From b8f72d7ff28c0c80825309ee5217993309aa6eb9 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 21 Jan 2022 10:48:04 -0500 Subject: [PATCH 1/2] LDAP support: require the prefix 'hydra_' to match documentation --- src/lib/Hydra/Controller/User.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/Hydra/Controller/User.pm b/src/lib/Hydra/Controller/User.pm index 2aec69ee..01f59dee 100644 --- a/src/lib/Hydra/Controller/User.pm +++ b/src/lib/Hydra/Controller/User.pm @@ -59,7 +59,7 @@ sub doLDAPLogin { my $user = $c->find_user({ username => $username }); my $LDAPUser = $c->find_user({ username => $username }, 'ldap'); - my @LDAPRoles = grep { (substr $_, 0, 5) eq "hydra" } $LDAPUser->roles; + my @LDAPRoles = grep { (substr $_, 0, 6) eq "hydra_" } $LDAPUser->roles; if (!$user) { $c->model('DB::Users')->create( From a888a57baf065812b227fe6175382037ce5b7a15 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 21 Jan 2022 12:46:02 -0500 Subject: [PATCH 2/2] tests.ldap: verify the hydra_ prefix is required --- flake.nix | 49 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 43cce4bd..1a8325d3 100644 --- a/flake.nix +++ b/flake.nix @@ -868,9 +868,16 @@ services.openldap.enable = true; services.openldap.settings.children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + ]; + "olcDatabase={1}mdb".attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - database = "{1}mdbg"; + olcDatabase = "{1}mdb"; olcSuffix = "dc=example"; olcRootDN = "cn=root,dc=example"; olcRootPW = "notapassword"; @@ -906,6 +913,12 @@ objectClass: groupOfNames member: cn=admin,ou=users,dc=example + dn: cn=hydra-admin,ou=groups,dc=example + cn: hydra-admin + description: Users who are NOT Hydra Admins because the prefix needs to be a _ + objectClass: groupOfNames + member: cn=notadmin,ou=users,dc=example + dn: cn=user,ou=users,dc=example objectClass: organizationalPerson objectClass: inetOrgPerson @@ -921,6 +934,15 @@ cn: admin mail: admin@example userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf + + dn: cn=notadmin,ou=users,dc=example + objectClass: organizationalPerson + objectClass: inetOrgPerson + sn: notadmin + cn: notadmin + mail: notadmin@example + userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf + ''; systemd.services.hydra-server.environment.CATALYST_DEBUG = "1"; systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml" @@ -933,7 +955,9 @@ store: class: LDAP ldap_server: localhost - ldap_server_options.timeout: 30 + ldap_server_options: + timeout: 30 + debug: 2 binddn: "cn=root,dc=example" bindpw: notapassword start_tls: 0 @@ -953,38 +977,57 @@ role_value: dn role_search_options: deref: always - ''; + ''; networking.firewall.enable = false; }; testScript = '' import json + from pprint import pprint machine.wait_for_unit("openldap.service") machine.wait_for_job("hydra-init") machine.wait_for_open_port("3000") + + print("Logging in as a regular user:") response = machine.succeed( "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'" ) response_json = json.loads(response) + pprint(response_json) assert "user" == response_json["username"] assert "user@example" == response_json["emailaddress"] assert len(response_json["userroles"]) == 0 # logging on with wrong credentials shouldn't work + print("Logging in with bad creds:") machine.fail( "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'" ) + # the admin user should get the admin role from his group membership in `hydra_admin` + print("Logging in as an admin user:") response = machine.succeed( "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'" ) response_json = json.loads(response) + pprint(response_json) assert "admin" == response_json["username"] assert "admin@example" == response_json["emailaddress"] assert "admin" in response_json["userroles"] + + # the notadmin user should NOT get the admin role from their group membership in `hydra-admin` + response = machine.succeed( + "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=notadmin&password=password'" + ) + + response_json = json.loads(response) + pprint(response_json) + assert "notadmin" == response_json["username"] + assert "notadmin@example" == response_json["emailaddress"] + assert "admin" not in response_json["userroles"] ''; };