-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAP: Support Account Attribute Maps #4788
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One nit, otherwise this looks great. Please also add a changelog entry for this
if aam.ToAttribute == DefaultEmailAttribute { | ||
emailAttr = aam.FromAttribute | ||
} | ||
if aam.ToAttribute == DefaultFullNameAttribute { | ||
fullNameAttr = aam.FromAttribute | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: have a switch here, possibly even include a default that returns an error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should error if we get an unexpected attribute from the LDAP server - We should just ignore it, otherwise we could get into a situation where, for example, an LDAP setup for multiple downstream services could be incompatible with Boundary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe convertAccountAttributeMaps
calls ConvertToAccountToAttribute
which will validate the attribs and error if there's an unexpected one.
There's also a column constraint to_attribute_valid_values
that validates the
valid values in the db.
Given these two constraints, it seems reasonable for us to have a switch here that
explicity returns an error before sending an invalid transaction to the db.
if aam.ToAttribute == DefaultEmailAttribute { | ||
emailAttr = aam.FromAttribute | ||
} | ||
if aam.ToAttribute == DefaultFullNameAttribute { | ||
fullNameAttr = aam.FromAttribute | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe convertAccountAttributeMaps
calls ConvertToAccountToAttribute
which will validate the attribs and error if there's an unexpected one.
There's also a column constraint to_attribute_valid_values
that validates the
valid values in the db.
Given these two constraints, it seems reasonable for us to have a switch here that
explicity returns an error before sending an invalid transaction to the db.
@jimlambrt Wouldn't that default case essentially be dead code? The pre-requisite for this new code to run is that |
A few things come to mind. First, you have no tests which ensure that |
I wasn't able to write a test to this unfortunately. The account map test state required to produce an error is invalid at multiple levels (
This is very fair - With depth and defense patterns in mind, should we handle and surface the error from ie:
|
@jimlambrt See changes with 6d8dd73 |
Let me know when you're ready for re-review. |
@jimlambrt Ready to re-review - I was able to write that test we talked about using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ty!
This PR enables CLI support for account attribute maps and also takes the LDAP server's user attributes into account when authenticating with an LDAP auth method