Commit 56ea08f2 authored by Francesc Guasch's avatar Francesc Guasch
Browse files

Feature #916 configure access (#925)

* doc(test): LDAP local test server start

issue #922

* wip(ldap): grants can be ordered by this field

issue #922

* feature(auth): deny by LDAP attribute

issue #922

* wip(test): remove tes ldap users after tests

issue #922

* test(auth): check deny access

issue #922

* test(auth): check deny & multiple allow/deny

issue #922

* fix(auth): remove auth on remove domain

issue #922

* wip(auth): finish it match auth

issue #922

* wip(frontend): show user LDAP attributes

It is used for access debugging pusrposes we may remove it later.

issue #916

* feature(frontend): show machine access restrictions

issue #916

* test(auth): test LDAP access attributes edges

issue #922

* wip(auth): methods to manage LDAP access entries

issue #916

* wip(auth): check authorization

- if denied returns false
- if allowed continues until en or false
- if no matches returns default

issue #916

* feature(frontend): manage LDAP access restrictions

issue #916

* wip(backend): remove access restrictions if known domain

issue #916

* wip(auth): fixed edge case with no access entries

issue #916

* feature(auth): check restrictions may be end with last

when the last field is enabled, no more restrictions are checked

issue #916

* wip(frontend): small fixes suggested by @gloriarodriguez

- sort attributes
- remove default after delete the last restriction
- set last to true by default on new

issue #916
parent d2caf8c9
......@@ -3132,4 +3132,5 @@ sub set_ldap_access($self, $id_access, $allowed, $last) {
." WHERE id=?");
$sth->execute($allowed, $last, $id_access);
}
1;
......@@ -97,6 +97,201 @@ sub _do_clones($data, $base, $do_clones) {
return ($clone_student, $clone_teacher);
}
sub test_access_by_attribute_deny($vm, $do_clones=0) {
my $base = create_domain($vm->type);
$base->prepare_base(user_admin);
$base->is_public(1);
my $data = _create_users();
is($data->{student}->{user}->allowed_access( $base->id ), 1);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1);
is($data->{other}->{user}->allowed_access( $base->id ), 1);
_do_clones($data, $base, $do_clones);
$base->deny_ldap_access( givenName => $data->{student}->{user}->{name});
_refresh_users($data);
is($data->{student}->{user}->allowed_access( $base->id ), 0);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1);
is($data->{other}->{user}->allowed_access( $base->id ), 1);
my $list_bases = rvd_front->list_machines_user($data->{student}->{user});
is(scalar (@$list_bases), 0);
$list_bases = rvd_front->list_machines_user($data->{teacher}->{user});
is(scalar (@$list_bases), 1);
# other has no external_auth, access denied
$list_bases = rvd_front->list_machines_user($data->{other}->{user});
is(scalar (@$list_bases), 1);
$list_bases = rvd_front->list_machines_user(user_admin);
is(scalar (@$list_bases), 1);
_remove_bases($base);
_remove_users($data);
}
sub test_access_by_attribute_several($vm, $do_clones=0) {
my $base = create_domain($vm->type);
$base->prepare_base(user_admin);
$base->is_public(1);
my $data = _create_users();
is($data->{student}->{user}->allowed_access( $base->id ), 1);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1);
is($data->{other}->{user}->allowed_access( $base->id ), 1);
_do_clones($data, $base, $do_clones);
$base->deny_ldap_access( givenName => $data->{student}->{user}->{name});
$base->allow_ldap_access( givenName => $data->{teacher}->{user}->{name});
$base->deny_ldap_access( givenName => '*'); #default policy
_refresh_users($data);
is($data->{student}->{user}->allowed_access( $base->id ), 0);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1)
or die Dumper($data->{teacher}->{user}->{_allowed});
is($data->{other}->{user}->allowed_access( $base->id ), 0);
my $list_bases = rvd_front->list_machines_user($data->{student}->{user});
is(scalar (@$list_bases), 0);
$list_bases = rvd_front->list_machines_user($data->{teacher}->{user});
is(scalar (@$list_bases), 1);
# other has no external_auth, access denied
$list_bases = rvd_front->list_machines_user($data->{other}->{user});
is(scalar (@$list_bases), 0);
$list_bases = rvd_front->list_machines_user(user_admin);
is(scalar (@$list_bases), 1);
_remove_bases($base);
_remove_users($data);
}
sub test_access_by_attribute_several2($vm) {
my $base = create_domain($vm->type);
$base->prepare_base(user_admin);
$base->is_public(1);
my $data = _create_users();
is($data->{student}->{user}->allowed_access( $base->id ), 1);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1);
is($data->{other}->{user}->allowed_access( $base->id ), 1);
$base->allow_ldap_access( givenName => $data->{student}->{user}->{name});
$base->deny_ldap_access( sn => $data->{student}->{user}->{name});
$base->allow_ldap_access( givenName => $data->{teacher}->{user}->{name});
$base->deny_ldap_access( givenName => '*'); #default policy
_refresh_users($data);
is($data->{student}->{user}->allowed_access( $base->id ), 0);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1)
or die Dumper($data->{teacher}->{user}->{_allowed});
is($data->{other}->{user}->allowed_access( $base->id ), 0);
_remove_bases($base);
_remove_users($data);
}
sub test_access_by_attribute_move($vm, $do_clones=0) {
my $base = create_domain($vm->type);
$base->prepare_base(user_admin);
$base->is_public(1);
my $data = _create_users();
is($data->{student}->{user}->allowed_access( $base->id ), 1);
is($data->{teacher}->{user}->allowed_access( $base->id ), 1);
is($data->{other}->{user}->allowed_access( $base->id ), 1);
_do_clones($data, $base, $do_clones);
$base->allow_ldap_access( givenName => $data->{teacher}->{user}->{name});
$base->deny_ldap_access( givenName => '*'); #default policy
my @list_ldap_attribute = $base->list_ldap_access();
$base->move_ldap_access($list_ldap_attribute[1]->{id}, -1);
my @list_ldap_attribute2 = $base->list_ldap_access();
is($list_ldap_attribute[0]->{id}, $list_ldap_attribute2[1]->{id}) or exit;
_refresh_users($data);
is($data->{teacher}->{user}->allowed_access( $base->id ), 0)
or die Dumper($data->{teacher}->{user}->{_allowed});
is($data->{other}->{user}->allowed_access( $base->id ), 0);
my $list_bases = rvd_front->list_machines_user($data->{student}->{user});
is(scalar (@$list_bases), 0);
$list_bases = rvd_front->list_machines_user($data->{teacher}->{user});
is(scalar (@$list_bases), 0);
# other has no external_auth, access denied
$list_bases = rvd_front->list_machines_user($data->{other}->{user});
is(scalar (@$list_bases), 0);
$list_bases = rvd_front->list_machines_user(user_admin);
is(scalar (@$list_bases), 1);
_remove_bases($base);
_remove_users($data);
}
sub test_access_by_attribute_move_removed($vm) {
my $base = create_domain($vm->type);
$base->prepare_base(user_admin);
$base->is_public(1);
my $data = _create_users();
$base->allow_ldap_access( givenName => $data->{teacher}->{user}->{name});
$base->allow_ldap_access( givenName => $data->{student}->{user}->{name});
$base->deny_ldap_access( givenName => '*'); #default policy
my @list_ldap_attribute = $base->list_ldap_access();
# remove the access #1
$base->delete_ldap_access($list_ldap_attribute[1]->{id});
$base->move_ldap_access($list_ldap_attribute[2]->{id}, -1);
my @list_ldap_attribute2 = $base->list_ldap_access();
is($list_ldap_attribute[2]->{id}, $list_ldap_attribute2[0]->{id}) or exit;
_remove_bases($base);
_remove_users($data);
}
sub test_2_checks($vm) {
my $data = _create_users();
my $base = create_domain($vm->type);
$base->prepare_base(user_admin);
$base->is_public(1);
$base->allow_ldap_access( givenName => $data->{student}->{name});
$base->deny_ldap_access( givenName => $data->{teacher}->{name});
my $sth = connector->dbh->prepare(
"SELECT id,n_order from access_ldap_attribute "
." WHERE id_domain=?"
." ORDER BY n_order"
);
$sth->execute($base->id);
my $n_order_old;
while (my ($id, $n_order) = $sth->fetchrow ) {
isnt($n_order,$n_order_old,"Expecting new order for access id: $id");
$n_order_old = $n_order;
}
_refresh_users($data);
_remove_bases($base);
_remove_users($data);
}
sub test_access_by_attribute($vm, $do_clones=0) {
my $data = _create_users();
......@@ -118,10 +313,7 @@ sub test_access_by_attribute($vm, $do_clones=0) {
is($data->{other}->{user}->allowed_access( $base->id ), 1);
is(user_admin->allowed_access( $base->id ), 1);
$data->{student}->{user}->ldap_entry->replace( givenName => 'Jimmy');
my $mesg = $data->{student}->{user}->ldap_entry->update(Ravada::Auth::LDAP::_init_ldap_admin);
is($mesg->code,0, $mesg->error) or BAIL_OUT();
$base->allow_ldap_access( givenName => $data->{student}->{name});
_refresh_users($data);
is($data->{student}->{user}->ldap_entry->get_value('givenName'),'Jimmy') or BAIL_OUT();
......@@ -204,7 +396,7 @@ sub test_access_by_attribute_2bases($vm, $do_clones=0) {
is($data->{student}->{user}->ldap_entry->get_value('givenName'),'Jimmy') or BAIL_OUT();
$bases[0]->allow_ldap_attribute( givenName => 'Jimmy');
$bases[0]->allow_ldap_access( givenName => 'Jimmy');
#################################################################
#
......@@ -250,6 +442,18 @@ for my $vm_name ('KVM', 'Void') {
test_external_auth();
test_access_by_attribute($vm);
test_access_by_attribute($vm,1); # with clones
test_access_by_attribute_2bases($vm);
test_access_by_attribute_2bases($vm,1); # with clones
test_access_by_attribute_deny($vm);
test_access_by_attribute_deny($vm,1); # with clones
test_access_by_attribute_several2($vm);
test_access_by_attribute_several($vm);
test_access_by_attribute_move($vm);
test_access_by_attribute_move_removed($vm);
}
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment