author | molotkov-and <molotkov-and@ydb.tech> | 2023-10-12 11:09:27 +0300 |
---|---|---|
committer | molotkov-and <molotkov-and@ydb.tech> | 2023-10-12 11:52:39 +0300 |
commit | a1d12a9ecd63b4c4584c5c81f6d5e242f5b13754 (patch) | |
tree | 3b7ec5708ec56ff6cae1e3cafc7722f9d4fb7cf6 | |
parent | 4442a9c0bd2241d66c5c57e1e2b1c9aa415a6f07 (diff) | |
download | ydb-a1d12a9ecd63b4c4584c5c81f6d5e242f5b13754.tar.gz |
KIKIMR-18760: Add tests for creating ldap search filter
-rw-r--r-- | ydb/core/security/CMakeLists.darwin-x86_64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/CMakeLists.linux-aarch64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/CMakeLists.linux-x86_64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/CMakeLists.windows-x86_64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/ldap_auth_provider.cpp | 27 | ||||
-rw-r--r-- | ydb/core/security/ldap_utils.cpp | 37 | ||||
-rw-r--r-- | ydb/core/security/ldap_utils.h | 19 | ||||
-rw-r--r-- | ydb/core/security/ldap_utils_ut.cpp | 65 | ||||
-rw-r--r-- | ydb/core/security/ut/CMakeLists.darwin-x86_64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/ut/CMakeLists.linux-aarch64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/ut/CMakeLists.linux-x86_64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/ut/CMakeLists.windows-x86_64.txt | 1 | ||||
-rw-r--r-- | ydb/core/security/ut/ya.make | 1 | ||||
-rw-r--r-- | ydb/core/security/ya.make | 1 |
14 files changed, 136 insertions, 22 deletions
diff --git a/ydb/core/security/CMakeLists.darwin-x86_64.txt b/ydb/core/security/CMakeLists.darwin-x86_64.txt
index d31e217a46d..566b4ff619f 100644
--- a/ydb/core/security/CMakeLists.darwin-x86_64.txt
+++ b/ydb/core/security/CMakeLists.darwin-x86_64.txt
@@ -31,5 +31,6 @@ target_sources(ydb-core-security PRIVATE
   ${CMAKE_SOURCE_DIR}/ydb/core/security/login_shared_func.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider_linux.cpp
 )
diff --git a/ydb/core/security/CMakeLists.linux-aarch64.txt b/ydb/core/security/CMakeLists.linux-aarch64.txt
index 0ecd1920611..2771e6e450b 100644
--- a/ydb/core/security/CMakeLists.linux-aarch64.txt
+++ b/ydb/core/security/CMakeLists.linux-aarch64.txt
@@ -32,5 +32,6 @@ target_sources(ydb-core-security PRIVATE
   ${CMAKE_SOURCE_DIR}/ydb/core/security/login_shared_func.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider_linux.cpp
 )
diff --git a/ydb/core/security/CMakeLists.linux-x86_64.txt b/ydb/core/security/CMakeLists.linux-x86_64.txt
index 0ecd1920611..2771e6e450b 100644
--- a/ydb/core/security/CMakeLists.linux-x86_64.txt
+++ b/ydb/core/security/CMakeLists.linux-x86_64.txt
@@ -32,5 +32,6 @@ target_sources(ydb-core-security PRIVATE
   ${CMAKE_SOURCE_DIR}/ydb/core/security/login_shared_func.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils.cpp
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider_linux.cpp
 )
diff --git a/ydb/core/security/CMakeLists.windows-x86_64.txt b/ydb/core/security/CMakeLists.windows-x86_64.txt
index 515495b7409..4f70ca5af2a 100644
--- a/ydb/core/security/CMakeLists.windows-x86_64.txt +++ b/ydb/core/security/CMakeLists.windows-x86_64.txt @@ -35,5 +35,6 @@ target_sources(ydb-core-security PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/security/login_shared_func.cpp ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser.cpp ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils.cpp ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_auth_provider_win.cpp ) diff --git a/ydb/core/security/ldap_auth_provider.cpp b/ydb/core/security/ldap_auth_provider.cpp index 491d5acbcd7..609290381c7 100644 --- a/ydb/core/security/ldap_auth_provider.cpp +++ b/ydb/core/security/ldap_auth_provider.cpp @@ -3,6 +3,7 @@ #include <ydb/core/base/ticket_parser.h> #include "ticket_parser_log.h" #include "ldap_auth_provider.h" +#include "ldap_utils.h" // This temporary solution // These lines should be declared outside ldap_compat.h @@ -67,6 +68,7 @@ private: public: TLdapAuthProvider(const NKikimrProto::TLdapAuthentication& settings) : Settings(settings) + , FilterCreator(Settings) {} void Bootstrap() { @@ -232,7 +234,7 @@ private: char* dn = NKikimrLdap::GetDn(*request.Ld, request.Entry); if (dn == nullptr) { return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED, - {.Message = "Could not get dn for the first entry matching " + GetFilter(request.Login) + " on server " + Settings.GetHost() + "\n" + {.Message = "Could not get dn for the first entry matching " + FilterCreator.GetFilter(request.Login) + " on server " + Settings.GetHost() + "\n" + NKikimrLdap::LdapError(*request.Ld), .Retryable = false}}}; } @@ -249,7 +251,7 @@ private: TSearchUserResponse SearchUserRecord(const TSearchUserRequest& request) { LDAPMessage* searchMessage = nullptr; - const TString searchFilter = GetFilter(request.User); + const TString searchFilter = FilterCreator.GetFilter(request.User); int result = NKikimrLdap::Search(request.Ld, Settings.GetBaseDn(), 
@@ -285,28 +287,9 @@ private: return response; } - TString GetFilter(const TString& userName) const { - if (!Settings.GetSearchFilter().empty()) { - return GetFormatSearchFilter(userName); - } else if (!Settings.GetSearchAttribute().empty()) { - return Settings.GetSearchAttribute() + "=" + userName; - } else { - return "uid=" + userName; - } - } - - TString GetFormatSearchFilter(const TString& userName) const { - const TStringBuf namePlaceHolder = "$username"; - const TString& searchFilter = Settings.GetSearchFilter(); - size_t n = searchFilter.find(namePlaceHolder); - if (n == TString::npos) { - return searchFilter; - } - return searchFilter.substr(0, n) + userName + searchFilter.substr(n + namePlaceHolder.size()); - } - private: const NKikimrProto::TLdapAuthentication Settings; + const TSearchFilterCreator FilterCreator; }; IActor* CreateLdapAuthProvider(const NKikimrProto::TLdapAuthentication& settings) { diff --git a/ydb/core/security/ldap_utils.cpp b/ydb/core/security/ldap_utils.cpp new file mode 100644 index 00000000000..3087cbaf137 --- /dev/null +++ b/ydb/core/security/ldap_utils.cpp 
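Review bot: The new `FilterCreator` member is initialised from the `Settings` member (`, FilterCreator(Settings)` in the constructor hunk above), and `TSearchFilterCreator` stores that argument as a `const NKikimrProto::TLdapAuthentication&`, so this only works because `Settings` is declared before `FilterCreator`; nothing says so, and reordering the two members would silently leave the creator holding a reference to a not-yet-constructed object. Add `// Must stay declared after Settings: FilterCreator holds a reference to it.` directly above `const TSearchFilterCreator FilterCreator;`. The enclosing `TLdapAuthProvider` class body starts well before this hunk.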
@@ -0,0 +1,37 @@
+#include <util/stream/str.h>
+#include "ldap_utils.h"
+
+namespace NKikimr {
+
+TSearchFilterCreator::TSearchFilterCreator(const NKikimrProto::TLdapAuthentication& settings)
+    : Settings(settings)
+    {}
+
+TString TSearchFilterCreator::GetFilter(const TString& userName) const {
+    if (!Settings.GetSearchFilter().empty()) {
+        return GetFormatSearchFilter(userName);
+    } else if (!Settings.GetSearchAttribute().empty()) {
+        return Settings.GetSearchAttribute() + "=" + userName;
+    }
+    return "uid=" + userName;
+}
+
+TString TSearchFilterCreator::GetFormatSearchFilter(const TString& userName) const {
+    const TStringBuf namePlaceHolder = "$username";
+    const TString& searchFilter = Settings.GetSearchFilter();
+    size_t n = searchFilter.find(namePlaceHolder);
+    if (n == TString::npos) {
+        return searchFilter;
+    }
+    TStringStream result;
+    size_t pos = 0;
+    while (n != TString::npos) {
+        result << searchFilter.substr(pos, n - pos) << userName;
+        pos = n + namePlaceHolder.size();
+        n = searchFilter.find(namePlaceHolder, pos);
+    }
+    result << searchFilter.substr(pos);
+    return result.Str();
+}
+
+} // namespace NKikimr
diff --git a/ydb/core/security/ldap_utils.h b/ydb/core/security/ldap_utils.h
new file mode 100644
index 00000000000..62fd188d825
--- /dev/null
+++ b/ydb/core/security/ldap_utils.h
@@ -0,0 +1,19 @@
+#pragma once
+
+#include <ydb/core/protos/auth.pb.h>
+
+namespace NKikimr {
+
+class TSearchFilterCreator {
+public:
+    TSearchFilterCreator(const NKikimrProto::TLdapAuthentication& settings);
+    TString GetFilter(const TString& userName) const;
+
+private:
+    TString GetFormatSearchFilter(const TString& userName) const;
+
+private:
+    const NKikimrProto::TLdapAuthentication& Settings;
+};
+
+} // namespace NKikimr
diff --git a/ydb/core/security/ldap_utils_ut.cpp b/ydb/core/security/ldap_utils_ut.cpp
new file mode 100644
index 00000000000..26a0cb5a5ca
--- /dev/null
+++ b/ydb/core/security/ldap_utils_ut.cpp
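Review bot: `GetFilter` and `GetFormatSearchFilter` splice `userName` into the LDAP search filter verbatim, so a login containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) rewrites the filter instead of matching a literal name; in ldap_auth_provider.cpp the argument is `request.Login` / `request.User` from the authentication request, which as far as this diff shows is client-supplied. With the default shape a login of `*` yields `uid=*`, and the provider takes the dn of the first matching entry (its error text says "first entry matching"), while with a `$username` template the same input can close one term and open an `|` branch. Escape the value per RFC 4515 once, before either substitution path, so the attribute form and the template form are both covered; the existing tests keep passing because `test_user` contains no metacharacters, and `TStringStream` is already included here.

```cpp
// RFC 4515 escaping for a value substituted into a search filter:
// '\' -> \5c, '*' -> \2a, '(' -> \28, ')' -> \29, NUL -> \00.
static TString EscapeFilterValue(const TString& value) {
    TStringStream out;
    for (char c : value) {
        switch (c) {
            case '\\': out << "\\5c"; break;
            case '*':  out << "\\2a"; break;
            case '(':  out << "\\28"; break;
            case ')':  out << "\\29"; break;
            case '\0': out << "\\00"; break;
            default:   out << c;
        }
    }
    return out.Str();
}

TString TSearchFilterCreator::GetFilter(const TString& userName) const {
    // Escape before any substitution so both the attribute and template paths are safe.
    const TString safeName = EscapeFilterValue(userName);
    if (!Settings.GetSearchFilter().empty()) {
        return GetFormatSearchFilter(safeName);
    } else if (!Settings.GetSearchAttribute().empty()) {
        return Settings.GetSearchAttribute() + "=" + safeName;
    }
    return "uid=" + safeName;
}
// … unchanged: GetFormatSearchFilter …
```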
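Review bot: `TSearchFilterCreator` keeps `Settings` as a `const NKikimrProto::TLdapAuthentication&`, yet its single-argument constructor is not `explicit` and nothing documents that the referenced object has to outlive the creator; a caller that constructs one from a temporary, or from a by-value copy that goes out of scope, reads a dangling reference on the first `GetFilter`. Declare it `explicit TSearchFilterCreator(const NKikimrProto::TLdapAuthentication& settings);` and put `// Non-owning reference: the settings object must outlive this creator.` above the `Settings` member so the lifetime contract is visible at the declaration.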
@@ -0,0 +1,65 @@
+#include <library/cpp/testing/unittest/registar.h>
+#include "ldap_utils.h"
+
+namespace NKikimr {
+
+Y_UNIT_TEST_SUITE(TLdapUtilsTest) {
+    Y_UNIT_TEST(GetDefaultFilter) {
+        NKikimrProto::TLdapAuthentication settings;
+        TSearchFilterCreator filterCreator(settings);
+        const TString login {"test_user"};
+        const TString expectedFilter {"uid=" + login};
+        const TString filter = filterCreator.GetFilter(login);
+        UNIT_ASSERT_STRINGS_EQUAL(expectedFilter, filter);
+    }
+
+    Y_UNIT_TEST(GetFilterWithoutLoginPlaceholders) {
+        NKikimrProto::TLdapAuthentication settings;
+        const TString filterString {"&(uid=admin_user)(groupid=1234)"};
+        settings.SetSearchFilter(filterString);
+        TSearchFilterCreator filterCreator(settings);
+        const TString login {"test_user"};
+        const TString expectedFilter {filterString};
+        const TString filter = filterCreator.GetFilter(login);
+        UNIT_ASSERT_STRINGS_EQUAL(expectedFilter, filter);
+    }
+
+    Y_UNIT_TEST(GetFilterWithOneLoginPlaceholder) {
+        auto getFilterString = [] (const TString& name) {
+            return "&(uid=" + name + ")(groupid=1234)";
+        };
+        NKikimrProto::TLdapAuthentication settings;
+        settings.SetSearchFilter(getFilterString("$username"));
+        TSearchFilterCreator filterCreator(settings);
+        const TString login {"test_user"};
+        const TString expectedFilter {getFilterString(login)};
+        const TString filter = filterCreator.GetFilter(login);
+        UNIT_ASSERT_STRINGS_EQUAL(expectedFilter, filter);
+    }
+
+    Y_UNIT_TEST(GetFilterWithSearchAttribute) {
+        NKikimrProto::TLdapAuthentication settings;
+        const TString searchAttribute {"name"};
+        settings.SetSearchAttribute(searchAttribute);
+        TSearchFilterCreator filterCreator(settings);
+        const TString login {"test_user"};
+        const TString expectedFilter {searchAttribute + "=" + login};
+        const TString filter = filterCreator.GetFilter(login);
+        UNIT_ASSERT_STRINGS_EQUAL(expectedFilter, filter);
+    }
+
+    Y_UNIT_TEST(GetFilterWithFewLoginPlaceholders) {
+        auto getFilterString = [] (const TString& name) {
+            return "|(&(uid=" + name + ")(groupid=1234))(&(login=" + name + ")(groupid=9876))";
+        };
+        NKikimrProto::TLdapAuthentication settings;
+        settings.SetSearchFilter(getFilterString("$username"));
+        TSearchFilterCreator filterCreator(settings);
+        const TString login {"test_user"};
+        const TString expectedFilter {getFilterString(login)};
+        const TString filter = filterCreator.GetFilter(login);
+        UNIT_ASSERT_STRINGS_EQUAL(expectedFilter, filter);
+    }
+}
+
+} // namespace NKikimr
diff --git a/ydb/core/security/ut/CMakeLists.darwin-x86_64.txt b/ydb/core/security/ut/CMakeLists.darwin-x86_64.txt
index 56bbf982782..d11e6e8b61e 100644
--- a/ydb/core/security/ut/CMakeLists.darwin-x86_64.txt
+++ b/ydb/core/security/ut/CMakeLists.darwin-x86_64.txt
@@ -32,6 +32,7 @@ target_link_options(ydb-core-security-ut PRIVATE
 )
 target_sources(ydb-core-security-ut PRIVATE
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser_ut.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils_ut.cpp
 )
 set_property(
   TARGET
diff --git a/ydb/core/security/ut/CMakeLists.linux-aarch64.txt b/ydb/core/security/ut/CMakeLists.linux-aarch64.txt
index bf3438ea79c..b6ce8a93466 100644
--- a/ydb/core/security/ut/CMakeLists.linux-aarch64.txt
+++ b/ydb/core/security/ut/CMakeLists.linux-aarch64.txt
@@ -35,6 +35,7 @@ target_link_options(ydb-core-security-ut PRIVATE
 )
 target_sources(ydb-core-security-ut PRIVATE
   ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser_ut.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils_ut.cpp
 )
 set_property(
   TARGET
diff --git a/ydb/core/security/ut/CMakeLists.linux-x86_64.txt b/ydb/core/security/ut/CMakeLists.linux-x86_64.txt
index 60b834cc384..b4529a02e31 100644
--- a/ydb/core/security/ut/CMakeLists.linux-x86_64.txt
+++ b/ydb/core/security/ut/CMakeLists.linux-x86_64.txt
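Review bot: None of the five cases feeds a login containing LDAP filter metacharacters, which is exactly the input this helper has to handle safely; as the code stands, `GetFilter("*")` with default settings returns `uid=*`, and `GetFilter("x)(uid=*")` through a `$username` template returns a filter with an injected term. Add a case that pins the intended policy for such input, e.g. default `settings`, `const TString login {"a*b(c)\\d"};`, and assert the RFC 4515 escaped form `uid=a\2ab\28c\29\5cd` once escaping is added (or assert rejection if that is the chosen policy) so the behaviour cannot regress unnoticed. Separately, the templates in `GetFilterWithoutLoginPlaceholders`, `GetFilterWithOneLoginPlaceholder` and `GetFilterWithFewLoginPlaceholders` lack the outer parentheses a server expects (`(&(uid=$username)(groupid=1234))`); the unit under test does not care, but these strings double as configuration examples, so use well-formed filters.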
@@ -36,6 +36,7 @@ target_link_options(ydb-core-security-ut PRIVATE ) target_sources(ydb-core-security-ut PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser_ut.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils_ut.cpp ) set_property( TARGET diff --git a/ydb/core/security/ut/CMakeLists.windows-x86_64.txt b/ydb/core/security/ut/CMakeLists.windows-x86_64.txt index e7702e90160..854de82b68d 100644 --- a/ydb/core/security/ut/CMakeLists.windows-x86_64.txt +++ b/ydb/core/security/ut/CMakeLists.windows-x86_64.txt @@ -25,6 +25,7 @@ target_link_libraries(ydb-core-security-ut PUBLIC ) target_sources(ydb-core-security-ut PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/security/ticket_parser_ut.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/security/ldap_utils_ut.cpp ) set_property( TARGET diff --git a/ydb/core/security/ut/ya.make b/ydb/core/security/ut/ya.make index 36e9b4a7da9..053724adc0a 100644 --- a/ydb/core/security/ut/ya.make +++ b/ydb/core/security/ut/ya.make @@ -15,6 +15,7 @@ YQL_LAST_ABI_VERSION() SRCS( ticket_parser_ut.cpp + ldap_utils_ut.cpp ) END() diff --git a/ydb/core/security/ya.make b/ydb/core/security/ya.make index 239abee78c9..5950d6f2fae 100644 --- a/ydb/core/security/ya.make +++ b/ydb/core/security/ya.make @@ -9,6 +9,7 @@ SRCS( ticket_parser.cpp ticket_parser.h ldap_auth_provider.cpp + ldap_utils.cpp ) IF(OS_LINUX OR OS_DARWIN) |