1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
13 "git.arvados.org/arvados.git/lib/config"
14 "git.arvados.org/arvados.git/lib/controller/railsproxy"
15 "git.arvados.org/arvados.git/lib/ctrlctx"
16 "git.arvados.org/arvados.git/sdk/go/arvados"
17 "git.arvados.org/arvados.git/sdk/go/arvadostest"
18 "git.arvados.org/arvados.git/sdk/go/auth"
19 "git.arvados.org/arvados.git/sdk/go/ctxlog"
20 "github.com/bradleypeabody/godap"
21 "github.com/jmoiron/sqlx"
22 check "gopkg.in/check.v1"
25 var _ = check.Suite(&LDAPSuite{})
27 type LDAPSuite struct {
28 cluster *arvados.Cluster
29 ctrl *ldapLoginController
30 ldap *godap.LDAPServer // fake ldap server that accepts auth goodusername/goodpassword
33 // transaction context
38 func (s *LDAPSuite) TearDownSuite(c *check.C) {
39 // Undo any changes/additions to the user database so they
40 // don't affect subsequent tests.
41 arvadostest.ResetEnv()
42 c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
45 func (s *LDAPSuite) SetUpSuite(c *check.C) {
46 cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
47 c.Assert(err, check.IsNil)
48 s.cluster, err = cfg.GetCluster("")
49 c.Assert(err, check.IsNil)
51 ln, err := net.Listen("tcp", "127.0.0.1:0")
52 s.ldap = &godap.LDAPServer{
54 Handlers: []godap.LDAPRequestHandler{
55 &godap.LDAPBindFuncHandler{
56 LDAPBindFunc: func(binddn string, bindpw []byte) bool {
57 return binddn == "cn=goodusername,dc=example,dc=com" && string(bindpw) == "goodpassword"
60 &godap.LDAPSimpleSearchFuncHandler{
61 LDAPSimpleSearchFunc: func(req *godap.LDAPSimpleSearchRequest) []*godap.LDAPSimpleSearchResultEntry {
62 if req.FilterAttr != "uid" || req.BaseDN != "dc=example,dc=com" {
63 return []*godap.LDAPSimpleSearchResultEntry{}
65 return []*godap.LDAPSimpleSearchResultEntry{
66 &godap.LDAPSimpleSearchResultEntry{
67 DN: "cn=" + req.FilterValue + "," + req.BaseDN,
68 Attrs: map[string]interface{}{
69 "SN": req.FilterValue,
70 "CN": req.FilterValue,
71 "uid": req.FilterValue,
72 "mail": req.FilterValue + "@example.com",
81 ctxlog.TestLogger(c).Print(s.ldap.Serve())
84 s.cluster.Login.LDAP.Enable = true
85 err = json.Unmarshal([]byte(`"ldap://`+ln.Addr().String()+`"`), &s.cluster.Login.LDAP.URL)
86 s.cluster.Login.LDAP.StartTLS = false
87 s.cluster.Login.LDAP.SearchBindUser = "cn=goodusername,dc=example,dc=com"
88 s.cluster.Login.LDAP.SearchBindPassword = "goodpassword"
89 s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
90 c.Assert(err, check.IsNil)
91 s.ctrl = &ldapLoginController{
93 RailsProxy: railsproxy.NewConn(s.cluster),
95 s.db = arvadostest.DB(c, s.cluster)
98 func (s *LDAPSuite) SetUpTest(c *check.C) {
99 tx, err := s.db.Beginx()
100 c.Assert(err, check.IsNil)
101 s.ctx = ctrlctx.NewWithTransaction(context.Background(), tx)
102 s.rollback = tx.Rollback
105 func (s *LDAPSuite) TearDownTest(c *check.C) {
106 if s.rollback != nil {
111 func (s *LDAPSuite) TestLoginSuccess(c *check.C) {
112 conn := NewConn(s.cluster)
113 conn.loginController = s.ctrl
114 resp, err := conn.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
115 Username: "goodusername",
116 Password: "goodpassword",
118 c.Check(err, check.IsNil)
119 c.Check(resp.APIToken, check.Not(check.Equals), "")
120 c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
121 c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
123 ctx := auth.NewContext(s.ctx, &auth.Credentials{Tokens: []string{"v2/" + resp.UUID + "/" + resp.APIToken}})
124 user, err := railsproxy.NewConn(s.cluster).UserGetCurrent(ctx, arvados.GetOptions{})
125 c.Check(err, check.IsNil)
126 c.Check(user.Email, check.Equals, "goodusername@example.com")
127 c.Check(user.Username, check.Equals, "goodusername")
130 func (s *LDAPSuite) TestLoginFailure(c *check.C) {
131 // search returns no results
132 s.cluster.Login.LDAP.SearchBase = "dc=example,dc=invalid"
133 resp, err := s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
134 Username: "goodusername",
135 Password: "goodpassword",
137 c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "goodusername" and password\)`)
138 hs, ok := err.(interface{ HTTPStatus() int })
139 if c.Check(ok, check.Equals, true) {
140 c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
142 c.Check(resp.APIToken, check.Equals, "")
144 // search returns result, but auth fails
145 s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
146 resp, err = s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
147 Username: "badusername",
148 Password: "badpassword",
150 c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "badusername" and password\)`)
151 hs, ok = err.(interface{ HTTPStatus() int })
152 if c.Check(ok, check.Equals, true) {
153 c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
155 c.Check(resp.APIToken, check.Equals, "")