Example 1 with DisposableSubContext
use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.
the class TestLdapAuthenticator method testSingleBindPattern.
@Test
public void testSingleBindPattern() throws Exception {
try (DisposableSubContext organization = openLdapServer.createOrganization();
DisposableSubContext ignored = openLdapServer.createUser(organization, "alice", "alice-pass")) {
LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, new LdapConfig().setUserBindSearchPatterns("uid=${USER}," + organization.getDistinguishedName()));
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("unknown", "alice-pass")).isInstanceOf(RuntimeException.class).hasMessageMatching("Access Denied: Invalid credentials");
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
}
}
Also used :
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
BasicPrincipal(io.trino.spi.security.BasicPrincipal)
DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext)
Test(org.testng.annotations.Test)
Example 2 with DisposableSubContext
use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.
the class TestLdapAuthenticator method testGroupMembership.
@Test
public void testGroupMembership() throws Exception {
try (DisposableSubContext organization = openLdapServer.createOrganization();
DisposableSubContext group = openLdapServer.createGroup(organization);
DisposableSubContext alice = openLdapServer.createUser(organization, "alice", "alice-pass");
DisposableSubContext ignored = openLdapServer.createUser(organization, "bob", "bob-pass")) {
LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, new LdapConfig().setUserBindSearchPatterns("uid=${USER}," + organization.getDistinguishedName()).setUserBaseDistinguishedName(organization.getDistinguishedName()).setGroupAuthorizationSearchPattern(format("(&(objectClass=groupOfNames)(cn=group_*)(member=uid=${USER},%s))", organization.getDistinguishedName())));
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("unknown", "alice-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[bob] not a member of an authorized group");
openLdapServer.addUserToGroup(alice, group);
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
}
}
Also used :
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
BasicPrincipal(io.trino.spi.security.BasicPrincipal)
DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext)
Test(org.testng.annotations.Test)
Example 3 with DisposableSubContext
use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.
the class TestLdapAuthenticator method testDistinguishedNameLookup.
@Test
public void testDistinguishedNameLookup() throws Exception {
try (DisposableSubContext organization = openLdapServer.createOrganization();
DisposableSubContext group = openLdapServer.createGroup(organization);
DisposableSubContext alice = openLdapServer.createUser(organization, "alice", "alice-pass");
DisposableSubContext bob = openLdapServer.createUser(organization, "bob", "bob-pass")) {
LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, new LdapConfig().setUserBaseDistinguishedName(organization.getDistinguishedName()).setGroupAuthorizationSearchPattern(format("(&(objectClass=inetOrgPerson)(memberof=%s))", group.getDistinguishedName())).setBindDistingushedName("cn=admin,dc=trino,dc=testldap,dc=com").setBindPassword("admin"));
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("unknown_user", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[unknown_user] not a member of an authorized group");
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[alice] not a member of an authorized group");
ldapAuthenticator.invalidateCache();
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[alice] not a member of an authorized group");
ldapAuthenticator.invalidateCache();
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[bob] not a member of an authorized group");
ldapAuthenticator.invalidateCache();
openLdapServer.addUserToGroup(alice, group);
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
ldapAuthenticator.invalidateCache();
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
ldapAuthenticator.invalidateCache();
// Now group authorization filter will return multiple entries
openLdapServer.addUserToGroup(bob, group);
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Multiple group membership results for user \\[alice].*");
ldapAuthenticator.invalidateCache();
}
}
Also used :
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
BasicPrincipal(io.trino.spi.security.BasicPrincipal)
DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext)
Test(org.testng.annotations.Test)
Example 4 with DisposableSubContext
use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.
the class TestLdapAuthenticator method testInvalidBindPassword.
@Test
public void testInvalidBindPassword() throws Exception {
try (DisposableSubContext organization = openLdapServer.createOrganization()) {
LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, new LdapConfig().setUserBaseDistinguishedName(organization.getDistinguishedName()).setGroupAuthorizationSearchPattern("(&(objectClass=inetOrgPerson))").setBindDistingushedName("cn=admin,dc=trino,dc=testldap,dc=com").setBindPassword("invalid-password"));
assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
}
}
Also used :
AccessDeniedException(io.trino.spi.security.AccessDeniedException)
DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext)
Test(org.testng.annotations.Test)
Example 5 with DisposableSubContext
use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.
the class TestLdapAuthenticator method testMultipleBindPattern.
@Test
public void testMultipleBindPattern() throws Exception {
try (DisposableSubContext organization = openLdapServer.createOrganization();
DisposableSubContext alternativeOrganization = openLdapServer.createOrganization();
DisposableSubContext ignored = openLdapServer.createUser(organization, "alice", "alice-pass");
DisposableSubContext ignored1 = openLdapServer.createUser(alternativeOrganization, "bob", "bob-pass");
DisposableSubContext ignored2 = openLdapServer.createUser(alternativeOrganization, "alice", "alt-alice-pass")) {
LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, new LdapConfig().setUserBindSearchPatterns(format("uid=${USER},%s:uid=${USER},%s", organization.getDistinguishedName(), alternativeOrganization.getDistinguishedName())));
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
ldapAuthenticator.invalidateCache();
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass"), new BasicPrincipal("bob"));
ldapAuthenticator.invalidateCache();
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alt-alice-pass"), new BasicPrincipal("alice"));
ldapAuthenticator.invalidateCache();
assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
ldapAuthenticator.invalidateCache();
}
}
Also used :
BasicPrincipal(io.trino.spi.security.BasicPrincipal)
DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext)
Test(org.testng.annotations.Test)
Aggregations
DisposableSubContext (io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext)7
Test (org.testng.annotations.Test)7
BasicPrincipal (io.trino.spi.security.BasicPrincipal)6
AccessDeniedException (io.trino.spi.security.AccessDeniedException)4
Duration (io.airlift.units.Duration)2
