* Tests for edge-cases for password / user_dn

Author: lukebakken

deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl

@@ -65,9 +65,17 @@ accept_content(ReqData0, Context) ->
                                 ok ->
                                     {true, ReqData1, Context};
                                 {error, invalidCredentials} ->
-                                    rabbit_mgmt_util:unprocessable_entity("Invalid LDAP credentials", ReqData1, Context);
+                                    rabbit_mgmt_util:unprocessable_entity("invalid LDAP credentials: "
+                                                                          "authentication failure",
+                                                                          ReqData1, Context);
                                 {error, unwillingToPerform} ->
-                                    rabbit_mgmt_util:unprocessable_entity("Invalid LDAP credentials", ReqData1, Context);
+                                    rabbit_mgmt_util:unprocessable_entity("invalid LDAP credentials: "
+                                                                          "authentication failure",
+                                                                          ReqData1, Context);
+                                {error, invalidDNSyntax} ->
+                                    rabbit_mgmt_util:unprocessable_entity("invalid LDAP credentials: "
+                                                                          "DN syntax invalid / too long",
+                                                                          ReqData1, Context);
                                 {error, E} ->
                                     Reason = unicode_format(E),
                                     rabbit_mgmt_util:unprocessable_entity(Reason, ReqData1, Context)

deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl

@@ -443,6 +443,65 @@ validate_ldap_configuration_via_api(Config) ->
             'servers' => ["not..a..valid..hostname"],
             'port' => LdapPort
         }, ?BAD_REQUEST),
+
+    %% Edge case credentials tests
+    %% Empty password - should be 422 (credential validation failure)
+    {ok, {{_, 422, _}, _Headers1, EmptyPasswordBody}} =
+        rabbit_mgmt_test_util:req(Config, 0, put, "/ldap/validate/simple-bind",
+                                  [rabbit_mgmt_test_util:auth_header("guest", "guest")],
+                                  rabbit_mgmt_test_util:format_for_upload(#{
+                                      'user_dn' => AliceUserDN,
+                                      'password' => "",
+                                      'servers' => ["localhost"],
+                                      'port' => LdapPort
+                                  })),
+    EmptyPasswordJson = rabbit_json:decode(EmptyPasswordBody),
+    ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, EmptyPasswordJson)),
+    ?assertEqual(<<"anonymous_auth">>, maps:get(<<"reason">>, EmptyPasswordJson)),
+
+    %% Empty user DN - should be 422 (credential validation failure)
+    {ok, {{_, 422, _}, _Headers2, EmptyUserDnBody}} =
+        rabbit_mgmt_test_util:req(Config, 0, put, "/ldap/validate/simple-bind",
+                                  [rabbit_mgmt_test_util:auth_header("guest", "guest")],
+                                  rabbit_mgmt_test_util:format_for_upload(#{
+                                      'user_dn' => "",
+                                      'password' => Password,
+                                      'servers' => ["localhost"],
+                                      'port' => LdapPort
+                                  })),
+    EmptyUserDnJson = rabbit_json:decode(EmptyUserDnBody),
+    ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, EmptyUserDnJson)),
+    ?assertEqual(<<"anonymous_auth">>, maps:get(<<"reason">>, EmptyUserDnJson)),
+
+    %% Very long user DN (test size limits)
+    {ok, {{_, 422, _}, _Headers3, LongUserDnBody}} =
+        rabbit_mgmt_test_util:req(Config, 0, put, "/ldap/validate/simple-bind",
+                                  [rabbit_mgmt_test_util:auth_header("guest", "guest")],
+                                  rabbit_mgmt_test_util:format_for_upload(#{
+                                      'user_dn' => binary:copy(<<"x">>, 10000),
+                                      'password' => Password,
+                                      'servers' => ["localhost"],
+                                      'port' => LdapPort
+                                  })),
+    LongUserDnJson = rabbit_json:decode(LongUserDnBody),
+    ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, LongUserDnJson)),
+    ?assertEqual(<<"invalid LDAP credentials: DN syntax invalid / too long">>,
+                 maps:get(<<"reason">>, LongUserDnJson)),
+
+    %% Very long password (test size limits)
+    {ok, {{_, 422, _}, _Headers4, LongPasswordBody}} =
+        rabbit_mgmt_test_util:req(Config, 0, put, "/ldap/validate/simple-bind",
+                                  [rabbit_mgmt_test_util:auth_header("guest", "guest")],
+                                  rabbit_mgmt_test_util:format_for_upload(#{
+                                      'user_dn' => AliceUserDN,
+                                      'password' => binary:copy(<<"x">>, 10000),
+                                      'servers' => ["localhost"],
+                                      'port' => LdapPort
+                                  })),
+    LongPasswordJson = rabbit_json:decode(LongPasswordBody),
+    ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, LongPasswordJson)),
+    ?assertEqual(<<"invalid LDAP credentials: authentication failure">>,
+                 maps:get(<<"reason">>, LongPasswordJson)),
     http_put(Config, "/ldap/validate/simple-bind",
         #{
             'user_dn' => AliceUserDN,