def test_team_syncing(client):
with mock_ldap() as ldap:
with patch("endpoints.api.team.authentication", ldap):
with client_with_identity("devtable", client) as cl:
config = {
"group_dn": "cn=AwesomeFolk",
}
conduct_api_call(cl, OrganizationTeamSyncing, "POST",
UNSYNCED_TEAM_PARAMS, config)
# Ensure the team is now synced.
sync_info = model.team.get_team_sync_information(
UNSYNCED_TEAM_PARAMS["orgname"],
UNSYNCED_TEAM_PARAMS["teamname"])
assert sync_info is not None
assert json.loads(sync_info.config) == config
# Remove the syncing.
conduct_api_call(cl, OrganizationTeamSyncing, "DELETE",
UNSYNCED_TEAM_PARAMS, None)
# Ensure the team is no longer synced.
sync_info = model.team.get_team_sync_information(
UNSYNCED_TEAM_PARAMS["orgname"],
UNSYNCED_TEAM_PARAMS["teamname"])
assert sync_info is None
def test_validated_ldap(admin_dn, admin_passwd, user_rdn, expected_exception,
app):
config = {}
config["AUTHENTICATION_TYPE"] = "LDAP"
config["LDAP_BASE_DN"] = ["dc=quay", "dc=io"]
config["LDAP_ADMIN_DN"] = admin_dn
config["LDAP_ADMIN_PASSWD"] = admin_passwd
config["LDAP_USER_RDN"] = user_rdn
unvalidated_config = ValidatorContext(config,
config_provider=config_provider)
if expected_exception is not None:
with pytest.raises(ConfigValidationException):
with mock_ldap():
LDAPValidator.validate(unvalidated_config)
else:
with mock_ldap():
LDAPValidator.validate(unvalidated_config)
def test_organization_teams_sync_bool(client):
with mock_ldap() as ldap:
with patch("endpoints.api.organization.authentication", ldap):
# Ensure synced teams are marked as such in the organization teams list.
with client_with_identity("devtable", client) as cl:
resp = conduct_api_call(cl, Organization, "GET",
{"orgname": "sellnsmall"})
assert not resp.json["teams"]["owners"]["is_synced"]
assert resp.json["teams"]["synced"]["is_synced"]
def test_oidc_ldap_auth(self):
# Test with database auth.
oidc_mocks = self._get_oidc_mocks()
with mock_ldap() as ldap:
with AuthForTesting(ldap):
with HTTMock(*oidc_mocks):
self.invoke_oauth_tests('testoidc_oauth_callback',
'testoidc_oauth_attach',
'testoidc',
'cool.user',
'cool_user',
test_attach=False)
def test_new_account_via_ldap(binding_field, lid, lusername, lemail, expected_error, app):
existing_user_count = database.User.select().count()
config = {"GITHUB": {}}
if binding_field is not None:
config["GITHUB"]["LOGIN_BINDING_FIELD"] = binding_field
external_auth = GithubOAuthService(config, "GITHUB")
internal_auth = _get_users_handler("LDAP")
with mock_ldap():
# Conduct OAuth login.
result = _conduct_oauth_login(internal_auth, external_auth, lid, lusername, lemail)
assert result.error_message == expected_error
current_user_count = database.User.select().count()
if expected_error is None:
# Ensure that the new user was created and that it is bound to both the
# external login service and to LDAP (if a binding_field was given).
assert current_user_count == existing_user_count + 1
assert result.user_obj is not None
# Check the service bindings.
external_login = model.user.lookup_federated_login(
result.user_obj, external_auth.service_id()
)
assert external_login is not None
internal_login = model.user.lookup_federated_login(
result.user_obj, internal_auth.federated_service
)
if binding_field is not None:
assert internal_login is not None
else:
assert internal_login is None
# Ensure that no notification was created.
assert not list(
model.notification.list_notifications(
result.user_obj, kind_name="password_required"
)
)
else:
# Ensure that no addtional users were created.
assert current_user_count == existing_user_count
def test_existing_account(auth_system, login_service):
login_service_lid = "someexternaluser"
# Create an existing bound federated user.
created_user = model.user.create_federated_user(
"someuser", "*****@*****.**", login_service.service_id(), login_service_lid, False
)
existing_user_count = database.User.select().count()
with mock_ldap():
result = _conduct_oauth_login(
auth_system, login_service, login_service_lid, login_service_lid, "*****@*****.**"
)
assert result.user_obj == created_user
# Ensure that no addtional users were created.
current_user_count = database.User.select().count()
assert current_user_count == existing_user_count
def test_existing_account_in_ldap(app):
config = {"GITHUB": {"LOGIN_BINDING_FIELD": "username"}}
external_auth = GithubOAuthService(config, "GITHUB")
internal_auth = _get_users_handler("LDAP")
# Add an existing federated user bound to the LDAP account associated with `someuser`.
bound_user = model.user.create_federated_user(
"someuser", "*****@*****.**", internal_auth.federated_service, "someuser", False
)
existing_user_count = database.User.select().count()
with mock_ldap():
# Conduct OAuth login with the same lid and bound field. This should find the existing LDAP
# user (via the `username` binding), and then bind Github to it as well.
result = _conduct_oauth_login(
internal_auth, external_auth, bound_user.username, bound_user.username, bound_user.email
)
assert result.error_message is None
# Ensure that the same user was returned, and that it is now bound to the Github account
# as well.
assert result.user_obj.id == bound_user.id
# Ensure that no additional users were created.
current_user_count = database.User.select().count()
assert current_user_count == existing_user_count
# Check the service bindings.
external_login = model.user.lookup_federated_login(
result.user_obj, external_auth.service_id()
)
assert external_login is not None
internal_login = model.user.lookup_federated_login(
result.user_obj, internal_auth.federated_service
)
assert internal_login is not None
def test_team_member_sync_info(client):
with mock_ldap() as ldap:
with patch("endpoints.api.team.authentication", ldap):
# Check for an unsynced team, with superuser.
with client_with_identity("devtable", client) as cl:
resp = conduct_api_call(cl, TeamMemberList, "GET",
UNSYNCED_TEAM_PARAMS)
assert "can_sync" in resp.json
assert resp.json["can_sync"]["service"] == "ldap"
assert "synced" not in resp.json
# Check for an unsynced team, with non-superuser.
with client_with_identity("randomuser", client) as cl:
resp = conduct_api_call(cl, TeamMemberList, "GET",
UNSYNCED_TEAM_PARAMS)
assert "can_sync" not in resp.json
assert "synced" not in resp.json
# Check for a synced team, with superuser.
with client_with_identity("devtable", client) as cl:
resp = conduct_api_call(cl, TeamMemberList, "GET",
SYNCED_TEAM_PARAMS)
assert "can_sync" in resp.json
assert resp.json["can_sync"]["service"] == "ldap"
assert "synced" in resp.json
assert "last_updated" in resp.json["synced"]
assert "group_dn" in resp.json["synced"]["config"]
# Check for a synced team, with non-superuser.
with client_with_identity("randomuser", client) as cl:
resp = conduct_api_call(cl, TeamMemberList, "GET",
SYNCED_TEAM_PARAMS)
assert "can_sync" not in resp.json
assert "synced" in resp.json
assert "last_updated" not in resp.json["synced"]
assert "config" not in resp.json["synced"]
