[ARVADOS] updated: 1.3.0-2346-g4e0eb166f
Git user
git at public.arvados.org
Tue Mar 17 21:16:40 UTC 2020
Summary of changes:
lib/controller/localdb/login_pam.go | 5 +-
lib/controller/localdb/login_pam_docker_test.go | 23 ++++
lib/controller/localdb/login_pam_docker_test.sh | 164 ++++++++++++++++++++++++
3 files changed, 191 insertions(+), 1 deletion(-)
create mode 100644 lib/controller/localdb/login_pam_docker_test.go
create mode 100755 lib/controller/localdb/login_pam_docker_test.sh
via 4e0eb166fd808b32c10cccc2b4014a02edcf29a6 (commit)
from de5dbb35d103ec6c16d4a2942416fe80aca86ba2 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 4e0eb166fd808b32c10cccc2b4014a02edcf29a6
Author: Tom Clegg <tom at tomclegg.ca>
Date: Tue Mar 17 17:16:15 2020 -0400
16212: Add pam_ldap test.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/controller/localdb/login_pam.go b/lib/controller/localdb/login_pam.go
index 1b1a05377..7955aef11 100644
--- a/lib/controller/localdb/login_pam.go
+++ b/lib/controller/localdb/login_pam.go
@@ -66,7 +66,10 @@ func (ctrl *pamLoginController) Login(ctx context.Context, opts arvados.LoginOpt
ctxlog.FromContext(ctx).WithFields(logrus.Fields{"user": user, "email": email}).Debug("pam authentication succeeded")
ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{ctrl.Cluster.SystemRootToken}})
resp, err := ctrl.RailsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
- ReturnTo: opts.Remote + "," + opts.ReturnTo,
+ // Send a fake ReturnTo value instead of the caller's
+ // opts.ReturnTo. We won't follow the resulting
+ // redirect target anyway.
+ ReturnTo: opts.Remote + ",https://none.invalid",
AuthInfo: rpc.UserSessionAuthInfo{
Username: user,
Email: email,
diff --git a/lib/controller/localdb/login_pam_docker_test.go b/lib/controller/localdb/login_pam_docker_test.go
new file mode 100644
index 000000000..8a02b2c38
--- /dev/null
+++ b/lib/controller/localdb/login_pam_docker_test.go
@@ -0,0 +1,23 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
+// Skip this slow test unless invoked as "go test -tags docker".
+// +build docker
+
+package localdb
+
+import (
+ "os"
+ "os/exec"
+
+ check "gopkg.in/check.v1"
+)
+
+func (s *PamSuite) TestLoginLDAPViaPAM(c *check.C) {
+ cmd := exec.Command("bash", "login_pam_docker_test.sh")
+ cmd.Stdout = os.Stderr
+ cmd.Stderr = os.Stderr
+ err := cmd.Run()
+ c.Check(err, check.IsNil)
+}
diff --git a/lib/controller/localdb/login_pam_docker_test.sh b/lib/controller/localdb/login_pam_docker_test.sh
new file mode 100755
index 000000000..7fb0a303a
--- /dev/null
+++ b/lib/controller/localdb/login_pam_docker_test.sh
@@ -0,0 +1,164 @@
+#!/bin/bash
+
+# This script demonstrates using LDAP for Arvados user authentication.
+#
+# It configures pam_ldap(5) and arvados controller in a docker
+# container, with pam_ldap configured to authenticate against an
+# OpenLDAP server in a second docker container.
+#
+# After adding a "foo" user entry, it uses curl to check that the
+# Arvados controller's login endpoint accepts the "foo" account
+# username/password and rejects invalid credentials.
+#
+# It is intended to be run inside .../build/run-tests.sh (in
+# interactive mode: "test lib/controller/localdb -tags=docker
+# -check.f=LDAP -check.vv"). It assumes ARVADOS_TEST_API_HOST points
+# to a RailsAPI server and the desired version of arvados-server is
+# installed in $GOPATH/bin.
+
+set -e -o pipefail
+
+debug=/dev/null
+if [[ -n ${ARVADOS_DEBUG} ]]; then
+ debug=/dev/stderr
+ set -x
+fi
+
+hostname="$(hostname)"
+tmpdir="$(mktemp -d)"
+cleanup() {
+ trap - ERR
+ rm -r ${tmpdir}
+ for h in ${ldapctr} ${ctrlctr}; do
+ if [[ -n ${h} ]]; then
+ docker kill ${h}
+ fi
+ done
+}
+trap cleanup ERR
+
+ldapctr=ldap-${RANDOM}
+echo >&2 "Starting ldap server in docker container ${ldapctr}"
+docker run --rm --detach \
+ -p 389 -p 636 \
+ --name=${ldapctr} \
+ osixia/openldap:1.3.0
+docker logs --follow ${ldapctr} 2>$debug >$debug &
+ldaphostport=$(docker port ${ldapctr} 389/tcp)
+ldapport=${ldaphostport##*:}
+ldapurl="ldap://${hostname}:${ldapport}"
+passwordhash="$(docker exec -i ${ldapctr} slappasswd -s "secret")"
+
+# These are the default admin credentials for osixia/openldap:1.3.0
+adminuser=admin
+adminpassword=admin
+
+cat >"${tmpdir}/zzzzz.yml" <<EOF
+Clusters:
+ zzzzz:
+ PostgreSQL:
+ Connection:
+ client_encoding: utf8
+ host: ${hostname}
+ dbname: arvados_test
+ user: arvados
+ password: insecure_arvados_test
+ ManagementToken: e687950a23c3a9bceec28c6223a06c79
+ SystemRootToken: systemusertesttoken1234567890aoeuidhtnsqjkxbmwvzpy
+ API:
+ RequestTimeout: 30s
+ TLS:
+ Insecure: true
+ Collections:
+ BlobSigningKey: zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc
+ TrustAllContent: true
+ ForwardSlashNameSubstitution: /
+ Services:
+ RailsAPI:
+ InternalURLs:
+ "https://${hostname}:${ARVADOS_TEST_API_HOST##*:}/": {}
+ Controller:
+ ExternalURL: http://0.0.0.0:9999/
+ InternalURLs:
+ "http://0.0.0.0:9999/": {}
+ Login:
+ PAM: true
+ SystemLogs:
+ LogLevel: debug
+EOF
+
+cat >"${tmpdir}/pam_ldap.conf" <<EOF
+base dc=example,dc=org
+ldap_version 3
+uri ${ldapurl}
+pam_password crypt
+binddn cn=${adminuser},dc=example,dc=org
+bindpw ${adminpassword}
+EOF
+
+cat >"${tmpdir}/add_example_user.ldif" <<EOF
+dn: cn=bar,dc=example,dc=org
+objectClass: posixGroup
+objectClass: top
+cn: bar
+gidNumber: 11111
+description: "Example group 'bar'"
+
+dn: uid=foo,dc=example,dc=org
+uid: foo
+cn: foo
+givenName: Foo
+sn: Bar
+mail: foobar at example.org
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+shadowMax: 180
+shadowMin: 1
+shadowWarning: 7
+shadowLastChange: 10701
+loginShell: /bin/bash
+uidNumber: 11111
+gidNumber: 11111
+homeDirectory: /home/foo
+userPassword: ${passwordhash}
+EOF
+
+echo >&2 "Adding example user entry user=foo pass=secret (retrying until server comes up)"
+docker run --rm --entrypoint= \
+ -v "${tmpdir}/add_example_user.ldif":/add_example_user.ldif:ro \
+ osixia/openldap:1.3.0 \
+ bash -c "for f in \$(seq 1 5); do if ldapadd -H '${ldapurl}' -D 'cn=${adminuser},dc=example,dc=org' -w '${adminpassword}' -f /add_example_user.ldif; then exit 0; else sleep 2; fi; done; echo 'failed to add user entry'; exit 1"
+
+ctrlctr=ctrl-${RANDOM}
+echo >&2 "Starting arvados controller in docker container ${ctrlctr}"
+docker run --detach --rm --name=${ctrlctr} \
+ -p 9999 \
+ -v "${tmpdir}/pam_ldap.conf":/etc/pam_ldap.conf:ro \
+ -v "${GOPATH:-${HOME}/go}/bin/arvados-server":/bin/arvados-server:ro \
+ -v "${tmpdir}/zzzzz.yml":/etc/arvados/config.yml:ro \
+ -v $(realpath "${PWD}/../../.."):/arvados:ro \
+ debian:10 \
+ bash -c "apt update && DEBIAN_FRONTEND=noninteractive apt install -y ldap-utils libpam-ldap && pam-auth-update --package /usr/share/pam-configs/ldap && arvados-server controller"
+docker logs --follow ${ctrlctr} 2>$debug >$debug &
+ctrlhostport=$(docker port ${ctrlctr} 9999/tcp)
+
+echo >&2 "Waiting for arvados controller to come up..."
+for f in $(seq 1 20); do
+ if curl -s "http://${ctrlhostport}/arvados/v1/config" >/dev/null; then
+ break
+ else
+ sleep 1
+ fi
+ echo -n >&2 .
+done
+echo >&2
+echo >&2 "Arvados controller is up at http://${ctrlhostport}"
+
+echo >&2 "Testing authentication failure"
+curl -s -H "X-Http-Method-Override: GET" -d username=foo -d password=nosecret "http://${ctrlhostport}/login" | tee $debug | grep "Authentication failure"
+echo >&2 "Testing authentication success"
+curl -s -H "X-Http-Method-Override: GET" -d username=foo -d password=secret "http://${ctrlhostport}/login" | tee $debug | fgrep '{"token":"v2/zzzzz-gj3su-'
+
+cleanup
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list