check for case sensitivity at delete for user and group paths, modify… (#29922)

* check for case sensitivity at delete for user and group paths, modify tests to cover proper deletions * add changelog
2026-02-18 18:38:08 -05:00 · 2025-03-14 12:14:33 -04:00 · 2025-03-14 12:14:33 -04:00 · fb6c833eb5
commit fb6c833eb5
parent 1802204dec
4 changed files with 96 additions and 24 deletions
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@ -155,28 +155,6 @@ func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
 	ctx := context.Background()

 	testVals := func(caseSensitive bool) {
-		// Clear storage
-		userList, err := storage.List(ctx, "user/")
-		if err != nil {
-			t.Fatal(err)
-		}
-		for _, user := range userList {
-			err = storage.Delete(ctx, "user/"+user)
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-		groupList, err := storage.List(ctx, "group/")
-		if err != nil {
-			t.Fatal(err)
-		}
-		for _, group := range groupList {
-			err = storage.Delete(ctx, "group/"+group)
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-
 		configReq := &logical.Request{
 			Path:      "config",
 			Operation: logical.ReadOperation,
@ -284,6 +262,71 @@ func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
 		if !reflect.DeepEqual(expected, resp.Auth.Policies) {
 			t.Fatalf("bad: policies: expected: %q, actual: %q", expected, resp.Auth.Policies)
 		}
+
+		// Test proper deletion of users
+		userReqDel := &logical.Request{
+			Operation: logical.DeleteOperation,
+			Data: map[string]interface{}{
+				"groups":   "EngineerS",
+				"policies": "userpolicy",
+			},
+			Path:    "users/hermeS conRad",
+			Storage: storage,
+		}
+		resp, err = b.HandleRequest(ctx, userReqDel)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+		if caseSensitive {
+			// The online test server is actually case sensitive so we need to
+			// delete again so it works
+			userReq = &logical.Request{
+				Operation: logical.DeleteOperation,
+				Data: map[string]interface{}{
+					"groups":   "EngineerS",
+					"policies": "userpolicy",
+				},
+				Path:       "users/Hermes Conrad",
+				Storage:    storage,
+				Connection: &logical.Connection{},
+			}
+			resp, err = b.HandleRequest(ctx, userReq)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("err:%v resp:%#v", err, resp)
+			}
+		}
+
+		// Expect storage for user path to be cleared
+		userList, err := storage.List(ctx, "user/")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if userList != nil {
+			t.Fatalf("deletion of users failed")
+		}
+
+		// Test proper deletion of groups
+		groupReqDel := &logical.Request{
+			Operation: logical.DeleteOperation,
+			Data: map[string]interface{}{
+				"policies": "grouppolicy",
+			},
+			Path:    "groups/EngineerS",
+			Storage: storage,
+		}
+		resp, err = b.HandleRequest(ctx, groupReqDel)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%v resp:%#v", err, resp)
+		}
+
+		// Expect storage for group path to be cleared
+		groupList, err := storage.List(ctx, "group/")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if groupList != nil {
+			t.Fatalf("deletion of groups failed")
+		}
 	}

 	cleanup, cfg := ldap.PrepareTestContainer(t, "master")
--- a/builtin/credential/ldap/path_groups.go
+++ b/builtin/credential/ldap/path_groups.go
@ -87,7 +87,20 @@ func (b *backend) Group(ctx context.Context, s logical.Storage, n string) (*Grou
 }

 func (b *backend) pathGroupDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	err := req.Storage.Delete(ctx, "group/"+d.Get("name").(string))
+	groupname := d.Get("name").(string)
+
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("ldap backend not configured"), nil
+	}
+	if !*cfg.CaseSensitiveNames {
+		groupname = strings.ToLower(groupname)
+	}
+
+	err = req.Storage.Delete(ctx, "group/"+groupname)
 	if err != nil {
 		return nil, err
 	}
--- a/builtin/credential/ldap/path_users.go
+++ b/builtin/credential/ldap/path_users.go
@ -96,7 +96,20 @@ func (b *backend) User(ctx context.Context, s logical.Storage, n string) (*UserE
 }

 func (b *backend) pathUserDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	err := req.Storage.Delete(ctx, "user/"+d.Get("name").(string))
+	username := d.Get("name").(string)
+
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("ldap backend not configured"), nil
+	}
+	if !*cfg.CaseSensitiveNames {
+		username = strings.ToLower(username)
+	}
+
+	err = req.Storage.Delete(ctx, "user/"+username)
 	if err != nil {
 		return nil, err
 	}
--- a/changelog/29922.txt
+++ b/changelog/29922.txt
@ -0,0 +1,3 @@
+```release-note:bug
+auth/ldap: Fix a bug that does not properly delete users and groups by first converting their names to lowercase when case senstivity option is off.
+```