empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e6ce8c29fc
fleet/server/service/integration_sso_test.go

334 lines
11 KiB
Go
Raw Normal View History

Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
package service
import (
"bytes"
"compress/flate"
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
"context"
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
"encoding/base64"
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731)
2022-09-19 17:53:44 +00:00
"encoding/json"
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
"encoding/xml"
"net/http"
"net/url"
Log failed login attempts as activities (#9430) #9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-20 15:43:22 +00:00
"sort"
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
"strings"
"testing"
Return 403 instead of 500 when conditions are not met to perform a required pwd reset (#13244)
2023-08-09 19:28:04 +00:00
"github.com/fleetdm/fleet/v4/server/datastore/mysql"
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
"github.com/fleetdm/fleet/v4/server/datastore/redis/redistest"
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/ptr"
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
"github.com/fleetdm/fleet/v4/server/sso"
Return 403 instead of 500 when conditions are not met to perform a required pwd reset (#13244)
2023-08-09 19:28:04 +00:00
"github.com/fleetdm/fleet/v4/server/test"
"github.com/jmoiron/sqlx"
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/suite"
)
type integrationSSOTestSuite struct {
suite.Suite
withServer
}
func (s *integrationSSOTestSuite) SetupSuite() {
s.withDS.SetupSuite("integrationSSOTestSuite")
Migrate team-related endpoints to new pattern (#3740)
2022-01-19 15:52:14 +00:00
pool := redistest.SetupRedis(s.T(), "zz", false, false, false)
Support async saving of hosts' last seen time (#5640)
2022-05-10 15:29:17 +00:00
users, server := RunServerForTestsWithDS(s.T(), s.ds, &TestServerOpts{Pool: pool})
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
s.server = server
s.users = users
s.token = s.getTestAdminToken()
}
func TestIntegrationsSSO(t *testing.T) {
testingSuite := new(integrationSSOTestSuite)
testingSuite.s = &testingSuite.Suite
suite.Run(t, testingSuite)
}
func (s *integrationSSOTestSuite) TestGetSSOSettings() {
t := s.T()
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
acResp := appConfigResponse{}
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731)
2022-09-19 17:53:44 +00:00
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"sso_settings": {
"enable_sso": true,
"entity_id": "https://localhost:8080",
"issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
"idp_name": "SimpleSAML",
"metadata_url": "http://localhost:9080/simplesaml/saml2/idp/metadata.php",
"enable_jit_provisioning": false
}
}`), http.StatusOK, &acResp)
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
require.NotNil(t, acResp)
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
// double-check the settings
var resGet ssoSettingsResponse
Fix SSO paths to always use `/v1/` instead of `/latest/` (#5246)
2022-04-20 16:46:45 +00:00
s.DoJSON("GET", "/api/v1/fleet/sso", nil, http.StatusOK, &resGet)
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
require.True(t, resGet.Settings.SSOEnabled)
// initiate an SSO auth
var resIni initiateSSOResponse
Fix SSO paths to always use `/v1/` instead of `/latest/` (#5246)
2022-04-20 16:46:45 +00:00
s.DoJSON("POST", "/api/v1/fleet/sso", map[string]string{}, http.StatusOK, &resIni)
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
require.NotEmpty(t, resIni.URL)
parsed, err := url.Parse(resIni.URL)
require.NoError(t, err)
q := parsed.Query()
encoded := q.Get("SAMLRequest")
assert.NotEmpty(t, encoded)
authReq := inflate(t, encoded)
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
assert.Equal(t, "https://localhost:8080", authReq.Issuer.Url)
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
assert.Equal(t, "Fleet", authReq.ProviderName)
assert.True(t, strings.HasPrefix(authReq.ID, "id"), authReq.ID)
}
Invalid SSO metadata now generates 400 error instead of 500 (#14903) /fleet/sso endpoint now returns 400 status code (as opposed to 500) when SSO Metadata URL returns invalid data or SSO Metadata is invalid #12559 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
2023-11-03 14:33:25 +00:00
func (s *integrationSSOTestSuite) TestSSOInvalidMetadataURL() {
t := s.T()
badMetadataUrl := "https://www.fleetdm.com"
acResp := appConfigResponse{}
s.DoJSON(
"PATCH", "/api/latest/fleet/config", json.RawMessage(
`{
"sso_settings": {
"enable_sso": true,
"entity_id": "https://localhost:8080",
"issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
"idp_name": "SimpleSAML",
"metadata_url": "`+badMetadataUrl+`",
"enable_jit_provisioning": false
}
}`,
), http.StatusOK, &acResp,
)
require.NotNil(t, acResp)
var resIni initiateSSOResponse
expectedStatus := http.StatusBadRequest
t.Logf("Expecting 400 %v status when bad SSO metadata_url is set: %v", expectedStatus, badMetadataUrl)
s.DoJSON("POST", "/api/v1/fleet/sso", map[string]string{}, expectedStatus, &resIni)
}
func (s *integrationSSOTestSuite) TestSSOInvalidMetadata() {
t := s.T()
badMetadata := "<EntityDescriptor>foo</EntityDescriptor>"
acResp := appConfigResponse{}
s.DoJSON(
"PATCH", "/api/latest/fleet/config", json.RawMessage(
`{
"sso_settings": {
"enable_sso": true,
"entity_id": "https://localhost:8080",
"issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
"idp_name": "SimpleSAML",
"metadata": "`+badMetadata+`",
"metadata_url": "",
"enable_jit_provisioning": false
}
}`,
), http.StatusOK, &acResp,
)
require.NotNil(t, acResp)
var resIni initiateSSOResponse
expectedStatus := http.StatusBadRequest
t.Logf("Expecting %v status when bad SSO metadata is provided: %v", expectedStatus, badMetadata)
s.DoJSON("POST", "/api/v1/fleet/sso", map[string]string{}, expectedStatus, &resIni)
}
SSO Metadata URL can only be https/http (#12388) When setting up SSO, validate that the Metadata URL has the proper scheme.
2023-06-22 12:17:37 +00:00
func (s *integrationSSOTestSuite) TestSSOValidation() {
acResp := appConfigResponse{}
// Test we are validating metadata_url
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"sso_settings": {
"enable_sso": true,
"entity_id": "https://localhost:8080",
"idp_name": "SimpleSAML",
"metadata_url": "ssh://localhost:9080/simplesaml/saml2/idp/metadata.php"
}
}`), http.StatusUnprocessableEntity, &acResp)
}
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
func (s *integrationSSOTestSuite) TestSSOLogin() {
t := s.T()
acResp := appConfigResponse{}
Validate team and appconfig payloads, with `dry-run` and `force` modes (#7731)
2022-09-19 17:53:44 +00:00
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"sso_settings": {
"enable_sso": true,
"entity_id": "https://localhost:8080",
"issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
"idp_name": "SimpleSAML",
"metadata_url": "http://localhost:9080/simplesaml/saml2/idp/metadata.php"
}
}`), http.StatusOK, &acResp)
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
require.NotNil(t, acResp)
Log failed login attempts as activities (#9430) #9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-20 15:43:22 +00:00
// Register current number of activities.
activitiesResp := listActivitiesResponse{}
s.DoJSON("GET", "/api/latest/fleet/activities", nil, http.StatusOK, &activitiesResp)
require.NoError(t, activitiesResp.Err)
oldActivitiesCount := len(activitiesResp.Activities)
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
// users can't login if they don't have an account on free plans
_, body := s.LoginSSOUser("sso_user", "user123#")
require.Contains(t, body, "/login?status=account_invalid")
Log failed login attempts as activities (#9430) #9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-20 15:43:22 +00:00
newActivitiesCount := 1
checkNewFailedLoginActivity := func() {
activitiesResp = listActivitiesResponse{}
s.DoJSON("GET", "/api/latest/fleet/activities", nil, http.StatusOK, &activitiesResp)
require.NoError(t, activitiesResp.Err)
require.Len(t, activitiesResp.Activities, oldActivitiesCount+newActivitiesCount)
sort.Slice(activitiesResp.Activities, func(i, j int) bool {
return activitiesResp.Activities[i].ID < activitiesResp.Activities[j].ID
})
activity := activitiesResp.Activities[len(activitiesResp.Activities)-1]
require.Equal(t, activity.Type, fleet.ActivityTypeUserFailedLogin{}.ActivityName())
require.NotNil(t, activity.Details)
actDetails := fleet.ActivityTypeUserFailedLogin{}
err := json.Unmarshal(*activity.Details, &actDetails)
require.NoError(t, err)
require.Equal(t, "sso_user@example.com", actDetails.Email)
newActivitiesCount++
}
// A new activity item for the failed SSO login is created.
checkNewFailedLoginActivity()
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
// users can't login if they don't have an account on free plans
// even if JIT provisioning is enabled
ac, err := s.ds.AppConfig(context.Background())
ac.SSOSettings.EnableJITProvisioning = true
require.NoError(t, err)
err = s.ds.SaveAppConfig(context.Background(), ac)
require.NoError(t, err)
_, body = s.LoginSSOUser("sso_user", "user123#")
require.Contains(t, body, "/login?status=account_invalid")
Log failed login attempts as activities (#9430) #9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-20 15:43:22 +00:00
// A new activity item for the failed SSO login is created.
checkNewFailedLoginActivity()
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
// an user created by an admin without SSOEnabled can't log-in
params := fleet.UserPayload{
Name: ptr.String("SSO User 1"),
Email: ptr.String("sso_user@example.com"),
GlobalRole: ptr.String(fleet.RoleObserver),
SSOEnabled: ptr.Bool(false),
}
s.Do("POST", "/api/latest/fleet/users/admin", &params, http.StatusUnprocessableEntity)
_, body = s.LoginSSOUser("sso_user", "user123#")
require.Contains(t, body, "/login?status=account_invalid")
Log failed login attempts as activities (#9430) #9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-20 15:43:22 +00:00
// A new activity item for the failed SSO login is created.
checkNewFailedLoginActivity()
Add `enable_jit_role_sync` config (#10478) #8411 We decided to only update roles for existing accounts if enabled by a new setting (disabled by default) `sso_settings.enable_jit_role_sync`. - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-14 20:17:08 +00:00
// A user created by an admin with SSOEnabled is able to log-in
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
params = fleet.UserPayload{
Name: ptr.String("SSO User 2"),
Email: ptr.String("sso_user2@example.com"),
GlobalRole: ptr.String(fleet.RoleObserver),
SSOEnabled: ptr.Bool(true),
}
s.Do("POST", "/api/latest/fleet/users/admin", &params, http.StatusOK)
auth, body := s.LoginSSOUser("sso_user2", "user123#")
assert.Equal(t, "sso_user2@example.com", auth.UserID())
assert.Equal(t, "SSO User 2", auth.UserDisplayName())
require.Contains(t, body, "Redirecting to Fleet at ...")
add an activity for SSO login (#9110)
2022-12-22 23:06:33 +00:00
// a new activity item is created
Log failed login attempts as activities (#9430) #9119 To test the SSO changes locally you can use: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Testing-and-local-development.md#testing-sso @RachelElysia Please take a look at the UI changes (All I did was copy/paste and amend the changes for the new activity type.) IMO we shouldn't display an avatar because there's no "actual user" involved in these failed login attempts activities (by "actual user" I mean the user attributed to the activity): <img width="446" alt="Screenshot 2023-01-19 at 10 41 05" src="https://user-images.githubusercontent.com/2073526/213524771-b85901ce-eec0-4cf3-919c-73162285e20b.png"> - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-01-20 15:43:22 +00:00
activitiesResp = listActivitiesResponse{}
add an activity for SSO login (#9110)
2022-12-22 23:06:33 +00:00
s.DoJSON("GET", "/api/latest/fleet/activities", nil, http.StatusOK, &activitiesResp)
require.NoError(t, activitiesResp.Err)
require.NotEmpty(t, activitiesResp.Activities)
require.Condition(t, func() bool {
for _, a := range activitiesResp.Activities {
Make activities typed and auto-generate docs for each type (#9069) * Make activities type and auto-generate docs for each type * Add pageOrderInSection to not break site * Add do not edit note to generated file * Add make generate-doc step * Fix main merge
2022-12-23 16:05:16 +00:00
if (a.Type == fleet.ActivityTypeUserLoggedIn{}.ActivityName()) && *a.ActorEmail == auth.UserID() {
add an activity for SSO login (#9110)
2022-12-22 23:06:33 +00:00
return true
}
}
return false
})
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
}
Return 403 instead of 500 when conditions are not met to perform a required pwd reset (#13244)
2023-08-09 19:28:04 +00:00
func (s *integrationSSOTestSuite) TestPerformRequiredPasswordResetWithSSO() {
// ensure that on exit, the admin token is used
defer func() { s.token = s.getTestAdminToken() }()
t := s.T()
// create a non-SSO user
var createResp createUserResponse
userRawPwd := test.GoodPassword
params := fleet.UserPayload{
Name: ptr.String("extra"),
Email: ptr.String("extra@asd.com"),
Password: ptr.String(userRawPwd),
GlobalRole: ptr.String(fleet.RoleObserver),
}
s.DoJSON("POST", "/api/latest/fleet/users/admin", params, http.StatusOK, &createResp)
assert.NotZero(t, createResp.User.ID)
assert.True(t, createResp.User.AdminForcedPasswordReset)
nonSSOUser := *createResp.User
// enable SSO
acResp := appConfigResponse{}
s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
"sso_settings": {
"enable_sso": true,
"entity_id": "https://localhost:8080",
"issuer_uri": "http://localhost:8080/simplesaml/saml2/idp/SSOService.php",
"idp_name": "SimpleSAML",
"metadata_url": "http://localhost:9080/simplesaml/saml2/idp/metadata.php"
}
}`), http.StatusOK, &acResp)
require.NotNil(t, acResp)
// perform a required password change using the non-SSO user, works
s.token = s.getTestToken(nonSSOUser.Email, userRawPwd)
perfPwdResetResp := performRequiredPasswordResetResponse{}
newRawPwd := "new_password2!"
s.DoJSON("POST", "/api/latest/fleet/perform_required_password_reset", performRequiredPasswordResetRequest{
Password: newRawPwd,
ID: nonSSOUser.ID,
}, http.StatusOK, &perfPwdResetResp)
require.False(t, perfPwdResetResp.User.AdminForcedPasswordReset)
// trick the user into one with SSO enabled (we could create that user but it
// won't have a password nor an API token to use for the request, so we mock
// it in the DB)
mysql.ExecAdhocSQL(t, s.ds, func(db sqlx.ExtContext) error {
_, err := db.ExecContext(
context.Background(),
"UPDATE users SET sso_enabled = 1, admin_forced_password_reset = 1 WHERE id = ?",
nonSSOUser.ID,
)
return err
})
// perform a required password change using the mocked SSO user, disallowed
perfPwdResetResp = performRequiredPasswordResetResponse{}
newRawPwd = "new_password2!"
s.DoJSON("POST", "/api/latest/fleet/perform_required_password_reset", performRequiredPasswordResetRequest{
Password: newRawPwd,
ID: nonSSOUser.ID,
}, http.StatusForbidden, &perfPwdResetResp)
}
Add tests to SSO/SAML implementation (#2997)
2021-11-23 13:25:43 +00:00
func inflate(t *testing.T, s string) *sso.AuthnRequest {
t.Helper()
decoded, err := base64.StdEncoding.DecodeString(s)
require.NoError(t, err)
r := flate.NewReader(bytes.NewReader(decoded))
defer r.Close()
var req sso.AuthnRequest
require.NoError(t, xml.NewDecoder(r).Decode(&req))
return &req
}
Reference in New Issue Copy Permalink