
Example 1 with DisposableSubContext

use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.

In class TestLdapAuthenticator, method testSingleBindPattern.

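/**
 * Authenticates through a single {@code userBindSearchPatterns} entry (direct bind as
 * {@code uid=<user>,<organization DN>}) with no group filter configured.
 * A wrong password and an unknown user must both be rejected as
 * {@link AccessDeniedException} with the same generic message, while the correct
 * password yields a {@link BasicPrincipal}.
 */
@Test
public void testSingleBindPattern() throws Exception {
    try (DisposableSubContext organization = openLdapServer.createOrganization();
        DisposableSubContext ignored = openLdapServer.createUser(organization, "alice", "alice-pass")) {
        // Bind directly as the user's DN inside the test organization.
        LdapConfig config = new LdapConfig()
                .setUserBindSearchPatterns("uid=${USER}," + organization.getDistinguishedName());
        LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, config);
        // Wrong password and unknown user are indistinguishable to the caller: the same
        // exception type and the same generic message, so the response does not leak
        // whether the account exists.
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid"))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageMatching("Access Denied: Invalid credentials");
        // Pin the concrete exception type here as well (testGroupMembership asserts the same
        // scenario with AccessDeniedException); RuntimeException alone would accept any failure.
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("unknown", "alice-pass"))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageMatching("Access Denied: Invalid credentials");
        assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
    }
}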
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) BasicPrincipal(io.trino.spi.security.BasicPrincipal) DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext) Test(org.testng.annotations.Test)

Example 2 with DisposableSubContext

use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.

In class TestLdapAuthenticator, method testGroupMembership.

/**
 * Combines a direct user bind with a group-authorization filter: a user whose
 * credentials are valid but who is not in a {@code cn=group_*} group is still denied,
 * and is admitted only once added to such a group.
 */
@Test
public void testGroupMembership() throws Exception {
    try (DisposableSubContext organization = openLdapServer.createOrganization();
        DisposableSubContext authorizedGroup = openLdapServer.createGroup(organization);
        DisposableSubContext aliceUser = openLdapServer.createUser(organization, "alice", "alice-pass");
        DisposableSubContext ignored = openLdapServer.createUser(organization, "bob", "bob-pass")) {
        String organizationDn = organization.getDistinguishedName();
        // The member filter is keyed on the authenticated user's own DN, so each lookup
        // can match at most the one entry for that user.
        String groupFilter = format("(&(objectClass=groupOfNames)(cn=group_*)(member=uid=${USER},%s))", organizationDn);
        LdapConfig config = new LdapConfig()
                .setUserBindSearchPatterns("uid=${USER}," + organizationDn)
                .setUserBaseDistinguishedName(organizationDn)
                .setGroupAuthorizationSearchPattern(groupFilter);
        LdapAuthenticator authenticator = new LdapAuthenticator(client, config);

        // Credential failures come first and use the generic message.
        assertThatThrownBy(() -> authenticator.createAuthenticatedPrincipal("alice", "invalid"))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageMatching("Access Denied: Invalid credentials");
        assertThatThrownBy(() -> authenticator.createAuthenticatedPrincipal("unknown", "alice-pass"))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageMatching("Access Denied: Invalid credentials");
        // Valid password but no group: authorization, not authentication, rejects bob.
        assertThatThrownBy(() -> authenticator.createAuthenticatedPrincipal("bob", "bob-pass"))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageMatching("Access Denied: User \\[bob] not a member of an authorized group");

        openLdapServer.addUserToGroup(aliceUser, authorizedGroup);
        assertEquals(authenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
    }
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) BasicPrincipal(io.trino.spi.security.BasicPrincipal) DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext) Test(org.testng.annotations.Test)

Example 3 with DisposableSubContext

use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.

In class TestLdapAuthenticator, method testDistinguishedNameLookup.

/**
 * Exercises the search-then-bind flow: no user bind pattern is configured, so the
 * authenticator uses the service-account credentials ({@code setBindDistingushedName} /
 * {@code setBindPassword}) to search under the organization base DN with a
 * {@code memberof=<group DN>} filter and only then binds as the resolved user.
 * Group membership is changed with {@code addUserToGroup} between the assertions.
 */
@Test
public void testDistinguishedNameLookup() throws Exception {
    try (DisposableSubContext organization = openLdapServer.createOrganization();
        DisposableSubContext group = openLdapServer.createGroup(organization);
        DisposableSubContext alice = openLdapServer.createUser(organization, "alice", "alice-pass");
        DisposableSubContext bob = openLdapServer.createUser(organization, "bob", "bob-pass")) {
        // The admin DN/password below are the test OpenLDAP server's service account; the
        // filter has no ${USER} term, so it matches every member of the group.
        LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(client, new LdapConfig().setUserBaseDistinguishedName(organization.getDistinguishedName()).setGroupAuthorizationSearchPattern(format("(&(objectClass=inetOrgPerson)(memberof=%s))", group.getDistinguishedName())).setBindDistingushedName("cn=admin,dc=trino,dc=testldap,dc=com").setBindPassword("admin"));
        // Nobody is in the group yet: the membership search fails before the user's own
        // password is checked, so a wrong password (and a non-existent user) is reported
        // as "not a member" rather than "Invalid credentials".
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("unknown_user", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[unknown_user] not a member of an authorized group");
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[alice] not a member of an authorized group");
        // invalidateCache() between steps keeps each assertion independent of the previous
        // outcome (presumably the authenticator caches results -- confirm against LdapAuthenticator).
        ldapAuthenticator.invalidateCache();
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[alice] not a member of an authorized group");
        ldapAuthenticator.invalidateCache();
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[bob] not a member of an authorized group");
        ldapAuthenticator.invalidateCache();
        // Once alice is the group's only member the search resolves her DN: the correct
        // password succeeds and a wrong one now fails at the user bind.
        openLdapServer.addUserToGroup(alice, group);
        assertEquals(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
        ldapAuthenticator.invalidateCache();
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
        ldapAuthenticator.invalidateCache();
        // Now group authorization filter will return multiple entries
        openLdapServer.addUserToGroup(bob, group);
        // An ambiguous lookup is treated as a denial rather than silently taking the first
        // entry, so a loose filter cannot authenticate one user as another.
        assertThatThrownBy(() -> ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Multiple group membership results for user \\[alice].*");
        ldapAuthenticator.invalidateCache();
    }
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) BasicPrincipal(io.trino.spi.security.BasicPrincipal) DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext) Test(org.testng.annotations.Test)

Example 4 with DisposableSubContext

use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.

In class TestLdapAuthenticator, method testInvalidBindPassword.

/**
 * A wrong service-account password must make every authentication fail with the generic
 * "Invalid credentials" message, even when the user's own credentials would be valid;
 * the search step cannot run without a working bind.
 */
@Test
public void testInvalidBindPassword() throws Exception {
    try (DisposableSubContext organization = openLdapServer.createOrganization()) {
        // Correct admin DN, deliberately wrong password.
        LdapConfig config = new LdapConfig()
                .setUserBaseDistinguishedName(organization.getDistinguishedName())
                .setGroupAuthorizationSearchPattern("(&(objectClass=inetOrgPerson))")
                .setBindDistingushedName("cn=admin,dc=trino,dc=testldap,dc=com")
                .setBindPassword("invalid-password");
        LdapAuthenticator authenticator = new LdapAuthenticator(client, config);

        assertThatThrownBy(() -> authenticator.createAuthenticatedPrincipal("alice", "alice-pass"))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageMatching("Access Denied: Invalid credentials");
    }
}
Also used : AccessDeniedException(io.trino.spi.security.AccessDeniedException) DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext) Test(org.testng.annotations.Test)

Example 5 with DisposableSubContext

use of io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext in project trino by trinodb.

In class TestLdapAuthenticator, method testMultipleBindPattern.

/**
 * Several colon-separated bind patterns are tried in turn, so users living in either
 * organization subtree can authenticate. Note that {@code alice} exists in both trees and
 * both logins map to the same {@link BasicPrincipal}; deployments listing multiple trees
 * should make sure uid collisions across them are intended.
 */
@Test
public void testMultipleBindPattern() throws Exception {
    try (DisposableSubContext organization = openLdapServer.createOrganization();
        DisposableSubContext alternativeOrganization = openLdapServer.createOrganization();
        DisposableSubContext aliceInPrimary = openLdapServer.createUser(organization, "alice", "alice-pass");
        DisposableSubContext bobInAlternative = openLdapServer.createUser(alternativeOrganization, "bob", "bob-pass");
        DisposableSubContext aliceInAlternative = openLdapServer.createUser(alternativeOrganization, "alice", "alt-alice-pass")) {
        // Two patterns, one per organization, separated by ':'.
        String bindPatterns = format("uid=${USER},%s:uid=${USER},%s",
                organization.getDistinguishedName(),
                alternativeOrganization.getDistinguishedName());
        LdapAuthenticator authenticator = new LdapAuthenticator(client, new LdapConfig().setUserBindSearchPatterns(bindPatterns));

        // The cache is cleared after each successful login so every call below performs a real bind.
        assertEquals(authenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
        authenticator.invalidateCache();
        assertEquals(authenticator.createAuthenticatedPrincipal("bob", "bob-pass"), new BasicPrincipal("bob"));
        authenticator.invalidateCache();
        // The alternative-tree alice authenticates with her own password...
        assertEquals(authenticator.createAuthenticatedPrincipal("alice", "alt-alice-pass"), new BasicPrincipal("alice"));
        authenticator.invalidateCache();
        // ...and the primary-tree alice still works afterwards.
        assertEquals(authenticator.createAuthenticatedPrincipal("alice", "alice-pass"), new BasicPrincipal("alice"));
        authenticator.invalidateCache();
    }
}
Also used : BasicPrincipal(io.trino.spi.security.BasicPrincipal) DisposableSubContext(io.trino.plugin.password.ldap.TestingOpenLdapServer.DisposableSubContext) Test(org.testng.annotations.Test)
