hydra/t/Hydra/Controller/User/ldap.t

use strict;
use warnings;
use Setup;
use LDAPContext;
use Test2::V0;
use Catalyst::Test ();
use HTTP::Request::Common;
use JSON::MaybeXS;

my $ldap = LDAPContext->new();
my $users = {
    unrelated => $ldap->add_user("unrelated_user"),
    admin => $ldap->add_user("admin_user"),
    not_admin => $ldap->add_user("not_admin_user"),
    many_roles => $ldap->add_user("many_roles"),
    many_roles_one_group => $ldap->add_user("many_roles_one_group"),
};

$ldap->add_group("hydra_admin", $users->{"admin"}->{"username"});
$ldap->add_group("hydra-admin", $users->{"not_admin"}->{"username"});
$ldap->add_group("hydra_one_group_many_roles", $users->{"many_roles_one_group"}->{"username"});

$ldap->add_group("hydra_create-projects", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_restart-jobs", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_bump-to-front", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_cancel-build", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_eval-jobset", $users->{"many_roles"}->{"username"});


my $ctx = test_context(
    before_init => sub {
        my ($ctx) = @_;
        write_file($ctx->{"tmpdir"} . "/password.conf", "bindpw = ${\$ldap->{'root_password'}}");
    },
    hydra_config => <<CFG
        <ldap>
            <config>
                <credential>
                    class = Password
                    password_field = password
                    password_type = self_check
                </credential>
                <store>
                    class = LDAP
                    ldap_server = ${\$ldap->server_url()}
                    <ldap_server_options>
                        timeout = 30
                        debug = 0
                    </ldap_server_options>
                    binddn = "cn=root,dc=example"
                    include password.conf
                    start_tls = 0
                    <start_tls_options>
                        verify = none
                    </start_tls_options>
                    user_basedn = "ou=users,dc=example"
                    user_filter = "(&(objectClass=inetOrgPerson)(cn=%s))"
                    user_scope = one
                    user_field = cn
                    <user_search_options>
                        deref = always
                    </user_search_options>
                    use_roles = 1
                    role_basedn = "ou=groups,dc=example"
                    role_filter = "(&(objectClass=groupOfNames)(member=%s))"
                    role_scope = one
                    role_field = cn
                    role_value = dn
                    <role_search_options>
                        deref = always
                    </role_search_options>
                </store>
            </config>
            <role_mapping>
                hydra_admin = admin
                hydra_create-projects = create-projects
                hydra_cancel-build = cancel-build
                hydra_bump-to-front = bump-to-front
                hydra_restart-jobs = restart-jobs
                hydra_eval-jobset = eval-jobset

                hydra_one_group_many_roles = create-projects
                hydra_one_group_many_roles = cancel-build
                hydra_one_group_many_roles = bump-to-front
                hydra_one_group_many-roles = eval-jobset
            </role_mapping>
        </ldap>
CFG
);

Catalyst::Test->import('Hydra');

subtest "Valid login attempts" => sub {
    my %users_to_roles = (
        unrelated => [],
        admin => ["admin"],
        not_admin => [],
        many_roles => [ "create-projects", "restart-jobs", "bump-to-front", "cancel-build", "eval-jobset" ],
        many_roles_one_group => [ "create-projects", "bump-to-front", "cancel-build" ],
    );
    for my $username (keys %users_to_roles) {
        my $user = $users->{$username};
        my $roles = $users_to_roles{$username};

        subtest "Verifying $username" => sub {
            my $req = request(POST '/login',
                Referer => 'http://localhost/',
                Accept => 'application/json',
                Content => {
                    username => $user->{"username"},
                    password => $user->{"password"}
                }
            );

            is($req->code, 302, "The login redirects");
            my $data = decode_json($req->content());
            is($data->{"username"}, $user->{"username"}, "Username matches");
            is($data->{"emailaddress"}, $user->{"email"}, "Email matches");
            is([sort @{$data->{"userroles"}}], [sort @$roles], "Roles match");
        };
    }
};

# Logging in with an invalid user is rejected
is(request(POST '/login',
    Referer => 'http://localhost/',
    Content => {
        username => 'alice',
        password => 'foobar'
    }
)->code, 403, "Logging in with invalid credentials does not work");


done_testing;
LDAP: Create a test which does not use a VM 2022-02-09 14:27:45 -05:00			`use strict;`
			`use warnings;`
			`use Setup;`
			`use LDAPContext;`
			`use Test2::V0;`
			`use Catalyst::Test ();`
			`use HTTP::Request::Common;`
			`use JSON::MaybeXS;`

			`my $ldap = LDAPContext->new();`
			`my $users = {`
			`unrelated => $ldap->add_user("unrelated_user"),`
			`admin => $ldap->add_user("admin_user"),`
			`not_admin => $ldap->add_user("not_admin_user"),`
			`many_roles => $ldap->add_user("many_roles"),`
LDAP support: include BC support for the YAML based loading Includes a refactoring of the configuration loader. 2022-02-09 21:06:28 -05:00			`many_roles_one_group => $ldap->add_user("many_roles_one_group"),`
LDAP: Create a test which does not use a VM 2022-02-09 14:27:45 -05:00			`};`

			`$ldap->add_group("hydra_admin", $users->{"admin"}->{"username"});`
			`$ldap->add_group("hydra-admin", $users->{"not_admin"}->{"username"});`
LDAP support: include BC support for the YAML based loading Includes a refactoring of the configuration loader. 2022-02-09 21:06:28 -05:00			`$ldap->add_group("hydra_one_group_many_roles", $users->{"many_roles_one_group"}->{"username"});`
LDAP: Create a test which does not use a VM 2022-02-09 14:27:45 -05:00
			`$ldap->add_group("hydra_create-projects", $users->{"many_roles"}->{"username"});`
			`$ldap->add_group("hydra_restart-jobs", $users->{"many_roles"}->{"username"});`
			`$ldap->add_group("hydra_bump-to-front", $users->{"many_roles"}->{"username"});`
			`$ldap->add_group("hydra_cancel-build", $users->{"many_roles"}->{"username"});`
Create eval-jobset role and guard /api/push route 2024-08-27 17:00:00 +02:00			`$ldap->add_group("hydra_eval-jobset", $users->{"many_roles"}->{"username"});`
LDAP: Create a test which does not use a VM 2022-02-09 14:27:45 -05:00
ldap.t: write the password to an external .conf file 2022-02-11 11:27:10 -05:00
Move ldap.t to a legacy-ldap.t, make ldap.t use the new format config. 2022-02-09 15:01:42 -05:00			`my $ctx = test_context(`
ldap.t: write the password to an external .conf file 2022-02-11 11:27:10 -05:00			`before_init => sub {`
			`my ($ctx) = @_;`
			`write_file($ctx->{"tmpdir"} . "/password.conf", "bindpw = ${\$ldap->{'root_password'}}");`
			`},`
Move ldap.t to a legacy-ldap.t, make ldap.t use the new format config. 2022-02-09 15:01:42 -05:00			`hydra_config => <<CFG`
			`<ldap>`
			`<config>`
			`<credential>`
			`class = Password`
			`password_field = password`
			`password_type = self_check`
			`</credential>`
			`<store>`
			`class = LDAP`
			`ldap_server = ${\$ldap->server_url()}`
			`<ldap_server_options>`
			`timeout = 30`
			`debug = 0`
			`</ldap_server_options>`
			`binddn = "cn=root,dc=example"`
ldap.t: write the password to an external .conf file 2022-02-11 11:27:10 -05:00			`include password.conf`
Move ldap.t to a legacy-ldap.t, make ldap.t use the new format config. 2022-02-09 15:01:42 -05:00			`start_tls = 0`
			`<start_tls_options>`
			`verify = none`
			`</start_tls_options>`
			`user_basedn = "ou=users,dc=example"`
			`user_filter = "(&(objectClass=inetOrgPerson)(cn=%s))"`
			`user_scope = one`
			`user_field = cn`
			`<user_search_options>`
			`deref = always`
			`</user_search_options>`
			`use_roles = 1`
			`role_basedn = "ou=groups,dc=example"`
			`role_filter = "(&(objectClass=groupOfNames)(member=%s))"`
			`role_scope = one`
			`role_field = cn`
			`role_value = dn`
			`<role_search_options>`
			`deref = always`
			`</role_search_options>`
			`</store>`
			`</config>`
			`<role_mapping>`
			`hydra_admin = admin`
			`hydra_create-projects = create-projects`
			`hydra_cancel-build = cancel-build`
			`hydra_bump-to-front = bump-to-front`
			`hydra_restart-jobs = restart-jobs`
Create eval-jobset role and guard /api/push route 2024-08-27 17:00:00 +02:00			`hydra_eval-jobset = eval-jobset`
LDAP support: include BC support for the YAML based loading Includes a refactoring of the configuration loader. 2022-02-09 21:06:28 -05:00
			`hydra_one_group_many_roles = create-projects`
			`hydra_one_group_many_roles = cancel-build`
			`hydra_one_group_many_roles = bump-to-front`
Create eval-jobset role and guard /api/push route 2024-08-27 17:00:00 +02:00			`hydra_one_group_many-roles = eval-jobset`
Move ldap.t to a legacy-ldap.t, make ldap.t use the new format config. 2022-02-09 15:01:42 -05:00			`</role_mapping>`
			`</ldap>`
			`CFG`
			`);`
LDAP: Create a test which does not use a VM 2022-02-09 14:27:45 -05:00
			`Catalyst::Test->import('Hydra');`

			`subtest "Valid login attempts" => sub {`
			`my %users_to_roles = (`
			`unrelated => [],`
LDAP support: include BC support for the YAML based loading Includes a refactoring of the configuration loader. 2022-02-09 21:06:28 -05:00			`admin => ["admin"],`
			`not_admin => [],`
Create eval-jobset role and guard /api/push route 2024-08-27 17:00:00 +02:00			`many_roles => [ "create-projects", "restart-jobs", "bump-to-front", "cancel-build", "eval-jobset" ],`
LDAP support: include BC support for the YAML based loading Includes a refactoring of the configuration loader. 2022-02-09 21:06:28 -05:00			`many_roles_one_group => [ "create-projects", "bump-to-front", "cancel-build" ],`
LDAP: Create a test which does not use a VM 2022-02-09 14:27:45 -05:00			`);`
			`for my $username (keys %users_to_roles) {`
			`my $user = $users->{$username};`
			`my $roles = $users_to_roles{$username};`

			`subtest "Verifying $username" => sub {`
			`my $req = request(POST '/login',`
			`Referer => 'http://localhost/',`
			`Accept => 'application/json',`
			`Content => {`
			`username => $user->{"username"},`
			`password => $user->{"password"}`
			`}`
			`);`

			`is($req->code, 302, "The login redirects");`
			`my $data = decode_json($req->content());`
			`is($data->{"username"}, $user->{"username"}, "Username matches");`
			`is($data->{"emailaddress"}, $user->{"email"}, "Email matches");`
			`is([sort @{$data->{"userroles"}}], [sort @$roles], "Roles match");`
			`};`
			`}`
			`};`

			`# Logging in with an invalid user is rejected`
			`is(request(POST '/login',`
			`Referer => 'http://localhost/',`
			`Content => {`
			`username => 'alice',`
			`password => 'foobar'`
			`}`
			`)->code, 403, "Logging in with invalid credentials does not work");`



			`done_testing;`