Fix setup tool when binding to external auth

We now query the external auth provider for the external service's identifier before adding the linking row into the database. This fixes the case where the external service resolves a different identifier for the same username. Fixes #1477
2016-05-23 15:08:51 -04:00 · 2016-05-23 15:08:51 -04:00 · 60bbca2185
commit 60bbca2185
parent d6b73a41de
6 changed files with 151 additions and 62 deletions
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -15,6 +15,7 @@ from playhouse.test_utils import assert_query_count, _QueryLogHandler
 from httmock import urlmatch, HTTMock
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.backends import default_backend
+from mockldap import MockLdap

 from endpoints.api import api_bp, api
 from endpoints.building import PreparedBuild
@ -3523,6 +3524,51 @@ class TestSuperUserConfig(ApiTestCase):
    json = self.getJsonResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'))
    self.assertTrue(json['exists'])

+  def test_update_with_external_auth(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Run a mock LDAP.
+    mockldap = MockLdap({
+      'dc=quay,dc=io': {'dc': ['quay', 'io']},
+      'ou=employees,dc=quay,dc=io': {
+        'dc': ['quay', 'io'],
+        'ou': 'employees'
+      },
+      'uid=' + ADMIN_ACCESS_USER + ',ou=employees,dc=quay,dc=io': {
+        'dc': ['quay', 'io'],
+        'ou': 'employees',
+        'uid': [ADMIN_ACCESS_USER],
+        'userPassword': ['password'],
+        'mail': [ADMIN_ACCESS_EMAIL],
+      },
+    })
+
+    config = {
+      'AUTHENTICATION_TYPE': 'LDAP',
+      'LDAP_BASE_DN': ['dc=quay', 'dc=io'],
+      'LDAP_ADMIN_DN': 'uid=devtable,ou=employees,dc=quay,dc=io',
+      'LDAP_ADMIN_PASSWD': 'password',
+      'LDAP_USER_RDN': ['ou=employees'],
+      'LDAP_UID_ATTR': 'uid',
+      'LDAP_EMAIL_ATTR': 'mail',
+    }
+
+    mockldap.start()
+    try:
+      # Try writing some config with an invalid password.
+      self.putResponse(SuperUserConfig, data={'config': config, 'hostname': 'foo'}, expected_code=400)
+      self.putResponse(SuperUserConfig,
+                       data={'config': config, 'password': 'invalid', 'hostname': 'foo'}, expected_code=400)
+
+      # Write the config with the valid password.
+      self.putResponse(SuperUserConfig,
+                       data={'config': config, 'password': 'password', 'hostname': 'foo'}, expected_code=200)
+
+      # Ensure that the user row has been linked.
+      self.assertEquals(ADMIN_ACCESS_USER, model.user.verify_federated_login('ldap', ADMIN_ACCESS_USER).username)
+    finally:
+      mockldap.stop()
+


@urlmatch(netloc=r'(.*\.)?mockclairservice', path=r'/v1/layers/(.+)')