server: refactor group requests to use filters

This commit is contained in:
Valentin Tolmer 2022-02-12 11:00:02 +01:00 committed by nitnelave
parent a1fe703bf0
commit c850fa4273
5 changed files with 319 additions and 149 deletions


@ -54,6 +54,17 @@ pub enum UserRequestFilter {
MemberOfId(GroupId), MemberOfId(GroupId),
} }
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
pub enum GroupRequestFilter {
And(Vec<GroupRequestFilter>),
Or(Vec<GroupRequestFilter>),
Not(Box<GroupRequestFilter>),
DisplayName(String),
GroupId(GroupId),
// Check if the group contains a user identified by uid.
Member(String),
}
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone, Default)] #[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone, Default)]
pub struct CreateUserRequest { pub struct CreateUserRequest {
// Same fields as User, but no creation_date, and with password. // Same fields as User, but no creation_date, and with password.
@ -94,7 +105,7 @@ pub struct GroupIdAndName(pub GroupId, pub String);
#[async_trait] #[async_trait]
pub trait BackendHandler: Clone + Send { pub trait BackendHandler: Clone + Send {
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>; async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
async fn list_groups(&self) -> Result<Vec<Group>>; async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
async fn get_user_details(&self, user_id: &str) -> Result<User>; async fn get_user_details(&self, user_id: &str) -> Result<User>;
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>; async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
async fn create_user(&self, request: CreateUserRequest) -> Result<()>; async fn create_user(&self, request: CreateUserRequest) -> Result<()>;
@ -117,7 +128,7 @@ mockall::mock! {
#[async_trait] #[async_trait]
impl BackendHandler for TestBackendHandler { impl BackendHandler for TestBackendHandler {
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>; async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
async fn list_groups(&self) -> Result<Vec<Group>>; async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
async fn get_user_details(&self, user_id: &str) -> Result<User>; async fn get_user_details(&self, user_id: &str) -> Result<User>;
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>; async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
async fn create_user(&self, request: CreateUserRequest) -> Result<()>; async fn create_user(&self, request: CreateUserRequest) -> Result<()>;
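Review bot: `GroupRequestFilter` carries no documentation of the two sentinel shapes that the backends special-case: `And(vec![])` meaning "every group" and `Not(Box::new(And(vec![])))` meaning "no group", which is how the LDAP handler encodes `objectclass=groupOfUniqueNames` and how the SQL backend short-circuits before building a WHERE clause. A reader of this enum alone cannot see that, nor that an empty `Or` is treated the same as an empty `And` by the SQL backend. I would put it on the enum: `/// Filter for `list_groups`. `And(vec![])` matches every group and `Not(Box::new(And(vec![])))` matches none; backends handle both without a WHERE clause.` The `Member` comment could also say it is an exact user_id match rather than "uid", so nobody reads it as a DN.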


@ -21,7 +21,7 @@ impl SqlBackendHandler {
struct RequiresGroup(bool); struct RequiresGroup(bool);
// Returns the condition for the SQL query, and whether it requires joining with the groups table. // Returns the condition for the SQL query, and whether it requires joining with the groups table.
fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) { fn get_user_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
use UserRequestFilter::*; use UserRequestFilter::*;
fn get_repeated_filter( fn get_repeated_filter(
fs: Vec<UserRequestFilter>, fs: Vec<UserRequestFilter>,
@ -32,13 +32,13 @@ fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
let first_expr = match it.next() { let first_expr = match it.next() {
None => return (RequiresGroup(false), Expr::value(true)), None => return (RequiresGroup(false), Expr::value(true)),
Some(f) => { Some(f) => {
let (group, filter) = get_filter_expr(f); let (group, filter) = get_user_filter_expr(f);
requires_group |= group.0; requires_group |= group.0;
filter filter
} }
}; };
let filter = it.fold(first_expr, |e, f| { let filter = it.fold(first_expr, |e, f| {
let (group, filters) = get_filter_expr(f); let (group, filters) = get_user_filter_expr(f);
requires_group |= group.0; requires_group |= group.0;
field(e, filters) field(e, filters)
}); });
@ -48,7 +48,7 @@ fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
And(fs) => get_repeated_filter(fs, &SimpleExpr::and), And(fs) => get_repeated_filter(fs, &SimpleExpr::and),
Or(fs) => get_repeated_filter(fs, &SimpleExpr::or), Or(fs) => get_repeated_filter(fs, &SimpleExpr::or),
Not(f) => { Not(f) => {
let (requires_group, filters) = get_filter_expr(*f); let (requires_group, filters) = get_user_filter_expr(*f);
(requires_group, Expr::not(Expr::expr(filters))) (requires_group, Expr::not(Expr::expr(filters)))
} }
Equality(s1, s2) => ( Equality(s1, s2) => (
@ -72,6 +72,37 @@ fn get_filter_expr(filter: UserRequestFilter) -> (RequiresGroup, SimpleExpr) {
} }
} }
// Returns the condition for the SQL query, and whether it requires joining with the groups table.
fn get_group_filter_expr(filter: GroupRequestFilter) -> SimpleExpr {
use GroupRequestFilter::*;
fn get_repeated_filter(
fs: Vec<GroupRequestFilter>,
field: &dyn Fn(SimpleExpr, SimpleExpr) -> SimpleExpr,
) -> SimpleExpr {
let mut it = fs.into_iter();
let first_expr = match it.next() {
None => return Expr::value(true),
Some(f) => get_group_filter_expr(f),
};
it.fold(first_expr, |e, f| field(e, get_group_filter_expr(f)))
}
match filter {
And(fs) => get_repeated_filter(fs, &SimpleExpr::and),
Or(fs) => get_repeated_filter(fs, &SimpleExpr::or),
Not(f) => Expr::not(Expr::expr(get_group_filter_expr(*f))),
DisplayName(name) => Expr::col((Groups::Table, Groups::DisplayName)).eq(name),
GroupId(id) => Expr::col((Groups::Table, Groups::GroupId)).eq(id.0),
// WHERE (group_id in (SELECT group_id FROM memberships WHERE user_id = user))
Member(user) => Expr::col((Memberships::Table, Memberships::GroupId)).in_subquery(
Query::select()
.column(Memberships::GroupId)
.from(Memberships::Table)
.and_where(Expr::col(Memberships::UserId).eq(user))
.take(),
),
}
}
#[async_trait] #[async_trait]
impl BackendHandler for SqlBackendHandler { impl BackendHandler for SqlBackendHandler {
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>> { async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>> {
@ -88,17 +119,13 @@ impl BackendHandler for SqlBackendHandler {
.order_by((Users::Table, Users::UserId), Order::Asc) .order_by((Users::Table, Users::UserId), Order::Asc)
.to_owned(); .to_owned();
if let Some(filter) = filters { if let Some(filter) = filters {
if filter if filter == UserRequestFilter::Not(Box::new(UserRequestFilter::And(Vec::new()))) {
== UserRequestFilter::Not(Box::new(
UserRequestFilter::And(Vec::new()),
))
{
return Ok(Vec::new()); return Ok(Vec::new());
} }
if filter != UserRequestFilter::And(Vec::new()) if filter != UserRequestFilter::And(Vec::new())
&& filter != UserRequestFilter::Or(Vec::new()) && filter != UserRequestFilter::Or(Vec::new())
{ {
let (RequiresGroup(requires_group), condition) = get_filter_expr(filter); let (RequiresGroup(requires_group), condition) = get_user_filter_expr(filter);
query_builder.and_where(condition); query_builder.and_where(condition);
if requires_group { if requires_group {
query_builder query_builder
@ -127,20 +154,36 @@ impl BackendHandler for SqlBackendHandler {
Ok(results.into_iter().collect::<sqlx::Result<Vec<User>>>()?) Ok(results.into_iter().collect::<sqlx::Result<Vec<User>>>()?)
} }
async fn list_groups(&self) -> Result<Vec<Group>> { async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>> {
let query: String = Query::select() let query: String = {
.column((Groups::Table, Groups::GroupId)) let mut query_builder = Query::select()
.column(Groups::DisplayName) .column((Groups::Table, Groups::GroupId))
.column(Memberships::UserId) .column(Groups::DisplayName)
.from(Groups::Table) .column(Memberships::UserId)
.left_join( .from(Groups::Table)
Memberships::Table, .left_join(
Expr::tbl(Groups::Table, Groups::GroupId) Memberships::Table,
.equals(Memberships::Table, Memberships::GroupId), Expr::tbl(Groups::Table, Groups::GroupId)
) .equals(Memberships::Table, Memberships::GroupId),
.order_by(Groups::DisplayName, Order::Asc) )
.order_by(Memberships::UserId, Order::Asc) .order_by(Groups::DisplayName, Order::Asc)
.to_string(DbQueryBuilder {}); .order_by(Memberships::UserId, Order::Asc)
.to_owned();
if let Some(filter) = filters {
if filter == GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(Vec::new())))
{
return Ok(Vec::new());
}
if filter != GroupRequestFilter::And(Vec::new())
&& filter != GroupRequestFilter::Or(Vec::new())
{
query_builder.and_where(get_group_filter_expr(filter));
}
}
query_builder.to_string(DbQueryBuilder {})
};
// For group_by. // For group_by.
use itertools::Itertools; use itertools::Itertools;
@ -546,10 +589,9 @@ mod tests {
} }
{ {
let users = handler let users = handler
.list_users(Some(UserRequestFilter::Not(Box::new(UserRequestFilter::Equality( .list_users(Some(UserRequestFilter::Not(Box::new(
"user_id".to_string(), UserRequestFilter::Equality("user_id".to_string(), "bob".to_string()),
"bob".to_string(), ))))
)))))
.await .await
.unwrap() .unwrap()
.into_iter() .into_iter()
@ -575,7 +617,7 @@ mod tests {
insert_membership(&handler, group_2, "patrick").await; insert_membership(&handler, group_2, "patrick").await;
insert_membership(&handler, group_2, "John").await; insert_membership(&handler, group_2, "John").await;
assert_eq!( assert_eq!(
handler.list_groups().await.unwrap(), handler.list_groups(None).await.unwrap(),
vec![ vec![
Group { Group {
id: group_1, id: group_1,
@ -594,6 +636,43 @@ mod tests {
}, },
] ]
); );
assert_eq!(
handler
.list_groups(Some(GroupRequestFilter::Or(vec![
GroupRequestFilter::DisplayName("Empty Group".to_string()),
GroupRequestFilter::Member("bob".to_string()),
])))
.await
.unwrap(),
vec![
Group {
id: group_1,
display_name: "Best Group".to_string(),
users: vec!["bob".to_string(), "patrick".to_string()]
},
Group {
id: group_3,
display_name: "Empty Group".to_string(),
users: vec![]
},
]
);
assert_eq!(
handler
.list_groups(Some(GroupRequestFilter::And(vec![
GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName(
"value".to_string()
))),
GroupRequestFilter::GroupId(group_1),
])))
.await
.unwrap(),
vec![Group {
id: group_1,
display_name: "Best Group".to_string(),
users: vec!["bob".to_string(), "patrick".to_string()]
}]
);
} }
#[tokio::test] #[tokio::test]
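Review bot: The `Member(user)` arm of `get_group_filter_expr` tests `Memberships::GroupId`, the left-joined column, while the outer query in `list_groups` is `FROM groups LEFT JOIN memberships`; for a group with no membership rows that column is NULL, so `NULL IN (subquery)` evaluates to NULL and `Not(Member(..))` would silently drop every empty group instead of matching it. Anchoring the predicate on the base table, `Member(user) => Expr::col((Groups::Table, Groups::GroupId)).in_subquery(`, gives exactly what the comment above the arm describes and behaves correctly under negation; a test case `Not(Member("bob"))` expecting "Empty Group" in the result would pin it. The header comment on `get_group_filter_expr` is copied from the user variant and still promises "whether it requires joining with the groups table", but the function returns only a `SimpleExpr`; I would shorten it to `// Returns the WHERE condition for the group query.`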


@ -134,7 +134,7 @@ impl<Handler: BackendHandler + Sync> Query<Handler> {
} }
Ok(context Ok(context
.handler .handler
.list_groups() .list_groups(None)
.await .await
.map(|v| v.into_iter().map(Into::into).collect())?) .map(|v| v.into_iter().map(Into::into).collect())?)
} }


@ -1,12 +1,11 @@
use crate::domain::{ use crate::domain::{
handler::{ handler::{
BackendHandler, BindRequest, Group, GroupIdAndName, LoginHandler, UserRequestFilter, User, BackendHandler, BindRequest, Group, GroupRequestFilter, LoginHandler, User,
UserRequestFilter,
}, },
opaque_handler::OpaqueHandler, opaque_handler::OpaqueHandler,
}; };
use anyhow::{bail, Context, Result}; use anyhow::{bail, Context, Result};
use futures::stream::StreamExt;
use futures_util::TryStreamExt;
use ldap3_server::proto::{ use ldap3_server::proto::{
LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedRequest, LdapExtendedResponse, LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedRequest, LdapExtendedResponse,
LdapFilter, LdapOp, LdapPartialAttribute, LdapPasswordModifyRequest, LdapResult, LdapFilter, LdapOp, LdapPartialAttribute, LdapPasswordModifyRequest, LdapResult,
@ -479,8 +478,8 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
} }
async fn get_groups_list(&self, request: &LdapSearchRequest) -> Vec<LdapOp> { async fn get_groups_list(&self, request: &LdapSearchRequest) -> Vec<LdapOp> {
let for_user = match self.get_group_filter(&request.filter) { let filter = match self.convert_group_filter(&request.filter) {
Ok(u) => u, Ok(f) => f,
Err(e) => { Err(e) => {
return vec![make_search_error( return vec![make_search_error(
LdapResultCode::UnwillingToPerform, LdapResultCode::UnwillingToPerform,
@ -489,55 +488,13 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
} }
}; };
async fn get_users_for_group<Backend: BackendHandler>( let groups = match self.backend_handler.list_groups(Some(filter)).await {
backend_handler: &Backend, Ok(groups) => groups,
g: &GroupIdAndName, Err(e) => {
) -> Result<Group> { return vec![make_search_error(
let users = backend_handler LdapResultCode::Other,
.list_users(Some(UserRequestFilter::MemberOfId(g.0))) format!(r#"Error while listing groups "{}": {:#}"#, request.base, e),
.await?; )]
Ok(Group {
id: g.0,
display_name: g.1.clone(),
users: users.into_iter().map(|u| u.user_id).collect(),
})
}
let groups: Vec<Group> = if let Some(user) = for_user {
let groups_without_users = match self.backend_handler.get_user_groups(&user).await {
Ok(groups) => groups,
Err(e) => {
return vec![make_search_error(
LdapResultCode::Other,
format!(
r#"Error while listing user groups: "{}": {:#}"#,
request.base, e
),
)]
}
};
match tokio_stream::iter(groups_without_users.iter())
.then(|g| async move { get_users_for_group::<Backend>(&self.backend_handler, g).await })
.try_collect::<Vec<Group>>()
.await
{
Ok(groups) => groups,
Err(e) => {
return vec![make_search_error(
LdapResultCode::Other,
format!(r#"Error while listing user groups: "{}": {:#}"#, request.base, e),
)]
}
}
} else {
match self.backend_handler.list_groups().await {
Ok(groups) => groups,
Err(e) => {
return vec![make_search_error(
LdapResultCode::Other,
format!(r#"Error while listing groups "{}": {:#}"#, request.base, e),
)]
}
} }
}; };
@ -582,7 +539,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
}) })
} }
fn get_group_filter(&self, filter: &LdapFilter) -> Result<Option<String>> { fn convert_group_filter(&self, filter: &LdapFilter) -> Result<GroupRequestFilter> {
match filter { match filter {
LdapFilter::Equality(field, value) => { LdapFilter::Equality(field, value) => {
if field == "member" || field.to_lowercase() == "uniquemember" { if field == "member" || field.to_lowercase() == "uniquemember" {
@ -591,16 +548,33 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
&self.base_dn, &self.base_dn,
&self.base_dn_str, &self.base_dn_str,
)?; )?;
Ok(Some(user_name)) Ok(GroupRequestFilter::Member(user_name))
} else if field.to_lowercase() == "objectclass" && value == "groupOfUniqueNames" { } else if field.to_lowercase() == "objectclass" && value == "groupOfUniqueNames" {
Ok(None) Ok(GroupRequestFilter::And(vec![]))
} else { } else {
bail!("Unsupported group filter: {:?}", filter) let field = map_field(field)?;
if field == "display_name" {
Ok(GroupRequestFilter::DisplayName(value.clone()))
} else {
bail!("Unsupported group attribute: {:?}", field)
}
} }
} }
LdapFilter::And(v) => v LdapFilter::And(filters) => Ok(GroupRequestFilter::And(
.iter() filters
.fold(Ok(None), |o, f| Ok(o?.xor(self.get_group_filter(f)?))), .iter()
.map(|f| self.convert_group_filter(f))
.collect::<Result<_>>()?,
)),
LdapFilter::Or(filters) => Ok(GroupRequestFilter::Or(
filters
.iter()
.map(|f| self.convert_group_filter(f))
.collect::<Result<_>>()?,
)),
LdapFilter::Not(filter) => Ok(GroupRequestFilter::Not(Box::new(
self.convert_group_filter(&*filter)?,
))),
_ => bail!("Unsupported group filter: {:?}", filter), _ => bail!("Unsupported group filter: {:?}", filter),
} }
} }
@ -638,10 +612,15 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
{ {
Ok(UserRequestFilter::And(vec![])) Ok(UserRequestFilter::And(vec![]))
} else { } else {
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![])))) Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(
vec![],
))))
} }
} else { } else {
Ok(UserRequestFilter::Equality(map_field(field)?, value.clone())) Ok(UserRequestFilter::Equality(
map_field(field)?,
value.clone(),
))
} }
} }
LdapFilter::Present(field) => { LdapFilter::Present(field) => {
@ -649,7 +628,9 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
if field.to_lowercase() == "objectclass" || map_field(field).is_ok() { if field.to_lowercase() == "objectclass" || map_field(field).is_ok() {
Ok(UserRequestFilter::And(vec![])) Ok(UserRequestFilter::And(vec![]))
} else { } else {
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![])))) Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(
vec![],
))))
} }
} }
_ => bail!("Unsupported user filter: {:?}", filter), _ => bail!("Unsupported user filter: {:?}", filter),
@ -679,7 +660,7 @@ mod tests {
#[async_trait] #[async_trait]
impl BackendHandler for TestBackendHandler { impl BackendHandler for TestBackendHandler {
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>; async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
async fn list_groups(&self) -> Result<Vec<Group>>; async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
async fn get_user_details(&self, user_id: &str) -> Result<User>; async fn get_user_details(&self, user_id: &str) -> Result<User>;
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>; async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>; async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>;
@ -1048,20 +1029,23 @@ mod tests {
#[tokio::test] #[tokio::test]
async fn test_search_groups() { async fn test_search_groups() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_groups().times(1).return_once(|| { mock.expect_list_groups()
Ok(vec![ .with(eq(Some(GroupRequestFilter::And(vec![]))))
Group { .times(1)
id: GroupId(1), .return_once(|_| {
display_name: "group_1".to_string(), Ok(vec![
users: vec!["bob".to_string(), "john".to_string()], Group {
}, id: GroupId(1),
Group { display_name: "group_1".to_string(),
id: GroupId(3), users: vec!["bob".to_string(), "john".to_string()],
display_name: "bestgroup".to_string(), },
users: vec!["john".to_string()], Group {
}, id: GroupId(3),
]) display_name: "bestgroup".to_string(),
}); users: vec!["john".to_string()],
},
])
});
let mut ldap_handler = setup_bound_handler(mock).await; let mut ldap_handler = setup_bound_handler(mock).await;
let request = make_search_request( let request = make_search_request(
"ou=groups,dc=example,dc=com", "ou=groups,dc=example,dc=com",
@ -1124,27 +1108,25 @@ mod tests {
#[tokio::test] #[tokio::test]
async fn test_search_groups_filter() { async fn test_search_groups_filter() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_get_user_groups() mock.expect_list_groups()
.with(eq("bob")) .with(eq(Some(GroupRequestFilter::And(vec![
GroupRequestFilter::DisplayName("group_1".to_string()),
GroupRequestFilter::Member("bob".to_string()),
GroupRequestFilter::And(vec![]),
]))))
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
let mut set = HashSet::new(); Ok(vec![Group {
set.insert(GroupIdAndName(GroupId(1), "group_1".to_string())); display_name: "group_1".to_string(),
Ok(set) id: GroupId(1),
}); users: vec![],
mock.expect_list_users()
.with(eq(Some(UserRequestFilter::MemberOfId(GroupId(1)))))
.times(1)
.return_once(|_| {
Ok(vec![User {
user_id: "bob".to_string(),
..Default::default()
}]) }])
}); });
let mut ldap_handler = setup_bound_handler(mock).await; let mut ldap_handler = setup_bound_handler(mock).await;
let request = make_search_request( let request = make_search_request(
"ou=groups,dc=example,dc=com", "ou=groups,dc=example,dc=com",
LdapFilter::And(vec![ LdapFilter::And(vec![
LdapFilter::Equality("cn".to_string(), "group_1".to_string()),
LdapFilter::Equality( LdapFilter::Equality(
"uniqueMember".to_string(), "uniqueMember".to_string(),
"cn=bob,ou=people,dc=example,dc=com".to_string(), "cn=bob,ou=people,dc=example,dc=com".to_string(),
@ -1168,21 +1150,117 @@ mod tests {
); );
} }
#[tokio::test]
async fn test_search_groups_filter_2() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_groups()
.with(eq(Some(GroupRequestFilter::Or(vec![
GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName(
"group_2".to_string(),
))),
]))))
.times(1)
.return_once(|_| {
Ok(vec![Group {
display_name: "group_1".to_string(),
id: GroupId(1),
users: vec![],
}])
});
let mut ldap_handler = setup_bound_handler(mock).await;
let request = make_search_request(
"ou=groups,dc=example,dc=com",
LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality(
"displayname".to_string(),
"group_2".to_string(),
)))]),
vec!["cn"],
);
assert_eq!(
ldap_handler.do_search(&request).await,
vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(),
attributes: vec![LdapPartialAttribute {
atype: "cn".to_string(),
vals: vec!["group_1".to_string()]
},],
}),
make_search_success(),
]
);
}
#[tokio::test]
async fn test_search_groups_error() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_groups()
.with(eq(Some(GroupRequestFilter::Or(vec![
GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName(
"group_2".to_string(),
))),
]))))
.times(1)
.return_once(|_| {
Err(crate::domain::error::DomainError::InternalError(
"Error getting groups".to_string(),
))
});
let mut ldap_handler = setup_bound_handler(mock).await;
let request = make_search_request(
"ou=groups,dc=example,dc=com",
LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality(
"displayname".to_string(),
"group_2".to_string(),
)))]),
vec!["cn"],
);
assert_eq!(
ldap_handler.do_search(&request).await,
vec![make_search_error(
LdapResultCode::Other,
r#"Error while listing groups "ou=groups,dc=example,dc=com": Internal error: `Error getting groups`"#.to_string()
)]
);
}
#[tokio::test]
async fn test_search_groups_filter_error() {
let mut ldap_handler = setup_bound_handler(MockTestBackendHandler::new()).await;
let request = make_search_request(
"ou=groups,dc=example,dc=com",
LdapFilter::And(vec![LdapFilter::Equality(
"whatever".to_string(),
"group_1".to_string(),
)]),
vec!["cn"],
);
assert_eq!(
ldap_handler.do_search(&request).await,
vec![make_search_error(
LdapResultCode::UnwillingToPerform,
"Unsupported group filter: Unknown field: whatever".to_string()
)]
);
}
#[tokio::test] #[tokio::test]
async fn test_search_filters() { async fn test_search_filters() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_users() mock.expect_list_users()
.with(eq(Some(UserRequestFilter::And(vec![UserRequestFilter::Or(vec![ .with(eq(Some(UserRequestFilter::And(vec![
UserRequestFilter::Not(Box::new(UserRequestFilter::Equality( UserRequestFilter::Or(vec![
"user_id".to_string(), UserRequestFilter::Not(Box::new(UserRequestFilter::Equality(
"bob".to_string(), "user_id".to_string(),
))), "bob".to_string(),
UserRequestFilter::And(vec![]), ))),
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), UserRequestFilter::And(vec![]),
UserRequestFilter::And(vec![]), UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
UserRequestFilter::And(vec![]), UserRequestFilter::And(vec![]),
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), UserRequestFilter::And(vec![]),
])])))) UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
]),
]))))
.times(1) .times(1)
.return_once(|_| Ok(vec![])); .return_once(|_| Ok(vec![]));
let mut ldap_handler = setup_bound_handler(mock).await; let mut ldap_handler = setup_bound_handler(mock).await;
@ -1256,12 +1334,11 @@ mod tests {
async fn test_search_filters_lowercase() { async fn test_search_filters_lowercase() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_users() mock.expect_list_users()
.with(eq(Some(UserRequestFilter::And(vec![UserRequestFilter::Or(vec![ .with(eq(Some(UserRequestFilter::And(vec![
UserRequestFilter::Not(Box::new(UserRequestFilter::Equality( UserRequestFilter::Or(vec![UserRequestFilter::Not(Box::new(
"first_name".to_string(), UserRequestFilter::Equality("first_name".to_string(), "bob".to_string()),
"bob".to_string(), ))]),
))), ]))))
])]))))
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![User { Ok(vec![User {
@ -1309,13 +1386,16 @@ mod tests {
..Default::default() ..Default::default()
}]) }])
}); });
mock.expect_list_groups().times(1).return_once(|| { mock.expect_list_groups()
Ok(vec![Group { .with(eq(Some(GroupRequestFilter::And(vec![]))))
id: GroupId(1), .times(1)
display_name: "group_1".to_string(), .return_once(|_| {
users: vec!["bob".to_string(), "john".to_string()], Ok(vec![Group {
}]) id: GroupId(1),
}); display_name: "group_1".to_string(),
users: vec!["bob".to_string(), "john".to_string()],
}])
});
let mut ldap_handler = setup_bound_handler(mock).await; let mut ldap_handler = setup_bound_handler(mock).await;
let request = make_search_request( let request = make_search_request(
"dc=example,dc=com", "dc=example,dc=com",
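Review bot: In `convert_group_filter`, an `objectclass` equality whose value is not `groupOfUniqueNames` falls through to `map_field(field)?` and, presumably, an "Unknown field" error that `get_groups_list` turns into an UnwillingToPerform response, whereas the user variant further down appears to map a non-matching objectclass to the match-nothing filter `Not(And(vec![]))`; a client sending a filter like `(objectClass=posixGroup)` would get an error for groups and an empty result for users. For consistency I would handle it before the attribute lookup: `} else if field.to_lowercase() == "objectclass" { Ok(GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(vec![])))) }`. Minor style point: in the `Not` arm, `&*filter` only re-borrows the `&Box<LdapFilter>`, and `self.convert_group_filter(filter)` reads the same through deref coercion.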


@ -36,7 +36,7 @@ mockall::mock! {
#[async_trait] #[async_trait]
impl BackendHandler for TestTcpBackendHandler { impl BackendHandler for TestTcpBackendHandler {
async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>; async fn list_users(&self, filters: Option<UserRequestFilter>) -> Result<Vec<User>>;
async fn list_groups(&self) -> Result<Vec<Group>>; async fn list_groups(&self, filters: Option<GroupRequestFilter>) -> Result<Vec<Group>>;
async fn get_user_details(&self, user_id: &str) -> Result<User>; async fn get_user_details(&self, user_id: &str) -> Result<User>;
async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>; async fn get_group_details(&self, group_id: GroupId) -> Result<GroupIdAndName>;
async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>; async fn get_user_groups(&self, user: &str) -> Result<HashSet<GroupIdAndName>>;