect(t *testing.T) {
	server := ldapServer(t)
	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", server.Host, server.Port))
	if err != nil {
		t.Fatal(err)
	}
	err = l.Bind(server.BindDN, server.BindPw)
	if err != nil {
		t.Fatal(err)
	}
	l.Close()
}

func TestConnectorLDAPHealthy(t *testing.T) {
	server := ldapServer(t)

	tests := []struct {
		config  connector.LDAPConnectorConfig
		wantErr bool
	}{
		{
			config: connector.LDAPConnectorConfig{
				ID:         "ldap",
				ServerHost: server.Host,
				ServerPort: server.Port + 1,
			},
			wantErr: true,
		},
		{
			config: connector.LDAPConnectorConfig{
				ID:         "ldap",
				ServerHost: server.Host,
				ServerPort: server.Port,
			},
		},
		{
			config: connector.LDAPConnectorConfig{
				ID:         "ldap",
				ServerHost: server.Host,
				ServerPort: server.Port,
				UseTLS:     true,
				CertFile:   "/tmp/ldap.crt",
				KeyFile:    "/tmp/ldap.key",
				CaFile:     "/tmp/openldap-ca.pem",
			},
		},
		{
			config: connector.LDAPConnectorConfig{
				ID:         "ldap",
				ServerHost: server.Host,
				ServerPort: server.Port + 247, // 636
				UseSSL:     true,
				CertFile:   "/tmp/ldap.crt",
				KeyFile:    "/tmp/ldap.key",
				CaFile:     "/tmp/openldap-ca.pem",
			},
		},
	}
	for i, tt := range tests {
		templates := template.New(connector.LDAPLoginPageTemplateName)
		c, err := tt.config.Connector(url.URL{}, nil, templates)
		if err != nil {
			t.Errorf("case %d: failed to create connector: %v", i, err)
			continue
		}
		if err := c.Healthy(); err != nil {
			if !tt.wantErr {
				t.Errorf("case %d: Healthy() returned error: %v", i, err)
			}
		} else if tt.wantErr {
			t.Errorf("case %d: expected Healthy() to fail", i)
		}
	}
}

func TestLDAPPoolHighWatermarkAndLockContention(t *testing.T) {
	server := ldapServer(t)
	ldapPool := &connector.LDAPPool{
		MaxIdleConn: 30,
		ServerHost:  server.Host,
		ServerPort:  server.Port,
		UseTLS:      false,
		UseSSL:      false,
	}

	// Excercise pool operations with MaxIdleConn + 10 concurrent goroutines.
	// We are testing both pool high watermark code and lock contention
	numRoutines := ldapPool.MaxIdleConn + 10
	var wg sync.WaitGroup
	wg.Add(numRoutines)
	ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)
	for i := 0; i < numRoutines; i++ {
		go func() {
			defer wg.Done()
			for {
				select {
				case <-ctx.Done():
					return
				default:
					ldapConn, err := ldapPool.Acquire()
					if err != nil {
						t.Errorf("Unable to acquire LDAP Connection: %v", err)
					}
					s := ldap.NewSearchRequest("", ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false, "(objectClass=*)", []string{}, nil)
					_, err = ldapConn.Search(s)
					if err != nil {
						t.Errorf("Search request failed. Dead/invalid LDAP connection from pool?: %v", err)
						ldapConn.Close()
					} else {
						ldapPool.Put(ldapConn)
					}
					_, _ = ldapPool.CheckConnections()
				}
			}
		}()
	}

	// Wait for all operations to complete and check status.
	// There should be MaxIdleConn connections in the pool. This confirms:
	// 1. The tests was indeed executed concurrently
	// 2. Even though we ran more routines than the configured MaxIdleConn the high
	//    watermark code did its job and closed surplus connections
	wg.Wait()
	alive, killed := ldapPool.CheckConnections()
	if alive < ldapPool.MaxIdleConn {
		t.Errorf("expected %v connections, got alive=%v killed=%v", ldapPool.MaxIdleConn, alive, killed)
	}
}
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`package functional`

			`import (`
			`"fmt"`
			`"html/template"`
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`"net"`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`"net/url"`
			`"os"`
			`"strconv"`
Functional tests for LDAP Connection Pool 2016-05-27 16:55:31 +05:30			`"sync"`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`"testing"`
Functional tests for LDAP Connection Pool 2016-05-27 16:55:31 +05:30			`"time"`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30
			`"github.com/coreos/dex/connector"`
Functional tests for LDAP Connection Pool 2016-05-27 16:55:31 +05:30			`"golang.org/x/net/context"`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`"gopkg.in/ldap.v2"`
			`)`

			`var (`
			`ldapHost string`
			`ldapPort uint16`
			`ldapBindDN string`
			`ldapBindPw string`
			`)`

functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`type LDAPServer struct {`
			`Host string`
			`Port uint16`
			`BindDN string`
			`BindPw string`
			`}`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`const (`
			`ldapEnvHost = "DEX_TEST_LDAP_HOST"`
			`ldapEnvBindName = "DEX_TEST_LDAP_BINDNAME"`
			`ldapEnvBindPass = "DEX_TEST_LDAP_BINDPASS"`
			`)`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`func ldapServer(t *testing.T) LDAPServer {`
			`host := os.Getenv(ldapEnvHost)`
			`if host == "" {`
			`t.Fatalf("%s not set", ldapEnvHost)`
			`}`
			`var port uint64 = 389`
			`if h, p, err := net.SplitHostPort(host); err == nil {`
			`port, err = strconv.ParseUint(p, 10, 16)`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`if err != nil {`
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`t.Fatalf("failed to parse port: %v", err)`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`}`
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`host = h`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`}`
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`return LDAPServer{host, uint16(port), os.Getenv(ldapEnvBindName), os.Getenv(ldapEnvBindPass)}`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`}`

			`func TestLDAPConnect(t *testing.T) {`
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`server := ldapServer(t)`
			`l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", server.Host, server.Port))`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`if err != nil {`
			`t.Fatal(err)`
			`}`
functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`err = l.Bind(server.BindDN, server.BindPw)`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`l.Close()`
			`}`

functional: don't fail if postgres or ldap isn't availabl 2016-02-26 01:27:26 +05:30			`func TestConnectorLDAPHealthy(t *testing.T) {`
			`server := ldapServer(t)`

			`tests := []struct {`
			`config connector.LDAPConnectorConfig`
			`wantErr bool`
			`}{`
			`{`
			`config: connector.LDAPConnectorConfig{`
			`ID: "ldap",`
			`ServerHost: server.Host,`
			`ServerPort: server.Port + 1,`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`config: connector.LDAPConnectorConfig{`
			`ID: "ldap",`
			`ServerHost: server.Host,`
			`ServerPort: server.Port,`
			`},`
			`},`
			`{`
			`config: connector.LDAPConnectorConfig{`
			`ID: "ldap",`
			`ServerHost: server.Host,`
			`ServerPort: server.Port,`
			`UseTLS: true,`
			`CertFile: "/tmp/ldap.crt",`
			`KeyFile: "/tmp/ldap.key",`
			`CaFile: "/tmp/openldap-ca.pem",`
			`},`
			`},`
			`{`
			`config: connector.LDAPConnectorConfig{`
			`ID: "ldap",`
			`ServerHost: server.Host,`
			`ServerPort: server.Port + 247, // 636`
			`UseSSL: true,`
			`CertFile: "/tmp/ldap.crt",`
			`KeyFile: "/tmp/ldap.key",`
			`CaFile: "/tmp/openldap-ca.pem",`
			`},`
			`},`
			`}`
			`for i, tt := range tests {`
			`templates := template.New(connector.LDAPLoginPageTemplateName)`
			`c, err := tt.config.Connector(url.URL{}, nil, templates)`
			`if err != nil {`
			`t.Errorf("case %d: failed to create connector: %v", i, err)`
			`continue`
			`}`
			`if err := c.Healthy(); err != nil {`
			`if !tt.wantErr {`
			`t.Errorf("case %d: Healthy() returned error: %v", i, err)`
			`}`
			`} else if tt.wantErr {`
			`t.Errorf("case %d: expected Healthy() to fail", i)`
			`}`
connector: add LDAP connector Authentication is performed by binding to the configured LDAP server using the user supplied credentials. Successfull bind equals authenticated user. Optionally the connector can be configured to search before authentication. The entryDN found will be used to bind to the LDAP server. This feature must be enabled to get supplementary information from the directory (ID, Name, Email). This feature can also be used to limit access to the service. Example use case: Allow your users to log in with e-mail address instead of the identification string in your DNs (typically username). To make re-use of HTTP form handling code from the Local connector possible: - Implemented IdentityProvider interface - Moved the re-used functions to login_local.go Fixes #119 2015-11-11 01:08:40 +05:30			`}`
			`}`
Functional tests for LDAP Connection Pool 2016-05-27 16:55:31 +05:30
			`func TestLDAPPoolHighWatermarkAndLockContention(t *testing.T) {`
			`server := ldapServer(t)`
			`ldapPool := &connector.LDAPPool{`
			`MaxIdleConn: 30,`
			`ServerHost: server.Host,`
			`ServerPort: server.Port,`
			`UseTLS: false,`
			`UseSSL: false,`
			`}`

			`// Excercise pool operations with MaxIdleConn + 10 concurrent goroutines.`
			`// We are testing both pool high watermark code and lock contention`
			`numRoutines := ldapPool.MaxIdleConn + 10`
			`var wg sync.WaitGroup`
			`wg.Add(numRoutines)`
			`ctx, _ := context.WithTimeout(context.Background(), 5*time.Second)`
			`for i := 0; i < numRoutines; i++ {`
			`go func() {`
			`defer wg.Done()`
			`for {`
			`select {`
			`case <-ctx.Done():`
			`return`
			`default:`
			`ldapConn, err := ldapPool.Acquire()`
			`if err != nil {`
			`t.Errorf("Unable to acquire LDAP Connection: %v", err)`
			`}`
			`s := ldap.NewSearchRequest("", ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false, "(objectClass=*)", []string{}, nil)`
			`_, err = ldapConn.Search(s)`
			`if err != nil {`
			`t.Errorf("Search request failed. Dead/invalid LDAP connection from pool?: %v", err)`
			`ldapConn.Close()`
			`} else {`
			`ldapPool.Put(ldapConn)`
			`}`
			`_, _ = ldapPool.CheckConnections()`
			`}`
			`}`
			`}()`
			`}`

			`// Wait for all operations to complete and check status.`
			`// There should be MaxIdleConn connections in the pool. This confirms:`
			`// 1. The tests was indeed executed concurrently`
			`// 2. Even though we ran more routines than the configured MaxIdleConn the high`
			`// watermark code did its job and closed surplus connections`
			`wg.Wait()`
			`alive, killed := ldapPool.CheckConnections()`
			`if alive < ldapPool.MaxIdleConn {`
			`t.Errorf("expected %v connections, got alive=%v killed=%v", ldapPool.MaxIdleConn, alive, killed)`
			`}`
			`}`