forked from lix-project/hydra
Merge pull request #1132 from DeterminateSystems/ldap-role-match
LDAP support: require the prefix 'hydra_' to match documentation
This commit is contained in:
Graham Christensen
GitHub
commit
61325853a6
49
flake.nix
49
flake.nix
|
|
@ -868,9 +868,16 @@
|
||||||
|
|
||||||
services.openldap.enable = true;
|
services.openldap.enable = true;
|
||||||
services.openldap.settings.children = {
|
services.openldap.settings.children = {
|
||||||
|
"cn=schema".includes = [
|
||||||
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||||
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||||
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||||
|
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||||
|
];
|
||||||
|
|
||||||
"olcDatabase={1}mdb".attrs = {
|
"olcDatabase={1}mdb".attrs = {
|
||||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||||
database = "{1}mdbg";
|
olcDatabase = "{1}mdb";
|
||||||
olcSuffix = "dc=example";
|
olcSuffix = "dc=example";
|
||||||
olcRootDN = "cn=root,dc=example";
|
olcRootDN = "cn=root,dc=example";
|
||||||
olcRootPW = "notapassword";
|
olcRootPW = "notapassword";
|
||||||
|
|
@ -906,6 +913,12 @@
|
||||||
objectClass: groupOfNames
|
objectClass: groupOfNames
|
||||||
member: cn=admin,ou=users,dc=example
|
member: cn=admin,ou=users,dc=example
|
||||||
|
|
||||||
|
dn: cn=hydra-admin,ou=groups,dc=example
|
||||||
|
cn: hydra-admin
|
||||||
|
description: Users who are NOT Hydra Admins because the prefix needs to be a _
|
||||||
|
objectClass: groupOfNames
|
||||||
|
member: cn=notadmin,ou=users,dc=example
|
||||||
|
|
||||||
dn: cn=user,ou=users,dc=example
|
dn: cn=user,ou=users,dc=example
|
||||||
objectClass: organizationalPerson
|
objectClass: organizationalPerson
|
||||||
objectClass: inetOrgPerson
|
objectClass: inetOrgPerson
|
||||||
|
|
@ -921,6 +934,15 @@
|
||||||
cn: admin
|
cn: admin
|
||||||
mail: admin@example
|
mail: admin@example
|
||||||
userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
|
userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
|
||||||
|
|
||||||
|
dn: cn=notadmin,ou=users,dc=example
|
||||||
|
objectClass: organizationalPerson
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
sn: notadmin
|
||||||
|
cn: notadmin
|
||||||
|
mail: notadmin@example
|
||||||
|
userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
|
||||||
|
|
||||||
'';
|
'';
|
||||||
systemd.services.hydra-server.environment.CATALYST_DEBUG = "1";
|
systemd.services.hydra-server.environment.CATALYST_DEBUG = "1";
|
||||||
systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml"
|
systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml"
|
||||||
|
|
@ -933,7 +955,9 @@
|
||||||
store:
|
store:
|
||||||
class: LDAP
|
class: LDAP
|
||||||
ldap_server: localhost
|
ldap_server: localhost
|
||||||
ldap_server_options.timeout: 30
|
ldap_server_options:
|
||||||
|
timeout: 30
|
||||||
|
debug: 2
|
||||||
binddn: "cn=root,dc=example"
|
binddn: "cn=root,dc=example"
|
||||||
bindpw: notapassword
|
bindpw: notapassword
|
||||||
start_tls: 0
|
start_tls: 0
|
||||||
|
|
@ -953,38 +977,57 @@
|
||||||
role_value: dn
|
role_value: dn
|
||||||
role_search_options:
|
role_search_options:
|
||||||
deref: always
|
deref: always
|
||||||
'';
|
'';
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
};
|
};
|
||||||
testScript = ''
|
testScript = ''
|
||||||
import json
|
import json
|
||||||
|
from pprint import pprint
|
||||||
|
|
||||||
machine.wait_for_unit("openldap.service")
|
machine.wait_for_unit("openldap.service")
|
||||||
machine.wait_for_job("hydra-init")
|
machine.wait_for_job("hydra-init")
|
||||||
machine.wait_for_open_port("3000")
|
machine.wait_for_open_port("3000")
|
||||||
|
|
||||||
|
print("Logging in as a regular user:")
|
||||||
response = machine.succeed(
|
response = machine.succeed(
|
||||||
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'"
|
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'"
|
||||||
)
|
)
|
||||||
|
|
||||||
response_json = json.loads(response)
|
response_json = json.loads(response)
|
||||||
|
pprint(response_json)
|
||||||
assert "user" == response_json["username"]
|
assert "user" == response_json["username"]
|
||||||
assert "user@example" == response_json["emailaddress"]
|
assert "user@example" == response_json["emailaddress"]
|
||||||
assert len(response_json["userroles"]) == 0
|
assert len(response_json["userroles"]) == 0
|
||||||
|
|
||||||
# logging on with wrong credentials shouldn't work
|
# logging on with wrong credentials shouldn't work
|
||||||
|
print("Logging in with bad creds:")
|
||||||
machine.fail(
|
machine.fail(
|
||||||
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'"
|
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
# the admin user should get the admin role from his group membership in `hydra_admin`
|
# the admin user should get the admin role from his group membership in `hydra_admin`
|
||||||
|
print("Logging in as an admin user:")
|
||||||
response = machine.succeed(
|
response = machine.succeed(
|
||||||
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'"
|
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'"
|
||||||
)
|
)
|
||||||
|
|
||||||
response_json = json.loads(response)
|
response_json = json.loads(response)
|
||||||
|
pprint(response_json)
|
||||||
assert "admin" == response_json["username"]
|
assert "admin" == response_json["username"]
|
||||||
assert "admin@example" == response_json["emailaddress"]
|
assert "admin@example" == response_json["emailaddress"]
|
||||||
assert "admin" in response_json["userroles"]
|
assert "admin" in response_json["userroles"]
|
||||||
|
|
||||||
|
# the notadmin user should NOT get the admin role from their group membership in `hydra-admin`
|
||||||
|
response = machine.succeed(
|
||||||
|
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=notadmin&password=password'"
|
||||||
|
)
|
||||||
|
|
||||||
|
response_json = json.loads(response)
|
||||||
|
pprint(response_json)
|
||||||
|
assert "notadmin" == response_json["username"]
|
||||||
|
assert "notadmin@example" == response_json["emailaddress"]
|
||||||
|
assert "admin" not in response_json["userroles"]
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -59,7 +59,7 @@ sub doLDAPLogin {
|
||||||
|
|
||||||
my $user = $c->find_user({ username => $username });
|
my $user = $c->find_user({ username => $username });
|
||||||
my $LDAPUser = $c->find_user({ username => $username }, 'ldap');
|
my $LDAPUser = $c->find_user({ username => $username }, 'ldap');
|
||||||
my @LDAPRoles = grep { (substr $_, 0, 5) eq "hydra" } $LDAPUser->roles;
|
my @LDAPRoles = grep { (substr $_, 0, 6) eq "hydra_" } $LDAPUser->roles;
|
||||||
|
|
||||||
if (!$user) {
|
if (!$user) {
|
||||||
$c->model('DB::Users')->create(
|
$c->model('DB::Users')->create(
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue