Automation Tests for OpenLDAP authentication provider functionality

.gitignore

@@ -3,3 +3,7 @@
 .idea/
 .kube/
 *.pem
+go.mod
+go.sumterraform.tfstate
+terraform.tfstate.backup
+*.tfstate

go.mod

@@ -7,11 +7,11 @@ replace (
 	github.com/crewjam/saml => github.com/rancher/saml v0.4.14-rancher3
 	github.com/docker/distribution => github.com/docker/distribution v2.8.2+incompatible // rancher-machine requires a replace is set
 	github.com/docker/docker => github.com/docker/docker v20.10.27+incompatible // rancher-machine requires a replace is set
-
 	github.com/openshift/api => github.com/openshift/api v0.0.0-20191219222812-2987a591a72c
 	github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20191219222812-2987a591a72c
 	github.com/rancher/rancher/pkg/apis => github.com/rancher/rancher/pkg/apis v0.0.0-20250410003522-2a1bf3d05723
 	github.com/rancher/rancher/pkg/client => github.com/rancher/rancher/pkg/client v0.0.0-20250212213103-5c3550f55322
+	github.com/rancher/shepherd => github.com/dasarinaidu/shepherd v0.0.0-20250729203419-7dc4784cb281
 
 	github.com/rancher/tests/actions => ./actions
 	github.com/rancher/tests/interoperability => ./interoperability

go.sum

@@ -1511,6 +1511,8 @@ github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creasty/defaults v1.5.2 h1:/VfB6uxpyp6h0fr7SPp7n8WJBoV8jfxQXPCnkVSjyls=
 github.com/creasty/defaults v1.5.2/go.mod h1:FPZ+Y0WNrbqOVw+c6av63eyHUAl6pMHZwqLPvXUZGfY=
+github.com/dasarinaidu/shepherd v0.0.0-20250729203419-7dc4784cb281 h1:Oap17Ygp4lI7c8Q7c9vxNtlYjKKgTYUnSSu3k2FZbNs=
+github.com/dasarinaidu/shepherd v0.0.0-20250729203419-7dc4784cb281/go.mod h1:IVVaLrIQ1/1Fk7KTrkhpKFlgaqhh3uv27CokmEhXHJc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -2199,8 +2201,6 @@ github.com/rancher/rancher/pkg/apis v0.0.0-20250410003522-2a1bf3d05723 h1:IVPo5J
 github.com/rancher/rancher/pkg/apis v0.0.0-20250410003522-2a1bf3d05723/go.mod h1:hc8fdG6FIRMmt9DEaolO/AmZku9so2R840mImM5HhD8=
 github.com/rancher/rke v1.8.0-rc.4 h1:jowVyaF3LsJonC7vNsAwWf3MONHAtEFUD/j3UzNSE5U=
 github.com/rancher/rke v1.8.0-rc.4/go.mod h1:x9N1abruzDFMwTpqq2cnaDYpKCptlNoW8VraNWB6Pc4=
-github.com/rancher/shepherd v0.0.0-20250411212007-f3f2fd268849 h1:hxa/Y0LRTx8BzMPxirT9Yg3IZg2YXus7+smLLn5n9tw=
-github.com/rancher/shepherd v0.0.0-20250411212007-f3f2fd268849/go.mod h1:IVVaLrIQ1/1Fk7KTrkhpKFlgaqhh3uv27CokmEhXHJc=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20250306000150-b1a9781accab h1:Ttxt14bAImsWyFrtQZ314GW2DeExrYRNoAb+u9V3RiA=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20250306000150-b1a9781accab/go.mod h1:9gzmXntv/s0sEDBERi/fS58PRt5HFUfZr7niDGsDbAA=
 github.com/rancher/tfp-automation v0.0.0-20250725201905-900dbf2acfc8 h1:MSp9wtMwb8RZJtEu7M2h2Wk+dmTdx/6S8msk4MHScuE=

validation/auth/provider/openldap/README.md

@@ -0,0 +1,82 @@
+# OpenLDAP Authentication Tests
+
+This package contains tests for OpenLDAP authentication provider functionality in Rancher.
+
+## Table of Contents
+- [OpenLDAP Authentication Tests](#openldap-authentication-tests)
+  - [Table of Contents](#table-of-contents)
+  - [Test Coverage](#test-coverage)
+  - [Getting Started](#getting-started)
+  - [Configuration](#configuration)
+  - [Running the Tests](#running-the-tests)
+
+## Test Coverage
+The OpenLDAP authentication tests validate:
+- Authentication provider enable/disable functionality
+- User authentication with different access modes
+- Group membership and nested group inheritance
+- Cluster and project role bindings with LDAP groups
+- Access control modes (unrestricted, restricted, cluster/project members)
+
+## Getting Started
+In your config file, set the following:
+```yaml
+rancher:
+  host: "rancher_server_address"
+  adminToken: "rancher_admin_token"
+  clusterName: "cluster_to_run_tests_on"
+  insecure: true # optional
+  cleanup: false # optional
+```
+
+## Configuration
+Add the OpenLDAP configuration to your config file:
+
+```yaml
+openLDAP:
+  servers: ["your-ldap-server.domain.com"]
+  port: 389
+  tls: false
+  starttls: false
+  insecure: true
+  connectionTimeout: 5000
+  users:
+    searchBase: "ou=users,dc=example,dc=com"
+    admin:
+      username: "admin_username"
+      password: "admin_password"
+    userLoginAttribute: "uid"
+    userNameAttribute: "cn"
+    userSearchAttribute: "uid|sn|givenName"
+    userObjectClass: "inetOrgPerson"
+    userMemberAttribute: "memberOf"
+  serviceAccount:
+    distinguishedName: "cn=admin,dc=example,dc=com"
+    password: "service_account_password"
+  group:
+    groupSearchBase: "ou=groups,dc=example,dc=com"
+    objectClass: "groupOfNames"
+    memberMappingAttribute: "member"
+    nestedGroupMembershipEnabled: true
+    groupNameAttribute: "cn"
+    groupSearchAttribute: "cn"
+    groupDNAttribute: "entryDN"
+    groupMemberUserAttribute: "member"
+  testUsers:
+    users:
+      - username: "testuser1"
+        password: "user_password"
+    nestedUsers:
+      - username: "nesteduser1"
+        password: "user_password"
+    doubleNestedUsers:
+      - username: "doublenesteduser1"
+        password: "user_password"
+  testGroups:
+    group: "parentgroup"
+    nestedGroup: "childgroup"
+    doubleNestedGroup: "grandchildgroup"
+```
+
+## Running the Tests
+These tests utilize Go build tags, set the GO suite to `-run ^TestOpenLDAPAuthProviderSuite$` You can find specific tests by checking the test file you plan to run.

validation/auth/provider/openldap/openldap.go

@@ -0,0 +1,90 @@
+package openldap
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/rancher/shepherd/clients/rancher"
+	"github.com/rancher/shepherd/clients/rancher/auth"
+	v3 "github.com/rancher/shepherd/clients/rancher/generated/management/v3"
+	"github.com/stretchr/testify/require"
+	kwait "k8s.io/apimachinery/pkg/util/wait"
+)
+
+const ConfigurationFileKey = "authInput"
+
+type User struct {
+	Username string `json:"username,omitempty" yaml:"username,omitempty"`
+	Password string `json:"password,omitempty" yaml:"password,omitempty"`
+}
+
+type AuthConfig struct {
+	Group             string `json:"group,omitempty" yaml:"group,omitempty"`
+	Users             []User `json:"users,omitempty" yaml:"users,omitempty"`
+	NestedGroup       string `json:"nestedGroup,omitempty" yaml:"nestedGroup,omitempty"`
+	NestedUsers       []User `json:"nestedUsers,omitempty" yaml:"nestedUsers,omitempty"`
+	DoubleNestedGroup string `json:"doubleNestedGroup,omitempty" yaml:"doubleNestedGroup,omitempty"`
+	DoubleNestedUsers []User `json:"doubleNestedUsers,omitempty" yaml:"doubleNestedUsers,omitempty"`
+}
+
+const (
+	passwordSecretID                     = "cattle-global-data/openldapconfig-serviceaccountpassword"
+	authProvCleanupAnnotationKey         = "management.cattle.io/auth-provider-cleanup"
+	authProvCleanupAnnotationValLocked   = "rancher-locked"
+	authProvCleanupAnnotationValUnlocked = "unlocked"
+)
+
+func waitUntilAnnotationIsUpdated(client *rancher.Client) (*v3.AuthConfig, error) {
+	ldapConfig, err := client.Management.AuthConfig.ByID("openldap")
+	if err != nil {
+		return nil, err
+	}
+
+	err = kwait.PollUntilContextTimeout(context.TODO(), 500*time.Millisecond, 2*time.Minute, true, func(context.Context) (bool, error) {
+		newLDAPConfig, err := client.Management.AuthConfig.ByID("openldap")
+		if err != nil {
+			return false, nil
+		}
+
+		if ldapConfig.Annotations[authProvCleanupAnnotationKey] != newLDAPConfig.Annotations[authProvCleanupAnnotationKey] {
+			ldapConfig = newLDAPConfig
+			return true, nil
+		}
+
+		return false, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return ldapConfig, err
+}
+
+var userEnabled = true
+
+func login(client *rancher.Client, authProvider auth.Provider, user *v3.User) (*rancher.Client, error) {
+	user.Enabled = &userEnabled
+	return client.AsAuthUser(user, authProvider)
+}
+
+func newPrincipalID(authConfigID, principalType, name, searchBase string) string {
+	return fmt.Sprintf("%v_%v://cn=%v,ou=%vs,%v", authConfigID, principalType, name, principalType, searchBase)
+}
+
+func newWithAccessMode(t *testing.T, client *rancher.Client, authConfigID, accessMode string, allowedPrincipalIDs []string) (existing, updates *v3.AuthConfig) {
+	t.Helper()
+
+	existing, err := client.Management.AuthConfig.ByID(authConfigID)
+	require.NoError(t, err)
+
+	updates = existing
+	updates.AccessMode = accessMode
+
+	if allowedPrincipalIDs != nil {
+		updates.AllowedPrincipalIDs = allowedPrincipalIDs
+	}
+
+	return
+}