Add LDAP test

This finally tests the LDAP login/info plugins as well as the special "groups" attribute. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
author: Simo Sorce <simo@redhat.com> 2015-03-17 20:25:18 -0400
committer: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-03-23 15:44:25 +0100
commit: cacb41e93b377496e77f824f4f1b0ce206da0bed (patch)
tree: e3f08b34d1480099eb1aca84ad25e0324bf16c22
parent: 521a28fd446a64c4fa5895e1aa768512249652f6 (diff)
download: ipsilon-cacb41e93b377496e77f824f4f1b0ce206da0bed.tar.gz
ipsilon-cacb41e93b377496e77f824f4f1b0ce206da0bed.tar.xz
ipsilon-cacb41e93b377496e77f824f4f1b0ce206da0bed.zip
7 files changed, 252 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index 662c893..6068024 100644
--- a/Makefile
+++ b/Makefile
@@ -65,6 +65,7 @@ tests: wrappers
 	PYTHONPATH=./ ./tests/tests.py --test=trans
 	PYTHONPATH=./ ./tests/tests.py --test=pgdb
 	PYTHONPATH=./ ./tests/tests.py --test=fconf
+	PYTHONPATH=./ ./tests/tests.py --test=ldap
 
 test: lp-test unittests tests
 
diff --git a/ipsilon/info/infoldap.py b/ipsilon/info/infoldap.py
index e56a6a0..01d2512 100644
--- a/ipsilon/info/infoldap.py
+++ b/ipsilon/info/infoldap.py
@@ -209,7 +209,12 @@ class Installer(InfoProviderInstaller):
             config['user dn template'] = opts['info_ldap_user_dn_template']
         elif 'ldap_bind_dn_template' in opts:
             config['user dn template'] = opts['ldap_bind_dn_template']
-        config['tls'] = 'Demand'
+        if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']:
+            config['tls'] = opts['info_ldap_tls_level']
+        elif 'ldap_tls_level' in opts and opts['ldap_tls_level']:
+            config['tls'] = opts['ldap_tls_level']
+        else:
+            config['tls'] = 'Demand'
         if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']:
             config['base dn'] = opts['info_ldap_base_dn']
         elif 'ldap_base_dn' in opts and opts['ldap_base_dn']:
diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py
index db58360..595d6be 100644
--- a/ipsilon/login/authldap.py
+++ b/ipsilon/login/authldap.py
@@ -190,6 +190,8 @@ class Installer(LoginManagerInstaller):
                            help='LDAP Server Url')
         group.add_argument('--ldap-bind-dn-template', action='store',
                            help='LDAP Bind DN Template')
+        group.add_argument('--ldap-tls-level', action='store', default=None,
+                           help='LDAP TLS level')
         group.add_argument('--ldap-base-dn', action='store',
                            help='LDAP Base DN')
 
@@ -208,7 +210,10 @@ class Installer(LoginManagerInstaller):
             config['server url'] = opts['ldap_server_url']
         if 'ldap_bind_dn_template' in opts:
             config['bind dn template'] = opts['ldap_bind_dn_template']
-        config['tls'] = 'Demand'
+        if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None:
+            config['tls'] = opts['ldap_tls_level']
+        else:
+            config['tls'] = 'Demand'
         if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None:
             config['base dn'] = opts['ldap_base_dn']
         po.save_plugin_config(config)
diff --git a/tests/helpers/common.py b/tests/helpers/common.py
index 56ea9ff..07a41fe 100755
--- a/tests/helpers/common.py
+++ b/tests/helpers/common.py
@@ -145,6 +145,26 @@ class IpsilonTestBase(object):
             cmd = ['/usr/bin/createdb', '-h', addr, '-p', port, d]
             subprocess.check_call(cmd, env=env)
 
+    def setup_ldap(self, env):
+        ldapdir = os.path.join(self.testdir, 'ldap')
+        os.mkdir(ldapdir)
+        with open(os.path.join(self.rootdir, 'tests/slapd.conf')) as f:
+            t = Template(f.read())
+            text = t.substitute({'ldapdir': ldapdir})
+        filename = os.path.join(ldapdir, 'slapd.conf')
+        with open(filename, 'w+') as f:
+            f.write(text)
+        subprocess.check_call(['/usr/sbin/slapadd', '-f', filename, '-l',
+                               'tests/ldapdata.ldif'], env=env)
+
+        return filename
+
+    def start_ldap_server(self, conf, addr, port, env):
+        p = subprocess.Popen(['/usr/sbin/slapd', '-d', '0', '-f', conf,
+                             '-h', 'ldap://%s:%s' % (addr, port)],
+                             env=env, preexec_fn=os.setsid)
+        self.processes.append(p)
+
     def wait(self):
         for p in self.processes:
             os.killpg(p.pid, signal.SIGTERM)
diff --git a/tests/ldap.py b/tests/ldap.py
new file mode 100755
index 0000000..52676d3
--- /dev/null
+++ b/tests/ldap.py
@@ -0,0 +1,153 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2015  Ipsilon Contributors, see COPYING for license
+
+
+from helpers.common import IpsilonTestBase  # pylint: disable=relative-import
+from helpers.http import HttpSessions  # pylint: disable=relative-import
+import os
+import sys
+from string import Template
+
+
+idp_g = {'TEMPLATES': '${TESTDIR}/templates/install',
+         'CONFDIR': '${TESTDIR}/etc',
+         'DATADIR': '${TESTDIR}/lib',
+         'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+         'STATICDIR': '${ROOTDIR}',
+         'BINDIR': '${ROOTDIR}/ipsilon',
+         'WSGI_SOCKET_PREFIX': '${TESTDIR}/${NAME}/logs/wsgi'}
+
+
+idp_a = {'hostname': '${ADDRESS}:${PORT}',
+         'admin_user': 'tuser',
+         'system_user': '${TEST_USER}',
+         'instance': '${NAME}',
+         'secure': 'no',
+         'pam': 'no',
+         'krb': 'no',
+         'ipa': 'no',
+         'ldap': 'yes',
+         'ldap_server_url': 'ldap://${ADDRESS}:45389/',
+         'ldap_bind_dn_template':
+         'uid=%(username)s,ou=People,dc=example,dc=com',
+         'ldap_tls_level': 'NoTLS',
+         'server_debugging': 'True'}
+
+
+sp_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+        'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf',
+        'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf',
+        'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'}
+
+
+sp_a = {'hostname': '${ADDRESS}:${PORT}',
+        'saml_idp_metadata': 'http://127.0.0.10:45080/idp1/saml2/metadata',
+        'saml_secure_setup': 'False',
+        'saml_auth': '/sp',
+        'httpd_user': '${TEST_USER}'}
+
+
+def fixup_sp_httpd(httpdir):
+    merge = """
+    MellonSetEnv "GROUPS" "groups"
+    MellonMergeEnvVars On
+</Location>"""
+    with open(httpdir + '/conf.d/ipsilon-saml.conf', 'r') as f:
+        conf = f.read()
+    conf = conf.replace('</Location>', merge, 1)
+    with open(httpdir + '/conf.d/ipsilon-saml.conf', 'w') as f:
+        f.write(conf)
+
+    location = """
+
+Alias /sp ${HTTPDIR}/sp
+
+<Directory ${HTTPDIR}/sp>
+    Require all granted
+    Options +Includes
+</Directory>
+"""
+    t = Template(location)
+    text = t.substitute({'HTTPDIR': httpdir})
+    with open(httpdir + '/conf.d/ipsilon-saml.conf', 'a') as f:
+        f.write(text)
+
+    index = """<!--#echo var="MELLON_GROUPS" -->"""
+    os.mkdir(httpdir + '/sp')
+    with open(httpdir + '/sp/index.shtml', 'w') as f:
+        f.write(index)
+
+
+class IpsilonTest(IpsilonTestBase):
+
+    def __init__(self):
+        super(IpsilonTest, self).__init__('ldap', __file__)
+
+    def setup_servers(self, env=None):
+
+        print "Installing IDP's ldap server"
+        addr = '127.0.0.10'
+        port = '45389'
+        conf = self.setup_ldap(env)
+
+        print "Starting IDP's ldap server"
+        self.start_ldap_server(conf, addr, port, env)
+
+        print "Installing IDP server"
+        name = 'idp1'
+        addr = '127.0.0.10'
+        port = '45080'
+        idp = self.generate_profile(idp_g, idp_a, name, addr, port)
+        conf = self.setup_idp_server(idp, name, addr, port, env)
+
+        print "Starting IDP's httpd server"
+        self.start_http_server(conf, env)
+
+        print "Installing SP server"
+        name = 'sp1'
+        addr = '127.0.0.11'
+        port = '45081'
+        sp = self.generate_profile(sp_g, sp_a, name, addr, port)
+        conf = self.setup_sp_server(sp, name, addr, port, env)
+        fixup_sp_httpd(os.path.dirname(conf))
+
+        print "Starting SP's httpd server"
+        self.start_http_server(conf, env)
+
+
+if __name__ == '__main__':
+
+    idpname = 'idp1'
+    spname = 'sp1'
+    user = 'tuser'
+
+    sess = HttpSessions()
+    sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'tuser')
+    sess.add_server(spname, 'http://127.0.0.11:45081')
+
+    print "test1: Authenticate to IDP ...",
+    try:
+        sess.auth_to_idp(idpname)
+    except Exception, e:  # pylint: disable=broad-except
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
+
+    print "test1: Add SP Metadata to IDP ...",
+    try:
+        sess.add_sp_metadata(idpname, spname)
+    except Exception, e:  # pylint: disable=broad-except
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
+
+    print "test1: Access SP Protected Area ...",
+    try:
+        page = sess.fetch_page(idpname,
+                               'http://127.0.0.11:45081/sp/index.shtml')
+        page.expected_value('text()', 'Test Group;Test Group 2')
+    except ValueError, e:
+        print >> sys.stderr, " ERROR: %s" % repr(e)
+        sys.exit(1)
+    print " SUCCESS"
diff --git a/tests/ldapdata.ldif b/tests/ldapdata.ldif
new file mode 100644
index 0000000..bc4731c
--- /dev/null
+++ b/tests/ldapdata.ldif
@@ -0,0 +1,45 @@
+dn: dc=example,dc=com
+dc: example
+description: tests tree
+objectClass: dcObject
+objectClass: organization
+o: Example
+
+dn: ou=People,dc=example,dc=com
+ou: People
+objectClass: organizationalUnit
+description: Test People
+
+dn: uid=tuser,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+uid: tuser
+cn: Test User
+sn: Doe
+# password: tuser
+userPassword: {SSHA}g+LImPDfqn8HSf6LpJaN0Lpdp12OCbKf
+
+dn: uid=tuser2,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+uid: tuser2
+cn: Test User 2
+sn: Doe
+# password: tuser
+userPassword: {SSHA}g+LImPDfqn8HSf6LpJaN0Lpdp12OCbKf
+
+dn: ou=Group,dc=example,dc=com
+ou: Group
+objectClass: organizationalUnit
+description: Groups of People
+
+dn: cn=Test Group,ou=Group,dc=example,dc=com
+cn: Test Group
+objectClass: posixGroup
+gidNumber: 100
+memberUid: tuser
+
+dn: cn=Test Group 2,ou=Group,dc=example,dc=com
+cn: Test Group 2
+objectClass: posixGroup
+gidNumber: 101
+memberUid: tuser
+memberUid: tuser2
diff --git a/tests/slapd.conf b/tests/slapd.conf
new file mode 100644
index 0000000..83416ba
--- /dev/null
+++ b/tests/slapd.conf
@@ -0,0 +1,21 @@
+include   /etc/openldap/schema/core.schema
+include   /etc/openldap/schema/cosine.schema
+include   /etc/openldap/schema/inetorgperson.schema
+include   /etc/openldap/schema/nis.schema
+pidfile   ${ldapdir}/slapd.pid
+
+attributeoptions x-hidden lang-
+access to attrs=name;x-hidden by * =cs
+
+access    to attrs=userPassword  by * auth
+access    to *  by * read
+
+logfile   ${ldapdir}/slapd.log
+loglevel  0x2ff
+
+database  mdb
+suffix    "dc=example,dc=com"
+directory ${ldapdir}
+rootdn    cn=root,dc=example,dc=com
+# pw: root
+rootpw    {SSHA}I9OPIS+SsizMZ/FmYgZL2GVCx63+kITj
author	Simo Sorce <simo@redhat.com>	2015-03-17 20:25:18 -0400
committer	Patrick Uiterwijk <puiterwijk@redhat.com>	2015-03-23 15:44:25 +0100
commit	cacb41e93b377496e77f824f4f1b0ce206da0bed (patch)
tree	e3f08b34d1480099eb1aca84ad25e0324bf16c22
parent	521a28fd446a64c4fa5895e1aa768512249652f6 (diff)
download	ipsilon-cacb41e93b377496e77f824f4f1b0ce206da0bed.tar.gz ipsilon-cacb41e93b377496e77f824f4f1b0ce206da0bed.tar.xz ipsilon-cacb41e93b377496e77f824f4f1b0ce206da0bed.zip