mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
kanidm/kanidm_unix_int/tests/cache_layer_test.rs

740 lines
24 KiB
Rust
Raw Normal View History

Follow up on ci fixes
2020-12-08 02:06:13 +01:00
use std::net::TcpStream;
use std::sync::atomic::{AtomicU16, Ordering};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use std::thread;
Fixes #324 account softlocking and rate limiting (#326) This provides bruteforce protection and ratelimiting to stop classes of attacks. This impacts all areas where a password or authentication is performed (unix, ldap, auth).
2020-10-22 06:40:31 +02:00
use std::time::Duration;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
use kanidm::audit::LogLevel;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use kanidm::config::{Configuration, IntegrationTestConfig};
use kanidm::core::create_server_core;
Unixd - NXCache of unknown items (#338) Previously we would only cache "hits" - items that kanidm is aware of and did know about. However, this mean querying a raw uid/gid number that was not known to files or kanidm would result in kanidm doing an online check each request. This adds a NXcache to cache misses, so they can be served as misses, faster, and to reduce load on the main kanidm servers. Fixes #336
2020-12-28 00:41:16 +01:00
use kanidm_unix_common::cache::{CacheLayer, Id};
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
use kanidm_unix_common::constants::{
Add the unixd tasks daemon (#349) Fixes #180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit. Fixes #369 due to the changes to call_daemon_blocking
2021-03-13 03:33:15 +01:00
DEFAULT_GID_ATTR_MAP, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX,
DEFAULT_SHELL, DEFAULT_UID_ATTR_MAP,
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use tokio::runtime::Runtime;
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
use kanidm_client::asynchronous::KanidmAsyncClient;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use kanidm_client::{KanidmClient, KanidmClientBuilder};
V large cleanup
2020-08-04 04:58:11 +02:00
use async_std::task;
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
use tokio::sync::mpsc;
V large cleanup
2020-08-04 04:58:11 +02:00
Follow up on ci fixes
2020-12-08 02:06:13 +01:00
static PORT_ALLOC: AtomicU16 = AtomicU16::new(28080);
Making clippy happy (#420)
2021-04-25 03:35:56 +02:00
const ADMIN_TEST_USER: &str = "admin";
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
const ADMIN_TEST_PASSWORD: &str = "integration test admin password";
const TESTACCOUNT1_PASSWORD_A: &str = "password a for account1 test";
const TESTACCOUNT1_PASSWORD_B: &str = "password b for account1 test";
const TESTACCOUNT1_PASSWORD_INC: &str = "never going to work";
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
const ACCOUNT_EXPIRE: &str = "1970-01-01T00:00:00+00:00";
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Follow up on ci fixes
2020-12-08 02:06:13 +01:00
fn is_free_port(port: u16) -> bool {
match TcpStream::connect(("0.0.0.0", port)) {
Ok(_) => false,
Err(_) => true,
}
}
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
fn run_test(fix_fn: fn(&KanidmClient) -> (), test_fn: fn(CacheLayer, KanidmAsyncClient) -> ()) {
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
// ::std::env::set_var("RUST_LOG", "kanidm=debug");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let _ = env_logger::builder().is_test(true).try_init();
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let (ready_tx, mut ready_rx) = mpsc::channel(1);
let (finish_tx, mut finish_rx) = mpsc::channel(1);
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
Follow up on ci fixes
2020-12-08 02:06:13 +01:00
let mut counter = 0;
let port = loop {
let possible_port = PORT_ALLOC.fetch_add(1, Ordering::SeqCst);
if is_free_port(possible_port) {
break possible_port;
}
counter += 1;
if counter >= 5 {
eprintln!("Unable to allocate port!");
assert!(false);
}
};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let int_config = Box::new(IntegrationTestConfig {
Making clippy happy (#420)
2021-04-25 03:35:56 +02:00
admin_user: ADMIN_TEST_USER.to_string(),
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
admin_password: ADMIN_TEST_PASSWORD.to_string(),
});
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
2020-06-10 04:07:43 +02:00
// Setup the config ...
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let mut config = Configuration::new();
config.address = format!("127.0.0.1:{}", port);
config.secure_cookies = false;
config.integration_test_config = Some(int_config);
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
config.log_level = Some(LogLevel::Quiet as u32);
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
// config.log_level = Some(LogLevel::Verbose as u32);
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
config.threads = 1;
let t_handle = thread::spawn(move || {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Spawn a thread for the test runner, this should have a unique
// port....
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = tokio::runtime::Builder::new_current_thread()
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
.enable_all()
.build()
.expect("failed to start tokio");
rt.block_on(async {
create_server_core(config)
.await
.expect("failed to start server core");
// We have to yield now to guarantee that the tide elements are setup.
task::yield_now().await;
ready_tx
.send(())
.await
.expect("failed in indicate readiness");
finish_rx.recv().await;
});
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
});
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
let _ = task::block_on(ready_rx.recv()).expect("failed to start ctx");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Setup the client, and the address we selected.
let addr = format!("http://127.0.0.1:{}", port);
// Run fixtures
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
let adminclient = KanidmClientBuilder::new()
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.address(addr.clone())
.build()
.expect("Failed to build sync client");
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
fix_fn(&adminclient);
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let client = KanidmClientBuilder::new()
.address(addr.clone())
.build_async()
.expect("Failed to build async admin client");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let rsclient = KanidmClientBuilder::new()
.address(addr)
.build_async()
.expect("Failed to build client");
V large cleanup
2020-08-04 04:58:11 +02:00
let cachelayer = task::block_on(CacheLayer::new(
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
"", // The sqlite db path, this is in memory.
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
300,
rsclient,
vec!["allowed_group".to_string()],
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
DEFAULT_SHELL.to_string(),
DEFAULT_HOME_PREFIX.to_string(),
DEFAULT_HOME_ATTR,
Add the unixd tasks daemon (#349) Fixes #180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit. Fixes #369 due to the changes to call_daemon_blocking
2021-03-13 03:33:15 +01:00
DEFAULT_HOME_ALIAS,
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
2020-06-21 13:57:48 +02:00
DEFAULT_UID_ATTR_MAP,
DEFAULT_GID_ATTR_MAP,
V large cleanup
2020-08-04 04:58:11 +02:00
))
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.expect("Failed to build cache layer.");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
test_fn(cachelayer, client);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// We DO NOT need teardown, as sqlite is in mem
// let the tables hit the floor
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
task::block_on(finish_tx.send(())).expect("unable to send to ctx");
t_handle.join().expect("failed to join thread");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
fn test_fixture(rsclient: &KanidmClient) -> () {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let res = rsclient.auth_simple_password("admin", ADMIN_TEST_PASSWORD);
assert!(res.is_ok());
// Not recommended in production!
rsclient
Cleanup and improve client error handling
2020-08-01 12:31:05 +02:00
.idm_group_add_members("idm_admins", &["admin"])
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
// Create a new account
rsclient
.idm_account_create("testaccount1", "Posix Demo Account")
.unwrap();
// Extend the account with posix attrs.
rsclient
.idm_account_unix_extend("testaccount1", Some(20000), None)
.unwrap();
// Assign an ssh public key.
rsclient
.idm_account_post_ssh_pubkey("testaccount1", "tk",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeGW1P6Pc2rPq0XqbRaDKBcXZUPRklo0L1EyR30CwoP william@amethyst")
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Set a posix password
rsclient
.idm_account_unix_cred_put("testaccount1", TESTACCOUNT1_PASSWORD_A)
.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// Setup a group
rsclient.idm_group_create("testgroup1").unwrap();
rsclient
Cleanup and improve client error handling
2020-08-01 12:31:05 +02:00
.idm_group_add_members("testgroup1", &["testaccount1"])
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
.unwrap();
rsclient
.idm_group_unix_extend("testgroup1", Some(20001))
.unwrap();
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Setup the allowed group
rsclient.idm_group_create("allowed_group").unwrap();
rsclient
.idm_group_unix_extend("allowed_group", Some(20002))
.unwrap();
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
#[test]
fn test_cache_sshkey() {
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
run_test(test_fixture, |cachelayer, _adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let fut = async move {
// Force offline. Show we have no keys.
cachelayer.mark_offline().await;
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 0);
// Bring ourselves online.
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 1);
// Go offline, and get from cache.
cachelayer.mark_offline().await;
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 1);
};
rt.block_on(fut);
})
}
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
#[test]
fn test_cache_account() {
run_test(test_fixture, |cachelayer, _adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let fut = async move {
// Force offline. Show we have no account
cachelayer.mark_offline().await;
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
// go online
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// get the account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// go offline
cachelayer.mark_offline().await;
// can still get account
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// Finally, check we have "all accounts" in the list.
let us = cachelayer
.get_nssaccounts()
V large cleanup
2020-08-04 04:58:11 +02:00
.await
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.expect("failed to list all accounts");
assert!(us.len() == 1);
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_group() {
run_test(test_fixture, |cachelayer, _adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let fut = async move {
// Force offline. Show we have no groups.
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
// go online. Get the group
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// go offline. still works
cachelayer.mark_offline().await;
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have no members in the group. Members are an artifact of
// user lookups!
assert!(gt.unwrap().members.len() == 0);
// clear cache, go online
V large cleanup
2020-08-04 04:58:11 +02:00
assert!(cachelayer.invalidate().await.is_ok());
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// get an account with the group
// DO NOT get the group yet.
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// go offline.
cachelayer.mark_offline().await;
// show we have the group despite no direct calls
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// And check we have members in the group, since we came from a userlook up
assert!(gt.unwrap().members.len() == 1);
// Finally, check we have "all groups" in the list.
let gs = cachelayer
.get_nssgroups()
V large cleanup
2020-08-04 04:58:11 +02:00
.await
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.expect("failed to list all groups");
assert!(gs.len() == 2);
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_group_delete() {
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
run_test(test_fixture, |cachelayer, adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let fut = async move {
// get the group
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_some());
// delete it.
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_group_delete("testgroup1")
.await
.expect("failed to delete");
// invalidate cache
V large cleanup
2020-08-04 04:58:11 +02:00
assert!(cachelayer.invalidate().await.is_ok());
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
// "get it"
// should be empty.
let gt = cachelayer
.get_nssgroup_name("testgroup1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_account_delete() {
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
run_test(test_fixture, |cachelayer, adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let fut = async move {
// get the account
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(ut.is_some());
// delete it.
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_account_delete("testaccount1")
.await
.expect("failed to delete");
// invalidate cache
V large cleanup
2020-08-04 04:58:11 +02:00
assert!(cachelayer.invalidate().await.is_ok());
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
// "get it"
let ut = cachelayer
.get_nssaccount_name("testaccount1")
.await
.expect("Failed to get from cache");
// should be empty.
assert!(ut.is_none());
// The group should be removed too.
let gt = cachelayer
.get_nssgroup_name("testaccount1")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
};
rt.block_on(fut);
})
}
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
#[test]
fn test_cache_account_password() {
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
run_test(test_fixture, |cachelayer, adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
let fut = async move {
cachelayer.attempt_online().await;
// Test authentication failure.
let a1 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_INC)
.await
.expect("failed to authenticate");
assert!(a1 == Some(false));
Fixes #324 account softlocking and rate limiting (#326) This provides bruteforce protection and ratelimiting to stop classes of attacks. This impacts all areas where a password or authentication is performed (unix, ldap, auth).
2020-10-22 06:40:31 +02:00
// We have to wait due to softlocking.
task::sleep(Duration::from_secs(1)).await;
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Test authentication success.
let a2 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a2 == Some(true));
// change pw
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_account_unix_cred_put("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("Failed to change password");
// test auth (old pw) fail
let a3 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a3 == Some(false));
Fixes #324 account softlocking and rate limiting (#326) This provides bruteforce protection and ratelimiting to stop classes of attacks. This impacts all areas where a password or authentication is performed (unix, ldap, auth).
2020-10-22 06:40:31 +02:00
// We have to wait due to softlocking.
task::sleep(Duration::from_secs(1)).await;
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// test auth (new pw) success
let a4 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a4 == Some(true));
// Go offline.
cachelayer.mark_offline().await;
// Test auth success
let a5 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a5 == Some(true));
Fixes #324 account softlocking and rate limiting (#326) This provides bruteforce protection and ratelimiting to stop classes of attacks. This impacts all areas where a password or authentication is performed (unix, ldap, auth).
2020-10-22 06:40:31 +02:00
// No softlock during offline.
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Test auth failure.
let a6 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_INC)
.await
.expect("failed to authenticate");
assert!(a6 == Some(false));
// clear cache
V large cleanup
2020-08-04 04:58:11 +02:00
cachelayer
.clear_cache()
.await
.expect("failed to clear cache");
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// test auth good (fail)
let a7 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a7 == None);
// go online
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// test auth success
let a8 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a8 == Some(true));
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_account_pam_allowed() {
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
run_test(test_fixture, |cachelayer, adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
let fut = async move {
cachelayer.attempt_online().await;
// Should fail
let a1 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
assert!(a1 == Some(false));
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
Add auth session header type (#398)
2021-03-31 23:14:15 +02:00
.idm_group_add_members("allowed_group", &["testaccount1"])
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
.await
.unwrap();
// Invalidate cache to force a refresh
V large cleanup
2020-08-04 04:58:11 +02:00
assert!(cachelayer.invalidate().await.is_ok());
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
// Should pass
let a2 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
assert!(a2 == Some(true));
};
rt.block_on(fut);
})
}
#[test]
fn test_cache_account_pam_nonexist() {
run_test(test_fixture, |cachelayer, _adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
let fut = async move {
cachelayer.attempt_online().await;
let a1 = cachelayer
.pam_account_allowed("NO_SUCH_ACCOUNT")
.await
.expect("failed to authenticate");
assert!(a1 == None);
let a2 = cachelayer
.pam_account_authenticate("NO_SUCH_ACCOUNT", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a2 == None);
cachelayer.mark_offline().await;
let a1 = cachelayer
.pam_account_allowed("NO_SUCH_ACCOUNT")
.await
.expect("failed to authenticate");
assert!(a1 == None);
let a2 = cachelayer
.pam_account_authenticate("NO_SUCH_ACCOUNT", TESTACCOUNT1_PASSWORD_B)
.await
.expect("failed to authenticate");
assert!(a2 == None);
};
rt.block_on(fut);
})
}
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
#[test]
fn test_cache_account_expiry() {
Orca - a load testing framework for Kanidm (#431)
2021-05-06 13:15:12 +02:00
run_test(test_fixture, |cachelayer, adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 02:31:51 +02:00
let fut = async move {
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// We need one good auth first to prime the cache with a hash.
let a1 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a1 == Some(true));
// Invalidate to make sure we go online next checks.
assert!(cachelayer.invalidate().await.is_ok());
// expire the account
adminclient
.auth_simple_password("admin", ADMIN_TEST_PASSWORD)
.await
.expect("failed to auth as admin");
adminclient
.idm_account_set_attr("testaccount1", "account_expire", &[ACCOUNT_EXPIRE])
.await
.unwrap();
// auth will fail
let a2 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a2 == Some(false));
// ssh keys should be empty
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 0);
// Pam account allowed should be denied.
let a3 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
assert!(a3 == Some(false));
// go offline
cachelayer.mark_offline().await;
// Now, check again ...
let a4 = cachelayer
.pam_account_authenticate("testaccount1", TESTACCOUNT1_PASSWORD_A)
.await
.expect("failed to authenticate");
assert!(a4 == Some(false));
// ssh keys should be empty
let sk = cachelayer
.get_sshkeys("testaccount1")
.await
.expect("Failed to get from cache.");
assert!(sk.len() == 0);
// Pam account allowed should be denied.
let a5 = cachelayer
.pam_account_allowed("testaccount1")
.await
.expect("failed to authenticate");
assert!(a5 == Some(false));
};
rt.block_on(fut);
})
}
Unixd - NXCache of unknown items (#338) Previously we would only cache "hits" - items that kanidm is aware of and did know about. However, this mean querying a raw uid/gid number that was not known to files or kanidm would result in kanidm doing an online check each request. This adds a NXcache to cache misses, so they can be served as misses, faster, and to reduce load on the main kanidm servers. Fixes #336
2020-12-28 00:41:16 +01:00
#[test]
fn test_cache_nxcache() {
run_test(test_fixture, |cachelayer, mut _adminclient| {
Tokio1.0 (#340) Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
2021-01-10 04:41:56 +01:00
let rt = Runtime::new().expect("Failed to start tokio");
Unixd - NXCache of unknown items (#338) Previously we would only cache "hits" - items that kanidm is aware of and did know about. However, this mean querying a raw uid/gid number that was not known to files or kanidm would result in kanidm doing an online check each request. This adds a NXcache to cache misses, so they can be served as misses, faster, and to reduce load on the main kanidm servers. Fixes #336
2020-12-28 00:41:16 +01:00
let fut = async move {
cachelayer.attempt_online().await;
assert!(cachelayer.test_connection().await);
// Is it in the nxcache?
assert!(
!cachelayer
.check_nxcache(&Id::Name("root".to_string()))
.await
);
assert!(!cachelayer.check_nxcache(&Id::Gid(0)).await);
assert!(
!cachelayer
.check_nxcache(&Id::Name("root_group".to_string()))
.await
);
assert!(!cachelayer.check_nxcache(&Id::Gid(1)).await);
// Look for the acc id + nss id
let ut = cachelayer
.get_nssaccount_name("root")
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
let ut = cachelayer
.get_nssaccount_gid(0)
.await
.expect("Failed to get from cache");
assert!(ut.is_none());
let gt = cachelayer
.get_nssgroup_name("root_group")
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
let gt = cachelayer
.get_nssgroup_gid(1)
.await
.expect("Failed to get from cache");
assert!(gt.is_none());
// Should all now be nxed
assert!(
cachelayer
.check_nxcache(&Id::Name("root".to_string()))
.await
);
assert!(cachelayer.check_nxcache(&Id::Gid(0)).await);
assert!(
cachelayer
.check_nxcache(&Id::Name("root_group".to_string()))
.await
);
assert!(cachelayer.check_nxcache(&Id::Gid(1)).await);
// invalidate cache
assert!(cachelayer.invalidate().await.is_ok());
// Both should NOT be in nxcache now.
assert!(
!cachelayer
.check_nxcache(&Id::Name("root".to_string()))
.await
);
assert!(!cachelayer.check_nxcache(&Id::Gid(0)).await);
assert!(
!cachelayer
.check_nxcache(&Id::Name("root_group".to_string()))
.await
);
assert!(!cachelayer.check_nxcache(&Id::Gid(1)).await);
};
rt.block_on(fut);
})
}
Reference in a new issue Copy permalink