root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 8 Packages Projects Releases Wiki Activity

setup openldap as part of vagrant provisioning 

seed openldap as part of the test run
This commit is contained in:
kjnilsson 2016-06-29 09:51:28 +01:00
parent 2461f04795
commit 4e6963baf5
13 changed files with 263 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
deps/rabbitmq_auth_backend_ldap/Makefile vendored
View File

@ -15,18 +15,3 @@ ERLANG_MK_COMMIT = rabbitmq-tmp
include rabbitmq-components.mk
TEST_DEPS := $(filter-out rabbitmq_test,$(TEST_DEPS))
include erlang.mk
# --------------------------------------------------------------------
# Testing.
# --------------------------------------------------------------------
# ifneq ($(filter tests tests-with-broker test,$(MAKECMDGOALS)),)
# ifeq ($(shell nc -z localhost 3890 && echo true),true)
# WITH_BROKER_TEST_MAKEVARS := \
# RABBITMQ_CONFIG_FILE=$(CURDIR)/etc/rabbit-test
# WITH_BROKER_TEST_COMMANDS := \
# eunit:test([rabbit_auth_backend_ldap_unit_test,rabbit_auth_backend_ldap_test],[verbose])
# else
# $(info Skipping LDAP tests; no LDAP server found on localhost)
# endif
# endif

18
deps/rabbitmq_auth_backend_ldap/README-tests.md vendored
View File

@ -1,16 +1,16 @@
# Running LDAP Backend Tests
The tests *require* a locally installed LDAP server with some
predefined objects inside. If there's no LDAP server running on port
389, they will be skipped.
On a Debian-based distro you can set up a LDAP server
and run the tests with:
./example/setup.sh && make tests
If you have [Vagrant](https://www.vagrantup.com) installed you
can simply `vagrant up` from the root of the project directory.
This will start a vagrant box with OpenLDAP running, accessible
on local port 3890.
Alternatively run OpenLDAP locally on port 3890 and use
`example/setup.sh` to create the appropriate ldap databases.
IMPORTANT: this will wipe out your local OpenLDAP installation!
The setup script currently needs to be executed between test suite runs,
too.
See the `example` for more details about the setup and seed data.
The test setup will seed the LDAP database with the required objects.
Run `make test` to run the complete test suite.

3
deps/rabbitmq_auth_backend_ldap/Vagrantfile vendored
View File

@ -64,7 +64,8 @@ Vagrant.configure(2) do |config|
# Enable provisioning with a shell script. Additional provisioners such as
# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
# documentation for more information about their specific syntax and use.
# config.vm.provision "shell", path: "example/setup.sh"
config.vm.provision "file", source: "example", destination: "~"
config.vm.provision "shell", inline: "/bin/sh /home/vagrant/example/setup.sh"
# config.vm.provision "shell", inline: <<-SHELL
# sudo apt-get update
# sudo apt-get --yes install slapd ldap-utils

44
deps/rabbitmq_auth_backend_ldap/etc/rabbit-test.config vendored
View File

@ -1,44 +0,0 @@
%% -*- erlang -*-
[{rabbit, [{default_vhost, <<"test">>}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["localhost"]},
{user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},
{other_bind, anon},
{use_ssl, false},
{port, 3890},
{log, true},
{group_lookup_base, "ou=groups,dc=example,dc=com"},
{vhost_access_query, {exists, "ou=${vhost},ou=vhosts,dc=example,dc=com"}},
{resource_access_query,
{for, [{resource, exchange,
{for, [{permission, configure,
{in_group, "cn=wheel,ou=groups,dc=example,dc=com"}
},
{permission, write, {constant, true}},
{permission, read,
{match, {string, "${name}"},
{string, "^xch-${username}-.*"}}
}
]}},
{resource, queue,
{for, [{permission, configure,
{match, {attribute, "${user_dn}", "description"},
{string, "can-declare-queues"}}
},
{permission, write, {constant, true}},
{permission, read,
{'or',
[{'and',
[{equals, "${name}", "test1"},
{equals, "${username}", "Alice"}]},
{'and',
[{equals, "${name}", "test2"},
{'not', {equals, "${username}", "Bob"}}]}
]}}
]}}
]}},
{tag_queries, [{monitor, {constant, true}},
{administrator, {constant, false}},
{management, {constant, false}}]}
]}
].

11
deps/rabbitmq_auth_backend_ldap/example/README vendored
View File

@ -1,11 +0,0 @@
This is a very simple example, designed to be set up with the modern
Debian / Ubuntu packaging of OpenLDAP. Running setup.sh after "apt-get
install slapd" will wipe out any existing LDAP database and get you:
* A domain
* An admin user
* A couple of normal users
* A group containing the users
* An OU representing a vhost
These correspond to the examples mentioned in the documentation.

10
deps/rabbitmq_auth_backend_ldap/example/global.ldif vendored
View File

@ -9,19 +9,19 @@ dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
# Domain name (e.g. example.com)
olcSuffix: dc=example,dc=com
# Domain name (e.g. rabbitmq.com)
olcSuffix: dc=rabbitmq,dc=com
# Location on system where database is stored
olcDbDirectory: /var/lib/ldap
# Manager of the database
olcRootDN: cn=admin,dc=example,dc=com
olcRootDN: cn=admin,dc=rabbitmq,dc=com
olcRootPW: admin
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=admin,dc=example,dc=com" write
by dn.base="cn=admin,dc=rabbitmq,dc=com" write
by * none
olcAccess: to *
by self write
by dn.base="cn=admin,dc=example,dc=com" write
by dn.base="cn=admin,dc=rabbitmq,dc=com" write
by * read

41
deps/rabbitmq_auth_backend_ldap/example/groups.ldif vendored
View File

@ -1,41 +0,0 @@
dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
dn: cn=wheel,ou=groups,dc=example,dc=com
objectclass: groupOfNames
cn: wheel
member: cn=Alice,ou=people,dc=example,dc=com
member: cn=Charlie,ou=people,dc=example,dc=com
member: cn=Dominic,ou=people,dc=example,dc=com
member: uid=peter,ou=people,dc=example,dc=com
dn: cn=people,ou=groups,dc=example,dc=com
objectclass: groupOfNames
cn: people
member: cn=Charlie,ou=people,dc=example,dc=com
member: cn=Dominic,ou=people,dc=example,dc=com
member: uid=peter,ou=people,dc=example,dc=com
dn: cn=staff,ou=groups,dc=example,dc=com
objectclass: groupOfNames
cn: people
member: cn=Charlie,ou=people,dc=example,dc=com
member: cn=Dominic,ou=people,dc=example,dc=com
member: uid=peter,ou=people,dc=example,dc=com
dn: cn=bobs,ou=groups,dc=example,dc=com
objectclass: groupOfNames
cn: bobs
member: cn=Bob,ou=people,dc=example,dc=com
dn: cn=bobs2,ou=groups,dc=example,dc=com
objectclass: groupOfNames
cn: bobs2
member: cn=bobs,ou=groups,dc=example,dc=com
dn: cn=admins,ou=groups,dc=example,dc=com
objectclass: groupOfNames
cn: admins
member: cn=bobs2,ou=groups,dc=example,dc=com
member: cn=wheel,ou=groups,dc=example,dc=com

87
deps/rabbitmq_auth_backend_ldap/example/people.ldif vendored
View File

@ -1,87 +0,0 @@
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example.com
dc: example
description: Example
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: cn=Alice,ou=people,dc=example,dc=com
objectClass: person
cn: Alice
sn: Ali
userPassword: password
description: can-declare-queues
dn: cn=Bob,ou=people,dc=example,dc=com
objectClass: person
cn: Bob
sn: Robert
userPassword: password
dn: cn=Dominic,ou=people,dc=example,dc=com
objectClass: person
cn: Dominic
sn: Dom
userPassword: password
dn: cn=Charlie,ou=people,dc=example,dc=com
objectClass: person
cn: Charlie
sn: Charlie Boy
userPassword: password
dn: cn=Edward,ou=people,dc=example,dc=com
objectClass: person
cn: Edward
sn: Ed
userPassword: password
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: person
cn: John Doe
sn: Doe
userPassword: password
dn: uid=peter,ou=people,dc=example,dc=com
cn: Peter
givenName: Peter
sn: Jones
uid: peter
uidNumber: 5000
gidNumber: 10000
homeDirectory: /home/peter
mail: peter.jones@example.com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: password
memberOf: cn=wheel,ou=groups,dc=example,dc=com
memberOf: cn=staff,ou=groups,dc=example,dc=com
memberOf: cn=people,ou=groups,dc=example,dc=com
dn: uid=carol,ou=people,dc=example,dc=com
cn: Carol
givenName: Carol
sn: Meyers
uid: carol
uidNumber: 655
gidNumber: 10000
homeDirectory: /home/carol
mail: carol.meyers@example.com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: password

8
deps/rabbitmq_auth_backend_ldap/example/rabbit.ldif vendored
View File

@ -1,8 +0,0 @@
dn: ou=vhosts,dc=example,dc=com
objectClass: organizationalUnit
ou: vhosts
dn: ou=test,ou=vhosts,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: test

3
deps/rabbitmq_auth_backend_ldap/example/seed.sh vendored
View File

@ -6,6 +6,3 @@ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ${DIR}/global.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ${DIR}/memberof_init.ldif
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ${DIR}/refint_1.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ${DIR}/refint_2.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -w admin -f ${DIR}/people.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -w admin -f ${DIR}/groups.ldif
ldapadd -x -D cn=admin,dc=example,dc=com -w admin -f ${DIR}/rabbit.ldif

10
deps/rabbitmq_auth_backend_ldap/example/setup.sh vendored
View File

@ -1,10 +1,16 @@
#!/bin/sh -e
export DEBIAN_FRONTEND=noninteractive
sudo apt-get --yes purge slapd
sudo rm -rf /var/lib/ldap
echo -e " \
slapd slapd/internal/generated_adminpw password openstack
slapd slapd/password2 password openstack
slapd slapd/internal/adminpw password openstack
slapd slapd/password1 password openstack
" | sudo debconf-set-selections
sudo apt-get --yes install slapd ldap-utils
sleep 1
DIR=$(dirname $0)
./$DIR/seed.sh
$DIR/seed.sh

200
deps/rabbitmq_auth_backend_ldap/test/ldap_seed.erl vendored Normal file
View File

@ -0,0 +1,200 @@
%% The contents of this file are subject to the Mozilla Public License
%% Version 1.1 (the "License"); you may not use this file except in
%% compliance with the License. You may obtain a copy of the License
%% at http://www.mozilla.org/MPL/
%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and
%% limitations under the License.
%%
%% The Original Code is RabbitMQ.
%%
%% The Initial Developer of the Original Code is GoPivotal, Inc.
%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved.
%%
-module(ldap_seed).
-include_lib("eldap/include/eldap.hrl").
-export([seed/1,delete/1]).
seed(Logon) ->
H = connect(Logon),
ok = add(H, rabbitmq_com()),
ok = add(H, ou("people")),
[ add(H, P) || P <- people() ],
ok = add(H, ou("vhosts")),
ok = add(H, test()),
ok = add(H, ou("groups")),
[ add(H, P) || P <- groups() ],
eldap:close(H),
ok.
rabbitmq_com() ->
{"dc=rabbitmq,dc=com",
[{"objectClass", ["dcObject", "organization"]},
{"dc", ["rabbitmq"]},
{"o", ["Test"]}]}.
delete(Logon) ->
H = connect(Logon),
eldap:delete(H, "ou=test,dc=rabbitmq,dc=com"),
eldap:delete(H, "ou=test,ou=vhosts,dc=rabbitmq,dc=com"),
eldap:delete(H, "ou=vhosts,dc=rabbitmq,dc=com"),
[ eldap:delete(H, P) || {P, _} <- groups() ],
[ eldap:delete(H, P) || {P, _} <- people() ],
eldap:delete(H, "ou=groups,dc=rabbitmq,dc=com"),
eldap:delete(H, "ou=people,dc=rabbitmq,dc=com"),
eldap:delete(H, "dc=rabbitmq,dc=com"),
eldap:close(H),
ok.
people() ->
[ bob(),
dominic(),
charlie(),
edward(),
johndoe(),
alice(),
peter(),
carol()
].
groups() ->
[wheel_group(),
people_group(),
staff_group(),
bobs_group(),
bobs2_group(),
admins_group()
].
wheel_group() ->
{A, _} = alice(),
{C, _} = charlie(),
{D, _} = dominic(),
{P, _} = peter(),
{"cn=wheel,ou=groups,dc=rabbitmq,dc=com",
[{"objectClass", ["groupOfNames"]},
{"cn", ["wheel"]},
{"member", [A, C, D, P]}]}.
people_group() ->
{C, _} = charlie(),
{D, _} = dominic(),
{P, _} = peter(),
{"cn=people,ou=groups,dc=rabbitmq,dc=com",
[{"objectClass", ["groupOfNames"]},
{"cn", ["people"]},
{"member", [C, D, P]}]}.
staff_group() ->
{C, _} = charlie(),
{D, _} = dominic(),
{P, _} = peter(),
{"cn=staff,ou=groups,dc=rabbitmq,dc=com",
[{"objectClass", ["groupOfNames"]},
{"cn", ["people"]},
{"member", [C, D, P]}]}.
bobs_group() ->
{B, _} = bob(),
{"cn=bobs,ou=groups,dc=rabbitmq,dc=com",
[{"objectClass", ["groupOfNames"]},
{"cn", ["bobs"]},
{"member", [B]}]}.
bobs2_group() ->
{B, _} = bobs_group(),
{"cn=bobs2,ou=groups,dc=rabbitmq,dc=com",
[{"objectClass", ["groupOfNames"]},
{"cn", ["bobs2"]},
{"member", [B]}]}.
admins_group() ->
{B, _} = bobs2_group(),
{W, _} = wheel_group(),
{"cn=admins,ou=groups,dc=rabbitmq,dc=com",
[{"objectClass", ["groupOfNames"]},
{"cn", ["admins"]},
{"member", [B, W]}]}.
person(Cn, Sn) ->
{"cn="++Cn++",ou=people,dc=rabbitmq,dc=com",
[{"objectClass", ["person"]},
{"cn", [Cn]},
{"sn", [Sn]},
{"userPassword", ["password"]}]}.
bob() -> person("Bob", "Robert").
dominic() -> person("Dominic", "Dom").
charlie() -> person("Charlie", "Charlie Boy").
edward() -> person("Edward", "Ed").
johndoe() -> person("John Doe", "Doe").
alice() ->
{"cn=Alice,ou=people,dc=rabbitmq,dc=com",
[{"objectClass", ["person"]},
{"cn", ["Alice"]},
{"sn", ["Ali"]},
{"userPassword", ["password"]},
{"description", ["can-declare-queues"]}]}.
peter() ->
{"uid=peter,ou=people,dc=rabbitmq,dc=com",
[{"cn", ["Peter"]},
{"givenName", ["Peter"]},
{"sn", ["Jones"]},
{"uid", ["peter"]},
{"uidNumber", ["5000"]},
{"gidNumber", ["10000"]},
{"homeDirectory", ["/home/peter"]},
{"mail", ["peter.jones@rabbitmq.com"]},
{"objectClass", ["top",
"posixAccount",
"shadowAccount",
"inetOrgPerson",
"organizationalPerson",
"person"]},
{"loginShell", ["/bin/bash"]},
{"userPassword", ["password"]},
{"memberOf", ["cn=wheel,ou=groups,dc=rabbitmq,dc=com",
"cn=staff,ou=groups,dc=rabbitmq,dc=com",
"cn=people,ou=groups,dc=rabbitmq,dc=com"]}]}.
carol() ->
{"uid=carol,ou=people,dc=rabbitmq,dc=com",
[{"cn", ["Carol"]},
{"givenName", ["Carol"]},
{"sn", ["Meyers"]},
{"uid", ["peter"]},
{"uidNumber", ["655"]},
{"gidNumber", ["10000"]},
{"homeDirectory", ["/home/carol"]},
{"mail", ["carol.meyers@example.com"]},
{"objectClass", ["top",
"posixAccount",
"shadowAccount",
"inetOrgPerson",
"organizationalPerson",
"person"]},
{"loginShell", ["/bin/bash"]},
{"userPassword", ["password"]}]}.
add(H, {A, B}) ->
ok = eldap:add(H, A, B).
connect({Host, Port}) ->
{ok, H} = eldap:open([Host], [{port, Port}]),
ok = eldap:simple_bind(H, "cn=admin,dc=rabbitmq,dc=com", "admin"),
H.
ou(Name) ->
{"ou=" ++ Name ++ ",dc=rabbitmq,dc=com", [{"objectClass", ["organizationalUnit"]}, {"ou", [Name]}]}.
test() ->
{"ou=test,ou=vhosts,dc=rabbitmq,dc=com", [{"objectClass", ["top", "organizationalUnit"]}, {"ou", ["test"]}]}.

79
deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl vendored
View File

@ -27,6 +27,7 @@
-define(PETER_NAME, "Peter").
-define(VHOST, "test").
-define(PORT, 3890).
-define(ALICE, #amqp_params_network{username = <<?ALICE_NAME>>,
password = <<"password">>,
@ -47,17 +48,17 @@
-define(BASE_CONF_RABBIT, {rabbit, [{default_vhost, <<"test">>}]}).
-define(BASE_CONF_LDAP, {rabbitmq_auth_backend_ldap, [ {servers, ["localhost"]},
{user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},
{user_dn_pattern, "cn=${username},ou=People,dc=rabbitmq,dc=com"},
{other_bind, anon},
{use_ssl, false},
{port, 3890},
{port, ?PORT},
{log, true},
{group_lookup_base, "ou=groups,dc=example,dc=com"},
{vhost_access_query, {exists, "ou=${vhost},ou=vhosts,dc=example,dc=com"}},
{group_lookup_base, "ou=groups,dc=rabbitmq,dc=com"},
{vhost_access_query, {exists, "ou=${vhost},ou=vhosts,dc=rabbitmq,dc=com"}},
{resource_access_query,
{for, [{resource, exchange,
{for, [{permission, configure,
{in_group, "cn=wheel,ou=groups,dc=example,dc=com"}
{in_group, "cn=wheel,ou=groups,dc=rabbitmq,dc=com"}
},
{permission, write, {constant, true}},
{permission, read,
@ -121,12 +122,16 @@ init_per_suite(Config) ->
]),
Config2 = rabbit_ct_helpers:merge_app_env(Config1, ?BASE_CONF_RABBIT),
Config3 = rabbit_ct_helpers:merge_app_env(Config2, ?BASE_CONF_LDAP),
Logon = {"localhost", ?PORT},
ldap_seed:delete(Logon),
ldap_seed:seed(Logon),
rabbit_ct_helpers:run_setup_steps(Config3,
rabbit_ct_broker_helpers:setup_steps() ++
rabbit_ct_client_helpers:setup_steps()).
end_per_suite(Config) ->
ldap_seed:delete({"localhost", ?PORT}),
rabbit_ct_helpers:run_teardown_steps(Config,
rabbit_ct_client_helpers:teardown_steps() ++
rabbit_ct_broker_helpers:teardown_steps()).
@ -160,7 +165,6 @@ init_per_testcase(Testcase, Config)
when Testcase == tag_attribution_ldap_and_internal;
Testcase == tag_attribution_internal_followed_by_ldap_and_internal ->
% backup tag queries
error_logger:info_msg("init ~p", [Testcase]),
Cfg = case rabbit_ct_broker_helpers:rpc(Config, 0,
application,
get_env,
@ -283,7 +287,6 @@ logins_network(Config) ->
{good, [1, 2, 3, 4, 6, 7, 8], B?PETER, []}].
logins_direct(Config) ->
% error_logger:info_msg("conf: ~p", [Config]),
N = #amqp_params_direct{node = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename)},
[{bad, [5], N#amqp_params_direct{}, []},
{bad, [5], N#amqp_params_direct{username = <<?ALICE_NAME>>}, []},
@ -305,7 +308,7 @@ login_envs() ->
{8, {good, vhost_access_query_nested_groups_env()}}].
base_login_env() ->
[{user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},
[{user_dn_pattern, "cn=${username},ou=People,dc=rabbitmq,dc=com"},
{dn_lookup_attribute, none},
{dn_lookup_base, none},
{dn_lookup_bind, as_user},
@ -313,62 +316,62 @@ base_login_env() ->
{tag_queries, [{monitor, {constant, true}},
{administrator, {constant, false}},
{management, {constant, false}}]},
{vhost_access_query, {exists, "ou=${vhost},ou=vhosts,dc=example,dc=com"}},
{vhost_access_query, {exists, "ou=${vhost},ou=vhosts,dc=rabbitmq,dc=com"}},
{log, true}].
%% TODO configure OpenLDAP to allow a dn_lookup_post_bind_env()
dn_lookup_pre_bind_env() ->
[{user_dn_pattern, "${username}"},
{dn_lookup_attribute, "cn"},
{dn_lookup_base, "OU=People,DC=example,DC=com"},
{dn_lookup_bind, {"cn=admin,dc=example,dc=com", "admin"}}].
{dn_lookup_base, "OU=People,DC=rabbitmq,DC=com"},
{dn_lookup_bind, {"cn=admin,dc=rabbitmq,dc=com", "admin"}}].
other_bind_admin_env() ->
[{other_bind, {"cn=admin,dc=example,dc=com", "admin"}}].
[{other_bind, {"cn=admin,dc=rabbitmq,dc=com", "admin"}}].
other_bind_anon_env() ->
[{other_bind, anon}].
other_bind_broken_env() ->
[{other_bind, {"cn=admin,dc=example,dc=com", "admi"}}].
[{other_bind, {"cn=admin,dc=rabbitmq,dc=com", "admi"}}].
tag_queries_subst_env() ->
[{tag_queries, [{administrator, {constant, false}},
{management,
{exists, "ou=${vhost},ou=vhosts,dc=example,dc=com"}}]}].
{exists, "ou=${vhost},ou=vhosts,dc=rabbitmq,dc=com"}}]}].
posix_vhost_access_multiattr_env() ->
[{user_dn_pattern, "uid=${username},ou=People,dc=example,dc=com"},
[{user_dn_pattern, "uid=${username},ou=People,dc=rabbitmq,dc=com"},
{vhost_access_query,
{'and', [{exists, "ou=${vhost},ou=vhosts,dc=example,dc=com"},
{'and', [{exists, "ou=${vhost},ou=vhosts,dc=rabbitmq,dc=com"},
{equals,
{attribute, "${user_dn}","memberOf"},
{string, "cn=wheel,ou=groups,dc=example,dc=com"}},
{string, "cn=wheel,ou=groups,dc=rabbitmq,dc=com"}},
{equals,
{attribute, "${user_dn}","memberOf"},
{string, "cn=people,ou=groups,dc=example,dc=com"}},
{string, "cn=people,ou=groups,dc=rabbitmq,dc=com"}},
{equals,
{string, "cn=wheel,ou=groups,dc=example,dc=com"},
{string, "cn=wheel,ou=groups,dc=rabbitmq,dc=com"},
{attribute,"${user_dn}","memberOf"}},
{equals,
{string, "cn=people,ou=groups,dc=example,dc=com"},
{string, "cn=people,ou=groups,dc=rabbitmq,dc=com"},
{attribute, "${user_dn}","memberOf"}},
{match,
{attribute, "${user_dn}","memberOf"},
{string, "cn=wheel,ou=groups,dc=example,dc=com"}},
{string, "cn=wheel,ou=groups,dc=rabbitmq,dc=com"}},
{match,
{attribute, "${user_dn}","memberOf"},
{string, "cn=people,ou=groups,dc=example,dc=com"}},
{string, "cn=people,ou=groups,dc=rabbitmq,dc=com"}},
{match,
{string, "cn=wheel,ou=groups,dc=example,dc=com"},
{string, "cn=wheel,ou=groups,dc=rabbitmq,dc=com"},
{attribute, "${user_dn}","memberOf"}},
{match,
{string, "cn=people,ou=groups,dc=example,dc=com"},
{string, "cn=people,ou=groups,dc=rabbitmq,dc=com"},
{attribute, "${user_dn}","memberOf"}}
]}}].
vhost_access_query_nested_groups_env() ->
[{vhost_access_query, {in_group_nested, "cn=admins,ou=groups,dc=example,dc=com"}}].
[{vhost_access_query, {in_group_nested, "cn=admins,ou=groups,dc=rabbitmq,dc=com"}}].
test_login(Config, {N, Env}, Login, FilterList, ResultFun) ->
case lists:member(N, FilterList) of
@ -389,10 +392,7 @@ set_env(Config, Env) ->
[rpc_set_env(Config, [rabbitmq_auth_backend_ldap, K, V]) || {K, V} <- Env].
succ(Login) ->
% error_logger:info_msg("succ: ~p", [Login]),
{ok, Pid} = amqp_connection:start(Login),
% error_logger:info_msg("succ res ~p", [Res]),
% ?assertMatch({ok, _}, Res),
amqp_connection:close(Pid).
fail(Login) -> ?assertMatch({error, _}, amqp_connection:start(Login)).
@ -463,7 +463,6 @@ tag_check(Config, Username, Password, Tags) ->
tag_check(Config, Username, Password, VHost, Outcome, Tags)
when is_binary(Username), is_binary(Password), is_binary(VHost), is_list(Tags) ->
{ok, User} = rabbit_ct_broker_helpers:rpc(Config, 0, rabbit_access_control, check_user_login, [Username, [{password, Password}, {vhost, VHost}]]),
% error_logger:info_msg("post rpc ~p ~p", [User#user.tags, Tags]),
tag_check_outcome(Outcome, Tags, User);
tag_check(_, _, _, _, _, _) -> fun() -> [] end.
@ -471,12 +470,12 @@ tag_check_outcome(good, Tags, User) -> ?assertEqual(Tags, User#user.tags);
tag_check_outcome(bad, Tags, User) -> ?assertNotEqual(Tags, User#user.tags).
test_tag_check(Config, Env, TagCheckFun) ->
?_test(try
set_env(Config, Env),
TagCheckFun()
after
set_env(Config, base_login_env())
end).
try
set_env(Config, Env),
TagCheckFun()
after
set_env(Config, base_login_env())
end.
tag_query_configuration() ->
[{tag_queries,
@ -489,7 +488,7 @@ tag_query_configuration() ->
%% Query result for tag `normal` is TRUE because
%% this object exists.
{normal,
{exists, "cn=${username},ou=people,dc=example,dc=com"}}]}].
{exists, "cn=${username},ou=people,dc=rabbitmq,dc=com"}}]}].
internal_authorization_setup(Config) ->
ok = control_action(Config, add_user, ["Edward", ""]),
@ -527,11 +526,11 @@ logging_envs() ->
scrub_bind_creds_env() ->
[{log, network},
{other_bind, {"cn=admin,dc=example,dc=com", "admin"}}].
{other_bind, {"cn=admin,dc=rabbitmq,dc=com", "admin"}}].
display_bind_creds_env() ->
[{log, network_unsafe},
{other_bind, {"cn=admin,dc=example,dc=com", "admin"}}].
{other_bind, {"cn=admin,dc=rabbitmq,dc=com", "admin"}}].
scrub_bind_single_cred_env() ->
[{log, network},
@ -539,11 +538,11 @@ scrub_bind_single_cred_env() ->
scrub_bind_creds_no_equals_env() ->
[{log, network},
{other_bind, {"cn*admin,dc>example,dc&com", "admin"}}].
{other_bind, {"cn*admin,dc>rabbitmq,dc&com", "admin"}}].
scrub_bind_creds_no_seperator_env() ->
[{log, network},
{other_bind, {"cn=admindc=exampledc&com", "admin"}}].
{other_bind, {"cn=admindc=rabbitmqdc&com", "admin"}}].
%%--------------------------------------------------------------------