def test_basic_enterprise_config(trigger_config, domain, api_endpoint, is_enterprise):
config = {"GITHUB_TRIGGER_CONFIG": trigger_config}
github_trigger = GithubOAuthService(config, "GITHUB_TRIGGER_CONFIG")
assert github_trigger.is_enterprise() == is_enterprise
assert github_trigger.authorize_endpoint().to_url() == "%s/login/oauth/authorize" % domain
assert github_trigger.token_endpoint().to_url() == "%s/login/oauth/access_token" % domain
assert github_trigger.api_endpoint() == api_endpoint
assert github_trigger.user_endpoint().to_url() == "%s/user" % api_endpoint
assert github_trigger.email_endpoint() == "%s/user/emails" % api_endpoint
assert github_trigger.orgs_endpoint() == "%s/user/orgs" % api_endpoint
def validate(cls, validator_context):
"""
Validates the OAuth credentials and API endpoint for a Github service.
"""
config = validator_context.config
client = validator_context.http_client
url_scheme_and_hostname = validator_context.url_scheme_and_hostname
github_config = config.get(cls.config_key)
if not github_config:
raise ConfigValidationException(
"Missing GitHub client id and client secret")
endpoint = github_config.get("GITHUB_ENDPOINT")
if not endpoint:
raise ConfigValidationException("Missing GitHub Endpoint")
if endpoint.find("http://") != 0 and endpoint.find("https://") != 0:
raise ConfigValidationException(
"Github Endpoint must start with http:// or https://")
if not github_config.get("CLIENT_ID"):
raise ConfigValidationException("Missing Client ID")
if not github_config.get("CLIENT_SECRET"):
raise ConfigValidationException("Missing Client Secret")
if github_config.get("ORG_RESTRICT") and not github_config.get(
"ALLOWED_ORGANIZATIONS"):
raise ConfigValidationException(
"Organization restriction must have at least one allowed " +
"organization")
oauth = GithubOAuthService(config, cls.config_key)
result = oauth.validate_client_id_and_secret(client,
url_scheme_and_hostname)
if not result:
raise ConfigValidationException(
"Invalid client id or client secret")
if github_config.get("ALLOWED_ORGANIZATIONS"):
for org_id in github_config.get("ALLOWED_ORGANIZATIONS"):
if not oauth.validate_organization(org_id, client):
raise ConfigValidationException(
"Invalid organization: %s" % org_id)
def test_new_account_via_ldap(binding_field, lid, lusername, lemail, expected_error, app):
existing_user_count = database.User.select().count()
config = {"GITHUB": {}}
if binding_field is not None:
config["GITHUB"]["LOGIN_BINDING_FIELD"] = binding_field
external_auth = GithubOAuthService(config, "GITHUB")
internal_auth = _get_users_handler("LDAP")
with mock_ldap():
# Conduct OAuth login.
result = _conduct_oauth_login(internal_auth, external_auth, lid, lusername, lemail)
assert result.error_message == expected_error
current_user_count = database.User.select().count()
if expected_error is None:
# Ensure that the new user was created and that it is bound to both the
# external login service and to LDAP (if a binding_field was given).
assert current_user_count == existing_user_count + 1
assert result.user_obj is not None
# Check the service bindings.
external_login = model.user.lookup_federated_login(
result.user_obj, external_auth.service_id()
)
assert external_login is not None
internal_login = model.user.lookup_federated_login(
result.user_obj, internal_auth.federated_service
)
if binding_field is not None:
assert internal_login is not None
else:
assert internal_login is None
# Ensure that no notification was created.
assert not list(
model.notification.list_notifications(
result.user_obj, kind_name="password_required"
)
)
else:
# Ensure that no addtional users were created.
assert current_user_count == existing_user_count
def test_existing_account_in_ldap(app):
config = {"GITHUB": {"LOGIN_BINDING_FIELD": "username"}}
external_auth = GithubOAuthService(config, "GITHUB")
internal_auth = _get_users_handler("LDAP")
# Add an existing federated user bound to the LDAP account associated with `someuser`.
bound_user = model.user.create_federated_user(
"someuser", "*****@*****.**", internal_auth.federated_service, "someuser", False
)
existing_user_count = database.User.select().count()
with mock_ldap():
# Conduct OAuth login with the same lid and bound field. This should find the existing LDAP
# user (via the `username` binding), and then bind Github to it as well.
result = _conduct_oauth_login(
internal_auth, external_auth, bound_user.username, bound_user.username, bound_user.email
)
assert result.error_message is None
# Ensure that the same user was returned, and that it is now bound to the Github account
# as well.
assert result.user_obj.id == bound_user.id
# Ensure that no additional users were created.
current_user_count = database.User.select().count()
assert current_user_count == existing_user_count
# Check the service bindings.
external_login = model.user.lookup_federated_login(
result.user_obj, external_auth.service_id()
)
assert external_login is not None
internal_login = model.user.lookup_federated_login(
result.user_obj, internal_auth.federated_service
)
assert internal_login is not None
def login_service(request, app):
config = {'GITHUB': {}}
if request is not None:
config['GITHUB']['LOGIN_BINDING_FIELD'] = request.param
return GithubOAuthService(config, 'GITHUB')
userfiles = Userfiles(app, storage)
log_archive = LogArchive(app, storage)
analytics = Analytics(app)
user_analytics = UserAnalytics(app)
billing = Billing(app)
sentry = Sentry(app)
build_logs = BuildLogs(app)
authentication = UserAuthentication(app, config_provider, OVERRIDE_CONFIG_DIRECTORY)
userevents = UserEventsBuilderModule(app)
superusers = SuperUserManager(app)
signer = Signer(app, config_provider)
instance_keys = InstanceKeys(app)
label_validator = LabelValidator(app)
build_canceller = BuildCanceller(app)
github_trigger = GithubOAuthService(app.config, "GITHUB_TRIGGER_CONFIG")
gitlab_trigger = GitLabOAuthService(app.config, "GITLAB_TRIGGER_CONFIG")
oauth_login = OAuthLoginManager(app.config)
oauth_apps = [github_trigger, gitlab_trigger]
image_replication_queue = WorkQueue(app.config["REPLICATION_QUEUE_NAME"], tf, has_namespace=False)
dockerfile_build_queue = WorkQueue(
app.config["DOCKERFILE_BUILD_QUEUE_NAME"], tf, has_namespace=True
)
notification_queue = WorkQueue(app.config["NOTIFICATION_QUEUE_NAME"], tf, has_namespace=True)
secscan_notification_queue = WorkQueue(
app.config["SECSCAN_NOTIFICATION_QUEUE_NAME"], tf, has_namespace=False
)
export_action_logs_queue = WorkQueue(
app.config["EXPORT_ACTION_LOGS_QUEUE_NAME"], tf, has_namespace=True
def login_service(request, app):
config = {"GITHUB": {}}
if request is not None:
config["GITHUB"]["LOGIN_BINDING_FIELD"] = request.param
return GithubOAuthService(config, "GITHUB")