server: refactor group requests to use filters
This commit is contained in:
parent
a1fe703bf0
commit
c850fa4273
@ -54,6 +54,17 @@ pub enum UserRequestFilter {
|
|||||||
MemberOfId(GroupId),
|
MemberOfId(GroupId),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
|
||||||
|
pub enum GroupRequestFilter {
|
||||||
|
And(Vec<GroupRequestFilter>),
|
||||||
|
Or(Vec<GroupRequestFilter>),
|
||||||
|
Not(Box<GroupRequestFilter>),
|
||||||
|
DisplayName(String),
|
||||||
|
GroupId(GroupId),
|
||||||
|
// Check if the group contains a user identified by uid.
|
||||||
|
Member(String),
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone, Default)]
|
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone, Default)]
|
||||||
pub struct CreateUserRequest {
|
pub struct CreateUserRequest {
|
||||||
// Same fields as User, but no creation_date, and with password.
|
// Same fields as User, but no creation_date, and with password.
|
||||||
@ -94,7 +105,7 @@ pub struct GroupIdAndName(pub GroupId, pub String);
|
|||||||
#[async_trait]
|
#[async_trait]
|
||||||
pub trait BackendHandler: Clone + Send {
|
pub trait BackendHandler: Clone + Send {
|
||||||
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
||||||
async fn list_groups(&self) -> Result<Vec<Group>>;
|
async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
|
||||||
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
||||||
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
||||||
async fn create_user(&self, request: CreateUserRequest) -> Result<()>;
|
async fn create_user(&self, request: CreateUserRequest) -> Result<()>;
|
||||||
@ -117,7 +128,7 @@ mockall::mock! {
|
|||||||
#[async_trait]
|
#[async_trait]
|
||||||
impl BackendHandler for TestBackendHandler {
|
impl BackendHandler for TestBackendHandler {
|
||||||
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
||||||
async fn list_groups(&self) -> Result<Vec<Group>>;
|
async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
|
||||||
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
||||||
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
||||||
async fn create_user(&self, request: CreateUserRequest) -> Result<()>;
|
async fn create_user(&self, request: CreateUserRequest) -> Result<()>;
|
||||||
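Review bot: `GroupRequestFilter` is added without doc comments, yet its empty-vector forms carry meaning the SQL backend depends on (`And(vec![])` is the no-constraint filter, `Not(Box::new(And(vec![])))` short-circuits to an empty result, and `None` on `list_groups` behaves like `Some(And(vec![]))`), none of which a reader of this file can learn here. Suggest adding `/// Filter for `list_groups`; `And(vec![])` matches every group, `Not(Box::new(And(vec![])))` matches none.` above the enum, and `/// Lists groups matching `filters`; `None` is equivalent to `Some(GroupRequestFilter::And(vec![]))`.` on the trait method. The `Member` comment could also name the field it matches: `// Matches groups that have a membership row for this user_id.` The mock blocks below mirror the signature and need no change.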
|
@ -21,7 +21,7 @@ impl SqlBackendHandler {
|
|||||||
struct RequiresGroup(bool);
|
struct RequiresGroup(bool);
|
||||||
|
|
||||||
// Returns the condition for the SQL query, and whether it requires joining with the groups table.
|
// Returns the condition for the SQL query, and whether it requires joining with the groups table.
|
||||||
fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
|
fn get_user_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
|
||||||
use UserRequestFilter::*;
|
use UserRequestFilter::*;
|
||||||
fn get_repeated_filter(
|
fn get_repeated_filter(
|
||||||
fs: Vec<UserRequestFilter>,
|
fs: Vec<UserRequestFilter>,
|
||||||
@ -32,13 +32,13 @@ fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
|
|||||||
let first_expr = match it.next() {
|
let first_expr = match it.next() {
|
||||||
None => return (RequiresGroup(false), Expr::value(true)),
|
None => return (RequiresGroup(false), Expr::value(true)),
|
||||||
Some(f) => {
|
Some(f) => {
|
||||||
let (group, filter) = get_filter_expr(f);
|
let (group, filter) = get_user_filter_expr(f);
|
||||||
requires_group |= group.0;
|
requires_group |= group.0;
|
||||||
filter
|
filter
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
let filter = it.fold(first_expr, |e, f| {
|
let filter = it.fold(first_expr, |e, f| {
|
||||||
let (group, filters) = get_filter_expr(f);
|
let (group, filters) = get_user_filter_expr(f);
|
||||||
requires_group |= group.0;
|
requires_group |= group.0;
|
||||||
field(e, filters)
|
field(e, filters)
|
||||||
});
|
});
|
||||||
@ -48,7 +48,7 @@ fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
|
|||||||
And(fs) => get_repeated_filter(fs, &SimpleExpr::and),
|
And(fs) => get_repeated_filter(fs, &SimpleExpr::and),
|
||||||
Or(fs) => get_repeated_filter(fs, &SimpleExpr::or),
|
Or(fs) => get_repeated_filter(fs, &SimpleExpr::or),
|
||||||
Not(f) => {
|
Not(f) => {
|
||||||
let (requires_group, filters) = get_filter_expr(*f);
|
let (requires_group, filters) = get_user_filter_expr(*f);
|
||||||
(requires_group, Expr::not(Expr::expr(filters)))
|
(requires_group, Expr::not(Expr::expr(filters)))
|
||||||
}
|
}
|
||||||
Equality(s1, s2) => (
|
Equality(s1, s2) => (
|
||||||
@ -72,6 +72,37 @@ fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Returns the condition for the SQL query, and whether it requires joining with the groups table.
|
||||||
|
fn get_group_filter_expr(filter: GroupRequestFilter) -> SimpleExpr {
|
||||||
|
use GroupRequestFilter::*;
|
||||||
|
fn get_repeated_filter(
|
||||||
|
fs: Vec<GroupRequestFilter>,
|
||||||
|
field: &dyn Fn(SimpleExpr, SimpleExpr) -> SimpleExpr,
|
||||||
|
) -> SimpleExpr {
|
||||||
|
let mut it = fs.into_iter();
|
||||||
|
let first_expr = match it.next() {
|
||||||
|
None => return Expr::value(true),
|
||||||
|
Some(f) => get_group_filter_expr(f),
|
||||||
|
};
|
||||||
|
it.fold(first_expr, |e, f| field(e, get_group_filter_expr(f)))
|
||||||
|
}
|
||||||
|
match filter {
|
||||||
|
And(fs) => get_repeated_filter(fs, &SimpleExpr::and),
|
||||||
|
Or(fs) => get_repeated_filter(fs, &SimpleExpr::or),
|
||||||
|
Not(f) => Expr::not(Expr::expr(get_group_filter_expr(*f))),
|
||||||
|
DisplayName(name) => Expr::col((Groups::Table, Groups::DisplayName)).eq(name),
|
||||||
|
GroupId(id) => Expr::col((Groups::Table, Groups::GroupId)).eq(id.0),
|
||||||
|
// WHERE (group_id in (SELECT group_id FROM memberships WHERE user_id = user))
|
||||||
|
Member(user) => Expr::col((Memberships::Table, Memberships::GroupId)).in_subquery(
|
||||||
|
Query::select()
|
||||||
|
.column(Memberships::GroupId)
|
||||||
|
.from(Memberships::Table)
|
||||||
|
.and_where(Expr::col(Memberships::UserId).eq(user))
|
||||||
|
.take(),
|
||||||
|
),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[async_trait]
|
#[async_trait]
|
||||||
impl BackendHandler for SqlBackendHandler {
|
impl BackendHandler for SqlBackendHandler {
|
||||||
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>> {
|
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>> {
|
||||||
@ -88,17 +119,13 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
.order_by((Users::Table, Users::UserId), Order::Asc)
|
.order_by((Users::Table, Users::UserId), Order::Asc)
|
||||||
.to_owned();
|
.to_owned();
|
||||||
if let Some(filter) = filters {
|
if let Some(filter) = filters {
|
||||||
if filter
|
if filter == UserRequestFilter::Not(Box::new(UserRequestFilter::And(Vec::new()))) {
|
||||||
== UserRequestFilter::Not(Box::new(
|
|
||||||
UserRequestFilter::And(Vec::new()),
|
|
||||||
))
|
|
||||||
{
|
|
||||||
return Ok(Vec::new());
|
return Ok(Vec::new());
|
||||||
}
|
}
|
||||||
if filter != UserRequestFilter::And(Vec::new())
|
if filter != UserRequestFilter::And(Vec::new())
|
||||||
&& filter != UserRequestFilter::Or(Vec::new())
|
&& filter != UserRequestFilter::Or(Vec::new())
|
||||||
{
|
{
|
||||||
let (RequiresGroup(requires_group), condition) = get_filter_expr(filter);
|
let (RequiresGroup(requires_group), condition) = get_user_filter_expr(filter);
|
||||||
query_builder.and_where(condition);
|
query_builder.and_where(condition);
|
||||||
if requires_group {
|
if requires_group {
|
||||||
query_builder
|
query_builder
|
||||||
@ -127,20 +154,36 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
Ok(results.into_iter().collect::<sqlx::Result<Vec<User>>>()?)
|
Ok(results.into_iter().collect::<sqlx::Result<Vec<User>>>()?)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn list_groups(&self) -> Result<Vec<Group>> {
|
async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>> {
|
||||||
let query: String = Query::select()
|
let query: String = {
|
||||||
.column((Groups::Table, Groups::GroupId))
|
let mut query_builder = Query::select()
|
||||||
.column(Groups::DisplayName)
|
.column((Groups::Table, Groups::GroupId))
|
||||||
.column(Memberships::UserId)
|
.column(Groups::DisplayName)
|
||||||
.from(Groups::Table)
|
.column(Memberships::UserId)
|
||||||
.left_join(
|
.from(Groups::Table)
|
||||||
Memberships::Table,
|
.left_join(
|
||||||
Expr::tbl(Groups::Table, Groups::GroupId)
|
Memberships::Table,
|
||||||
.equals(Memberships::Table, Memberships::GroupId),
|
Expr::tbl(Groups::Table, Groups::GroupId)
|
||||||
)
|
.equals(Memberships::Table, Memberships::GroupId),
|
||||||
.order_by(Groups::DisplayName, Order::Asc)
|
)
|
||||||
.order_by(Memberships::UserId, Order::Asc)
|
.order_by(Groups::DisplayName, Order::Asc)
|
||||||
.to_string(DbQueryBuilder {});
|
.order_by(Memberships::UserId, Order::Asc)
|
||||||
|
.to_owned();
|
||||||
|
|
||||||
|
if let Some(filter) = filters {
|
||||||
|
if filter == GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(Vec::new())))
|
||||||
|
{
|
||||||
|
return Ok(Vec::new());
|
||||||
|
}
|
||||||
|
if filter != GroupRequestFilter::And(Vec::new())
|
||||||
|
&& filter != GroupRequestFilter::Or(Vec::new())
|
||||||
|
{
|
||||||
|
query_builder.and_where(get_group_filter_expr(filter));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
query_builder.to_string(DbQueryBuilder {})
|
||||||
|
};
|
||||||
|
|
||||||
// For group_by.
|
// For group_by.
|
||||||
use itertools::Itertools;
|
use itertools::Itertools;
|
||||||
@ -546,10 +589,9 @@ mod tests {
|
|||||||
}
|
}
|
||||||
{
|
{
|
||||||
let users = handler
|
let users = handler
|
||||||
.list_users(Some(UserRequestFilter::Not(Box::new(UserRequestFilter::Equality(
|
.list_users(Some(UserRequestFilter::Not(Box::new(
|
||||||
"user_id".to_string(),
|
UserRequestFilter::Equality("user_id".to_string(), "bob".to_string()),
|
||||||
"bob".to_string(),
|
))))
|
||||||
)))))
|
|
||||||
.await
|
.await
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.into_iter()
|
.into_iter()
|
||||||
@ -575,7 +617,7 @@ mod tests {
|
|||||||
insert_membership(&handler, group_2, "patrick").await;
|
insert_membership(&handler, group_2, "patrick").await;
|
||||||
insert_membership(&handler, group_2, "John").await;
|
insert_membership(&handler, group_2, "John").await;
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
handler.list_groups().await.unwrap(),
|
handler.list_groups(None).await.unwrap(),
|
||||||
vec![
|
vec![
|
||||||
Group {
|
Group {
|
||||||
id: group_1,
|
id: group_1,
|
||||||
@ -594,6 +636,43 @@ mod tests {
|
|||||||
},
|
},
|
||||||
]
|
]
|
||||||
);
|
);
|
||||||
|
assert_eq!(
|
||||||
|
handler
|
||||||
|
.list_groups(Some(GroupRequestFilter::Or(vec![
|
||||||
|
GroupRequestFilter::DisplayName("Empty Group".to_string()),
|
||||||
|
GroupRequestFilter::Member("bob".to_string()),
|
||||||
|
])))
|
||||||
|
.await
|
||||||
|
.unwrap(),
|
||||||
|
vec![
|
||||||
|
Group {
|
||||||
|
id: group_1,
|
||||||
|
display_name: "Best Group".to_string(),
|
||||||
|
users: vec!["bob".to_string(), "patrick".to_string()]
|
||||||
|
},
|
||||||
|
Group {
|
||||||
|
id: group_3,
|
||||||
|
display_name: "Empty Group".to_string(),
|
||||||
|
users: vec![]
|
||||||
|
},
|
||||||
|
]
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
handler
|
||||||
|
.list_groups(Some(GroupRequestFilter::And(vec![
|
||||||
|
GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName(
|
||||||
|
"value".to_string()
|
||||||
|
))),
|
||||||
|
GroupRequestFilter::GroupId(group_1),
|
||||||
|
])))
|
||||||
|
.await
|
||||||
|
.unwrap(),
|
||||||
|
vec![Group {
|
||||||
|
id: group_1,
|
||||||
|
display_name: "Best Group".to_string(),
|
||||||
|
users: vec!["bob".to_string(), "patrick".to_string()]
|
||||||
|
}]
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
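Review bot: In `get_group_filter_expr`, the `Member(user)` arm filters on `Memberships::GroupId`, the column from the LEFT JOIN in `list_groups`, which is NULL for groups with no memberships; if I read the three-valued logic right, `Not(Member(..))` then evaluates to `NOT (NULL IN (...))`, which is NULL, so empty groups that should match a negated membership filter are silently dropped. Testing the non-nullable key avoids this: `Member(user) => Expr::col((Groups::Table, Groups::GroupId)).in_subquery(`, and a `Not(Member(..))` case next to the `Not(DisplayName(..))` assertion in the tests would pin it. The header comment copied from `get_user_filter_expr` still promises a "requires joining with the groups table" flag that this function no longer returns; `// Returns the WHERE condition for the SQL group query.` matches the signature. Finally, `get_repeated_filter` yields `Expr::value(true)` for an empty `Or` as well as an empty `And`, so a nested `Or(vec![])` matches everything rather than nothing; only the top-level case is special-cased in `list_groups`.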
|
@ -134,7 +134,7 @@ impl<Handler: BackendHandler + Sync> Query<Handler> {
|
|||||||
}
|
}
|
||||||
Ok(context
|
Ok(context
|
||||||
.handler
|
.handler
|
||||||
.list_groups()
|
.list_groups(None)
|
||||||
.await
|
.await
|
||||||
.map(|v| v.into_iter().map(Into::into).collect())?)
|
.map(|v| v.into_iter().map(Into::into).collect())?)
|
||||||
}
|
}
|
||||||
|
@ -1,12 +1,11 @@
|
|||||||
use crate::domain::{
|
use crate::domain::{
|
||||||
handler::{
|
handler::{
|
||||||
BackendHandler, BindRequest, Group, GroupIdAndName, LoginHandler, UserRequestFilter, User,
|
BackendHandler, BindRequest, Group, GroupRequestFilter, LoginHandler, User,
|
||||||
|
UserRequestFilter,
|
||||||
},
|
},
|
||||||
opaque_handler::OpaqueHandler,
|
opaque_handler::OpaqueHandler,
|
||||||
};
|
};
|
||||||
use anyhow::{bail, Context, Result};
|
use anyhow::{bail, Context, Result};
|
||||||
use futures::stream::StreamExt;
|
|
||||||
use futures_util::TryStreamExt;
|
|
||||||
use ldap3_server::proto::{
|
use ldap3_server::proto::{
|
||||||
LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedRequest, LdapExtendedResponse,
|
LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedRequest, LdapExtendedResponse,
|
||||||
LdapFilter, LdapOp, LdapPartialAttribute, LdapPasswordModifyRequest, LdapResult,
|
LdapFilter, LdapOp, LdapPartialAttribute, LdapPasswordModifyRequest, LdapResult,
|
||||||
@ -479,8 +478,8 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
|
|||||||
}
|
}
|
||||||
|
|
||||||
async fn get_groups_list(&self, request: &LdapSearchRequest) -> Vec<LdapOp> {
|
async fn get_groups_list(&self, request: &LdapSearchRequest) -> Vec<LdapOp> {
|
||||||
let for_user = match self.get_group_filter(&request.filter) {
|
let filter = match self.convert_group_filter(&request.filter) {
|
||||||
Ok(u) => u,
|
Ok(f) => f,
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
return vec![make_search_error(
|
return vec![make_search_error(
|
||||||
LdapResultCode::UnwillingToPerform,
|
LdapResultCode::UnwillingToPerform,
|
||||||
@ -489,55 +488,13 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
async fn get_users_for_group<Backend: BackendHandler>(
|
let groups = match self.backend_handler.list_groups(Some(filter)).await {
|
||||||
backend_handler: &Backend,
|
Ok(groups) => groups,
|
||||||
g: &GroupIdAndName,
|
Err(e) => {
|
||||||
) -> Result<Group> {
|
return vec![make_search_error(
|
||||||
let users = backend_handler
|
LdapResultCode::Other,
|
||||||
.list_users(Some(UserRequestFilter::MemberOfId(g.0)))
|
format!(r#"Error while listing groups "{}": {:#}"#, request.base, e),
|
||||||
.await?;
|
)]
|
||||||
Ok(Group {
|
|
||||||
id: g.0,
|
|
||||||
display_name: g.1.clone(),
|
|
||||||
users: users.into_iter().map(|u| u.user_id).collect(),
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
let groups: Vec<Group> = if let Some(user) = for_user {
|
|
||||||
let groups_without_users = match self.backend_handler.get_user_groups(&user).await {
|
|
||||||
Ok(groups) => groups,
|
|
||||||
Err(e) => {
|
|
||||||
return vec![make_search_error(
|
|
||||||
LdapResultCode::Other,
|
|
||||||
format!(
|
|
||||||
r#"Error while listing user groups: "{}": {:#}"#,
|
|
||||||
request.base, e
|
|
||||||
),
|
|
||||||
)]
|
|
||||||
}
|
|
||||||
};
|
|
||||||
match tokio_stream::iter(groups_without_users.iter())
|
|
||||||
.then(|g| async move { get_users_for_group::<Backend>(&self.backend_handler, g).await })
|
|
||||||
.try_collect::<Vec<Group>>()
|
|
||||||
.await
|
|
||||||
{
|
|
||||||
Ok(groups) => groups,
|
|
||||||
Err(e) => {
|
|
||||||
return vec![make_search_error(
|
|
||||||
LdapResultCode::Other,
|
|
||||||
format!(r#"Error while listing user groups: "{}": {:#}"#, request.base, e),
|
|
||||||
)]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
match self.backend_handler.list_groups().await {
|
|
||||||
Ok(groups) => groups,
|
|
||||||
Err(e) => {
|
|
||||||
return vec![make_search_error(
|
|
||||||
LdapResultCode::Other,
|
|
||||||
format!(r#"Error while listing groups "{}": {:#}"#, request.base, e),
|
|
||||||
)]
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -582,7 +539,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_group_filter(&self, filter: &LdapFilter) -> Result<Option<String>> {
|
fn convert_group_filter(&self, filter: &LdapFilter) -> Result<GroupRequestFilter> {
|
||||||
match filter {
|
match filter {
|
||||||
LdapFilter::Equality(field, value) => {
|
LdapFilter::Equality(field, value) => {
|
||||||
if field == "member" || field.to_lowercase() == "uniquemember" {
|
if field == "member" || field.to_lowercase() == "uniquemember" {
|
||||||
@ -591,16 +548,33 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
|
|||||||
&self.base_dn,
|
&self.base_dn,
|
||||||
&self.base_dn_str,
|
&self.base_dn_str,
|
||||||
)?;
|
)?;
|
||||||
Ok(Some(user_name))
|
Ok(GroupRequestFilter::Member(user_name))
|
||||||
} else if field.to_lowercase() == "objectclass" && value == "groupOfUniqueNames" {
|
} else if field.to_lowercase() == "objectclass" && value == "groupOfUniqueNames" {
|
||||||
Ok(None)
|
Ok(GroupRequestFilter::And(vec![]))
|
||||||
} else {
|
} else {
|
||||||
bail!("Unsupported group filter: {:?}", filter)
|
let field = map_field(field)?;
|
||||||
|
if field == "display_name" {
|
||||||
|
Ok(GroupRequestFilter::DisplayName(value.clone()))
|
||||||
|
} else {
|
||||||
|
bail!("Unsupported group attribute: {:?}", field)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
LdapFilter::And(v) => v
|
LdapFilter::And(filters) => Ok(GroupRequestFilter::And(
|
||||||
.iter()
|
filters
|
||||||
.fold(Ok(None), |o, f| Ok(o?.xor(self.get_group_filter(f)?))),
|
.iter()
|
||||||
|
.map(|f| self.convert_group_filter(f))
|
||||||
|
.collect::<Result<_>>()?,
|
||||||
|
)),
|
||||||
|
LdapFilter::Or(filters) => Ok(GroupRequestFilter::Or(
|
||||||
|
filters
|
||||||
|
.iter()
|
||||||
|
.map(|f| self.convert_group_filter(f))
|
||||||
|
.collect::<Result<_>>()?,
|
||||||
|
)),
|
||||||
|
LdapFilter::Not(filter) => Ok(GroupRequestFilter::Not(Box::new(
|
||||||
|
self.convert_group_filter(&*filter)?,
|
||||||
|
))),
|
||||||
_ => bail!("Unsupported group filter: {:?}", filter),
|
_ => bail!("Unsupported group filter: {:?}", filter),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -638,10 +612,15 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
|
|||||||
{
|
{
|
||||||
Ok(UserRequestFilter::And(vec![]))
|
Ok(UserRequestFilter::And(vec![]))
|
||||||
} else {
|
} else {
|
||||||
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))))
|
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(
|
||||||
|
vec![],
|
||||||
|
))))
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
Ok(UserRequestFilter::Equality(map_field(field)?, value.clone()))
|
Ok(UserRequestFilter::Equality(
|
||||||
|
map_field(field)?,
|
||||||
|
value.clone(),
|
||||||
|
))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
LdapFilter::Present(field) => {
|
LdapFilter::Present(field) => {
|
||||||
@ -649,7 +628,9 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
|
|||||||
if field.to_lowercase() == "objectclass" || map_field(field).is_ok() {
|
if field.to_lowercase() == "objectclass" || map_field(field).is_ok() {
|
||||||
Ok(UserRequestFilter::And(vec![]))
|
Ok(UserRequestFilter::And(vec![]))
|
||||||
} else {
|
} else {
|
||||||
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))))
|
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(
|
||||||
|
vec![],
|
||||||
|
))))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
_ => bail!("Unsupported user filter: {:?}", filter),
|
_ => bail!("Unsupported user filter: {:?}", filter),
|
||||||
@ -679,7 +660,7 @@ mod tests {
|
|||||||
#[async_trait]
|
#[async_trait]
|
||||||
impl BackendHandler for TestBackendHandler {
|
impl BackendHandler for TestBackendHandler {
|
||||||
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
||||||
async fn list_groups(&self) -> Result<Vec<Group>>;
|
async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
|
||||||
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
||||||
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
||||||
async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>;
|
async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>;
|
||||||
@ -1048,20 +1029,23 @@ mod tests {
|
|||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
async fn test_search_groups() {
|
async fn test_search_groups() {
|
||||||
let mut mock = MockTestBackendHandler::new();
|
let mut mock = MockTestBackendHandler::new();
|
||||||
mock.expect_list_groups().times(1).return_once(|| {
|
mock.expect_list_groups()
|
||||||
Ok(vec![
|
.with(eq(Some(GroupRequestFilter::And(vec![]))))
|
||||||
Group {
|
.times(1)
|
||||||
id: GroupId(1),
|
.return_once(|_| {
|
||||||
display_name: "group_1".to_string(),
|
Ok(vec![
|
||||||
users: vec!["bob".to_string(), "john".to_string()],
|
Group {
|
||||||
},
|
id: GroupId(1),
|
||||||
Group {
|
display_name: "group_1".to_string(),
|
||||||
id: GroupId(3),
|
users: vec!["bob".to_string(), "john".to_string()],
|
||||||
display_name: "bestgroup".to_string(),
|
},
|
||||||
users: vec!["john".to_string()],
|
Group {
|
||||||
},
|
id: GroupId(3),
|
||||||
])
|
display_name: "bestgroup".to_string(),
|
||||||
});
|
users: vec!["john".to_string()],
|
||||||
|
},
|
||||||
|
])
|
||||||
|
});
|
||||||
let mut ldap_handler = setup_bound_handler(mock).await;
|
let mut ldap_handler = setup_bound_handler(mock).await;
|
||||||
let request = make_search_request(
|
let request = make_search_request(
|
||||||
"ou=groups,dc=example,dc=com",
|
"ou=groups,dc=example,dc=com",
|
||||||
@ -1124,27 +1108,25 @@ mod tests {
|
|||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
async fn test_search_groups_filter() {
|
async fn test_search_groups_filter() {
|
||||||
let mut mock = MockTestBackendHandler::new();
|
let mut mock = MockTestBackendHandler::new();
|
||||||
mock.expect_get_user_groups()
|
mock.expect_list_groups()
|
||||||
.with(eq("bob"))
|
.with(eq(Some(GroupRequestFilter::And(vec![
|
||||||
|
GroupRequestFilter::DisplayName("group_1".to_string()),
|
||||||
|
GroupRequestFilter::Member("bob".to_string()),
|
||||||
|
GroupRequestFilter::And(vec![]),
|
||||||
|
]))))
|
||||||
.times(1)
|
.times(1)
|
||||||
.return_once(|_| {
|
.return_once(|_| {
|
||||||
let mut set = HashSet::new();
|
Ok(vec![Group {
|
||||||
set.insert(GroupIdAndName(GroupId(1), "group_1".to_string()));
|
display_name: "group_1".to_string(),
|
||||||
Ok(set)
|
id: GroupId(1),
|
||||||
});
|
users: vec![],
|
||||||
mock.expect_list_users()
|
|
||||||
.with(eq(Some(UserRequestFilter::MemberOfId(GroupId(1)))))
|
|
||||||
.times(1)
|
|
||||||
.return_once(|_| {
|
|
||||||
Ok(vec![User {
|
|
||||||
user_id: "bob".to_string(),
|
|
||||||
..Default::default()
|
|
||||||
}])
|
}])
|
||||||
});
|
});
|
||||||
let mut ldap_handler = setup_bound_handler(mock).await;
|
let mut ldap_handler = setup_bound_handler(mock).await;
|
||||||
let request = make_search_request(
|
let request = make_search_request(
|
||||||
"ou=groups,dc=example,dc=com",
|
"ou=groups,dc=example,dc=com",
|
||||||
LdapFilter::And(vec![
|
LdapFilter::And(vec![
|
||||||
|
LdapFilter::Equality("cn".to_string(), "group_1".to_string()),
|
||||||
LdapFilter::Equality(
|
LdapFilter::Equality(
|
||||||
"uniqueMember".to_string(),
|
"uniqueMember".to_string(),
|
||||||
"cn=bob,ou=people,dc=example,dc=com".to_string(),
|
"cn=bob,ou=people,dc=example,dc=com".to_string(),
|
||||||
@ -1168,21 +1150,117 @@ mod tests {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[tokio::test]
|
||||||
|
async fn test_search_groups_filter_2() {
|
||||||
|
let mut mock = MockTestBackendHandler::new();
|
||||||
|
mock.expect_list_groups()
|
||||||
|
.with(eq(Some(GroupRequestFilter::Or(vec![
|
||||||
|
GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName(
|
||||||
|
"group_2".to_string(),
|
||||||
|
))),
|
||||||
|
]))))
|
||||||
|
.times(1)
|
||||||
|
.return_once(|_| {
|
||||||
|
Ok(vec![Group {
|
||||||
|
display_name: "group_1".to_string(),
|
||||||
|
id: GroupId(1),
|
||||||
|
users: vec![],
|
||||||
|
}])
|
||||||
|
});
|
||||||
|
let mut ldap_handler = setup_bound_handler(mock).await;
|
||||||
|
let request = make_search_request(
|
||||||
|
"ou=groups,dc=example,dc=com",
|
||||||
|
LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality(
|
||||||
|
"displayname".to_string(),
|
||||||
|
"group_2".to_string(),
|
||||||
|
)))]),
|
||||||
|
vec!["cn"],
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
ldap_handler.do_search(&request).await,
|
||||||
|
vec![
|
||||||
|
LdapOp::SearchResultEntry(LdapSearchResultEntry {
|
||||||
|
dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(),
|
||||||
|
attributes: vec![LdapPartialAttribute {
|
||||||
|
atype: "cn".to_string(),
|
||||||
|
vals: vec!["group_1".to_string()]
|
||||||
|
},],
|
||||||
|
}),
|
||||||
|
make_search_success(),
|
||||||
|
]
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[tokio::test]
|
||||||
|
async fn test_search_groups_error() {
|
||||||
|
let mut mock = MockTestBackendHandler::new();
|
||||||
|
mock.expect_list_groups()
|
||||||
|
.with(eq(Some(GroupRequestFilter::Or(vec![
|
||||||
|
GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName(
|
||||||
|
"group_2".to_string(),
|
||||||
|
))),
|
||||||
|
]))))
|
||||||
|
.times(1)
|
||||||
|
.return_once(|_| {
|
||||||
|
Err(crate::domain::error::DomainError::InternalError(
|
||||||
|
"Error getting groups".to_string(),
|
||||||
|
))
|
||||||
|
});
|
||||||
|
let mut ldap_handler = setup_bound_handler(mock).await;
|
||||||
|
let request = make_search_request(
|
||||||
|
"ou=groups,dc=example,dc=com",
|
||||||
|
LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality(
|
||||||
|
"displayname".to_string(),
|
||||||
|
"group_2".to_string(),
|
||||||
|
)))]),
|
||||||
|
vec!["cn"],
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
ldap_handler.do_search(&request).await,
|
||||||
|
vec![make_search_error(
|
||||||
|
LdapResultCode::Other,
|
||||||
|
r#"Error while listing groups "ou=groups,dc=example,dc=com": Internal error: `Error getting groups`"#.to_string()
|
||||||
|
)]
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[tokio::test]
|
||||||
|
async fn test_search_groups_filter_error() {
|
||||||
|
let mut ldap_handler = setup_bound_handler(MockTestBackendHandler::new()).await;
|
||||||
|
let request = make_search_request(
|
||||||
|
"ou=groups,dc=example,dc=com",
|
||||||
|
LdapFilter::And(vec![LdapFilter::Equality(
|
||||||
|
"whatever".to_string(),
|
||||||
|
"group_1".to_string(),
|
||||||
|
)]),
|
||||||
|
vec!["cn"],
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
ldap_handler.do_search(&request).await,
|
||||||
|
vec![make_search_error(
|
||||||
|
LdapResultCode::UnwillingToPerform,
|
||||||
|
"Unsupported group filter: Unknown field: whatever".to_string()
|
||||||
|
)]
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
async fn test_search_filters() {
|
async fn test_search_filters() {
|
||||||
let mut mock = MockTestBackendHandler::new();
|
let mut mock = MockTestBackendHandler::new();
|
||||||
mock.expect_list_users()
|
mock.expect_list_users()
|
||||||
.with(eq(Some(UserRequestFilter::And(vec![UserRequestFilter::Or(vec![
|
.with(eq(Some(UserRequestFilter::And(vec![
|
||||||
UserRequestFilter::Not(Box::new(UserRequestFilter::Equality(
|
UserRequestFilter::Or(vec![
|
||||||
"user_id".to_string(),
|
UserRequestFilter::Not(Box::new(UserRequestFilter::Equality(
|
||||||
"bob".to_string(),
|
"user_id".to_string(),
|
||||||
))),
|
"bob".to_string(),
|
||||||
UserRequestFilter::And(vec![]),
|
))),
|
||||||
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
|
UserRequestFilter::And(vec![]),
|
||||||
UserRequestFilter::And(vec![]),
|
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
|
||||||
UserRequestFilter::And(vec![]),
|
UserRequestFilter::And(vec![]),
|
||||||
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
|
UserRequestFilter::And(vec![]),
|
||||||
])]))))
|
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
|
||||||
|
]),
|
||||||
|
]))))
|
||||||
.times(1)
|
.times(1)
|
||||||
.return_once(|_| Ok(vec![]));
|
.return_once(|_| Ok(vec![]));
|
||||||
let mut ldap_handler = setup_bound_handler(mock).await;
|
let mut ldap_handler = setup_bound_handler(mock).await;
|
||||||
@ -1256,12 +1334,11 @@ mod tests {
|
|||||||
async fn test_search_filters_lowercase() {
|
async fn test_search_filters_lowercase() {
|
||||||
let mut mock = MockTestBackendHandler::new();
|
let mut mock = MockTestBackendHandler::new();
|
||||||
mock.expect_list_users()
|
mock.expect_list_users()
|
||||||
.with(eq(Some(UserRequestFilter::And(vec![UserRequestFilter::Or(vec![
|
.with(eq(Some(UserRequestFilter::And(vec![
|
||||||
UserRequestFilter::Not(Box::new(UserRequestFilter::Equality(
|
UserRequestFilter::Or(vec![UserRequestFilter::Not(Box::new(
|
||||||
"first_name".to_string(),
|
UserRequestFilter::Equality("first_name".to_string(), "bob".to_string()),
|
||||||
"bob".to_string(),
|
))]),
|
||||||
))),
|
]))))
|
||||||
])]))))
|
|
||||||
.times(1)
|
.times(1)
|
||||||
.return_once(|_| {
|
.return_once(|_| {
|
||||||
Ok(vec![User {
|
Ok(vec![User {
|
||||||
@ -1309,13 +1386,16 @@ mod tests {
|
|||||||
..Default::default()
|
..Default::default()
|
||||||
}])
|
}])
|
||||||
});
|
});
|
||||||
mock.expect_list_groups().times(1).return_once(|| {
|
mock.expect_list_groups()
|
||||||
Ok(vec![Group {
|
.with(eq(Some(GroupRequestFilter::And(vec![]))))
|
||||||
id: GroupId(1),
|
.times(1)
|
||||||
display_name: "group_1".to_string(),
|
.return_once(|_| {
|
||||||
users: vec!["bob".to_string(), "john".to_string()],
|
Ok(vec![Group {
|
||||||
}])
|
id: GroupId(1),
|
||||||
});
|
display_name: "group_1".to_string(),
|
||||||
|
users: vec!["bob".to_string(), "john".to_string()],
|
||||||
|
}])
|
||||||
|
});
|
||||||
let mut ldap_handler = setup_bound_handler(mock).await;
|
let mut ldap_handler = setup_bound_handler(mock).await;
|
||||||
let request = make_search_request(
|
let request = make_search_request(
|
||||||
"dc=example,dc=com",
|
"dc=example,dc=com",
|
||||||
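Review bot: In `convert_group_filter`, an `objectclass` equality whose value is not `groupOfUniqueNames` falls through to `map_field(field)?`, which (judging by the "Unknown field: whatever" expectation in `test_search_groups_filter_error`) turns a harmless `(objectClass=someOtherClass)` into an `UnwillingToPerform` error, whereas the user-filter conversion below maps the same situation to `Not(Box::new(And(vec![])))` so the search simply returns nothing. Adding `} else if field.to_lowercase() == "objectclass" { Ok(GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(vec![])))) }` before the `else` would make the two conversions consistent. Likewise `LdapFilter::Present` is handled for users but hits the `_ => bail!` arm here, so `(cn=*)` or `(objectClass=*)` against the groups subtree is rejected; mirroring the user arm with `LdapFilter::Present(_) => Ok(GroupRequestFilter::And(vec![]))` (or the `map_field(field).is_ok()` check used for users) would cover it. `get_group_filter`'s removed `Option<String>` contract is gone, so a one-line doc on `convert_group_filter` stating that the returned filter is forwarded to `BackendHandler::list_groups` and that unsupported filters produce `UnwillingToPerform` would help the next reader.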
|
@ -36,7 +36,7 @@ mockall::mock! {
|
|||||||
#[async_trait]
|
#[async_trait]
|
||||||
impl BackendHandler for TestTcpBackendHandler {
|
impl BackendHandler for TestTcpBackendHandler {
|
||||||
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
|
||||||
async fn list_groups(&self) -> Result<Vec<Group>>;
|
async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
|
||||||
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
async fn get_user_details(&self, user_id: &str) -> Result<User>;
|
||||||
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
|
||||||
async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>;
|
async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>;
|
||||||
|