authorAndrey Molotkov <molotkov-and@ydb.tech>2024-02-14 17:16:19 +0300
committerGitHub <noreply@github.com>2024-02-14 17:16:19 +0300
commit38d2b19cb39ad6f09ed4b6efb5128d006898d6e0 (patch)
tree6ca7fcf1295705f06d5daad973bbd8d52128f645
parentc85594c99554e7e8f292fd88387a4bc9902f154d (diff)
downloadydb-38d2b19cb39ad6f09ed4b6efb5128d006898d6e0.tar.gz
KIKIMR-21024: Replace required fields in auth.proto with optional (#1733)
-rw-r--r--ydb/core/protos/auth.proto6
-rw-r--r--ydb/core/security/ldap_auth_provider.cpp23
-rw-r--r--ydb/core/security/ticket_parser_ut.cpp61
-rw-r--r--ydb/services/ydb/ydb_ldap_login_ut.cpp57
4 files changed, 121 insertions, 26 deletions
diff --git a/ydb/core/protos/auth.proto b/ydb/core/protos/auth.proto
index 16ccc3a1b7c..ee88b86d76d 100644
--- a/ydb/core/protos/auth.proto
+++ b/ydb/core/protos/auth.proto
@@ -100,9 +100,9 @@ message TLdapAuthentication {
optional string Host = 1;
optional uint32 Port = 2;
- required string BaseDn = 3;
- required string BindDn = 4;
- required string BindPassword = 5;
+ optional string BaseDn = 3;
+ optional string BindDn = 4;
+ optional string BindPassword = 5;
optional string SearchFilter = 6;
optional string SearchAttribute = 7;
optional TUseTls UseTls = 8;
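Review bot: BaseDn, BindDn and BindPassword become syntactically optional here but stay mandatory at runtime, and nothing in the schema says so; someone reading auth.proto alone will take an unset BindDn for a supported configuration. A short comment above the three fields, e.g. `// Must be non-empty: an unset or empty value is rejected when the LDAP connection is initialized.`, keeps the contract visible where configs are written. The message TLdapAuthentication continues outside the hunk.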
diff --git a/ydb/core/security/ldap_auth_provider.cpp b/ydb/core/security/ldap_auth_provider.cpp
index 360a69e7087..9b1581b985e 100644
--- a/ydb/core/security/ldap_auth_provider.cpp
+++ b/ydb/core/security/ldap_auth_provider.cpp
@@ -186,13 +186,12 @@ private:
}
TInitializeLdapConnectionResponse InitializeLDAPConnection(LDAP** ld) {
- const TString& host = Settings.GetHost();
- if (host.empty()) {
- return {{TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Ldap server host is empty", .Retryable = false}}};
+ if (TInitializeLdapConnectionResponse response = CheckRequiredSettingsParameters(); response.Status != TEvLdapAuthProvider::EStatus::SUCCESS) {
+ return response;
}
+ const TString& host = Settings.GetHost();
const ui32 port = Settings.GetPort() != 0 ? Settings.GetPort() : NKikimrLdap::GetPort();
-
int result = 0;
if (Settings.GetUseTls().GetEnable()) {
const TString& caCertificateFile = Settings.GetUseTls().GetCaCertFile();
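Review bot: The early return on the first added line quietly depends on the schema change in auth.proto — protobuf parsing no longer guarantees that BaseDn, BindDn and BindPassword are present, so this call is now what stops an incomplete configuration from reaching the connection and bind steps that follow further down. That deserves a why-comment so nobody removes it as redundant, e.g. `// These fields are optional in auth.proto; reject incomplete settings before any network activity.` InitializeLDAPConnection continues outside the hunk.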
@@ -290,6 +289,22 @@ private:
return response;
}
+ TInitializeLdapConnectionResponse CheckRequiredSettingsParameters() const {
+ if (Settings.GetHost().empty()) {
+ return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Ldap server host is empty", .Retryable = false}};
+ }
+ if (Settings.GetBaseDn().empty()) {
+ return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Parameter BaseDn is empty", .Retryable = false}};
+ }
+ if (Settings.GetBindDn().empty()) {
+ return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Parameter BindDn is empty", .Retryable = false}};
+ }
+ if (Settings.GetBindPassword().empty()) {
+ return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Parameter BindPassword is empty", .Retryable = false}};
+ }
+ return {TEvLdapAuthProvider::EStatus::SUCCESS, {}};
+ }
+
private:
const NKikimrProto::TLdapAuthentication Settings;
const TSearchFilterCreator FilterCreator;
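Review bot: All four configuration errors in CheckRequiredSettingsParameters are reported as EStatus::UNAVAILABLE, the same status an unreachable LDAP server gets, although a missing BaseDn is a static misconfiguration that no amount of waiting fixes; Retryable = false tells them apart, but a caller branching on Status alone will treat both alike, so if EStatus offers a value for internal or configuration errors it fits better here, and otherwise a comment stating that UNAVAILABLE is deliberate would help. The rejection of an empty BindPassword is also worth explaining, since a simple bind with a DN and an empty password is treated by LDAP servers as an unauthenticated bind (RFC 4513 §5.1.2); a comment such as `// An empty password would turn the service bind into an unauthenticated bind; refuse it.` documents the intent. Note too that these messages reach the client before it has authenticated (the expectations in ydb_ldap_login_ut.cpp show them surfacing as the login exception), which tells the caller exactly which server-side LDAP parameter is unset; logging the detail and returning a generic message is the more conservative choice.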
diff --git a/ydb/core/security/ticket_parser_ut.cpp b/ydb/core/security/ticket_parser_ut.cpp
index 57e87fd9e1b..2bcadc1f3f9 100644
--- a/ydb/core/security/ticket_parser_ut.cpp
+++ b/ydb/core/security/ticket_parser_ut.cpp
@@ -77,6 +77,26 @@ void InitLdapSettingsWithUnavailableHost(NKikimrProto::TLdapAuthentication* ldap
ldapSettings->SetHost("unavailablehost");
}
+void InitLdapSettingsWithEmptyHost(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetHost("");
+}
+
+void InitLdapSettingsWithEmptyBaseDn(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetBaseDn("");
+}
+
+void InitLdapSettingsWithEmptyBindDn(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetBindDn("");
+}
+
+void InitLdapSettingsWithEmptyBindPassword(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetBindPassword("");
+}
+
void InitLdapSettingsWithCustomGroupAttribute(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
InitLdapSettings(ldapSettings, ldapPort, certificateFile);
ldapSettings->SetRequestedGroupAttribute("groupDN");
@@ -190,6 +210,24 @@ LdapMock::TLdapMockResponses TCorrectLdapResponse::GetResponses(const TString& l
responses.SearchResponses.push_back({fetchGroupsSearchRequestInfo, fetchGroupsSearchResponseInfo});
return responses;
}
+
+void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthentication*, ui16, TTempFileHandle&)> initLdapSettings, const TString& expectedErrorMessage) {
+ TLdapKikimrServer server(initLdapSettings);
+
+ LdapMock::TLdapMockResponses responses;
+ LdapMock::TLdapSimpleServer ldapServer(server.GetLdapPort(), responses);
+
+ TString login = "ldapuser";
+ TString password = "ldapUserPassword";
+
+ TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
+ TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
+ UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
+ UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage);
+
+ ldapServer.Stop();
+}
+
} // namespace
Y_UNIT_TEST_SUITE(TTicketParserTest) {
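Review bot: CheckRequiredLdapSettings asserts on Error.Message only; the provider also sets Retryable = false for the empty-parameter cases and nothing pins that, so a regression that made a misconfiguration look transient would pass this suite. If the ticket parser's error type exposes the retryable flag, add `UNIT_ASSERT_C(!ticketParserResult->Error.Retryable, "Configuration errors must not be retryable");` after the message check — though the unavailable-host case now routed through the same helper may legitimately be retryable, so the expectation may need to become a parameter. The helper's name also overstates what it does, since LdapServerIsUnavailable reuses it for a case that has nothing to do with required settings; a name like `CheckLdapAuthFailsWith` would cover both uses, and the same applies to its twin in ydb_ldap_login_ut.cpp. Finally, ldapServer.Stop() is skipped whenever a UNIT_ASSERT fires, a pattern inherited from the test body this replaces.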
@@ -711,20 +749,23 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
}
Y_UNIT_TEST(LdapServerIsUnavailable) {
- TLdapKikimrServer server(InitLdapSettingsWithUnavailableHost);
+ CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not start TLS\nCan't contact LDAP server");
+ }
- LdapMock::TLdapMockResponses responses;
- LdapMock::TLdapSimpleServer ldapServer(server.GetLdapPort(), responses);
+ Y_UNIT_TEST(LdapRequestWithEmptyHost) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyHost, "Ldap server host is empty");
+ }
- TString login = "ldapuser";
- TString password = "ldapUserPassword";
+ Y_UNIT_TEST(LdapRequestWithEmptyBaseDn) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBaseDn, "Parameter BaseDn is empty");
+ }
- TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
- TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
- UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
- UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "Could not start TLS\nCan't contact LDAP server");
+ Y_UNIT_TEST(LdapRequestWithEmptyBindDn) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindDn, "Parameter BindDn is empty");
+ }
- ldapServer.Stop();
+ Y_UNIT_TEST(LdapRequestWithEmptyBindPassword) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindPassword, "Parameter BindPassword is empty");
}
Y_UNIT_TEST(LdapRefreshGroupsInfoGood) {
diff --git a/ydb/services/ydb/ydb_ldap_login_ut.cpp b/ydb/services/ydb/ydb_ldap_login_ut.cpp
index 9a45c136340..5222d75dc3c 100644
--- a/ydb/services/ydb/ydb_ldap_login_ut.cpp
+++ b/ydb/services/ydb/ydb_ldap_login_ut.cpp
@@ -72,9 +72,29 @@ void InitLdapSettingsWithInvalidFilter(NKikimrProto::TLdapAuthentication* ldapSe
ldapSettings->SetSearchFilter("&(uid=$username)()");
}
-void InitLdapSettingsWithUnavaliableHost(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+void InitLdapSettingsWithUnavailableHost(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
InitLdapSettings(ldapSettings, ldapPort, certificateFile);
- ldapSettings->SetHost("unavaliablehost");
+ ldapSettings->SetHost("unavailablehost");
+}
+
+void InitLdapSettingsWithEmptyHost(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetHost("");
+}
+
+void InitLdapSettingsWithEmptyBaseDn(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetBaseDn("");
+}
+
+void InitLdapSettingsWithEmptyBindDn(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetBindDn("");
+}
+
+void InitLdapSettingsWithEmptyBindPassword(NKikimrProto::TLdapAuthentication* ldapSettings, ui16 ldapPort, TTempFileHandle& certificateFile) {
+ InitLdapSettings(ldapSettings, ldapPort, certificateFile);
+ ldapSettings->SetBindPassword("");
}
class TLoginClientConnection {
@@ -233,25 +253,44 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
ldapServer.Stop();
}
- Y_UNIT_TEST(LdapAuthServerIsUnavaliable) {
+ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthentication*, ui16, TTempFileHandle&)> initLdapSettings, const TString& expectedErrorMessage) {
TString login = "ldapuser";
TString password = "ldapUserPassword";
- TLoginClientConnection loginConnection(InitLdapSettingsWithUnavaliableHost);
+ TLoginClientConnection loginConnection(initLdapSettings);
LdapMock::TLdapMockResponses responses;
LdapMock::TLdapSimpleServer ldapServer(loginConnection.GetLdapPort(), responses);
auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TString expectedErrorMessage = "Could not start TLS\nCan't contact LDAP server";
UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
loginConnection.Stop();
ldapServer.Stop();
}
+ Y_UNIT_TEST(LdapAuthServerIsUnavailable) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not start TLS\nCan't contact LDAP server");
+ }
+
+ Y_UNIT_TEST(LdapAuthSettingsWithEmptyHost) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyHost, "Ldap server host is empty");
+ }
+
+ Y_UNIT_TEST(LdapAuthSettingsWithEmptyBaseDn) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBaseDn, "Parameter BaseDn is empty");
+ }
+
+ Y_UNIT_TEST(LdapAuthSettingsWithEmptyBindDn) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindDn, "Parameter BindDn is empty");
+ }
+
+ Y_UNIT_TEST(LdapAuthSettingsWithEmptyBindPassword) {
+ CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindPassword, "Parameter BindPassword is empty");
+ }
+
Y_UNIT_TEST(LdapAuthWithInvalidLogin) {
- TString nonExistenUser = "nonexistenldapuser";
+ TString nonExistentUser = "nonexistentldapuser";
TString password = "ldapUserPassword";
LdapMock::TLdapMockResponses responses;
@@ -262,7 +301,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
.BaseDn = "dc=search,dc=yandex,dc=net",
.Scope = 2,
.DerefAliases = 0,
- .Filter = {.Type = LdapMock::EFilterType::LDAP_FILTER_EQUALITY, .Attribute = "uid", .Value = nonExistenUser},
+ .Filter = {.Type = LdapMock::EFilterType::LDAP_FILTER_EQUALITY, .Attribute = "uid", .Value = nonExistentUser},
.Attributes = {"1.1"}
}
};
@@ -276,9 +315,9 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
TLoginClientConnection loginConnection(InitLdapSettings);
LdapMock::TLdapSimpleServer ldapServer(loginConnection.GetLdapPort(), responses);
- auto factory = CreateLoginCredentialsProviderFactory({.User = nonExistenUser + "@ldap", .Password = password});
+ auto factory = CreateLoginCredentialsProviderFactory({.User = nonExistentUser + "@ldap", .Password = password});
auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
- TString expectedErrorMessage = "LDAP user " + nonExistenUser + " does not exist. LDAP search for filter uid=" + nonExistenUser + " on server localhost return no entries";
+ TString expectedErrorMessage = "LDAP user " + nonExistentUser + " does not exist. LDAP search for filter uid=" + nonExistentUser + " on server localhost return no entries";
UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
loginConnection.Stop();