mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
kanidm/kanidm_unix_int/tests/cache_layer_test.rs

526 lines
17 KiB
Rust
Raw Normal View History

129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::mpsc;
use std::thread;
use actix::prelude::*;
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
use kanidm::audit::LogLevel;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use kanidm::config::{Configuration, IntegrationTestConfig};
use kanidm::core::create_server_core;
use kanidm_unix_common::cache::CacheLayer;
use tokio::runtime::Runtime;
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
use kanidm_client::asynchronous::KanidmAsyncClient;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use kanidm_client::{KanidmClient, KanidmClientBuilder};
static PORT_ALLOC: AtomicUsize = AtomicUsize::new(18080);
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
const ADMIN_TEST_PASSWORD: &str = "integration test admin password";
const TESTACCOUNT1_PASSWORD_A: &str = "password a for account1 test";
const TESTACCOUNT1_PASSWORD_B: &str = "password b for account1 test";
const TESTACCOUNT1_PASSWORD_INC: &str = "never going to work";
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
fn run_test(fix_fn: fn(&KanidmClient) -> (), test_fn: fn(CacheLayer, KanidmAsyncClient) -> ()) {
245 ldap compat (#247) Add's improvements to ldap compatibility. This stabilises DN formats and how they are returned, and adds the name2uuid index to help speed up binds and entry resolves on large queries. Even on the largest queries, this is able to process them rapidly, and the ldap interface now has single operation times of sub 0.001 second even on 100k entry databases with references.
2020-06-14 01:34:23 +02:00
// ::std::env::set_var("RUST_LOG", "actix_web=warn,kanidm=error");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let _ = env_logger::builder().is_test(true).try_init();
let (tx, rx) = mpsc::channel();
let port = PORT_ALLOC.fetch_add(1, Ordering::SeqCst);
let int_config = Box::new(IntegrationTestConfig {
admin_password: ADMIN_TEST_PASSWORD.to_string(),
});
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
2020-06-10 04:07:43 +02:00
// Setup the config ...
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let mut config = Configuration::new();
config.address = format!("127.0.0.1:{}", port);
config.secure_cookies = false;
config.integration_test_config = Some(int_config);
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
config.log_level = Some(LogLevel::Quiet as u32);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
thread::spawn(move || {
// Spawn a thread for the test runner, this should have a unique
// port....
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
2020-06-10 04:07:43 +02:00
let system = System::new("test-rctx");
let rctx = async move {
let sctx = create_server_core(config).await;
Improve errors, tagging, logging and more across the codebase. (#243)
2020-06-05 06:01:20 +02:00
let _ = tx.send(sctx);
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
2020-06-10 04:07:43 +02:00
};
Arbiter::spawn(rctx);
system.run().expect("Failed to start thread");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
});
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
2020-06-10 04:07:43 +02:00
let sctx = rx.recv().unwrap().expect("failed to start ctx");
Improve errors, tagging, logging and more across the codebase. (#243)
2020-06-05 06:01:20 +02:00
System::set_current(sctx.current());
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Setup the client, and the address we selected.
let addr = format!("http://127.0.0.1:{}", port);
// Run fixtures
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let adminclient = KanidmClientBuilder::new()
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.address(addr.clone())
.build()
.expect("Failed to build sync client");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
fix_fn(&adminclient);
let client = KanidmClientBuilder::new()
.address(addr.clone())
.build_async()
.expect("Failed to build async admin client");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let rsclient = KanidmClientBuilder::new()
.address(addr)
.build_async()
.expect("Failed to build client");
let cachelayer = CacheLayer::new(
"", // The sqlite db path, this is in memory.
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
300,
rsclient,
vec!["allowed_group".to_string()],
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
)
.expect("Failed to build cache layer.");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
test_fn(cachelayer, client);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// We DO NOT need teardown, as sqlite is in mem
// let the tables hit the floor
Improve errors, tagging, logging and more across the codebase. (#243)
2020-06-05 06:01:20 +02:00
sctx.stop();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
fn test_fixture(rsclient: &KanidmClient) -> () {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let res = rsclient.auth_simple_password("admin", ADMIN_TEST_PASSWORD);
assert!(res.is_ok());
// Not recommended in production!
rsclient
.idm_group_add_members("idm_admins", vec!["admin"])
.unwrap();
// Create a new account
rsclient
.idm_account_create("testaccount1", "Posix Demo Account")
.unwrap();
// Extend the account with posix attrs.
rsclient
.idm_account_unix_extend("testaccount1", Some(20000), None)
.unwrap();
// Assign an ssh public key.
rsclient
.idm_account_post_ssh_pubkey("testaccount1", "tk",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeGW1P6Pc2rPq0XqbRaDKBcXZUPRklo0L1EyR30CwoP william@amethyst")
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Set a posix password
rsclient
.idm_account_unix_cred_put("testaccount1", TESTACCOUNT1_PASSWORD_A)
.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Setup a group
rsclient.idm_group_create("testgroup1").unwrap();
rsclient
.idm_group_add_members("testgroup1", vec!["testaccount1"])
.unwrap();
rsclient
.idm_group_unix_extend("testgroup1", Some(20001))
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Setup the allowed group
rsclient.idm_group_create("allowed_group").unwrap();
rsclient
.idm_group_unix_extend("allowed_group", Some(20002))
.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
#[test]
fn test_cache_sshkey() {
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
run_test(test_fixture, |cachelayer, _adminclient| {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
// Force offline. Show we have no keys.
cachelayer.mark_offline().await;
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 0);
// Bring ourselves online.
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 1);
// Go offline, and get from cache.
cachelayer.mark_offline().await;
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 1);
};
rt.block_on(fut);
})
}
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
#[test]
fn test_cache_account() {
run_test(test_fixture, |cachelayer, _adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
// Force offline. Show we have no account
cachelayer.mark_offline().await;
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
// go online
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// get the account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// go offline
cachelayer.mark_offline().await;
// can still get account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// Finally, check we have "all accounts" in the list.
let us = cachelayer
.get_nssaccounts()
.expect("failed to list all accounts");
assert!(us.len() == 1);
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_group() {
run_test(test_fixture, |cachelayer, _adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
// Force offline. Show we have no groups.
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
// go online. Get the group
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// go offline. still works
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have no members in the group. Members are an artifact of
// user lookups!
assert!(gt.unwrap().members.len() == 0);
// clear cache, go online
assert!(cachelayer.invalidate().is_ok());
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// get an account with the group
// DO NOT get the group yet.
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// go offline.
cachelayer.mark_offline().await;
// show we have the group despite no direct calls
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have members in the group, since we came from a userlook up
assert!(gt.unwrap().members.len() == 1);
// Finally, check we have "all groups" in the list.
let gs = cachelayer
.get_nssgroups()
.expect("failed to list all groups");
assert!(gs.len() == 2);
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_group_delete() {
run_test(test_fixture, |cachelayer, adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
// get the group
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// delete it.
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_group_delete("testgroup1")
.await
.expect("failed to delete");
// invalidate cache
assert!(cachelayer.invalidate().is_ok());
// "get it"
// should be empty.
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_account_delete() {
run_test(test_fixture, |cachelayer, adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
// get the account
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// delete it.
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_account_delete("testaccount1")
.await
.expect("failed to delete");
// invalidate cache
assert!(cachelayer.invalidate().is_ok());
// "get it"
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
// should be empty.
assert!(ut.is_none());
// The group should be removed too.
let gt = cachelayer
.get_nssgroup_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
};
rt.block_on(fut);
})
}
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
#[test]
fn test_cache_account_password() {
run_test(test_fixture, |cachelayer, adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
cachelayer.attempt_online().await;
// Test authentication failure.
let a1 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_INC)
.await
.expect("failed to authenticate");
assert!(a1 == Some(false));
// Test authentication success.
let a2 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a2 == Some(true));
// change pw
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_account_unix_cred_put("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("Failed to change password");
// test auth (old pw) fail
let a3 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a3 == Some(false));
// test auth (new pw) success
let a4 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a4 == Some(true));
// Go offline.
cachelayer.mark_offline().await;
// Test auth success
let a5 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a5 == Some(true));
// Test auth failure.
let a6 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_INC)
.await
.expect("failed to authenticate");
assert!(a6 == Some(false));
// clear cache
cachelayer.clear_cache().expect("failed to clear cache");
// test auth good (fail)
let a7 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a7 == None);
// go online
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// test auth success
let a8 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a8 == Some(true));
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_account_pam_allowed() {
run_test(test_fixture, |cachelayer, adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
cachelayer.attempt_online().await;
// Should fail
let a1 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
assert!(a1 == Some(false));
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_group_add_members("allowed_group", vec!["testaccount1"])
.await
.unwrap();
// Invalidate cache to force a refresh
assert!(cachelayer.invalidate().is_ok());
// Should pass
let a2 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
assert!(a2 == Some(true));
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_account_pam_nonexist() {
run_test(test_fixture, |cachelayer, _adminclient| {
let mut rt = Runtime::new().expect("Failed to start tokio");
let fut = async move {
cachelayer.attempt_online().await;
let a1 = cachelayer
.pam_account_allowed("NO_SUCH_ACCOUNT")
.await
.expect("failed to authenticate");
assert!(a1 == None);
let a2 = cachelayer
.pam_account_authenticate("NO_SUCH_ACCOUNT", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a2 == None);
cachelayer.mark_offline().await;
let a1 = cachelayer
.pam_account_allowed("NO_SUCH_ACCOUNT")
.await
.expect("failed to authenticate");
assert!(a1 == None);
let a2 = cachelayer
.pam_account_authenticate("NO_SUCH_ACCOUNT", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a2 == None);
};
rt.block_on(fut);
})
}
Reference in a new issue Copy permalink