src/test/directoryserver-test.js

/* jslint node:true */
/* global it:false */
/* global describe:false */
/* global before:false */
/* global after:false */

'use strict';

const async = require('async'),
    common = require('./common.js'),
    constants = require('../constants.js'),
    directoryServer = require('../directoryserver.js'),
    expect = require('expect.js'),
    groups = require('../groups.js'),
    ldap = require('ldapjs'),
    safe = require('safetydance'),
    settings = require('../settings.js');

async function ldapBind(dn, password) {
    return new Promise((resolve, reject) => {
        const client = ldap.createClient({ url: 'ldaps://127.0.0.1:' + constants.USER_DIRECTORY_LDAPS_PORT, tlsOptions: { rejectUnauthorized: false }});

        client.on('error', reject);

        client.bind(dn, password, function (error) {
            client.unbind();

            if (error) reject(error);
            resolve();
        });
    });
}

// ldapsearch -LLL -E pr=10/noprompt -x -h localhost -p 3002 -b cn=userName0@example.com,ou=mailboxes,dc=cloudron objectclass=mailbox
async function ldapSearch(dn, opts, auth) {
    return new Promise((resolve, reject) => {
        const client = ldap.createClient({ url: 'ldaps://127.0.0.1:' + constants.USER_DIRECTORY_LDAPS_PORT, tlsOptions: { rejectUnauthorized: false }});

        function bindAuth(callback) {
            if (!auth) return callback();

            client.on('error', callback);
            client.bind(auth.dn, auth.secret, callback);
        }

        bindAuth(function (error) {
            if (error) return reject(error);

            client.search(dn, opts, function (error, result) {
                if (error) return reject(error);

                let entries = [];

                result.on('searchEntry', function (entry) { entries.push(entry.object); });

                result.on('error', function (error) {
                    client.unbind();
                    reject(error);
                });

                result.on('end', function (result) {
                    if (result.status !== 0) return reject(new Error(`Unexpected status: ${result.status}`));
                    resolve(entries);
                });
            });
        });
    });

}

describe('Directory Server (LDAP)', function () {
    const { setup, cleanup, admin, user, app, domain } = common;
    let group, group2;
    const mockApp = Object.assign({}, app);
    const auth = {
        dn: constants.USER_DIRECTORY_LDAP_DN,
        secret: 'ldapsecret'
    };

    before(function (done) {
        async.series([
            setup,
            directoryServer.start.bind(null),
            directoryServer.setConfig.bind(null, { enabled: true, secret: auth.secret, allowlist: '127.0.0.1' }),
            async () => {
                group = await groups.add({ name: 'ldap-test-1' });
                await groups.setMembers(group.id, [ admin.id, user.id ]);
            },
            async () => {
                group2 = await groups.add({ name: 'ldap-test-2' });
                await groups.setMembers(group2.id, [ admin.id ]);
            }
        ], done);
    });

    after(function (done) {
        async.series([
            directoryServer.stop,
            cleanup
        ], done);
    });

    describe('user bind', function () {
        it('cn= fails for nonexisting user', async function () {
            const [error] = await safe(ldapBind('cn=doesnotexist,ou=users,dc=cloudron', 'password'));
            expect(error).to.be.a(ldap.NoSuchObjectError);
        });

        it('cn= fails with wrong password', async function () {
            const [error] = await safe(ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, 'wrongpassword'));
            expect(error).to.be.a(ldap.InvalidCredentialsError);
        });

        it('cn= succeeds with id', async function () {
            await ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, admin.password);
        });

        it('cn= succeeds with username', async function () {
            await ldapBind(`cn=${admin.username},ou=users,dc=cloudron`, admin.password);
        });

        it('cn= succeeds with email', async function () {
            await ldapBind(`cn=${admin.email},ou=users,dc=cloudron`, admin.password);
        });

        it('mail= fails with bad email', async function () {
            const [error] = await safe(ldapBind('mail=random,ou=users,dc=cloudron', admin.password));
            expect(error).to.be.a(ldap.NoSuchObjectError);
        });

        it('mail= succeeds with email', async function () {
            await ldapBind(`mail=${admin.email},ou=users,dc=cloudron`, admin.password);
        });
    });

    describe('search users', function () {
        it('fails without auth', async function () {
            const [error] = await safe(ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }));
            expect(error).to.be.a(ldap.InsufficientAccessRightsError);
        });

        it('fails with wrong auth DN', async function () {
            const [error] = await safe(ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }, { dn: 'cn=doesnotexist,ou=system,dc=cloudron', secret: 'ldapsecret' }));
            expect(error).to.be.a(ldap.InvalidCredentialsError);
        });

        it('fails with wrong auth secret', async function () {
            const [error] = await safe(ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }, { dn: 'cn=admin,ou=system,dc=cloudron', secret: 'wrongldapsecret' }));
            expect(error).to.be.a(ldap.InvalidCredentialsError);
        });

        it('fails for non existing tree', async function () {
            const [error] = await safe(ldapSearch('o=example', { filter: '(&(l=Seattle)(email=*@' + domain.domain + '))' }, auth));
            expect(error).to.be.a(ldap.NoSuchObjectError);
        });

        it('succeeds with basic filter', async function () {
            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }, auth);
            expect(entries.length).to.equal(2);
            entries.sort(function (a, b) { return a.username > b.username; });
            expect(entries[0].username).to.equal(admin.username.toLowerCase());
            expect(entries[0].mail).to.equal(admin.email.toLowerCase());
            expect(entries[1].username).to.equal(user.username.toLowerCase());
            expect(entries[1].mail).to.equal(user.email.toLowerCase());
        });

        it('succeeds with pagination', async function () {
            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person', paged: true }, auth);
            expect(entries.length).to.equal(2);
            entries.sort(function (a, b) { return a.username > b.username; });
            expect(entries[0].username).to.equal(admin.username.toLowerCase());
            expect(entries[0].mail).to.equal(admin.email.toLowerCase());
            expect(entries[1].username).to.equal(user.username.toLowerCase());
            expect(entries[1].mail).to.equal(user.email.toLowerCase());
        });

        it('succeeds with username wildcard filter', async function () {
            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=*)' }, auth);
            expect(entries.length).to.equal(2);
            entries.sort(function (a, b) { return a.username > b.username; });
            expect(entries[0].username).to.equal(admin.username.toLowerCase());
            expect(entries[1].username).to.equal(user.username.toLowerCase());
        });

        it('succeeds with username filter', async function () {
            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=' + admin.username + ')' }, auth);
            expect(entries.length).to.equal(1);
            expect(entries[0].username).to.equal(admin.username.toLowerCase());
            expect(entries[0].memberof.length).to.equal(2);
        });
    });

    describe('group search', function () {
        it('fails without auth', async function () {
            const [error] = await safe(ldapSearch('ou=groups,dc=cloudron', { filter: 'objectcategory=group' }));
            expect(error).to.be.a(ldap.InsufficientAccessRightsError);
        });

        it('fails with wrong auth DN', async function () {
            const [error] = await safe(ldapSearch('ou=groups,dc=cloudron', { filter: 'objectcategory=group' }, { dn: 'cn=doesnotexist,ou=system,dc=cloudron', secret: 'ldapsecret' }));
            expect(error).to.be.a(ldap.InvalidCredentialsError);
        });

        it('fails with wrong auth secret', async function () {
            const [error] = await safe(ldapSearch('ou=groups,dc=cloudron', { filter: 'objectcategory=group' }, { dn: 'cn=admin,ou=system,dc=cloudron', secret: 'wrongldapsecret' }));
            expect(error).to.be.a(ldap.InvalidCredentialsError);
        });

        it('succeeds with basic filter', async function () {
            mockApp.accessRestriction = null;

            const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: 'objectclass=group' }, auth);
            expect(entries.length).to.equal(2);

            // ensure order for testability
            entries.sort(function (a, b) { return a.cn < b.cn; });

            expect(entries[0].cn).to.equal('ldap-test-1');
            expect(entries[0].memberuid.length).to.equal(2);
            expect(entries[0].memberuid).to.contain(admin.id);
            expect(entries[0].memberuid).to.contain(user.id);
            expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);

            expect(entries[1].cn).to.equal('ldap-test-2');
            expect(entries[1].memberuid).to.equal(admin.id);
            expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
        });

        it ('succeeds with cn wildcard filter', async function () {
            const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(cn=*)' }, auth);
            expect(entries.length).to.equal(2);

            // ensure order for testability
            entries.sort(function (a, b) { return a.cn < b.cn; });

            expect(entries[0].cn).to.equal('ldap-test-1');
            expect(entries[0].memberuid.length).to.equal(2);
            expect(entries[0].memberuid).to.contain(admin.id);
            expect(entries[0].memberuid).to.contain(user.id);
            expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);

            expect(entries[1].cn).to.equal('ldap-test-2');
            expect(entries[1].memberuid).to.equal(admin.id);
            expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
        });

        it('succeeds with memberuid filter', async function () {
            const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(memberuid=' + user.id + ')' }, auth);
            expect(entries.length).to.equal(1);

            // ensure order for testability
            entries.sort(function (a, b) { return a.cn < b.cn; });

            expect(entries[0].cn).to.equal('ldap-test-1');
            expect(entries[0].memberuid.length).to.equal(2);
            expect(entries[0].memberuid).to.contain(admin.id);
            expect(entries[0].memberuid).to.contain(user.id);
            expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
        });

        it ('succeeds with pagination', async function () {
            mockApp.accessRestriction = null;
            const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: 'objectclass=group', paged: true }, auth);
            expect(entries.length).to.equal(2);

            // ensure order for testability
            entries.sort(function (a, b) { return a.cn < b.cn; });

            expect(entries[0].cn).to.equal('ldap-test-1');
            expect(entries[0].memberuid.length).to.equal(2);
            expect(entries[0].memberuid).to.contain(admin.id);
            expect(entries[0].memberuid).to.contain(user.id);
            expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);

            expect(entries[1].cn).to.equal('ldap-test-2');
            expect(entries[1].memberuid).to.equal(admin.id);
            expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
            expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
        });
    });
});
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`/* jslint node:true */`
			`/* global it:false */`
			`/* global describe:false */`
			`/* global before:false */`
			`/* global after:false */`

			`'use strict';`

			`const async = require('async'),`
			`common = require('./common.js'),`
			`constants = require('../constants.js'),`
rename user directory to directory server 2022-08-15 19:14:02 +02:00			`directoryServer = require('../directoryserver.js'),`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect = require('expect.js'),`
			`groups = require('../groups.js'),`
			`ldap = require('ldapjs'),`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`safe = require('safetydance'),`
rename user directory to directory server 2022-08-15 19:14:02 +02:00			`settings = require('../settings.js');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`async function ldapBind(dn, password) {`
			`return new Promise((resolve, reject) => {`
Rename exposed ldap to user directory 2022-01-07 14:06:13 +01:00			`const client = ldap.createClient({ url: 'ldaps://127.0.0.1:' + constants.USER_DIRECTORY_LDAPS_PORT, tlsOptions: { rejectUnauthorized: false }});`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`client.on('error', reject);`

			`client.bind(dn, password, function (error) {`
			`client.unbind();`

			`if (error) reject(error);`
			`resolve();`
			`});`
			`});`
			`}`

			`// ldapsearch -LLL -E pr=10/noprompt -x -h localhost -p 3002 -b cn=userName0@example.com,ou=mailboxes,dc=cloudron objectclass=mailbox`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`async function ldapSearch(dn, opts, auth) {`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`return new Promise((resolve, reject) => {`
Rename exposed ldap to user directory 2022-01-07 14:06:13 +01:00			`const client = ldap.createClient({ url: 'ldaps://127.0.0.1:' + constants.USER_DIRECTORY_LDAPS_PORT, tlsOptions: { rejectUnauthorized: false }});`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`function bindAuth(callback) {`
			`if (!auth) return callback();`

			`client.on('error', callback);`
			`client.bind(auth.dn, auth.secret, callback);`
			`}`

			`bindAuth(function (error) {`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`if (error) return reject(error);`

Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`client.search(dn, opts, function (error, result) {`
			`if (error) return reject(error);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`let entries = [];`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`result.on('searchEntry', function (entry) { entries.push(entry.object); });`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`result.on('error', function (error) {`
			`client.unbind();`
			`reject(error);`
			`});`

			`result.on('end', function (result) {`
			if (result.status !== 0) return reject(new Error(`Unexpected status: ${result.status}`));
			`resolve(entries);`
			`});`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`});`
			`});`
			`});`

			`}`

ldap server close has no callback 2023-10-01 14:33:19 +05:30			`describe('Directory Server (LDAP)', function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const { setup, cleanup, admin, user, app, domain } = common;`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`let group, group2;`
			`const mockApp = Object.assign({}, app);`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const auth = {`
Rename exposed ldap to user directory 2022-01-07 14:06:13 +01:00			`dn: constants.USER_DIRECTORY_LDAP_DN,`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`secret: 'ldapsecret'`
			`};`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`before(function (done) {`
			`async.series([`
			`setup,`
rename user directory to directory server 2022-08-15 19:14:02 +02:00			`directoryServer.start.bind(null),`
settings: move directory server config to it's own route 2023-08-03 02:26:11 +05:30			`directoryServer.setConfig.bind(null, { enabled: true, secret: auth.secret, allowlist: '127.0.0.1' }),`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`async () => {`
			`group = await groups.add({ name: 'ldap-test-1' });`
			`await groups.setMembers(group.id, [ admin.id, user.id ]);`
			`},`
			`async () => {`
			`group2 = await groups.add({ name: 'ldap-test-2' });`
			`await groups.setMembers(group2.id, [ admin.id ]);`
			`}`
			`], done);`
			`});`

			`after(function (done) {`
			`async.series([`
rename user directory to directory server 2022-08-15 19:14:02 +02:00			`directoryServer.stop,`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`cleanup`
			`], done);`
			`});`

			`describe('user bind', function () {`
			`it('cn= fails for nonexisting user', async function () {`
			`const [error] = await safe(ldapBind('cn=doesnotexist,ou=users,dc=cloudron', 'password'));`
			`expect(error).to.be.a(ldap.NoSuchObjectError);`
			`});`

			`it('cn= fails with wrong password', async function () {`
			const [error] = await safe(ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, 'wrongpassword'));
			`expect(error).to.be.a(ldap.InvalidCredentialsError);`
			`});`

			`it('cn= succeeds with id', async function () {`
			await ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, admin.password);
			`});`

			`it('cn= succeeds with username', async function () {`
			await ldapBind(`cn=${admin.username},ou=users,dc=cloudron`, admin.password);
			`});`

			`it('cn= succeeds with email', async function () {`
			await ldapBind(`cn=${admin.email},ou=users,dc=cloudron`, admin.password);
			`});`

			`it('mail= fails with bad email', async function () {`
			`const [error] = await safe(ldapBind('mail=random,ou=users,dc=cloudron', admin.password));`
			`expect(error).to.be.a(ldap.NoSuchObjectError);`
			`});`

			`it('mail= succeeds with email', async function () {`
			await ldapBind(`mail=${admin.email},ou=users,dc=cloudron`, admin.password);
			`});`
			`});`

			`describe('search users', function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`it('fails without auth', async function () {`
			`const [error] = await safe(ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }));`
			`expect(error).to.be.a(ldap.InsufficientAccessRightsError);`
			`});`

			`it('fails with wrong auth DN', async function () {`
			`const [error] = await safe(ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }, { dn: 'cn=doesnotexist,ou=system,dc=cloudron', secret: 'ldapsecret' }));`
			`expect(error).to.be.a(ldap.InvalidCredentialsError);`
			`});`

			`it('fails with wrong auth secret', async function () {`
			`const [error] = await safe(ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }, { dn: 'cn=admin,ou=system,dc=cloudron', secret: 'wrongldapsecret' }));`
			`expect(error).to.be.a(ldap.InvalidCredentialsError);`
			`});`

Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`it('fails for non existing tree', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const [error] = await safe(ldapSearch('o=example', { filter: '(&(l=Seattle)(email=*@' + domain.domain + '))' }, auth));`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(error).to.be.a(ldap.NoSuchObjectError);`
			`});`

			`it('succeeds with basic filter', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' }, auth);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries.length).to.equal(2);`
			`entries.sort(function (a, b) { return a.username > b.username; });`
			`expect(entries[0].username).to.equal(admin.username.toLowerCase());`
			`expect(entries[0].mail).to.equal(admin.email.toLowerCase());`
			`expect(entries[1].username).to.equal(user.username.toLowerCase());`
			`expect(entries[1].mail).to.equal(user.email.toLowerCase());`
			`});`

			`it('succeeds with pagination', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person', paged: true }, auth);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries.length).to.equal(2);`
			`entries.sort(function (a, b) { return a.username > b.username; });`
			`expect(entries[0].username).to.equal(admin.username.toLowerCase());`
			`expect(entries[0].mail).to.equal(admin.email.toLowerCase());`
			`expect(entries[1].username).to.equal(user.username.toLowerCase());`
			`expect(entries[1].mail).to.equal(user.email.toLowerCase());`
			`});`

			`it('succeeds with username wildcard filter', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=*)' }, auth);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries.length).to.equal(2);`
			`entries.sort(function (a, b) { return a.username > b.username; });`
			`expect(entries[0].username).to.equal(admin.username.toLowerCase());`
			`expect(entries[1].username).to.equal(user.username.toLowerCase());`
			`});`

			`it('succeeds with username filter', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=' + admin.username + ')' }, auth);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries.length).to.equal(1);`
			`expect(entries[0].username).to.equal(admin.username.toLowerCase());`
			`expect(entries[0].memberof.length).to.equal(2);`
			`});`
			`});`

			`describe('group search', function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`it('fails without auth', async function () {`
			`const [error] = await safe(ldapSearch('ou=groups,dc=cloudron', { filter: 'objectcategory=group' }));`
			`expect(error).to.be.a(ldap.InsufficientAccessRightsError);`
			`});`

			`it('fails with wrong auth DN', async function () {`
			`const [error] = await safe(ldapSearch('ou=groups,dc=cloudron', { filter: 'objectcategory=group' }, { dn: 'cn=doesnotexist,ou=system,dc=cloudron', secret: 'ldapsecret' }));`
			`expect(error).to.be.a(ldap.InvalidCredentialsError);`
			`});`

			`it('fails with wrong auth secret', async function () {`
			`const [error] = await safe(ldapSearch('ou=groups,dc=cloudron', { filter: 'objectcategory=group' }, { dn: 'cn=admin,ou=system,dc=cloudron', secret: 'wrongldapsecret' }));`
			`expect(error).to.be.a(ldap.InvalidCredentialsError);`
			`});`

Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`it('succeeds with basic filter', async function () {`
			`mockApp.accessRestriction = null;`

Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: 'objectclass=group' }, auth);`
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries.length).to.equal(2);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`// ensure order for testability`
			`entries.sort(function (a, b) { return a.cn < b.cn; });`

Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[0].cn).to.equal('ldap-test-1');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[0].memberuid.length).to.equal(2);`
			`expect(entries[0].memberuid).to.contain(admin.id);`
			`expect(entries[0].memberuid).to.contain(user.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[1].cn).to.equal('ldap-test-2');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[1].memberuid).to.equal(admin.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`});`

			`it ('succeeds with cn wildcard filter', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(cn=*)' }, auth);`
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries.length).to.equal(2);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`// ensure order for testability`
			`entries.sort(function (a, b) { return a.cn < b.cn; });`

Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[0].cn).to.equal('ldap-test-1');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[0].memberuid.length).to.equal(2);`
			`expect(entries[0].memberuid).to.contain(admin.id);`
			`expect(entries[0].memberuid).to.contain(user.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[1].cn).to.equal('ldap-test-2');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[1].memberuid).to.equal(admin.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`});`

			`it('succeeds with memberuid filter', async function () {`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(memberuid=' + user.id + ')' }, auth);`
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries.length).to.equal(1);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`// ensure order for testability`
			`entries.sort(function (a, b) { return a.cn < b.cn; });`

Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[0].cn).to.equal('ldap-test-1');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[0].memberuid.length).to.equal(2);`
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[0].memberuid).to.contain(admin.id);`
			`expect(entries[0].memberuid).to.contain(user.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`});`

			`it ('succeeds with pagination', async function () {`
			`mockApp.accessRestriction = null;`
Implement full exposed ldap auth 2022-01-07 09:57:02 +01:00			`const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: 'objectclass=group', paged: true }, auth);`
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries.length).to.equal(2);`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
			`// ensure order for testability`
			`entries.sort(function (a, b) { return a.cn < b.cn; });`

Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[0].cn).to.equal('ldap-test-1');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[0].memberuid.length).to.equal(2);`
			`expect(entries[0].memberuid).to.contain(admin.id);`
			`expect(entries[0].memberuid).to.contain(user.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${user.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00
Also fixup userdirectory tests 2022-06-03 13:59:21 +02:00			`expect(entries[1].cn).to.equal('ldap-test-2');`
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`expect(entries[1].memberuid).to.equal(admin.id);`
Add direcotry server tests for member and uniquemember attributes 2023-07-31 13:19:42 +02:00			expect(entries[0].member).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
			expect(entries[0].uniquemember).to.contain(`cn=${admin.id},ou=users,dc=cloudron`);
Add exposed ldap tests 2021-12-23 21:31:48 +01:00			`});`
			`});`
			`});`