From 2aa8c10eea518d2ffd4d8d917b7ab6c50dfded42 Mon Sep 17 00:00:00 2001
From: Jerry Cheung
Date: Tue, 28 Oct 2014 15:12:47 -0700
Subject: [PATCH 1/5] document local AD integration testing
---
 test/support/vm/activedirectory/.gitignore | 1 +
 test/support/vm/activedirectory/README.md | 23 +++++++++++++++++++
 .../support/vm/activedirectory/env.sh.example | 8 +++++++
 test/support/vm/activedirectory/reset-env.sh | 6 +++++
 4 files changed, 38 insertions(+)
 create mode 100644 test/support/vm/activedirectory/.gitignore
 create mode 100644 test/support/vm/activedirectory/README.md
 create mode 100644 test/support/vm/activedirectory/env.sh.example
 create mode 100644 test/support/vm/activedirectory/reset-env.sh
diff --git a/test/support/vm/activedirectory/.gitignore b/test/support/vm/activedirectory/.gitignore
new file mode 100644
index 0000000..137e678
--- /dev/null
+++ b/test/support/vm/activedirectory/.gitignore
@@ -0,0 +1 @@
+env.sh
diff --git a/test/support/vm/activedirectory/README.md b/test/support/vm/activedirectory/README.md
new file mode 100644
index 0000000..7450b49
--- /dev/null
+++ b/test/support/vm/activedirectory/README.md
@@ -0,0 +1,23 @@
+# Local ActiveDirectory Integration Testing
+
+Integration tests are not run for ActiveDirectory in continuous integration
+because we cannot install a Windows VM on TravisCI. To test ActiveDirectory,
+configure a local VM with AD running.
+
+From the project root, run:
+
+```sh
+$ cp test/support/vm/activedirectory/env.sh{.example,}
+
+# edit ad-env.sh and fill in with your VM's values, then
+$ source test/support/vm/activedirectory/env.sh
+
+# run all tests against AD
+$ time bundle exec rake
+
+# run a specific test file against AD
+$ time bundle exec ruby test/membership_validators/active_directory_test.rb
+
+# reset environment to test other ldap servers
+$ source test/support/vm/activedirectory/reset-env.sh
+```
diff --git a/test/support/vm/activedirectory/env.sh.example b/test/support/vm/activedirectory/env.sh.example
new file mode 100644
index 0000000..5a17fe8
--- /dev/null
+++ b/test/support/vm/activedirectory/env.sh.example
@@ -0,0 +1,8 @@
+# Copy this to ad-env.sh, and fill in with your own values
+
+export TESTENV=activedirectory
+export ACTIVEDIRECTORY_HOST=123.123.123.123
+export ACTIVEDIRECTORY_PORT=389
+export ACTIVEDIRECTORY_USER="CN=Administrator,CN=Users,DC=ad,DC=example,DC=com"
+export ACTIVEDIRECTORY_PASSWORD='passworD1'
+export ACTIVEDIRECTORY_SEARCH_DOMAINS='CN=Users,DC=ad,DC=ghe,DC=local'
diff --git a/test/support/vm/activedirectory/reset-env.sh b/test/support/vm/activedirectory/reset-env.sh
new file mode 100644
index 0000000..6bfab09
--- /dev/null
+++ b/test/support/vm/activedirectory/reset-env.sh
@@ -0,0 +1,6 @@
+unset TESTENV
+unset ACTIVEDIRECTORY_HOST
+unset ACTIVEDIRECTORY_PORT
+unset ACTIVEDIRECTORY_USER
+unset ACTIVEDIRECTORY_PASSWORD
+unset ACTIVEDIRECTORY_SEARCH_DOMAINS
From 8ef4551e16a69e0ee4d9e63cb7cb5433455aa26b Mon Sep 17 00:00:00 2001
From: Jerry Cheung
Date: Tue, 28 Oct 2014 15:13:13 -0700
Subject: [PATCH 2/5] add activedirectory test options
---
 test/test_helper.rb | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 7780371..1f828c4 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -79,6 +79,15 @@ def options
 uid: 'uid',
 instrumentation_service: @service
 }
+ when "activedirectory"
+ {
+ host: ENV.fetch("ACTIVEDIRECTORY_HOST"),
+ port: ENV.fetch("ACTIVEDIRECTORY_PORT", 389),
+ admin_user: ENV.fetch("ACTIVEDIRECTORY_USER"),
+ admin_password: ENV.fetch("ACTIVEDIRECTORY_PASSWORD"),
+ search_domains: ENV.fetch("ACTIVEDIRECTORY_SEARCH_DOMAINS"),
+ instrumentation_service: @service
+ }
 end
 end
 end
From cf0d90720f67179f8fff0409fc36b2778db3cc64 Mon Sep 17 00:00:00 2001
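Review bot: The header comment in env.sh.example tells the reader to copy the file to `ad-env.sh`, but the `.gitignore` added in this patch ignores only `env.sh`, so a copy made under the commented name is not ignored and the bind password in it can end up in a commit. The comment should read `# Copy this to env.sh (ignored by git), and fill in with your own values`; the same stale comment survives as a context line in the env.sh.example hunk of patch 5/5. The sample also binds as the domain Administrator on port 389: a dedicated read-only test account would limit what a leaked env.sh exposes, and a simple bind on 389 without StartTLS presumably travels in clear text, which deserves a line in the README.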
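Review bot: `port:` in the new `when "activedirectory"` branch is an Integer when the variable is unset and a String when it is set, because `ENV.fetch("ACTIVEDIRECTORY_PORT", 389)` returns the environment value unconverted. Converting once keeps the type stable and rejects a non-numeric value early: `port: Integer(ENV.fetch("ACTIVEDIRECTORY_PORT", 389)),`. The second test_helper.rb hunk of patch 5/5 carries the same line under the name `INTEGRATION_PORT`. The branch would also read better with a comment such as `# required variables come from test/support/vm/activedirectory/env.sh; a missing one raises KeyError`. The `options` method starts and ends outside the hunk.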
From: Jerry Cheung Date: Tue, 28 Oct 2014 15:13:31 -0700 Subject: [PATCH 3/5] add AD validator integration tests --- .../active_directory_test.rb | 66 +++++++++++++++++-- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/test/membership_validators/active_directory_test.rb b/test/membership_validators/active_directory_test.rb index b44d9b2..0caafe2 100644 --- a/test/membership_validators/active_directory_test.rb +++ b/test/membership_validators/active_directory_test.rb @@ -1,10 +1,11 @@ require_relative '../test_helper' -# NOTE: Since this strategy is targeted at ActiveDirectory and we don't have -# AD setup in CI, we stub out actual queries and test against what AD *would* -# respond with. +class GitHubLdapActiveDirectoryMembershipValidatorsStubbedTest < GitHub::Ldap::Test + # Only run when AD integration tests aren't run + def run(*) + self.class.test_env != "activedirectory" ? super : self + end -class GitHubLdapActiveDirectoryMembershipValidatorsTest < GitHub::Ldap::Test def setup @ldap = GitHub::Ldap.new(options.merge(search_domains: %w(dc=github,dc=com))) @domain = @ldap.domain("dc=github,dc=com") 
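Review bot: The `run(*)` override in the stubbed class returns `self` without executing anything when `test_env` is "activedirectory", so the tests are not run and, depending on the Minitest version in use, may still be counted as passes with no assertions rather than as skips. Gating from `setup` with `skip "AD integration tests are running" if self.class.test_env == "activedirectory"` would keep the behaviour while making the unrun tests visible in the summary; the integration class added in the next hunk uses the same override with the condition inverted. The commit also drops the NOTE that explained why queries are stubbed; a one-line comment above the class, e.g. `# Stubs AD responses so the validator is covered without a live directory`, would preserve it. The class body continues past the end of the hunk.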
@@ -66,3 +67,60 @@ def test_does_not_validate_user_not_in_any_group
 end
 end
 end
+
+# See test/support/vm/activedirectory/README.md for details
+class GitHubLdapActiveDirectoryMembershipValidatorsIntegrationTest < GitHub::Ldap::Test
+ # Only run this test suite if ActiveDirectory is configured
+ def run(*)
+ self.class.test_env == "activedirectory" ? super : self
+ end
+
+ def setup
+ @ldap = GitHub::Ldap.new(options)
+ @domain = @ldap.domain(options[:search_domains])
+ @entry = @domain.user?('user1')
+ @validator = GitHub::Ldap::MembershipValidators::ActiveDirectory
+ end
+
+ def make_validator(groups)
+ groups = @domain.groups(groups)
+ @validator.new(@ldap, groups)
+ end
+
+ def test_validates_user_in_group
+ validator = make_validator(%w(nested-group1))
+ assert validator.perform(@entry)
+ end
+
+ def test_validates_user_in_child_group
+ validator = make_validator(%w(n-depth-nested-group1))
+ assert validator.perform(@entry)
+ end
+
+ def test_validates_user_in_grandchild_group
+ validator = make_validator(%w(n-depth-nested-group2))
+ assert validator.perform(@entry)
+ end
+
+ def test_validates_user_in_great_grandchild_group
+ validator = make_validator(%w(n-depth-nested-group3))
+ assert validator.perform(@entry)
+ end
+
+ def test_does_not_validate_user_not_in_group
+ validator = make_validator(%w(ghe-admins))
+ refute validator.perform(@entry)
+ end
+
+ def test_does_not_validate_user_not_in_any_group
+ skip "update AD ldif to have a groupless user"
+ @entry = @domain.user?('groupless-user1')
+ validator = make_validator(%w(all-users))
+ refute validator.perform(@entry)
+ end
+
+ def test_validates_user_in_posix_group
+ validator = make_validator(%w(posix-group1))
+ assert validator.perform(@entry)
+ end
+end
From a316402f5326e7d54cebcb29cbba994c15fd8ab1 Mon Sep 17 00:00:00 2001
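Review bot: `setup` stores `@domain.user?('user1')` in `@entry` without checking it, so against a directory that lacks the expected fixtures the `refute validator.perform(@entry)` in `test_does_not_validate_user_not_in_group` may pass for the wrong reason (assuming `user?` returns nil for a missing user and `perform` is falsy for it). A membership validator is an authorization check, so the negative case should fail loudly when the fixture is absent: add `assert @entry, "fixture user1 not found in #{options[:search_domains]}"` as the last line of `setup`. The comment above the class could also list the entries the AD instance must contain (user1, nested-group1, n-depth-nested-group1 to 3, posix-group1, ghe-admins), since the README added in this series does not describe the directory contents.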
From: Matt Todd Date: Fri, 14 Nov 2014 14:10:54 -0800 Subject: [PATCH 4/5] Minor tweaks and corrections --- test/support/vm/activedirectory/README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/test/support/vm/activedirectory/README.md b/test/support/vm/activedirectory/README.md index 7450b49..36155bd 100644 --- a/test/support/vm/activedirectory/README.md +++ b/test/support/vm/activedirectory/README.md @@ -2,14 +2,17 @@ Integration tests are not run for ActiveDirectory in continuous integration because we cannot install a Windows VM on TravisCI. To test ActiveDirectory, -configure a local VM with AD running. +configure a local VM with AD running (this is left as an exercise for the +reader). -From the project root, run: +To run integration tests against the local ActiveDirectory VM, from the project +root run: -```sh +``` bash +# duplicate example env.sh for specific config $ cp test/support/vm/activedirectory/env.sh{.example,} -# edit ad-env.sh and fill in with your VM's values, then +# edit env.sh and fill in with your VM's values, then $ source test/support/vm/activedirectory/env.sh # run all tests against AD @@ -18,6 +21,6 @@ $ time bundle exec rake # run a specific test file against AD $ time bundle exec ruby test/membership_validators/active_directory_test.rb -# reset environment to test other ldap servers +# reset environment to test other LDAP servers $ source test/support/vm/activedirectory/reset-env.sh ``` From ec9021e0956f15447d9aaa2d809df10b7510c152 Mon Sep 17 00:00:00 2001 From: Matt Todd Date: Fri, 14 Nov 2014 14:26:18 -0800 Subject: [PATCH 5/5] Use INTEGRATION_* instead of flavor-specific ENV vars --- test/support/vm/activedirectory/env.sh.example | 10 +++++----- test/support/vm/activedirectory/reset-env.sh | 10 +++++----- test/support/vm/openldap/README.md | 4 ++-- test/test_helper.rb | 12 ++++++------ 4 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/test/support/vm/activedirectory/env.sh.example b/test/support/vm/activedirectory/env.sh.example index 5a17fe8..3ca2c9b 100644 --- a/test/support/vm/activedirectory/env.sh.example +++ b/test/support/vm/activedirectory/env.sh.example @@ -1,8 +1,8 @@ # Copy this to ad-env.sh, and fill in with your own values export TESTENV=activedirectory -export ACTIVEDIRECTORY_HOST=123.123.123.123 -export ACTIVEDIRECTORY_PORT=389 -export ACTIVEDIRECTORY_USER="CN=Administrator,CN=Users,DC=ad,DC=example,DC=com" -export ACTIVEDIRECTORY_PASSWORD='passworD1' -export ACTIVEDIRECTORY_SEARCH_DOMAINS='CN=Users,DC=ad,DC=ghe,DC=local' +export INTEGRATION_HOST=123.123.123.123 +export INTEGRATION_PORT=389 +export INTEGRATION_USER="CN=Administrator,CN=Users,DC=ad,DC=example,DC=com" +export INTEGRATION_PASSWORD='passworD1' +export INTEGRATION_SEARCH_DOMAINS='CN=Users,DC=example,DC=com' diff --git a/test/support/vm/activedirectory/reset-env.sh b/test/support/vm/activedirectory/reset-env.sh index 6bfab09..971423f 100644 --- a/test/support/vm/activedirectory/reset-env.sh +++ b/test/support/vm/activedirectory/reset-env.sh @@ -1,6 +1,6 @@ unset TESTENV -unset ACTIVEDIRECTORY_HOST -unset ACTIVEDIRECTORY_PORT -unset ACTIVEDIRECTORY_USER -unset ACTIVEDIRECTORY_PASSWORD -unset ACTIVEDIRECTORY_SEARCH_DOMAINS +unset INTEGRATION_HOST +unset INTEGRATION_PORT +unset INTEGRATION_USER +unset INTEGRATION_PASSWORD +unset INTEGRATION_SEARCH_DOMAINS diff --git a/test/support/vm/openldap/README.md b/test/support/vm/openldap/README.md index 67a4ded..ced5a63 100644 --- a/test/support/vm/openldap/README.md +++ b/test/support/vm/openldap/README.md 
@@ -16,10 +16,10 @@ $ ip=$(vagrant ssh -- "ifconfig eth1 | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9] $ cd ../../../.. # run all tests against OpenLDAP -$ time TESTENV=openldap OPENLDAP_HOST=$ip bundle exec rake +$ time TESTENV=openldap INTEGRATION_HOST=$ip bundle exec rake # run a specific test file against OpenLDAP -$ time TESTENV=openldap OPENLDAP_HOST=$ip bundle exec ruby test/membership_validators/recursive_test.rb +$ time TESTENV=openldap INTEGRATION_HOST=$ip bundle exec ruby test/membership_validators/recursive_test.rb # run OpenLDAP tests by default $ export TESTENV=openldap diff --git a/test/test_helper.rb b/test/test_helper.rb index 1f828c4..5beca09 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -71,7 +71,7 @@ def options instrumentation_service: @service when "openldap" { - host: ENV.fetch("OPENLDAP_HOST", "localhost"), + host: ENV.fetch("INTEGRATION_HOST", "localhost"), port: 389, admin_user: 'uid=admin,dc=github,dc=com', admin_password: 'passworD1', @@ -81,11 +81,11 @@ def options } when "activedirectory" { - host: ENV.fetch("ACTIVEDIRECTORY_HOST"), - port: ENV.fetch("ACTIVEDIRECTORY_PORT", 389), - admin_user: ENV.fetch("ACTIVEDIRECTORY_USER"), - admin_password: ENV.fetch("ACTIVEDIRECTORY_PASSWORD"), - search_domains: ENV.fetch("ACTIVEDIRECTORY_SEARCH_DOMAINS"), + host: ENV.fetch("INTEGRATION_HOST"), + port: ENV.fetch("INTEGRATION_PORT", 389), + admin_user: ENV.fetch("INTEGRATION_USER"), + admin_password: ENV.fetch("INTEGRATION_PASSWORD"), + search_domains: ENV.fetch("INTEGRATION_SEARCH_DOMAINS"), instrumentation_service: @service } end
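Review bot: With `host: ENV.fetch("INTEGRATION_HOST", "localhost")` in the first test_helper.rb hunk, the openldap branch now reads the same variable as the activedirectory branch, so a shell that still has the AD env.sh sourced will point the openldap suite, with its hard-coded `admin_user` and `admin_password`, at the AD host when only `TESTENV` is changed. The per-flavor names removed by this commit kept the two targets apart. If the shared name stays, a comment on this line such as `# shared with the activedirectory branch; source reset-env.sh before switching TESTENV` would make the coupling visible. The `options` method starts and ends outside the hunk.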