test/unit/auth_sources/auth_source_ldap_test.rb

# encoding: utf-8
require 'test_helper'

class AuthSourceLdapTest < ActiveSupport::TestCase
  def setup
    @auth_source_ldap = FactoryGirl.create(:auth_source_ldap)
    User.current = users(:admin)
  end

  test "should exists a name" do
    missing(:name)
    refute @auth_source_ldap.save

    set(:name)
    assert @auth_source_ldap.save
  end

  test "should exists a host" do
    missing(:host)
    refute @auth_source_ldap.save

    set(:host)
    assert @auth_source_ldap.save
  end

  test "should exists a attr_login" do
    missing(:attr_login)
    @auth_source_ldap.onthefly_register = true
    refute @auth_source_ldap.save

    set(:attr_login)
    set(:attr_firstname)
    set(:attr_lastname)
    set(:attr_mail)
    @auth_source_ldap.onthefly_register = true
    assert @auth_source_ldap.save
  end

  test "after initialize if port == 0 should automatically change to 389" do
    other_auth_source_ldap = AuthSourceLdap.new
    assert_equal 389, other_auth_source_ldap.port
  end

  test "the name should not exceed the 60 characters" do
    missing(:name)
    assigns_a_string_of_length_greater_than(60, :name=)
    refute @auth_source_ldap.save
  end

  test "the host should not exceed the 60 characters" do
    missing(:host)
    assigns_a_string_of_length_greater_than(60, :host=)
    refute @auth_source_ldap.save
  end

  test "the account_password should not exceed the 60 characters" do
    assigns_a_string_of_length_greater_than(60, :account_password=)
    refute @auth_source_ldap.save
  end

  test "the account should not exceed the 255 characters" do
    assigns_a_string_of_length_greater_than(255, :account=)
    refute @auth_source_ldap.save
  end

  test "the base_dn should not exceed the 255 characters" do
    assigns_a_string_of_length_greater_than(255, :base_dn=)
    refute @auth_source_ldap.save
  end

  test "the ldap_filter should not exceed the 255 characters" do
    assigns_a_string_of_length_greater_than(255, :ldap_filter=)
    refute @auth_source_ldap.save
  end

  test "the attr_login should not exceed the 30 characters" do
    missing(:attr_login)
    assigns_a_string_of_length_greater_than(30, :attr_login=)
    refute @auth_source_ldap.save
  end

  test "the attr_firstname should not exceed the 30 characters" do
    assigns_a_string_of_length_greater_than(30, :attr_firstname=)
    refute @auth_source_ldap.save
  end

  test "the attr_lastname should not exceed the 30 characters" do
    assigns_a_string_of_length_greater_than(30, :attr_lastname=)
    refute @auth_source_ldap.save
  end

  test "the attr_mail should not exceed the 30 characters" do
    assigns_a_string_of_length_greater_than(30, :attr_mail=)
    refute @auth_source_ldap.save
  end

  test "port should be a integer" do
    missing(:port)
    @auth_source_ldap.port = "crap"
    refute @auth_source_ldap.save

    @auth_source_ldap.port = 123
    assert @auth_source_ldap.save
  end

  test "invalid ldap_filter fails validation" do
    @auth_source_ldap.ldap_filter = "("
    refute @auth_source_ldap.valid?
  end

  test "valid ldap_filter passes validation" do
    missing(:ldap_filter)
    assert @auth_source_ldap.valid?

    @auth_source_ldap.ldap_filter = ""
    assert @auth_source_ldap.valid?

    @auth_source_ldap.ldap_filter = "   "
    assert @auth_source_ldap.valid?

    @auth_source_ldap.ldap_filter = "key=value"
    assert @auth_source_ldap.valid?
  end

  test "should strip the ldap attributes before validate" do
    @auth_source_ldap.attr_login = "following spaces    "
    @auth_source_ldap.attr_firstname = "following spaces    "
    @auth_source_ldap.attr_lastname = "following spaces    "
    @auth_source_ldap.attr_mail = "following spaces    "
    @auth_source_ldap.save

    assert_equal "following spaces", @auth_source_ldap.attr_login
    assert_equal "following spaces", @auth_source_ldap.attr_firstname
    assert_equal "following spaces", @auth_source_ldap.attr_lastname
    assert_equal "following spaces", @auth_source_ldap.attr_mail
  end

  test "return nil if login is blank or password is blank" do
    assert_nil @auth_source_ldap.authenticate("", "")
  end

  test "when auth_method_name is applied should return 'LDAP'" do
    @auth_source_ldap.save

    assert_equal 'LDAP', @auth_source_ldap.auth_method_name
  end

  test "ldap user should be able to login" do
    # stubs out all the actual ldap connectivity, but tests the authenticate
    # method of auth_source_ldap
    setup_ldap_stubs
    LdapFluff.any_instance.stubs(:authenticate?).returns(true)
    LdapFluff.any_instance.stubs(:group_list).returns([])
    assert_not_nil AuthSourceLdap.authenticate("test123", "changeme")
  end

  test "attributes should be encoded and handled in UTF-8" do
    # stubs out all the actual ldap connectivity, but tests the authenticate
    # method of auth_source_ldap
    setup_ldap_stubs('Bär')
    LdapFluff.any_instance.stubs(:authenticate?).returns(true)
    LdapFluff.any_instance.stubs(:group_list).returns([])
    attrs = AuthSourceLdap.authenticate('Bär', 'changeme')
    assert_equal Encoding::UTF_8, attrs[:firstname].encoding
    assert_equal 'Bär', attrs[:firstname]
  end

  test 'update_usergroups returns if entry does not belong to any group' do
    setup_ldap_stubs
    ExternalUsergroup.any_instance.expects(:refresh).never
    LdapFluff.any_instance.expects(:group_list).with('test').returns([])
    @auth_source_ldap.send(:update_usergroups, 'test')
  end

  context 'refresh ldap' do
    setup do
      setup_ldap_stubs
      LdapFluff.any_instance.expects(:group_list).with('test').returns(['ipausers'])
    end

    test 'update_usergroups calls refresh_ldap if entry belongs to some group' do
      @auth_source_ldap.expects(:valid_group?).with('ipausers').returns(true)
      FactoryGirl.create(:external_usergroup, :name => 'ipausers', :auth_source => @auth_source_ldap)
      ExternalUsergroup.any_instance.expects(:refresh)
      @auth_source_ldap.send(:update_usergroups, 'test')
    end

    test 'update_usergroups matches LDAP gids with external user groups case insensitively' do
      @auth_source_ldap.expects(:valid_group?).with('IPAUSERS').returns(true)
      external = FactoryGirl.create(:external_usergroup, :auth_source => @auth_source_ldap, :name => 'IPAUSERS')
      ldap_user = FactoryGirl.create(:user, :login => 'JohnSmith', :mail => 'a@b.com', :auth_source => @auth_source_ldap)
      AuthSourceLdap.any_instance.expects(:users_in_group).with('IPAUSERS').returns(['JohnSmith'])
      @auth_source_ldap.send(:update_usergroups, 'test')
      assert_include ldap_user.usergroups, external.usergroup
    end

    test 'update_usergroups refreshes on all external user groups, in LDAP and in Foreman auth source' do
      @auth_source_ldap.expects(:valid_group?).with('external_usergroup1').returns(true)
      external = FactoryGirl.create(:external_usergroup, :auth_source => @auth_source_ldap)
      User.any_instance.expects(:external_usergroups).returns([external])
      @auth_source_ldap.send(:update_usergroups, 'test')
    end
  end

  test 'update_usergroups is no-op with $login service account' do
    ldap = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login')
    User.any_instance.expects(:external_usergroups).never
    ExternalUsergroup.any_instance.expects(:refresh).never
    ldap.send(:update_usergroups, 'test')
  end

  test 'update_usergroups is no-op with usergroup_sync=false' do
    ldap = FactoryGirl.build(:auth_source_ldap, :usergroup_sync => false)
    User.any_instance.expects(:external_usergroups).never
    ExternalUsergroup.any_instance.expects(:refresh).never
    ldap.send(:update_usergroups, 'test')
  end

  test '#to_config with dedicated service account returns hash' do
    conf = FactoryGirl.build(:auth_source_ldap, :service_account).to_config
    assert_kind_of Hash, conf
    refute conf[:anon_queries]
  end

  test '#to_config with $login service account and no username fails' do
    ldap = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login')
    assert_raise(Foreman::Exception) { ldap.to_config }
  end

  test '#to_config with $login service account and username returns hash with service user' do
    conf = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login').to_config('user', 'pass')
    assert_kind_of Hash, conf
    refute conf[:anon_queries]
    assert_equal 'DOMAIN/user', conf[:service_user]
  end

  test '#to_config with no service account returns hash with anonymous queries' do
    conf = FactoryGirl.build(:auth_source_ldap).to_config('user', 'pass')
    assert_kind_of Hash, conf
    assert conf[:anon_queries]
  end

  test '#to_config keeps encryption nil if tls is not used' do
    AuthSourceLdap.any_instance.stubs(:tls => false)
    conf = FactoryGirl.build(:auth_source_ldap).to_config('user', 'pass')
    assert_nil conf[:encryption]
  end

  test '#to_config enforces verify_mode peer for tls' do
    AuthSourceLdap.any_instance.stubs(:tls => true)
    conf = FactoryGirl.build(:auth_source_ldap).to_config('user', 'pass')
    assert_kind_of Hash, conf[:encryption]
    assert_equal OpenSSL::SSL::VERIFY_PEER, conf[:encryption][:tls_options][:verify_mode]
  end

  test '#ldap_con does not cache connections with user auth' do
    ldap = FactoryGirl.build(:auth_source_ldap, :account => 'DOMAIN/$login')
    refute_equal ldap.ldap_con('user', 'pass'), ldap.ldap_con('user', 'pass')
  end

  test "test connection succeed" do
    setup_ldap_stubs
    LdapFluff.any_instance.stubs(:test).returns(true)
    assert_nothing_raised {@auth_source_ldap.send(:test_connection)}
  end

  test "test connection failed" do
    setup_ldap_stubs
    LdapFluff.any_instance.stubs(:test).raises(StandardError, 'Exception message')
    assert_raise(Foreman::WrappedException) {@auth_source_ldap.send(:test_connection)}
  end

  context 'account_password encryption' do
    setup do
      AuthSourceLdap.any_instance.expects(:encryption_key).at_least_once
        .returns('25d224dd383e92a7e0c82b8bf7c985e815f34cf5')
    end

    test "account_password is stored encrypted" do
      auth_source = FactoryGirl.create(:auth_source_ldap, :account_password => 'fakepass')
      assert auth_source.is_decryptable?(auth_source.account_password_in_db)
    end
  end

  context 'save external avatar' do
    test 'store_avatar can save 8bit ascii files' do
      auth = AuthSourceLdap.new
      FileUtils.mkdir_p(File.join(Rails.root, 'tmp'))
      file = File.open("#{Rails.root}/tmp/out.txt", 'wb+')
      file_string = File.open(file, 'rb') {|f| f.read} # set the file_string to binary
      file_string += 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVQYV2P4DwABAQEAWk1v8QAAAABJRU5ErkJggg=='
      avatar_hash = Digest::SHA1.hexdigest(file_string)
      assert_equal(Encoding::ASCII_8BIT, file_string.encoding)
      assert_nothing_raised do
        auth.send(:store_avatar, file_string)
      end
      assert(File.exist?("#{Rails.public_path}/assets/avatars/#{avatar_hash}.jpg"))

      File.delete("#{Rails.root}/tmp/out.txt")
      File.delete("#{Rails.public_path}/assets/avatars/#{avatar_hash}.jpg")
    end
  end

  private

  def setup_ldap_stubs(givenname = 'test')
    # stub out all the LDAP connectivity
    entry = Net::LDAP::Entry.new
    {:givenname=>[givenname], :dn=>["uid=test123,cn=users,cn=accounts,dc=example,dc=com"], :mail=>["test123@example.com"], :sn=>["test"]}.each do |k, v|
      entry[k] = v.map { |e| e.encode('UTF-8').force_encoding('ASCII-8BIT') }
    end
    LdapFluff.any_instance.stubs(:valid_user?).returns(true)
    LdapFluff.any_instance.stubs(:find_user).returns([entry])
  end

  def missing(attr)
    @auth_source_ldap.send("#{attr}=", nil)
  end

  def set(attr)
    @auth_source_ldap.send("#{attr}=", FactoryGirl.attributes_for(:auth_source_ldap)[attr])
  end

  def assigns_a_string_of_length_greater_than(length, method)
    @auth_source_ldap.send method, "this is010this is020this is030this is040this is050this is060this is070this is080this is090this is100this is110this is120this is130this is140this is150this is160this is170this is180this is190this is200this is210this is220this is230this is240this is250 and something else"
  end
end