1
0
Fork 0

add nixos test for ldap

This commit is contained in:
Pierre Penninckx 2023-11-30 22:08:38 -08:00 committed by GitHub
parent 039f1cca22
commit 76e27ae7eb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 105 additions and 32 deletions

View file

@ -112,6 +112,7 @@
]); ]);
}; };
} }
// (vm_test "ldap" ./test/vm/ldap.nix)
// (vm_test "postgresql" ./test/vm/postgresql.nix) // (vm_test "postgresql" ./test/vm/postgresql.nix)
// (vm_test "monitoring" ./test/vm/monitoring.nix) // (vm_test "monitoring" ./test/vm/monitoring.nix)
); );

View file

@ -7,23 +7,23 @@ let
in in
{ {
options.shb.ldap = { options.shb.ldap = {
enable = lib.mkEnableOption "selfhostblocks.home-assistant"; enable = lib.mkEnableOption "the LDAP service";
dcdomain = lib.mkOption { dcdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "dc domain for ldap."; description = "dc domain to serve.";
example = "dc=mydomain,dc=com"; example = "dc=mydomain,dc=com";
}; };
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Subdomain under which home-assistant will be served."; description = "Subdomain under which the LDAP service will be served.";
example = "grafana"; example = "grafana";
}; };
domain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "domain under which home-assistant will be served."; description = "Domain under which the LDAP service will be served.";
example = "mydomain.com"; example = "mydomain.com";
}; };
@ -33,43 +33,38 @@ in
default = 3890; default = 3890;
}; };
httpPort = lib.mkOption { webUIListenPort = lib.mkOption {
type = lib.types.port; type = lib.types.port;
description = "Port on which the web UI is exposed."; description = "Port on which the web UI is exposed.";
default = 17170; default = 17170;
}; };
sopsFile = lib.mkOption { ldapUserPasswordFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = "Sops file location"; description = "File containing the LDAP admin user password.";
example = "secrets/ldap.yaml";
}; };
localNetworkIPRange = lib.mkOption { jwtSecretFile = lib.mkOption {
type = lib.types.path;
description = "File containing the JWT secret.";
};
restrictAccessIPRange = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Local network range, to restrict access to the UI to only those IPs."; description = "Set a local network range to restrict access to the UI to only those IPs.";
example = "192.168.1.1/24"; example = "192.168.1.1/24";
default = null; default = null;
}; };
debug = lib.mkOption {
description = "Enable debug logging.";
type = lib.types.bool;
default = false;
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets."lldap/user_password" = {
inherit (cfg) sopsFile;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
inherit (cfg) sopsFile;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -80,8 +75,8 @@ in
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
'' + (if isNull cfg.localNetworkIPRange then "" else '' '' + (if isNull cfg.restrictAccessIPRange then "" else ''
allow ${cfg.localNetworkIPRange}; allow ${cfg.restrictAccessIPRange};
deny all; deny all;
''); '');
proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/"; proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/";
@ -103,23 +98,23 @@ in
enable = true; enable = true;
environment = { environment = {
LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap/jwt_secret"; LLDAP_JWT_SECRET_FILE = toString cfg.jwtSecretFile;
LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap/user_password"; LLDAP_LDAP_USER_PASS_FILE = toString cfg.ldapUserPasswordFile;
# RUST_LOG = "debug"; RUST_LOG = lib.mkIf cfg.debug "debug";
}; };
settings = { settings = {
http_url = "https://${fqdn}"; http_url = "https://${fqdn}";
http_host = "127.0.0.1"; http_host = "127.0.0.1";
http_port = cfg.httpPort; http_port = cfg.webUIListenPort;
ldap_host = "127.0.0.1"; ldap_host = "127.0.0.1";
ldap_port = cfg.ldapPort; ldap_port = cfg.ldapPort;
ldap_base_dn = cfg.dcdomain; ldap_base_dn = cfg.dcdomain;
# verbose = true; verbose = cfg.debug;
}; };
}; };

77
test/vm/ldap.nix Normal file
View file

@ -0,0 +1,77 @@
{ pkgs, lib, ... }:
{
auth = pkgs.nixosTest {
name = "ldap-auth";
nodes.server = { config, pkgs, ... }: {
imports = [
{
options = {
shb.ssl.enable = lib.mkEnableOption "ssl";
shb.backup = lib.mkOption { type = lib.types.anything; };
};
}
../../modules/blocks/ldap.nix
];
shb.ldap = {
enable = true;
dcdomain = "dc=example,dc=com";
subdomain = "ldap";
domain = "example.com";
ldapUserPasswordFile = pkgs.writeText "user_password" "securepw";
jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
debug = true;
};
networking.firewall.allowedTCPPorts = [ 80 ]; # nginx port
};
nodes.client = {};
# Inspired from https://github.com/lldap/lldap/blob/33f50d13a2e2d24a3e6bb05a148246bc98090df0/example_configs/lldap-ha-auth.sh
testScript = { nodes, ... }: ''
import json
start_all()
server.wait_for_unit("lldap.service")
with subtest("fail without authenticating"):
client.fail(
"curl -f -s -X GET"
+ """ -H "Content-type: application/json" """
+ """ -H "Host: ldap.example.com" """
+ " http://server/api/graphql"
)
with subtest("fail authenticating with wrong credentials"):
client.fail(
"curl -f -s -X POST"
+ """ -H "Content-type: application/json" """
+ """ -H "Host: ldap.example.com" """
+ " http://server/auth/simple/login"
+ """ -d '{"username": "admin", "password": "wrong"}'"""
)
with subtest("succeed with correct authentication"):
token = json.loads(client.succeed(
"curl -f -s -X POST "
+ """ -H "Content-type: application/json" """
+ """ -H "Host: ldap.example.com" """
+ " http://server/auth/simple/login "
+ """ -d '{"username": "admin", "password": "securepw"}' """
))['token']
data = json.loads(client.succeed(
"curl -f -s -X POST "
+ """ -H "Content-type: application/json" """
+ """ -H "Host: ldap.example.com" """
+ """ -H "Authorization: Bearer {token}" """.format(token=token)
+ " http://server/api/graphql "
+ """ -d '{"variables": {"id": "admin"}, "query":"query($id:String!){user(userId:$id){displayName groups{displayName}}}"}' """
))['data']
assert data['user']['displayName'] == "Administrator"
assert data['user']['groups'][0]['displayName'] == "lldap_admin"
'';
};
}