Run LDAP tests in another Rails test environment

docker-compose.openldap.yml

@@ -0,0 +1,22 @@
+services:
+  openldap:
+    image: registry.opensuse.org/opensuse/openldap:2.6.8
+    ports:
+      - "389:389"
+      - "636:636"
+    environment:
+      - LDAP_ADMIN_PASSWORD=opensuse
+      - LDAP_CONFIG_PASSWORD=config
+      - LDAP_SEED_LDIF_PATH=/tmp/ldap_seed_ldif
+      # - LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt
+      # - LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt
+      # - LDAP_TLS_KEY=/etc/openldap/certs/ldap.key
+      # - LDAP_TLS_VERIFY_CLIENT=never
+      # - SLAPD_LOG_LEVEL=3
+    hostname: openldap.example.org
+    volumes:
+      - ./docker-files/openldap/certs:/etc/openldap/certs
+      - ./docker-files/openldap/conf:/etc/openldap/slapd.d
+      - ./docker-files/openldap/db:/var/lib/ldap
+      - ./docker-files/openldap/seed_ldif:/tmp/ldap_seed_ldif
+      # - ./docker-files/openldap/ldap_workbench:/etc/openldap/slapd.d

docker-compose.yml

@@ -4,27 +4,27 @@ services:
     ports:
       - "3306:3306"
     command: /usr/lib/mysql/mysql-systemd-helper start
-  cache:
-    image: registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/memcached
-    ports:
-      - "11211:11211"
-    command: /usr/bin/memcached -u memcached
-  backend:
-    image: registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/backend
-    volumes:
-      - .:/obs:z
-      - ./dist/aws_credentials:/etc/obs/cloudupload/.aws/config:Z
-      - ./dist/ec2utils.conf:/etc/obs/cloudupload/.ec2utils.conf:Z
-      - ./dist/clouduploader.rb:/usr/bin/clouduploader:Z
-    command: /obs/contrib/start_development_backend -d /obs
-  worker:
-    image: registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/backend
-    volumes:
-      - .:/obs:z
-    privileged: true
-    depends_on:
-      - backend
-    command: /obs/contrib/start_development_worker
+  # cache:
+  #   image: registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/memcached
+  #   ports:
+  #     - "11211:11211"
+  #   command: /usr/bin/memcached -u memcached
+  # backend:
+  #   image: registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/backend
+  #   volumes:
+  #     - .:/obs:z
+  #     - ./dist/aws_credentials:/etc/obs/cloudupload/.aws/config:Z
+  #     - ./dist/ec2utils.conf:/etc/obs/cloudupload/.ec2utils.conf:Z
+  #     - ./dist/clouduploader.rb:/usr/bin/clouduploader:Z
+  #   command: /obs/contrib/start_development_backend -d /obs
+  # worker:
+  #   image: registry.opensuse.org/obs/server/unstable/containers/containers/openbuildservice/backend
+  #   volumes:
+  #     - .:/obs:z
+  #   privileged: true
+  #   depends_on:
+  #     - backend
+  #   command: /obs/contrib/start_development_worker
   frontend:
     image: openbuildservice/frontend
     command: foreman start -p 3000
@@ -40,6 +40,6 @@ services:
       - "1080:1080"
     depends_on:
       - db
-      - cache
-      - backend
-      - worker
+    #   - cache
+    #   - backend
+    #   - worker

docker-files/openldap/certs/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

docker-files/openldap/conf/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

docker-files/openldap/db/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

docker-files/openldap/seed_ldif/test_ldap.ldif

@@ -0,0 +1,55 @@
+# extended LDIF
+#
+# LDAPv3
+# base <dc=example,dc=org> with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# groups, example.org
+dn: ou=groups,dc=example,dc=org
+objectClass: organizationalUnit
+ou: groups
+
+# users, groups, example.org
+dn: cn=users,ou=groups,dc=example,dc=org
+objectClass: top
+objectClass: posixGroup
+gidNumber: 100
+cn: users
+
+# people, example.org
+dn: ou=people,dc=example,dc=org
+objectClass: organizationalUnit
+ou: people
+
+# tux, people, example.org
+dn: cn=tux,ou=people,dc=example,dc=org
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+cn: tux
+uid: tux
+uidNumber: 60001
+gidNumber: 100
+homeDirectory: /home/tux
+userPassword:: e1NTSEF9UkJHUmZHVUxQNDdZQTdqQXBxUmJMdmZpNXZTdlJuR3M=
+
+# admins, groups, example.org
+dn: cn=admins,ou=groups,dc=example,dc=org
+objectClass: top
+objectClass: posixGroup
+gidNumber: 200
+cn: admins
+
+# duck, people, example.org
+dn: cn=duck,ou=people,dc=example,dc=org
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+cn: duck
+uid: duck
+uidNumber: 60002
+gidNumber: 200
+homeDirectory: /home/duck
+userPassword:: e1NTSEF9d3Mzb1pVZ3lvbmZOREJIRng4Mi9xd3ZhSjNKVzJoUlQ=

src/api/Gemfile

@@ -173,7 +173,7 @@ group :test do
   gem 'bunny-mock'
 end
 
-group :development, :test do
+group :development, :test, :test_ldap do
   # as testing framework
   gem 'rspec'
   gem 'rspec-rails'

src/api/Procfile

@@ -1,4 +1,4 @@
 web: bin/rails server -b 0.0.0.0
-delayed: bundle exec script/delayed_job.api.rb run
-clock: bin/clockworkd --log-dir=log -l -c config/clock.rb run
+# delayed: bundle exec script/delayed_job.api.rb run
+# clock: bin/clockworkd --log-dir=log -l -c config/clock.rb run
 search: bin/rails sphinx:start_for_development

src/api/app/models/user_ldap_strategy.rb

@@ -15,7 +15,7 @@ def find_group_with_ldap(group)
       result = []
       @@ldap_search_con.search(CONFIG['ldap_group_search_base'], LDAP::LDAP_SCOPE_SUBTREE, filter) do |entry|
         result << entry.dn
-        result << entry.attrs
+        # result << entry.attrs
       end
 
       if result.empty?
@@ -152,19 +152,20 @@ def find_with_credentials(login, password)
     # this method returns a ldap object using the provided user name
     # and password
     def initialize_ldap_con(user_name, password)
-      return unless defined?(CONFIG['ldap_servers'])
+      return if CONFIG['ldap_servers'].blank?
 
       require 'ldap'
       ldap_servers = CONFIG['ldap_servers'].split(':')
 
       # Do 10 attempts to connect to one of the configured LDAP servers. LDAP server
       # to connect to is chosen randomly.
-      (CONFIG['ldap_max_attempts'] || 10).times do
-        server = ldap_servers[rand(ldap_servers.length)]
-        con = try_ldap_con(server, user_name, password)
+      # (CONFIG['ldap_max_attempts'] || 10).times do
+      server = ldap_servers[rand(ldap_servers.length)]
+      con = try_ldap_con(server, user_name, password)
 
-        return con if con.try(:bound?)
-      end
+      return con if con.try(:bound?)
+
+      # end
 
       Rails.logger.error("UserLdapStrategy:: Unable to bind to any of the servers '#{CONFIG['ldap_servers']}'")
       nil
@@ -189,10 +190,11 @@ def try_ldap_con(server, user_name, password)
               end
         con.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
         con.set_option(LDAP::LDAP_OPT_REFERRALS, LDAP::LDAP_OPT_OFF) if CONFIG['ldap_referrals'] == :off
+        # con.set_option(LDAP::LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP::LDAP_OPT_X_TLS_ALLOW) if Rails.env.test_ldap? && (CONFIG['ldap_ssl'] == :on || CONFIG['ldap_start_tls'] == :on)
         con.bind(user_name, password)
-      rescue LDAP::ResultError
+      rescue LDAP::ResultError => e
+        Rails.logger.info("UserLdapStrategy: Failed to bind as user '#{user_name}': #{con.nil? ? e.message : con.err2string(con.err)}")
         con.unbind if con.try(:bound?)
-        Rails.logger.info("UserLdapStrategy: Failed to bind as user '#{user_name}': #{con.err2string(con.err)}")
         return
       end
       Rails.logger.debug { "UserLdapStrategy: Bound as '#{user_name}'" }
@@ -328,7 +330,7 @@ def ldap_user_filter(login)
     def ldap_port
       return CONFIG['ldap_port'] if CONFIG['ldap_port']
 
-      CONFIG['ldap_ssl'] == :on ? 636 : 389
+      CONFIG['ldap_ssl'] == :on || CONFIG['ldap_start_tls'] == :on ? 636 : 389
     end
   end
 

src/api/config/database.yml.example

@@ -42,3 +42,13 @@ test:
   pool: 30
   reconnect: true
 
+test_ldap:
+  adapter: mysql2
+  database: api_test
+  username: root
+  password: opensuse
+  encoding: utf8mb4
+  collation: utf8mb4_unicode_ci
+  timeout: 15
+  pool: 30
+  reconnect: true

src/api/config/environments/test_ldap.rb

@@ -0,0 +1,143 @@
+require "active_support/core_ext/integer/time"
+
+ENV['CACHENAMESPACE'] ||= "obs-api-test-#{Time.now.to_i}"
+ENV['OBS_BACKEND_TEMP'] ||= Dir.mktmpdir('obsbackend', '/var/tmp')
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
+Rails.application.configure do
+  config.active_support.test_order = :sorted # switch to :random ?
+end
+
+# This isn't going to change since this is how we configure Rails
+OBSApi::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+  config.cache_classes = true
+
+  # We set eager loading to true in CI
+  # to run with the same configuration as in production
+  config.eager_load = ENV.fetch('EAGER_LOAD', '0') == '1'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local = true
+  config.action_controller.perform_caching = false
+
+  # Configure public file server for tests with Cache-Control for performance.
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = {
+    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
+  }
+
+  # Raise exceptions instead of rendering exception templates.
+  # config.action_dispatch.show_exceptions = false
+
+  # Store uploaded files on the local file system in a temporary directory.
+  config.active_storage.service = :test
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Enable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = true
+
+  config.action_mailer.perform_caching = false
+
+  config.cache_store = :memory_store
+
+  config.active_support.deprecation = :log
+  # Print deprecation notices to the stderr.
+  #  config.active_support.deprecation = :stderr
+
+  # Expands the lines which load the assets
+  config.assets.debug = false
+  config.assets.log = nil
+  # turn of the asset pipeline log. Previously done by quiet_assets gem.
+  config.assets.quiet = true
+  config.secret_key_base = '92b2ed725cb4d68cc5fbf86d6ba204f1dec4172086ee7eac8f083fb62ef34057f1b770e0722ade7b298837be7399c6152938627e7d15aca5fcda7a4faef91fc7'
+
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
+  # # Bullet configuration
+  # config.after_initialize do
+  #   Bullet.enable = true
+  #   Bullet.bullet_logger = true
+  #   Bullet.raise = false # raise an error if n+1 query occurs
+  # end
+
+  # TODO: This shouldn't be needed when we switch to RSpec completely
+  config.action_dispatch.rescue_responses['ActionController::InvalidAuthenticityToken'] = 950
+
+  config.active_job.queue_adapter = :inline
+
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
+end
+
+CONFIG['response_schema_validation'] = true
+CONFIG['source_url'] = "http://#{CONFIG['source_host']}:#{CONFIG['source_port']}"
+
+# the default is not to write through, only once the backend started
+# we set this to true
+CONFIG['global_write_through'] = false
+
+CONFIG['frontend_host'] = 'localhost'
+CONFIG['frontend_port'] = 3203
+CONFIG['frontend_protocol'] = 'http'
+
+if ENV['RUNNING_MINITEST']
+  CONFIG['source_host'] = 'localhost'
+  CONFIG['source_port'] = '3200'
+end
+
+if ENV['RUNNING_MINITEST_WITH_DOCKER']
+  ENV['BACKEND_STARTED'] = "1"
+  CONFIG['source_host'] = 'backend'
+  CONFIG['source_port'] = '5352'
+end
+
+# Display fake sponsors above the footer on every page
+CONFIG['sponsors'] = [
+  ActiveSupport::HashWithIndifferentAccess.new(
+    name: 'Greens Food Supplies',
+    description: 'Direct delivery service',
+    icon: 'sponsor_greens-food-supplies',
+    url: '#'
+  ),
+  ActiveSupport::HashWithIndifferentAccess.new(
+    name: 'Auto Speed',
+    description: 'Same day auto parts',
+    icon: 'sponsor_auto-speed',
+    url: '#'
+  )
+]
+
+# Making sure that Backend::Logger.info is fully executed to catch potential errors
+CONFIG['extended_backend_log'] = true
+
+# Override LDAP configuration for testing purposes
+CONFIG['ldap_mode'] = :on
+CONFIG['ldap_servers'] = 'openldap'
+# OVERRIDE with your company's ldap search base for the users who will use OBS
+CONFIG['ldap_search_base'] = 'dc=example,dc=org'
+# Sam Account Name is the login name for LDAP
+CONFIG['ldap_search_attr'] = 'cn'
+CONFIG['ldap_name_attr'] = 'cn'
+CONFIG['ldap_search_user'] = 'cn=admin,dc=example,dc=org'
+CONFIG['ldap_search_auth'] = 'opensuse'
+CONFIG['ldap_authenticate'] = :ldap
+CONFIG['ldap_auth_attr'] = 'userPassword'
+CONFIG['ldap_group_search_base'] = 'dc=example,dc=org'
+CONFIG['ldap_group_title_attr'] = 'cn'
+CONFIG['ldap_group_objectclass_attr'] = 'posixGroup'

src/api/docker-files/Dockerfile

@@ -22,6 +22,8 @@ ADD Gemfile /obs/src/api/Gemfile
 ADD Gemfile.lock /obs/src/api/Gemfile.lock
 RUN chown -R frontend /obs/src/api
 
+RUN zypper install -y bind-utils iputils openldap2-client telnet
+
 # Now do the rest as the user with the same ID as the user who
 # builds this container
 USER frontend