lib/controller/localdb/login_pam_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package localdb
   6
   7 import (
   8         "context"
   9         "io/ioutil"
  10         "net/http"
  11         "os"
  12         "strings"
  13
  14         "git.arvados.org/arvados.git/lib/config"
  15         "git.arvados.org/arvados.git/lib/controller/rpc"
  16         "git.arvados.org/arvados.git/sdk/go/arvados"
  17         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  18         "git.arvados.org/arvados.git/sdk/go/ctxlog"
  19         check "gopkg.in/check.v1"
  20 )
  21
  22 var _ = check.Suite(&PamSuite{})
  23
  24 type PamSuite struct {
  25         cluster  *arvados.Cluster
  26         ctrl     *pamLoginController
  27         railsSpy *arvadostest.Proxy
  28 }
  29
  30 func (s *PamSuite) SetUpSuite(c *check.C) {
  31         cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
  32         c.Assert(err, check.IsNil)
  33         s.cluster, err = cfg.GetCluster("")
  34         c.Assert(err, check.IsNil)
  35         s.cluster.Login.PAM.Enable = true
  36         s.cluster.Login.PAM.DefaultEmailDomain = "example.com"
  37         s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
  38         s.ctrl = &pamLoginController{
  39                 Cluster:    s.cluster,
  40                 RailsProxy: rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider),
  41         }
  42 }
  43
  44 func (s *PamSuite) TestLoginFailure(c *check.C) {
  45         resp, err := s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
  46                 Username: "bogususername",
  47                 Password: "boguspassword",
  48         })
  49         c.Check(err, check.ErrorMatches, `PAM: Authentication failure \(with username "bogususername" and password\)`)
  50         hs, ok := err.(interface{ HTTPStatus() int })
  51         if c.Check(ok, check.Equals, true) {
  52                 c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
  53         }
  54         c.Check(resp.APIToken, check.Equals, "")
  55 }
  56
  57 // This test only runs if the ARVADOS_TEST_PAM_CREDENTIALS_FILE env
  58 // var is set. The credentials file should contain a valid username
  59 // and password, separated by \n.
  60 func (s *PamSuite) TestLoginSuccess(c *check.C) {
  61         testCredsFile := os.Getenv("ARVADOS_TEST_PAM_CREDENTIALS_FILE")
  62         if testCredsFile == "" {
  63                 c.Skip("no test credentials file given in ARVADOS_TEST_PAM_CREDENTIALS_FILE")
  64                 return
  65         }
  66         buf, err := ioutil.ReadFile(testCredsFile)
  67         c.Assert(err, check.IsNil)
  68         lines := strings.Split(string(buf), "\n")
  69         c.Assert(len(lines), check.Equals, 2, check.Commentf("credentials file %s should contain \"username\\npassword\"", testCredsFile))
  70         u, p := lines[0], lines[1]
  71
  72         resp, err := s.ctrl.UserAuthenticate(context.Background(), arvados.UserAuthenticateOptions{
  73                 Username: u,
  74                 Password: p,
  75         })
  76         c.Check(err, check.IsNil)
  77         c.Check(resp.APIToken, check.Not(check.Equals), "")
  78         c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
  79         c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
  80
  81         authinfo := getCallbackAuthInfo(c, s.railsSpy)
  82         c.Check(authinfo.Email, check.Equals, u+"@"+s.cluster.Login.PAM.DefaultEmailDomain)
  83         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string(nil))
  84 }