fix(auth.ldap): skip LdapOptionsValidator when Enabled=false; bump 0.1.1
A disabled LDAP provider's connection fields are inert — don't require Server/SearchBase/ServiceAccountDn at startup when Enabled=false. Surfaced by the MxGateway 1.2 review (dashboard LDAP can be disabled). +1 test.
@@ -5,7 +5,7 @@
|
|||||||
<Nullable>enable</Nullable>
|
<Nullable>enable</Nullable>
|
||||||
<ImplicitUsings>enable</ImplicitUsings>
|
<ImplicitUsings>enable</ImplicitUsings>
|
||||||
<LangVersion>latest</LangVersion>
|
<LangVersion>latest</LangVersion>
|
||||||
<Version>0.1.0</Version>
|
<Version>0.1.1</Version>
|
||||||
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
|
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,9 @@ namespace ZB.MOM.WW.Auth.Ldap;
|
|||||||
/// low-level error on the first real login attempt.
|
/// low-level error on the first real login attempt.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
/// <remarks>
|
/// <remarks>
|
||||||
/// Four conditions are enforced:
|
/// Validation is skipped entirely when <see cref="LdapOptions.Enabled"/> is <c>false</c>
|
||||||
|
/// (a disabled provider's connection fields are inert). When enabled, four conditions
|
||||||
|
/// are enforced:
|
||||||
/// <list type="bullet">
|
/// <list type="bullet">
|
||||||
/// <item>plaintext transport (<see cref="LdapTransport.None"/>) is rejected unless
|
/// <item>plaintext transport (<see cref="LdapTransport.None"/>) is rejected unless
|
||||||
/// <see cref="LdapOptions.AllowInsecure"/> is explicitly set (dev/test only);</item>
|
/// <see cref="LdapOptions.AllowInsecure"/> is explicitly set (dev/test only);</item>
|
||||||
@@ -27,6 +29,14 @@ public sealed class LdapOptionsValidator : IValidateOptions<LdapOptions>
|
|||||||
{
|
{
|
||||||
ArgumentNullException.ThrowIfNull(options);
|
ArgumentNullException.ThrowIfNull(options);
|
||||||
|
|
||||||
|
// When LDAP is disabled, its connection fields are inert — do not require them.
|
||||||
|
// A consumer that turns LDAP off should not have to supply a server/search-base/
|
||||||
|
// service-account just to satisfy startup validation.
|
||||||
|
if (!options.Enabled)
|
||||||
|
{
|
||||||
|
return ValidateOptionsResult.Success;
|
||||||
|
}
|
||||||
|
|
||||||
if (options.Transport == LdapTransport.None && !options.AllowInsecure)
|
if (options.Transport == LdapTransport.None && !options.AllowInsecure)
|
||||||
{
|
{
|
||||||
return ValidateOptionsResult.Fail(
|
return ValidateOptionsResult.Fail(
|
||||||
|
|||||||
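Review bot: The early `return ValidateOptionsResult.Success;` for `!options.Enabled` also bypasses the plaintext-transport check that follows it, so `Enabled` becomes the only gate between a blank or `LdapTransport.None` configuration and a real bind. Whether the login path refuses to run when `Enabled` is false is not visible here (the body of `Validate` and the rest of the class continue outside the hunk), so that should be confirmed before relying on the skip. I would state the invariant in the comment, for example `// Invariant: every bind/search path must check options.Enabled first; a disabled config is not validated.` If these options can be reloaded at runtime, it is also worth confirming that validation runs again when `Enabled` changes to true.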
@@ -72,4 +72,20 @@ public class LdapOptionsValidatorTests
|
|||||||
Assert.False(new LdapOptionsValidator()
|
Assert.False(new LdapOptionsValidator()
|
||||||
.Validate(null, Opts())
|
.Validate(null, Opts())
|
||||||
.Failed);
|
.Failed);
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public void Validator_Skips_AllChecks_WhenDisabled() =>
|
||||||
|
// When LDAP is disabled its connection fields are inert; an otherwise-invalid
|
||||||
|
// config (plaintext + blank Server/SearchBase/ServiceAccountDn) must still pass.
|
||||||
|
Assert.False(new LdapOptionsValidator()
|
||||||
|
.Validate(null, new LdapOptions
|
||||||
|
{
|
||||||
|
Enabled = false,
|
||||||
|
Transport = LdapTransport.None,
|
||||||
|
AllowInsecure = false,
|
||||||
|
Server = "",
|
||||||
|
SearchBase = "",
|
||||||
|
ServiceAccountDn = "",
|
||||||
|
})
|
||||||
|
.Failed);
|
||||||
}
|
}
|
||||||
|
|||||||
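Review bot: `Validator_Skips_AllChecks_WhenDisabled` pins only the disabled path; nothing in this hunk shows that the same initializer with `Enabled = true` is rejected, so a later change that widens the skip condition would not be caught here. A companion case that reuses the initializer with `Enabled = true` and asserts that `.Failed` is true would tie the bypass to the flag alone. Separately, `Assert.False(... .Failed)` also passes for a skipped result, and `Assert.True(... .Succeeded)` states the expectation more precisely. The test class starts outside the hunk, so existing tests may already cover part of this.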