[arvados.git] / lib / controller / localdb / login_pam_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package localdb
6
7 import (
8         "io/ioutil"
9         "net/http"
10         "os"
11         "strings"
12
13         "git.arvados.org/arvados.git/sdk/go/arvados"
14         check "gopkg.in/check.v1"
15 )
16
// PamSuite holds the PAM login tests. It embeds localdbSuite, so the
// shared fixture fields used below (cluster, localdb, ctx, railsSpy)
// come from there.
type PamSuite struct {
	localdbSuite
}

// Register the suite with gocheck so that its Test* methods are run.
var _ = check.Suite(new(PamSuite))
22
// SetUpTest runs the embedded suite's per-test setup, then switches
// the test cluster to PAM login and installs a pamLoginController as
// the login controller under test.
func (s *PamSuite) SetUpTest(c *check.C) {
	s.localdbSuite.SetUpTest(c)

	// Configure PAM before building the controller, which is handed
	// the same cluster config.
	s.cluster.Login.PAM.Enable = true
	s.cluster.Login.PAM.DefaultEmailDomain = "example.com"

	pamCtrl := &pamLoginController{Cluster: s.cluster, Parent: s.localdb}
	s.localdb.loginController = pamCtrl
}
32
// TestLoginFailure submits credentials that should not match any
// account and checks that the attempt is rejected: the error carries
// HTTP 401 and the response contains no API token.
func (s *PamSuite) TestLoginFailure(c *check.C) {
	badCreds := arvados.UserAuthenticateOptions{
		Username: "bogususername",
		Password: "boguspassword",
	}
	resp, err := s.localdb.UserAuthenticate(s.ctx, badCreds)

	// gocheck anchors the pattern at both ends, so this pins the whole
	// message: it names the username and records only that a password
	// was supplied. The password value is not part of the expected text.
	c.Check(err, check.ErrorMatches, `PAM: Authentication failure \(with username "bogususername" and password\)`)

	// The error must expose an HTTP status, and that status must be 401.
	if statusErr, hasStatus := err.(interface{ HTTPStatus() int }); c.Check(hasStatus, check.Equals, true) {
		c.Check(statusErr.HTTPStatus(), check.Equals, http.StatusUnauthorized)
	}

	// A rejected login must not hand back a token.
	c.Check(resp.APIToken, check.Equals, "")
}
45
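// TestLoginSuccess logs in with real credentials and checks the
// issued token and the auth info returned by getCallbackAuthInfo.
//
// This test only runs if the ARVADOS_TEST_PAM_CREDENTIALS_FILE env
// var is set. The credentials file should contain a valid username
// and password, separated by \n. A single trailing newline after the
// password is tolerated, since most editors and shell tools add one.
//
// The file holds a live password in plaintext: keep it out of the
// source tree and readable only by the account that runs the tests.
//
// Depending on the host config, this test succeeds only if the test
// credentials are for the same account being used to run tests.
func (s *PamSuite) TestLoginSuccess(c *check.C) {
	testCredsFile := os.Getenv("ARVADOS_TEST_PAM_CREDENTIALS_FILE")
	if testCredsFile == "" {
		c.Skip("no test credentials file given in ARVADOS_TEST_PAM_CREDENTIALS_FILE")
		return
	}
	buf, err := ioutil.ReadFile(testCredsFile)
	c.Assert(err, check.IsNil)

	lines := strings.Split(string(buf), "\n")
	// "username\npassword\n" splits into three parts with an empty
	// last one; drop that part so a file ending in a newline is
	// accepted. Every other layout is judged exactly as before.
	if len(lines) == 3 && lines[2] == "" {
		lines = lines[:2]
	}
	// Assert on the line count, not the contents, and name only the
	// file path, so a malformed file never puts the credentials into
	// the test output.
	c.Assert(len(lines), check.Equals, 2, check.Commentf("credentials file %s should contain \"username\\npassword\"", testCredsFile))
	u, p := lines[0], lines[1]

	resp, err := s.localdb.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
		Username: u,
		Password: p,
	})
	c.Check(err, check.IsNil)
	// A successful login yields a non-empty token with the expected
	// UUID shape and the "all" scope.
	c.Check(resp.APIToken, check.Not(check.Equals), "")
	c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
	c.Check(resp.Scopes, check.DeepEquals, []string{"all"})

	// The email address is the PAM username joined to the configured
	// default domain, and no alternate addresses are set.
	authinfo := getCallbackAuthInfo(c, s.railsSpy)
	c.Check(authinfo.Email, check.Equals, u+"@"+s.cluster.Login.PAM.DefaultEmailDomain)
	c.Check(authinfo.AlternateEmails, check.DeepEquals, []string(nil))
}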