add validation to prevent filters on dn lookups

deads2k · deads2k · commit b35a27854106 · 2016-06-02T12:53:58.000-04:00
diff --git a/pkg/cmd/admin/groups/examples/examples_test.go b/pkg/cmd/admin/groups/examples/examples_test.go
@@ -23,6 +23,7 @@ func TestLDAPSyncConfigFixtures(t *testing.T) {
 		fixtures = append(fixtures, schema+"/sync-config-dn-everywhere.yaml")
 		fixtures = append(fixtures, schema+"/sync-config-partially-user-defined.yaml")
 		fixtures = append(fixtures, schema+"/sync-config-user-defined.yaml")
+		fixtures = append(fixtures, schema+"/sync-config-paging.yaml")
 	}
 
 	for _, fixture := range fixtures {
diff --git a/pkg/cmd/server/api/validation/ldap.go b/pkg/cmd/server/api/validation/ldap.go
@@ -2,6 +2,7 @@ package validation
 
 import (
 	"fmt"
+	"strings"
 
 	"gopkg.in/ldap.v2"
 
@@ -111,7 +112,8 @@ func ValidateRFC2307Config(config *api.RFC2307Config) ValidationResults {
 		validationResults.AddErrors(field.Required(field.NewPath("groupMembershipAttributes"), ""))
 	}
 
-	validationResults.Append(ValidateLDAPQuery(config.AllUsersQuery, field.NewPath("usersQuery")))
+	isUserDNQuery := strings.TrimSpace(strings.ToLower(config.UserUIDAttribute)) == "dn"
+	validationResults.Append(validateLDAPQuery(config.AllUsersQuery, field.NewPath("usersQuery"), isUserDNQuery))
 	if len(config.UserUIDAttribute) == 0 {
 		validationResults.AddErrors(field.Required(field.NewPath("userUIDAttribute"), ""))
 	}
@@ -147,7 +149,8 @@ func ValidateAugmentedActiveDirectoryConfig(config *api.AugmentedActiveDirectory
 		validationResults.AddErrors(field.Required(field.NewPath("groupMembershipAttributes"), ""))
 	}
 
-	validationResults.Append(ValidateLDAPQuery(config.AllGroupsQuery, field.NewPath("groupsQuery")))
+	isGroupDNQuery := strings.TrimSpace(strings.ToLower(config.GroupUIDAttribute)) == "dn"
+	validationResults.Append(validateLDAPQuery(config.AllGroupsQuery, field.NewPath("groupsQuery"), isGroupDNQuery))
 	if len(config.GroupUIDAttribute) == 0 {
 		validationResults.AddErrors(field.Required(field.NewPath("groupUIDAttribute"), ""))
 	}
@@ -159,6 +162,9 @@ func ValidateAugmentedActiveDirectoryConfig(config *api.AugmentedActiveDirectory
 }
 
 func ValidateLDAPQuery(query api.LDAPQuery, fldPath *field.Path) ValidationResults {
+	return validateLDAPQuery(query, fldPath, false)
+}
+func validateLDAPQuery(query api.LDAPQuery, fldPath *field.Path, isDNOnly bool) ValidationResults {
 	validationResults := ValidationResults{}
 
 	if _, err := ldap.ParseDN(query.BaseDN); err != nil {
@@ -185,6 +191,13 @@ func ValidateLDAPQuery(query api.LDAPQuery, fldPath *field.Path) ValidationResul
 			"timeout must be equal to or greater than zero"))
 	}
 
+	if isDNOnly {
+		if len(query.Filter) != 0 {
+			validationResults.AddErrors(field.Invalid(fldPath.Child("filter"), query.Filter, `cannot specify a filter when using "dn" as the UID attribute`))
+		}
+		return validationResults
+	}
+
 	if _, err := ldap.CompileFilter(query.Filter); err != nil {
 		validationResults.AddErrors(field.Invalid(fldPath.Child("filter"), query.Filter,
 			fmt.Sprintf("invalid query filter: %v", err)))
diff --git a/test/extended/authentication/ldap/augmented-ad/sync-config-dn-everywhere.yaml b/test/extended/authentication/ldap/augmented-ad/sync-config-dn-everywhere.yaml
@@ -14,6 +14,5 @@ augmentedActiveDirectory:
         baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
         scope: sub
         derefAliases: never
-        filter: (objectclass=groupOfNames)
     groupUIDAttribute: dn
     groupNameAttributes: [ dn ]
diff --git a/test/extended/authentication/ldap/augmented-ad/sync-config-paging.yaml b/test/extended/authentication/ldap/augmented-ad/sync-config-paging.yaml
@@ -15,7 +15,6 @@ augmentedActiveDirectory:
         baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
         scope: sub
         derefAliases: never
-        filter: (objectclass=groupOfNames)
         pageSize: 1
     groupUIDAttribute: dn
     groupNameAttributes: [ cn ]
diff --git a/test/extended/authentication/ldap/augmented-ad/sync-config-partially-user-defined.yaml b/test/extended/authentication/ldap/augmented-ad/sync-config-partially-user-defined.yaml
@@ -17,6 +17,5 @@ augmentedActiveDirectory:
     baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
     scope: sub
     derefAliases: never
-    filter: (objectclass=groupOfNames)
   groupUIDAttribute: dn
   groupNameAttributes: [ cn ]
diff --git a/test/extended/authentication/ldap/augmented-ad/sync-config-user-defined.yaml b/test/extended/authentication/ldap/augmented-ad/sync-config-user-defined.yaml
@@ -18,6 +18,5 @@ augmentedActiveDirectory:
     baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
     scope: sub
     derefAliases: never
-    filter: (objectclass=groupOfNames)
   groupUIDAttribute: dn
   groupNameAttributes: [ cn ]
diff --git a/test/extended/authentication/ldap/augmented-ad/sync-config.yaml b/test/extended/authentication/ldap/augmented-ad/sync-config.yaml
@@ -14,6 +14,5 @@ augmentedActiveDirectory:
         baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
         scope: sub
         derefAliases: never
-        filter: (objectclass=groupOfNames)
     groupUIDAttribute: dn
     groupNameAttributes: [ cn ]
diff --git a/test/extended/authentication/ldap/rfc2307/sync-config-dn-everywhere.yaml b/test/extended/authentication/ldap/rfc2307/sync-config-dn-everywhere.yaml
@@ -15,6 +15,5 @@ rfc2307:
         baseDN: "ou=people,ou=rfc2307,dc=example,dc=com"
         scope: sub
         derefAliases: never
-        filter: (objectclass=inetOrgPerson)
     userUIDAttribute: dn
     userNameAttributes: [ dn ]
diff --git a/test/extended/authentication/ldap/rfc2307/sync-config-paging.yaml b/test/extended/authentication/ldap/rfc2307/sync-config-paging.yaml
@@ -16,7 +16,6 @@ rfc2307:
         baseDN: "ou=people,ou=rfc2307,dc=example,dc=com"
         scope: sub
         derefAliases: never
-        filter: (objectclass=inetOrgPerson)
         pageSize: 1
     userUIDAttribute: dn
     userNameAttributes: [ mail ]
diff --git a/test/extended/authentication/ldap/rfc2307/sync-config-partially-user-defined.yaml b/test/extended/authentication/ldap/rfc2307/sync-config-partially-user-defined.yaml
@@ -18,6 +18,5 @@ rfc2307:
     baseDN: "ou=people,ou=rfc2307,dc=example,dc=com"
     scope: sub
     derefAliases: never
-    filter: (objectclass=inetOrgPerson)
   userUIDAttribute: dn
   userNameAttributes: [ mail ]
diff --git a/test/extended/authentication/ldap/rfc2307/sync-config-user-defined.yaml b/test/extended/authentication/ldap/rfc2307/sync-config-user-defined.yaml
@@ -19,6 +19,5 @@ rfc2307:
     baseDN: "ou=people,ou=rfc2307,dc=example,dc=com"
     scope: sub
     derefAliases: never
-    filter: (objectclass=inetOrgPerson)
   userUIDAttribute: dn
   userNameAttributes: [ mail ]
diff --git a/test/extended/authentication/ldap/rfc2307/sync-config.yaml b/test/extended/authentication/ldap/rfc2307/sync-config.yaml
@@ -15,6 +15,5 @@ rfc2307:
         baseDN: "ou=people,ou=rfc2307,dc=example,dc=com"
         scope: sub
         derefAliases: never
-        filter: (objectclass=inetOrgPerson)
     userUIDAttribute: dn
     userNameAttributes: [ mail ]

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ func TestLDAPSyncConfigFixtures(t *testing.T) {`
`23`	`23`	`fixtures = append(fixtures, schema+"/sync-config-dn-everywhere.yaml")`
`24`	`24`	`fixtures = append(fixtures, schema+"/sync-config-partially-user-defined.yaml")`
`25`	`25`	`fixtures = append(fixtures, schema+"/sync-config-user-defined.yaml")`
	`26`	`+ fixtures = append(fixtures, schema+"/sync-config-paging.yaml")`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`for _, fixture := range fixtures {`