From f229da352ebde742517a0c8f70df58d6b4b2eb88 Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Wed, 9 Sep 2020 22:47:36 +0200 Subject: [PATCH] LDAP add test for roles and multiple users --- flake.nix | 49 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index 3daf1a46..842e4bcc 100644 --- a/flake.nix +++ b/flake.nix @@ -381,6 +381,18 @@ objectClass: top objectClass: organizationalUnit + dn: ou=groups,dc=example + ou: groups + description: All groups + objectClass: top + objectClass: organizationalUnit + + dn: cn=hydra_admin,ou=groups,dc=example + cn: hydra_admin + description: Hydra Admin user group + objectClass: groupOfNames + member: cn=admin,ou=users,dc=example + dn: cn=user,ou=users,dc=example objectClass: organizationalPerson objectClass: inetOrgPerson @@ -388,6 +400,14 @@ cn: user mail: user@example userPassword: foobar + + dn: cn=admin,ou=users,dc=example + objectClass: organizationalPerson + objectClass: inetOrgPerson + sn: admin + cn: admin + mail: admin@example + userPassword: password ''; }; systemd.services.hdyra-server.environment.CATALYST_DEBUG = "1"; @@ -413,11 +433,11 @@ user_field: cn user_search_options: deref: always - use_roles: 0 - role_basedn: "ou=groups,ou=OxObjects,dc=yourcompany,dc=com" - role_filter: "(&(objectClass=posixGroup)(memberUid=%s))" + use_roles: 1 + role_basedn: "ou=groups,dc=example" + role_filter: "(&(objectClass=groupOfNames)(member=%s))" role_scope: one - role_field: uid + role_field: cn role_value: dn role_search_options: deref: always @@ -425,15 +445,34 @@ networking.firewall.enable = false; }; testScript = '' + import json + machine.wait_for_unit("openldap.service") machine.wait_for_job("hydra-init") machine.wait_for_open_port("3000") - machine.succeed( + response = machine.succeed( "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'" ) + + response_json = json.loads(response) + assert "user" == response_json["username"] + assert "user@example" == response_json["emailaddress"] + assert len(response_json["userroles"]) == 0 + + # logging on with wrong credentials shouldn't work machine.fail( "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'" ) + + # the admin user should get the admin role from his group membership in `hydra_admin` + response = machine.succeed( + "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'" + ) + + response_json = json.loads(response) + assert "admin" == response_json["username"] + assert "admin@example" == response_json["emailaddress"] + assert "admin" in response_json["userroles"] ''; };