Add a pipeline job to test LDAP integration

closes: #1124

.ci/scripts/ldap_config.sh

@@ -0,0 +1,137 @@
+#!/bin/bash
+
+set -eu
+
+function deploy_ldap_server {
+kubectl apply -f-<<EOF
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ldap-server
+  labels:
+    app.kubernetes.io/name: ldap
+spec:
+  containers:
+  - name: ldap
+    image: docker.io/osixia/openldap:1.3.0
+    ports:
+    - containerPort: 389
+    - containerPort: 636
+    env:
+    - name: LDAP_TLS_VERIFY_CLIENT
+      value: try
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap
+spec:
+  selector:
+    app.kubernetes.io/name: ldap
+  ports:
+    - name: ldap-389
+      protocol: TCP
+      port: 389
+      targetPort: 389
+    - name: ldap-636
+      protocol: TCP
+      port: 636
+      targetPort: 636
+EOF
+}
+
+function add_users_and_groups {
+kubectl exec -i ldap-server -- bash << COMMANDS
+cat<<EOF>/tmp/a
+dn: ou=users,dc=example,dc=org
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=example,dc=org
+objectClass: organizationalUnit
+ou: groups
+EOF
+
+cat<<EOF>/tmp/b
+dn: uid=alice,ou=users,dc=example,dc=org
+changetype: add
+objectClass: inetOrgPerson
+givenName: Alice
+sn: Smith
+mail: alice@example.com
+cn: Alice Smith
+uid: alice
+
+dn: uid=bob,ou=users,dc=example,dc=org
+changetype: add
+objectClass: inetOrgPerson
+givenName: Bob
+sn: Traveller
+mail: bob@example.com
+cn: Bob Traveller
+uid: bob
+
+dn: uid=eve,ou=users,dc=example,dc=org
+changetype: add
+objectClass: inetOrgPerson
+givenName: Eve
+sn: Evil
+mail: eve@example.com
+cn: Eve Evil
+uid: eve
+EOF
+
+cat<<EOF>/tmp/c
+dn: cn=fileGlobalAdmin,ou=groups,dc=example,dc=org
+cn: fileGlobalAdmin
+gidnumber: 10004
+memberuid: alice
+objectclass: posixGroup
+objectclass: top
+EOF
+
+
+ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/a
+ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/b
+ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/c
+
+ldappasswd -s alice -D "cn=admin,dc=example,dc=org" -x "uid=alice,ou=users,dc=example,dc=org" -w admin
+ldappasswd -s bob -D "cn=admin,dc=example,dc=org" -x "uid=bob,ou=users,dc=example,dc=org" -w admin
+ldappasswd -s eve -D "cn=admin,dc=example,dc=org" -x "uid=eve,ou=users,dc=example,dc=org" -w admin
+
+COMMANDS
+}
+
+function build_pulp_minimal_image {
+cat<<EOF>/tmp/Dockerfile
+FROM quay.io/pulp/pulp-minimal:stable
+RUN pip3 install django-auth-ldap==4.6.0
+RUN sed -i '126i \            if options != None:' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
+RUN sed -i '127i \                options = {int(k):v for k,v in options.items()}' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
+RUN sed -i '859i \                optInt = int(opt)' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
+RUN sed -i '860s/opt, value/optInt, value/' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py
+EOF
+
+docker build --no-cache -t localhost/pulp-minimal:stable -f /tmp/Dockerfile /tmp
+
+# for reference, if deploying in a kind cluster with a local registry
+#docker build --no-cache -t localhost:5001/pulp-minimal:stable -f /tmp/Dockerfile /tmp
+#docker push localhost:5001/pulp-minimal:stable
+}
+
+
+echo "Deploying ldap server as a pod ..."
+deploy_ldap_server
+kubectl wait --for=condition=Ready pod/ldap-server
+sleep 5
+kubectl exec ldap-server -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
+
+echo "Creating ldap users and groups ..."
+add_users_and_groups
+
+echo "Checking users ..."
+kubectl exec ldap-server -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
+
+echo "Building pulp-minimal image with django-auth-ldap support ..."
+build_pulp_minimal_image

.ci/scripts/ldap_test.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+DEPLOYMENT_NAME="example-pulp-api"
+
+echo "Verifying ldap authentication ..."
+TEST_1=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ualice:alice localhost:24817/pulp/api/v3/content/)
+TEST_2=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ualice:aaaaa localhost:24817/pulp/api/v3/content/)
+TEST_3=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ubob:bob localhost:24817/pulp/api/v3/content/)
+TEST_4=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ubob:aaaaa localhost:24817/pulp/api/v3/content/)
+TEST_5=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ueve:eve localhost:24817/pulp/api/v3/content/)
+TEST_6=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ueve:aaaaa localhost:24817/pulp/api/v3/content/)
+
+declare -A tests
+tests=( ["TEST_1"]="200" ["TEST_2"]="401" ["TEST_3"]="200" ["TEST_4"]="401" ["TEST_5"]="200" ["TEST_6"]="401" )
+
+
+for test in ${!tests[@]} ; do
+  echo -n "$test: ${tests[$test]} "
+  if [[ ${!test} != ${tests[$test]} ]] ; then
+    echo "[ERR]"
+    exit 1
+  else
+    echo "[OK]"
+  fi
+done
+
+
+echo "LDAP auth ok"

.github/workflows/ci.yml

@@ -365,6 +365,7 @@ jobs:
           - COMPONENT_TYPE: ingress
           - COMPONENT_TYPE: nodeport
           - COMPONENT_TYPE: telemetry
+          - COMPONENT_TYPE: ldap
     steps:
       - uses: actions/checkout@v3
         with:
@@ -451,6 +452,9 @@ jobs:
             kubectl apply -f config/samples/simple.ingress.yaml
           elif [[ "$COMPONENT_TYPE" == "telemetry" ]]; then
             kubectl apply -f config/samples/telemetry.yaml
+          elif [[ "$COMPONENT_TYPE" == "ldap" ]]; then
+            .ci/scripts/ldap_config.sh
+            kubectl apply -f config/samples/ldap.yaml
           else
             kubectl apply -f config/samples/simple.yaml
           fi
@@ -469,6 +473,8 @@ jobs:
           .ci/scripts/pulp_tests.sh -m
           if [[ "$COMPONENT_TYPE" == "telemetry" ]]; then
             .ci/scripts/telemetry.sh
+          elif [[ "$COMPONENT_TYPE" == "ldap" ]] ; then
+            .ci/scripts/ldap_test.sh
           fi
         shell: bash
         env:

CHANGES/1124.misc

@@ -0,0 +1 @@
+Added a pipeline job to test ldap integration.

config/samples/ldap.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pulp-ldap-secret
+stringData:
+  auth_ldap_server_uri: "ldap://ldap.pulp-operator-system.svc"
+  auth_ldap_bind_dn: "cn=admin,dc=example,dc=org"
+  auth_ldap_bind_password: "admin"
+  auth_ldap_group_search: LDAPSearch("ou=groups,dc=example,dc=org",ldap.SCOPE_SUBTREE,"(objectClass=posixGroup)")
+  auth_ldap_user_search: LDAPSearch("ou=users,dc=example,dc=org", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
+  auth_ldap_group_type: PosixGroupType(name_attr='cn')
+---
+apiVersion: repo-manager.pulpproject.org/v1beta2
+kind: Pulp
+metadata:
+  name: example-pulp
+spec:
+  image: localhost/pulp-minimal
+  image_version: stable
+  image_web_version: stable
+  ldap:
+    config: pulp-ldap-secret
+  api:
+    replicas: 1
+  content:
+    replicas: 1
+  worker:
+    replicas: 1
+  web:
+    replicas: 1
+  migration_job:
+    container:
+      resource_requirements:
+        requests:
+          cpu: 1
+        limits:
+          cpu: 1
+  ingress_type: nodeport
+  nodeport_port: 30000
+
+  database:
+    postgres_storage_class: standard
+
+  file_storage_access_mode: "ReadWriteOnce"
+  file_storage_size: "2Gi"
+  file_storage_storage_class: standard
+
+  pulp_settings:
+    api_root: "/pulp/"
+    allowed_export_paths:
+      - /tmp
+    allowed_import_paths:
+      - /tmp
+    telemetry: false
+    token_server: http://nodeport.local:30000/token/
+    content_origin: http://nodeport.local:30000
+    ansible_api_hostname: http://nodeport.local:30000