fleet/server/fleet/sessions_test.go
Lucas Manuel Rodriguez 33d61044b5
Change role of existing users only if SSO attributes are present in the SAMLResponse (#11966)
#10784

The removal of the now deprecated `sso_settings.enable_jit_role_sync`
config will be tackled in: #10688.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 17:49:59 -03:00


package fleet
import (
"testing"
"github.com/fleetdm/fleet/v4/server/ptr"
"github.com/stretchr/testify/require"
)
// TestRolesFromSSOAttributes drives RolesFromSSOAttributes through a table of
// SAML attribute sets and checks both the returned SSORolesInfo and whether an
// error is expected.
//
// The table pins down the following expectations on the parser:
//   - attributes with unrecognised names are ignored;
//   - a global role and a team role in the same response is an error;
//   - a team attribute whose suffix is not a numeric team ID is an error;
//   - role values outside the known set ("administrator") are rejected;
//   - the same team listed twice is rejected;
//   - an attribute carrying several values uses the last one;
//   - the literal value "null" is treated as "not set";
//   - an attribute with an empty value list is an error.
func TestRolesFromSSOAttributes(t *testing.T) {
	// attr builds a SAMLAttribute from a name and zero or more string
	// values so the table below stays readable. With no values it yields
	// an empty (non-nil) value slice.
	attr := func(name string, values ...string) SAMLAttribute {
		vals := make([]SAMLAttributeValue, 0, len(values))
		for _, v := range values {
			vals = append(vals, SAMLAttributeValue{Value: v})
		}
		return SAMLAttribute{Name: name, Values: vals}
	}

	cases := []struct {
		name       string
		attributes []SAMLAttribute
		wantErr    bool
		want       SSORolesInfo // zero value when the call is expected to fail
	}{
		{
			name:       "nil",
			attributes: nil,
		},
		{
			name:       "no-role-attributes",
			attributes: []SAMLAttribute{},
		},
		{
			name:       "unknown-key-should-use-default",
			attributes: []SAMLAttribute{attr("foo", "bar")},
		},
		{
			name:       "global-only",
			attributes: []SAMLAttribute{attr(globalUserRoleSSOAttrName, "admin")},
			want:       SSORolesInfo{Global: ptr.String("admin")},
		},
		{
			name: "global-and-unknown",
			attributes: []SAMLAttribute{
				attr(globalUserRoleSSOAttrName, "admin"),
				attr("foo", "bar"),
			},
			want: SSORolesInfo{Global: ptr.String("admin")},
		},
		{
			name: "global-and-team",
			attributes: []SAMLAttribute{
				attr(globalUserRoleSSOAttrName, "admin"),
				attr(teamUserRoleSSOAttrNamePrefix+"5", "observer"),
			},
			wantErr: true,
		},
		{
			name:       "invalid-team-id",
			attributes: []SAMLAttribute{attr(teamUserRoleSSOAttrNamePrefix+"foo", "observer")},
			wantErr:    true,
		},
		{
			name: "all-teams",
			attributes: []SAMLAttribute{
				attr(teamUserRoleSSOAttrNamePrefix+"1", "observer"),
				attr(teamUserRoleSSOAttrNamePrefix+"2", "admin"),
			},
			want: SSORolesInfo{
				Teams: []TeamRole{
					{ID: 1, Role: "observer"},
					{ID: 2, Role: "admin"},
				},
			},
		},
		{
			name: "teams-and-unknown",
			attributes: []SAMLAttribute{
				attr(teamUserRoleSSOAttrNamePrefix+"1", "observer"),
				attr(teamUserRoleSSOAttrNamePrefix+"2", "admin"),
				attr("foo", "bar"),
			},
			want: SSORolesInfo{
				Teams: []TeamRole{
					{ID: 1, Role: "observer"},
					{ID: 2, Role: "admin"},
				},
			},
		},
		{
			name:       "invalid-global-role",
			attributes: []SAMLAttribute{attr(globalUserRoleSSOAttrName, "administrator")},
			wantErr:    true,
		},
		{
			name:       "invalid-team-role",
			attributes: []SAMLAttribute{attr(teamUserRoleSSOAttrNamePrefix+"1", "administrator")},
			wantErr:    true,
		},
		{
			name: "duplicate-teams",
			attributes: []SAMLAttribute{
				attr(teamUserRoleSSOAttrNamePrefix+"1", "observer"),
				attr(teamUserRoleSSOAttrNamePrefix+"1", "admin"),
				attr("foo", "bar"),
			},
			wantErr: true,
		},
		{
			name:       "multi-value-attributes-uses-last",
			attributes: []SAMLAttribute{attr(teamUserRoleSSOAttrNamePrefix+"1", "observer", "admin")},
			want: SSORolesInfo{
				Teams: []TeamRole{{ID: 1, Role: "admin"}},
			},
		},
		{
			name:       "null-value-on-team-attribute-is-ignored",
			attributes: []SAMLAttribute{attr(teamUserRoleSSOAttrNamePrefix+"1", "null")},
		},
		{
			name: "null-attributes-on-global-and-team-are-ignored",
			attributes: []SAMLAttribute{
				attr(globalUserRoleSSOAttrName, "null"),
				attr(teamUserRoleSSOAttrNamePrefix+"2", "null"),
			},
		},
		{
			name: "null-attributes-are-ignored-should-use-the-set-global-attribute",
			attributes: []SAMLAttribute{
				attr(globalUserRoleSSOAttrName, "admin"),
				attr(globalUserRoleSSOAttrName, "null"),
				attr(teamUserRoleSSOAttrNamePrefix+"1", "null"),
			},
			want: SSORolesInfo{Global: ptr.String("admin")},
		},
		{
			name:       "attribute-with-no-values-should-fail",
			attributes: []SAMLAttribute{attr(globalUserRoleSSOAttrName)},
			wantErr:    true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got, err := RolesFromSSOAttributes(tc.attributes)
			if tc.wantErr {
				require.Error(t, err)
			} else {
				require.NoError(t, err)
			}
			// Compared on both paths: when the call fails, the parsed roles
			// are expected to be the zero SSORolesInfo.
			require.Equal(t, tc.want, got)
		})
	}
}