17944: Updates config knobs and documentation.
[arvados.git] / lib / pam / docker_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: Apache-2.0
4
5 package main
6
7 import (
8         "bytes"
9         "crypto/tls"
10         "fmt"
11         "io/ioutil"
12         "net"
13         "net/http"
14         "net/http/httputil"
15         "net/url"
16         "os"
17         "os/exec"
18         "strings"
19         "testing"
20
21         "git.arvados.org/arvados.git/sdk/go/arvadostest"
22         "gopkg.in/check.v1"
23 )
24
25 type DockerSuite struct {
26         tmpdir   string
27         hostip   string
28         proxyln  net.Listener
29         proxysrv *http.Server
30 }
31
32 var _ = check.Suite(&DockerSuite{})
33
34 func Test(t *testing.T) { check.TestingT(t) }
35
36 func (s *DockerSuite) SetUpSuite(c *check.C) {
37         if testing.Short() {
38                 c.Skip("skipping docker tests in short mode")
39         } else if _, err := exec.Command("docker", "info").CombinedOutput(); err != nil {
40                 c.Skip("skipping docker tests because docker is not available")
41         }
42
43         s.tmpdir = c.MkDir()
44
45         // The integration-testing controller listens on the loopback
46         // interface, so it won't be reachable directly from the
47         // docker container -- so here we run a proxy on 0.0.0.0 for
48         // the duration of the test.
49         hostips, err := exec.Command("hostname", "-I").Output()
50         c.Assert(err, check.IsNil)
51         s.hostip = strings.Split(strings.Trim(string(hostips), "\n"), " ")[0]
52         ln, err := net.Listen("tcp", s.hostip+":0")
53         c.Assert(err, check.IsNil)
54         s.proxyln = ln
55         proxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "https", Host: os.Getenv("ARVADOS_API_HOST")})
56         proxy.Transport = &http.Transport{
57                 TLSClientConfig: &tls.Config{
58                         InsecureSkipVerify: true,
59                 },
60         }
61         s.proxysrv = &http.Server{Handler: proxy}
62         go s.proxysrv.ServeTLS(ln, "../../services/api/tmp/self-signed.pem", "../../services/api/tmp/self-signed.key")
63
64         // Build a pam module to install & configure in the docker
65         // container.
66         cmd := exec.Command("go", "build", "-buildmode=c-shared", "-o", s.tmpdir+"/pam_arvados.so")
67         cmd.Stdout = os.Stdout
68         cmd.Stderr = os.Stderr
69         err = cmd.Run()
70         c.Assert(err, check.IsNil)
71
72         // Build the testclient program that will (from inside the
73         // docker container) configure the system to use the above PAM
74         // config, and then try authentication.
75         cmd = exec.Command("go", "build", "-o", s.tmpdir+"/testclient", "./testclient.go")
76         cmd.Stdout = os.Stdout
77         cmd.Stderr = os.Stderr
78         err = cmd.Run()
79         c.Assert(err, check.IsNil)
80 }
81
82 func (s *DockerSuite) TearDownSuite(c *check.C) {
83         if s.proxysrv != nil {
84                 s.proxysrv.Close()
85         }
86         if s.proxyln != nil {
87                 s.proxyln.Close()
88         }
89 }
90
91 func (s *DockerSuite) SetUpTest(c *check.C) {
92         // Write a PAM config file that uses our proxy as
93         // ARVADOS_API_HOST.
94         proxyhost := s.proxyln.Addr().String()
95         confdata := fmt.Sprintf(`Name: Arvados authentication
96 Default: yes
97 Priority: 256
98 Auth-Type: Primary
99 Auth:
100         [success=end default=ignore]    /usr/lib/pam_arvados.so %s testvm2.shell insecure
101 Auth-Initial:
102         [success=end default=ignore]    /usr/lib/pam_arvados.so %s testvm2.shell insecure
103 `, proxyhost, proxyhost)
104         err := ioutil.WriteFile(s.tmpdir+"/conffile", []byte(confdata), 0755)
105         c.Assert(err, check.IsNil)
106 }
107
108 func (s *DockerSuite) runTestClient(c *check.C, args ...string) (stdout, stderr *bytes.Buffer, err error) {
109
110         cmd := exec.Command("docker", append([]string{
111                 "run", "--rm",
112                 "--hostname", "testvm2.shell",
113                 "--add-host", "zzzzz.arvadosapi.com:" + s.hostip,
114                 "-v", s.tmpdir + "/pam_arvados.so:/usr/lib/pam_arvados.so:ro",
115                 "-v", s.tmpdir + "/conffile:/usr/share/pam-configs/arvados:ro",
116                 "-v", s.tmpdir + "/testclient:/testclient:ro",
117                 "debian:buster",
118                 "/testclient"}, args...)...)
119         stdout = &bytes.Buffer{}
120         stderr = &bytes.Buffer{}
121         cmd.Stdout = stdout
122         cmd.Stderr = stderr
123         err = cmd.Run()
124         return
125 }
126
127 func (s *DockerSuite) TestSuccess(c *check.C) {
128         stdout, stderr, err := s.runTestClient(c, "try", "active", arvadostest.ActiveTokenV2)
129         c.Check(err, check.IsNil)
130         c.Logf("%s", stderr.String())
131         c.Check(stdout.String(), check.Equals, "")
132         c.Check(stderr.String(), check.Matches, `(?ms).*authentication succeeded.*`)
133 }
134
135 func (s *DockerSuite) TestFailure(c *check.C) {
136         for _, trial := range []struct {
137                 label    string
138                 username string
139                 token    string
140         }{
141                 {"bad token", "active", arvadostest.ActiveTokenV2 + "badtoken"},
142                 {"empty token", "active", ""},
143                 {"empty username", "", arvadostest.ActiveTokenV2},
144                 {"wrong username", "wrongusername", arvadostest.ActiveTokenV2},
145         } {
146                 c.Logf("trial: %s", trial.label)
147                 stdout, stderr, err := s.runTestClient(c, "try", trial.username, trial.token)
148                 c.Logf("%s", stderr.String())
149                 c.Check(err, check.NotNil)
150                 c.Check(stdout.String(), check.Equals, "")
151                 c.Check(stderr.String(), check.Matches, `(?ms).*authentication failed.*`)
152         }
153 }
154
155 func (s *DockerSuite) TestDefaultHostname(c *check.C) {
156         confdata := fmt.Sprintf(`Name: Arvados authentication
157 Default: yes
158 Priority: 256
159 Auth-Type: Primary
160 Auth:
161         [success=end default=ignore]    /usr/lib/pam_arvados.so %s - insecure debug
162 Auth-Initial:
163         [success=end default=ignore]    /usr/lib/pam_arvados.so %s - insecure debug
164 `, s.proxyln.Addr().String(), s.proxyln.Addr().String())
165         err := ioutil.WriteFile(s.tmpdir+"/conffile", []byte(confdata), 0755)
166         c.Assert(err, check.IsNil)
167
168         stdout, stderr, err := s.runTestClient(c, "try", "active", arvadostest.ActiveTokenV2)
169         c.Check(err, check.IsNil)
170         c.Logf("%s", stderr.String())
171         c.Check(stdout.String(), check.Equals, "")
172         c.Check(stderr.String(), check.Matches, `(?ms).*authentication succeeded.*`)
173 }