Merge pull request #1132 from DeterminateSystems/ldap-role-match

LDAP support: require the prefix 'hydra_' to match documentation
This commit is contained in:
Graham Christensen 2022-01-21 12:58:35 -05:00 committed by GitHub
commit 61325853a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 4 deletions

View file

@ -868,9 +868,16 @@
services.openldap.enable = true; services.openldap.enable = true;
services.openldap.settings.children = { services.openldap.settings.children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = { "olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
database = "{1}mdbg"; olcDatabase = "{1}mdb";
olcSuffix = "dc=example"; olcSuffix = "dc=example";
olcRootDN = "cn=root,dc=example"; olcRootDN = "cn=root,dc=example";
olcRootPW = "notapassword"; olcRootPW = "notapassword";
@ -906,6 +913,12 @@
objectClass: groupOfNames objectClass: groupOfNames
member: cn=admin,ou=users,dc=example member: cn=admin,ou=users,dc=example
dn: cn=hydra-admin,ou=groups,dc=example
cn: hydra-admin
description: Users who are NOT Hydra Admins because the prefix needs to be a _
objectClass: groupOfNames
member: cn=notadmin,ou=users,dc=example
dn: cn=user,ou=users,dc=example dn: cn=user,ou=users,dc=example
objectClass: organizationalPerson objectClass: organizationalPerson
objectClass: inetOrgPerson objectClass: inetOrgPerson
@ -921,6 +934,15 @@
cn: admin cn: admin
mail: admin@example mail: admin@example
userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
dn: cn=notadmin,ou=users,dc=example
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: notadmin
cn: notadmin
mail: notadmin@example
userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
''; '';
systemd.services.hydra-server.environment.CATALYST_DEBUG = "1"; systemd.services.hydra-server.environment.CATALYST_DEBUG = "1";
systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml" systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml"
@ -933,7 +955,9 @@
store: store:
class: LDAP class: LDAP
ldap_server: localhost ldap_server: localhost
ldap_server_options.timeout: 30 ldap_server_options:
timeout: 30
debug: 2
binddn: "cn=root,dc=example" binddn: "cn=root,dc=example"
bindpw: notapassword bindpw: notapassword
start_tls: 0 start_tls: 0
@ -958,33 +982,52 @@
}; };
testScript = '' testScript = ''
import json import json
from pprint import pprint
machine.wait_for_unit("openldap.service") machine.wait_for_unit("openldap.service")
machine.wait_for_job("hydra-init") machine.wait_for_job("hydra-init")
machine.wait_for_open_port("3000") machine.wait_for_open_port("3000")
print("Logging in as a regular user:")
response = machine.succeed( response = machine.succeed(
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'" "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'"
) )
response_json = json.loads(response) response_json = json.loads(response)
pprint(response_json)
assert "user" == response_json["username"] assert "user" == response_json["username"]
assert "user@example" == response_json["emailaddress"] assert "user@example" == response_json["emailaddress"]
assert len(response_json["userroles"]) == 0 assert len(response_json["userroles"]) == 0
# logging on with wrong credentials shouldn't work # logging on with wrong credentials shouldn't work
print("Logging in with bad creds:")
machine.fail( machine.fail(
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'" "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'"
) )
# the admin user should get the admin role from his group membership in `hydra_admin` # the admin user should get the admin role from his group membership in `hydra_admin`
print("Logging in as an admin user:")
response = machine.succeed( response = machine.succeed(
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'" "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'"
) )
response_json = json.loads(response) response_json = json.loads(response)
pprint(response_json)
assert "admin" == response_json["username"] assert "admin" == response_json["username"]
assert "admin@example" == response_json["emailaddress"] assert "admin@example" == response_json["emailaddress"]
assert "admin" in response_json["userroles"] assert "admin" in response_json["userroles"]
# the notadmin user should NOT get the admin role from their group membership in `hydra-admin`
response = machine.succeed(
"curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=notadmin&password=password'"
)
response_json = json.loads(response)
pprint(response_json)
assert "notadmin" == response_json["username"]
assert "notadmin@example" == response_json["emailaddress"]
assert "admin" not in response_json["userroles"]
''; '';
}; };

View file

@ -59,7 +59,7 @@ sub doLDAPLogin {
my $user = $c->find_user({ username => $username }); my $user = $c->find_user({ username => $username });
my $LDAPUser = $c->find_user({ username => $username }, 'ldap'); my $LDAPUser = $c->find_user({ username => $username }, 'ldap');
my @LDAPRoles = grep { (substr $_, 0, 5) eq "hydra" } $LDAPUser->roles; my @LDAPRoles = grep { (substr $_, 0, 6) eq "hydra_" } $LDAPUser->roles;
if (!$user) { if (!$user) {
$c->model('DB::Users')->create( $c->model('DB::Users')->create(