diff --git a/actions/auth/authprovider.go b/actions/auth/authprovider.go
index 7bc55f3f0..79138b900 100644
--- a/actions/auth/authprovider.go
+++ b/actions/auth/authprovider.go
@@ -44,6 +44,8 @@ type AuthConfig struct {
 	NestedUsers []User `yaml:"nestedUsers"`
 	DoubleNestedGroup string `yaml:"doubleNestedGroup"`
 	DoubleNestedUsers []User `yaml:"doubleNestedUsers"`
+	TripleNestedGroup string `yaml:"tripleNestedGroup"`
+	TripleNestedUsers []User `yaml:"tripleNestedUsers"`
 }
 
 // SetupAuthenticatedSession enables the auth provider, logs in as the admin user, and returns a new session and client
diff --git a/validation/auth/provider/activedirectory/activedirectory_test.go b/validation/auth/provider/activedirectory/activedirectory_test.go
index 23d4d3cb9..e29302085 100644
--- a/validation/auth/provider/activedirectory/activedirectory_test.go
+++ b/validation/auth/provider/activedirectory/activedirectory_test.go
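Review bot: TripleNestedGroup is added to AuthConfig but, in the hunks shown, only TripleNestedUsers is ever read (by the two unauthorized-login tests), and neither new field says what relationship to NestedGroup the tests depend on. A short comment on the pair would save the next reader a trip to the README, e.g. `// TripleNestedGroup/TripleNestedUsers: presumably a group nested below DoubleNestedGroup; its members are the ones the required-mode denial tests expect to be refused — confirm against the README group hierarchy`. The openldap README gains the new yaml keys in this diff; if the activedirectory provider has its own README it is not updated here, which is worth checking since activedirectory_test.go consumes the same keys.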
@@ -378,7 +378,67 @@ func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryRestrictedAccessMo
 	require.NoError(a.T(), err, "Failed to rollback access mode")
 }
 
-func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryUnauthorizedLoginDenied() {
+func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryRequiredModeNestedGroupAccess() {
+	subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.ActiveDirectory)
+	require.NoError(a.T(), err, "Failed to setup authenticated test")
+	defer subSession.Cleanup()
+
+	nestedGroupPrincipalID := authactions.GetGroupPrincipalID(
+		authactions.ActiveDirectory,
+		a.authConfig.NestedGroup,
+		a.client.Auth.ActiveDirectory.Config.Users.SearchBase,
+		a.client.Auth.ActiveDirectory.Config.Groups.SearchBase,
+	)
+
+	_, err = rbac.CreateGroupClusterRoleTemplateBinding(
+		authAdmin,
+		a.cluster.ID,
+		nestedGroupPrincipalID,
+		rbac.ClusterMember.String(),
+	)
+	require.NoError(a.T(), err, "Failed to create cluster role binding")
+
+	principalIDs := []string{nestedGroupPrincipalID}
+
+	nestedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+	for _, user := range nestedUsers {
+		userPrincipalID := authactions.GetUserPrincipalID(
+			authactions.ActiveDirectory,
+			user.Username,
+			a.client.Auth.ActiveDirectory.Config.Users.SearchBase,
+			a.client.Auth.ActiveDirectory.Config.Groups.SearchBase,
+		)
+		principalIDs = append(principalIDs, userPrincipalID)
+	}
+
+	newAuthConfig, err := authactions.UpdateAccessMode(
+		a.client,
+		authactions.ActiveDirectory,
+		authactions.AccessModeRequired,
+		principalIDs,
+	)
+	require.NoError(a.T(), err, "Failed to update access mode")
+	require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
+
+	err = authactions.VerifyUserLogins(
+		authAdmin,
+		authactions.ActiveDirectory,
+		nestedUsers,
+		"required access mode with nested groups",
+		true,
+	)
+	require.NoError(a.T(), err, "Nested group members should be able to login")
+
+	_, err = authactions.UpdateAccessMode(
+		a.client,
+		authactions.ActiveDirectory,
+		authactions.AccessModeUnrestricted,
+		nil,
+	)
+	require.NoError(a.T(), err, "Failed to rollback access mode")
+}
+
+func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryRequiredModeUnauthorizedLoginDenied() {
 	subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.ActiveDirectory)
 	require.NoError(a.T(), err, "Failed to setup authenticated test")
 	defer subSession.Cleanup()
@@ -397,7 +457,7 @@ func (a *ActiveDirectoryAuthProviderSuite) TestActiveDirectoryUnauthorizedLoginD
 	require.NoError(a.T(), err, "Failed to update access mode")
 	require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
 
-	unauthorizedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+	unauthorizedUsers := a.authConfig.TripleNestedUsers
 	err = authactions.VerifyUserLogins(authAdmin, authactions.ActiveDirectory, unauthorizedUsers, "required access mode", false)
 	require.NoError(a.T(), err, "Unauthorized users should NOT be able to login")
 
diff --git a/validation/auth/provider/openldap/README.md b/validation/auth/provider/openldap/README.md
index 43de42c54..21e91d950 100644
--- a/validation/auth/provider/openldap/README.md
+++ b/validation/auth/provider/openldap/README.md
@@ -83,6 +83,10 @@ openLdapAuthInput:
   doubleNestedUsers:
     - username: ""
       password: ""
+  tripleNestedGroup: ""
+  tripleNestedUsers:
+    - username: ""
+      password: ""
 ```
 
 ### Group Hierarchy
diff --git a/validation/auth/provider/openldap/openldap_test.go b/validation/auth/provider/openldap/openldap_test.go
index 58a13f894..ad7264e52 100644
--- a/validation/auth/provider/openldap/openldap_test.go
+++ b/validation/auth/provider/openldap/openldap_test.go
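Review bot: TestActiveDirectoryRequiredModeNestedGroupAccess does not show that nested-group membership is what grants access, because the loop after `principalIDs := []string{nestedGroupPrincipalID}` appends each nested user's own principal ID to the list handed to UpdateAccessMode, so the positive VerifyUserLogins check can pass even if the server never resolves membership of NestedGroup through the intermediate groups (assuming required mode is an allow-list of principals). If the point is group-derived access, pass only the group principal and drop the user loop; if individual allow-listing is intentional, the test name and the "Nested group members should be able to login" message overstate what is proved. Separately, the rollback to AccessModeUnrestricted at the end of the function runs only when every require above passes, so a failed assertion leaves the provider in required mode for the rest of the suite; registering the rollback with `t.Cleanup` immediately after the switch to required mode (capturing `t := a.T()` first, since the suite's T may be swapped back by the time cleanups run) avoids that. Both points apply equally to TestOpenLDAPRequiredModeNestedGroupAccess in openldap_test.go.
```go
	t := a.T()
	// … principalIDs declaration and the GetUserPrincipalID loop removed …
	newAuthConfig, err := authactions.UpdateAccessMode(
		a.client,
		authactions.ActiveDirectory,
		authactions.AccessModeRequired,
		[]string{nestedGroupPrincipalID},
	)
	require.NoError(t, err, "Failed to update access mode")
	t.Cleanup(func() {
		_, err := authactions.UpdateAccessMode(a.client, authactions.ActiveDirectory, authactions.AccessModeUnrestricted, nil)
		require.NoError(t, err, "Failed to rollback access mode")
	})
	// … unchanged: require.Equal on AccessMode, VerifyUserLogins and its require; the trailing rollback block at the end of the function is dropped …
```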
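Review bot: The denial check in TestActiveDirectoryRequiredModeUnauthorizedLoginDenied now rests entirely on `unauthorizedUsers := a.authConfig.TripleNestedUsers`, and nothing in the hunk confirms the slice is populated; if tripleNestedUsers is missing from the config, VerifyUserLogins is presumably called with an empty list and the "should NOT be able to login" assertion passes without having denied anyone. Add `require.NotEmpty(a.T(), unauthorizedUsers, "tripleNestedUsers must be configured for this test")` before the VerifyUserLogins call so a misconfigured run fails loudly instead of vacuously. The same applies to the matching hunk in openldap_test.go. The enclosing function starts and ends outside this hunk.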
@@ -378,7 +378,67 @@ func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPRestrictedAccessModeAuthorizedUs
 	require.NoError(a.T(), err, "Failed to rollback access mode")
 }
 
-func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPUnauthorizedLoginDenied() {
+func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPRequiredModeNestedGroupAccess() {
+	subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.OpenLdap)
+	require.NoError(a.T(), err, "Failed to setup authenticated test")
+	defer subSession.Cleanup()
+
+	nestedGroupPrincipalID := authactions.GetGroupPrincipalID(
+		authactions.OpenLdap,
+		a.authConfig.NestedGroup,
+		a.client.Auth.OLDAP.Config.Users.SearchBase,
+		a.client.Auth.OLDAP.Config.Groups.SearchBase,
+	)
+
+	_, err = rbac.CreateGroupClusterRoleTemplateBinding(
+		authAdmin,
+		a.cluster.ID,
+		nestedGroupPrincipalID,
+		rbac.ClusterMember.String(),
+	)
+	require.NoError(a.T(), err, "Failed to create cluster role binding")
+
+	principalIDs := []string{nestedGroupPrincipalID}
+
+	nestedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+	for _, user := range nestedUsers {
+		userPrincipalID := authactions.GetUserPrincipalID(
+			authactions.OpenLdap,
+			user.Username,
+			a.client.Auth.OLDAP.Config.Users.SearchBase,
+			a.client.Auth.OLDAP.Config.Groups.SearchBase,
+		)
+		principalIDs = append(principalIDs, userPrincipalID)
+	}
+
+	newAuthConfig, err := authactions.UpdateAccessMode(
+		a.client,
+		authactions.OpenLdap,
+		authactions.AccessModeRequired,
+		principalIDs,
+	)
+	require.NoError(a.T(), err, "Failed to update access mode")
+	require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
+
+	err = authactions.VerifyUserLogins(
+		authAdmin,
+		authactions.OpenLdap,
+		nestedUsers,
+		"required access mode with nested groups",
+		true,
+	)
+	require.NoError(a.T(), err, "Nested group members should be able to login")
+
+	_, err = authactions.UpdateAccessMode(
+		a.client,
+		authactions.OpenLdap,
+		authactions.AccessModeUnrestricted,
+		nil,
+	)
+	require.NoError(a.T(), err, "Failed to rollback access mode")
+}
+
+func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPRequiredModeUnauthorizedLoginDenied() {
 	subSession, authAdmin, err := authactions.SetupAuthenticatedSession(a.client, a.session, a.adminUser, authactions.OpenLdap)
 	require.NoError(a.T(), err, "Failed to setup authenticated test")
 	defer subSession.Cleanup()
@@ -397,7 +457,7 @@ func (a *OpenLDAPAuthProviderSuite) TestOpenLDAPUnauthorizedLoginDenied() {
 	require.NoError(a.T(), err, "Failed to update access mode")
 	require.Equal(a.T(), authactions.AccessModeRequired, newAuthConfig.AccessMode, "Access mode should be required")
 
-	unauthorizedUsers := slices.Concat(a.authConfig.NestedUsers, a.authConfig.DoubleNestedUsers)
+	unauthorizedUsers := a.authConfig.TripleNestedUsers
 	err = authactions.VerifyUserLogins(authAdmin, authactions.OpenLdap, unauthorizedUsers, "required access mode", false)
 	require.NoError(a.T(), err, "Unauthorized users should NOT be able to login")
 