19907: Log when caching negative result for OIDC token check.
[arvados.git] / lib / controller / localdb / login_ldap_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package localdb
6
7 import (
8         "context"
9         "encoding/json"
10         "net"
11         "net/http"
12
13         "git.arvados.org/arvados.git/lib/config"
14         "git.arvados.org/arvados.git/lib/controller/railsproxy"
15         "git.arvados.org/arvados.git/lib/ctrlctx"
16         "git.arvados.org/arvados.git/sdk/go/arvados"
17         "git.arvados.org/arvados.git/sdk/go/arvadostest"
18         "git.arvados.org/arvados.git/sdk/go/auth"
19         "git.arvados.org/arvados.git/sdk/go/ctxlog"
20         "github.com/bradleypeabody/godap"
21         "github.com/jmoiron/sqlx"
22         check "gopkg.in/check.v1"
23 )
24
25 var _ = check.Suite(&LDAPSuite{})
26
27 type LDAPSuite struct {
28         cluster *arvados.Cluster
29         ctrl    *ldapLoginController
30         ldap    *godap.LDAPServer // fake ldap server that accepts auth goodusername/goodpassword
31         db      *sqlx.DB
32
33         // transaction context
34         ctx      context.Context
35         rollback func() error
36 }
37
38 func (s *LDAPSuite) TearDownSuite(c *check.C) {
39         // Undo any changes/additions to the user database so they
40         // don't affect subsequent tests.
41         arvadostest.ResetEnv()
42         c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
43 }
44
45 func (s *LDAPSuite) SetUpSuite(c *check.C) {
46         cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
47         c.Assert(err, check.IsNil)
48         s.cluster, err = cfg.GetCluster("")
49         c.Assert(err, check.IsNil)
50
51         ln, err := net.Listen("tcp", "127.0.0.1:0")
52         c.Assert(err, check.IsNil)
53         s.ldap = &godap.LDAPServer{
54                 Listener: ln,
55                 Handlers: []godap.LDAPRequestHandler{
56                         &godap.LDAPBindFuncHandler{
57                                 LDAPBindFunc: func(binddn string, bindpw []byte) bool {
58                                         return binddn == "cn=goodusername,dc=example,dc=com" && string(bindpw) == "goodpassword"
59                                 },
60                         },
61                         &godap.LDAPSimpleSearchFuncHandler{
62                                 LDAPSimpleSearchFunc: func(req *godap.LDAPSimpleSearchRequest) []*godap.LDAPSimpleSearchResultEntry {
63                                         if req.FilterAttr != "uid" || req.BaseDN != "dc=example,dc=com" {
64                                                 return []*godap.LDAPSimpleSearchResultEntry{}
65                                         }
66                                         return []*godap.LDAPSimpleSearchResultEntry{
67                                                 {
68                                                         DN: "cn=" + req.FilterValue + "," + req.BaseDN,
69                                                         Attrs: map[string]interface{}{
70                                                                 "SN":   req.FilterValue,
71                                                                 "CN":   req.FilterValue,
72                                                                 "uid":  req.FilterValue,
73                                                                 "mail": req.FilterValue + "@example.com",
74                                                         },
75                                                 },
76                                         }
77                                 },
78                         },
79                 },
80         }
81         go func() {
82                 ctxlog.TestLogger(c).Print(s.ldap.Serve())
83         }()
84
85         s.cluster.Login.LDAP.Enable = true
86         err = json.Unmarshal([]byte(`"ldap://`+ln.Addr().String()+`"`), &s.cluster.Login.LDAP.URL)
87         s.cluster.Login.LDAP.StartTLS = false
88         s.cluster.Login.LDAP.SearchBindUser = "cn=goodusername,dc=example,dc=com"
89         s.cluster.Login.LDAP.SearchBindPassword = "goodpassword"
90         s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
91         c.Assert(err, check.IsNil)
92         s.ctrl = &ldapLoginController{
93                 Cluster: s.cluster,
94                 Parent:  &Conn{railsProxy: railsproxy.NewConn(s.cluster)},
95         }
96         s.db = arvadostest.DB(c, s.cluster)
97 }
98
99 func (s *LDAPSuite) SetUpTest(c *check.C) {
100         tx, err := s.db.Beginx()
101         c.Assert(err, check.IsNil)
102         s.ctx = ctrlctx.NewWithTransaction(context.Background(), tx)
103         s.rollback = tx.Rollback
104 }
105
106 func (s *LDAPSuite) TearDownTest(c *check.C) {
107         if s.rollback != nil {
108                 s.rollback()
109         }
110 }
111
112 func (s *LDAPSuite) TestLoginSuccess(c *check.C) {
113         conn := NewConn(s.cluster)
114         conn.loginController = s.ctrl
115         resp, err := conn.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
116                 Username: "goodusername",
117                 Password: "goodpassword",
118         })
119         c.Check(err, check.IsNil)
120         c.Check(resp.APIToken, check.Not(check.Equals), "")
121         c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
122         c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
123
124         ctx := auth.NewContext(s.ctx, &auth.Credentials{Tokens: []string{"v2/" + resp.UUID + "/" + resp.APIToken}})
125         user, err := railsproxy.NewConn(s.cluster).UserGetCurrent(ctx, arvados.GetOptions{})
126         c.Check(err, check.IsNil)
127         c.Check(user.Email, check.Equals, "goodusername@example.com")
128         c.Check(user.Username, check.Equals, "goodusername")
129 }
130
131 func (s *LDAPSuite) TestLoginFailure(c *check.C) {
132         // search returns no results
133         s.cluster.Login.LDAP.SearchBase = "dc=example,dc=invalid"
134         resp, err := s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
135                 Username: "goodusername",
136                 Password: "goodpassword",
137         })
138         c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "goodusername" and password\)`)
139         hs, ok := err.(interface{ HTTPStatus() int })
140         if c.Check(ok, check.Equals, true) {
141                 c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
142         }
143         c.Check(resp.APIToken, check.Equals, "")
144
145         // search returns result, but auth fails
146         s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
147         resp, err = s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
148                 Username: "badusername",
149                 Password: "badpassword",
150         })
151         c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "badusername" and password\)`)
152         hs, ok = err.(interface{ HTTPStatus() int })
153         if c.Check(ok, check.Equals, true) {
154                 c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
155         }
156         c.Check(resp.APIToken, check.Equals, "")
157 }