tests: assert user with unknown group cannot login with sso or ldap
This commit is contained in:
parent
01d8f735ae
commit
ffa918aec6
6 changed files with 36 additions and 15 deletions
|
|
@ -1065,10 +1065,6 @@ in
|
|||
];
|
||||
in lib.mkIf (cfg.enable && cfg.apps.sso.enable) {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.apps.ldap.enable;
|
||||
message = "SSO app requires LDAP app to work correctly.";
|
||||
}
|
||||
{
|
||||
assertion = cfg.ssl != null;
|
||||
message = "To integrate SSO, SSL must be enabled, set the shb.nextcloud.ssl option.";
|
||||
|
|
@ -1128,6 +1124,7 @@ in
|
|||
groups = "groups";
|
||||
is_admin = "is_nextcloud_admin";
|
||||
};
|
||||
oidc_login_allowed_groups = [ cfg.apps.ldap.userGroup ];
|
||||
oidc_login_default_group = "oidc";
|
||||
oidc_login_use_external_storage = false;
|
||||
oidc_login_scope = lib.concatStringsSep " " scopes;
|
||||
|
|
|
|||
|
|
@ -427,16 +427,17 @@ in
|
|||
groups = [ "user_group" "admin_group" ];
|
||||
password.result.path = pkgs.writeText "bobPassword" "BobPassword";
|
||||
};
|
||||
# charlie = {
|
||||
# email = "charlie@example.com";
|
||||
# groups = [ ];
|
||||
# password.result.path = pkgs.writeText "charliePassword" "CharliePassword";
|
||||
# };
|
||||
charlie = {
|
||||
email = "charlie@example.com";
|
||||
groups = [ "other_group" ];
|
||||
password.result.path = pkgs.writeText "charliePassword" "CharliePassword";
|
||||
};
|
||||
};
|
||||
|
||||
ensureGroups = {
|
||||
user_group = {};
|
||||
admin_group = {};
|
||||
other_group = {};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -247,6 +247,12 @@ in
|
|||
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
||||
"expect(page).to_have_title(re.compile('Dashboard'))"
|
||||
]; }
|
||||
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
|
||||
"expect(page.get_by_text('Username or password is incorrect.')).to_be_visible()"
|
||||
]; }
|
||||
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
|
||||
"expect(page.get_by_text('Username or password is incorrect.')).to_be_visible()"
|
||||
]; }
|
||||
];
|
||||
};
|
||||
})
|
||||
|
|
|
|||
|
|
@ -231,11 +231,13 @@ let
|
|||
{ username = "bob"; password = "NotBobPassword"; nextPageExpect = [
|
||||
"expect(page.get_by_text('Incorrect username or password')).to_be_visible()"
|
||||
]; }
|
||||
# TODO: charlie has no groups, which makes lldap return a 'null' value instead of an empty array and Authelia does not like that.
|
||||
# { username = "charlie"; password = "CharliePassword"; nextPageExpect = [
|
||||
# "page.get_by_role('button', name=re.compile('Accept')).click()"
|
||||
# "expect(page).to_have_title(re.compile('Dashboard'))"
|
||||
# ]; }
|
||||
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
|
||||
"expect(page.get_by_text('Incorrect username or password')).to_be_visible()"
|
||||
]; }
|
||||
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
|
||||
"page.get_by_role('button', name=re.compile('Accept')).click()"
|
||||
"expect(page.get_by_text('not member of the allowed groups')).to_be_visible()"
|
||||
]; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
@ -269,6 +271,9 @@ let
|
|||
sso = { config, ... }:
|
||||
{
|
||||
shb.nextcloud = {
|
||||
apps.ldap = {
|
||||
userGroup = "user_group";
|
||||
};
|
||||
apps.sso = {
|
||||
enable = true;
|
||||
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
|
|
@ -549,7 +554,6 @@ in
|
|||
testLib.certs
|
||||
https
|
||||
testLib.ldap
|
||||
ldap
|
||||
(testLib.sso config.shb.certs.certs.selfsigned.n)
|
||||
sso
|
||||
({ config, ... }: {
|
||||
|
|
|
|||
|
|
@ -94,6 +94,13 @@ let
|
|||
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
||||
"expect(page.get_by_text('logged in')).to_be_visible()"
|
||||
]; }
|
||||
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
|
||||
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible()"
|
||||
]; }
|
||||
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
|
||||
"page.get_by_role('button', name=re.compile('Accept')).click()"
|
||||
"expect(page.get_by_text('pending activation')).to_be_visible()"
|
||||
]; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -115,6 +115,12 @@ let
|
|||
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
|
||||
"expect(page.get_by_text('Create a media profile')).to_be_visible()"
|
||||
]; }
|
||||
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
|
||||
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible()"
|
||||
]; }
|
||||
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
|
||||
"expect(page).to_have_url(re.compile('.*/authenticated'))"
|
||||
]; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in a new issue