[ARVADOS] updated: 1.3.0-2552-gf0d798af1
Git user
git at public.arvados.org
Wed May 13 14:57:06 UTC 2020
Summary of changes:
lib/controller/localdb/login_ldap_test.go | 133 ++++++++++++++++++++++++++++++
1 file changed, 133 insertions(+)
create mode 100644 lib/controller/localdb/login_ldap_test.go
via f0d798af105d042e3129fca334c080ce9a90293f (commit)
from 0634b763dd27914cff5ca49c6cfe11233746ee31 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit f0d798af105d042e3129fca334c080ce9a90293f
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed May 13 10:56:32 2020 -0400
15881: Test ldap with fake ldap server.
Adds file missing from 8f435f4ba.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/controller/localdb/login_ldap_test.go b/lib/controller/localdb/login_ldap_test.go
new file mode 100644
index 000000000..9a8f83f85
--- /dev/null
+++ b/lib/controller/localdb/login_ldap_test.go
@@ -0,0 +1,133 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
+package localdb
+
+import (
+ "context"
+ "encoding/json"
+ "net"
+ "net/http"
+
+ "git.arvados.org/arvados.git/lib/config"
+ "git.arvados.org/arvados.git/lib/controller/railsproxy"
+ "git.arvados.org/arvados.git/sdk/go/arvados"
+ "git.arvados.org/arvados.git/sdk/go/arvadostest"
+ "git.arvados.org/arvados.git/sdk/go/auth"
+ "git.arvados.org/arvados.git/sdk/go/ctxlog"
+ "github.com/bradleypeabody/godap"
+ check "gopkg.in/check.v1"
+)
+
+var _ = check.Suite(&LDAPSuite{})
+
+type LDAPSuite struct {
+ cluster *arvados.Cluster
+ ctrl *ldapLoginController
+ ldap *godap.LDAPServer // fake ldap server that accepts auth goodusername/goodpassword
+}
+
+func (s *LDAPSuite) TearDownSuite(c *check.C) {
+ // Undo any changes/additions to the user database so they
+ // don't affect subsequent tests.
+ arvadostest.ResetEnv()
+ c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
+}
+
+func (s *LDAPSuite) SetUpSuite(c *check.C) {
+ cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
+ c.Assert(err, check.IsNil)
+ s.cluster, err = cfg.GetCluster("")
+ c.Assert(err, check.IsNil)
+
+ ln, err := net.Listen("tcp", "127.0.0.1:0")
+ s.ldap = &godap.LDAPServer{
+ Listener: ln,
+ Handlers: []godap.LDAPRequestHandler{
+ &godap.LDAPBindFuncHandler{
+ LDAPBindFunc: func(binddn string, bindpw []byte) bool {
+ return binddn == "cn=goodusername,dc=example,dc=com" && string(bindpw) == "goodpassword"
+ },
+ },
+ &godap.LDAPSimpleSearchFuncHandler{
+ LDAPSimpleSearchFunc: func(req *godap.LDAPSimpleSearchRequest) []*godap.LDAPSimpleSearchResultEntry {
+ if req.FilterAttr != "uid" || req.BaseDN != "dc=example,dc=com" {
+ return []*godap.LDAPSimpleSearchResultEntry{}
+ }
+ return []*godap.LDAPSimpleSearchResultEntry{
+ &godap.LDAPSimpleSearchResultEntry{
+ DN: "cn=" + req.FilterValue + "," + req.BaseDN,
+ Attrs: map[string]interface{}{
+ "SN": req.FilterValue,
+ "CN": req.FilterValue,
+ "uid": req.FilterValue,
+ "mail": req.FilterValue + "@example.com",
+ },
+ },
+ }
+ },
+ },
+ },
+ }
+ go func() {
+ ctxlog.TestLogger(c).Print(s.ldap.Serve())
+ }()
+
+ s.cluster.Login.LDAP.Enable = true
+ err = json.Unmarshal([]byte(`"ldap://`+ln.Addr().String()+`"`), &s.cluster.Login.LDAP.URL)
+ s.cluster.Login.LDAP.StartTLS = false
+ s.cluster.Login.LDAP.SearchBindUser = "cn=goodusername,dc=example,dc=com"
+ s.cluster.Login.LDAP.SearchBindPassword = "goodpassword"
+ s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
+ c.Assert(err, check.IsNil)
+ s.ctrl = &ldapLoginController{
+ Cluster: s.cluster,
+ RailsProxy: railsproxy.NewConn(s.cluster),
+ }
+}
+
+func (s *LDAPSuite) TestLoginSuccess(c *check.C) {
+ resp, err := s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
+ Username: "goodusername",
+ Password: "goodpassword",
+ })
+ c.Check(err, check.IsNil)
+ c.Check(resp.APIToken, check.Not(check.Equals), "")
+ c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
+ c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
+
+ ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{"v2/" + resp.UUID + "/" + resp.APIToken}})
+ user, err := railsproxy.NewConn(s.cluster).UserGetCurrent(ctx, arvados.GetOptions{})
+ c.Check(err, check.IsNil)
+ c.Check(user.Email, check.Equals, "goodusername at example.com")
+ c.Check(user.Username, check.Equals, "goodusername")
+}
+
+func (s *LDAPSuite) TestLoginFailure(c *check.C) {
+ // search returns no results
+ s.cluster.Login.LDAP.SearchBase = "dc=example,dc=invalid"
+ resp, err := s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
+ Username: "goodusername",
+ Password: "goodpassword",
+ })
+ c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "goodusername" and password\)`)
+ hs, ok := err.(interface{ HTTPStatus() int })
+ if c.Check(ok, check.Equals, true) {
+ c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
+ }
+ c.Check(resp.APIToken, check.Equals, "")
+
+ // search returns result, but auth fails
+ s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
+ resp, err = s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
+ Username: "badusername",
+ Password: "badpassword",
+ })
+ c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "badusername" and password\)`)
+ hs, ok = err.(interface{ HTTPStatus() int })
+ if c.Check(ok, check.Equals, true) {
+ c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
+ }
+ c.Check(resp.APIToken, check.Equals, "")
+}
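Review bot: TestLoginFailure never tries the valid account with a wrong password: its second case sends `badusername`/`badpassword`, so the fake server rejects the bind on the DN alone and a login path that mishandled the supplied password (for example by reusing `SearchBindPassword`, which here equals the good user's password) would still pass. A third case with `Username: "goodusername", Password: "badpassword"` expecting the same 401 and an empty `resp.APIToken` would pin the password check itself. An empty-password case is worth adding as well, since some directories treat a simple bind with an empty password as an unauthenticated bind and report success; the fake's `LDAPBindFunc` would have to mimic that for the test to mean anything. Separately, in SetUpSuite the `err` from `net.Listen` is overwritten by `json.Unmarshal` before the only `c.Assert`, so a failed listen would show up as a nil dereference at `ln.Addr()`; put `c.Assert(err, check.IsNil)` directly after the `net.Listen` call.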
-----------------------------------------------------------------------
hooks/post-receive
--