
Add a pipeline job to test LDAP integration
closes: #1124
git-hyagi committed Nov 29, 2023
1 parent a4adf73 commit 2cb116f
Showing 5 changed files with 232 additions and 0 deletions.
137 changes: 137 additions & 0 deletions .ci/scripts/ldap_config.sh
@@ -0,0 +1,137 @@
#!/bin/bash

set -eu

function deploy_ldap_server {
kubectl apply -f-<<EOF
---
apiVersion: v1
kind: Pod
metadata:
name: ldap-server
labels:
app.kubernetes.io/name: ldap
spec:
containers:
- name: ldap
image: docker.io/osixia/openldap:1.3.0
ports:
- containerPort: 389
- containerPort: 636
env:
- name: LDAP_TLS_VERIFY_CLIENT
value: try
---
apiVersion: v1
kind: Service
metadata:
name: ldap
spec:
selector:
app.kubernetes.io/name: ldap
ports:
- name: ldap-389
protocol: TCP
port: 389
targetPort: 389
- name: ldap-636
protocol: TCP
port: 636
targetPort: 636
EOF
}

function add_users_and_groups {
kubectl exec -i ldap-server -- bash << COMMANDS
cat<<EOF>/tmp/a
dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
ou: users
dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit
ou: groups
EOF
cat<<EOF>/tmp/b
dn: uid=alice,ou=users,dc=example,dc=org
changetype: add
objectClass: inetOrgPerson
givenName: Alice
sn: Smith
mail: alice@example.com
cn: Alice Smith
uid: alice
dn: uid=bob,ou=users,dc=example,dc=org
changetype: add
objectClass: inetOrgPerson
givenName: Bob
sn: Traveller
mail: bob@example.com
cn: Bob Traveller
uid: bob
dn: uid=eve,ou=users,dc=example,dc=org
changetype: add
objectClass: inetOrgPerson
givenName: Eve
sn: Evil
mail: eve@example.com
cn: Eve Evil
uid: eve
EOF
cat<<EOF>/tmp/c
dn: cn=fileGlobalAdmin,ou=groups,dc=example,dc=org
cn: fileGlobalAdmin
gidnumber: 10004
memberuid: alice
objectclass: posixGroup
objectclass: top
EOF
ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/a
ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/b
ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/c
ldappasswd -s alice -D "cn=admin,dc=example,dc=org" -x "uid=alice,ou=users,dc=example,dc=org" -w admin
ldappasswd -s bob -D "cn=admin,dc=example,dc=org" -x "uid=bob,ou=users,dc=example,dc=org" -w admin
ldappasswd -s eve -D "cn=admin,dc=example,dc=org" -x "uid=eve,ou=users,dc=example,dc=org" -w admin
COMMANDS
}

function build_pulp_minimal_image {
cat<<EOF>/tmp/Dockerfile
FROM quay.io/pulp/pulp-minimal:stable
RUN pip3 install django-auth-ldap==4.6.0
RUN sed -i '126i \ if options != None:' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
RUN sed -i '127i \ options = {int(k):v for k,v in options.items()}' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
RUN sed -i '859i \ optInt = int(opt)' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
RUN sed -i '860s/opt, value/optInt, value/' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
EOF
docker build --no-cache -t localhost/pulp-minimal:stable -f /tmp/Dockerfile /tmp
# for reference, if deploying in a kind cluster with a local registry
#docker build --no-cache -t localhost:5001/pulp-minimal:stable -f /tmp/Dockerfile /tmp
#docker push localhost:5001/pulp-minimal:stable
}
echo "Deploying ldap server as a pod ..."
deploy_ldap_server
kubectl wait --for=condition=Ready pod/ldap-server
sleep 5
kubectl exec ldap-server -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
echo "Creating ldap users and groups ..."
add_users_and_groups
echo "Checking users ..."
kubectl exec ldap-server -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
echo "Building pulp-minimal image with django-auth-ldap support ..."
build_pulp_minimal_image
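Review bot: A failing `ldapadd` or `ldappasswd` inside add_users_and_groups does not fail the job, because the COMMANDS here-doc is fed to a remote `bash` that runs without `-e` and returns only the status of its last command; the `set -eu` on line 20 governs the outer script, not the shell inside the container. Run it as `kubectl exec -i ldap-server -- bash -e << COMMANDS` (or make `set -e` the first line of the here-doc) so the first rejected LDIF stops the pipeline with the ldapadd error visible instead of surfacing later as an opaque 401 in ldap_test.sh. Separately, the four line-number `sed -i` edits in build_pulp_minimal_image are valid only for the pinned django-auth-ldap==4.6.0 on the python3.8 path and silently insert at the wrong place after any bump; a comment such as `# patch django-auth-ldap 4.6.0 so option keys are cast to int (presumably they arrive as strings from the settings secret); revisit on upgrade` would tell the next maintainer what the patch fixes and when it can be dropped.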
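--- a/.ci/scripts/ldap_test.sh
+++ b/.ci/scripts/ldap_test.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+DEPLOYMENT_NAME="example-pulp-api"
+
+echo "Verifying ldap authentication ..."
+TEST_1=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ualice:alice localhost:24817/pulp/api/v3/content/)
+TEST_2=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ualice:aaaaa localhost:24817/pulp/api/v3/content/)
+TEST_3=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ubob:bob localhost:24817/pulp/api/v3/content/)
+TEST_4=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ubob:aaaaa localhost:24817/pulp/api/v3/content/)
+TEST_5=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ueve:eve localhost:24817/pulp/api/v3/content/)
+TEST_6=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ueve:aaaaa localhost:24817/pulp/api/v3/content/)
+
+declare -A tests
+tests=( ["TEST_1"]="200" ["TEST_2"]="401" ["TEST_3"]="200" ["TEST_4"]="401" ["TEST_5"]="200" ["TEST_6"]="401" )
+
+
+for test in ${!tests[@]} ; do
+echo -n "$test: ${tests[$test]} "
+if [[ ${!test} != ${tests[$test]} ]] ; then
+echo "[ERR]"
+exit 1
+else
+echo "[OK]"
+fi
+done
+
+
+echo "LDAP auth ok"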
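Review bot: The `[ERR]` branch on lines 163-164 exits without printing the status code that was actually received, so a failing run shows only the expected value and whoever reads the log has to rerun the curl by hand; `echo "[ERR] got ${!test}"` makes the failure self-explanatory. The comparison `[[ ${!test} != ${tests[$test]} ]]` leaves both sides unquoted, which turns the right-hand side into a glob pattern; `[[ "${!test}" != "${tests[$test]}" ]]` and `"${!tests[@]}"` in the for loop keep the intent literal and ShellCheck quiet. Note also that the six requests only assert authentication (200 versus 401 on /content/): alice's membership in fileGlobalAdmin, which ldap_config.sh goes to the trouble of creating, is never exercised, so a broken group mapping would still pass this job.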
6 changes: 6 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -365,6 +365,7 @@ jobs:
- COMPONENT_TYPE: ingress
- COMPONENT_TYPE: nodeport
- COMPONENT_TYPE: telemetry
- COMPONENT_TYPE: ldap
steps:
- uses: actions/checkout@v3
with:
Expand Down Expand Up @@ -451,6 +452,9 @@ jobs:
kubectl apply -f config/samples/simple.ingress.yaml
elif [[ "$COMPONENT_TYPE" == "telemetry" ]]; then
kubectl apply -f config/samples/telemetry.yaml
elif [[ "$COMPONENT_TYPE" == "ldap" ]]; then
.ci/scripts/ldap_config.sh
kubectl apply -f config/samples/ldap.yaml
else
kubectl apply -f config/samples/simple.yaml
fi
Expand All @@ -469,6 +473,8 @@ jobs:
.ci/scripts/pulp_tests.sh -m
if [[ "$COMPONENT_TYPE" == "telemetry" ]]; then
.ci/scripts/telemetry.sh
elif [[ "$COMPONENT_TYPE" == "ldap" ]] ; then
.ci/scripts/ldap_test.sh
fi
shell: bash
env:
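Review bot: The sequence on lines 187-188 runs ldap_config.sh, whose `kubectl apply`, `wait` and `exec` calls carry no namespace, before applying config/samples/ldap.yaml, whose auth_ldap_server_uri is fixed to `ldap://ldap.pulp-operator-system.svc`; the two agree only if the job's kubeconfig context already defaults to pulp-operator-system, which this hunk does not show. Passing the namespace explicitly in the script (`kubectl -n pulp-operator-system apply -f-` and likewise on the wait/exec calls) removes the dependence on the current context. The enclosing `run:` step starts and ends outside the hunk.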
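--- a/CHANGES/1124.misc
+++ b/CHANGES/1124.misc
@@ -0,0 +1 @@
+Added a pipeline job to test ldap integration.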
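--- a/config/samples/ldap.yaml
+++ b/config/samples/ldap.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: pulp-ldap-secret
+stringData:
+auth_ldap_server_uri: "ldap://ldap.pulp-operator-system.svc"
+auth_ldap_bind_dn: "cn=admin,dc=example,dc=org"
+auth_ldap_bind_password: "admin"
+auth_ldap_group_search: LDAPSearch("ou=groups,dc=example,dc=org",ldap.SCOPE_SUBTREE,"(objectClass=posixGroup)")
+auth_ldap_user_search: LDAPSearch("ou=users,dc=example,dc=org", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
+auth_ldap_group_type: PosixGroupType(name_attr='cn')
+---
+apiVersion: repo-manager.pulpproject.org/v1beta2
+kind: Pulp
+metadata:
+name: example-pulp
+spec:
+image: localhost/pulp-minimal
+image_version: stable
+image_web_version: stable
+ldap:
+config: pulp-ldap-secret
+api:
+replicas: 1
+content:
+replicas: 1
+worker:
+replicas: 1
+web:
+replicas: 1
+migration_job:
+container:
+resource_requirements:
+requests:
+cpu: 1
+limits:
+cpu: 1
+ingress_type: nodeport
+nodeport_port: 30000
+
+database:
+postgres_storage_class: standard
+
+file_storage_access_mode: "ReadWriteOnce"
+file_storage_size: "2Gi"
+file_storage_storage_class: standard
+
+pulp_settings:
+api_root: "/pulp/"
+allowed_export_paths:
+- /tmp
+allowed_import_paths:
+- /tmp
+telemetry: false
+token_server: http://nodeport.local:30000/token/
+content_origin: http://nodeport.local:30000
+ansible_api_hostname: http://nodeport.local:30000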
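Review bot: The Secret on lines 215-217 binds over plaintext `ldap://` as the directory administrator `cn=admin,dc=example,dc=org` with the password `admin` (presumably the image default, since the fixture pod sets no admin password), so the service bind and every test user's simple bind cross the cluster network unencrypted and the application holds full write rights on the directory; that is acceptable for a CI fixture, but nothing in the file marks it as one. A header comment such as `# CI-only LDAP fixture: plaintext ldap:// and the directory admin as bind DN; a real deployment should use ldaps:// (or START_TLS) and a dedicated read-only bind account` would stop this sample from being copied as a template. It is also worth a one-line comment on `image: localhost/pulp-minimal` that this is the locally patched image produced by .ci/scripts/ldap_config.sh, since the name alone does not say why the stock image is not used.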

0 comments on commit 2cb116f
