diff --git a/.ci/scripts/ldap_config.sh b/.ci/scripts/ldap_config.sh
new file mode 100755
index 000000000..33442ce70
--- /dev/null
+++ b/.ci/scripts/ldap_config.sh
@@ -0,0 +1,137 @@ +#!/bin/bash + +set -eu + +function deploy_ldap_server { +kubectl apply -f-</tmp/a +dn: ou=users,dc=example,dc=org +objectClass: organizationalUnit +ou: users + +dn: ou=groups,dc=example,dc=org +objectClass: organizationalUnit +ou: groups +EOF + +cat</tmp/b +dn: uid=alice,ou=users,dc=example,dc=org +changetype: add +objectClass: inetOrgPerson +givenName: Alice +sn: Smith +mail: alice@example.com +cn: Alice Smith +uid: alice + +dn: uid=bob,ou=users,dc=example,dc=org +changetype: add +objectClass: inetOrgPerson +givenName: Bob +sn: Traveller +mail: bob@example.com +cn: Bob Traveller +uid: bob + +dn: uid=eve,ou=users,dc=example,dc=org +changetype: add +objectClass: inetOrgPerson +givenName: Eve +sn: Evil +mail: eve@example.com +cn: Eve Evil +uid: eve +EOF + +cat</tmp/c +dn: cn=fileGlobalAdmin,ou=groups,dc=example,dc=org +cn: fileGlobalAdmin +gidnumber: 10004 +memberuid: alice +objectclass: posixGroup +objectclass: top +EOF + + +ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/a +ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/b +ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f /tmp/c + +ldappasswd -s alice -D "cn=admin,dc=example,dc=org" -x "uid=alice,ou=users,dc=example,dc=org" -w admin +ldappasswd -s bob -D "cn=admin,dc=example,dc=org" -x "uid=bob,ou=users,dc=example,dc=org" -w admin +ldappasswd -s eve -D "cn=admin,dc=example,dc=org" -x "uid=eve,ou=users,dc=example,dc=org" -w admin + +COMMANDS +} + +function build_pulp_minimal_image { +cat</tmp/Dockerfile +FROM quay.io/pulp/pulp-minimal:stable +RUN pip3 install django-auth-ldap==4.6.0 +RUN sed -i '126i \ if options != None:' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py +RUN sed -i '127i \ options = {int(k):v for k,v in options.items()}' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py +RUN sed -i '859i \ optInt = int(opt)' 
/usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py +RUN sed -i '860s/opt, value/optInt, value/' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py +EOF + +docker build --no-cache -t localhost/pulp-minimal:stable -f /tmp/Dockerfile /tmp + +# for reference, if deploying in a kind cluster with a local registry +#docker build --no-cache -t localhost:5001/pulp-minimal:stable -f /tmp/Dockerfile /tmp +#docker push localhost:5001/pulp-minimal:stable +} + + +echo "Deploying ldap server as a pod ..." +deploy_ldap_server +kubectl wait --for=condition=Ready pod/ldap-server +sleep 5 +kubectl exec ldap-server -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin + +echo "Creating ldap users and groups ..." +add_users_and_groups + +echo "Checking users ..." +kubectl exec ldap-server -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin + +echo "Building pulp-minimal image with django-auth-ldap support ..." +build_pulp_minimal_image diff --git a/.ci/scripts/ldap_test.sh b/.ci/scripts/ldap_test.sh new file mode 100755 index 000000000..22f3be2c6 --- /dev/null +++ b/.ci/scripts/ldap_test.sh 
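Review bot: The four `sed -i` lines in `build_pulp_minimal_image` rewrite `django_auth_ldap/backend.py` by absolute line number with no comment saying which upstream behaviour they work around (they appear to coerce option keys to `int`), so nobody can tell when the workaround can be dropped; add a comment such as `# workaround for <upstream issue placeholder>: option keys arrive as strings, coerce to int — drop when fixed upstream` above them and a `RUN grep -q 'opt, value' /usr/local/lib/python3.8/site-packages/django_auth_ldap/backend.py` guard in front, since `Ni` inserts at that line whatever is there and the `860s/…/` substitution silently matches nothing if the file drifts. The base is the mutable `quay.io/pulp/pulp-minimal:stable` tag built with `--no-cache`, so a job result cannot be attributed to a specific image; a digest pin (`FROM quay.io/pulp/pulp-minimal@sha256:<digest placeholder>`) would make a failure reproducible. The directory admin password and the user passwords are passed as arguments (`-w admin`, `ldappasswd -s alice`) and therefore show up in `ps` output and in any `set -x` or CI log, and the fixture files go to fixed names `/tmp/a`, `/tmp/b`, `/tmp/c`, `/tmp/Dockerfile` instead of `mktemp` paths; acceptable for a throwaway CI directory, but `ldapadd -y <passfile>` and `mktemp -d` cost nothing. Parts of this hunk are garbled in this rendering (the heredoc delimiters after `kubectl apply -f-` and `cat`, and the `add_users_and_groups` header that the `COMMANDS` terminator and the later call imply, are missing), so the line-level reading above is from what survives.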
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+DEPLOYMENT_NAME="example-pulp-api"
+
+echo "Verifying ldap authentication ..."
+TEST_1=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ualice:alice localhost:24817/pulp/api/v3/content/)
+TEST_2=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ualice:aaaaa localhost:24817/pulp/api/v3/content/)
+TEST_3=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ubob:bob localhost:24817/pulp/api/v3/content/)
+TEST_4=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ubob:aaaaa localhost:24817/pulp/api/v3/content/)
+TEST_5=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ueve:eve localhost:24817/pulp/api/v3/content/)
+TEST_6=$(kubectl exec deployment/$DEPLOYMENT_NAME -- curl -so /dev/null -w "%{http_code}" -ueve:aaaaa localhost:24817/pulp/api/v3/content/)
+
+declare -A tests
+tests=( ["TEST_1"]="200" ["TEST_2"]="401" ["TEST_3"]="200" ["TEST_4"]="401" ["TEST_5"]="200" ["TEST_6"]="401" )
+
+
+for test in ${!tests[@]} ; do
+ echo -n "$test: ${tests[$test]} "
+ if [[ ${!test} != ${tests[$test]} ]] ; then
+ echo "[ERR]"
+ exit 1
+ else
+ echo "[OK]"
+ fi
+done
+
+
+echo "LDAP auth ok"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8ee2281fc..85a90763f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -365,6 +365,7 @@ jobs:
 - COMPONENT_TYPE: ingress
 - COMPONENT_TYPE: nodeport
 - COMPONENT_TYPE: telemetry
+ - COMPONENT_TYPE: ldap
 steps:
 - uses: actions/checkout@v3
 with:
@@ -451,6 +452,9 @@ jobs:
 kubectl apply -f config/samples/simple.ingress.yaml
 elif [[ "$COMPONENT_TYPE" == "telemetry" ]]; then
 kubectl apply -f config/samples/telemetry.yaml
+ elif [[ "$COMPONENT_TYPE" == "ldap" ]]; then
+ .ci/scripts/ldap_config.sh
+ kubectl apply -f config/samples/ldap.yaml
 else
 kubectl apply -f config/samples/simple.yaml
 fi
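Review bot: The six checks only pin authentication outcomes (right password 200, wrong password 401); nothing exercises the `fileGlobalAdmin` group that ldap_config.sh creates with alice as its only member, nor the `auth_ldap_group_search`/`auth_ldap_group_type` settings in ldap.yaml, so a broken group mapping would still pass this job. One extra request against a permission-gated endpoint comparing alice and eve would close that gap, provided the operator maps that group to a role (not visible in this diff). Under `set -eu` each `TEST_n=$(kubectl exec ... curl ...)` aborts the script on any non-zero exit from kubectl or curl (pod not ready, connection refused) before the loop prints its table, so that failure mode shows nothing but a bare exit status; `TEST_1=$(kubectl exec ...) || TEST_1="exec-failed"` keeps the report uniform. Quote the expansions too — `for test in "${!tests[@]}"; do` and `[[ "${!test}" != "${tests[$test]}" ]]` — because an unquoted right-hand side of `!=` is taken as a glob pattern, and note that associative-array key order is unspecified, so the printed order will vary between runs.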
@@ -469,6 +473,8 @@ jobs:
 .ci/scripts/pulp_tests.sh -m
 if [[ "$COMPONENT_TYPE" == "telemetry" ]]; then
 .ci/scripts/telemetry.sh
+ elif [[ "$COMPONENT_TYPE" == "ldap" ]] ; then
+ .ci/scripts/ldap_test.sh
 fi
 shell: bash
 env:
diff --git a/CHANGES/1124.misc b/CHANGES/1124.misc
new file mode 100644
index 000000000..7a51b37b3
--- /dev/null
+++ b/CHANGES/1124.misc
@@ -0,0 +1 @@
+Added a pipeline job to test ldap integration.
diff --git a/config/samples/ldap.yaml b/config/samples/ldap.yaml
new file mode 100644
index 000000000..72ee09fbe
--- /dev/null
+++ b/config/samples/ldap.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pulp-ldap-secret
+stringData:
+ auth_ldap_server_uri: "ldap://ldap.pulp-operator-system.svc"
+ auth_ldap_bind_dn: "cn=admin,dc=example,dc=org"
+ auth_ldap_bind_password: "admin"
+ auth_ldap_group_search: LDAPSearch("ou=groups,dc=example,dc=org",ldap.SCOPE_SUBTREE,"(objectClass=posixGroup)")
+ auth_ldap_user_search: LDAPSearch("ou=users,dc=example,dc=org", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
+ auth_ldap_group_type: PosixGroupType(name_attr='cn')
+---
+apiVersion: repo-manager.pulpproject.org/v1beta2
+kind: Pulp
+metadata:
+ name: example-pulp
+spec:
+ image: localhost/pulp-minimal
+ image_version: stable
+ image_web_version: stable
+ ldap:
+ config: pulp-ldap-secret
+ api:
+ replicas: 1
+ content:
+ replicas: 1
+ worker:
+ replicas: 1
+ web:
+ replicas: 1
+ migration_job:
+ container:
+ resource_requirements:
+ requests:
+ cpu: 1
+ limits:
+ cpu: 1
+ ingress_type: nodeport
+ nodeport_port: 30000
+
+ database:
+ postgres_storage_class: standard
+
+ file_storage_access_mode: "ReadWriteOnce"
+ file_storage_size: "2Gi"
+ file_storage_storage_class: standard
+
+ pulp_settings:
+ api_root: "/pulp/"
+ allowed_export_paths:
+ - /tmp
+ allowed_import_paths:
+ - /tmp
+ telemetry: false
+ token_server: http://nodeport.local:30000/token/
+ content_origin: http://nodeport.local:30000
+ ansible_api_hostname: http://nodeport.local:30000
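Review bot: The new `elif [[ "$COMPONENT_TYPE" == "ldap" ]] ; then` puts a space before the `;`, unlike the `if [[ ... ]]; then` line above it and the ldap branch added to the same file in the `@@ -451` hunk; write it as `elif [[ "$COMPONENT_TYPE" == "ldap" ]]; then` so the three branches read the same. The `.ci/scripts/ldap_test.sh` call carries no hint of what it depends on; a trailing `# expects the users/groups created by .ci/scripts/ldap_config.sh` would tell a reader where the fixture comes from.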
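Review bot: The sample binds Pulp to the directory as `cn=admin,dc=example,dc=org` with password `admin` over plain `ldap://`, so anyone who starts from `config/samples/ldap.yaml` inherits a full-directory-admin bind account and cleartext credential traffic; that matches the throwaway server in ldap_config.sh, but the sample should say so. Suggest a comment above `auth_ldap_bind_dn`: `# CI fixture only: use a dedicated read-only bind account and ldaps:// (or StartTLS) outside of tests`. The `auth_ldap_server_uri` host `ldap.pulp-operator-system.svc` implies a Service named `ldap` in that namespace, while the ldap_config.sh hunk as rendered here only shows a pod `ldap-server`, so I cannot confirm from this diff that the Service is created; a comment naming where it comes from would help. `image: localhost/pulp-minimal` with `image_version: stable` also presumes the CI cluster can see the image that ldap_config.sh builds on the runner's docker daemon, which depends on cluster setup not visible here and is worth one line of explanation next to `image:`.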