Merge pull request #3139 from quay/spike/install-certs

Install certs in the config app, small refactor to LDAP validation

util/config/validator.py

@@ -102,7 +102,8 @@ class ValidatorContext(object):
   def __init__(self, config, user_password=None, http_client=None, context=None,
                url_scheme_and_hostname=None, jwt_auth_max=None, registry_title=None,
                ip_resolver=None, feature_sec_scanner=False, is_testing=False,
-               uri_creator=None, config_provider=None, instance_keys=None):
+               uri_creator=None, config_provider=None, instance_keys=None,
+               init_scripts_location=None):
     self.config = config
     self.user = get_authenticated_user()
     self.user_password = user_password
@@ -117,10 +118,11 @@ class ValidatorContext(object):
     self.uri_creator = uri_creator
     self.config_provider = config_provider
     self.instance_keys = instance_keys
+    self.init_scripts_location = init_scripts_location
 
   @classmethod
   def from_app(cls, app, config, user_password, ip_resolver, instance_keys, client=None,
-               config_provider=None):
+               config_provider=None, init_scripts_location=None):
     """
     Creates a ValidatorContext from an app config, with a given config to validate
     :param app: the Flask app to pull configuration information from
@@ -128,9 +130,10 @@ class ValidatorContext(object):
     :param user_password: request password
     :param instance_keys: The instance keys handler
     :param ip_resolver: an App
-    :param client:
-    :param config_provider:
-    :return:
+    :param client: http client used to connect to services
+    :param config_provider: config provider used to access config volume(s)
+    :param init_scripts_location: location where initial load scripts are stored
+    :return: ValidatorContext
     """
     url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app.config)
 
@@ -146,4 +149,5 @@ class ValidatorContext(object):
                is_testing=app.config.get('TESTING', False),
                uri_creator=get_blob_download_uri_getter(app.test_request_context('/'), url_scheme_and_hostname),
                config_provider=config_provider,
-               instance_keys=instance_keys)
+               instance_keys=instance_keys,
+               init_scripts_location=init_scripts_location)

util/config/validators/test/test_validate_ldap.py

@@ -47,22 +47,21 @@ def test_invalid_uri(uri, app):
     LDAPValidator.validate(config)
 
 
-@pytest.mark.parametrize('username, password, expected_exception', [
-  ('invaliduser', 'invalidpass', ConfigValidationException),
-  ('someuser', 'invalidpass', ConfigValidationException),
-  ('invaliduser', 'somepass', ConfigValidationException),
-  ('someuser', 'somepass', None),
+@pytest.mark.parametrize('admin_dn, admin_passwd, user_rdn, expected_exception', [
+  ('uid=testy,ou=employees,dc=quay,dc=io', 'password', ['ou=employees'], None),
+  ('uid=invalidadmindn', 'password', ['ou=employees'], ConfigValidationException),
+  ('uid=testy,ou=employees,dc=quay,dc=io', 'invalid_password', ['ou=employees'], ConfigValidationException),
+  ('uid=testy,ou=employees,dc=quay,dc=io', 'password', ['ou=invalidgroup'], ConfigValidationException),
 ])
-def test_validated_ldap(username, password, expected_exception, app):
+def test_validated_ldap(admin_dn, admin_passwd, user_rdn, expected_exception, app):
   config = {}
   config['AUTHENTICATION_TYPE'] = 'LDAP'
   config['LDAP_BASE_DN'] = ['dc=quay', 'dc=io']
-  config['LDAP_ADMIN_DN'] = 'uid=testy,ou=employees,dc=quay,dc=io'
-  config['LDAP_ADMIN_PASSWD'] = 'password'
-  config['LDAP_USER_RDN'] = ['ou=employees']
+  config['LDAP_ADMIN_DN'] = admin_dn
+  config['LDAP_ADMIN_PASSWD'] = admin_passwd
+  config['LDAP_USER_RDN'] = user_rdn
 
-  unvalidated_config = ValidatorContext(config, user_password=password, config_provider=config_provider)
-  unvalidated_config.user = AttrDict(dict(username=username))
+  unvalidated_config = ValidatorContext(config, config_provider=config_provider)
 
   if expected_exception is not None:
     with pytest.raises(ConfigValidationException):

util/config/validators/validate_ldap.py

@@ -13,16 +13,16 @@ class LDAPValidator(BaseValidator):
   def validate(cls, validator_context):
     """ Validates the LDAP connection. """
     config = validator_context.config
-    user = validator_context.user
-    user_password = validator_context.user_password
     config_provider = validator_context.config_provider
+    init_scripts_location = validator_context.init_scripts_location
 
     if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
       return
 
     # If there is a custom LDAP certificate, then reinstall the certificates for the container.
     if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
-      subprocess.check_call([os.path.join(config_provider.get_config_root(), '../init/certs_install.sh')])
+      subprocess.check_call([os.path.join(init_scripts_location, 'certs_install.sh')],
+                            env={ 'QUAYCONF': config_provider.get_config_dir_path() })
 
     # Note: raises ldap.INVALID_CREDENTIALS on failure
     admin_dn = config.get('LDAP_ADMIN_DN')
@@ -60,10 +60,10 @@ class LDAPValidator(BaseValidator):
     users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
                       allow_tls_fallback, requires_email=requires_email)
 
-    username = user.username
-    (result, err_msg) = users.verify_credentials(username, user_password)
+    # Ensure at least one user exists to verify the connection is setup properly
+    (result, err_msg) = users.at_least_one_user_exists()
     if not result:
-      msg = ('Verification of superuser %s failed: %s. \n\nThe user either does not exist ' +
+      msg = ('Verification that users exist failed: %s. \n\nNo users exist ' +
              'in the remote authentication system ' +
-             'OR LDAP auth is misconfigured.') % (username, err_msg)
+             'OR LDAP auth is misconfigured.') % err_msg
       raise ConfigValidationException(msg)