def test_team_syncing(client): with mock_ldap() as ldap: with patch("endpoints.api.team.authentication", ldap): with client_with_identity("devtable", client) as cl: config = { "group_dn": "cn=AwesomeFolk", } conduct_api_call(cl, OrganizationTeamSyncing, "POST", UNSYNCED_TEAM_PARAMS, config) # Ensure the team is now synced. sync_info = model.team.get_team_sync_information( UNSYNCED_TEAM_PARAMS["orgname"], UNSYNCED_TEAM_PARAMS["teamname"]) assert sync_info is not None assert json.loads(sync_info.config) == config # Remove the syncing. conduct_api_call(cl, OrganizationTeamSyncing, "DELETE", UNSYNCED_TEAM_PARAMS, None) # Ensure the team is no longer synced. sync_info = model.team.get_team_sync_information( UNSYNCED_TEAM_PARAMS["orgname"], UNSYNCED_TEAM_PARAMS["teamname"]) assert sync_info is None
def test_validated_ldap(admin_dn, admin_passwd, user_rdn, expected_exception, app): config = {} config["AUTHENTICATION_TYPE"] = "LDAP" config["LDAP_BASE_DN"] = ["dc=quay", "dc=io"] config["LDAP_ADMIN_DN"] = admin_dn config["LDAP_ADMIN_PASSWD"] = admin_passwd config["LDAP_USER_RDN"] = user_rdn unvalidated_config = ValidatorContext(config, config_provider=config_provider) if expected_exception is not None: with pytest.raises(ConfigValidationException): with mock_ldap(): LDAPValidator.validate(unvalidated_config) else: with mock_ldap(): LDAPValidator.validate(unvalidated_config)
def test_organization_teams_sync_bool(client): with mock_ldap() as ldap: with patch("endpoints.api.organization.authentication", ldap): # Ensure synced teams are marked as such in the organization teams list. with client_with_identity("devtable", client) as cl: resp = conduct_api_call(cl, Organization, "GET", {"orgname": "sellnsmall"}) assert not resp.json["teams"]["owners"]["is_synced"] assert resp.json["teams"]["synced"]["is_synced"]
def test_oidc_ldap_auth(self): # Test with database auth. oidc_mocks = self._get_oidc_mocks() with mock_ldap() as ldap: with AuthForTesting(ldap): with HTTMock(*oidc_mocks): self.invoke_oauth_tests('testoidc_oauth_callback', 'testoidc_oauth_attach', 'testoidc', 'cool.user', 'cool_user', test_attach=False)
def test_new_account_via_ldap(binding_field, lid, lusername, lemail, expected_error, app): existing_user_count = database.User.select().count() config = {"GITHUB": {}} if binding_field is not None: config["GITHUB"]["LOGIN_BINDING_FIELD"] = binding_field external_auth = GithubOAuthService(config, "GITHUB") internal_auth = _get_users_handler("LDAP") with mock_ldap(): # Conduct OAuth login. result = _conduct_oauth_login(internal_auth, external_auth, lid, lusername, lemail) assert result.error_message == expected_error current_user_count = database.User.select().count() if expected_error is None: # Ensure that the new user was created and that it is bound to both the # external login service and to LDAP (if a binding_field was given). assert current_user_count == existing_user_count + 1 assert result.user_obj is not None # Check the service bindings. external_login = model.user.lookup_federated_login( result.user_obj, external_auth.service_id() ) assert external_login is not None internal_login = model.user.lookup_federated_login( result.user_obj, internal_auth.federated_service ) if binding_field is not None: assert internal_login is not None else: assert internal_login is None # Ensure that no notification was created. assert not list( model.notification.list_notifications( result.user_obj, kind_name="password_required" ) ) else: # Ensure that no addtional users were created. assert current_user_count == existing_user_count
def test_existing_account(auth_system, login_service): login_service_lid = "someexternaluser" # Create an existing bound federated user. created_user = model.user.create_federated_user( "someuser", "*****@*****.**", login_service.service_id(), login_service_lid, False ) existing_user_count = database.User.select().count() with mock_ldap(): result = _conduct_oauth_login( auth_system, login_service, login_service_lid, login_service_lid, "*****@*****.**" ) assert result.user_obj == created_user # Ensure that no addtional users were created. current_user_count = database.User.select().count() assert current_user_count == existing_user_count
def test_existing_account_in_ldap(app): config = {"GITHUB": {"LOGIN_BINDING_FIELD": "username"}} external_auth = GithubOAuthService(config, "GITHUB") internal_auth = _get_users_handler("LDAP") # Add an existing federated user bound to the LDAP account associated with `someuser`. bound_user = model.user.create_federated_user( "someuser", "*****@*****.**", internal_auth.federated_service, "someuser", False ) existing_user_count = database.User.select().count() with mock_ldap(): # Conduct OAuth login with the same lid and bound field. This should find the existing LDAP # user (via the `username` binding), and then bind Github to it as well. result = _conduct_oauth_login( internal_auth, external_auth, bound_user.username, bound_user.username, bound_user.email ) assert result.error_message is None # Ensure that the same user was returned, and that it is now bound to the Github account # as well. assert result.user_obj.id == bound_user.id # Ensure that no additional users were created. current_user_count = database.User.select().count() assert current_user_count == existing_user_count # Check the service bindings. external_login = model.user.lookup_federated_login( result.user_obj, external_auth.service_id() ) assert external_login is not None internal_login = model.user.lookup_federated_login( result.user_obj, internal_auth.federated_service ) assert internal_login is not None
def test_team_member_sync_info(client): with mock_ldap() as ldap: with patch("endpoints.api.team.authentication", ldap): # Check for an unsynced team, with superuser. with client_with_identity("devtable", client) as cl: resp = conduct_api_call(cl, TeamMemberList, "GET", UNSYNCED_TEAM_PARAMS) assert "can_sync" in resp.json assert resp.json["can_sync"]["service"] == "ldap" assert "synced" not in resp.json # Check for an unsynced team, with non-superuser. with client_with_identity("randomuser", client) as cl: resp = conduct_api_call(cl, TeamMemberList, "GET", UNSYNCED_TEAM_PARAMS) assert "can_sync" not in resp.json assert "synced" not in resp.json # Check for a synced team, with superuser. with client_with_identity("devtable", client) as cl: resp = conduct_api_call(cl, TeamMemberList, "GET", SYNCED_TEAM_PARAMS) assert "can_sync" in resp.json assert resp.json["can_sync"]["service"] == "ldap" assert "synced" in resp.json assert "last_updated" in resp.json["synced"] assert "group_dn" in resp.json["synced"]["config"] # Check for a synced team, with non-superuser. with client_with_identity("randomuser", client) as cl: resp = conduct_api_call(cl, TeamMemberList, "GET", SYNCED_TEAM_PARAMS) assert "can_sync" not in resp.json assert "synced" in resp.json assert "last_updated" not in resp.json["synced"] assert "config" not in resp.json["synced"]