diff --git a/flake.nix b/flake.nix
index 3746530e..5f1029cd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -925,178 +925,6 @@
 '';
 };
- tests.ldap.x86_64-linux =
- with import (nixpkgs + "/nixos/lib/testing-python.nix") { system = "x86_64-linux"; };
- makeTest {
- machine = { pkgs, ... }: {
- imports = [ hydraServer ];
-
- services.openldap.enable = true;
- services.openldap.settings.children = {
- "cn=schema".includes = [
- "${pkgs.openldap}/etc/schema/core.ldif"
- "${pkgs.openldap}/etc/schema/cosine.ldif"
- "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
- "${pkgs.openldap}/etc/schema/nis.ldif"
- ];
-
- "olcDatabase={1}mdb".attrs = {
- objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
- olcDatabase = "{1}mdb";
- olcSuffix = "dc=example";
- olcRootDN = "cn=root,dc=example";
- olcRootPW = "notapassword";
- olcDbDirectory = "/var/lib/openldap";
- };
- };
-
- # userPassword generated via `slappasswd`
- # The admin user has the password `password` and `user` has the password `foobar`.
- services.openldap.declarativeContents."dc=example" = ''
- dn: dc=example
- dc: example
- o: Root
- objectClass: top
- objectClass: dcObject
- objectClass: organization
-
-
- dn: ou=users,dc=example
- ou: users
- description: All users
- objectClass: top
- objectClass: organizationalUnit
-
- dn: ou=groups,dc=example
- ou: groups
- description: All groups
- objectClass: top
- objectClass: organizationalUnit
-
- dn: cn=hydra_admin,ou=groups,dc=example
- cn: hydra_admin
- description: Hydra Admin user group
- objectClass: groupOfNames
- member: cn=admin,ou=users,dc=example
-
- dn: cn=hydra-admin,ou=groups,dc=example
- cn: hydra-admin
- description: Users who are NOT Hydra Admins because the prefix needs to be a _
- objectClass: groupOfNames
- member: cn=notadmin,ou=users,dc=example
-
- dn: cn=user,ou=users,dc=example
- objectClass: organizationalPerson
- objectClass: inetOrgPerson
- sn: user
- cn: user
- mail: user@example
- userPassword: {SSHA}gLgBMb86/3wecoCp8gtORgIF2/qCRpqs
-
- dn: cn=admin,ou=users,dc=example
- objectClass: organizationalPerson
- objectClass: inetOrgPerson
- sn: admin
- cn: admin
- mail: admin@example
- userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
-
- dn: cn=notadmin,ou=users,dc=example
- objectClass: organizationalPerson
- objectClass: inetOrgPerson
- sn: notadmin
- cn: notadmin
- mail: notadmin@example
- userPassword: {SSHA}BsgOQcRnoiULzwLrGmuzVGH6EC5Dkwmf
-
- '';
- systemd.services.hydra-server.environment.CATALYST_DEBUG = "1";
- systemd.services.hydra-server.environment.HYDRA_LDAP_CONFIG = pkgs.writeText "config.yaml"
- # example config based on https://metacpan.org/source/ILMARI/Catalyst-Authentication-Store-LDAP-1.016/README#L103
- ''
- credential:
- class: Password
- password_field: password
- password_type: self_check
- store:
- class: LDAP
- ldap_server: localhost
- ldap_server_options:
- timeout: 30
- debug: 2
- binddn: "cn=root,dc=example"
- bindpw: notapassword
- start_tls: 0
- start_tls_options:
- verify: none
- user_basedn: "ou=users,dc=example"
- user_filter: "(&(objectClass=inetOrgPerson)(cn=%s))"
- user_scope: one
- user_field: cn
- user_search_options:
- deref: always
- use_roles: 1
- role_basedn: "ou=groups,dc=example"
- role_filter: "(&(objectClass=groupOfNames)(member=%s))"
- role_scope: one
- role_field: cn
- role_value: dn
- role_search_options:
- deref: always
- '';
- networking.firewall.enable = false;
- };
- testScript = ''
- import json
- from pprint import pprint
-
- machine.wait_for_unit("openldap.service")
- machine.wait_for_job("hydra-init")
- machine.wait_for_open_port("3000")
-
- print("Logging in as a regular user:")
- response = machine.succeed(
- "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=foobar'"
- )
-
- response_json = json.loads(response)
- pprint(response_json)
- assert "user" == response_json["username"]
- assert "user@example" == response_json["emailaddress"]
- assert len(response_json["userroles"]) == 0
-
- # logging on with wrong credentials shouldn't work
- print("Logging in with bad creds:")
- machine.fail(
- "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=user&password=wrongpassword'"
- )
-
-
- # the admin user should get the admin role from his group membership in `hydra_admin`
- print("Logging in as an admin user:")
- response = machine.succeed(
- "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=admin&password=password'"
- )
-
- response_json = json.loads(response)
- pprint(response_json)
- assert "admin" == response_json["username"]
- assert "admin@example" == response_json["emailaddress"]
- assert "admin" in response_json["userroles"]
-
- # the notadmin user should NOT get the admin role from their group membership in `hydra-admin`
- response = machine.succeed(
- "curl --fail http://localhost:3000/login -H 'Accept: application/json' -H 'Referer: http://localhost:3000' --data 'username=notadmin&password=password'"
- )
-
- response_json = json.loads(response)
- pprint(response_json)
- assert "notadmin" == response_json["username"]
- assert "notadmin@example" == response_json["emailaddress"]
- assert "admin" not in response_json["userroles"]
- '';
- };
-
 tests.validate-openapi = pkgs.runCommand "validate-openapi" {
 buildInputs = [ pkgs.openapi-generator-cli ];
 } ''