X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2c5417221843491727e4e5505012fc115e3bc7b0..35db495717a628e0a6ef52a453b8d8ced793c41b:/lib/controller/localdb/login_ldap_docker_test.sh
diff --git a/lib/controller/localdb/login_ldap_docker_test.sh b/lib/controller/localdb/login_ldap_docker_test.sh
index 0225f20461..6fc6dd9444 100755
--- a/lib/controller/localdb/login_ldap_docker_test.sh
+++ b/lib/controller/localdb/login_ldap_docker_test.sh
@@ -62,8 +62,8 @@ docker run --rm --detach \
 --name=${ldapctr} \
 osixia/openldap:1.3.0
 docker logs --follow ${ldapctr} 2>$debug >$debug &
-ldaphostport=$(docker port ${ldapctr} 389/tcp)
-ldapport=${ldaphostport##*:}
+ldaphostports=$(docker port ${ldapctr} 389/tcp)
+ldapport=${ldaphostports##*:}
 ldapurl="ldap://${hostname}:${ldapport}"
 
 passwordhash="$(docker exec -i ${ldapctr} slappasswd -s "secret")"
@@ -160,7 +160,7 @@ objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
-shadowMax: 180
+shadowMax: -1
 shadowMin: 1
 shadowWarning: 7
 shadowLastChange: 10701
@@ -169,6 +169,26 @@ uidNumber: 11111
 gidNumber: 11111
 homeDirectory: /home/foo-bar
 userPassword: ${passwordhash}
+
+dn: uid=expired,dc=example,dc=org
+uid: expired
+cn: "Exp Ired"
+givenName: Exp
+sn: Ired
+mail: expired@example.com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+shadowMax: 180
+shadowMin: 1
+shadowWarning: 7
+shadowLastChange: 10701
+loginShell: /bin/bash
+uidNumber: 11112
+gidNumber: 11111
+homeDirectory: /home/expired
+userPassword: ${passwordhash}
 EOF
 
 echo >&2 "Adding example user entry user=foo-bar pass=secret (retrying until server comes up)"
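Review bot: `ldapport=${ldaphostports##*:}` quietly takes the port from whichever line `docker port` prints last; the plural rename acknowledges that the command can emit more than one mapping (typically one per address family), and if those ever mapped to different host ports the test would talk to the wrong one without any diagnostic. Pick the line explicitly, `ldapport=$(docker port ${ldapctr} 389/tcp | head -n1)` followed by `ldapport=${ldapport##*:}`, or keep the greedy strip and say why it is safe: `# docker port may print one line per address family; all share the host port, so the last one is fine`. The enclosing `docker run` command starts outside the hunk.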
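Review bot: Nothing explains why foo-bar's `shadowMax` becomes -1 while `shadowLastChange: 10701` (days since 1970, i.e. early 1999) is kept, so a later reader will not see that the old value of 180 had left this account's password expired for decades and that -1 is what keeps the success-path assertion passing once expiry is actually enforced by the PAM stack. The heredoc passes LDIF comment lines through untouched, so one line above the attribute would do: `# -1 = never expires; shadowLastChange is ancient, so any positive shadowMax would make this account expired`. The enclosing heredoc starts outside the hunk.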
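Review bot: The new `expired` entry gives no hint of what makes it expired — it is a near copy of foo-bar, differing only in `uid`, `uidNumber`, `homeDirectory` and `shadowMax: 180`, and it shares the same `${passwordhash}`, so the only thing separating a valid login from an expired one is that `shadowLastChange: 10701` plus 180 days lies in 1999. A comment above the `dn:` line makes the fixture self-describing: `# password deliberately expired: shadowLastChange 10701 (1999) + shadowMax 180 days`. Later in this change this account is only exercised for `config_method=pam`, which is worth noting here as well. The enclosing heredoc starts outside the hunk.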
@@ -191,11 +211,12 @@ docker run --detach --rm --name=${ctrlctr} \
 debian:10 \
 bash -c "${setup_pam_ldap:-true} && arvados-server controller"
 docker logs --follow ${ctrlctr} 2>$debug >$debug &
-ctrlhostport=$(docker port ${ctrlctr} 9999/tcp)
+ctrlhostports=$(docker port ${ctrlctr} 9999/tcp)
+ctrlport=${ctrlhostports##*:}
 
 echo >&2 "Waiting for arvados controller to come up..."
 for f in $(seq 1 20); do
- if curl -s "http://${ctrlhostport}/arvados/v1/config" >/dev/null; then
+ if curl -s "http://0.0.0.0:${ctrlport}/arvados/v1/config" >/dev/null; then
 break
 else
 sleep 1
@@ -203,7 +224,7 @@ for f in $(seq 1 20); do
 echo -n >&2 .
 done
 echo >&2
-echo >&2 "Arvados controller is up at http://${ctrlhostport}"
+echo >&2 "Arvados controller is up at http://0.0.0.0:${ctrlport}"
 
 check_contains() {
 resp="${1}"
@@ -218,7 +239,7 @@ check_contains() {
 
 set +x
 echo >&2 "Testing authentication failure"
-resp="$(set -x; curl -s --include -d username=foo-bar -d password=nosecret "http://${ctrlhostport}/arvados/v1/users/authenticate" | tee $debug)"
+resp="$(set -x; curl -s --include -d username=foo-bar -d password=nosecret "http://0.0.0.0:${ctrlport}/arvados/v1/users/authenticate" | tee $debug)"
 check_contains "${resp}" "HTTP/1.1 401"
 if [[ "${config_method}" = ldap ]]; then
 check_contains "${resp}" '{"errors":["LDAP: Authentication failure (with username \"foo-bar\" and password)"]}'
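Review bot: Connecting to `0.0.0.0` relies on the kernel treating the unspecified address as loopback, which Linux does but which is not a portable guarantee, and the literal `http://0.0.0.0:${ctrlport}` is now spelled out in six places across this change. Derive it once right after the port, `ctrlurl="http://127.0.0.1:${ctrlport}"` (or reuse `${hostname}`, which the script already uses to build `ldapurl`), and reference `${ctrlurl}` in the curl calls and the "is up" message so the address can be changed in one spot. As with the LDAP container, `${ctrlhostports##*:}` takes the port from whichever line `docker port` prints last; `head -n1` or a one-line comment makes that deliberate. The enclosing `docker run` command starts outside the hunk.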
@@ -226,8 +247,15 @@ else
 check_contains "${resp}" '{"errors":["PAM: Authentication failure (with username \"foo-bar\" and password)"]}'
 fi
 
+if [[ "${config_method}" = pam ]]; then
+echo >&2 "Testing expired credentials"
+resp="$(set -x; curl -s --include -d username=expired -d password=secret "http://0.0.0.0:${ctrlport}/arvados/v1/users/authenticate" | tee $debug)"
+check_contains "${resp}" "HTTP/1.1 401"
+check_contains "${resp}" '{"errors":["PAM: Authentication failure; \"You are required to change your LDAP password immediately.\""]}'
+fi
+
 echo >&2 "Testing authentication success"
-resp="$(set -x; curl -s --include -d username=foo-bar -d password=secret "http://${ctrlhostport}/arvados/v1/users/authenticate" | tee $debug)"
+resp="$(set -x; curl -s --include -d username=foo-bar -d password=secret "http://0.0.0.0:${ctrlport}/arvados/v1/users/authenticate" | tee $debug)"
 check_contains "${resp}" "HTTP/1.1 200"
 check_contains "${resp}" '"api_token":"'
 check_contains "${resp}" '"scopes":["all"]'
@@ -240,7 +268,7 @@ uuid="${uuid%%\"*}"
 token="v2/$uuid/$secret"
 echo >&2 "New token is ${token}"
-resp="$(set -x; curl -s --include -H "Authorization: Bearer ${token}" "http://${ctrlhostport}/arvados/v1/users/current" | tee $debug)"
+resp="$(set -x; curl -s --include -H "Authorization: Bearer ${token}" "http://0.0.0.0:${ctrlport}/arvados/v1/users/current" | tee $debug)"
 check_contains "${resp}" "HTTP/1.1 200"
 if [[ "${config_method}" = ldap ]]; then
 # user fields come from LDAP attributes
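Review bot: The expired-credentials check runs only when `config_method` is pam, so the same `expired` account is never tried with the LDAP method even though both methods run against the same directory; presumably a plain LDAP bind does not consult the `shadowAccount` attributes and would accept the password, but that is exactly the difference a test should pin rather than leave implicit. Either add an `else` branch asserting the LDAP-method outcome (200 or 401, whichever is intended), or state it next to the guard: `# LDAP-method login does not enforce shadowMax; expiry is only checked through PAM`. Note also that the asserted 401 body forwards the PAM module's message verbatim to an unauthenticated caller, confirming that the account exists and that its password has expired — acceptable for a test fixture, but worth a TODO if that is not the intended API behaviour.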