Merge pull request #12105 from liggitt/ldap-fix

Merged by openshift-bot

Author: OpenShift Bot

Godeps/Godeps.json

@@ -105,10 +105,15 @@ type LDAPQueryOnAttribute struct {
 // the attribute to be filtered as well as any attributes that need to be recovered
 func (o *LDAPQueryOnAttribute) NewSearchRequest(attributeValue string, attributes []string) (*ldap.SearchRequest, error) {
 	if strings.EqualFold(o.QueryAttribute, "dn") {
-		if _, err := ldap.ParseDN(attributeValue); err != nil {
+		dn, err := ldap.ParseDN(attributeValue)
+		if err != nil {
 			return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)
 		}
-		if !strings.Contains(attributeValue, o.BaseDN) {
+		baseDN, err := ldap.ParseDN(o.BaseDN)
+		if err != nil {
+			return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)
+		}
+		if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
 			return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
 		}
 		return o.buildDNQuery(attributeValue, attributes), nil

pkg/auth/ldaputil/query.go

@@ -2,6 +2,7 @@ package testclient
 
 import (
 	"crypto/tls"
+	"time"
 
 	"gopkg.in/ldap.v2"
 )
@@ -95,6 +96,10 @@ func (c *Fake) SearchWithPaging(searchRequest *ldap.SearchRequest, pagingSize ui
 	return c.SearchResponse, nil
 }
 
+// SetTimeout sets a timeout on the client
+func (c *Fake) SetTimeout(d time.Duration) {
+}
+
 // NewMatchingSearchErrorClient returns a new MatchingSearchError client sitting on top of the parent
 // client. This client returns the given error when a search base DN matches the given base DN, and
 // defers to the parent otherwise.

pkg/auth/ldaputil/testclient/testclient.go

@@ -67,8 +67,8 @@ func TestGroupEntryFor(t *testing.T) {
 		},
 		{
 			name:           "search request error",
-			baseDNOverride: "otherBaseDN",
-			expectedError:  ldaputil.NewQueryOutOfBoundsError("cn=testGroup,ou=groups,dc=example,dc=com", "otherBaseDN"),
+			baseDNOverride: "dc=foo",
+			expectedError:  ldaputil.NewQueryOutOfBoundsError("cn=testGroup,ou=groups,dc=example,dc=com", "dc=foo"),
 			expectedEntry:  nil,
 		},
 		{

pkg/cmd/admin/groups/sync/ad/augmented_ldapinterface_test.go

@@ -192,8 +192,8 @@ func TestGroupEntryFor(t *testing.T) {
 		},
 		{
 			name:                "search request failure",
-			queryBaseDNOverride: "otherBaseDN",
-			expectedError:       ldaputil.NewQueryOutOfBoundsError("cn=testGroup,ou=groups,dc=example,dc=com", "otherBaseDN"),
+			queryBaseDNOverride: "dc=foo",
+			expectedError:       ldaputil.NewQueryOutOfBoundsError("cn=testGroup,ou=groups,dc=example,dc=com", "dc=foo"),
 			expectedEntry:       nil,
 		},
 		{
@@ -312,8 +312,8 @@ func TestUserEntryFor(t *testing.T) {
 		},
 		{
 			name:                "search request failure",
-			queryBaseDNOverride: "otherBaseDN",
-			expectedError:       ldaputil.NewQueryOutOfBoundsError("cn=testUser,ou=users,dc=example,dc=com", "otherBaseDN"),
+			queryBaseDNOverride: "dc=foo",
+			expectedError:       ldaputil.NewQueryOutOfBoundsError("cn=testUser,ou=users,dc=example,dc=com", "dc=foo"),
 			expectedEntry:       nil,
 		},
 		{