From b95b9a85972fdfcdb631a7da6ec41f563f9586c9 Mon Sep 17 00:00:00 2001
From: abhishek818
Date: Thu, 18 Jul 2024 13:17:36 +0530
Subject: [PATCH] rename ldap' cli flag 'host' to 'host-list' and fix tests (#6898)
Signed-off-by: abhishek818
---
 cmd/admin_auth_ldap.go | 12 +++---
 cmd/admin_auth_ldap_test.go | 46 +++++++++++-----------
 services/auth/source/ldap/README.md | 3 +-
 services/auth/source/ldap/source_search.go | 5 ++-
 4 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 1bef2f00da..dd435cc1c2 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -46,8 +46,8 @@ var (
 Usage: "Disable TLS verification.",
 },
 &cli.StringFlag{
- Name: "host",
- Usage: "The address where the LDAP server can be reached.",
+ Name: "host-list",
+ Usage: "List of addresses where the LDAP server(s) can be reached.",
 },
 &cli.IntFlag{
 Name: "port",
@@ -206,8 +206,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("name") {
 config.Name = c.String("name")
 }
- if c.IsSet("host") {
- config.HostList = c.String("hostlist")
+ if c.IsSet("host-list") {
+ config.HostList = c.String("host-list")
 }
 if c.IsSet("port") {
 config.Port = c.Int("port")
@@ -308,7 +308,7 @@ func (a *authService) getAuthSource(ctx context.Context, c *cli.Context, authTyp
 // addLdapBindDn adds a new LDAP via Bind DN authentication source.
 func (a *authService) addLdapBindDn(c *cli.Context) error {
- if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {
+ if err := argsSet(c, "name", "security-protocol", "host-list", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {
 return err
 }
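Review bot: Renaming the flag from `host` to `host-list` at @@ -46 drops the old spelling entirely, so any existing `admin auth add-ldap` / `update-ldap` invocation or script that passes `--host` now fails at the `argsSet` check with "host-list is not set" (the same applies to the addLdapSimpleAuth hunk at @@ -359). Keeping the old name as an alias on the flag avoids that break: `Aliases: []string{"host"},` next to `Name: "host-list",`. Whether `c.IsSet("host-list")` in parseLdapConfig and in argsSet then also accepts `--host` depends on the vendored cli version's alias handling, so it should be confirmed with a test case that passes `--host`. A short deprecation mention in the Usage string would also help operators migrate their scripts.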
@@ -359,7 +359,7 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error {
 // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
 func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
- if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {
+ if err := argsSet(c, "name", "security-protocol", "host-list", "port", "user-dn", "user-filter", "email-attribute"); err != nil {
 return err
 }
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index e987782e61..0539a15e4c 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -34,7 +34,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "--not-active",
 "--security-protocol", "ldaps",
 "--skip-tls-verify",
- "--host", "ldap-bind-server full",
+ "--host-list", "ldap-bind-server full",
 "--port", "9876",
 "--user-search-base", "ou=Users,dc=full-domain-bind,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
@@ -87,7 +87,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "ldap-test",
 "--name", "ldap (via Bind DN) source min",
 "--security-protocol", "unencrypted",
- "--host", "ldap-bind-server min",
+ "--host-list", "ldap-bind-server min",
 "--port", "1234",
 "--user-search-base", "ou=Users,dc=min-domain-bind,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)",
@@ -115,7 +115,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "ldap-test",
 "--name", "ldap (via Bind DN) source",
 "--security-protocol", "zzzzz",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "1234",
 "--user-search-base", "ou=Users,dc=domain,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
@@ -128,7 +128,7 @@ func TestAddLdapBindDn(t *testing.T) {
 args: []string{
 "ldap-test",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "1234",
 "--user-search-base", "ou=Users,dc=domain,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
@@ -141,7 +141,7 @@ func TestAddLdapBindDn(t *testing.T) {
 args: []string{
 "ldap-test",
 "--name", "ldap (via Bind DN) source",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "1234",
 "--user-search-base", "ou=Users,dc=domain,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
@@ -160,7 +160,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
 "--email-attribute", "mail",
 },
- errMsg: "host is not set",
+ errMsg: "host-list is not set",
 },
 // case 6
 {
@@ -168,7 +168,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "ldap-test",
 "--name", "ldap (via Bind DN) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--user-search-base", "ou=Users,dc=domain,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
 "--email-attribute", "mail",
@@ -181,7 +181,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "ldap-test",
 "--name", "ldap (via Bind DN) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "1234",
 "--user-search-base", "ou=Users,dc=domain,dc=org",
 "--email-attribute", "mail",
@@ -194,7 +194,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "ldap-test",
 "--name", "ldap (via Bind DN) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "1234",
 "--user-search-base", "ou=Users,dc=domain,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)",
@@ -260,7 +260,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "--not-active",
 "--security-protocol", "starttls",
 "--skip-tls-verify",
- "--host", "ldap-simple-server full",
+ "--host-list", "ldap-simple-server full",
 "--port", "987",
 "--user-search-base", "ou=Users,dc=full-domain-simple,dc=org",
 "--user-filter", "(&(objectClass=posixAccount)(full-simple-cn=%s))",
@@ -305,7 +305,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "ldap-test",
 "--name", "ldap (simple auth) source min",
 "--security-protocol", "unencrypted",
- "--host", "ldap-simple-server min",
+ "--host-list", "ldap-simple-server min",
 "--port", "123",
 "--user-filter", "(&(objectClass=posixAccount)(min-simple-cn=%s))",
 "--email-attribute", "mail-simple min",
@@ -333,7 +333,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "ldap-test",
 "--name", "ldap (simple auth) source",
 "--security-protocol", "zzzzz",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "123",
 "--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 "--email-attribute", "mail",
@@ -346,7 +346,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 args: []string{
 "ldap-test",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "123",
 "--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 "--email-attribute", "mail",
@@ -359,7 +359,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 args: []string{
 "ldap-test",
 "--name", "ldap (simple auth) source",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "123",
 "--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 "--email-attribute", "mail",
@@ -378,7 +378,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "--email-attribute", "mail",
 "--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",
 },
- errMsg: "host is not set",
+ errMsg: "host-list is not set",
 },
 // case 6
 {
@@ -386,7 +386,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "ldap-test",
 "--name", "ldap (simple auth) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 "--email-attribute", "mail",
 "--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",
@@ -399,7 +399,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "ldap-test",
 "--name", "ldap (simple auth) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "123",
 "--email-attribute", "mail",
 "--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",
@@ -412,7 +412,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "ldap-test",
 "--name", "ldap (simple auth) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "123",
 "--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 "--user-dn", "cn=%s,ou=Users,dc=domain,dc=org",
@@ -425,7 +425,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "ldap-test",
 "--name", "ldap (simple auth) source",
 "--security-protocol", "unencrypted",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 "--port", "123",
 "--user-filter", "(&(objectClass=posixAccount)(cn=%s))",
 "--email-attribute", "mail",
@@ -494,7 +494,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 "--not-active",
 "--security-protocol", "LDAPS",
 "--skip-tls-verify",
- "--host", "ldap-bind-server full",
+ "--host-list", "ldap-bind-server full",
 "--port", "9876",
 "--user-search-base", "ou=Users,dc=full-domain-bind,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
@@ -625,7 +625,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 args: []string{
 "ldap-test",
 "--id", "1",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 },
 authSource: &auth.Source{
 Type: auth.LDAP,
@@ -957,7 +957,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 "--not-active",
 "--security-protocol", "starttls",
 "--skip-tls-verify",
- "--host", "ldap-simple-server full",
+ "--host-list", "ldap-simple-server full",
 "--port", "987",
 "--user-search-base", "ou=Users,dc=full-domain-simple,dc=org",
 "--user-filter", "(&(objectClass=posixAccount)(full-simple-cn=%s))",
@@ -1073,7 +1073,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 args: []string{
 "ldap-test",
 "--id", "1",
- "--host", "ldap-server",
+ "--host-list", "ldap-server",
 },
 authSource: &auth.Source{
 Type: auth.DLDAP,
diff --git a/services/auth/source/ldap/README.md b/services/auth/source/ldap/README.md
index 34c811703f..ec09eee05d 100644
--- a/services/auth/source/ldap/README.md
+++ b/services/auth/source/ldap/README.md
@@ -32,8 +32,9 @@ share the following fields:
 * A name to assign to the new method of authorization.
 * Host **(required)**
- * The address where the LDAP server can be reached.
+ * The list of addresses where the LDAP server(s) can be reached.
 * Example: mydomain.com
+ * Example (with multiple server hosts): mydomain.com, myotherdomain.com, mytempdomain.com
 * Port **(required)**
 * The port to use when connecting to the server.
diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index 9b899e7eb9..40016ed271 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -113,8 +113,11 @@ func dial(source *Source) (*ldap.Conn, error) {
 log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", source.SecurityProtocol, source.SkipVerify)
 ldap.DefaultTimeout = time.Second * 15
+ // Remove any extra spaces in HostList string
+ tempHostList := strings.ReplaceAll(source.HostList, " ", "")
 // HostList is a list of hosts separated by commas
- hostList := strings.Split(source.HostList, ",")
+ hostList := strings.Split(tempHostList, ",")
+ // hostList := strings.Split(source.HostList, ",")
 for _, host := range hostList {
 tlsConfig := &tls.Config{
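Review bot: `strings.ReplaceAll(source.HostList, " ", "")` only strips ASCII spaces and still lets an empty element through (a trailing comma, or `a,,b`), and the commented-out `// hostList := strings.Split(source.HostList, ",")` added below it is dead code that should be removed rather than kept. Trimming each entry after the split and skipping empty ones covers both: an empty host would otherwise be carried into the per-host loop, and if that loop (which is outside this hunk) joins it with the port, the dial target is no longer the configured server. `dial` starts before and continues past this hunk. Alternatively the normalisation could be done once in parseLdapConfig when the value is stored, so the persisted HostList is already clean and dial does not have to repeat it.
```go
	ldap.DefaultTimeout = time.Second * 15
	// HostList is a list of hosts separated by commas; trim whitespace around
	// each entry and skip empty ones so a stray comma never yields "" as a host.
	var hostList []string
	for _, h := range strings.Split(source.HostList, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hostList = append(hostList, h)
		}
	}
	for _, host := range hostList {
	// … unchanged: per-host TLS config and dial …
```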