Merge pull request #1023 from lsst-sqre/tickets/DM-44136

DM-44136: Add test for disabling LDAP attributes
lsst-sqre · May 8, 2024 · 23c5e16 · 23c5e16
2 parents d593a5f + 390a973
commit 23c5e16
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 0 deletions.
diff --git a/tests/data/config/oidc-firestore.yaml.in b/tests/data/config/oidc-firestore.yaml.in
@@ -20,6 +20,8 @@ ldap:
   url: "ldaps://ldap.example.com/"
   groupBaseDn: "dc=example,dc=com"
   userBaseDn: "ou=people,dc=example,dc=com"
+  uidAttr: null
+  gidAttr: null
   addUserGroup: true
 oidc:
   clientId: "some-oidc-client-id"

diff --git a/tests/data/config/oidc-no-attrs.yaml.in b/tests/data/config/oidc-no-attrs.yaml.in
@@ -0,0 +1,36 @@
+realm: "example.com"
+logLevel: "DEBUG"
+sessionSecretFile: "{session_secret_file}"
+databaseUrl: "{database_url}"
+redisUrl: "redis://localhost:6379/0"
+initialAdmins: ["admin"]
+afterLogoutUrl: "https://example.com/landing"
+groupMapping:
+  "exec:admin": ["admin"]
+  "exec:test": ["test"]
+  "read:all": ["foo", "admin", "org-a-team"]
+knownScopes:
+  "admin:token": "Can create and modify tokens for any user"
+  "exec:admin": "admin description"
+  "exec:test": "test description"
+  "read:all": "can read everything"
+  "user:token": "Can create and modify user tokens"
+ldap:
+  url: "ldaps://ldap.example.com/"
+  groupBaseDn: "dc=example,dc=com"
+  userBaseDn: "ou=people,dc=example,dc=com"
+  nameAttr: null
+  emailAttr: null
+  gidAttr: null
+oidc:
+  clientId: "some-oidc-client-id"
+  clientSecretFile: "{oidc_secret_file}"
+  loginUrl: "https://upstream.example.com/oidc/login"
+  redirectUrl: "https://upstream.example.com/login"
+  tokenUrl: "https://upstream.example.com/token"
+  enrollmentUrl: "https://upstream.example.com/enroll"
+  scopes:
+    - "email"
+    - "voPerson"
+  issuer: "https://upstream.example.com/"
+  audience: "https://test.example.com/"
diff --git a/tests/handlers/login_oidc_test.py b/tests/handlers/login_oidc_test.py
@@ -345,6 +345,48 @@ async def test_missing_attrs(
     assert "X-Auth-Request-Email" not in r.headers
 
 
+@pytest.mark.asyncio
+async def test_no_attrs(
+    tmp_path: Path,
+    client: AsyncClient,
+    respx_mock: respx.Router,
+    mock_ldap: MockLDAP,
+) -> None:
+    """Test configuring LDAP to not request any optional attributes."""
+    await reconfigure(tmp_path, "oidc-no-attrs")
+    token = create_upstream_oidc_jwt("some-user")
+    mock_ldap.add_test_user(
+        UserInfo(
+            username="some-user",
+            name="Some User",
+            email="some-user@example.com",
+            uid=2000,
+            gid=2000,
+        )
+    )
+    mock_ldap.add_test_group_membership(
+        "some-user", [Group(name="foo", id=1222)]
+    )
+
+    r = await simulate_oidc_login(client, respx_mock, token)
+    assert r.status_code == 307
+
+    # Check that the data returned from the user-info API is correct.
+    r = await client.get("/auth/api/v1/user-info")
+    assert r.status_code == 200
+    assert r.json() == {
+        "username": "some-user",
+        "uid": 2000,
+        "groups": [{"name": "foo", "id": 1222}],
+    }
+
+    # Check that the headers returned by the auth endpoint are also correct.
+    r = await client.get("/auth", params={"scope": "read:all"})
+    assert r.status_code == 200
+    assert r.headers["X-Auth-Request-User"] == "some-user"
+    assert "X-Auth-Request-Email" not in r.headers
+
+
 @pytest.mark.asyncio
 async def test_invalidate_cache(
     tmp_path: Path,