selfhostblocks/test/vm/ldap.nix

{ pkgs, lib, ... }:
{
  auth = pkgs.nixosTest {
    name = "ldap-auth";

    nodes.server = { config, pkgs, ... }: {
      imports = [
        {
          options = {
            shb.ssl.enable = lib.mkEnableOption "ssl";
            shb.backup = lib.mkOption { type = lib.types.anything; };
          };
        }
        ../../modules/blocks/ldap.nix
      ];

      shb.ldap = {
        enable = true;
        dcdomain = "dc=example,dc=com";
        subdomain = "ldap";
        domain = "example.com";
        ldapUserPasswordFile = pkgs.writeText "user_password" "securepw";
        jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
        debug = true;
      };
      networking.firewall.allowedTCPPorts = [ 80 ]; # nginx port
    };

    nodes.client = {};

    # Inspired from https://github.com/lldap/lldap/blob/33f50d13a2e2d24a3e6bb05a148246bc98090df0/example_configs/lldap-ha-auth.sh
    testScript = { nodes, ... }: ''
    import json

    start_all()
    server.wait_for_unit("lldap.service")
    server.wait_for_open_port(${toString nodes.server.services.lldap.settings.http_port})

    with subtest("fail without authenticating"):
        client.fail(
            "curl -f -s -X GET"
            + """ -H "Content-type: application/json" """
            + """ -H "Host: ldap.example.com" """
            + " http://server/api/graphql"
        )

    with subtest("fail authenticating with wrong credentials"):
        client.fail(
            "curl -f -s -X POST"
            + """ -H "Content-type: application/json" """
            + """ -H "Host: ldap.example.com" """
            + " http://server/auth/simple/login"
            + """ -d '{"username": "admin", "password": "wrong"}'"""
        )

    with subtest("succeed with correct authentication"):
        token = json.loads(client.succeed(
            "curl -f -s -X POST "
            + """ -H "Content-type: application/json" """
            + """ -H "Host: ldap.example.com" """
            + " http://server/auth/simple/login "
            + """ -d '{"username": "admin", "password": "securepw"}' """
        ))['token']

        data = json.loads(client.succeed(
            "curl -f -s -X POST "
            + """ -H "Content-type: application/json" """
            + """ -H "Host: ldap.example.com" """
            + """ -H "Authorization: Bearer {token}" """.format(token=token)
            + " http://server/api/graphql "
            + """ -d '{"variables": {"id": "admin"}, "query":"query($id:String!){user(userId:$id){displayName groups{displayName}}}"}' """
        ))['data']

        assert data['user']['displayName'] == "Administrator"
        assert data['user']['groups'][0]['displayName'] == "lldap_admin"
    '';
  };
}
add nixos test for ldap 2023-12-01 07:08:38 +01:00			`{ pkgs, lib, ... }:`
			`{`
			`auth = pkgs.nixosTest {`
			`name = "ldap-auth";`

			`nodes.server = { config, pkgs, ... }: {`
			`imports = [`
			`{`
			`options = {`
			`shb.ssl.enable = lib.mkEnableOption "ssl";`
			`shb.backup = lib.mkOption { type = lib.types.anything; };`
			`};`
			`}`
			`../../modules/blocks/ldap.nix`
			`];`

			`shb.ldap = {`
			`enable = true;`
			`dcdomain = "dc=example,dc=com";`
			`subdomain = "ldap";`
			`domain = "example.com";`
			`ldapUserPasswordFile = pkgs.writeText "user_password" "securepw";`
			`jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";`
			`debug = true;`
			`};`
			`networking.firewall.allowedTCPPorts = [ 80 ]; # nginx port`
			`};`

			`nodes.client = {};`

			`# Inspired from https://github.com/lldap/lldap/blob/33f50d13a2e2d24a3e6bb05a148246bc98090df0/example_configs/lldap-ha-auth.sh`
			`testScript = { nodes, ... }: ''`
			`import json`

			`start_all()`
			`server.wait_for_unit("lldap.service")`
wait for open port in all tests to reduce flakiness 2023-12-04 08:33:39 +01:00			`server.wait_for_open_port(${toString nodes.server.services.lldap.settings.http_port})`
add nixos test for ldap 2023-12-01 07:08:38 +01:00
			`with subtest("fail without authenticating"):`
			`client.fail(`
			`"curl -f -s -X GET"`
			`+ """ -H "Content-type: application/json" """`
			`+ """ -H "Host: ldap.example.com" """`
			`+ " http://server/api/graphql"`
			`)`

			`with subtest("fail authenticating with wrong credentials"):`
			`client.fail(`
			`"curl -f -s -X POST"`
			`+ """ -H "Content-type: application/json" """`
			`+ """ -H "Host: ldap.example.com" """`
			`+ " http://server/auth/simple/login"`
			`+ """ -d '{"username": "admin", "password": "wrong"}'"""`
			`)`

			`with subtest("succeed with correct authentication"):`
			`token = json.loads(client.succeed(`
			`"curl -f -s -X POST "`
			`+ """ -H "Content-type: application/json" """`
			`+ """ -H "Host: ldap.example.com" """`
			`+ " http://server/auth/simple/login "`
			`+ """ -d '{"username": "admin", "password": "securepw"}' """`
			`))['token']`

			`data = json.loads(client.succeed(`
			`"curl -f -s -X POST "`
			`+ """ -H "Content-type: application/json" """`
			`+ """ -H "Host: ldap.example.com" """`
			`+ """ -H "Authorization: Bearer {token}" """.format(token=token)`
			`+ " http://server/api/graphql "`
			`+ """ -d '{"variables": {"id": "admin"}, "query":"query($id:String!){user(userId:$id){displayName groups{displayName}}}"}' """`
			`))['data']`

			`assert data['user']['displayName'] == "Administrator"`
			`assert data['user']['groups'][0]['displayName'] == "lldap_admin"`
			`'';`
			`};`
			`}`