Enterprise Testing Environment - LDAP/LDAP Sync - Phase 1
OVERVIEW
Increasing automated testing is necessary in order to increase the effectiveness, efficiency and coverage of software testing. Currently, testing AD/LDAP and LDAP Sync is a manual process that only occurs during release and feature testing.
Creating reusable automated tests will make testing and supporting additional LDAP providers a much easier process. These tests will ensure a base level of supported functionality. As test coverage increases, supporting a new provider could be as simple as writing the test harness for the given provider.
GOALS
Define the testing architecture for Automated LDAP testing.
Define the testing architecture for Automated LDAP Sync testing.
Define the base set of required tests.
SCOPE
In scope:
Define a pluggable architecture to test LDAP Environment.
Define base set of tests.
Not in scope:
Defining implementation details for specific providers.
Define all tests and all potential data.
Define implementation details for all required tests.
SPECIFICATIONS
There are three different pieces of functionality to make this work.
Architecture Definition
Define test structure
Define test data
Define Test Providers
Define base tests to be implemented
Provider Creation and Setup
Architectural Definition
Test Structure
Similar to how the SAML Cypress tests are being put together, the LDAP and LDAP Sync tests should also allow for different providers to be plugged in and tested using the same tests.
File Locations -
../mattermost-webapp/e2e/cypress/integration/enterprise/ldap
openldap_login_spec.js - test file specific to a provider and test suite.
../mattermost-webapp/e2e/cypress/integration/support/
openldap_api_commands.js - TODO: These may actually need to be commands. OpenLDAP doesn’t seem to support an API but instead uses the `openldap` command.
ldap_login_test_commands.js - will contain the shared testing login. A single test may call one or many commands to complete the test.
Test Data
Two sets of test data already exist:
https://github.com/mattermost/mattermost-server/blob/master/tests/qa-data.ldif
https://github.com/mattermost/mattermost-server/blob/master/tests/test-data.ldif
The initial base tests for this document will use -
Test Providers
Currently we use several different LDAP providers for different types of testing.
Unit tests use OpenLDAP in a local docker.
The LDAP Group Sync Manual tests use OpenLDAP running in AWS.
The AD/LDAP Manual Tests use LDAP installed in JumpCloud.
There is also an Active Directory AD/LDAP implementation that is used for manual testing.
Similar to SAML, we may want to test with multiple data providers. Currently, it appears we use OpenLDAP in a local docker for unit testing, OpenLDAP installed in spinmint for manual release testing of LDAP Group Sync, and an installation on JumpCloud for normal AD/LDAP testing.
Ideally we will use an Active Directory AD/LDAP implementation, since that is what most of our LDAP customers are using. However, changing from one provider to another should be as easy as changing the configuration settings.
Base Tests
AD/LDAP Tests
LDAP User Login - New user
LDAP User Login - Existing user
LDAP Guest Login - New user
LDAP Guest Login - Existing user
LDAP Guest User Promotion/Demotion
LDAP Admin Login - New user
LDAP Admin Login - Existing user
LDAP Admin User Promotion/Demotion
LDAP Group Sync
Adding Members
Removing Members
Removing link in group
Removing channels
LDAP Group Sync To Roles
Adding Team Role Permission
Promote/Demote Team Role Permission
Adding Channel Role Permission
Promote/Demote Channel Role Permission
The Group Sync and Group Sync to roles can be tested simultaneously if that makes more sense. (Which it probably does.)
Additional Tests (Future Phases)
In addition to the base tests above, eventually, all of the manual tests will be converted into Cypress Tests.
These tests can be further broken down as follows:
Pagination (Groups/Teams/Channels)
Members Leaving Teams
SAML / LDAP Combination Tests
Group Constrained Team / Channel
LDAP Group Edits
Required LDAP APIs
LDAP doesn’t provide a nice API for modifying the users in the LDAP system. For OpenLDAP, command-line executables are provided (i.e., ldapadd, ldapmodify, ldapdelete). Updating the LDAP provider is beyond this set of functionality, although some investigation will need to be done to determine how this can be implemented for future testing phases.
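As a starting point for that investigation, a provider harness could generate LDIF change records for the Group Sync "Adding Members" and "Removing Members" tests and pass them to ldapmodify. The following is an added example, not code from the Mattermost repository; the function names, the uniqueMember default and the sample DNs are assumptions constructed for illustration.

```javascript
// Added example (not Mattermost code). Builds LDIF change records that a
// provider harness could pass to ldapmodify on standard input.

// RFC 2849 SAFE-STRING: no NUL/CR/LF or non-ASCII anywhere, and no leading
// space, ':' or '<'. Anything else must be written as "attr:: <base64>".
const SAFE_STRING =
  /^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*$/;

function ldifLine(attr, value) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(attr)) {
    throw new Error(`invalid attribute name: ${JSON.stringify(attr)}`);
  }
  if (typeof value !== 'string' || value === '') {
    throw new Error(`empty value for ${attr}`);
  }
  // A trailing space is legal in SAFE-STRING but easily lost, so encode it too.
  if (SAFE_STRING.test(value) && !value.endsWith(' ')) {
    return `${attr}: ${value}`;
  }
  // Base64 keeps embedded newlines from starting a second LDIF line.
  return `${attr}:: ${Buffer.from(value, 'utf8').toString('base64')}`;
}

// op is 'add' or 'delete'; memberAttr defaults to uniqueMember (assumption:
// the directory models groups as groupOfUniqueNames).
function groupMemberChange(groupDn, op, memberDns, memberAttr = 'uniqueMember') {
  if (op !== 'add' && op !== 'delete') {
    throw new Error(`unsupported operation: ${op}`);
  }
  if (!Array.isArray(memberDns) || memberDns.length === 0) {
    throw new Error('at least one member DN is required');
  }
  const members = memberDns.map((dn) => ldifLine(memberAttr, dn));
  return [
    ldifLine('dn', groupDn),
    'changetype: modify',
    `${op}: ${memberAttr}`,
    ...members,
    '-',
    '',
  ].join('\n');
}

// Constructed sample DNs, for illustration only.
const GROUP = 'cn=developers,ou=testgroups,dc=example,dc=test';
const USER = 'uid=dev.one,ou=testusers,dc=example,dc=test';
console.log(groupMemberChange(GROUP, 'add', [USER]));
```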