diff options
| author | Andrey Molotkov <[email protected]> | 2024-07-25 14:01:54 +0300 |
|---|---|---|
| committer | GitHub <[email protected]> | 2024-07-25 14:01:54 +0300 |
| commit | af4bb4b332c46e4f6db4fdbc19a4a441e95458c2 (patch) | |
| tree | b07c01c3288b589d680400b9c4308d1919989e5e | |
| parent | 1bde86484b03ac3437d46f535f2e1db492aac0a3 (diff) | |
[Ldap] Remove redundant details from error message. Add logging to ldap auth provider (#7060)
| -rw-r--r-- | ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp | 111 | ||||
| -rw-r--r-- | ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h | 12 | ||||
| -rw-r--r-- | ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp | 32 | ||||
| -rw-r--r-- | ydb/library/services/services.proto | 1 | ||||
| -rw-r--r-- | ydb/services/ydb/ydb_ldap_login_ut.cpp | 28 |
5 files changed, 108 insertions, 76 deletions
diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp b/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp index 3f206f4a72d..7d4173141fb 100644 --- a/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp +++ b/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp @@ -6,6 +6,7 @@ #include <queue> #include "ldap_auth_provider.h" #include "ldap_utils.h" +#include "ldap_auth_provider_log.h" // This temporary solution // These lines should be declared outside ldap_compat.h @@ -172,11 +173,12 @@ private: int result = 0; if (Settings.GetScheme() != NKikimrLdap::LDAPS_SCHEME && Settings.GetUseTls().GetEnable()) { + LDAP_LOG_D("start TLS"); result = NKikimrLdap::StartTLS(*ld); if (!NKikimrLdap::IsSuccess(result)) { + LDAP_LOG_D("Could not start TLS. " << NKikimrLdap::ErrorToString(result)); TEvLdapAuthProvider::TError error { - .Message = "Could not start TLS\n" + NKikimrLdap::ErrorToString(result), - .Retryable = NKikimrLdap::IsRetryableError(result) + .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result) }; // The Unbind operation is not the antithesis of the Bind operation as the name implies. // Close the LDAP connection, free the resources contained in the LDAP structure @@ -185,12 +187,13 @@ private: } } + LDAP_LOG_D("bind: bindDn: " << Settings.GetBindDn()); result = NKikimrLdap::Bind(*ld, Settings.GetBindDn(), Settings.GetBindPassword()); if (!NKikimrLdap::IsSuccess(result)) { + LDAP_LOG_D("Could not perform initial LDAP bind for dn " << Settings.GetBindDn() << " on server " + UrisCreator.GetUris() << ". " + << NKikimrLdap::ErrorToString(result)); TEvLdapAuthProvider::TError error { - .Message = "Could not perform initial LDAP bind for dn " + Settings.GetBindDn() + " on server " + UrisCreator.GetUris() + "\n" - + NKikimrLdap::ErrorToString(result), - .Retryable = NKikimrLdap::IsRetryableError(result) + .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result) }; // The Unbind operation is not the antithesis of the Bind operation as the name implies. // Close the LDAP connection, free the resources contained in the LDAP structure @@ -210,26 +213,27 @@ private: const TString& caCertificateFile = Settings.GetUseTls().GetCaCertFile(); result = NKikimrLdap::SetOption(*ld, NKikimrLdap::EOption::TLS_CACERTFILE, caCertificateFile.c_str()); if (!NKikimrLdap::IsSuccess(result)) { + LDAP_LOG_D("Could not set LDAP ca certificate file \"" << caCertificateFile + "\": " << NKikimrLdap::ErrorToString(result)); NKikimrLdap::Unbind(*ld); return {{NKikimrLdap::ErrorToStatus(result), - {.Message = "Could not set LDAP ca certificate file \"" + caCertificateFile + "\": " + NKikimrLdap::ErrorToString(result), - .Retryable = NKikimrLdap::IsRetryableError(result)}}}; + {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}}; } } + LDAP_LOG_D("init: scheme: " << Settings.GetScheme() << ", uris: " << UrisCreator.GetUris() << ", port: " << UrisCreator.GetConfiguredPort()); result = NKikimrLdap::Init(ld, Settings.GetScheme(), UrisCreator.GetUris(), UrisCreator.GetConfiguredPort()); if (!NKikimrLdap::IsSuccess(result)) { + LDAP_LOG_D("Could not initialize LDAP connection for uris: " << UrisCreator.GetUris() << ". " << NKikimrLdap::LdapError(*ld)); return {{TEvLdapAuthProvider::EStatus::UNAVAILABLE, - {.Message = "Could not initialize LDAP connection for uris: " + UrisCreator.GetUris() + ". " + NKikimrLdap::LdapError(*ld), - .Retryable = false}}}; + {.Message = ERROR_MESSAGE, .Retryable = false}}}; } result = NKikimrLdap::SetProtocolVersion(*ld); if (!NKikimrLdap::IsSuccess(result)) { NKikimrLdap::Unbind(*ld); + LDAP_LOG_D("Could not set LDAP protocol version: " << NKikimrLdap::ErrorToString(result)); return {{NKikimrLdap::ErrorToStatus(result), - {.Message = "Could not set LDAP protocol version: " + NKikimrLdap::ErrorToString(result), - .Retryable = NKikimrLdap::IsRetryableError(result)}}}; + {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}}; } if (Settings.GetScheme() == NKikimrLdap::LDAPS_SCHEME || Settings.GetUseTls().GetEnable()) { @@ -237,9 +241,9 @@ private: result = NKikimrLdap::SetOption(*ld, NKikimrLdap::EOption::TLS_REQUIRE_CERT, &requireCert); if (!NKikimrLdap::IsSuccess(result)) { NKikimrLdap::Unbind(*ld); + LDAP_LOG_D("Could not set require certificate option: " << NKikimrLdap::ErrorToString(result)); return {{NKikimrLdap::ErrorToStatus(result), - {.Message = "Could not set require certificate option: " + NKikimrLdap::ErrorToString(result), - .Retryable = NKikimrLdap::IsRetryableError(result)}}}; + {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}}; } } @@ -249,16 +253,18 @@ private: TAuthenticateUserResponse AuthenticateUser(const TAuthenticateUserRequest& request) { char* dn = NKikimrLdap::GetDn(*request.Ld, request.Entry); if (dn == nullptr) { + LDAP_LOG_D("Could not get dn for the first entry matching " << FilterCreator.GetFilter(request.Login) << " on server " << UrisCreator.GetUris() << ". " + << NKikimrLdap::LdapError(*request.Ld)); return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED, - {.Message = "Could not get dn for the first entry matching " + FilterCreator.GetFilter(request.Login) + " on server " + UrisCreator.GetUris() + "\n" - + NKikimrLdap::LdapError(*request.Ld), - .Retryable = false}}}; + {.Message = ERROR_MESSAGE, .Retryable = false}}}; } TEvLdapAuthProvider::TError error; + LDAP_LOG_D("bind: bindDn: " << dn); int result = NKikimrLdap::Bind(*request.Ld, dn, request.Password); if (!NKikimrLdap::IsSuccess(result)) { - error.Message = "LDAP login failed for user " + TString(dn) + " on server " + UrisCreator.GetUris() + "\n" - + NKikimrLdap::ErrorToString((result)); + LDAP_LOG_D("LDAP login failed for user " << TString(dn) << " on server " << UrisCreator.GetUris() << ". " + << NKikimrLdap::ErrorToString((result))); + error.Message = ERROR_MESSAGE; error.Retryable = NKikimrLdap::IsRetryableError(result); } NKikimrLdap::MemFree(dn); @@ -269,6 +275,10 @@ private: LDAPMessage* searchMessage = nullptr; const TString searchFilter = FilterCreator.GetFilter(request.User); + LDAP_LOG_D("search: baseDn: " << Settings.GetBaseDn() + << ", scope: " << ConvertSearchScopeToString(NKikimrLdap::EScope::SUBTREE) + << ", filter: " << searchFilter + << ", attributes: " << GetStringOfRequestedAttributes(request.RequestedAttributes)); int result = NKikimrLdap::Search(request.Ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, @@ -278,23 +288,22 @@ private: &searchMessage); TSearchUserResponse response; if (!NKikimrLdap::IsSuccess(result)) { + LDAP_LOG_D("Could not search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << ". " + << NKikimrLdap::ErrorToString(result)); response.Status = NKikimrLdap::ErrorToStatus(result); - response.Error = {.Message = "Could not search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + "\n" - + NKikimrLdap::ErrorToString(result), - .Retryable = NKikimrLdap::IsRetryableError(result)}; + response.Error = {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}; return response; } const int countEntries = NKikimrLdap::CountEntries(request.Ld, searchMessage); if (countEntries != 1) { if (countEntries == 0) { - response.Error = {.Message = "LDAP user " + request.User + " does not exist. " - "LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + " return no entries", - .Retryable = false}; + LDAP_LOG_D("LDAP user " << request.User << " does not exist. " + "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return no entries"); } else { - response.Error = {.Message = "LDAP user " + request.User + " is not unique. " - "LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris() + " return " + countEntries + " entries", - .Retryable = false}; + LDAP_LOG_D("LDAP user " << request.User << " is not unique. " + "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return " << countEntries << " entries"); } + response.Error = {.Message = ERROR_MESSAGE, .Retryable = false}; response.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED; NKikimrLdap::MsgFree(searchMessage); return response; @@ -306,7 +315,14 @@ private: std::vector<TString> TryToGetGroupsUseMatchingRuleInChain(LDAP* ld, LDAPMessage* entry) const { static const TString matchingRuleInChain = "1.2.840.113556.1.4.1941"; // Only Active Directory supports TStringBuilder filter; - filter << "(member:" << matchingRuleInChain << ":=" << NKikimrLdap::GetDn(ld, entry) << ')'; + char* dn = NKikimrLdap::GetDn(ld, entry); + filter << "(member:" << matchingRuleInChain << ":=" << dn << ')'; + NKikimrLdap::MemFree(dn); + dn = nullptr; + LDAP_LOG_D("search: baseDn: " << Settings.GetBaseDn() + << ", scope: " << ConvertSearchScopeToString(NKikimrLdap::EScope::SUBTREE) + << ", filter: " << filter + << ", attributes: " << GetStringOfRequestedAttributes(NKikimrLdap::noAttributes)); LDAPMessage* searchMessage = nullptr; int result = NKikimrLdap::Search(ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, filter, NKikimrLdap::noAttributes, 0, &searchMessage); if (!NKikimrLdap::IsSuccess(result)) { @@ -320,13 +336,18 @@ private: std::vector<TString> groups; groups.reserve(countEntries); for (LDAPMessage* groupEntry = NKikimrLdap::FirstEntry(ld, searchMessage); groupEntry != nullptr; groupEntry = NKikimrLdap::NextEntry(ld, groupEntry)) { - groups.push_back(NKikimrLdap::GetDn(ld, groupEntry)); + dn = NKikimrLdap::GetDn(ld, groupEntry); + groups.push_back(dn); + NKikimrLdap::MemFree(dn); + dn = nullptr; } NKikimrLdap::MsgFree(searchMessage); return groups; } void GetNestedGroups(LDAP* ld, std::vector<TString>* groups) { + LDAP_LOG_D("Try to get nested groups - tree traversal"); + std::unordered_set<TString> viewedGroups(groups->cbegin(), groups->cend()); std::queue<TString> queue; for (const auto& group : *groups) { @@ -344,6 +365,10 @@ private: queue.pop(); } filter << ')'; + LDAP_LOG_D("search: baseDn: " << Settings.GetBaseDn() + << ", scope: " << ConvertSearchScopeToString(NKikimrLdap::EScope::SUBTREE) + << ", filter: " << filter + << ", attributes: " << GetStringOfRequestedAttributes(RequestedAttributes)); LDAPMessage* searchMessage = nullptr; int result = NKikimrLdap::Search(ld, Settings.GetBaseDn(), NKikimrLdap::EScope::SUBTREE, filter, RequestedAttributes, 0, &searchMessage); if (!NKikimrLdap::IsSuccess(result)) { @@ -392,7 +417,35 @@ private: return {TEvLdapAuthProvider::EStatus::SUCCESS, {}}; } + static TString ConvertSearchScopeToString(const NKikimrLdap::EScope& scope) { + switch (scope) { + case NKikimrLdap::EScope::BASE: + return "base"; + case NKikimrLdap::EScope::ONE_LEVEL: + return "one level"; + case NKikimrLdap::EScope::SUBTREE: + return "subtree"; + } + } + + static TString GetStringOfRequestedAttributes(char** attributes) { + if (!attributes) { + return ""; + } + TStringBuilder result; + char* firstAttribute = *attributes; + if (firstAttribute) { + result << firstAttribute; + for (char* currentAttribute = *(++attributes); currentAttribute != nullptr; currentAttribute = *(++attributes)) { + result << ", " << currentAttribute; + } + } + return result; + } + private: + static constexpr const char* ERROR_MESSAGE = "User is unauthorized in LDAP server"; + const NKikimrProto::TLdapAuthentication Settings; const TSearchFilterCreator FilterCreator; const TLdapUrisCreator UrisCreator; diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h new file mode 100644 index 00000000000..2399e89206b --- /dev/null +++ b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_log.h @@ -0,0 +1,12 @@ +#pragma once + +#include <ydb/library/actors/core/log.h> + +#if defined LDAP_LOG_D || defined LDAP_LOG_W || defined LDAP_LOG_ERROR || defined LDAP_LOG_TRACE +#error log macro definition clash +#endif + +#define LDAP_LOG_D(stream) LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream) +#define LDAP_LOG_TRACE(stream) LOG_TRACE_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream) +#define LDAP_LOG_ERROR(stream) LOG_ERROR_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream) +#define LDAP_LOG_W(stream) LOG_WARN_S(*TlsActivationContext, NKikimrServices::LDAP_AUTH_PROVIDER, stream) diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp index 3b6f41026f6..e526717e118 100644 --- a/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp +++ b/ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp @@ -125,6 +125,7 @@ public: Server.EnableGRpc(GrpcPort); Server.GetRuntime()->SetLogPriority(NKikimrServices::TICKET_PARSER, NLog::PRI_TRACE); Server.GetRuntime()->SetLogPriority(NKikimrServices::GRPC_CLIENT, NLog::PRI_TRACE); + Server.GetRuntime()->SetLogPriority(NKikimrServices::LDAP_AUTH_PROVIDER, NLog::PRI_TRACE); } TTestActorRuntime* GetRuntime() const { @@ -832,11 +833,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password); TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>(); UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message"); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=invalidRobouser,dc=search,dc=yandex,dc=net on server " - << (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") << "localhost:" - << server.GetLdapPort() << "\nInvalid credentials"; - UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage); + UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server"); UNIT_ASSERT(ticketParserResult->Token == nullptr); ldapServer.Stop(); @@ -855,11 +852,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password); TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>(); UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message"); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=robouser,dc=search,dc=yandex,dc=net on server " - << (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") << "localhost:" - << server.GetLdapPort() << "\nInvalid credentials"; - UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage); + UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server"); UNIT_ASSERT(ticketParserResult->Token == nullptr); ldapServer.Stop(); @@ -894,11 +887,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, removedUserLogin, removedUserPassword); TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>(); UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message"); - const TString expectedErrorMessage = "LDAP user " + removedUserLogin + " does not exist. " - "LDAP search for filter uid=" + removedUserLogin + " on server " + - (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") + "localhost:" + - ToString(server.GetLdapPort()) + " return no entries"; - UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage); + UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server"); ldapServer.Stop(); } @@ -916,10 +905,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password); TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>(); UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message"); - const TString expectedErrorMessage = "Could not search for filter &(uid=" + login + ")() on server " + - (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") + "localhost:" + - ToString(server.GetLdapPort()) + "\nBad search filter"; - UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage); + UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server"); ldapServer.Stop(); } @@ -1026,11 +1012,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message"); UNIT_ASSERT(ticketParserResult->Token == nullptr); - const TString expectedErrorMessage = "LDAP user " + login + " does not exist. " - "LDAP search for filter uid=" + login + " on server " + - (secureType == ESecurityConnectionType::LDAPS_SCHEME ? "ldaps://" : "ldap://") + "localhost:" + - ToString(server.GetLdapPort()) + " return no entries"; - UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, expectedErrorMessage); + UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server"); UNIT_ASSERT_EQUAL(ticketParserResult->Error.Retryable, false); ldapServer.Stop(); @@ -1038,7 +1020,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat Y_UNIT_TEST_SUITE(LdapAuthProviderTest) { Y_UNIT_TEST(LdapServerIsUnavailable) { - CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not start TLS\nCan't contact LDAP server", ESecurityConnectionType::START_TLS); + CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "User is unauthorized in LDAP server", ESecurityConnectionType::START_TLS); } Y_UNIT_TEST(LdapRequestWithEmptyHost) { diff --git a/ydb/library/services/services.proto b/ydb/library/services/services.proto index 1693816d730..ef29f8181d1 100644 --- a/ydb/library/services/services.proto +++ b/ydb/library/services/services.proto @@ -188,6 +188,7 @@ enum EServiceKikimr { TOKEN_BUILDER = 450; TICKET_PARSER = 455; BLACKBOX_VALIDATOR = 460; + LDAP_AUTH_PROVIDER = 2650; GRPC_CLIENT = 461; diff --git a/ydb/services/ydb/ydb_ldap_login_ut.cpp b/ydb/services/ydb/ydb_ldap_login_ut.cpp index 54f132431c7..43043688a09 100644 --- a/ydb/services/ydb/ydb_ldap_login_ut.cpp +++ b/ydb/services/ydb/ydb_ldap_login_ut.cpp @@ -210,10 +210,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) { auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password}); auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility()); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=invalidRobouser,dc=search,dc=yandex,dc=net on server " - << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nInvalid credentials"; - UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage); + UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server"); loginConnection.Stop(); ldapServer.Stop(); @@ -231,10 +228,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) { auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password}); auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility()); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "Could not perform initial LDAP bind for dn cn=robouser,dc=search,dc=yandex,dc=net on server " - << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nInvalid credentials"; - UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage); + UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server"); loginConnection.Stop(); ldapServer.Stop(); @@ -252,10 +246,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) { auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password}); auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility()); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "Could not search for filter &(uid=" << login << ")() on server " - << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nBad search filter"; - UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage); + UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server"); loginConnection.Stop(); ldapServer.Stop(); @@ -278,7 +269,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) { } Y_UNIT_TEST(LdapAuthServerIsUnavailable) { - CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not start TLS\nCan't contact LDAP server"); + CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "User is unauthorized in LDAP server"); } Y_UNIT_TEST(LdapAuthSettingsWithEmptyHosts) { @@ -325,11 +316,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) { auto factory = CreateLoginCredentialsProviderFactory({.User = nonExistentUser + "@ldap", .Password = password}); auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility()); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "LDAP user " << nonExistentUser << " does not exist. LDAP search for filter uid=" - << nonExistentUser << " on server " - << "ldap://localhost:" << loginConnection.GetLdapPort() << " return no entries"; - UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage); + UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server"); loginConnection.Stop(); ldapServer.Stop(); @@ -370,10 +357,7 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) { auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password}); auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility()); - TStringBuilder expectedErrorMessage; - expectedErrorMessage << "LDAP login failed for user uid=" << login << ",dc=search,dc=yandex,dc=net on server " - << "ldap://localhost:" << loginConnection.GetLdapPort() << "\nInvalid credentials"; - UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage); + UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server"); loginConnection.Stop(); ldapServer.Stop(); |
