From 8f435f4bac86e7ba7dbd9770d2db9bb4db6cf569 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Fri, 8 May 2020 15:28:56 -0400
Subject: [PATCH] 15881: Test ldap login with fake ldap server.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 go.mod | 2 ++
 go.sum | 4 ++++
 lib/controller/localdb/login_ldap.go | 9 ++++++---
 lib/controller/localdb/login_ldap_docker_test.go | 13 -------------
 4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/go.mod b/go.mod
index 482c6971d3..cc5457975f 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
 github.com/arvados/cgofuse v1.2.0-arvados1
 github.com/aws/aws-sdk-go v1.25.30
 github.com/bgentry/speakeasy v0.1.0 // indirect
+ github.com/bradleypeabody/godap v0.0.0-20170216002349-c249933bc092
 github.com/coreos/go-oidc v2.1.0+incompatible
 github.com/coreos/go-systemd v0.0.0-20180108085132-cc4f39464dc7
 github.com/dgrijalva/jwt-go v3.1.0+incompatible // indirect
@@ -25,6 +26,7 @@ require (
 github.com/fsnotify/fsnotify v1.4.9
 github.com/ghodss/yaml v1.0.0
 github.com/gliderlabs/ssh v0.2.2 // indirect
+ github.com/go-asn1-ber/asn1-ber v1.4.1 // indirect
 github.com/go-ldap/ldap v3.0.3+incompatible
 github.com/gogo/protobuf v1.1.1
 github.com/gorilla/context v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index a92b3c11a4..38153ce3ea 100644
--- a/go.sum
+++ b/go.sum
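Review bot: Nothing in this patch imports `github.com/bradleypeabody/godap`, the require added in the first go.mod hunk: the diffstat lists only go.mod, go.sum, login_ldap.go and login_ldap_docker_test.go, and the last of these drops `type LDAPSuite struct{}` while `TestLoginLDAPViaPAM` keeps it as its receiver. The test file that runs the fake LDAP server looks to be missing from the commit; unless it already exists elsewhere, `go mod tidy` would remove this require and the localdb tests would not build. The module is also pinned to an untagged pseudo-version dated 2017-02-16 and is presumably test-only, so a trailing comment on the require line, e.g. `// test only: fake LDAP server for login tests`, would let a dependency audit scope it quickly.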
@@ -29,6 +29,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bradleypeabody/godap v0.0.0-20170216002349-c249933bc092 h1:0Di2onNnlN5PAyWPbqlPyN45eOQ+QW/J9eqLynt4IV4= +github.com/bradleypeabody/godap v0.0.0-20170216002349-c249933bc092/go.mod h1:8IzBjZCRSnsvM6MJMG8HNNtnzMl48H22rbJL2kRUJ0Y= github.com/cespare/xxhash/v2 v2.1.0 h1:yTUvW7Vhb89inJ+8irsUqiWjh8iT6sQPZiQzI6ReGkA= github.com/cespare/xxhash/v2 v2.1.0/go.mod h1:dgIUBU3pDso/gPgZ1osOZ0iQf77oPR28Tjxl5dIMyVM= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -62,6 +64,8 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= +github.com/go-asn1-ber/asn1-ber v1.4.1 h1:qP/QDxOtmMoJVgXHCXNzDpA0+wkgYB2x5QoLMVOciyw= +github.com/go-asn1-ber/asn1-ber v1.4.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-ldap/ldap v3.0.3+incompatible h1:HTeSZO8hWMS1Rgb2Ziku6b8a7qRIZZMHjsvuZyatzwk=
diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 44e42ac405..373b113240 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -93,7 +93,10 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 return arvados.APIClientAuthorization{}, errors.New("config error: must provide SearchAttribute")
 }
- search := fmt.Sprintf("(&%s(%s=%s))", conf.SearchFilters, ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
+ search := fmt.Sprintf("(%s=%s)", ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
+ if conf.SearchFilters != "" {
+ search = fmt.Sprintf("(&%s%s)", conf.SearchFilters, search)
+ }
 log = log.WithField("search", search)
 req := ldap.NewSearchRequest(
 conf.SearchBase,
@@ -105,7 +108,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 if ldap.IsErrorWithCode(err, ldap.LDAPResultNoResultsReturned) ||
 ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) ||
 (err == nil && len(resp.Entries) == 0) {
- log.WithError(err).Debug("ldap lookup returned no results")
+ log.WithError(err).Info("ldap lookup returned no results")
 return arvados.APIClientAuthorization{}, errFailed
 } else if err != nil {
 log.WithError(err).Error("ldap lookup failed")
@@ -130,7 +133,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 // Now that we have the DN, try authenticating.
 err = l.Bind(userdn, opts.Password)
 if err != nil {
- log.WithError(err).Warn("ldap user authentication failed")
+ log.WithError(err).Info("ldap user authentication failed")
 return arvados.APIClientAuthorization{}, errFailed
 }
 log.Debug("ldap authentication succeeded")
diff --git a/lib/controller/localdb/login_ldap_docker_test.go b/lib/controller/localdb/login_ldap_docker_test.go
index 54454a190f..2f0d22075f 100644
--- a/lib/controller/localdb/login_ldap_docker_test.go
+++ b/lib/controller/localdb/login_ldap_docker_test.go
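Review bot: `conf.SearchFilters` is still spliced into the filter unescaped and unvalidated, so the new `(&%s%s)` form relies on the configured value being a complete parenthesized filter; only `username` and `SearchAttribute` pass through `ldap.EscapeFilter`. A value such as `objectClass=person` without parentheses would presumably fail only at search time, on every login, as "ldap lookup failed". Since the lines just above already return a "config error" for a missing SearchAttribute, the assembled filter could be checked the same way: `if _, err := ldap.CompileFilter(search); err != nil { return arvados.APIClientAuthorization{}, fmt.Errorf("config error: invalid SearchFilters: %s", err) }`. A short comment such as `// SearchFilters is operator-supplied config and is inserted verbatim; only the username is untrusted.` would record the trust boundary. UserAuthenticate begins and ends outside this hunk.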
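Review bot: The logger used for "ldap lookup returned no results" carries the `search` field set in the previous hunk, which embeds the submitted username, so raising this message from Debug to Info writes that value on every failed lookup at Info level. Users sometimes type a password into the username box, so consider logging the raw filter only at Debug, or add a comment such as `// search includes the user-supplied login name; treat auth logs as sensitive.`. The next hunk moves the other way, lowering "ldap user authentication failed" from Warn to Info; if any alerting filters on Warn, failed binds will drop out of it, so a comment stating the intended level for failed logins (both paths return the same `errFailed`) would help whoever builds detection on these logs.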
@@ -11,22 +11,9 @@ import (
 "os"
 "os/exec"
- "git.arvados.org/arvados.git/sdk/go/arvados"
- "git.arvados.org/arvados.git/sdk/go/arvadostest"
 check "gopkg.in/check.v1"
 )
-var _ = check.Suite(&LDAPSuite{})
-
-type LDAPSuite struct{}
-
-func (s *LDAPSuite) TearDownSuite(c *check.C) {
- // Undo any changes/additions to the user database so they
- // don't affect subsequent tests.
- arvadostest.ResetEnv()
- c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
-}
-
 func (s *LDAPSuite) TestLoginLDAPViaPAM(c *check.C) {
 cmd := exec.Command("bash", "login_ldap_docker_test.sh")
 cmd.Stdout = os.Stderr
--
2.30.2