Add ability to use bind_as with a service account
This commit is contained in:
parent
7813470288
commit
fdbb0f3a77
5 changed files with 185 additions and 66 deletions
@ -184,6 +184,7 @@ GEM
|
||||||
rspec (~> 3)
|
rspec (~> 3)
|
||||||
|
|
||||||
PLATFORMS
|
PLATFORMS
|
||||||
|
arm64-darwin-22
|
||||||
universal-java-11
|
universal-java-11
|
||||||
x86_64-linux
|
x86_64-linux
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -246,6 +246,18 @@ This can be a string providing a single DN. For multiple DNs please specify the
|
||||||
The LDAP object-type used to designate a user object.
|
The LDAP object-type used to designate a user object.
|
||||||
(optional)
|
(optional)
|
||||||
|
|
||||||
|
### LDAP\_SERVICE_ACCOUNT\_HASH
|
||||||
|
|
||||||
|
A hash containing the following parameters for a service account to perform the
|
||||||
|
initial bind. After the initial bind, then a search query is performed using the
|
||||||
|
'base' and 'user_object', then re-binds as the returned user.
|
||||||
|
|
||||||
|
- :user_dn: The full distinguished name (DN) of the service account used to bind.
|
||||||
|
|
||||||
|
- :password: The password for the service account used to bind.
|
||||||
|
|
||||||
|
(optional)
|
||||||
|
|
||||||
### SITE\_NAME
|
### SITE\_NAME
|
||||||
|
|
||||||
The name of your deployment.
|
The name of your deployment.
|
||||||
|
|
|
||||||
|
|
@ -68,7 +68,7 @@ module Vmpooler
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str)
|
def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str, service_account_hash = nil)
|
||||||
tracer.in_span(
|
tracer.in_span(
|
||||||
"Vmpooler::API::Helpers.#{__method__}",
|
"Vmpooler::API::Helpers.#{__method__}",
|
||||||
attributes: {
|
attributes: {
|
||||||
|
|
@ -79,6 +79,14 @@ module Vmpooler
|
||||||
},
|
},
|
||||||
kind: :client
|
kind: :client
|
||||||
) do
|
) do
|
||||||
|
if service_account_hash
|
||||||
|
username = service_account_hash[:user_dn]
|
||||||
|
password = service_account_hash[:password]
|
||||||
|
else
|
||||||
|
username = "#{user_object}=#{username_str},#{base}"
|
||||||
|
password = password_str
|
||||||
|
end
|
||||||
|
|
||||||
ldap = Net::LDAP.new(
|
ldap = Net::LDAP.new(
|
||||||
:host => host,
|
:host => host,
|
||||||
:port => port,
|
:port => port,
|
||||||
|
|
@ -86,12 +94,22 @@ module Vmpooler
|
||||||
:base => base,
|
:base => base,
|
||||||
:auth => {
|
:auth => {
|
||||||
:method => :simple,
|
:method => :simple,
|
||||||
:username => "#{user_object}=#{username_str},#{base}",
|
:username => username,
|
||||||
:password => password_str
|
:password => password
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
return true if ldap.bind
|
if service_account_hash
|
||||||
|
return true if ldap.bind_as(
|
||||||
|
:base => base,
|
||||||
|
:filter => "(#{user_object}=#{username_str})",
|
||||||
|
:password => password_str
|
||||||
|
)
|
||||||
|
elsif ldap.bind
|
||||||
|
return true
|
||||||
|
else
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
@ -116,6 +134,7 @@ module Vmpooler
|
||||||
:method => :start_tls,
|
:method => :start_tls,
|
||||||
:tls_options => { :ssl_version => 'TLSv1' }
|
:tls_options => { :ssl_version => 'TLSv1' }
|
||||||
}
|
}
|
||||||
|
service_account_hash = auth[:ldap]['service_account_hash']
|
||||||
|
|
||||||
unless ldap_base.is_a? Array
|
unless ldap_base.is_a? Array
|
||||||
ldap_base = ldap_base.split
|
ldap_base = ldap_base.split
|
||||||
|
|
@ -134,7 +153,8 @@ module Vmpooler
|
||||||
search_user_obj,
|
search_user_obj,
|
||||||
search_base,
|
search_base,
|
||||||
username_str,
|
username_str,
|
||||||
password_str
|
password_str,
|
||||||
|
service_account_hash
|
||||||
)
|
)
|
||||||
return true if result
|
return true if result
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
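Review bot: The search filter built for `bind_as` interpolates the caller-supplied `username_str` straight into an LDAP filter string, `:filter => "(#{user_object}=#{username_str})"`, so filter metacharacters in a submitted username alter the query instead of being matched literally; net-ldap's filter API escapes values, so that line should read `:filter => Net::LDAP::Filter.eq(user_object, username_str),`. This matters doubly here because, as far as I recall, `bind_as` binds as the first entry the search returns, so the filter must only ever match the intended account. The unchanged DN string on the `else` branch has the same interpolation, but that is pre-existing rather than introduced here. Neither `username_str` nor `password_str` is checked for being empty before the search and re-bind; unless the caller already rejects them or net-ldap is known to refuse an empty simple bind, a guard such as `return false if password_str.nil? || password_str.empty?` before `Net::LDAP.new` would prevent an empty password from being treated as an unauthenticated bind. The enclosing `authenticate_ldap` opens in the previous hunk and its closing `end` lies outside this one.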
@ -268,22 +268,62 @@ describe Vmpooler::API::Helpers do
|
||||||
:tls_options => { :ssl_version => 'TLSv1' }
|
:tls_options => { :ssl_version => 'TLSv1' }
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
it 'should attempt ldap authentication' do
|
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str)
|
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
context 'without a service account' do
|
||||||
|
it 'should attempt ldap authentication' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str, nil)
|
||||||
|
|
||||||
|
subject.authenticate(auth, username_str, password_str)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return true when authentication is successful' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str, nil).and_return(true)
|
||||||
|
|
||||||
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return false when authentication fails' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str, nil).and_return(false)
|
||||||
|
|
||||||
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when authentication is successful' do
|
context 'with a service account' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str).and_return(true)
|
let(:service_account_hash) do
|
||||||
|
{
|
||||||
|
:user_dn => 'cn=Service Account,ou=users,dc=example,dc=com',
|
||||||
|
:password => 's3cr3t'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
let(:auth) {
|
||||||
|
{
|
||||||
|
'provider' => 'ldap',
|
||||||
|
ldap: {
|
||||||
|
'host' => host,
|
||||||
|
'base' => base,
|
||||||
|
'user_object' => user_object,
|
||||||
|
'service_account_hash' => service_account_hash
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
it 'should attempt ldap authentication' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str, service_account_hash)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when authentication fails' do
|
it 'should return true when authentication is successful' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str, service_account_hash).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return false when authentication fails' do
|
||||||
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base, username_str, password_str, service_account_hash).and_return(false)
|
||||||
|
|
||||||
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with an alternate ssl_version' do
|
context 'with an alternate ssl_version' do
|
||||||
|
|
@ -298,7 +338,7 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should specify the alternate ssl_version when authenticating' do
|
it 'should specify the alternate ssl_version when authenticating' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, secure_encryption, user_object, base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, secure_encryption, user_object, base, username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
@ -311,7 +351,7 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should specify the alternate port when authenticating' do
|
it 'should specify the alternate port when authenticating' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(alternate_port, host, default_encryption, user_object, base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(alternate_port, host, default_encryption, user_object, base, username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
@ -331,7 +371,7 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should specify the secure port and encryption options when authenticating' do
|
it 'should specify the secure port and encryption options when authenticating' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(secure_port, host, secure_encryption, user_object, base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(secure_port, host, secure_encryption, user_object, base, username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
@ -349,36 +389,36 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should attempt to bind with each base' do
|
it 'should attempt to bind with each base' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should not search the second base when the first binds' do
|
it 'should not search the second base when the first binds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str, nil).and_return(true)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the second base when the first bind fails' do
|
it 'should search the second base when the first bind fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when any bind succeeds' do
|
it 'should return true when any bind succeeds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str, nil).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when all bind attempts fail' do
|
it 'should return false when all bind attempts fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object, base[1], username_str, password_str, nil).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
@ -396,36 +436,36 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should attempt to bind with each user object' do
|
it 'should attempt to bind with each user object' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should not search the second user object when the first binds' do
|
it 'should not search the second user object when the first binds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str, nil).and_return(true)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the second user object when the first bind fails' do
|
it 'should search the second user object when the first bind fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when any bind succeeds' do
|
it 'should return true when any bind succeeds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str, nil).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when all bind attempts fail' do
|
it 'should return false when all bind attempts fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base, username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base, username_str, password_str, nil).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
@ -450,64 +490,64 @@ describe Vmpooler::API::Helpers do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should attempt to bind with each user object and base' do
|
it 'should attempt to bind with each user object and base' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should not continue searching when the first combination binds' do
|
it 'should not continue searching when the first combination binds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil).and_return(true)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil)
|
||||||
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
expect(subject).to_not receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the remaining combinations when the first bind fails' do
|
it 'should search the remaining combinations when the first bind fails' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the remaining combinations when the first two binds fail' do
|
it 'should search the remaining combinations when the first two binds fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should search the remaining combination when the first three binds fail' do
|
it 'should search the remaining combination when the first three binds fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil)
|
||||||
|
|
||||||
subject.authenticate(auth, username_str, password_str)
|
subject.authenticate(auth, username_str, password_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return true when any bind succeeds' do
|
it 'should return true when any bind succeeds' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str).and_return(true)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil).and_return(true)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
expect(subject.authenticate(auth, username_str, password_str)).to be true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should return false when all bind attempts fail' do
|
it 'should return false when all bind attempts fail' do
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[0], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[0], base[1], username_str, password_str, nil).and_return(false)
|
||||||
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str).and_return(false)
|
expect(subject).to receive(:authenticate_ldap).with(default_port, host, default_encryption, user_object[1], base[1], username_str, password_str, nil).and_return(false)
|
||||||
|
|
||||||
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
expect(subject.authenticate(auth, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
@ -541,6 +581,12 @@ describe Vmpooler::API::Helpers do
|
||||||
:tls_options => { :ssl_version => 'TLSv1' }
|
:tls_options => { :ssl_version => 'TLSv1' }
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
let(:service_account_hash) do
|
||||||
|
{
|
||||||
|
:user_dn => 'cn=Service Account,ou=users,dc=example,dc=com',
|
||||||
|
:password => 's3cr3t'
|
||||||
|
}
|
||||||
|
end
|
||||||
let(:ldap) { double('ldap') }
|
let(:ldap) { double('ldap') }
|
||||||
it 'should create a new ldap connection' do
|
it 'should create a new ldap connection' do
|
||||||
allow(ldap).to receive(:bind)
|
allow(ldap).to receive(:bind)
|
||||||
|
|
@ -572,6 +618,20 @@ describe Vmpooler::API::Helpers do
|
||||||
|
|
||||||
expect(subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str)).to be false
|
expect(subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str)).to be false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'should return true when a bind_as is successful' do
|
||||||
|
expect(Net::LDAP).to receive(:new).and_return(ldap)
|
||||||
|
expect(ldap).to receive(:bind_as).and_return(true)
|
||||||
|
|
||||||
|
expect(subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str, service_account_hash)).to be true
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should return false when a bind_as fails' do
|
||||||
|
expect(Net::LDAP).to receive(:new).and_return(ldap)
|
||||||
|
expect(ldap).to receive(:bind_as).and_return(false)
|
||||||
|
|
||||||
|
expect(subject.authenticate_ldap(port, host, encryption, user_object, base, username_str, password_str, service_account_hash)).to be false
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
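Review bot: The two new `bind_as` examples stub `expect(ldap).to receive(:bind_as)` with no `.with`, so nothing pins the search arguments the service-account path actually sends, which is the part of this change most worth locking down. I would constrain the stub, e.g. `expect(ldap).to receive(:bind_as).with(hash_including(:base => base, :password => password_str)).and_return(true)`, and add a sibling example whose `username_str` contains LDAP filter metacharacters and asserts that the `:filter` argument matches that value literally. The `authenticate` examples earlier in this section rightly assert that `nil` is forwarded when no service account is configured; an example where `service_account_hash` is present but lacks `:user_dn` or `:password` would also document what the helper does with a misconfigured hash. The enclosing `describe` block starts before the first hunk of this section.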
@ -367,6 +367,15 @@
|
||||||
# - user_object
|
# - user_object
|
||||||
# The LDAP object-type used to designate a user object.
|
# The LDAP object-type used to designate a user object.
|
||||||
#
|
#
|
||||||
|
# - service_account_hash
|
||||||
|
# A hash containing the following parameters for a service account to perform the
|
||||||
|
# initial bind. After the initial bind, then a search query is performed using the
|
||||||
|
# 'base' and 'user_object', then re-binds as the returned user.
|
||||||
|
# - :user_dn
|
||||||
|
# The full distinguished name (DN) of the service account used to bind.
|
||||||
|
# - :password
|
||||||
|
# The password for the service account used to bind.
|
||||||
|
#
|
||||||
# Example:
|
# Example:
|
||||||
# :auth:
|
# :auth:
|
||||||
# provider: 'ldap'
|
# provider: 'ldap'
|
||||||
|
|
@ -375,6 +384,23 @@
|
||||||
# port: 389
|
# port: 389
|
||||||
# base: 'ou=users,dc=company,dc=com'
|
# base: 'ou=users,dc=company,dc=com'
|
||||||
# user_object: 'uid'
|
# user_object: 'uid'
|
||||||
|
#
|
||||||
|
# :auth:
|
||||||
|
# provider: 'ldap'
|
||||||
|
# :ldap:
|
||||||
|
# host: 'ldap.example.com'
|
||||||
|
# port: 636
|
||||||
|
# service_account_hash:
|
||||||
|
# :user_dn: 'cn=Service Account,ou=Accounts,dc=ldap,dc=example,dc=com'
|
||||||
|
# :password: 'service-account-password'
|
||||||
|
# encryption:
|
||||||
|
# :method: :simple_tls
|
||||||
|
# :tls_options:
|
||||||
|
# :ssl_version: 'TLSv1_2'
|
||||||
|
# base:
|
||||||
|
# - 'ou=Accounts,dc=company,dc=com'
|
||||||
|
# user_object:
|
||||||
|
# - 'samAccountName'
|
||||||
|
|
||||||
:auth:
|
:auth:
|
||||||
provider: 'ldap'
|
provider: 'ldap'
|
||||||
|
|
|
||||||