add nixos test for ldap
This commit is contained in:
parent
039f1cca22
commit
76e27ae7eb
3 changed files with 105 additions and 32 deletions
|
@ -112,6 +112,7 @@
|
||||||
]);
|
]);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
// (vm_test "ldap" ./test/vm/ldap.nix)
|
||||||
// (vm_test "postgresql" ./test/vm/postgresql.nix)
|
// (vm_test "postgresql" ./test/vm/postgresql.nix)
|
||||||
// (vm_test "monitoring" ./test/vm/monitoring.nix)
|
// (vm_test "monitoring" ./test/vm/monitoring.nix)
|
||||||
);
|
);
|
||||||
|
|
|
@ -7,23 +7,23 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.shb.ldap = {
|
options.shb.ldap = {
|
||||||
enable = lib.mkEnableOption "selfhostblocks.home-assistant";
|
enable = lib.mkEnableOption "the LDAP service";
|
||||||
|
|
||||||
dcdomain = lib.mkOption {
|
dcdomain = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "dc domain for ldap.";
|
description = "dc domain to serve.";
|
||||||
example = "dc=mydomain,dc=com";
|
example = "dc=mydomain,dc=com";
|
||||||
};
|
};
|
||||||
|
|
||||||
subdomain = lib.mkOption {
|
subdomain = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Subdomain under which home-assistant will be served.";
|
description = "Subdomain under which the LDAP service will be served.";
|
||||||
example = "grafana";
|
example = "grafana";
|
||||||
};
|
};
|
||||||
|
|
||||||
domain = lib.mkOption {
|
domain = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "domain under which home-assistant will be served.";
|
description = "Domain under which the LDAP service will be served.";
|
||||||
example = "mydomain.com";
|
example = "mydomain.com";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -33,43 +33,38 @@ in
|
||||||
default = 3890;
|
default = 3890;
|
||||||
};
|
};
|
||||||
|
|
||||||
httpPort = lib.mkOption {
|
webUIListenPort = lib.mkOption {
|
||||||
type = lib.types.port;
|
type = lib.types.port;
|
||||||
description = "Port on which the web UI is exposed.";
|
description = "Port on which the web UI is exposed.";
|
||||||
default = 17170;
|
default = 17170;
|
||||||
};
|
};
|
||||||
|
|
||||||
sopsFile = lib.mkOption {
|
ldapUserPasswordFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.path;
|
||||||
description = "Sops file location";
|
description = "File containing the LDAP admin user password.";
|
||||||
example = "secrets/ldap.yaml";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
localNetworkIPRange = lib.mkOption {
|
jwtSecretFile = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "File containing the JWT secret.";
|
||||||
|
};
|
||||||
|
|
||||||
|
restrictAccessIPRange = lib.mkOption {
|
||||||
type = lib.types.nullOr lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
description = "Local network range, to restrict access to the UI to only those IPs.";
|
description = "Set a local network range to restrict access to the UI to only those IPs.";
|
||||||
example = "192.168.1.1/24";
|
example = "192.168.1.1/24";
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
debug = lib.mkOption {
|
||||||
|
description = "Enable debug logging.";
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
sops.secrets."lldap/user_password" = {
|
|
||||||
inherit (cfg) sopsFile;
|
|
||||||
mode = "0440";
|
|
||||||
owner = "lldap";
|
|
||||||
group = "lldap";
|
|
||||||
restartUnits = [ "lldap.service" ];
|
|
||||||
};
|
|
||||||
sops.secrets."lldap/jwt_secret" = {
|
|
||||||
inherit (cfg) sopsFile;
|
|
||||||
mode = "0440";
|
|
||||||
owner = "lldap";
|
|
||||||
group = "lldap";
|
|
||||||
restartUnits = [ "lldap.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -80,8 +75,8 @@ in
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
'' + (if isNull cfg.localNetworkIPRange then "" else ''
|
'' + (if isNull cfg.restrictAccessIPRange then "" else ''
|
||||||
allow ${cfg.localNetworkIPRange};
|
allow ${cfg.restrictAccessIPRange};
|
||||||
deny all;
|
deny all;
|
||||||
'');
|
'');
|
||||||
proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/";
|
proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/";
|
||||||
|
@ -103,23 +98,23 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap/jwt_secret";
|
LLDAP_JWT_SECRET_FILE = toString cfg.jwtSecretFile;
|
||||||
LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap/user_password";
|
LLDAP_LDAP_USER_PASS_FILE = toString cfg.ldapUserPasswordFile;
|
||||||
|
|
||||||
# RUST_LOG = "debug";
|
RUST_LOG = lib.mkIf cfg.debug "debug";
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
http_url = "https://${fqdn}";
|
http_url = "https://${fqdn}";
|
||||||
http_host = "127.0.0.1";
|
http_host = "127.0.0.1";
|
||||||
http_port = cfg.httpPort;
|
http_port = cfg.webUIListenPort;
|
||||||
|
|
||||||
ldap_host = "127.0.0.1";
|
ldap_host = "127.0.0.1";
|
||||||
ldap_port = cfg.ldapPort;
|
ldap_port = cfg.ldapPort;
|
||||||
|
|
||||||
ldap_base_dn = cfg.dcdomain;
|
ldap_base_dn = cfg.dcdomain;
|
||||||
|
|
||||||
# verbose = true;
|
verbose = cfg.debug;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
77
test/vm/ldap.nix
Normal file
77
test/vm/ldap.nix
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
{ pkgs, lib, ... }:
|
||||||
|
{
|
||||||
|
auth = pkgs.nixosTest {
|
||||||
|
name = "ldap-auth";
|
||||||
|
|
||||||
|
nodes.server = { config, pkgs, ... }: {
|
||||||
|
imports = [
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
shb.ssl.enable = lib.mkEnableOption "ssl";
|
||||||
|
shb.backup = lib.mkOption { type = lib.types.anything; };
|
||||||
|
};
|
||||||
|
}
|
||||||
|
../../modules/blocks/ldap.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
shb.ldap = {
|
||||||
|
enable = true;
|
||||||
|
dcdomain = "dc=example,dc=com";
|
||||||
|
subdomain = "ldap";
|
||||||
|
domain = "example.com";
|
||||||
|
ldapUserPasswordFile = pkgs.writeText "user_password" "securepw";
|
||||||
|
jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
|
||||||
|
debug = true;
|
||||||
|
};
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 ]; # nginx port
|
||||||
|
};
|
||||||
|
|
||||||
|
nodes.client = {};
|
||||||
|
|
||||||
|
# Inspired from https://github.com/lldap/lldap/blob/33f50d13a2e2d24a3e6bb05a148246bc98090df0/example_configs/lldap-ha-auth.sh
|
||||||
|
testScript = { nodes, ... }: ''
|
||||||
|
import json
|
||||||
|
|
||||||
|
start_all()
|
||||||
|
server.wait_for_unit("lldap.service")
|
||||||
|
|
||||||
|
with subtest("fail without authenticating"):
|
||||||
|
client.fail(
|
||||||
|
"curl -f -s -X GET"
|
||||||
|
+ """ -H "Content-type: application/json" """
|
||||||
|
+ """ -H "Host: ldap.example.com" """
|
||||||
|
+ " http://server/api/graphql"
|
||||||
|
)
|
||||||
|
|
||||||
|
with subtest("fail authenticating with wrong credentials"):
|
||||||
|
client.fail(
|
||||||
|
"curl -f -s -X POST"
|
||||||
|
+ """ -H "Content-type: application/json" """
|
||||||
|
+ """ -H "Host: ldap.example.com" """
|
||||||
|
+ " http://server/auth/simple/login"
|
||||||
|
+ """ -d '{"username": "admin", "password": "wrong"}'"""
|
||||||
|
)
|
||||||
|
|
||||||
|
with subtest("succeed with correct authentication"):
|
||||||
|
token = json.loads(client.succeed(
|
||||||
|
"curl -f -s -X POST "
|
||||||
|
+ """ -H "Content-type: application/json" """
|
||||||
|
+ """ -H "Host: ldap.example.com" """
|
||||||
|
+ " http://server/auth/simple/login "
|
||||||
|
+ """ -d '{"username": "admin", "password": "securepw"}' """
|
||||||
|
))['token']
|
||||||
|
|
||||||
|
data = json.loads(client.succeed(
|
||||||
|
"curl -f -s -X POST "
|
||||||
|
+ """ -H "Content-type: application/json" """
|
||||||
|
+ """ -H "Host: ldap.example.com" """
|
||||||
|
+ """ -H "Authorization: Bearer {token}" """.format(token=token)
|
||||||
|
+ " http://server/api/graphql "
|
||||||
|
+ """ -d '{"variables": {"id": "admin"}, "query":"query($id:String!){user(userId:$id){displayName groups{displayName}}}"}' """
|
||||||
|
))['data']
|
||||||
|
|
||||||
|
assert data['user']['displayName'] == "Administrator"
|
||||||
|
assert data['user']['groups'][0]['displayName'] == "lldap_admin"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue