Check ldap domain as suffix of user login (#6426)

Author: molotkov-and

ydb/core/security/login_shared_func.cpp

@@ -19,9 +19,9 @@ THolder<NSchemeCache::TSchemeCacheNavigate> CreateNavigateKeySetRequest(const TS
 
 TAuthCredentials PrepareCredentials(const TString& login, const TString& password, const NKikimrProto::TAuthConfig& config) {
     if (config.HasLdapAuthentication() && !config.GetLdapAuthenticationDomain().empty()) {
-        size_t n = login.find("@" + config.GetLdapAuthenticationDomain());
-        if (n != TString::npos) {
-            return {.AuthType = TAuthCredentials::EAuthType::Ldap, .Login = login.substr(0, n), .Password = password};
+        const TString domain = "@" + config.GetLdapAuthenticationDomain();
+        if (login.EndsWith(domain)) {
+            return {.AuthType = TAuthCredentials::EAuthType::Ldap, .Login = login.substr(0, login.size() - domain.size()), .Password = password};
         }
     }
     return {.AuthType = TAuthCredentials::EAuthType::Internal, .Login = login, .Password = password};

ydb/services/ydb/ydb_ldap_login_ut.cpp

@@ -378,5 +378,18 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
         loginConnection.Stop();
         ldapServer.Stop();
     }
+
+    Y_UNIT_TEST(LdapAuthSetIncorrectDomain) {
+        TString login = "ldapuser";
+        TString password = "ldapUserPassword";
+        const TString incorrectLdapDomain = "@ldap.domain"; // Correct domain is AuthConfig.LdapAuthenticationDomain: "ldap"
+
+        auto factory = CreateLoginCredentialsProviderFactory({.User = login + incorrectLdapDomain, .Password = password});
+        TLoginClientConnection loginConnection(InitLdapSettings);
+        auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
+        UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "Invalid user");
+
+        loginConnection.Stop();
+    }
 }
 } //namespace NKikimr