Merge pull request #103 from tapis-project/dev

Update staging release

Author: kevinpricethesecond

Makefile

@@ -29,7 +29,7 @@ build: build.api build.migrations build.test
 
 # ----- run tests
 test: build.test
-	cd $(cwd); touch service.log; chmod a+w service.log; docker-compose run $(api)-tests;
+	cd $(cwd); touch service.log; chmod a+w service.log; docker-compose run -e MFA_GEN_CODE=$(MFA_GEN_CODE) $(api)-tests;
 
 # ----- shutdown the currently running services
 down:

service/models.py

@@ -724,15 +724,24 @@ def from_ldap3_entry(cls, tenant_id, entry):
         attrs = {}
         try:
             cn = entry['cn'][0]
-        except Exception as e:
+        except Exception:
             logger.error(f"Got exception trying to get cn from entry; entry: {entry}")
             raise DAOError("Unable to parse LDAP user objects.")
-        # the cn is the uid/username
-        attrs['uid'] = cn
+        # the cn is supposed to be the uid/username
+        # however, some tenants have cn configured incorrectly
+        # we can look for uid instead
+        if 'uid' in entry:
+            logger.debug(f"Found uid in entry: {entry['uid']}")
+            attrs['uid'] = entry['uid'][0]
+        else:
+            attrs['uid'] = cn
         # compute the DN from the CN
         tenant = tenants.get_tenant_config(tenant_id)
         ldap_user_dn = tenant.ldap_user_dn
-        attrs['dn'] = f'cn={cn},{ldap_user_dn}'
+        if "${username}" in ldap_user_dn:
+            attrs['dn'] = ldap_user_dn.replace("${username}", attrs['uid'])
+        else:
+            attrs['dn'] = f'cn={cn},{ldap_user_dn}'
         # the remaining params are computed directly in the same way -- as the first entry in an array of bytes
         params = ['givenName', 'sn', 'mail', 'telephoneNumber', 'mobile', 'createTimestamp',
                   'uidNumber', 'userPassword']

service/tests/basic_test.py

@@ -2,6 +2,8 @@
 import datetime
 import pytest
 import json
+import pyotp
+import os
 
 from tapisservice.auth import validate_token
 from tapisservice.config import conf as tapisconf
@@ -19,6 +21,8 @@
 TEST_CLIENT_REDIRECT_URI = 'http://localhost:5000/testsuite'
 TEST_USERNAME = 'testuser1'
 TEST_PASSWORD = 'testuser1'
+MFA_USERNAME = 'cicsvc'
+MFA_GEN_CODE = os.environ.get('MFA_GEN_CODE')
 
 @pytest.fixture
 def client():
@@ -244,13 +248,19 @@ def get_jwt(client):
     return access_token_str
 
 
-def gen_mfa_token(username, tokencode=None):
+@pytest.fixture
+def mfa_token(tokencode=None):
     """
     Generate a OTP mfa code using pyotp given a username and token code.
     If a token code is not provided, a random one will be used.
     """
-    pass
-
+    if tokencode is None:
+        tokencode = MFA_GEN_CODE
+    print(f'DEBUG:: generating MFA token with tokencode: {tokencode}')
+    if tokencode is None:
+        print(f'ERROR! tokencode should not be None! Env: {os.environ.items()}')
+    totp = pyotp.TOTP(tokencode)
+    return totp.now()
 
 # =====================
 # Actual test functions
@@ -272,7 +282,6 @@ def test_get_jwt(client):
 def test_get_mfa_config(client):
     print('top of get mfa config')
     try:
-        print(f'what the heck is going on here')
         tenant_config = tenant_configs_cache.get_config(TEST_TENANT_ID)
         print(f'after tenant config get:: {tenant_config}')
         mfa_config = json.loads(tenant_config.mfa_config)
@@ -295,6 +304,9 @@ def test_get_mfa_config(client):
         print(f'got {e} while trying to get mfa config for tenant {TEST_TENANT_ID}')
         raise Exception()
 
+def test_get_mfa_code(client, mfa_token):
+    print(f'got mfa tken:: {mfa_token}')
+    assert mfa_token is not None
 
 ## Health Check
 # hello
@@ -318,7 +330,9 @@ def test_get_metadata(client):
 
 ## Admin
 # get_config
+# TODO
 # update_config
+# TODO
 
 ## Clients
 
@@ -361,8 +375,10 @@ def test_authenticator_create_clients(client, capsys): ## TODO: this works, but
     check_clients_table(TEST_CLIENT_ID, TEST_CLIENT_REDIRECT_URI, 'A Test Client', "This is a client just for testing")
 
 # Get client details
+# TODO
 
 # Update client details
+# TODO
 
 # Permanantly set a client to inactive
 def test_authenticator_delete_clients(client):
@@ -540,6 +556,8 @@ def test_password_grant_no_client(client, init_db):
     assert 'refresh_token' not in response.json['result']
 
 # Create a v2 bearer token from a Tapis v3 JWT
+# TODO
+
 # Revoke a token 
 def test_revoke_token(client, init_db):
     """
@@ -591,10 +609,15 @@ def test_revoke_token(client, init_db):
 
         check_refresh_token_table(refresh_token_claims, "password", True, TEST_CLIENT_ID)
 
+# Note: Device code checks are below
+
 ## Profiles
 # get_userinfo
+# TODO
 # list_profiles
+# TODO
 # get_profile
+# TODO
 
 ## grant type tests
 
@@ -846,7 +869,19 @@ def test_exchange_device_code(client):
     validate_access_token(response)
 
 ## MFA tests
+# TODO
+def test_mfa_valid_code(mfa_token):
+    # uses the cicsvc creds to auth. 
+    response = mfa.call_mfa(mfa_token, TEST_TENANT_ID, MFA_USERNAME)
+    print(f'DEBUG:: mfa response: {response}')
+    assert response is True
+
+def test_mfa_invalid_code(mfa_token):
+    response = mfa.call_mfa('123456', TEST_TENANT_ID, MFA_USERNAME)
+    print(f'DEBUG:: mfa response: {response}')
+    assert response is False
 
 ## OAuth2ProviderExtCallback tests
+# TODO
 
 

tests-requirements.txt

@@ -1 +1,2 @@
-pytest==5.1.2
+pytest==5.1.2
+pyotp==2.9.0