Add SCIM tests: principal-search dedup, uniqueness conflicts, and missing UserAttribute recovery#764
Conversation
|
SCIMOpenLDAPTestSuite TestSCIMPatchDeactivateAdminReturns409 TestSuites above were modified. TestSuites below use modified code from this PR. |
There was a problem hiding this comment.
Pull request overview
Adds OpenLDAP SCIM validation coverage for recent Rancher SCIM/auth fixes: principal search dedup (no “local” duplicates for SCIM identities), recovery when a user’s UserAttribute is missing, and 409 conflicts on identity-field uniqueness collisions.
Changes:
- Added new SCIM OpenLDAP suite tests covering
/v3/principalsdedup behavior, missing-UserAttributerecovery paths, and 409 conflict enforcement. - Introduced
/v3/principalssearch verification helpers (VerifyPrincipalNotLocal/VerifyPrincipalIsLocal) inactions/kubeapi/scim. - Added an action helper to provision a SCIM user and remove its
UserAttributeto reproduce the “never logged in” state.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
validation/auth/scim/scim_openldap_test.go |
Adds new SCIM OpenLDAP validation tests for dedup, missing-attribute recovery, and uniqueness conflicts. |
actions/kubeapi/scim/verify.go |
Adds helper functions to assert /v3/principals search results are/aren’t local. |
actions/kubeapi/scim/scim.go |
Adds helper to provision a SCIM user and delete its UserAttribute for recovery-path testing. |
| _ = kwait.PollUntilContextTimeout( | ||
| context.Background(), | ||
| defaults.FiveSecondTimeout, | ||
| defaults.OneMinuteTimeout, | ||
| true, | ||
| func(ctx context.Context) (bool, error) { | ||
| principals, err := searchPrincipals(client, name) | ||
| if err != nil { | ||
| callErr = err | ||
| return false, err | ||
| } | ||
| for i := range principals { | ||
| if principals[i].Provider == shepherdauth.LocalAuth.String() { | ||
| localErr = fmt.Errorf("principal search for %q returned a local principal (id=%s, type=%s); externally-provisioned principals must not appear as local", name, principals[i].ID, principals[i].PrincipalType) | ||
| return false, localErr | ||
| } | ||
| } | ||
| return len(principals) > 0, nil | ||
| }, | ||
| ) | ||
| if localErr != nil { | ||
| return localErr | ||
| } | ||
| return callErr | ||
| } |
…missing UserAttribute recovery Covers rancher/rancher #54022 / #55820 / #55220 against OpenLDAP: - /v3/principals no longer returns SCIM-provisioned users/groups as local, and a genuine local user still surfaces as local - PATCH externalId / PUT userName changes that collide with another user return 409 - GET, PUT, PATCH, and group add-member recover from a missing UserAttribute instead of returning 500 Adds action helpers VerifyPrincipalNotLocal / VerifyPrincipalIsLocal and ProvisionSCIMUserWithoutAttribute in actions/kubeapi/scim. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
37c8e36 to
18fac50
Compare
|
SCIMOpenLDAPTestSuite TestSCIMPatchDeactivateAdminReturns409 TestSuites above were modified. TestSuites below use modified code from this PR. |
Problem / Motivation
Adds OpenLDAP SCIM validation coverage for three recently-fixed auth behaviors:
/v3/principalssearch returned SCIM-provisioned users/groups aslocalalongside their external principal (duplicate in cluster-member search).GET/PUT/PATCHand group add-member returned500when a user'sUserAttributewas missing (created on first login/refresh).UpdateUser/PatchUser— changingexternalId/userNameto a value held by another user returns409.Changes
Tests (
validation/auth/scim/scim_openldap_test.go)TestSCIMPrincipalSearchUserNotLocal,TestSCIMPrincipalSearchGroupNotLocal— SCIM user/group not returned aslocal.TestSCIMPrincipalSearchLocalUserIsLocal— a genuine local user still surfaces aslocal(dedup fix does not over-exclude).TestSCIMGetUserMissingUserAttributeReturns200,TestSCIMPutUserMissingUserAttributeReturns200,TestSCIMPatchUserMissingUserAttributeReturns200,TestSCIMGroupAddMemberMissingUserAttribute— handlers recover from a missingUserAttribute(200 / membership recorded) instead of 500.TestSCIMPatchExternalIDConflictReturns409,TestSCIMPutUserNameConflictReturns409— identity-field collisions return 409.Action helpers (
actions/kubeapi/scim/)VerifyPrincipalNotLocal/VerifyPrincipalIsLocal+ sharedsearchPrincipals(verify.go) —/v3/principalssearch assertions.ProvisionSCIMUserWithoutAttribute(scim.go) — creates a SCIM user and removes itsUserAttributeto reproduce the not-yet-logged-in state.Testing
Full
TestSCIMOpenLDAPSuiterun green against a build containing #56081. Build tag:validation.🤖 Generated with Claude Code