// Copyright (C) The Arvados Authors. All rights reserved.
//
// SPDX-License-Identifier: AGPL-3.0
package localdb
import (
"encoding/json"
"net"
"net/http"
"git.arvados.org/arvados.git/lib/controller/railsproxy"
"git.arvados.org/arvados.git/lib/ctrlctx"
"git.arvados.org/arvados.git/sdk/go/arvados"
"git.arvados.org/arvados.git/sdk/go/ctxlog"
"github.com/bradleypeabody/godap"
check "gopkg.in/check.v1"
)
var _ = check.Suite(&LDAPSuite{})
type LDAPSuite struct {
localdbSuite
ldap *godap.LDAPServer // fake ldap server that accepts auth goodusername/goodpassword
}
func (s *LDAPSuite) SetUpTest(c *check.C) {
s.localdbSuite.SetUpTest(c)
ln, err := net.Listen("tcp", "127.0.0.1:0")
c.Assert(err, check.IsNil)
s.ldap = &godap.LDAPServer{
Listener: ln,
Handlers: []godap.LDAPRequestHandler{
&godap.LDAPBindFuncHandler{
LDAPBindFunc: func(binddn string, bindpw []byte) bool {
return binddn == "cn=goodusername,dc=example,dc=com" && string(bindpw) == "goodpassword"
},
},
&godap.LDAPSimpleSearchFuncHandler{
LDAPSimpleSearchFunc: func(req *godap.LDAPSimpleSearchRequest) []*godap.LDAPSimpleSearchResultEntry {
if req.FilterAttr != "uid" || req.BaseDN != "dc=example,dc=com" {
return []*godap.LDAPSimpleSearchResultEntry{}
}
return []*godap.LDAPSimpleSearchResultEntry{
{
DN: "cn=" + req.FilterValue + "," + req.BaseDN,
Attrs: map[string]interface{}{
"SN": req.FilterValue,
"CN": req.FilterValue,
"uid": req.FilterValue,
"mail": req.FilterValue + "@example.com",
},
},
}
},
},
},
}
go func() {
ctxlog.TestLogger(c).Print(s.ldap.Serve())
}()
s.cluster.Login.LDAP.Enable = true
err = json.Unmarshal([]byte(`"ldap://`+ln.Addr().String()+`"`), &s.cluster.Login.LDAP.URL)
c.Assert(err, check.IsNil)
s.cluster.Login.LDAP.StartTLS = false
s.cluster.Login.LDAP.SearchBindUser = "cn=goodusername,dc=example,dc=com"
s.cluster.Login.LDAP.SearchBindPassword = "goodpassword"
s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
s.localdb.loginController = &ldapLoginController{
Cluster: s.cluster,
Parent: s.localdb,
}
}
func (s *LDAPSuite) TestLoginSuccess(c *check.C) {
resp, err := s.localdb.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
Username: "goodusername",
Password: "goodpassword",
})
c.Check(err, check.IsNil)
c.Check(resp.APIToken, check.Not(check.Equals), "")
c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
ctx := ctrlctx.NewWithToken(s.ctx, s.cluster, "v2/"+resp.UUID+"/"+resp.APIToken)
user, err := railsproxy.NewConn(s.cluster).UserGetCurrent(ctx, arvados.GetOptions{})
c.Check(err, check.IsNil)
c.Check(user.Email, check.Equals, "goodusername@example.com")
c.Check(user.Username, check.Equals, "goodusername")
}
func (s *LDAPSuite) TestLoginFailure(c *check.C) {
// search returns no results
s.cluster.Login.LDAP.SearchBase = "dc=example,dc=invalid"
resp, err := s.localdb.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
Username: "goodusername",
Password: "goodpassword",
})
c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "goodusername" and password\)`)
hs, ok := err.(interface{ HTTPStatus() int })
if c.Check(ok, check.Equals, true) {
c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
}
c.Check(resp.APIToken, check.Equals, "")
// search returns result, but auth fails
s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
resp, err = s.localdb.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
Username: "badusername",
Password: "badpassword",
})
c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "badusername" and password\)`)
hs, ok = err.(interface{ HTTPStatus() int })
if c.Check(ok, check.Equals, true) {
c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
}
c.Check(resp.APIToken, check.Equals, "")
}