foreman/test/unit/auth_sources/auth_source_ldap_test.rb @ 33d7500a
2594caf0 | José Luis Escalante | require 'test_helper'
|
|
class AuthSourceLdapTest < ActiveSupport::TestCase
|
|||
def setup
|
|||
6421fa1c | Daniel Lobato | @auth_source_ldap = FactoryGirl.create(:auth_source_ldap)
|
|
9fd7478e | Paul Kelly | User.current = users(:admin)
|
|
2594caf0 | José Luis Escalante | end
|
|
test "should exists a name" do
|
|||
6421fa1c | Daniel Lobato | missing(:name)
|
|
refute @auth_source_ldap.save
|
|||
2594caf0 | José Luis Escalante | ||
6421fa1c | Daniel Lobato | set(:name)
|
|
2594caf0 | José Luis Escalante | assert @auth_source_ldap.save
|
|
end
|
|||
test "should exists a host" do
|
|||
6421fa1c | Daniel Lobato | missing(:host)
|
|
refute @auth_source_ldap.save
|
|||
2594caf0 | José Luis Escalante | ||
6421fa1c | Daniel Lobato | set(:host)
|
|
2594caf0 | José Luis Escalante | assert @auth_source_ldap.save
|
|
end
|
|||
test "should exists a attr_login" do
|
|||
6421fa1c | Daniel Lobato | missing(:attr_login)
|
|
254f36f8 | Ohad Levy | @auth_source_ldap.onthefly_register = true
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | ||
6421fa1c | Daniel Lobato | set(:attr_login)
|
|
set(:attr_firstname)
|
|||
set(:attr_lastname)
|
|||
set(:attr_mail)
|
|||
254f36f8 | Ohad Levy | @auth_source_ldap.onthefly_register = true
|
|
2594caf0 | José Luis Escalante | assert @auth_source_ldap.save
|
|
end
|
|||
017e1049 | Ohad Levy | test "after initialize if port == 0 should automatically change to 389" do
|
|
other_auth_source_ldap = AuthSourceLdap.new
|
|||
2594caf0 | José Luis Escalante | assert_equal 389, other_auth_source_ldap.port
|
|
end
|
|||
test "the name should not exceed the 60 characters" do
|
|||
6421fa1c | Daniel Lobato | missing(:name)
|
|
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(60, :name=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the host should not exceed the 60 characters" do
|
|||
6421fa1c | Daniel Lobato | missing(:host)
|
|
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(60, :host=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the account_password should not exceed the 60 characters" do
|
|||
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(60, :account_password=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the account should not exceed the 255 characters" do
|
|||
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(255, :account=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the base_dn should not exceed the 255 characters" do
|
|||
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(255, :base_dn=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
4e4671ce | Nils Domrose | test "the ldap_filter should not exceed the 255 characters" do
|
|
assigns_a_string_of_length_greater_than(255, :ldap_filter=)
|
|||
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
4e4671ce | Nils Domrose | end
|
|
2594caf0 | José Luis Escalante | test "the attr_login should not exceed the 30 characters" do
|
|
6421fa1c | Daniel Lobato | missing(:attr_login)
|
|
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(30, :attr_login=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the attr_firstname should not exceed the 30 characters" do
|
|||
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(30, :attr_firstname=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the attr_lastname should not exceed the 30 characters" do
|
|||
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(30, :attr_lastname=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "the attr_mail should not exceed the 30 characters" do
|
|||
7a65bc18 | José Luis Escalante | assigns_a_string_of_length_greater_than(30, :attr_mail=)
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | end
|
|
test "port should be a integer" do
|
|||
6421fa1c | Daniel Lobato | missing(:port)
|
|
2594caf0 | José Luis Escalante | @auth_source_ldap.port = "crap"
|
|
6421fa1c | Daniel Lobato | refute @auth_source_ldap.save
|
|
2594caf0 | José Luis Escalante | ||
@auth_source_ldap.port = 123
|
|||
assert @auth_source_ldap.save
|
|||
end
|
|||
4e4671ce | Nils Domrose | test "invalid ldap_filter fails validation" do
|
|
@auth_source_ldap.ldap_filter = "("
|
|||
6421fa1c | Daniel Lobato | refute @auth_source_ldap.valid?
|
|
4e4671ce | Nils Domrose | end
|
|
test "valid ldap_filter passes validation" do
|
|||
missing(:ldap_filter)
|
|||
assert @auth_source_ldap.valid?
|
|||
@auth_source_ldap.ldap_filter = ""
|
|||
assert @auth_source_ldap.valid?
|
|||
@auth_source_ldap.ldap_filter = " "
|
|||
assert @auth_source_ldap.valid?
|
|||
@auth_source_ldap.ldap_filter = "key=value"
|
|||
assert @auth_source_ldap.valid?
|
|||
end
|
|||
f111e0da | José Luis Escalante | test "should strip the ldap attributes before validate" do
|
|
@auth_source_ldap.attr_login = "following spaces "
|
|||
@auth_source_ldap.attr_firstname = "following spaces "
|
|||
@auth_source_ldap.attr_lastname = "following spaces "
|
|||
@auth_source_ldap.attr_mail = "following spaces "
|
|||
@auth_source_ldap.save
|
|||
assert_equal "following spaces", @auth_source_ldap.attr_login
|
|||
assert_equal "following spaces", @auth_source_ldap.attr_firstname
|
|||
assert_equal "following spaces", @auth_source_ldap.attr_lastname
|
|||
assert_equal "following spaces", @auth_source_ldap.attr_mail
|
|||
end
|
|||
2594caf0 | José Luis Escalante | test "return nil if login is blank or password is blank" do
|
|
6421fa1c | Daniel Lobato | assert_nil @auth_source_ldap.authenticate("", "")
|
|
2594caf0 | José Luis Escalante | end
|
|
7a65bc18 | José Luis Escalante | test "when auth_method_name is applied should return 'LDAP'" do
|
|
@auth_source_ldap.save
|
|||
assert_equal 'LDAP', @auth_source_ldap.auth_method_name
|
|||
end
|
|||
b7f90cc0 | Stephen Benjamin | test "ldap user should be able to login" do
|
|
# stubs out all the actual ldap connectivity, but tests the authenticate
|
|||
# method of auth_source_ldap
|
|||
setup_ldap_stubs
|
|||
6421fa1c | Daniel Lobato | LdapFluff.any_instance.stubs(:authenticate?).returns(true)
|
|
LdapFluff.any_instance.stubs(:group_list).returns([])
|
|||
b7f90cc0 | Stephen Benjamin | assert_not_nil AuthSourceLdap.authenticate("test123", "changeme")
|
|
end
|
|||
6421fa1c | Daniel Lobato | test 'update_usergroups returns if entry does not belong to any group' do
|
|
setup_ldap_stubs
|
|||
ExternalUsergroup.any_instance.expects(:refresh).never
|
|||
LdapFluff.any_instance.expects(:group_list).with('test').returns([])
|
|||
01f8b024 | Daniel Lobato | @auth_source_ldap.send(:update_usergroups, 'test')
|
|
end
|
|||
context 'refresh ldap' do
|
|||
setup do
|
|||
setup_ldap_stubs
|
|||
LdapFluff.any_instance.expects(:group_list).with('test').returns(['ipausers'])
|
|||
end
|
|||
test 'update_usergroups calls refresh_ldap if entry belongs to some group' do
|
|||
33d7500a | Daniel Lobato | @auth_source_ldap.expects(:valid_group?).with('ipausers').returns(true)
|
|
FactoryGirl.create(:external_usergroup, :name => 'ipausers', :auth_source => @auth_source_ldap)
|
|||
ExternalUsergroup.any_instance.expects(:refresh)
|
|||
01f8b024 | Daniel Lobato | @auth_source_ldap.send(:update_usergroups, 'test')
|
|
end
|
|||
33d7500a | Daniel Lobato | test 'update_usergroups matches LDAP gids with external user groups case insensitively' do
|
|
@auth_source_ldap.expects(:valid_group?).with('IPAUSERS').returns(true)
|
|||
external = FactoryGirl.create(:external_usergroup, :auth_source => @auth_source_ldap, :name => 'IPAUSERS')
|
|||
ldap_user = FactoryGirl.create(:user, :login => 'JohnSmith', :mail => 'a@b.com', :auth_source => @auth_source_ldap)
|
|||
AuthSourceLdap.any_instance.expects(:users_in_group).with('IPAUSERS').returns(['JohnSmith'])
|
|||
@auth_source_ldap.send(:update_usergroups, 'test')
|
|||
assert_include ldap_user.usergroups, external.usergroup
|
|||
end
|
|||
01f8b024 | Daniel Lobato | test 'update_usergroups refreshes on all external user groups, in LDAP and in Foreman auth source' do
|
|
33d7500a | Daniel Lobato | @auth_source_ldap.expects(:valid_group?).with('external_usergroup1').returns(true)
|
|
01f8b024 | Daniel Lobato | external = FactoryGirl.create(:external_usergroup, :auth_source => @auth_source_ldap)
|
|
User.any_instance.expects(:external_usergroups).returns([external])
|
|||
@auth_source_ldap.send(:update_usergroups, 'test')
|
|||
end
|
|||
6421fa1c | Daniel Lobato | end
|
|
7891164b | Dominic Cleal | test 'update_usergroups is no-op with $login service account' do
|
|
ldap = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login')
|
|||
User.any_instance.expects(:external_usergroups).never
|
|||
ExternalUsergroup.any_instance.expects(:refresh).never
|
|||
ldap.send(:update_usergroups, 'test')
|
|||
end
|
|||
19bf6b09 | Dominic Cleal | test 'update_usergroups is no-op with usergroup_sync=false' do
|
|
ldap = FactoryGirl.build(:auth_source_ldap, :usergroup_sync => false)
|
|||
User.any_instance.expects(:external_usergroups).never
|
|||
ExternalUsergroup.any_instance.expects(:refresh).never
|
|||
ldap.send(:update_usergroups, 'test')
|
|||
end
|
|||
597bd2fb | Dominic Cleal | test '#to_config with dedicated service account returns hash' do
|
|
conf = FactoryGirl.build(:auth_source_ldap, :service_account).to_config
|
|||
assert_kind_of Hash, conf
|
|||
refute conf[:anon_queries]
|
|||
end
|
|||
test '#to_config with $login service account and no username fails' do
|
|||
ldap = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login')
|
|||
assert_raise(Foreman::Exception) { ldap.to_config }
|
|||
end
|
|||
test '#to_config with $login service account and username returns hash with service user' do
|
|||
conf = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login').to_config('user', 'pass')
|
|||
assert_kind_of Hash, conf
|
|||
refute conf[:anon_queries]
|
|||
assert_equal 'DOMAIN/user', conf[:service_user]
|
|||
end
|
|||
test '#to_config with no service account returns hash with anonymous queries' do
|
|||
conf = FactoryGirl.build(:auth_source_ldap).to_config('user', 'pass')
|
|||
assert_kind_of Hash, conf
|
|||
assert conf[:anon_queries]
|
|||
end
|
|||
5d5e0bb6 | Marek Hulan | test '#to_config keeps encryption nil if tls is not used' do
|
|
AuthSourceLdap.any_instance.stubs(:tls => false)
|
|||
conf = FactoryGirl.build(:auth_source_ldap).to_config('user', 'pass')
|
|||
assert_nil conf[:encryption]
|
|||
end
|
|||
test '#to_config enforces verify_mode peer for tls' do
|
|||
AuthSourceLdap.any_instance.stubs(:tls => true)
|
|||
fc3faf6f | Marek Hulan | conf = FactoryGirl.build(:auth_source_ldap).to_config('user', 'pass')
|
|
assert_kind_of Hash, conf[:encryption]
|
|||
assert_equal OpenSSL::SSL::VERIFY_PEER, conf[:encryption][:tls_options][:verify_mode]
|
|||
end
|
|||
597bd2fb | Dominic Cleal | test '#ldap_con does not cache connections with user auth' do
|
|
ldap = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login')
|
|||
refute_equal ldap.ldap_con('user', 'pass'), ldap.ldap_con('user', 'pass')
|
|||
end
|
|||
be6ce5bc | Daniel Lobato | context 'account_password encryption' do
|
|
setup do
|
|||
AuthSourceLdap.any_instance.expects(:encryption_key).at_least_once
|
|||
.returns('25d224dd383e92a7e0c82b8bf7c985e815f34cf5')
|
|||
end
|
|||
test "account_password is stored encrypted" do
|
|||
auth_source = FactoryGirl.create(:auth_source_ldap, :account_password => 'fakepass')
|
|||
assert auth_source.is_decryptable?(auth_source.account_password_in_db)
|
|||
end
|
|||
end
|
|||
597bd2fb | Dominic Cleal | private
|
|
b7f90cc0 | Stephen Benjamin | def setup_ldap_stubs
|
|
# stub out all the LDAP connectivity
|
|||
entry = Net::LDAP::Entry.new
|
|||
{:givenname=>["test"], :dn=>["uid=test123,cn=users,cn=accounts,dc=example,dc=com"], :mail=>["test123@example.com"], :sn=>["test"]}.each do |k, v|
|
|||
entry[k] = v
|
|||
end
|
|||
6421fa1c | Daniel Lobato | LdapFluff.any_instance.stubs(:valid_user?).returns(true)
|
|
LdapFluff.any_instance.stubs(:find_user).returns([entry])
|
|||
b7f90cc0 | Stephen Benjamin | end
|
|
2594caf0 | José Luis Escalante | def missing(attr)
|
|
6421fa1c | Daniel Lobato | @auth_source_ldap.send("#{attr}=", nil)
|
|
2594caf0 | José Luis Escalante | end
|
|
def set(attr)
|
|||
6421fa1c | Daniel Lobato | @auth_source_ldap.send("#{attr}=", FactoryGirl.attributes_for(:auth_source_ldap)[attr])
|
|
2594caf0 | José Luis Escalante | end
|
|
7a65bc18 | José Luis Escalante | ||
def assigns_a_string_of_length_greater_than(length, method)
|
|||
@auth_source_ldap.send method, "this is010this is020this is030this is040this is050this is060this is070this is080this is090this is100this is110this is120this is130this is140this is150this is160this is170this is180this is190this is200this is210this is220this is230this is240this is250 and something else"
|
|||
end
|
|||
2594caf0 | José Luis Escalante | end
|