From edb6a795f1687e4aeafc354b511c5bf2bbbf017a Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Tue, 22 Oct 2024 11:39:06 -0500 Subject: [PATCH] add rdn test cases --- tests/unit/test_backend.py | 95 +++++++++++++++++++++++--------------- 1 file changed, 59 insertions(+), 36 deletions(-) diff --git a/tests/unit/test_backend.py b/tests/unit/test_backend.py index e0e997d..6e1552f 100644 --- a/tests/unit/test_backend.py +++ b/tests/unit/test_backend.py @@ -21,6 +21,8 @@ import mock import unittest +import pytest + from st2auth_ldap import ldap_backend @@ -30,6 +32,10 @@ LDAP_BIND_DN = 'cn=Administrator,cn=users,dc=stackstorm,dc=net' LDAP_BIND_PASSWORD = uuid.uuid4().hex LDAP_GROUP_DNS = ['cn=testers,dc=stackstorm,dc=net'] +LDAP_GROUP_DNS_CASES = ( + pytest.param(LDAP_GROUP_DNS, id="group_fqdn"), + pytest.param(['cn=testers'], id="group_rdn"), +) LDAP_CACERT = '../fixtures/certs/cacert.pem' LDAP_CACERT_REAL_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), LDAP_CACERT) LDAP_BASE_OU = 'dc=stackstorm,dc=net' @@ -102,12 +108,13 @@ def test_instantaite_no_group_dns_provided(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_authenticate(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticate(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) 
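Review bot: `LDAP_GROUP_DNS_CASES` adds an RDN-only requirement (`['cn=testers']`) but, as far as the visible hunks show, it is only fed into existing tests, so nothing pins down which groups an RDN-only requirement must not match. Since this list gates authentication, I would add a negative case where the user's only group shares the RDN under a different parent (constructed example: `cn=testers,ou=other,dc=stackstorm,dc=net`) or merely begins with it (constructed example: `cn=testers2,dc=stackstorm,dc=net`), and assert the intended outcome explicitly. Separately, the id `group_fqdn` labels a full distinguished name, not a domain name; `pytest.param(LDAP_GROUP_DNS, id="group_dn")` would read more accurately.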
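Review bot: `@pytest.mark.parametrize` on `test_authenticate` will not supply `required_group_dns` if the enclosing class derives from `unittest.TestCase`, which the file's `import unittest` suggests; the class header is outside the hunk, so this needs confirming. pytest documents parametrization as unsupported on `TestCase` subclasses, so each such method would fail with a missing-argument `TypeError` rather than run twice. The same applies to every parametrized method in the later hunks. Either make the class a plain pytest class, or keep `TestCase` and iterate in the body with `for required_group_dns in (LDAP_GROUP_DNS, ['cn=testers']):` and `with self.subTest(required_group_dns=required_group_dns):`.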
@@ -121,12 +128,13 @@ def test_authenticate(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_authenticate_with_multiple_ldap_hosts(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticate_with_multiple_ldap_hosts(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_MULTIPLE_HOSTS, id_attr=LDAP_ID_ATTR ) @@ -140,12 +148,13 @@ def test_authenticate_with_multiple_ldap_hosts(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_authenticate_without_password(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticate_without_password(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) @@ -156,12 +165,13 @@ def test_authenticate_without_password(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'simple_bind_s', mock.MagicMock(side_effect=Exception())) - def test_authenticate_failure_bad_bind_cred(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticate_failure_bad_bind_cred(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) 
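Review bot: The `mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])` handed to `mock.patch.object` is built once, when the decorator is evaluated, so both parametrized cases of `test_authenticate_with_multiple_ldap_hosts` share a single `side_effect` iterator. If the first case consumes both entries, `search_s` raises `StopIteration` in the second case instead of returning LDAP data. In the failure tests that could pass as the expected denial if the backend swallows the exception (not visible here), leaving the `group_rdn` case green without ever exercising group matching. This affects every parametrized test patched this way, including `test_authenticate` in the previous hunk. Creating the mock per case inside the test body, e.g. `with mock.patch.object(ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[...])):`, avoids the shared state, and asserting the `search_s` call count would catch a case that never reached the group lookup.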
@@ -175,12 +185,13 @@ def test_authenticate_failure_bad_bind_cred(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_authenticate_failure_bad_user_password(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticate_failure_bad_user_password(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) @@ -194,13 +205,14 @@ def test_authenticate_failure_bad_user_password(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, []])) - def test_authenticate_failure_non_group_member_no_groups(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticate_failure_non_group_member_no_groups(self, required_group_dns): # User is not member of any of the required group backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR, group_dns_check='and' @@ -213,7 +225,7 @@ def test_authenticate_failure_non_group_member_no_groups(self): LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR, group_dns_check='or' 
@@ -229,13 +241,14 @@ def test_authenticate_failure_non_group_member_no_groups(self): ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, [('cn=group1,dc=stackstorm,dc=net', ())]])) - def test_authenticatefailure_non_group_member_non_required_group(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_authenticatefailure_non_group_member_non_required_group(self, required_group_dns): # User is member of a group which is not required backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR, group_dns_check='and' @@ -248,7 +261,7 @@ def test_authenticatefailure_non_group_member_non_required_group(self): LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR, group_dns_check='or' @@ -576,12 +589,13 @@ def test_authenticate_or_behavior_success_member_of_multiple_groups_3b(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_ssl_authenticate(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_ssl_authenticate(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, port=LDAPS_PORT, use_ssl=True, 
@@ -597,12 +611,13 @@ def test_ssl_authenticate(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_ssl_authenticate_failure(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_ssl_authenticate_failure(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, port=LDAPS_PORT, use_ssl=True, @@ -618,12 +633,13 @@ def test_ssl_authenticate_failure(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_ssl_authenticate_validate_cert(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_ssl_authenticate_validate_cert(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, port=LDAPS_PORT, use_ssl=True, @@ -643,12 +659,13 @@ def test_ssl_authenticate_validate_cert(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_tls_authenticate(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_tls_authenticate(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, use_tls=True, id_attr=LDAP_ID_ATTR 
@@ -666,12 +683,13 @@ def test_tls_authenticate(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_tls_authenticate_failure(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_tls_authenticate_failure(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, use_tls=True, id_attr=LDAP_ID_ATTR @@ -689,12 +707,13 @@ def test_tls_authenticate_failure(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_tls_authenticate_validate_cert(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_tls_authenticate_validate_cert(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, use_tls=True, cacert=LDAP_CACERT_REAL_PATH, @@ -710,13 +729,14 @@ def test_tls_authenticate_validate_cert(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, []])) - def test_special_characters_in_username_are_escaped(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_special_characters_in_username_are_escaped(self, required_group_dns): # User is not member of any of the required group backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) 
@@ -753,12 +773,13 @@ def test_special_characters_in_username_are_escaped(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_get_user(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_get_user(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) @@ -775,12 +796,13 @@ def test_get_user(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[2 * LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_get_user_multiple_results(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_get_user_multiple_results(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR ) @@ -794,12 +816,13 @@ def test_get_user_multiple_results(self): @mock.patch.object( ldap.ldapobject.SimpleLDAPObject, 'search_s', mock.MagicMock(side_effect=[LDAP_USER_SEARCH_RESULT, LDAP_GROUP_SEARCH_RESULT])) - def test_get_user_groups(self): + @pytest.mark.parametrize("required_group_dns", LDAP_GROUP_DNS_CASES) + def test_get_user_groups(self, required_group_dns): backend = ldap_backend.LDAPAuthenticationBackend( LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_BASE_OU, - LDAP_GROUP_DNS, + required_group_dns, LDAP_HOST, id_attr=LDAP_ID_ATTR )