3 # This script demonstrates using LDAP for Arvados user authentication.
5 # It configures arvados controller in a docker container, optionally
6 # with pam_ldap(5) configured to authenticate against an OpenLDAP
7 # server in a second docker container.
9 # After adding a "foo" user entry, it uses curl to check that the
10 # Arvados controller's login endpoint accepts the "foo" account
11 # username/password and rejects invalid credentials.
13 # It is intended to be run inside .../build/run-tests.sh (in
14 # interactive mode: "test lib/controller/localdb -tags=docker
15 # -check.f=LDAP -check.vv"). It assumes ARVADOS_TEST_API_HOST points
16 # to a RailsAPI server and the desired version of arvados-server is
17 # installed in $GOPATH/bin.
22 if [[ -n ${ARVADOS_DEBUG} ]]; then
27 case "${config_method}" in
31 echo >&2 "\$config_method env var must be 'pam' or 'ldap'"
36 hostname="$(hostname)"
41 for h in ${ldapctr} ${ctrlctr}; do
42 if [[ -n ${h} ]]; then
49 if [[ -z "$(docker image ls -q osixia/openldap:1.3.0)" ]]; then
50 echo >&2 "Pulling docker image for ldap server"
51 docker pull osixia/openldap:1.3.0
54 ldapctr=ldap-${RANDOM}
55 echo >&2 "Starting ldap server in docker container ${ldapctr}"
56 docker run --rm --detach \
60 docker logs --follow ${ldapctr} 2>$debug >$debug &
61 ldaphostport=$(docker port ${ldapctr} 389/tcp)
62 ldapport=${ldaphostport##*:}
63 ldapurl="ldap://${hostname}:${ldapport}"
64 passwordhash="$(docker exec -i ${ldapctr} slappasswd -s "secret")"
66 # These are the default admin credentials for osixia/openldap:1.3.0
70 cat >"${tmpdir}/zzzzz.yml" <<EOF
79 password: insecure_arvados_test
80 ManagementToken: e687950a23c3a9bceec28c6223a06c79
81 SystemRootToken: systemusertesttoken1234567890aoeuidhtnsqjkxbmwvzpy
87 BlobSigningKey: zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc
89 ForwardSlashNameSubstitution: /
93 "https://${hostname}:${ARVADOS_TEST_API_HOST##*:}/": {}
95 ExternalURL: http://0.0.0.0:9999/
97 "http://0.0.0.0:9999/": {}
101 case "${config_method}" in
103 setup_pam_ldap="apt update && DEBIAN_FRONTEND=noninteractive apt install -y ldap-utils libpam-ldap && pam-auth-update --package /usr/share/pam-configs/ldap"
104 cat >>"${tmpdir}/zzzzz.yml" <<EOF
107 # Without this magic PAMDefaultEmailDomain, inserted users would
108 # prevent subsequent database/reset from working (see
109 # database_controller.rb).
110 PAMDefaultEmailDomain: example.com
115 cat >>"${tmpdir}/zzzzz.yml" <<EOF
121 SearchBase: dc=example,dc=org
122 SearchBindUser: cn=admin,dc=example,dc=org
123 SearchBindPassword: admin
128 cat >&2 "${tmpdir}/zzzzz.yml"
130 cat >"${tmpdir}/pam_ldap.conf" <<EOF
131 base dc=example,dc=org
135 binddn cn=${adminuser},dc=example,dc=org
136 bindpw ${adminpassword}
139 cat >"${tmpdir}/add_example_user.ldif" <<EOF
140 dn: cn=bar,dc=example,dc=org
141 objectClass: posixGroup
145 description: "Example group 'bar'"
147 dn: uid=foo-bar,dc=example,dc=org
152 mail: foo-bar-baz@example.com
153 objectClass: inetOrgPerson
154 objectClass: posixAccount
156 objectClass: shadowAccount
160 shadowLastChange: 10701
161 loginShell: /bin/bash
164 homeDirectory: /home/foo-bar
165 userPassword: ${passwordhash}
168 echo >&2 "Adding example user entry user=foo-bar pass=secret (retrying until server comes up)"
169 docker run --rm --entrypoint= \
170 -v "${tmpdir}/add_example_user.ldif":/add_example_user.ldif:ro \
171 osixia/openldap:1.3.0 \
172 bash -c "for f in \$(seq 1 5); do if ldapadd -H '${ldapurl}' -D 'cn=${adminuser},dc=example,dc=org' -w '${adminpassword}' -f /add_example_user.ldif; then exit 0; else sleep 2; fi; done; echo 'failed to add user entry'; exit 1"
174 echo >&2 "Building arvados controller binary to run in container"
175 go build -o "${tmpdir}" ../../../cmd/arvados-server
177 ctrlctr=ctrl-${RANDOM}
178 echo >&2 "Starting arvados controller in docker container ${ctrlctr}"
179 docker run --detach --rm --name=${ctrlctr} \
181 -v "${tmpdir}/pam_ldap.conf":/etc/pam_ldap.conf:ro \
182 -v "${tmpdir}/arvados-server":/bin/arvados-server:ro \
183 -v "${tmpdir}/zzzzz.yml":/etc/arvados/config.yml:ro \
184 -v $(realpath "${PWD}/../../.."):/arvados:ro \
186 bash -c "${setup_pam_ldap:-true} && arvados-server controller"
187 docker logs --follow ${ctrlctr} 2>$debug >$debug &
188 ctrlhostport=$(docker port ${ctrlctr} 9999/tcp)
190 echo >&2 "Waiting for arvados controller to come up..."
191 for f in $(seq 1 20); do
192 if curl -s "http://${ctrlhostport}/arvados/v1/config" >/dev/null; then
200 echo >&2 "Arvados controller is up at http://${ctrlhostport}"
205 if ! echo "${resp}" | fgrep -q "${str}"; then
207 echo >&2 "FAIL: expected in response, but not found: ${str@Q}"
214 echo >&2 "Testing authentication failure"
215 resp="$(set -x; curl -s --include -d username=foo-bar -d password=nosecret "http://${ctrlhostport}/arvados/v1/users/authenticate" | tee $debug)"
216 check_contains "${resp}" "HTTP/1.1 401"
217 if [[ "${config_method}" = ldap ]]; then
218 check_contains "${resp}" '{"errors":["LDAP: Authentication failure (with username \"foo-bar\" and password)"]}'
220 check_contains "${resp}" '{"errors":["PAM: Authentication failure (with username \"foo-bar\" and password)"]}'
223 echo >&2 "Testing authentication success"
224 resp="$(set -x; curl -s --include -d username=foo-bar -d password=secret "http://${ctrlhostport}/arvados/v1/users/authenticate" | tee $debug)"
225 check_contains "${resp}" "HTTP/1.1 200"
226 check_contains "${resp}" '"api_token":"'
227 check_contains "${resp}" '"scopes":["all"]'
228 check_contains "${resp}" '"uuid":"zzzzz-gj3su-'
230 secret="${resp##*api_token\":\"}"
231 secret="${secret%%\"*}"
232 uuid="${resp##*uuid\":\"}"
234 token="v2/$uuid/$secret"
235 echo >&2 "New token is ${token}"
237 resp="$(set -x; curl -s --include -H "Authorization: Bearer ${token}" "http://${ctrlhostport}/arvados/v1/users/current" | tee $debug)"
238 check_contains "${resp}" "HTTP/1.1 200"
239 if [[ "${config_method}" = ldap ]]; then
240 # user fields come from LDAP attributes
241 check_contains "${resp}" '"first_name":"Foo"'
242 check_contains "${resp}" '"last_name":"Bar"'
243 check_contains "${resp}" '"username":"foobar"' # "-" removed by rails api
244 check_contains "${resp}" '"email":"foo-bar-baz@example.com"'
246 # PAMDefaultEmailDomain
247 check_contains "${resp}" '"email":"foo-bar@example.com"'