Enterprise Testing Environment - LDAP/LDAP Sync - Phase 1

Target release: Q2 2020

Epic: https://mattermost.atlassian.net/browse/MM-20777

Edition: N/A

Document status: 85%

OVERVIEW

Increasing automated testing is necessary to increase the effectiveness, efficiency and coverage of software testing. Currently, testing AD/LDAP and LDAP Sync is a manual process that occurs only during release and feature testing.

Creating reusable automated tests will make testing and supporting additional LDAP providers a much easier process. These tests will ensure a base level of supported functionality. As test coverage increases, supporting a new provider could be as simple as writing the test harness for the given provider. 

GOALS

  1. Define the testing architecture for Automated LDAP testing.

  2. Define the testing architecture for Automated LDAP Sync testing.

  3. Define the base set of required tests.

SCOPE

In scope:

  • Define a pluggable architecture to test LDAP Environment.

  • Define the base set of tests.

Not in scope:

  • Defining implementation details for specific providers.  

  • Define all tests and all potential data.

  • Define implementation details for all required tests.

SPECIFICATIONS

There are three different pieces of functionality to make this work.

  1. Architecture Definition

    1. Define test structure

    2. Define test data

    3. Define Test Providers

    4. Define base tests to be implemented

  2. Provider Creation and Setup

Architectural Definition

Test Structure

Similar to how the SAML Cypress tests are being put together, the LDAP and LDAP Sync tests should also allow for different providers to be plugged in and tested using the same tests.

File Locations -

../mattermost-webapp/e2e/cypress/integration/enterprise/ldap

  • openldap_login_spec.js - test file specific to a provider and test suite.

../mattermost-webapp/e2e/cypress/integration/support/

  • openldap_api_commands.js - TODO: These may actually need to be commands. OpenLDAP doesn’t seem to support an API but instead uses the `openldap` command.

  • ldap_login_test_commands.js - will contain the shared testing login. A single test may call one or many commands to complete the test.

Test Data

Two sets of test data already exist.

https://github.com/mattermost/mattermost-server/blob/master/tests/qa-data.ldif
https://github.com/mattermost/mattermost-server/blob/master/tests/test-data.ldif

The initial test base tests for this document will use -

Test Providers

Currently we use several different LDAP providers for different types of testing.

  • Unit tests use OpenLDAP in a local docker.

  • The LDAP Group Sync Manual tests use OpenLDAP running in AWS.

  • The AD/LDAP Manual Tests use LDAP installed in JumpCloud.

  • There is also an Active Directory AD/LDAP implementation that is used for manual testing.

Similar to SAML, we may want to test with multiple data providers. Currently, it appears we use OpenLDAP in a local docker for unit testing, OpenLDAP installed in spinmint for manual release testing of LDAP Group Sync, and an installation on JumpCloud for normal AD/LDAP testing.
Ideally we will use an Active Directory AD/LDAP implementation, since that is what most of our LDAP customers are using. However, changing from one provider to another should be as easy as changing the configuration settings.

Base Tests

AD/LDAP Tests

  • LDAP User Login - New user

  • LDAP User Login - Existing user

  • LDAP Guest Login - New user

  • LDAP Guest Login - Existing user

  • LDAP Guest User Promotion/Demotion

  • LDAP Admin Login - New user

  • LDAP Admin Login - Existing user

  • LDAP Admin User Promotion/Demotion

LDAP Group Sync

  • Adding Members

  • Removing Members

  • Removing link in group

  • Removing channels

LDAP Group Sync To Roles

  • Adding Team Role Permission

  • Promote/Demote Team Role Permission

  • Adding Channel Role Permission

  • Promote/Demote Channel Role Permission

The Group Sync and Group Sync to roles can be tested simultaneously if that makes more sense. (Which it probably does.)

Additional Tests (Future Phases)

In addition to the base tests above, eventually, all of the manual tests will be converted into Cypress Tests.

These tests can be further broken down as follows:

  • Pagination (Groups/Teams/Channels)

  • Members Leaving Teams

  • SAML / LDAP Combination Tests

  • Group Constrained Team / Channel

  • LDAP Group Edits

Required LDAP APIs

LDAP doesn’t provide a convenient API for modifying the users in the LDAP system. For OpenLDAP, command-line executables are provided (e.g. ldapadd, ldapmodify, ldapdelete). Updating the LDAP provider is beyond this set of functionality, although some investigation will be needed to determine how this can be implemented for future testing phases.
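
One way a future phase could drive the command-line tools above, as an added example (not Mattermost code): build the LDIF change records for the Group Sync "Adding Members" / "Removing Members" tests and pipe them to ldapmodify. The DNs, the uniqueMember attribute and the function names are assumptions; values that are not LDIF-safe are base64-encoded per RFC 2849 so that test data cannot break or extend a record.

```javascript
// Added example (not Mattermost code). Builds LDIF change records that a test
// harness could pipe to `ldapmodify`. The function names and the default
// `uniqueMember` attribute are assumptions; match them to the provider's schema.

// RFC 2849 SAFE-STRING: no NUL/CR/LF, no chars above 0x7F, and must not start
// with space, ':' or '<'. Values ending in a space are also base64-encoded.
function isSafeString(value) {
    if (value === '') return true;
    if (/^[ :<]/.test(value) || / $/.test(value)) return false;
    return /^[\x01-\x09\x0B\x0C\x0E-\x7F]*$/.test(value);
}

// Emit "attr: value", or "attr:: <base64>" when the value is not a SAFE-STRING.
function ldifLine(attr, value) {
    if (isSafeString(value)) return `${attr}: ${value}`;
    return `${attr}:: ${Buffer.from(value, 'utf8').toString('base64')}`;
}

// op is 'add' or 'delete'; memberDns is the list of user DNs to change.
function groupMemberChange(groupDn, op, memberDns, attr = 'uniqueMember') {
    if (op !== 'add' && op !== 'delete') throw new Error(`unsupported op: ${op}`);
    if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(attr)) throw new Error(`bad attribute: ${attr}`);
    if (memberDns.length === 0) throw new Error('no members given');
    return [
        ldifLine('dn', groupDn),
        'changetype: modify',
        `${op}: ${attr}`,
        ...memberDns.map((dn) => ldifLine(attr, dn)),
        '-',
        '', // blank line terminates the record
    ].join('\n');
}

// Constructed sample DNs, not taken from the Mattermost test data.
const sampleRecord = groupMemberChange(
    'cn=developers,ou=groups,dc=example,dc=org',
    'add',
    ['uid=dev.one,ou=users,dc=example,dc=org'],
);
```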