include unboundid ldap in integration tests

drewmullen · drewmullen · commit fdcd4a7f7035 · 2026-01-05T14:08:05.000-05:00
Signed-off-by: Drew Mullen &lt;drew.mullen@hashicorp.com&gt;
diff --git a/spring-cloud-vault-config-ldap/pom.xml b/spring-cloud-vault-config-ldap/pom.xml
@@ -49,6 +49,12 @@
 			<scope>test</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>com.unboundid</groupId>
+			<artifactId>unboundid-ldapsdk</artifactId>
+			<scope>test</scope>
+		</dependency>
+
 	</dependencies>
 
 </project>
diff --git a/spring-cloud-vault-config-ldap/src/test/java/org/springframework/cloud/vault/config/ldap/LdapSecretIntegrationTests.java b/spring-cloud-vault-config-ldap/src/test/java/org/springframework/cloud/vault/config/ldap/LdapSecretIntegrationTests.java
@@ -16,64 +16,87 @@
 
 package org.springframework.cloud.vault.config.ldap;
 
+import java.util.HashMap;
 import java.util.Map;
 
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
 
 import org.springframework.cloud.vault.config.VaultConfigOperations;
 import org.springframework.cloud.vault.config.VaultConfigTemplate;
 import org.springframework.cloud.vault.config.VaultProperties;
 import org.springframework.cloud.vault.config.ldap.VaultConfigLdapBootstrapConfiguration.LdapSecretBackendMetadataFactory;
 import org.springframework.cloud.vault.util.IntegrationTestSupport;
 import org.springframework.cloud.vault.util.Settings;
+import org.springframework.vault.core.VaultOperations;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
- * Integration tests for {@link VaultConfigTemplate} using the LDAP secret engine. These
- * tests require a running LDAP instance and properly configured Vault LDAP secret engine.
- * <p>
- * Note: This test will be skipped if the LDAP secret engine is not available or not
- * configured in Vault.
+ * Integration tests for {@link VaultConfigTemplate} using the LDAP secret engine with an
+ * in-memory UnboundID LDAP server.
  *
  * @author Drew Mullen
  */
-@Disabled
 public class LdapSecretIntegrationTests extends IntegrationTestSupport {
 
+	@RegisterExtension
+	public static final LdapServerExtension ldapServer = new LdapServerExtension();
+
 	private VaultProperties vaultProperties = Settings.createVaultProperties();
 
 	private VaultConfigOperations configOperations;
 
 	private VaultLdapProperties ldapProperties = new VaultLdapProperties();
 
 	/**
-	 * Initialize the LDAP secret engine configuration. Tests will be skipped if the LDAP
-	 * secret engine is not available.
+	 * Initialize the LDAP secret engine configuration with the in-memory LDAP server.
 	 */
 	@BeforeEach
 	public void setUp() {
-		// Skip tests if LDAP secret engine is not mounted/available
-		assumeTrue(isLdapSecretEngineAvailable(), "LDAP secret engine is not available or configured");
-
 		this.ldapProperties.setEnabled(true);
 		this.ldapProperties.setBackend("ldap");
 
-		this.configOperations = new VaultConfigTemplate(this.vaultRule.prepare().getVaultOperations(),
-				this.vaultProperties);
+		VaultOperations vaultOperations = this.vaultRule.prepare().getVaultOperations();
+
+		// Mount the LDAP secret engine if not already mounted
+		if (!prepare().hasSecretBackend(this.ldapProperties.getBackend())) {
+			prepare().mountSecret(this.ldapProperties.getBackend());
+		}
+
+		// Configure Vault LDAP backend to connect to the in-memory LDAP server
+		Map<String, Object> ldapConfig = new HashMap<>();
+		ldapConfig.put("binddn", "uid=vault-admin,ou=people," + ldapServer.getBaseDn());
+		ldapConfig.put("bindpass", "vault-admin-password");
+		ldapConfig.put("url", ldapServer.getLdapUrl());
+		ldapConfig.put("userdn", "ou=people," + ldapServer.getBaseDn());
+
+		vaultOperations.write(String.format("%s/config", this.ldapProperties.getBackend()), ldapConfig);
+
+		this.configOperations = new VaultConfigTemplate(vaultOperations, this.vaultProperties);
 	}
 
 	/**
-	 * Test for dynamic role credential retrieval. This test requires a configured dynamic
-	 * role in Vault's LDAP secret engine.
+	 * Test for dynamic role credential retrieval.
 	 */
 	@Test
 	public void shouldCreateDynamicCredentialsCorrectly() {
-		// This test requires a pre-configured dynamic role named "dynamic-role" in Vault
-		assumeTrue(isDynamicRoleAvailable("dynamic-role"), "Dynamic role 'dynamic-role' is not configured");
+		VaultOperations vaultOperations = this.vaultRule.prepare().getVaultOperations();
+
+		// Configure a dynamic role
+		Map<String, Object> dynamicRoleConfig = new HashMap<>();
+		dynamicRoleConfig.put("creation_ldif",
+				"dn: cn={{.Username}},ou=people," + ldapServer.getBaseDn() + "\n" + "objectClass: person\n"
+						+ "objectClass: top\n" + "cn: {{.Username}}\n" + "sn: {{.Username}}\n"
+						+ "userPassword: {{.Password}}");
+		dynamicRoleConfig.put("deletion_ldif",
+				"dn: cn={{.Username}},ou=people," + ldapServer.getBaseDn() + "\nchangetype: delete");
+		dynamicRoleConfig.put("default_ttl", "1h");
+		dynamicRoleConfig.put("max_ttl", "24h");
+
+		vaultOperations.write(String.format("%s/role/dynamic-role", this.ldapProperties.getBackend()),
+				dynamicRoleConfig);
 
 		this.ldapProperties.setRole("dynamic-role");
 		this.ldapProperties.setStaticRole(false);
@@ -86,13 +109,20 @@ public void shouldCreateDynamicCredentialsCorrectly() {
 	}
 
 	/**
-	 * Test for static role credential retrieval. This test requires a configured static
-	 * role in Vault's LDAP secret engine.
+	 * Test for static role credential retrieval.
 	 */
 	@Test
 	public void shouldCreateStaticCredentialsCorrectly() {
-		// This test requires a pre-configured static role named "static-role" in Vault
-		assumeTrue(isStaticRoleAvailable("static-role"), "Static role 'static-role' is not configured");
+		VaultOperations vaultOperations = this.vaultRule.prepare().getVaultOperations();
+
+		// Configure a static role
+		Map<String, Object> staticRoleConfig = new HashMap<>();
+		staticRoleConfig.put("dn", "uid=static-user,ou=people," + ldapServer.getBaseDn());
+		staticRoleConfig.put("username", "static-user");
+		staticRoleConfig.put("rotation_period", "24h");
+
+		vaultOperations.write(String.format("%s/static-role/static-role", this.ldapProperties.getBackend()),
+				staticRoleConfig);
 
 		this.ldapProperties.setRole("static-role");
 		this.ldapProperties.setStaticRole(true);
@@ -104,44 +134,4 @@ public void shouldCreateStaticCredentialsCorrectly() {
 		assertThat(secretProperties).containsKeys("spring.ldap.username", "spring.ldap.password");
 	}
 
-	/**
-	 * Check if the LDAP secret engine is available in Vault. This can be determined by
-	 * attempting to read the LDAP config endpoint.
-	 */
-	private boolean isLdapSecretEngineAvailable() {
-		try {
-			this.vaultRule.prepare().getVaultOperations().read("ldap/config");
-			return true;
-		}
-		catch (Exception e) {
-			return false;
-		}
-	}
-
-	/**
-	 * Check if a dynamic role exists in Vault.
-	 */
-	private boolean isDynamicRoleAvailable(String roleName) {
-		try {
-			this.vaultRule.prepare().getVaultOperations().read("ldap/role/" + roleName);
-			return true;
-		}
-		catch (Exception e) {
-			return false;
-		}
-	}
-
-	/**
-	 * Check if a static role exists in Vault.
-	 */
-	private boolean isStaticRoleAvailable(String roleName) {
-		try {
-			this.vaultRule.prepare().getVaultOperations().read("ldap/static-role/" + roleName);
-			return true;
-		}
-		catch (Exception e) {
-			return false;
-		}
-	}
-
 }
diff --git a/spring-cloud-vault-config-ldap/src/test/java/org/springframework/cloud/vault/config/ldap/LdapServerExtension.java b/spring-cloud-vault-config-ldap/src/test/java/org/springframework/cloud/vault/config/ldap/LdapServerExtension.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright 2016-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.vault.config.ldap;
+
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import org.junit.jupiter.api.extension.AfterAllCallback;
+import org.junit.jupiter.api.extension.BeforeAllCallback;
+import org.junit.jupiter.api.extension.ExtensionContext;
+
+/**
+ * JUnit 5 extension for managing an in-memory UnboundID LDAP server for testing.
+ *
+ * @author Drew Mullen
+ */
+public class LdapServerExtension implements BeforeAllCallback, AfterAllCallback {
+
+	private InMemoryDirectoryServer ldapServer;
+
+	private int ldapPort = 10389;
+
+	private String baseDn = "dc=springframework,dc=org";
+
+	@Override
+	public void beforeAll(ExtensionContext context) throws Exception {
+		InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(this.baseDn);
+
+		// Configure the listener with the specific port
+		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", this.ldapPort));
+
+		// Create the LDAP server
+		this.ldapServer = new InMemoryDirectoryServer(config);
+
+		// Add base entries
+		this.ldapServer.add("dn: " + this.baseDn, "objectClass: top", "objectClass: domain", "dc: springframework");
+
+		this.ldapServer.add("dn: ou=people," + this.baseDn, "objectClass: organizationalUnit", "ou: people");
+
+		// Add test users for static and dynamic role testing
+		this.ldapServer.add("dn: uid=static-user,ou=people," + this.baseDn, "objectClass: inetOrgPerson",
+				"objectClass: organizationalPerson", "objectClass: person", "objectClass: top", "cn: Static User",
+				"sn: User", "uid: static-user", "userPassword: initial-password");
+
+		this.ldapServer.add("dn: uid=vault-admin,ou=people," + this.baseDn, "objectClass: inetOrgPerson",
+				"objectClass: organizationalPerson", "objectClass: person", "objectClass: top", "cn: Vault Admin",
+				"sn: Admin", "uid: vault-admin", "userPassword: vault-admin-password");
+
+		// Start the server
+		this.ldapServer.startListening();
+	}
+
+	@Override
+	public void afterAll(ExtensionContext context) {
+		if (this.ldapServer != null) {
+			this.ldapServer.shutDown(true);
+		}
+	}
+
+	public int getLdapPort() {
+		return this.ldapPort;
+	}
+
+	public String getBaseDn() {
+		return this.baseDn;
+	}
+
+	public String getLdapUrl() {
+		return "ldap://localhost:" + this.ldapPort;
+	}
+
+	public InMemoryDirectoryServer getLdapServer() {
+		return this.ldapServer;
+	}
+
+}
