Implement minimal account linking for LDAP

ref DEV-1815
authgear · Aug 19, 2024 · 34b70d5 · 34b70d5
2 parents 2f15796 + a84e5fa
commit 34b70d5
Show file tree

Hide file tree

Showing 11 changed files with 516 additions and 4 deletions.
diff --git a/e2e/cmd/proxy/mockldap/handlers.go b/e2e/cmd/proxy/mockldap/handlers.go
@@ -55,6 +55,15 @@ var userData = `
     givenName: Duplicated
     sn: User
     mail: [email protected]
+
+- credential:
+    password: mockpassword
+  dn: cn=mock,ou=people,ou=HK,dc=authgear,dc=com
+  uid: mock
+  attributes:
+    givenName: John
+    sn: Doe
+    mail: [email protected]
 `
 
 type LDAPRouteHandler struct {

diff --git a/e2e/tests/account_linking/incoming_ldap_conflicts_login_id.test.yaml b/e2e/tests/account_linking/incoming_ldap_conflicts_login_id.test.yaml
@@ -0,0 +1,60 @@
+name: Account linking - Incoming LDAP - conflicts login ID error
+authgear.yaml:
+  override: |
+    authentication:
+      identities:
+        - login_id
+        - ldap
+    identity:
+      ldap:
+        servers:
+        - name: ldap-server-1
+          url: ldap://127.0.0.1:8389
+          base_dn: dc=authgear,dc=com
+          search_filter_template: (uid={{.Username}})
+          user_id_attribute_name: uid
+    authentication_flow:
+      signup_flows:
+        - name: f1
+          steps:
+            - type: identify
+              one_of:
+              - identification: ldap
+              - identification: email
+before:
+  - type: user_import
+    user_import: email_users.json
+
+steps:
+  - action: "create"
+    input: |
+      {
+        "type": "signup",
+        "name": "f1"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify"
+          }
+        }
+
+  - action: input
+    input: |
+      {
+        "identification": "ldap",
+        "server_name": "ldap-server-1",
+        "username": "mock",
+        "password": "mockpassword"
+      }
+    output:
+      error: |
+        {
+          "reason": "InvariantViolated",
+          "info": {
+            "cause": {
+              "kind": "DuplicatedIdentity"
+            }
+          }
+        }
diff --git a/e2e/tests/account_linking/incoming_ldap_conflicts_oauth.test.yaml b/e2e/tests/account_linking/incoming_ldap_conflicts_oauth.test.yaml
@@ -0,0 +1,63 @@
+name: Account linking - Incoming LDAP - conflicts OAuth error
+authgear.yaml:
+  override: |
+    authentication:
+      identities:
+        - ldap
+        - oauth
+    identity:
+      ldap:
+        servers:
+        - name: ldap-server-1
+          url: ldap://127.0.0.1:8389
+          base_dn: dc=authgear,dc=com
+          search_filter_template: (uid={{.Username}})
+          user_id_attribute_name: uid
+    authentication_flow:
+      signup_flows:
+        - name: f1
+          steps:
+            - type: identify
+              one_of:
+              - identification: ldap
+              - identification: oauth
+before:
+  - type: user_import
+    user_import: google_user.json
+  - type: custom_sql
+    custom_sql:
+      path: google_user.sql
+
+steps:
+  - action: "create"
+    input: |
+      {
+        "type": "signup",
+        "name": "f1"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify"
+          }
+        }
+
+  - action: input
+    input: |
+      {
+        "identification": "ldap",
+        "server_name": "ldap-server-1",
+        "username": "mock",
+        "password": "mockpassword"
+      }
+    output:
+      error: |
+        {
+          "reason": "InvariantViolated",
+          "info": {
+            "cause": {
+              "kind": "DuplicatedIdentity"
+            }
+          }
+        }
diff --git a/e2e/tests/account_linking/incoming_login_id_conflicts_ldap.test.yaml b/e2e/tests/account_linking/incoming_login_id_conflicts_ldap.test.yaml
@@ -0,0 +1,62 @@
+name: Account linking - Incoming Login ID - conflicts LDAP error
+authgear.yaml:
+  override: |
+    authentication:
+      identities:
+        - login_id
+        - ldap
+    identity:
+      login_id:
+        keys:
+        - type: email
+        - type: username
+    account_linking:
+      login_id:
+        - key: email
+          action: error
+          user_profile:
+            pointer: "/email"
+    authentication_flow:
+      signup_flows:
+        - name: f1
+          steps:
+            - type: identify
+              one_of:
+              - identification: ldap
+              - identification: email
+before:
+  - type: custom_sql
+    custom_sql:
+      path: ldap_user.sql
+
+steps:
+  - action: "create"
+    input: |
+      {
+        "type": "signup",
+        "name": "f1"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify"
+          }
+        }
+
+  - action: input
+    input: |
+      {
+        "identification": "email",
+        "login_id": "[email protected]"
+      }
+    output:
+      error: |
+        {
+          "reason": "InvariantViolated",
+          "info": {
+            "cause": {
+              "kind": "DuplicatedIdentity"
+            }
+          }
+        }
diff --git a/e2e/tests/account_linking/incoming_oauth_conflicts_ldap.test.yaml b/e2e/tests/account_linking/incoming_oauth_conflicts_ldap.test.yaml
@@ -0,0 +1,91 @@
+name: Account linking - Incoming OAuth - conflicts LDAP error
+authgear.yaml:
+  override: |
+    authentication:
+      identities:
+        - ldap
+        - oauth
+    identity:
+      oauth:
+        providers:
+          - alias: google
+            client_id: "google"
+            type: google
+    account_linking:
+      oauth:
+        - alias: google
+          action: error
+          oauth_claim:
+            pointer: "/email"
+          user_profile:
+            pointer: "/email"
+    authentication_flow:
+      signup_flows:
+        - name: f1
+          steps:
+            - type: identify
+              one_of:
+              - identification: ldap
+              - identification: oauth
+before:
+  - type: custom_sql
+    custom_sql:
+      path: ldap_user.sql
+
+steps:
+  - action: "create"
+    input: |
+      {
+        "type": "signup",
+        "name": "f1"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify"
+          }
+        }
+
+  - action: input
+    input: |
+      {
+        "identification": "oauth",
+        "alias": "google",
+        "redirect_uri": "http://mock"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify",
+            "data": {
+              "oauth_authorization_url": "[[string]]"
+            }
+          }
+        }
+
+  - action: oauth_redirect
+    to: "{{ .prev.result.action.data.oauth_authorization_url }}"
+    redirect_uri: http://mock
+    output:
+      result: |
+        {
+          "query": "[[string]]"
+        }
+
+  - action: input
+    input: |
+      {
+        "query": "{{ .prev.result.query }}"
+      }
+    output:
+      error: |
+        {
+          "reason": "InvariantViolated",
+          "info": {
+            "cause": {
+              "kind": "DuplicatedIdentity"
+            }
+          }
+        }
diff --git a/e2e/tests/account_linking/ldap_user.sql b/e2e/tests/account_linking/ldap_user.sql
@@ -0,0 +1,83 @@
+{{ $userID := (uuidv4) }}
+{{ $identityID := (uuidv4) }}
+
+INSERT INTO
+  _auth_user (
+    "id",
+    "app_id",
+    "created_at",
+    "updated_at",
+    "last_login_at",
+    "login_at",
+    "is_disabled",
+    "disable_reason",
+    "standard_attributes",
+    "custom_attributes",
+    "is_deactivated",
+    "delete_at",
+    "is_anonymized",
+    "anonymize_at",
+    "anonymized_at",
+    "last_indexed_at",
+    "require_reindex_after"
+  )
+VALUES
+  (
+    '{{ $userID }}',
+    '{{ .AppID }}',
+    NOW(),
+    NOW(),
+    NULL,
+    NOW(),
+    'f',
+    NULL,
+    '{"email": "[email protected]"}',
+    '{}',
+    'f',
+    NULL,
+    'f',
+    NULL,
+    NULL,
+    NOW(),
+    NOW()
+  );
+
+INSERT INTO
+  _auth_identity (
+    "id",
+    "app_id",
+    "type",
+    "user_id",
+    "created_at",
+    "updated_at"
+  )
+VALUES
+  (
+    '{{ $identityID }}',
+    '{{ .AppID }}',
+    'ldap',
+    '{{ $userID }}',
+    NOW(),
+    NOW()
+  );
+
+INSERT INTO
+  _auth_identity_ldap (
+    "id",
+    "app_id",
+    "server_name",
+    "user_id_attribute_name",
+    "user_id_attribute_value",
+    "claims",
+    "raw_entry_json"
+  )
+VALUES
+  (
+    '{{ $identityID }}',
+    '{{ .AppID }}',
+    'ldap-server-1',
+    'uid',
+    'mock',
+    '{"email": "[email protected]"}',
+    '{"dn": "cn=mock,ou=people,ou=HK,dc=authgear,dc=com"}'
+  );
diff --git a/e2e/tests/ldap/users.sql b/e2e/tests/ldap/users.sql
@@ -79,5 +79,5 @@ VALUES
     'uid',
     'jdoe',
     '{"email": "[email protected]"}',
-    '{"dn": "cn=jdoe,ou=people,ou=HK,dc=authgear,dc=com", "uid": "jdoe", "mail": "[email protected]"}'
+    '{"dn": "cn=jdoe,ou=people,ou=HK,dc=authgear,dc=com"}'
   );
diff --git a/pkg/auth/handler/webapp/authflowv2/account_linking.go b/pkg/auth/handler/webapp/authflowv2/account_linking.go
@@ -131,7 +131,7 @@ func (h *AuthflowV2AccountLinkingHandler) ServeHTTP(w http.ResponseWriter, r *ht
 				"redirect_uri": h.Endpoints.SSOCallbackURL(providerAlias).String(),
 			}
 		case config.AuthenticationFlowIdentificationLDAP:
-			// TODO(DEV-1672)
+			// TODO(DEV-1672): Support Account Linking for LDAP
 			panic(fmt.Errorf("To be implemented identifcation option %v", option.Identifcation))
 		default:
 			panic(fmt.Errorf("unsupported identifcation option %v", option.Identifcation))