[PM-13008] Add ldap integration tests #637

Merged
merged 39 commits into from
Oct 13, 2024
@eliykat eliykat commented Oct 2, 2024

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-13008

See the parent ticket https://bitwarden.atlassian.net/browse/PM-13007 for additional context.

📔 Objective

Add integration tests for LdapDirectoryService.

We don't have any integration tests for our directory services, so this was a bit of trial and error, and is open to feedback about the best way to structure these.

The tests use jest because I still needed a test runner and I wanted to isolate LdapDirectoryService from the rest of the app and from the Bitwarden server. The integration is purely between our directory service implementation and the external directory service, which to me is the "here be dragons" part of our code at the moment.

This PR uses the OpenLdap docker image that we already recommend for local development. That's ideal because we can spin it up with seed data on demand. Additional integration tests will probably involve actual third party cloud services or Azure VMs which will require more investigation and setup.

Once this is merged I can remove the OpenLdap configuration from the server repository and update the contributing docs. It really belongs with this repo.

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

codecov bot commented Oct 2, 2024

Codecov Report

Attention: Patch coverage is 20.68966% with 69 lines in your changes missing coverage. Please review.

Project coverage is 8.86%. Comparing base (1931a7f) to head (35c194c).
Report is 2 commits behind head on main.

✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...ervices/ldap-directory.service.integration.spec.ts | 0.00% | 64 Missing ⚠️ |
| src/models/groupEntry.ts | 73.33% | 4 Missing ⚠️ |
| src/models/userEntry.ts | 87.50% | 1 Missing ⚠️ |

Additional details and impacted files
@@           Coverage Diff            @@
##            main    #637      +/-   ##
========================================
+ Coverage   2.29%   8.86%   +6.57%     
========================================
  Files         59      60       +1     
  Lines       2573    2661      +88     
  Branches     467     475       +8     
========================================
+ Hits          59     236     +177     
+ Misses      2511    2402     -109     
- Partials       3      23      +20     

github-actions bot commented Oct 2, 2024

Checkmarx One – Scan Summary & Details: 59cd89dc-41e9-410c-870c-a3fe80b07298

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | Passwords And Secrets - Generic Password | /docker-compose.yml: 7 | Query to find passwords and secrets in infrastructure code. |
| MEDIUM | Container Capabilities Unrestricted | /docker-compose.yml: 2 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 16 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 2 | Check containers periodically to see if they are running properly. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 2 | Attribute 'security_opt' should be defined. |
| LOW | Client_DOM_Open_Redirect | /jslib/common/src/misc/iframe_component.ts: 49 | Attack Vector |
| LOW | Client_DOM_Open_Redirect | /jslib/common/src/misc/webauthn_iframe.ts: 25 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /src/services/ldap-directory.service.integration.spec.ts: 175 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 76 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 70 | Attack Vector |

Fixed Issues

| Severity | Issue | Source File / Package |
|---|---|---|
| MEDIUM | Client_Privacy_Violation | /jslib/angular/src/components/icon.component.ts: 28 |
| MEDIUM | Client_Privacy_Violation | /jslib/angular/src/components/icon.component.ts: 29 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 297 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 298 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 553 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 554 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 410 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 411 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 190 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 191 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 76 |
| LOW | Use_Of_Hardcoded_Password | /jslib/common/spec/domain/cipher.spec.ts: 70 |
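
One way to address the five /docker-compose.yml findings in the scan above, as an added example that is not the project's compose file. The service name, image tag, ports, variable names and healthcheck command are assumptions based on the bitnami/openldap image mentioned later in this thread, and the "weak form" lines in the comments are constructed for contrast.

```yaml
# Added example, not the project's docker-compose.yml. Service name, image tag,
# ports and variable names are assumptions for illustration.
services:
  open-ldap:
    image: bitnami/openldap:latest   # assumption; pin a tag or digest in practice
    environment:
      LDAP_ROOT: dc=example,dc=org
      LDAP_ADMIN_USERNAME: admin
      # Generic Password: weak form is a literal, e.g. LDAP_ADMIN_PASSWORD: admin
      # Corrected: interpolate from the shell or an untracked .env; fail if unset.
      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:?set LDAP_ADMIN_PASSWORD}
    ports:
      # Container Traffic Not Bound To Host Interface: weak form is "1389:1389",
      # which publishes on every host interface. Corrected: loopback only.
      - "127.0.0.1:1389:1389"   # ldap and StartTLS
      - "127.0.0.1:1636:1636"   # ldaps
    # Container Capabilities Unrestricted: weak form omits cap_drop.
    # Assumption: the image runs as non-root on unprivileged ports, so it
    # needs no Linux capabilities.
    cap_drop:
      - ALL
    # Security Opt Not Set: stop processes gaining privileges via setuid binaries.
    security_opt:
      - no-new-privileges:true
    # Healthcheck Not Set: anonymous bind against the local listener.
    # Assumption: ldapwhoami is on PATH inside the image.
    healthcheck:
      test: ["CMD", "ldapwhoami", "-x", "-H", "ldap://localhost:1389"]
      interval: 10s
      timeout: 5s
      retries: 5
```

With the healthcheck in place, `docker compose up --wait` returns only once the directory reports healthy, so the integration tests do not race the server start.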

Testing based on last modified date is probably too difficult to scale
once we start using cloud directory services

Member Author

The toJSON/fromJSON methods were added as helpers to instantiate the fixture data. It's maybe a bit weird to add this to runtime code, but the Jsonify type is based on the toJSON return type, so it was the tidiest and least verbose way to add type safety and factory methods to the fixture data.

beforeEach(() => {
logService = mock();
i18nService = mock();
stateService = mock();

Member Author

Future refactor: it would be good to remove stateService from the directory service implementations and pass in their config as arguments instead.

@eliykat eliykat marked this pull request as ready for review October 2, 2024 02:07
@eliykat eliykat requested a review from a team as a code owner October 2, 2024 02:07
@@ -0,0 +1 @@
COMPOSE_PROJECT_NAME=directory-connector
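
Review bot: the added line COMPOSE_PROJECT_NAME=directory-connector is the file's only content and nothing records why the project name is pinned. Add a one-line comment above it stating what depends on this name, so the setting is not removed later as unused.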

Contributor

What's this for?

Member Author

It gives a nice name to the grouping in docker desktop:

Screenshot 2024-10-07 at 1 31 00 PM

@addisonbeck addisonbeck Oct 7, 2024

Does it make more sense to set this in docker-compose.yml? Docker's documentation says it will take the top level name value here.

Also, if you're planning to use this as the scaffolding location for local development containers it doesn't make sense to put it in the integration-tests folder. I do think it's reasonable to put docker-compose.yml (and .env if you keep it) in project root.

Member Author

I moved docker-compose.yml to the project root as suggested and this automatically set the project name as well.

eliykat commented Oct 7, 2024

I realised belatedly that the OpenLDAP Docker image is unmaintained since ~3 years ago: https:/osixia/docker-openldap.

I'll look at changing it out for https://hub.docker.com/r/bitnami/openldap, which appears maintained and published by VMware. Other suggestions are welcome.

@eliykat eliykat added the hold do not merge, do not approve yet label Oct 7, 2024
@eliykat eliykat removed the hold do not merge, do not approve yet label Oct 9, 2024
@eliykat eliykat marked this pull request as draft October 9, 2024 01:23
@eliykat eliykat marked this pull request as ready for review October 10, 2024 00:14
eliykat commented Oct 10, 2024

@addisonbeck This is ready for review again:

  • changed to a maintained openldap server image
  • restructured directory structure in line with your suggestions
  • configured TLS certs properly 🙌
  • it turns out it wasn't that hard to generate TLS certs in the pipeline, so that has been moved into a script that can be used by both CI and local dev
  • EDIT: added tests for SSL over ldaps (not the same as SSL over StartTLS, how many standards do you need?? 😂 )

Once this is merged I will submit separate PRs to remove the docker image from server and update the instructions in contributing-docs.

@eliykat eliykat merged commit d65f426 into main Oct 13, 2024
23 checks passed
@eliykat eliykat deleted the ldap-integration-tests branch October 13, 2024 22:17