(DIO-2621) Make LDAP encryption configurable
Prior to this, the encryption settings for LDAP auth were hard-coded to start_tls on port 389 with TLSv1. These remain the defaults, insecure as they are, so as not to break existing users. This change makes it possible to replace the defaults so that simple_tls over port 636 via TLS 1.2 can be used.
This commit is contained in:
parent
5f0d41412c
commit
5cd7658ab4
4 changed files with 123 additions and 65 deletions
|
|
@ -119,6 +119,11 @@ module Vmpooler
|
||||||
parsed_config[:auth][:ldap]['port'] = string_to_int(ENV['LDAP_PORT']) if ENV['LDAP_PORT']
|
parsed_config[:auth][:ldap]['port'] = string_to_int(ENV['LDAP_PORT']) if ENV['LDAP_PORT']
|
||||||
parsed_config[:auth][:ldap]['base'] = ENV['LDAP_BASE'] if ENV['LDAP_BASE']
|
parsed_config[:auth][:ldap]['base'] = ENV['LDAP_BASE'] if ENV['LDAP_BASE']
|
||||||
parsed_config[:auth][:ldap]['user_object'] = ENV['LDAP_USER_OBJECT'] if ENV['LDAP_USER_OBJECT']
|
parsed_config[:auth][:ldap]['user_object'] = ENV['LDAP_USER_OBJECT'] if ENV['LDAP_USER_OBJECT']
|
||||||
|
if parsed_config[:auth]['provider'] == 'ldap' && parsed_config[:auth][:ldap].key?('encryption')
|
||||||
|
parsed_config[:auth][:ldap]['encryption'] = parsed_config[:auth][:ldap]['encryption']
|
||||||
|
elsif parsed_config[:auth]['provider'] == 'ldap'
|
||||||
|
parsed_config[:auth][:ldap]['encryption'] = {}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Create an index of pool aliases
|
# Create an index of pool aliases
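Review bot: The `elsif` branch assigns `{}` when the ldap section has no `encryption` key, but an empty Hash is truthy in Ruby, so the `auth[:ldap]['encryption'] || { ... }` fallback in `authenticate` never fires for file-loaded configs and `Net::LDAP.new` receives `:encryption => {}` with no `:method`; whether that ends in a bind without TLS or in an error depends on the net-ldap version, but it is not the start_tls default the commit message promises. The first branch is a self-assignment and does nothing. Either drop the whole `if`/`elsif` so the key stays absent and the fallback in `authenticate` applies, or set the real default here: `parsed_config[:auth][:ldap]['encryption'] ||= { :method => :start_tls, :tls_options => { :ssl_version => 'TLSv1' } }`. The enclosing method starts outside the hunk.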
|
||||||
|
|
|
||||||
|
|
@ -56,14 +56,11 @@ module Vmpooler
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
def authenticate_ldap(port, host, user_object, base, username_str, password_str)
|
def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str)
|
||||||
ldap = Net::LDAP.new(
|
ldap = Net::LDAP.new(
|
||||||
:host => host,
|
:host => host,
|
||||||
:port => port,
|
:port => port,
|
||||||
:encryption => {
|
:encryption => encryption_hash,
|
||||||
:method => :start_tls,
|
|
||||||
:tls_options => { :ssl_version => 'TLSv1' }
|
|
||||||
},
|
|
||||||
:base => base,
|
:base => base,
|
||||||
:auth => {
|
:auth => {
|
||||||
:method => :simple,
|
:method => :simple,
|
||||||
|
|
@ -86,6 +83,10 @@ module Vmpooler
|
||||||
ldap_port = auth[:ldap]['port'] || 389
|
ldap_port = auth[:ldap]['port'] || 389
|
||||||
ldap_user_obj = auth[:ldap]['user_object']
|
ldap_user_obj = auth[:ldap]['user_object']
|
||||||
ldap_host = auth[:ldap]['host']
|
ldap_host = auth[:ldap]['host']
|
||||||
|
ldap_encryption_hash = auth[:ldap]['encryption'] || {
|
||||||
|
:method => :start_tls,
|
||||||
|
:tls_options => { :ssl_version => 'TLSv1' }
|
||||||
|
}
|
||||||
|
|
||||||
unless ldap_base.is_a? Array
|
unless ldap_base.is_a? Array
|
||||||
ldap_base = ldap_base.split
|
ldap_base = ldap_base.split
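Review bot: `ldap_encryption_hash` only falls back to the start_tls defaults when the key is nil; an empty hash, or one without `:method`, is forwarded to Net::LDAP unchecked, and since it comes straight from the config file nothing here validates it. Treat an empty hash like a missing one and reject unknown methods before binding, e.g. `ldap_encryption_hash = auth[:ldap]['encryption']` then `ldap_encryption_hash = DEFAULT_LDAP_ENCRYPTION if ldap_encryption_hash.nil? || ldap_encryption_hash.empty?` followed by `raise ArgumentError, "unsupported ldap encryption method" unless %i[simple_tls start_tls].include?(ldap_encryption_hash[:method])`. Hoisting the default literal into a frozen `DEFAULT_LDAP_ENCRYPTION` constant on the helper would also stop the spec from having to duplicate it. The new `encryption_hash` parameter in `authenticate_ldap` has no documentation of its expected shape (symbol keys `:method` and `:tls_options`, as `Net::LDAP.new` expects); a one-line comment on the signature would help. `authenticate` continues outside the hunk.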
|
||||||
|
|
@ -100,6 +101,7 @@ module Vmpooler
|
||||||
result = authenticate_ldap(
|
result = authenticate_ldap(
|
||||||
ldap_port,
|
ldap_port,
|
||||||
ldap_host,
|
ldap_host,
|
||||||
|
ldap_encryption_hash,
|
||||||
search_user_obj,
|
search_user_obj,
|
||||||
search_base,
|
search_base,
|
||||||
username_str,
|
username_str,
|
||||||
|
|
|
||||||
|
|
@ -264,24 +264,48 @@ describe Vmpooler::API::Helpers do
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
let(:default_port) { 389 }
|
let(:default_port) { 389 }
|
||||||
|
let(:default_encryption) do
|
||||||
|
{
|
||||||
|
:method => :start_tls,
|
||||||
|
:tls_options => { :ssl_version => 'TLSv1' }
|
||||||
|
}
|
||||||
|
end
|
||||||
it 'should attempt ldap authentication' do
|
it 'should attempt ldap authentication' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when authentication is successful' do
|
it 'should return true when authentication is successful' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base, username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when authentication fails' do
|
it 'should return false when authentication fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with an alternate ssl_version' do
|
||||||
|
let(:secure_encryption) do
|
||||||
|
{
|
||||||
|
:method => :start_tls,
|
||||||
|
:tls_options => { :ssl_version => 'TLSv1_2' }
|
||||||
|
}
|
||||||
|
end
|
||||||
|
before(:each) do
|
||||||
|
auth[:ldap]['encryption'] = secure_encryption
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should specify the alternate ssl_version when authenticating' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, secure_encryption, user_object, base, username_str, password_str)
|
||||||
|
|
||||||
|
subject.authenticate(auth, username_str, password_str)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'with an alternate port' do
|
context 'with an alternate port' do
|
||||||
let(:alternate_port) { 636 }
|
let(:alternate_port) { 636 }
|
||||||
before(:each) do
|
before(:each) do
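Review bot: `default_encryption` re-states the production default literal, so these examples only prove that `authenticate` forwards whatever `auth[:ldap]['encryption']` holds; none of them covers an empty `encryption` hash, which is what the config loader in this commit produces when the key is absent, and which the `||` fallback would pass through unchanged. Add a context with `auth[:ldap]['encryption'] = {}` that pins the intended behaviour, i.e. `expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str)`. If the default is exported as a constant by the helper, `default_encryption` can reference it instead of duplicating the literal, so the spec cannot drift from the code.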
|
||||||
|
|
@ -289,7 +313,27 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should specify the alternate port when authenticating' do
|
it 'should specify the alternate port when authenticating' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(alternate_port, host, user_object, base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(alternate_port, host, default_encryption, user_object, base, username_str, password_str)
|
||||||
|
|
||||||
|
subject.authenticate(auth, username_str, password_str)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with simple_tls and port 636' do
|
||||||
|
let(:secure_port) { 636 }
|
||||||
|
let(:secure_encryption) do
|
||||||
|
{
|
||||||
|
:method => :simple_tls,
|
||||||
|
:tls_options => { :ssl_version => 'TLSv1_2' }
|
||||||
|
}
|
||||||
|
end
|
||||||
|
before(:each) do
|
||||||
|
auth[:ldap]['port'] = secure_port
|
||||||
|
auth[:ldap]['encryption'] = secure_encryption
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should specify the secure port and encryption options when authenticating' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(secure_port, host, secure_encryption, user_object, base, username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
@ -307,36 +351,36 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should attempt to bind with each base' do
|
it 'should attempt to bind with each base' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should not search the second base when the first binds' do
|
it 'should not search the second base when the first binds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[0], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(true)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, user_object, base[1], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the second base when the first bind fails' do
|
it 'should search the second base when the first bind fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when any bind succeeds' do
|
it 'should return true when any bind succeeds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[1], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when all bind attempts fail' do
|
it 'should return false when all bind attempts fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object, base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
@ -354,36 +398,36 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should attempt to bind with each user object' do
|
it 'should attempt to bind with each user object' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should not search the second user object when the first binds' do
|
it 'should not search the second user object when the first binds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base, username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(true)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, user_object[1], base, username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the second user object when the first bind fails' do
|
it 'should search the second user object when the first bind fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when any bind succeeds' do
|
it 'should return true when any bind succeeds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base, username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when all bind attempts fail' do
|
it 'should return false when all bind attempts fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
@ -408,64 +452,64 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should attempt to bind with each user object and base' do
|
it 'should attempt to bind with each user object and base' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should not continue searching when the first combination binds' do
|
it 'should not continue searching when the first combination binds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(true)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the remaining combinations when the first bind fails' do
|
it 'should search the remaining combinations when the first bind fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the remaining combinations when the first two binds fail' do
|
it 'should search the remaining combinations when the first two binds fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the remaining combination when the first three binds fail' do
|
it 'should search the remaining combination when the first three binds fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when any bind succeeds' do
|
it 'should return true when any bind succeeds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when all bind attempts fail' do
|
it 'should return false when all bind attempts fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[0], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, user_object[1], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
@ -493,16 +537,19 @@ describe Vmpooler::API::Helpers do
|
||||||
let(:base) { 'ou=users,dc=example,dc=com' }
|
let(:base) { 'ou=users,dc=example,dc=com' }
|
||||||
let(:username_str) { 'admin' }
|
let(:username_str) { 'admin' }
|
||||||
let(:password_str) { 's3cr3t' }
|
let(:password_str) { 's3cr3t' }
|
||||||
|
let(:encryption) do
|
||||||
|
{
|
||||||
|
:method => :start_tls,
|
||||||
|
:tls_options => { :ssl_version => 'TLSv1' }
|
||||||
|
}
|
||||||
|
end
|
||||||
let(:ldap) { double('ldap') }
|
let(:ldap) { double('ldap') }
|
||||||
it 'should create a new ldap connection' do
|
it 'should create a new ldap connection' do
|
||||||
allow(ldap).to receive(:bind)
|
allow(ldap).to receive(:bind)
|
||||||
expect(Net::LDAP).to receive(:new).with(
|
expect(Net::LDAP).to receive(:new).with(
|
||||||
:host => host,
|
:host => host,
|
||||||
:port => port,
|
:port => port,
|
||||||
:encryption => {
|
:encryption => encryption,
|
||||||
:method => :start_tls,
|
|
||||||
:tls_options => { :ssl_version => 'TLSv1' }
|
|
||||||
},
|
|
||||||
:base => base,
|
:base => base,
|
||||||
:auth => {
|
:auth => {
|
||||||
:method => :simple,
|
:method => :simple,
|
||||||
|
|
@ -511,21 +558,21 @@ describe Vmpooler::API::Helpers do
|
||||||
}
|
}
|
||||||
).and_return(ldap)
|
).and_return(ldap)
|
||||||
|
|
||||||
subject.authenticate_ldap(port, host, user_object, base, username_str, password_str)
|
subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when a bind is successful' do
|
it 'should return true when a bind is successful' do
|
||||||
expect(Net::LDAP).to receive(:new).and_return(ldap)
|
expect(Net::LDAP).to receive(:new).and_return(ldap)
|
||||||
expect(ldap).to receive(:bind).and_return(true)
|
expect(ldap).to receive(:bind).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate_ldap(port, host, user_object, base, username_str, password_str)).to be true
|
expect(subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when a bind fails' do
|
it 'should return false when a bind fails' do
|
||||||
expect(Net::LDAP).to receive(:new).and_return(ldap)
|
expect(Net::LDAP).to receive(:new).and_return(ldap)
|
||||||
expect(ldap).to receive(:bind).and_return(false)
|
expect(ldap).to receive(:bind).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate_ldap(port, host, user_object, base, username_str, password_str)).to be false
|
expect(subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -373,7 +373,11 @@
|
||||||
provider: 'ldap'
|
provider: 'ldap'
|
||||||
:ldap:
|
:ldap:
|
||||||
host: 'ldap.example.com'
|
host: 'ldap.example.com'
|
||||||
port: 389
|
port: 636
|
||||||
|
encryption:
|
||||||
|
:method: :simple_tls
|
||||||
|
:tls_options:
|
||||||
|
:ssl_version: 'TLSv1_2'
|
||||||
base: 'ou=users,dc=company,dc=com'
|
base: 'ou=users,dc=company,dc=com'
|
||||||
user_object: 'uid'
|
user_object: 'uid'
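Review bot: The new `encryption:` block mixes key styles — `host`, `port` and `base` are plain strings while `:method:`, `:tls_options:` and `:ssl_version:` are YAML symbols — and nothing in the example says that the inner keys must be symbols because the hash is handed to `Net::LDAP.new` as-is. The example now shows port 636 with simple_tls while the code default stays 389 with start_tls/TLSv1, which is also worth stating. Add a comment above the block, e.g. `# Passed straight to Net::LDAP; keys under 'encryption' must be symbols (:method, :tls_options). Omitting the block is intended to keep the legacy start_tls/TLSv1 default on port 389.`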
|
||||||
|
|
||||||
|
|
|
||||||