salt/tests/unit/auth/test_ldap.py

# -*- coding: utf-8 -*-

# Import python libs
from __future__ import absolute_import

# Import Salt Libs
import salt.auth.ldap

# Import Salt Testing Libs
from tests.support.mock import patch
from tests.support.unit import skipIf, TestCase

salt.auth.ldap.__opts__ = {}


class Bind(object):
    '''
    fake search_s return
    '''

    @staticmethod
    def search_s(*args, **kwargs):
        return [
            (
                'cn=saltusers,cn=groups,cn=compat,dc=saltstack,dc=com',
                {'memberUid': [b'saltuser'], 'cn': [b'saltusers']},
            ),
        ]


@skipIf(not salt.auth.ldap.HAS_LDAP, 'Install python-ldap for this test')
class LDAPAuthTestCase(TestCase):
    '''
    Unit tests for salt.auth.ldap
    '''

    def setUp(self):
        self.opts = {
            'auth.ldap.binddn': 'uid={{username}},cn=users,cn=compat,dc=saltstack,dc=com',
            'auth.ldap.port': 389,
            'auth.ldap.tls': False,
            'auth.ldap.server': '172.18.0.2',
            'auth.ldap.accountattributename': 'memberUid',
            'auth.ldap.groupattribute': 'memberOf',
            'auth.ldap.group_basedn': 'cn=groups,cn=compat,dc=saltstack,dc=com',
            'auth.ldap.basedn': 'dc=saltstack,dc=com',
            'auth.ldap.group_filter': '(&(memberUid={{ username }})(objectClass=posixgroup))'}

    def tearDown(self):
        self.opts['auth.ldap.freeipa'] = False
        self.opts['auth.ldap.activedirectory'] = False

    def test_config(self):
        '''
        Test that the _config function works correctly
        '''
        with patch.dict(salt.auth.ldap.__opts__, self.opts):
            self.assertEqual(salt.auth.ldap._config('basedn'), 'dc=saltstack,dc=com')
            self.assertEqual(salt.auth.ldap._config('group_filter'), '(&(memberUid={{ username }})(objectClass=posixgroup))')
            self.assertEqual(salt.auth.ldap._config('accountattributename'), 'memberUid')
            self.assertEqual(salt.auth.ldap._config('groupattribute'), 'memberOf')

    def test_groups_freeipa(self):
        '''
        test groups in freeipa
        '''
        self.opts['auth.ldap.freeipa'] = True
        with patch.dict(salt.auth.ldap.__opts__, self.opts):
            with patch('salt.auth.ldap._bind', return_value=Bind):
                self.assertIn('saltusers', salt.auth.ldap.groups('saltuser', password='password'))

    def test_groups(self):
        '''
        test groups in ldap
        '''
        with patch.dict(salt.auth.ldap.__opts__, self.opts):
            with patch('salt.auth.ldap._bind', return_value=Bind):
                self.assertIn('saltusers', salt.auth.ldap.groups('saltuser', password='password'))

    def test_groups_activedirectory(self):
        '''
        test groups in activedirectory
        '''
        self.opts['auth.ldap.activedirectory'] = True
        with patch.dict(salt.auth.ldap.__opts__, self.opts):
            with patch('salt.auth.ldap._bind', return_value=Bind):
                self.assertIn('saltusers', salt.auth.ldap.groups('saltuser', password='password'))

    def test_auth_nopass(self):
        opts = self.opts.copy()
        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
        with patch.dict(salt.auth.ldap.__opts__, opts):
            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
                self.assertFalse(salt.auth.ldap.auth('foo', None))

    def test_auth_nouser(self):
        opts = self.opts.copy()
        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
        with patch.dict(salt.auth.ldap.__opts__, opts):
            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
                self.assertFalse(salt.auth.ldap.auth(None, 'foo'))

    def test_auth_nouserandpass(self):
        opts = self.opts.copy()
        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
        with patch.dict(salt.auth.ldap.__opts__, opts):
            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
                self.assertFalse(salt.auth.ldap.auth(None, None))