auth/ldap: Add username to alias.metadata.name (hashicorp#13669)

* Fix upndomain bug causing alias name to change * Fix nil map * Add changelog * revert * Update changelog * Add test for alias metadata name * Fix code comment
qk4l · Feb 4, 2022 · 649e8ed · 649e8ed
1 parent 7554fd4
commit 649e8ed
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 22 deletions.
diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
@@ -597,6 +597,26 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {
 
 }
 
+func TestBackend_basic_authbind_metadata_name(t *testing.T) {
+
+	b := factory(t)
+	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	defer cleanup()
+
+	cfg.UserAttr = "cn"
+	cfg.UPNDomain = "planetexpress.com"
+
+	addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
+
+	logicaltest.Test(t, logicaltest.TestCase{
+		CredentialBackend: b,
+		Steps: []logicaltest.TestStep{
+			testAccStepConfigUrlWithAuthBind(t, cfg),
+			testAccStepLoginAliasMetadataName(t, "professor", "professor"),
+		},
+	})
+}
+
 func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, testUserDN string, testUserUPN string) {
 	// Setup connection
 	client := &ldaputil.Client{
@@ -644,23 +664,6 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,
 
 }
 
-func TestBackend_basic_authbind_upndomain(t *testing.T) {
-	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
-	defer cleanup()
-	cfg.UPNDomain = "planetexpress.com"
-
-	addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
-
-	logicaltest.Test(t, logicaltest.TestCase{
-		CredentialBackend: b,
-		Steps: []logicaltest.TestStep{
-			testAccStepConfigUrlWithAuthBind(t, cfg),
-			testAccStepLoginNoAttachedPolicies(t, "professor", "professor"),
-		},
-	})
-}
-
 func TestBackend_basic_discover(t *testing.T) {
 	b := factory(t)
 	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
@@ -990,6 +993,19 @@ func testAccStepLoginNoAttachedPolicies(t *testing.T, user string, pass string)
 	}
 }
 
+func testAccStepLoginAliasMetadataName(t *testing.T, user string, pass string) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "login/" + user,
+		Data: map[string]interface{}{
+			"password": pass,
+		},
+		Unauthenticated: true,
+
+		Check: logicaltest.TestCheckAuthEntityAliasMetadataName("name", user),
+	}
+}
+
 func testAccStepLoginFailure(t *testing.T, user string, pass string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,

diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
@@ -97,6 +97,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		DisplayName: username,
 		Alias: &logical.Alias{
 			Name: effectiveUsername,
+			Metadata: map[string]string{
+				"name": username,
+			},
 		},
 	}
 

diff --git a/changelog/13669.txt b/changelog/13669.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Add username to alias metadata
+```
diff --git a/helper/testhelpers/logical/testing.go b/helper/testhelpers/logical/testing.go
@@ -457,13 +457,37 @@ func TestCheckAuthEntityId(entity_id *string) TestCheckFunc {
 			return fmt.Errorf("no auth in response")
 		}
 
-        if *entity_id == "" {
-            // If we don't know what the entity_id should be, just save it
-            *entity_id = resp.Auth.EntityID
-        } else if resp.Auth.EntityID != *entity_id {
+		if *entity_id == "" {
+			// If we don't know what the entity_id should be, just save it
+			*entity_id = resp.Auth.EntityID
+		} else if resp.Auth.EntityID != *entity_id {
 			return fmt.Errorf("entity_id %s does not match the expected value of %s", resp.Auth.EntityID, *entity_id)
-        }
+		}
+
+		return nil
+	}
+}
 
+// TestCheckAuthEntityAliasMetadataName is a helper to check that a request generated an
+// auth token with the expected alias metadata.
+func TestCheckAuthEntityAliasMetadataName(key string, value string) TestCheckFunc {
+	return func(resp *logical.Response) error {
+		if resp == nil || resp.Auth == nil {
+			return fmt.Errorf("no auth in response")
+		}
+
+		if key == "" || value == "" {
+			return fmt.Errorf("alias metadata key and value required")
+		}
+
+		name, ok := resp.Auth.Alias.Metadata[key]
+		if !ok {
+			return fmt.Errorf("metadata key %s does not exist, it should", key)
+		}
+
+		if name != value {
+			return fmt.Errorf("expected map value %s, got %s", value, name)
+		}
 		return nil
 	}
 }