22958: Add missing `become`

[arvados.git] / lib / controller / localdb / login_docker_test.go

// Copyright (C) The Arvados Authors. All rights reserved.
//
// SPDX-License-Identifier: AGPL-3.0

package localdb

import (
        "bytes"
        "encoding/json"
        "fmt"
        "io"
        "net"
        "net/http"
        "net/url"
        "os"
        "os/exec"
        "path"
        "path/filepath"
        "slices"
        "strings"

        "git.arvados.org/arvados.git/sdk/go/arvados"
        check "gopkg.in/check.v1"
)

var _ = check.Suite(&LoginDockerSuite{})

// LoginDockerSuite is an integration test of controller's different Login
// methods.  Each test creates a different Login configuration and runs
// controller in a Docker container with it. It runs other Docker containers
// for supporting services.
type LoginDockerSuite struct {
        localdbSuite
        tmpdir     string
        netName    string
        netAddr    string
        pgProxy    *tcpProxy
        railsProxy *tcpProxy
}

func (s *LoginDockerSuite) setUpDockerNetwork() (string, error) {
        netName := "arvados-net-" + path.Base(path.Dir(s.tmpdir))
        cmd := exec.Command("docker", "network", "create", netName)
        cmd.Stderr = os.Stderr
        if err := cmd.Run(); err != nil {
                return "", err
        }
        return netName, nil
}

// Run cmd and read stdout looking for an IP address on a line by itself.
// Return the last one found.
func (s *LoginDockerSuite) ipFromCmd(cmd *exec.Cmd) (string, error) {
        cmd.Stderr = os.Stderr
        out, err := cmd.Output()
        if err != nil {
                return "", err
        }
        lines := bytes.Split(out, []byte{'\n'})
        slices.Reverse(lines)
        for _, line := range lines {
                if ip := net.ParseIP(string(line)); ip != nil {
                        return ip.String(), nil
                }
        }
        return "", fmt.Errorf("no IP address found in the output of %v", cmd)
}

// SetUpSuite creates a Docker network, starts an openldap server in it, and
// creates user account fixtures in LDAP.
// We used to use the LDAP server for multiple tests. We don't currently, but
// there are pros and cons to starting it here vs. in each individaul test, so
// it's staying here for now.
func (s *LoginDockerSuite) SetUpSuite(c *check.C) {
        s.localdbSuite.SetUpSuite(c)
        s.tmpdir = c.MkDir()
        var err error
        s.netName, err = s.setUpDockerNetwork()
        c.Assert(err, check.IsNil)
        s.netAddr, err = s.ipFromCmd(exec.Command("docker", "network", "inspect",
                "--format", "{{(index .IPAM.Config 0).Gateway}}", s.netName))
        c.Assert(err, check.IsNil)
        setup := exec.Command("login_docker_test/setup_suite.sh", s.netName, s.tmpdir)
        setup.Stderr = os.Stderr
        err = setup.Run()
        c.Assert(err, check.IsNil)
}

// TearDownSuite stops all containers running on the Docker network we set up,
// then deletes the network itself.
func (s *LoginDockerSuite) TearDownSuite(c *check.C) {
        if s.netName != "" {
                cmd := exec.Command("login_docker_test/teardown_suite.sh", s.netName)
                cmd.Stderr = os.Stderr
                err := cmd.Run()
                c.Check(err, check.IsNil)
        }
        s.localdbSuite.TearDownSuite(c)
}

// Create a test cluster configuration in the test temporary directory.
// Update it to use the current PostgreSQL and RailsAPI proxies.
func (s *LoginDockerSuite) setUpConfig(c *check.C) {
        src, err := os.Open(os.Getenv("ARVADOS_CONFIG"))
        c.Assert(err, check.IsNil)
        defer src.Close()
        dst, err := os.Create(path.Join(s.tmpdir, "arvados.yml"))
        c.Assert(err, check.IsNil)
        _, err = io.Copy(dst, src)
        closeErr := dst.Close()
        c.Assert(err, check.IsNil)
        c.Assert(closeErr, check.IsNil)

        pgconn := map[string]interface{}{
                "host": s.netAddr,
                "port": s.pgProxy.Port(),
        }
        err = s.updateConfig(".Clusters.zzzzz.PostgreSQL.Connection |= (. * $arg)", pgconn)
        c.Assert(err, check.IsNil)
        intVal := make(map[string]string)
        intURLs := make(map[string]interface{})
        railsURL := "https://" + net.JoinHostPort(s.netAddr, s.railsProxy.Port())
        intURLs[railsURL] = intVal
        err = s.updateConfig(".Clusters.zzzzz.Services.RailsAPI.InternalURLs = $arg", intURLs)
        c.Assert(err, check.IsNil)
        intURLs = make(map[string]interface{})
        intURLs["http://0.0.0.0:80"] = intVal
        err = s.updateConfig(".Clusters.zzzzz.Services.Controller.InternalURLs = $arg", intURLs)
        c.Assert(err, check.IsNil)
}

// Update the test cluster configuration with the given yq expression.
// The expression can use `$arg` to refer to the object passed in as `arg`.
func (s *LoginDockerSuite) updateConfig(expr string, arg map[string]interface{}) error {
        jsonArg, err := json.Marshal(arg)
        if err != nil {
                return err
        }
        cmd := exec.Command("yq", "-yi",
                "--argjson", "arg", string(jsonArg),
                expr, path.Join(s.tmpdir, "arvados.yml"))
        cmd.Stderr = os.Stderr
        return cmd.Run()
}

// Update the test cluster configuration to use the named login method.
func (s *LoginDockerSuite) enableLogin(key string) error {
        login := make(map[string]interface{})
        login["Test"] = map[string]bool{"Enable": false}
        login[key] = map[string]bool{"Enable": true}
        return s.updateConfig(".Clusters.zzzzz.Login |= (. * $arg)", login)
}

// SetUpTest does all the common preparation for a controller test container:
// it creates TCP proxies for PostgreSQL and RailsAPI on the test host, then
// writes a new Arvados cluster configuration pointed at those for servers to
// use.
func (s *LoginDockerSuite) SetUpTest(c *check.C) {
        s.localdbSuite.SetUpTest(c)
        s.pgProxy = newPgProxy(c, s.cluster, s.netAddr)
        s.railsProxy = newInternalProxy(c, s.cluster.Services.RailsAPI, s.netAddr)
        s.setUpConfig(c)
}

// TearDownTest looks for the `controller.cid` file created when we start the
// test container. If found, it stops that container and deletes the file.
// Then it closes the TCP proxies created by SetUpTest.
func (s *LoginDockerSuite) TearDownTest(c *check.C) {
        cidPath := path.Join(s.tmpdir, "controller.cid")
        if cid, err := os.ReadFile(cidPath); err == nil {
                cmd := exec.Command("docker", "stop", strings.TrimSpace(string(cid)))
                cmd.Stderr = os.Stderr
                err := cmd.Run()
                c.Check(err, check.IsNil)
        }
        if err := os.Remove(cidPath); err != nil {
                c.Check(os.IsNotExist(err), check.Equals, true)
        }
        s.railsProxy.Close()
        s.pgProxy.Close()
        s.localdbSuite.TearDownTest(c)
}

func (s *LoginDockerSuite) startController(args ...string) (*url.URL, error) {
        args = append([]string{s.netName, s.tmpdir}, args...)
        cmd := exec.Command("login_docker_test/start_controller_container.sh", args...)
        ip, err := s.ipFromCmd(cmd)
        if err != nil {
                return nil, err
        }
        return &url.URL{
                Scheme: "http",
                Host:   ip,
        }, nil
}

func (s *LoginDockerSuite) parseResponse(resp *http.Response, body any) error {
        defer resp.Body.Close()
        respBody, err := io.ReadAll(resp.Body)
        if err != nil {
                return err
        }
        if resp.StatusCode < 400 {
                return json.Unmarshal(respBody, body)
        }
        var errResp struct {
                Errors []string
        }
        err = json.Unmarshal(respBody, &errResp)
        if err != nil {
                return fmt.Errorf("%s with malformed JSON response: %w", resp.Status, err)
        } else if len(errResp.Errors) == 0 {
                return fmt.Errorf("%s with no Errors in response", resp.Status)
        } else {
                return fmt.Errorf("%s: %s", resp.Status, strings.Join(errResp.Errors, ":"))
        }
}

func (s *LoginDockerSuite) authenticate(server *url.URL, username, password string) (*arvados.APIClientAuthorization, error) {
        reqURL := server.JoinPath("/arvados/v1/users/authenticate").String()
        reqValues := url.Values{
                "username": {username},
                "password": {password},
        }
        resp, err := http.PostForm(reqURL, reqValues)
        if err != nil {
                return nil, err
        }
        token := &arvados.APIClientAuthorization{}
        err = s.parseResponse(resp, token)
        return token, err
}

func (s *LoginDockerSuite) getCurrentUser(server *url.URL, token string) (*arvados.User, error) {
        reqURL := server.JoinPath("/arvados/v1/users/current").String()
        req, err := http.NewRequest("GET", reqURL, nil)
        if err != nil {
                return nil, err
        }
        req.Header.Add("Authorization", "Bearer "+token)
        resp, err := http.DefaultClient.Do(req)
        if err != nil {
                return nil, err
        }
        user := &arvados.User{}
        err = s.parseResponse(resp, user)
        return user, err
}

func (s *LoginDockerSuite) TestLoginPAM(c *check.C) {
        err := s.enableLogin("PAM")
        c.Assert(err, check.IsNil)
        setupPath, err := filepath.Abs("login_docker_test/setup_pam_test.sh")
        c.Assert(err, check.IsNil)
        arvURL, err := s.startController("-v", setupPath+":/setup.sh:ro")
        c.Assert(err, check.IsNil)

        _, err = s.authenticate(arvURL, "foo-bar", "nosecret")
        c.Check(err, check.ErrorMatches,
                `401 Unauthorized: PAM: Authentication failure \(with username "foo-bar" and password\)`)

        _, err = s.authenticate(arvURL, "expired", "secret")
        c.Check(err, check.ErrorMatches,
                `401 Unauthorized: PAM: Authentication failure; "Your account has expired; please contact your system administrator\."`)

        aca, err := s.authenticate(arvURL, "foo-bar", "secret")
        if c.Check(err, check.IsNil) {
                user, err := s.getCurrentUser(arvURL, aca.TokenV2())
                if c.Check(err, check.IsNil) {
                        // Check PAMDefaultEmailDomain was propagated as expected
                        c.Check(user.Email, check.Equals, "foo-bar@example.com")
                }
        }
}

func (s *LoginDockerSuite) TestLoginLDAPBuiltin(c *check.C) {
        err := s.enableLogin("LDAP")
        c.Assert(err, check.IsNil)
        arvURL, err := s.startController()
        c.Assert(err, check.IsNil)

        _, err = s.authenticate(arvURL, "foo-bar", "nosecret")
        c.Check(err, check.ErrorMatches,
                `401 Unauthorized: LDAP: Authentication failure \(with username "foo-bar" and password\)`)

        aca, err := s.authenticate(arvURL, "foo-bar", "secret")
        if c.Check(err, check.IsNil) {
                user, err := s.getCurrentUser(arvURL, aca.TokenV2())
                if c.Check(err, check.IsNil) {
                        // User fields come from LDAP attributes
                        c.Check(user.FirstName, check.Equals, "Foo")
                        c.Check(user.LastName, check.Equals, "Bar")
                        // "-" character removed by RailsAPI
                        c.Check(user.Username, check.Equals, "foobar")
                        c.Check(user.Email, check.Equals, "foo-bar-baz@example.com")
                }
        }
}