From 51e1a16a93dc7230f50cd72fd88daaf767c3b310 Mon Sep 17 00:00:00 2001 From: Luke Bakken Date: Fri, 2 Nov 2018 11:38:42 -0700 Subject: [PATCH] Add failing test for rabbitmq/rabbitmq-auth-backend-ldap#100 --- deps/rabbitmq_auth_backend_ldap/Vagrantfile | 2 +- .../test/rabbit_ldap_seed.erl | 12 ++++- .../test/system_SUITE.erl | 51 +++++++++++++++---- 3 files changed, 54 insertions(+), 11 deletions(-) diff --git a/deps/rabbitmq_auth_backend_ldap/Vagrantfile b/deps/rabbitmq_auth_backend_ldap/Vagrantfile index f56723b85a..20b9b8f0b1 100644 --- a/deps/rabbitmq_auth_backend_ldap/Vagrantfile +++ b/deps/rabbitmq_auth_backend_ldap/Vagrantfile @@ -2,7 +2,7 @@ # vi: set ft=ruby : Vagrant.configure(2) do |config| - config.vm.box = "ubuntu/trusty64" + config.vm.box = 'ubuntu/xenial64' config.vm.network "forwarded_port", guest: 389, host: 3890 config.vm.provision "shell", inline: "sudo apt-get -y update" config.vm.provision "file", source: "example", destination: "~/example" diff --git a/deps/rabbitmq_auth_backend_ldap/test/rabbit_ldap_seed.erl b/deps/rabbitmq_auth_backend_ldap/test/rabbit_ldap_seed.erl index 11ca9c272c..22166a723d 100644 --- a/deps/rabbitmq_auth_backend_ldap/test/rabbit_ldap_seed.erl +++ b/deps/rabbitmq_auth_backend_ldap/test/rabbit_ldap_seed.erl @@ -60,7 +60,8 @@ people() -> johndoe(), alice(), peter(), - carol() + carol(), + jimmy() ]. groups() -> @@ -184,6 +185,15 @@ carol() -> {"loginShell", ["/bin/bash"]}, {"userPassword", ["password"]}]}. +% rabbitmq/rabbitmq-auth-backend-ldap#100 +jimmy() -> + {"cn=Jimmy,ou=people,dc=rabbitmq,dc=com", + [{"objectClass", ["person"]}, + {"cn", ["Jimmy"]}, + {"sn", ["Makes"]}, + {"userPassword", ["password"]}, + {"description", ["^RMQ-foobar", "^RMQ-.*$"]}]}. + add(H, {A, B}) -> ok = eldap:add(H, A, B). diff --git a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl index 4726fc18e3..af2798195e 100644 --- a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl 
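Review bot: The comment above `jimmy()` in rabbit_ldap_seed.erl gives only the issue number and does not say why `description` carries two values. Judging by the queries this patch adds to system_SUITE.erl, the values are used as patterns against `RMQ-${vhost}`, and with the suite's vhost `test` only `^RMQ-.*$` would match. The entry therefore seems to exist to show that every value of a multi-valued attribute is tried. I would state that in the comment, for example `%% Two description values on purpose: only the second matches "RMQ-test" (rabbitmq/rabbitmq-auth-backend-ldap#100)`.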
+++ b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl @@ -25,6 +25,7 @@ -define(BOB_NAME, "Bob"). -define(CAROL_NAME, "Carol"). -define(PETER_NAME, "Peter"). +-define(JIMMY_NAME, "Jimmy"). -define(VHOST, "test"). -define(DEFAULT_LDAP_PORT, "3890"). @@ -45,6 +46,10 @@ password = <<"password">>, virtual_host = <>}). +-define(JIMMY, #amqp_params_network{username = <>, + password = <<"password">>, + virtual_host = <>}). + -define(BASE_CONF_RABBIT, {rabbit, [{default_vhost, <<"test">>}]}). base_conf_ldap(LdapPort, IdleTimeout, PoolSize) -> @@ -113,7 +118,8 @@ groups() -> invalid_and_clause_ldap_only, topic_authorisation_publishing_ldap_only, topic_authorisation_consumption, - match_bidirectional + match_bidirectional, + match_bidirectional_gh_100 ], [ {non_parallel_tests, [], Tests @@ -475,10 +481,8 @@ topic_authorisation_consumption1(Config) -> false = rabbit_auth_backend_ldap:check_topic_access(Alice, Resource, read, #{routing_key => <<"b.c">>}), %% user KO, routing key OK, should fail false = rabbit_auth_backend_ldap:check_topic_access(Bob, Resource, read, #{routing_key => <<"a.b.c">>}), - ok. - match_bidirectional(Config) -> ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, [rabbit, auth_backends, [rabbit_auth_backend_ldap]]), 
@@ -500,6 +504,25 @@ match_bidirectional(Config) -> end || ConfigurationFunction <- Configurations], ok. +match_bidirectional_gh_100(Config) -> + ok = rabbit_ct_broker_helpers:rpc(Config, 0, + application, set_env, [rabbit, auth_backends, [rabbit_auth_backend_ldap]]), + + Configurations = [ + fun resource_access_query_match_gh_100/0, + fun resource_access_query_match_query_is_string_gh_100/0 + ], + + [begin + set_env(Config, ConfigurationFunction()), + Q1 = [#'queue.declare'{queue = <<"Jimmy-queue">>}], + Q2 = [#'queue.declare'{queue = <<"Jimmy">>}], + P = #amqp_params_network{port = rabbit_ct_broker_helpers:get_node_config(Config, 0, tcp_port_amqp)}, + [test_resource(PTR) || PTR <- [{P?JIMMY, Q1, ok}, + {P?JIMMY, Q2, ok}]] + end || ConfigurationFunction <- Configurations], + ok. + %%-------------------------------------------------------------------- test_publish(Person, Exchange, RoutingKey, ExpectedResult) -> @@ -646,6 +669,22 @@ vhost_access_query_and_in_group() -> vhost_access_query_nested_groups_env() -> [{vhost_access_query, {in_group_nested, "cn=admins,ou=groups,dc=rabbitmq,dc=com"}}]. +vhost_access_query_base_env() -> + [{vhost_access_query, vhost_access_query_base()}]. + +vhost_access_query_base() -> + {exists, "ou=${vhost},ou=vhosts,dc=rabbitmq,dc=com"}. + +resource_access_query_match_gh_100() -> + [{resource_access_query, + {match, {string, "RMQ-${vhost}"}, {attribute, "${user_dn}", "description"}} + }]. + +resource_access_query_match_query_is_string_gh_100() -> + [{resource_access_query, + {match, "RMQ-${vhost}", {attribute, "${user_dn}", "description"}} + }]. + resource_access_query_match() -> [{resource_access_query, {match, {string, "${name}"}, {string, "^${username}-"}} 
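Review bot: `match_bidirectional_gh_100/1` asserts only the allow path, since both `{P?JIMMY, Q1, ok}` and `{P?JIMMY, Q2, ok}` expect `ok`. Neither new query refers to `${name}`, so the two queue names exercise the same decision. For an authorisation check this leaves a fail-open result untested: a `match` that returned true for any attribute value would still pass. I would seed a second user whose `description` values do not match `RMQ-${vhost}` and expect a refusal for it, using whatever refusal expectation `test_resource/1` takes elsewhere in the suite (not visible in this hunk).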
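Review bot: Both new queries in the `@@ -646,6 +669,22 @@` hunk take the pattern side of `match` from the `description` attribute of the connecting user's own entry, `{attribute, "${user_dn}", "description"}`. The argument order is inferred from `resource_access_query_match/0` just below, where the second term is the regular expression. That is fine against the seeded test directory, but suite configurations are often copied as examples. In a directory where users may edit their own `description`, the user would be writing their own access rule. A comment on `resource_access_query_match_gh_100/0` would cover it, e.g. `%% Patterns are read from the user's own entry; only safe when that attribute is admin-controlled.`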
@@ -666,12 +705,6 @@ resource_access_query_match_query_and_re_query_are_strings() -> "^${username}-"} }]. -vhost_access_query_base_env() -> - [{vhost_access_query, vhost_access_query_base()}]. - -vhost_access_query_base() -> - {exists, "ou=${vhost},ou=vhosts,dc=rabbitmq,dc=com"}. - topic_access_query_base_env() -> [{topic_access_query, topic_access_query_base()}].