mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
kanidm/unix_integration/resolver/tests/cache_layer_test.rs

1242 lines
38 KiB
Rust
Raw Normal View History

383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#![deny(warnings)]
Rework deps (#1079)
2022-10-01 08:08:51 +02:00
use std::future::Future;
use std::pin::Pin;
68 20230919 replication configuration (#2131)
2023-09-29 04:02:13 +02:00
use std::sync::atomic::Ordering;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
use std::sync::Arc;
use std::time::{Duration, SystemTime};
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
use time::OffsetDateTime;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Rework deps (#1079)
2022-10-01 08:08:51 +02:00
use kanidm_client::{KanidmClient, KanidmClientBuilder};
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
use kanidm_proto::constants::ATTR_ACCOUNT_EXPIRE;
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
use kanidm_unix_common::constants::{
Add the unixd tasks daemon (#349) Fixes #180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit. Fixes #369 due to the changes to call_daemon_blocking
2021-03-13 03:33:15 +01:00
DEFAULT_GID_ATTR_MAP, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX,
DEFAULT_SHELL, DEFAULT_UID_ATTR_MAP,
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
};
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
use kanidm_unix_common::unix_passwd::{EtcGroup, EtcShadow, EtcUser};
Allow providers to be box dyn (#2794) * Allow providers to be box dyn in kanidm_unixd * Massive refactor
2024-06-17 00:21:25 +02:00
use kanidm_unix_resolver::db::{Cache, Db};
use kanidm_unix_resolver::idprovider::interface::Id;
use kanidm_unix_resolver::idprovider::kanidm::KanidmProvider;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
use kanidm_unix_resolver::idprovider::system::SystemProvider;
Allow providers to be box dyn (#2794) * Allow providers to be box dyn in kanidm_unixd * Massive refactor
2024-06-17 00:21:25 +02:00
use kanidm_unix_resolver::resolver::Resolver;
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
use kanidm_unix_resolver::unix_config::{GroupMap, KanidmConfig};
20221001 refactor (#1090)
2022-10-05 01:48:48 +02:00
use kanidmd_core::config::{Configuration, IntegrationTestConfig, ServerRole};
use kanidmd_core::create_server_core;
68 20230919 replication configuration (#2131)
2023-09-29 04:02:13 +02:00
use kanidmd_testkit::{is_free_port, PORT_ALLOC};
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
use tokio::task;
Fixing test release (#1983) * Fixing cargo test --release * more tracing less dbg
2023-08-15 07:42:15 +02:00
use tracing::log::{debug, trace};
V large cleanup
2020-08-04 04:58:11 +02:00
Fix handling of TPM in some trait contexts (#2347)
2023-12-03 06:33:25 +01:00
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
20231101 add id cert to unixint (#2284)
2023-11-09 04:11:23 +01:00
Making clippy happy (#420)
2021-04-25 03:35:56 +02:00
const ADMIN_TEST_USER: &str = "admin";
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
const ADMIN_TEST_PASSWORD: &str = "integration test admin password";
WIP: serialization and domain info setting wonkiness (#2791)
2024-05-28 03:49:30 +02:00
const IDM_ADMIN_TEST_USER: &str = "idm_admin";
const IDM_ADMIN_TEST_PASSWORD: &str = "integration test idm_admin password";
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
const TESTACCOUNT1_PASSWORD_A: &str = "password a for account1 test";
const TESTACCOUNT1_PASSWORD_B: &str = "password b for account1 test";
const TESTACCOUNT1_PASSWORD_INC: &str = "never going to work";
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
const ACCOUNT_EXPIRE: &str = "1970-01-01T00:00:00+00:00";
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Remove async references (#724)
2022-04-29 05:23:46 +02:00
type Fixture = Box<dyn FnOnce(KanidmClient) -> Pin<Box<dyn Future<Output = ()>>>>;
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
Remove async references (#724)
2022-04-29 05:23:46 +02:00
fn fixture<T>(f: fn(KanidmClient) -> T) -> Fixture
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
where
T: Future<Output = ()> + 'static,
{
Box::new(move |n| Box::pin(f(n)))
}
Allow providers to be box dyn (#2794) * Allow providers to be box dyn in kanidm_unixd * Massive refactor
2024-06-17 00:21:25 +02:00
async fn setup_test(fix_fn: Fixture) -> (Resolver, KanidmClient) {
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
sketching::test_init();
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
Follow up on ci fixes
2020-12-08 02:06:13 +01:00
let mut counter = 0;
let port = loop {
let possible_port = PORT_ALLOC.fetch_add(1, Ordering::SeqCst);
if is_free_port(possible_port) {
break possible_port;
}
counter += 1;
prctl compile-time fixes, also chasing lints (#2558) * fixing up error handling for prctl calls * minor clippy lintypoos * making clippy happier * clippizing a test * more clippy-calming * adding tpm-udev to ubuntu flows for testing * rebuilt wasm * moving from rg to grep because someone doesn't like nice things * such clippy like wow * clippy config to the rescue
2024-02-20 09:21:33 +01:00
#[allow(clippy::assertions_on_constants)]
Follow up on ci fixes
2020-12-08 02:06:13 +01:00
if counter >= 5 {
eprintln!("Unable to allocate port!");
enforcen den clippen (#2990) * enforcen den clippen * updating outdated oauth2-related docs * sorry clippy, we tried
2024-08-21 02:32:56 +02:00
debug_assert!(false);
Follow up on ci fixes
2020-12-08 02:06:13 +01:00
}
};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let int_config = Box::new(IntegrationTestConfig {
Making clippy happy (#420)
2021-04-25 03:35:56 +02:00
admin_user: ADMIN_TEST_USER.to_string(),
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
admin_password: ADMIN_TEST_PASSWORD.to_string(),
WIP: serialization and domain info setting wonkiness (#2791)
2024-05-28 03:49:30 +02:00
idm_admin_user: IDM_ADMIN_TEST_USER.to_string(),
idm_admin_password: IDM_ADMIN_TEST_PASSWORD.to_string(),
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
});
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
2020-06-10 04:07:43 +02:00
// Setup the config ...
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let mut config = Configuration::new();
config.address = format!("127.0.0.1:{}", port);
config.integration_test_config = Some(int_config);
20220219 webui updates + source refactor + clippy go clip clip (#642)
2022-02-20 03:43:38 +01:00
config.role = ServerRole::WriteReplicaNoUI;
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
config.threads = 1;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
create_server_core(config, false)
.await
.expect("failed to start server core");
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
// We have to yield now to guarantee that the elements are setup.
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
task::yield_now().await;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Setup the client, and the address we selected.
let addr = format!("http://127.0.0.1:{}", port);
// Run fixtures
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
let adminclient = KanidmClientBuilder::new()
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.address(addr.clone())
Fix proxy usage in tests (#443)
2021-05-19 23:58:11 +02:00
.no_proxy()
Remove async references (#724)
2022-04-29 05:23:46 +02:00
.build()
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.expect("Failed to build sync client");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
fix_fn(adminclient).await;
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let client = KanidmClientBuilder::new()
.address(addr.clone())
Fix proxy usage in tests (#443)
2021-05-19 23:58:11 +02:00
.no_proxy()
Remove async references (#724)
2022-04-29 05:23:46 +02:00
.build()
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.expect("Failed to build async admin client");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let rsclient = KanidmClientBuilder::new()
.address(addr)
Fix proxy usage in tests (#443)
2021-05-19 23:58:11 +02:00
.no_proxy()
Remove async references (#724)
2022-04-29 05:23:46 +02:00
.build()
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.expect("Failed to build client");
20230720 unix int modular (#1881) * Progress * Db traits mostly sorted, need to get dyn working next * updoot
2023-07-24 09:10:37 +02:00
let db = Db::new(
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
"", // The sqlite db path, this is in memory.
20230720 unix int modular (#1881) * Progress * Db traits mostly sorted, need to get dyn working next * updoot
2023-07-24 09:10:37 +02:00
)
.expect("Failed to setup DB");
Expose TPM in more interface places (#2334)
2023-11-27 05:35:59 +01:00
let mut dbtxn = db.write().await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
dbtxn.migrate().expect("Unable to migrate cache db");
Expose TPM in more interface places (#2334)
2023-11-27 05:35:59 +01:00
Fix handling of TPM in some trait contexts (#2347)
2023-12-03 06:33:25 +01:00
let mut hsm = BoxedDynTpm::new(SoftTpm::new());
20231101 add id cert to unixint (#2284)
2023-11-09 04:11:23 +01:00
Expose TPM in more interface places (#2334)
2023-11-27 05:35:59 +01:00
let auth_value = AuthValue::ephemeral().unwrap();
20231101 add id cert to unixint (#2284)
2023-11-09 04:11:23 +01:00
let loadable_machine_key = hsm.machine_key_create(&auth_value).unwrap();
let machine_key = hsm
.machine_key_load(&auth_value, &loadable_machine_key)
.unwrap();
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let system_provider = SystemProvider::new().unwrap();
let idprovider = KanidmProvider::new(
rsclient,
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
&KanidmConfig {
conn_timeout: 1,
request_timeout: 1,
pam_allowed_login_groups: vec!["allowed_group".to_string()],
Add support for group extension (#3081)
2024-10-03 08:33:56 +02:00
map_group: vec![GroupMap {
local: "extensible_group".to_string(),
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
with: "testgroup1".to_string(),
}],
},
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
SystemTime::now(),
&mut (&mut dbtxn).into(),
&mut hsm,
&machine_key,
)
.unwrap();
drop(machine_key);
dbtxn.commit().expect("Unable to commit dbtxn");
20230720 unix int modular (#1881) * Progress * Db traits mostly sorted, need to get dyn working next * updoot
2023-07-24 09:10:37 +02:00
let cachelayer = Resolver::new(
db,
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
Arc::new(system_provider),
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
vec![Arc::new(idprovider)],
20231101 add id cert to unixint (#2284)
2023-11-09 04:11:23 +01:00
hsm,
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
300,
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
DEFAULT_SHELL.to_string(),
20240716 check mkdir (#2906)
2024-07-17 03:11:11 +02:00
DEFAULT_HOME_PREFIX.into(),
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
DEFAULT_HOME_ATTR,
Add the unixd tasks daemon (#349) Fixes #180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit. Fixes #369 due to the changes to call_daemon_blocking
2021-03-13 03:33:15 +01:00
DEFAULT_HOME_ALIAS,
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
DEFAULT_UID_ATTR_MAP,
DEFAULT_GID_ATTR_MAP,
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
)
.await
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.expect("Failed to build cache layer.");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// test_fn(cachelayer, client);
(cachelayer, client)
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// We DO NOT need teardown, as sqlite is in mem
// let the tables hit the floor
}
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
/// This is the test fixture. It sets up the following:
/// - adds admin to idm_admins
/// - creates a test account (testaccount1)
/// - extends the test account with posix attrs
/// - adds a ssh public key to the test account
/// - sets a posix password for the test account
/// - creates a test group (testgroup1) and adds the test account to the test group
/// - extends testgroup1 with posix attrs
/// - creates two more groups with unix perms (allowed_group, masked_group)
Remove async references (#724)
2022-04-29 05:23:46 +02:00
async fn test_fixture(rsclient: KanidmClient) {
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let res = rsclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await;
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
debug!("auth_simple_password res: {:?}", res);
Fixing test release (#1983) * Fixing cargo test --release * more tracing less dbg
2023-08-15 07:42:15 +02:00
trace!("{:?}", &res);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
assert!(res.is_ok());
// Create a new account
rsclient
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.idm_person_account_create("testaccount1", "Posix Demo Account")
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
// Extend the account with posix attrs.
rsclient
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.idm_person_account_unix_extend("testaccount1", Some(20000), None)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
// Assign an ssh public key.
rsclient
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.idm_person_account_post_ssh_pubkey("testaccount1", "tk",
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeGW1P6Pc2rPq0XqbRaDKBcXZUPRklo0L1EyR30CwoP william@amethyst")
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Set a posix password
rsclient
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.idm_person_account_unix_cred_put("testaccount1", TESTACCOUNT1_PASSWORD_A)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Setup a group
1481 2024 access control rework (#2366) Rework default access controls to better separate roles and access profiles.
2023-12-18 00:10:13 +01:00
rsclient.idm_group_create("testgroup1", None).await.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
rsclient
Cleanup and improve client error handling
2020-08-01 12:31:05 +02:00
.idm_group_add_members("testgroup1", &["testaccount1"])
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
rsclient
.idm_group_unix_extend("testgroup1", Some(20001))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Setup the allowed group
1481 2024 access control rework (#2366) Rework default access controls to better separate roles and access profiles.
2023-12-18 00:10:13 +01:00
rsclient
.idm_group_create("allowed_group", None)
.await
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
rsclient
.idm_group_unix_extend("allowed_group", Some(20002))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
.unwrap();
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
// Setup a group that is masked by nxset, but allowed in overrides
1481 2024 access control rework (#2366) Rework default access controls to better separate roles and access profiles.
2023-12-18 00:10:13 +01:00
rsclient
.idm_group_create("masked_group", None)
.await
.unwrap();
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
rsclient
.idm_group_unix_extend("masked_group", Some(20003))
.await
.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_sshkey() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
// Force offline. Show we have no keys.
cachelayer.mark_offline().await;
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(sk.is_empty());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Bring ourselves online.
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(sk.len(), 1);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Go offline, and get from cache.
cachelayer.mark_offline().await;
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(sk.len(), 1);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_account() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
// Force offline. Show we have no account
cachelayer.mark_offline().await;
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
// go online
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
// get the account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// #392: Check that a `shell=None` is set to `default_shell`.
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(ut.unwrap().shell, *DEFAULT_SHELL);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// go offline
cachelayer.mark_offline().await;
// can still get account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// Finally, check we have "all accounts" in the list.
let us = cachelayer
.get_nssaccounts()
.await
.expect("failed to list all accounts");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(us.len(), 1);
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_group() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
// Force offline. Show we have no groups.
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
// go online. Get the group
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// go offline. still works
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have no members in the group. Members are an artifact of
// user lookups!
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(gt.unwrap().members.is_empty());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// clear cache, go online
assert!(cachelayer.invalidate().await.is_ok());
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
// get an account with the group
// DO NOT get the group yet.
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// go offline.
cachelayer.mark_offline().await;
// show we have the group despite no direct calls
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have members in the group, since we came from a userlook up
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(gt.unwrap().members.len(), 1);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Finally, check we have "all groups" in the list.
let gs = cachelayer
.get_nssgroups()
.await
.expect("failed to list all groups");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(gs.len(), 2);
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_group_delete() {
let (cachelayer, adminclient) = setup_test(fixture(test_fixture)).await;
// get the group
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// delete it.
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_group_delete("testgroup1")
.await
.expect("failed to delete");
// invalidate cache
assert!(cachelayer.invalidate().await.is_ok());
// "get it"
// should be empty.
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_account_delete() {
let (cachelayer, adminclient) = setup_test(fixture(test_fixture)).await;
// get the account
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// delete it.
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.idm_person_account_delete("testaccount1")
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to delete");
// invalidate cache
assert!(cachelayer.invalidate().await.is_ok());
// "get it"
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
// should be empty.
assert!(ut.is_none());
// The group should be removed too.
let gt = cachelayer
.get_nssgroup_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
}
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_account_password() {
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
let current_time = OffsetDateTime::now_utc();
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let (cachelayer, adminclient) = setup_test(fixture(test_fixture)).await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Test authentication failure.
let a1 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_INC)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a1, Some(false));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// We have to wait due to softlocking.
tokio::time::sleep(Duration::from_secs(1)).await;
// Test authentication success.
let a2 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_A)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a2, Some(true));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// change pw
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.idm_person_account_unix_cred_put("testaccount1", TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("Failed to change password");
// test auth (old pw) fail
let a3 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_A)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a3, Some(false));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// We have to wait due to softlocking.
tokio::time::sleep(Duration::from_secs(1)).await;
// test auth (new pw) success
let a4 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a4, Some(true));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Go offline.
cachelayer.mark_offline().await;
// Test auth success
let a5 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a5, Some(true));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// No softlock during offline.
// Test auth failure.
let a6 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_INC)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a6, Some(false));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// clear cache
cachelayer
.clear_cache()
.await
.expect("failed to clear cache");
// test auth good (fail)
let a7 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(a7.is_none());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// go online
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
// test auth success
let a8 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a8, Some(true));
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_account_pam_allowed() {
let (cachelayer, adminclient) = setup_test(fixture(test_fixture)).await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Should fail
let a1 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a1, Some(false));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_group_add_members("allowed_group", &["testaccount1"])
.await
.unwrap();
// Invalidate cache to force a refresh
assert!(cachelayer.invalidate().await.is_ok());
// Should pass
let a2 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a2, Some(true));
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_account_pam_nonexist() {
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
let current_time = OffsetDateTime::now_utc();
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let a1 = cachelayer
.pam_account_allowed("NO_SUCH_ACCOUNT")
.await
.expect("failed to authenticate");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(a1.is_none());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let a2 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("NO_SUCH_ACCOUNT", current_time, TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(a2.is_none());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
cachelayer.mark_offline().await;
let a1 = cachelayer
.pam_account_allowed("NO_SUCH_ACCOUNT")
.await
.expect("failed to authenticate");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(a1.is_none());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let a2 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("NO_SUCH_ACCOUNT", current_time, TESTACCOUNT1_PASSWORD_B)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(a2.is_none());
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
}
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_account_expiry() {
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
let current_time = OffsetDateTime::now_utc();
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let (cachelayer, adminclient) = setup_test(fixture(test_fixture)).await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
// We need one good auth first to prime the cache with a hash.
let a1 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_A)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a1, Some(true));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Invalidate to make sure we go online next checks.
assert!(cachelayer.invalidate().await.is_ok());
// expire the account
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
.idm_person_account_set_attr("testaccount1", ATTR_ACCOUNT_EXPIRE, &[ACCOUNT_EXPIRE])
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.unwrap();
// auth will fail
let a2 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_A)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a2, Some(false));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// ssh keys should be empty
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(sk.is_empty());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Pam account allowed should be denied.
let a3 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a3, Some(false));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// go offline
cachelayer.mark_offline().await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
// Now, check again. Since this uses the cached pw and we are offline, this
// will now succeed.
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let a4 = cachelayer
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
.pam_account_authenticate("testaccount1", current_time, TESTACCOUNT1_PASSWORD_A)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a4, Some(true));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// ssh keys should be empty
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
assert!(sk.is_empty());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Pam account allowed should be denied.
let a5 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(a5, Some(false));
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
}
Unixd - NXCache of unknown items (#338) Previously we would only cache "hits" - items that kanidm is aware of and did know about. However, this mean querying a raw uid/gid number that was not known to files or kanidm would result in kanidm doing an online check each request. This adds a NXcache to cache misses, so they can be served as misses, faster, and to reduce load on the main kanidm servers. Fixes #336
2020-12-28 00:41:16 +01:00
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#[tokio::test]
async fn test_cache_nxcache() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(cachelayer.test_connection().await);
// Is it in the nxcache?
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
assert!(cachelayer
.check_nxcache(&Id::Name("oracle".to_string()))
.await
.is_none());
assert!(cachelayer.check_nxcache(&Id::Gid(2000)).await.is_none());
assert!(cachelayer
.check_nxcache(&Id::Name("oracle_group".to_string()))
.await
.is_none());
assert!(cachelayer.check_nxcache(&Id::Gid(3000)).await.is_none());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Look for the acc id + nss id
let ut = cachelayer
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
.get_nssaccount_name("oracle")
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
let ut = cachelayer
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
.get_nssaccount_gid(2000)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
let gt = cachelayer
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
.get_nssgroup_name("oracle_group")
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
let gt = cachelayer
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
.get_nssgroup_gid(3000)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
// Should all now be nxed
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
assert!(
cachelayer
.check_nxcache(&Id::Name("oracle".to_string()))
.await
.is_some(),
"'oracle' Wasn't in the nxcache!"
);
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
assert!(cachelayer.check_nxcache(&Id::Gid(2000)).await.is_some());
assert!(cachelayer
.check_nxcache(&Id::Name("oracle_group".to_string()))
.await
.is_some());
assert!(cachelayer.check_nxcache(&Id::Gid(3000)).await.is_some());
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// invalidate cache
assert!(cachelayer.invalidate().await.is_ok());
// Both should NOT be in nxcache now.
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
assert!(cachelayer
.check_nxcache(&Id::Name("oracle".to_string()))
.await
.is_none());
assert!(cachelayer.check_nxcache(&Id::Gid(2000)).await.is_none());
assert!(cachelayer
.check_nxcache(&Id::Name("oracle_group".to_string()))
.await
.is_none());
assert!(cachelayer.check_nxcache(&Id::Gid(3000)).await.is_none());
}
#[tokio::test]
async fn test_cache_nxset_account() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
// Important! This is what sets up that testaccount1 won't be resolved
// because it's in the "local" user set.
cachelayer
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
.reload_system_identities(
vec![EtcUser {
name: "testaccount1".to_string(),
uid: 30000,
gid: 30000,
password: Default::default(),
gecos: Default::default(),
homedir: Default::default(),
shell: Default::default(),
}],
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
None,
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
vec![],
)
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
.await;
// go online
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
assert!(cachelayer.test_connection().await);
// get the account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let ut = ut.unwrap();
// Assert the user is the system version.
assert_eq!(ut.uid, 30000);
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
// go offline
cachelayer.mark_offline().await;
// still not present, was not cached.
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let ut = ut.unwrap();
// Assert the user is the system version.
assert_eq!(ut.uid, 30000);
// Finally, check it's the system version in all accounts.
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
let us = cachelayer
.get_nssaccounts()
.await
.expect("failed to list all accounts");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let us: Vec<_> = us
.into_iter()
.filter(|nss_user| nss_user.name == "testaccount1")
.collect();
assert_eq!(us.len(), 1);
assert_eq!(us[0].gid, 30000);
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
}
#[tokio::test]
async fn test_cache_nxset_group() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
// Important! This is what sets up that testgroup1 won't be resolved
// because it's in the "local" group set.
cachelayer
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
.reload_system_identities(
vec![],
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
None,
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
vec![EtcGroup {
name: "testgroup1".to_string(),
// Important! We set the GID to differ from what kanidm stores so we can
// tell we got the system version.
gid: 30001,
password: Default::default(),
members: Default::default(),
}],
)
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
.await;
// go online. Get the group
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
// We get the group, it's the system version. Check the gid.
let gt = gt.unwrap();
assert_eq!(gt.gid, 30001);
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
// go offline. still works
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let gt = gt.unwrap();
assert_eq!(gt.gid, 30001);
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
// clear cache, go online
assert!(cachelayer.invalidate().await.is_ok());
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
assert!(cachelayer.test_connection().await);
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
// get a kanidm account with the kanidm equivalent group
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// go offline.
cachelayer.mark_offline().await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
// show that the group we have is still the system version, and lacks our
// member.
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let gt = gt.unwrap();
assert_eq!(gt.gid, 30001);
assert!(gt.members.is_empty());
// Finally, check we only have the system group version in the list.
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
let gs = cachelayer
.get_nssgroups()
.await
.expect("failed to list all groups");
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
let gs: Vec<_> = gs
.into_iter()
.filter(|nss_group| nss_group.name == "testgroup1")
.collect();
20230614 unix account security - move account name deny to unixd (#1733)
2023-06-15 05:24:53 +02:00
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
debug!("{:?}", gs);
assert_eq!(gs.len(), 1);
assert_eq!(gs[0].gid, 30001);
Unixd - NXCache of unknown items (#338) Previously we would only cache "hits" - items that kanidm is aware of and did know about. However, this mean querying a raw uid/gid number that was not known to files or kanidm would result in kanidm doing an online check each request. This adds a NXcache to cache misses, so they can be served as misses, faster, and to reduce load on the main kanidm servers. Fixes #336
2020-12-28 00:41:16 +01:00
}
Resolve issue with order of operations causing group memberships to disappear (#1845)
2023-07-10 08:59:15 +02:00
Complete the implementation of the posix account cache (#3041) Allow caching and checking of shadow entries (passwords) Cache and serve system id's improve some security warnings prepare for multi-resolver Allow the kanidm provider to be not configured Allow group extension
2024-10-02 04:12:13 +02:00
#[tokio::test]
async fn test_cache_authenticate_system_account() {
const SECURE_PASSWORD: &str = "a";
let current_time = OffsetDateTime::UNIX_EPOCH + time::Duration::days(365);
let expire_time = OffsetDateTime::UNIX_EPOCH + time::Duration::days(380);
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
// Important! This is what sets up that testaccount1 won't be resolved
// because it's in the "local" user set.
cachelayer
.reload_system_identities(
vec![
EtcUser {
name: "testaccount1".to_string(),
uid: 30000,
gid: 30000,
password: Default::default(),
gecos: Default::default(),
homedir: Default::default(),
shell: Default::default(),
},
EtcUser {
name: "testaccount2".to_string(),
uid: 30001,
gid: 30001,
password: Default::default(),
gecos: Default::default(),
homedir: Default::default(),
shell: Default::default(),
}
],
Some(vec![
EtcShadow {
name: "testaccount1".to_string(),
// The very secure password, "a".
password: "$6$5.bXZTIXuVv.xI3.$sAubscCJPwnBWwaLt2JR33lo539UyiDku.aH5WVSX0Tct9nGL2ePMEmrqT3POEdBlgNQ12HJBwskewGu2dpF//".to_string(),
epoch_change_days: None,
days_min_password_age: 0,
days_max_password_age: Some(1),
days_warning_period: 1,
days_inactivity_period: None,
epoch_expire_date: Some(380),
flag_reserved: None
},
EtcShadow {
name: "testaccount2".to_string(),
// The very secure password, "a".
password: "$6$5.bXZTIXuVv.xI3.$sAubscCJPwnBWwaLt2JR33lo539UyiDku.aH5WVSX0Tct9nGL2ePMEmrqT3POEdBlgNQ12HJBwskewGu2dpF//".to_string(),
epoch_change_days: Some(364),
days_min_password_age: 0,
days_max_password_age: Some(2),
days_warning_period: 1,
days_inactivity_period: None,
epoch_expire_date: Some(380),
flag_reserved: None
},
]),
vec![],
)
.await;
// get the accounts to assert they exist,
let _ = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
let _ = cachelayer
.get_nssaccount_name("testaccount2")
.await
.expect("Failed to get from cache");
// Non exist name
let a1 = cachelayer
.pam_account_authenticate("testaccount69", current_time, SECURE_PASSWORD)
.await
.expect("failed to authenticate");
assert_eq!(a1, None);
// Check wrong pw.
let a1 = cachelayer
.pam_account_authenticate("testaccount1", current_time, "wrong password")
.await
.expect("failed to authenticate");
assert_eq!(a1, Some(false));
// Check correct pw (both accounts)
let a1 = cachelayer
.pam_account_authenticate("testaccount1", current_time, SECURE_PASSWORD)
.await
.expect("failed to authenticate");
assert_eq!(a1, Some(true));
let a1 = cachelayer
.pam_account_authenticate("testaccount2", current_time, SECURE_PASSWORD)
.await
.expect("failed to authenticate");
assert_eq!(a1, Some(true));
// Check expired time (both accounts)
let a1 = cachelayer
.pam_account_authenticate("testaccount1", expire_time, SECURE_PASSWORD)
.await
.expect("failed to authenticate");
assert_eq!(a1, Some(false));
let a1 = cachelayer
.pam_account_authenticate("testaccount2", expire_time, SECURE_PASSWORD)
.await
.expect("failed to authenticate");
assert_eq!(a1, Some(false));
// due to how posix auth works, session and authorisation are simpler, and should
// always just return "true".
let a1 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authorise");
assert_eq!(a1, Some(true));
let a1 = cachelayer
.pam_account_allowed("testaccount2")
.await
.expect("failed to authorise");
assert_eq!(a1, Some(true));
// Should we make home dirs?
let a1 = cachelayer
.pam_account_beginsession("testaccount1")
.await
.expect("failed to begin session");
assert_eq!(a1, None);
let a1 = cachelayer
.pam_account_beginsession("testaccount2")
.await
.expect("failed to begin session");
assert_eq!(a1, None);
}
Resolve issue with order of operations causing group memberships to disappear (#1845)
2023-07-10 08:59:15 +02:00
/// Issue 1830. If cache items expire where we have an account and a group, and we
/// refresh the group *first*, the group appears to drop it's members. This is because
/// sqlite "INSERT OR REPLACE INTO" triggers a delete cascade of the foreign key elements
/// which then makes the group appear empty.
///
/// We can reproduce this by retrieving an account + group, wait for expiry, then retrieve
/// only the group.
#[tokio::test]
async fn test_cache_group_fk_deferred() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
Resolve issue with order of operations causing group memberships to disappear (#1845)
2023-07-10 08:59:15 +02:00
assert!(cachelayer.test_connection().await);
// Get the account then the group.
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(gt.unwrap().members.len(), 1);
Resolve issue with order of operations causing group memberships to disappear (#1845)
2023-07-10 08:59:15 +02:00
// Invalidate all items.
cachelayer.mark_offline().await;
assert!(cachelayer.invalidate().await.is_ok());
Foundations of pam/nss multi resolver This starts the support for multi-resolver operation as well as a system level nss resolver. In future we'll add the remaining support to auth system users with pam too.
2024-08-16 01:54:35 +02:00
cachelayer.mark_next_check_now(SystemTime::now()).await;
Resolve issue with order of operations causing group memberships to disappear (#1845)
2023-07-10 08:59:15 +02:00
assert!(cachelayer.test_connection().await);
// Get the *group*. It *should* still have it's members.
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have members in the group, since we came from a userlook up
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(gt.unwrap().members.len(), 1);
Resolve issue with order of operations causing group memberships to disappear (#1845)
2023-07-10 08:59:15 +02:00
}
Add support for group extension (#3081)
2024-10-03 08:33:56 +02:00
#[tokio::test]
/// Test group extension. Groups extension is not the same as "overriding". Extension
/// only allows the *members* of a remote group to supplement the members of the local
/// group. This prevents a remote group changing the gidnumber of the local group and
/// causing breakages.
async fn test_cache_extend_group_members() {
let (cachelayer, _adminclient) = setup_test(fixture(test_fixture)).await;
cachelayer
.reload_system_identities(
vec![EtcUser {
name: "local_account".to_string(),
uid: 30000,
gid: 30000,
password: Default::default(),
gecos: Default::default(),
homedir: Default::default(),
shell: Default::default(),
}],
None,
vec![EtcGroup {
// This group is configured to allow extension from
// the group "testgroup1"
name: "extensible_group".to_string(),
gid: 30001,
password: Default::default(),
// We have the local account as a member, it should NOT be stomped.
members: vec!["local_account".to_string()],
}],
)
.await;
// Force offline. Show we have no groups.
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
// While offline, extensible_group has only local_account as a member.
let gt = cachelayer
.get_nssgroup_name("extensible_group")
.await
.expect("Failed to get from cache");
let gt = gt.unwrap();
assert_eq!(gt.gid, 30001);
assert_eq!(gt.members.as_slice(), &["local_account".to_string()]);
// Go online. Group now exists, extensible_group has group members.
// Need to resolve test-account first so that the membership is linked.
cachelayer.mark_next_check_now(SystemTime::now()).await;
assert!(cachelayer.test_connection().await);
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
let gt = gt.unwrap();
assert_eq!(gt.gid, 20001);
assert_eq!(
gt.members.as_slice(),
&["testaccount1@idm.example.com".to_string()]
);
let gt = cachelayer
.get_nssgroup_name("extensible_group")
.await
.expect("Failed to get from cache");
let gt = gt.unwrap();
// Even though it's extended, still needs to be the local uid/gid
assert_eq!(gt.gid, 30001);
assert_eq!(
gt.members.as_slice(),
&[
"local_account".to_string(),
"testaccount1@idm.example.com".to_string()
]
);
let groups = cachelayer
.get_nssgroups()
.await
.expect("Failed to get from cache");
assert!(groups.iter().any(|group| {
group.name == "extensible_group"
&& group.members.as_slice()
== &[
"local_account".to_string(),
"testaccount1@idm.example.com".to_string(),
]
}));
// Go offline. Group cached, extensible_group has members.
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
let gt = gt.unwrap();
assert_eq!(gt.gid, 20001);
assert_eq!(
gt.members.as_slice(),
&["testaccount1@idm.example.com".to_string()]
);
let gt = cachelayer
.get_nssgroup_name("extensible_group")
.await
.expect("Failed to get from cache");
let gt = gt.unwrap();
// Even though it's extended, still needs to be the local uid/gid
assert_eq!(gt.gid, 30001);
assert_eq!(
gt.members.as_slice(),
&[
"local_account".to_string(),
"testaccount1@idm.example.com".to_string()
]
);
// clear cache
cachelayer
.clear_cache()
.await
.expect("failed to clear cache");
// No longer has testaccount.
let gt = cachelayer
.get_nssgroup_name("extensible_group")
.await
.expect("Failed to get from cache");
let gt = gt.unwrap();
assert_eq!(gt.gid, 30001);
assert_eq!(gt.members.as_slice(), &["local_account".to_string()]);
}
Reference in a new issue Copy permalink