// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.ldap;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountVO;
import com.cloud.user.Account;
import com.cloud.user.User;
import com.cloud.user.UserAccount;
import com.cloud.user.UserAccountVO;
import com.cloud.user.dao.UserAccountDao;
import com.cloud.utils.Pair;
import org.apache.cloudstack.auth.UserAuthenticator;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.Matchers.anyLong;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.when;
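@RunWith(MockitoJUnitRunner.class)
public class LdapAuthenticatorTest {

    @Mock
    LdapManager ldapManager;

    @Mock
    UserAccountDao userAccountDao;

    @Mock
    AccountManager accountManager;

    // The runner replaces this field with a mock, so no initializer is needed.
    @Mock
    UserAccount user;

    @InjectMocks
    LdapAuthenticator ldapAuthenticator = new LdapAuthenticator();

    private final String username = "bbanner";
    private final String principal = "cd=bbanner";
    // Password used by the tests; the LDAP bind itself is mocked, so its value only
    // matters for matching the canAuthenticate() stub.
    private final String hardcoded = "password";
    private final Long domainId = 1L;

    /**
     * A user whose source is NATIVE must not be authenticated against LDAP.
     *
     * Expects a failed result with no follow-up action, i.e. the LDAP authenticator
     * declines the request instead of reporting a wrong password.
     */
    @Test
    public void authenticateAsNativeUser() throws Exception {
        final UserAccountVO nativeUser = new UserAccountVO();
        nativeUser.setSource(User.Source.NATIVE);
        // lenient(): strict stubbing would fail the test if this lookup were not reached.
        lenient().when(userAccountDao.getUserAccount(username, domainId)).thenReturn(nativeUser);

        Pair<Boolean, UserAuthenticator.ActionOnFailedAuthentication> rc =
                ldapAuthenticator.authenticate(username, "password", domainId, (Map<String, Object[]>) null);

        assertFalse("authentication succeeded when it should have failed", rc.first());
        assertNull("We should not have tried to authenticate", rc.second());
    }

    /**
     * An LDAP user exists but canAuthenticate() is not stubbed, so the mock reports a
     * failed bind. The failure must be reported as an incorrect login attempt.
     */
    @Test
    public void authenticateWithoutAccount() throws Exception {
        LdapUser ldapUser = new LdapUser(username, "a@b", "b", "banner", principal, "", false, null);
        when(ldapManager.getUser(username, domainId)).thenReturn(ldapUser);

        Pair<Boolean, UserAuthenticator.ActionOnFailedAuthentication> rc =
                ldapAuthenticator.authenticate(username, "password", domainId, user);

        assertFalse("authentication succeeded when it should have failed", rc.first());
        assertEquals("a failed LDAP login must be counted as an incorrect attempt",
                UserAuthenticator.ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT, rc.second());
    }

    /**
     * Same failure case, but for a user whose LDAP group is linked to a domain account
     * via a trust map. Group membership, the mapped groups and the linked account are
     * all stubbed; canAuthenticate() is left unstubbed so the bind fails.
     */
    @Test
    public void authenticateFailingOnSyncedAccount() throws Exception {
        List<String> memberships = new ArrayList<>();
        memberships.add("g1");

        List<String> mappedGroups = new ArrayList<>();
        mappedGroups.add("g1");
        mappedGroups.add("g2");

        LdapUser ldapUser = new LdapUser(username, "a@b", "b", "banner", principal, "", false, null);
        LdapUser userSpy = spy(ldapUser);
        when(userSpy.getMemberships()).thenReturn(memberships);

        List<LdapTrustMapVO> maps = new ArrayList<>();
        LdapAuthenticator auth = spy(ldapAuthenticator);
        when(auth.getMappedGroups(maps)).thenReturn(mappedGroups);

        LdapTrustMapVO trustMap =
                new LdapTrustMapVO(domainId, LdapManager.LinkType.GROUP, "cn=name", Account.Type.DOMAIN_ADMIN, 1L);
        AccountVO account =
                new AccountVO("accountName", domainId, "domain.net", Account.Type.DOMAIN_ADMIN, "final String uuid");

        when(accountManager.getAccount(anyLong())).thenReturn(account);
        when(ldapManager.getUser(username, domainId)).thenReturn(userSpy);
        when(ldapManager.getLinkedLdapGroup(domainId, "g1")).thenReturn(trustMap);

        Pair<Boolean, UserAuthenticator.ActionOnFailedAuthentication> rc =
                auth.authenticate(username, "password", domainId, user, maps);

        assertFalse("authentication succeeded when it should have failed", rc.first());
        assertEquals("a failed LDAP login must be counted as an incorrect attempt",
                UserAuthenticator.ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT, rc.second());
    }

    /**
     * Happy path: canAuthenticate() is stubbed to accept the user's principal and
     * password, so authenticate() must succeed and carry no failure action.
     */
    @Test
    public void authenticate() throws Exception {
        LdapUser ldapUser = new LdapUser(username, "a@b", "b", "banner", principal, "", false, null);
        when(ldapManager.getUser(username, domainId)).thenReturn(ldapUser);
        when(ldapManager.canAuthenticate(principal, hardcoded, domainId)).thenReturn(true);

        Pair<Boolean, UserAuthenticator.ActionOnFailedAuthentication> rc =
                ldapAuthenticator.authenticate(username, hardcoded, domainId, user);

        assertTrue("authentication failed when it should have succeeded", rc.first());
        assertNull("a successful login must not carry a failure action", rc.second());
    }
}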