self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-21 17:53:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/lib/config/fileconf_test.go
Russell Jones b4c805fe23 Re-factored cluster configuration.
2017-08-07 17:20:16 -07:00

252 lines
6.7 KiB
Go
Raw Blame History

/*
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package config
import (
"encoding/base64"
"fmt"
"time"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/services"
"gopkg.in/check.v1"
)
type FileTestSuite struct {
}
var _ = check.Suite(&FileTestSuite{})
var _ = fmt.Printf
func (s *FileTestSuite) SetUpSuite(c *check.C) {
}
func (s *FileTestSuite) TearDownSuite(c *check.C) {
}
func (s *FileTestSuite) SetUpTest(c *check.C) {
}
func (s *FileTestSuite) TestAuthenticationSection(c *check.C) {
tests := []struct {
inConfigString string
outAuthenticationConfig *AuthenticationConfig
}{
// 0 - local with otp
{
`
auth_service:
authentication:
type: local
second_factor: otp
`,
&AuthenticationConfig{
Type: "local",
SecondFactor: "otp",
},
},
// 1 - local auth without otp
{
`
auth_service:
authentication:
type: local
second_factor: off
`,
&AuthenticationConfig{
Type: "local",
SecondFactor: "off",
},
},
// 2 - local auth with u2f
{
`
auth_service:
authentication:
type: local
second_factor: u2f
u2f:
app_id: https://graviton:3080
facets:
- https://graviton:3080
`,
&AuthenticationConfig{
Type: "local",
SecondFactor: "u2f",
U2F: &UniversalSecondFactor{
AppID: "https://graviton:3080",
Facets: []string{
"https://graviton:3080",
},
},
},
},
// 3 - oidc without second factor
{
`
auth_service:
authentication:
type: oidc
oidc:
id: google
redirect_url: "https://localhost:3080/v1/webapi/oidc/callback"
client_id: id-from-google.apps.googleusercontent.com
client_secret: secret-key-from-google
issuer_url: "https://accounts.google.com"
display: whaterver
scope: [ "ssh_permissions", "roles"]
claims_to_roles:
- claim: role
value: admin
roles: ["dba", "backup", "root"]
`,
&AuthenticationConfig{
Type: "oidc",
OIDC: &OIDCConnector{
ID: "google",
RedirectURL: "https://localhost:3080/v1/webapi/oidc/callback",
ClientID: "id-from-google.apps.googleusercontent.com",
ClientSecret: "secret-key-from-google",
IssuerURL: "https://accounts.google.com",
Display: "whaterver",
Scope: []string{
"ssh_permissions",
"roles",
},
ClaimsToRoles: []ClaimMapping{
ClaimMapping{
Claim: "role",
Value: "admin",
Roles: []string{
"dba",
"backup",
"root",
},
},
},
},
},
},
// 4 - oidc role templates
{
`
auth_service:
authentication:
type: oidc
oidc:
id: google
redirect_url: "https://localhost:3080/v1/webapi/oidc/callback"
client_id: id-from-google.apps.googleusercontent.com
client_secret: secret-key-from-google
issuer_url: "https://accounts.google.com"
display: whaterver
scope: [ "roles" ]
claims_to_roles:
- claim: roles
value: teleport-admin
role_template:
kind: role
version: v2
metadata:
name: "{{index . \"email\"}}"
namespace: "default"
spec:
namespaces: [ "*" ]
max_session_ttl: 90h0m0s
logins: [ "{{index . \"nickname\"}}", root ]
node_labels:
"*": "*"
resources:
"*": [ "read", "write" ]
forward_agent: true
`,
&AuthenticationConfig{
Type: "oidc",
OIDC: &OIDCConnector{
ID: "google",
RedirectURL: "https://localhost:3080/v1/webapi/oidc/callback",
ClientID: "id-from-google.apps.googleusercontent.com",
ClientSecret: "secret-key-from-google",
IssuerURL: "https://accounts.google.com",
Display: "whaterver",
Scope: []string{
"roles",
},
ClaimsToRoles: []ClaimMapping{
ClaimMapping{
Claim: "roles",
Value: "teleport-admin",
RoleTemplate: &services.RoleV2{
Kind: services.KindRole,
Version: services.V2,
Metadata: services.Metadata{
Name: `{{index . "email"}}`,
Namespace: defaults.Namespace,
},
Spec: services.RoleSpecV2{
MaxSessionTTL: services.NewDuration(90 * 60 * time.Minute),
Logins: []string{`{{index . "nickname"}}`, `root`},
NodeLabels: map[string]string{"*": "*"},
Namespaces: []string{"*"},
Resources: map[string][]string{"*": []string{"read", "write"}},
ForwardAgent: true,
},
},
},
},
},
},
},
}
// run tests
for i, tt := range tests {
comment := check.Commentf("Test %v", i)
encodedConfigString := base64.StdEncoding.EncodeToString([]byte(tt.inConfigString))
fc, err := ReadFromString(encodedConfigString)
c.Assert(err, check.IsNil, comment)
c.Assert(fc.Auth.Authentication, check.DeepEquals, tt.outAuthenticationConfig, comment)
}
}
// TestLegacySection ensures we continue to parse and correctly load deprecated
// OIDC connector and U2F authentication configuration.
func (s *FileTestSuite) TestLegacyAuthenticationSection(c *check.C) {
encodedLegacyAuthenticationSection := base64.StdEncoding.EncodeToString([]byte(LegacyAuthenticationSection))
// read config into struct
fc, err := ReadFromString(encodedLegacyAuthenticationSection)
c.Assert(err, check.IsNil)
// validate oidc connector
c.Assert(fc.Auth.OIDCConnectors, check.HasLen, 1)
c.Assert(fc.Auth.OIDCConnectors[0].ID, check.Equals, "google")
c.Assert(fc.Auth.OIDCConnectors[0].RedirectURL, check.Equals, "https://localhost:3080/v1/webapi/oidc/callback")
c.Assert(fc.Auth.OIDCConnectors[0].ClientID, check.Equals, "id-from-google.apps.googleusercontent.com")
c.Assert(fc.Auth.OIDCConnectors[0].ClientSecret, check.Equals, "secret-key-from-google")
c.Assert(fc.Auth.OIDCConnectors[0].IssuerURL, check.Equals, "https://accounts.google.com")
// validate u2f
c.Assert(fc.Auth.U2F.AppID, check.Equals, "https://graviton:3080")
c.Assert(fc.Auth.U2F.Facets, check.HasLen, 1)
c.Assert(fc.Auth.U2F.Facets[0], check.Equals, "https://graviton:3080")
}
Reference in a new issue View git blame Copy permalink