Merge pull request #1132 from DeterminateSystems/ldap-role-match

LDAP support: require the prefix 'hydra_' to match documentation
2022-01-21 12:58:35 -05:00 · 2022-01-21 12:58:35 -05:00 · 61325853a6
parent 8ba4ae461e a888a57baf
commit 61325853a6
2 changed files with 47 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -868,9 +868,16 @@

              services.openldap.enable = true;
              services.openldap.settings.children = {
+                "cn=schema".includes = [
+                  "${pkgs.openldap}/etc/schema/core.ldif"
+                  "${pkgs.openldap}/etc/schema/cosine.ldif"
+                  "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+                  "${pkgs.openldap}/etc/schema/nis.ldif"
+                ];
+
                "olcDatabase={1}mdb".attrs = {
                  objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-                  database = "{1}mdbg";
+                  olcDatabase = "{1}mdb";
                  olcSuffix = "dc=example";
                  olcRootDN = "cn=root,dc=example";
                  olcRootPW = "notapassword";
@ -906,6 +913,12 @@
                objectClass: groupOfNames
                member: cn=admin,ou=users,dc=example

+                dn: cn=hydra-admin,ou=groups,dc=example
+                cn: hydra-admin
+                description: Users who are NOT Hydra Admins because the prefix needs to be a _
+                objectClass: groupOfNames
+                member: cn=notadmin,ou=users,dc=example
+
                dn: cn=user,ou=users,dc=example
                objectClass: organizationalPerson
                objectClass: inetOrgPerson
@ -921,6 +934,15 @@
                cn: admin
                mail: admin@example
                userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
+
+                dn: cn=notadmin,ou=users,dc=example
+                objectClass: organizationalPerson
+                objectClass: inetOrgPerson
+                sn: notadmin
+                cn: notadmin
+                mail: notadmin@example
+                userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
+
              '';
              systemd.services.hydra-server.environment.CATALYST_DEBUG = "1";
              systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml"
@ -933,7 +955,9 @@
                  store:
                    class: LDAP
                    ldap_server: localhost
-                    ldap_server_options.timeout: 30
+                    ldap_server_options:
+                      timeout: 30
+                      debug: 2
                    binddn: "cn=root,dc=example"
                    bindpw: notapassword
                    start_tls: 0
@ -953,38 +977,57 @@
                    role_value: dn
                    role_search_options:
                      deref: always
-                  '';
+                '';
              networking.firewall.enable = false;
            };
            testScript = ''
              import json
+              from pprint import pprint

              machine.wait_for_unit("openldap.service")
              machine.wait_for_job("hydra-init")
              machine.wait_for_open_port("3000")
+
+              print("Logging in as a regular user:")
              response = machine.succeed(
                  "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'"
              )

              response_json = json.loads(response)
+              pprint(response_json)
              assert "user" == response_json["username"]
              assert "user@example" == response_json["emailaddress"]
              assert len(response_json["userroles"]) == 0

              # logging on with wrong credentials shouldn't work
+              print("Logging in with bad creds:")
              machine.fail(
                  "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'"
              )

+
              # the admin user should get the admin role from his group membership in `hydra_admin`
+              print("Logging in as an admin user:")
              response = machine.succeed(
                  "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'"
              )

              response_json = json.loads(response)
+              pprint(response_json)
              assert "admin" == response_json["username"]
              assert "admin@example" == response_json["emailaddress"]
              assert "admin" in response_json["userroles"]
+
+              # the notadmin user should NOT get the admin role from their group membership in `hydra-admin`
+              response = machine.succeed(
+                  "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=notadmin&password=password'"
+              )
+
+              response_json = json.loads(response)
+              pprint(response_json)
+              assert "notadmin" == response_json["username"]
+              assert "notadmin@example" == response_json["emailaddress"]
+              assert "admin" not in response_json["userroles"]
            '';
          };

--- a/src/lib/Hydra/Controller/User.pm
+++ b/src/lib/Hydra/Controller/User.pm
@ -59,7 +59,7 @@ sub doLDAPLogin {

    my $user = $c->find_user({ username => $username });
    my $LDAPUser = $c->find_user({ username => $username }, 'ldap');
-    my @LDAPRoles = grep { (substr $_, 0, 5) eq "hydra" } $LDAPUser->roles;
+    my @LDAPRoles = grep { (substr $_, 0, 6) eq "hydra_" } $LDAPUser->roles;

    if (!$user) {
        $c->model('DB::Users')->create(