Skip to content

Commit

Permalink
Add tests for LDAP
Browse files Browse the repository at this point in the history
  • Loading branch information
CommanderKeynes committed Sep 3, 2024
1 parent 7876624 commit 9c3defa
Show file tree
Hide file tree
Showing 5 changed files with 218 additions and 7 deletions.
111 changes: 111 additions & 0 deletions .circleci/glauth.cfg
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
#################
# glauth.conf

#################
# General configuration.
debug = true

[ldap]
enabled = true
# run on a non privileged port
listen = "0.0.0.0:3893"
tls = false

[ldaps]
enabled = false
#################
# Tracing section controls the tracer configuration
[tracing]
# if enabled is set to false, a no-op tracer will be used
enabled = true
# if both grpcEndpoint and httpEndpoint are unset, the default stdout provider will be used
# TODO add allowGRPCInsecure: right now grpc otlp is using the WithInsecure flag so traffic
# will always go without verifying server certificates
# grpcEndpoint = "otlp.monitoring.io:4317"
# httpEndpoint = "http://otlp.monitoring.io:4318"
#################
# The backend section controls the data store.
[backend]
datastore = "config"
baseDN = "dc=example,dc=com"
nameformat = "cn"
groupformat = "ou"

# If you are using a client that requires reading the root DSE first
# such as SSSD
# anonymousdse = true

## Configure dn format to use structures like
## "uid=serviceuser,cn=svcaccts,$BASEDN" instead of "cn=serviceuser,ou=svcaccts,$BASEDN"
## to help ease migrations from other LDAP systems
# nameformat = "uid"
# groupformat = "cn"

## Configure ssh-key attribute name, default is 'sshPublicKey'
# sshkeyattr = "ipaSshPubKey"

[behaviors]
# Ignore all capabilities restrictions, for instance allowing every user to perform a search
IgnoreCapabilities = false
# Enable a "fail2ban" type backoff mechanism temporarily banning repeated failed login attempts
LimitFailedBinds = true
# How many failed login attempts are allowed before a ban is imposed
NumberOfFailedBinds = 3
# How long (in seconds) is the window for failed login attempts
PeriodOfFailedBinds = 10
# How long (in seconds) is the ban duration
BlockFailedBindsFor = 60
# Clean learnt IP addresses every N seconds
PruneSourceTableEvery = 600
# Clean learnt IP addresses not seen in N seconds
PruneSourcesOlderThan = 600

#################
# The users section contains a hardcoded list of valid users.
# to create a passSHA256: echo -n "mysecret" | openssl dgst -sha256
[[users]]
name = "admin_user"
uidnumber = 5001
primarygroup = 5501
mail = "[email protected]"
passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
[[users.customattributes]]
employeetype = ["Intern", "Temp"]
employeenumber = [12345, 54321]
[[users.capabilities]]
action = "search"
object = "dc=example,dc=com"

# This user record shows all of the possible fields available
[[users]]
name = "sharding_user"
givenname="John"
sn="Doe"
mail = "[email protected]"
uidnumber = 5002
primarygroup = 5501
loginShell = "/bin/sh"
homeDir = "/root"
passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a" # dogood
sshkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3UKCEllO2IZXgqNygiVb+dDLJJwVw3AJwV34t2jzR+/tUNVeJ9XddKpYQektNHsFmY93lJw5QDSbeH/mAC4KPoUM47EriINKEelRbyG4hC/ko/e2JWqEclPS9LP7GtqGmscXXo4JFkqnKw4TIRD52XI9n1syYM9Y8rJ88fjC/Lpn+01AB0paLVIfppJU35t0Ho9doHAEfEvcQA6tcm7FLJUvklAxc8WUbdziczbRV40KzDroIkXAZRjX7vXXhh/p7XBYnA0GO8oTa2VY4dTQSeDAUJSUxbzevbL0ll9Gi1uYaTDQyE5gbn2NfJSqq0OYA+3eyGtIVjFYZgi+txSuhw== rsa-key-20160209"]
passappsha256 = [
"c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa", # TestAppPw1
"c9853d5f2599e90497e9f8cc671bd2022b0fb5d1bd7cfff92f079e8f8f02b8d3", # TestAppPw2
"4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88", # TestAppPw3
]

#################
# The groups section contains a hardcoded list of valid users.
[[groups]]
name = "superheros"
gidnumber = 5501

[[groups]]
name = "svcaccts"
gidnumber = 5502

[[groups]]
name = "vpn"
gidnumber = 5503
includegroups = [ 5501 ]

25 changes: 25 additions & 0 deletions .circleci/pgcat_ldap.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@

[general]
host = "0.0.0.0"
port = 6432
admin_username = "admin_user"
admin_password = ""
admin_auth_type = "ldap"
admin_auth_ldapurl = "ldap://127.0.0.1:3893"
admin_auth_ldapsuffix = "@example.com"

[pools.sharded_db.users.0]
username = "sharding_user"
password = "sharding_user"
auth_type = "ldap"
auth_ldapurl = "ldap://127.0.0.1:3893"
auth_ldapsuffix = "@example.com"
pool_size = 10
min_pool_size = 1
pool_mode = "transaction"

[pools.sharded_db.shards.0]
servers = [
[ "127.0.0.1", 5432, "primary" ],
]
database = "shard0"
1 change: 0 additions & 1 deletion .circleci/pgcat_trust.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@

[general]

host = "0.0.0.0"
port = 6432
admin_username = "admin_user"
Expand Down
2 changes: 2 additions & 0 deletions tests/docker/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ RUN apt-get update && apt-get install llvm-11 psmisc postgresql-contrib postgres
RUN cargo install cargo-binutils rustfilt
RUN rustup component add llvm-tools-preview
RUN sudo gem install bundler
RUN wget -O /usr/bin/glauth https://github.com/glauth/glauth/releases/download/v2.3.2/glauth-linux-amd64
RUN chmod +x /usr/bin/glauth
RUN wget -O toxiproxy-2.4.0.deb https://github.com/Shopify/toxiproxy/releases/download/v2.4.0/toxiproxy_2.4.0_linux_$(dpkg --print-architecture).deb && \
sudo dpkg -i toxiproxy-2.4.0.deb
RUN wget -O go1.21.3.linux-$(dpkg --print-architecture).tar.gz https://go.dev/dl/go1.21.3.linux-$(dpkg --print-architecture).tar.gz && \
Expand Down
86 changes: 80 additions & 6 deletions tests/python/tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,43 @@
PGCAT_PORT = "6432"


def pgcat_start():
pg_cat_send_signal(signal.SIGTERM)
os.system("./target/debug/pgcat .circleci/pgcat.toml &")
def ldap_start():
glauth_send_signal(signal.SIGTERM)
os.system("glauth -c .circleci/glauth.cfg &")
time.sleep(2)

def pgcat_trust_start():

def pgcat_start_inner(config_path: str):
pg_cat_send_signal(signal.SIGTERM)
os.system("./target/debug/pgcat .circleci/pgcat_trust.toml &")
os.system(f"./target/debug/pgcat {config_path} &")
time.sleep(2)

def pgcat_start():
pgcat_start_inner(config_path='.circleci/pgcat.toml')


def pgcat_trust_start():
pgcat_start_inner(config_path='.circleci/pgcat_trust.toml')


def pgcat_ldap_start():
pgcat_start_inner(config_path='.circleci/pgcat_ldap.toml')

def glauth_send_signal(signal: signal.Signals):
try:
for proc in psutil.process_iter(["pid", "name"]):
if "glauth" == proc.name():
os.kill(proc.pid, signal)
except Exception as e:
# The process can be gone when we send this signal
print(e)

if signal == signal.SIGTERM:
# Returns 0 if pgcat process exists
time.sleep(2)
if not os.system('pgrep glauth'):
raise Exception("glauth not closed after SIGTERM")


def pg_cat_send_signal(signal: signal.Signals):
try:
Expand Down Expand Up @@ -51,14 +78,36 @@ def connect_db_trust(
db = "sharded_db"

conn = psycopg2.connect(
f"postgres://{user}:@{PGCAT_HOST}:{PGCAT_PORT}/{db}?application_name=testing_pgcat",
f"postgres://{user}@{PGCAT_HOST}:{PGCAT_PORT}/{db}?application_name=testing_pgcat",
connect_timeout=2,
)
conn.autocommit = autocommit
cur = conn.cursor()

return (conn, cur)

def connect_db_ldap(
autocommit: bool = True,
admin: bool = False,
) -> Tuple[psycopg2.extensions.connection, psycopg2.extensions.cursor]:

if admin:
user = "admin_user"
password = "dogood"
db = "pgcat"
else:
user = "sharding_user"
password = "dogood"
db = "sharded_db"

conn = psycopg2.connect(
f"postgres://{user}:{password}@{PGCAT_HOST}:{PGCAT_PORT}/{db}?application_name=testing_pgcat",
connect_timeout=2,
)
conn.autocommit = autocommit
cur = conn.cursor()

return (conn, cur)

def connect_db(
autocommit: bool = True,
Expand Down Expand Up @@ -104,6 +153,30 @@ def test_normal_trust_auth():
print(res)
cleanup_conn(conn, cur)

def test_normal_ldap_auth():
conn, cur = connect_db_ldap(autocommit=False)
cur.execute("SELECT 1")
res = cur.fetchall()
print(res)
cleanup_conn(conn, cur)

def test_admin_ldap_auth():
conn, cur = connect_db_ldap(admin=True)
cur.execute("SHOW POOLS")
res = cur.fetchall()
print(res)
cleanup_conn(conn, cur)

def test_ldap():
ldap_start()
pgcat_ldap_start()

test_admin_ldap_auth()
test_normal_ldap_auth()

glauth_send_signal(signal.SIGTERM)
pg_cat_send_signal(signal.SIGTERM)


def test_trust():
pgcat_trust_start()
Expand Down Expand Up @@ -370,3 +443,4 @@ def test_shutdown_logic():
test_shutdown_logic()

test_trust()
test_ldap()

0 comments on commit 9c3defa

Please sign in to comment.