tests: assert user with unknown group cannot login with sso or ldap

This commit is contained in:
ibizaman 2025-09-27 22:33:30 +02:00 committed by Pierre Penninckx
parent 01d8f735ae
commit ffa918aec6
6 changed files with 36 additions and 15 deletions

View file

@ -1065,10 +1065,6 @@ in
];
in lib.mkIf (cfg.enable && cfg.apps.sso.enable) {
assertions = [
{
assertion = cfg.apps.ldap.enable;
message = "SSO app requires LDAP app to work correctly.";
}
{
assertion = cfg.ssl != null;
message = "To integrate SSO, SSL must be enabled, set the shb.nextcloud.ssl option.";
@ -1128,6 +1124,7 @@ in
groups = "groups";
is_admin = "is_nextcloud_admin";
};
oidc_login_allowed_groups = [ cfg.apps.ldap.userGroup ];
oidc_login_default_group = "oidc";
oidc_login_use_external_storage = false;
oidc_login_scope = lib.concatStringsSep " " scopes;

View file

@ -427,16 +427,17 @@ in
groups = [ "user_group" "admin_group" ];
password.result.path = pkgs.writeText "bobPassword" "BobPassword";
};
# charlie = {
# email = "charlie@example.com";
# groups = [ ];
# password.result.path = pkgs.writeText "charliePassword" "CharliePassword";
# };
charlie = {
email = "charlie@example.com";
groups = [ "other_group" ];
password.result.path = pkgs.writeText "charliePassword" "CharliePassword";
};
};
ensureGroups = {
user_group = {};
admin_group = {};
other_group = {};
};
};
};

View file

@ -247,6 +247,12 @@ in
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
"expect(page).to_have_title(re.compile('Dashboard'))"
]; }
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
"expect(page.get_by_text('Username or password is incorrect.')).to_be_visible()"
]; }
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
"expect(page.get_by_text('Username or password is incorrect.')).to_be_visible()"
]; }
];
};
})

View file

@ -231,11 +231,13 @@ let
{ username = "bob"; password = "NotBobPassword"; nextPageExpect = [
"expect(page.get_by_text('Incorrect username or password')).to_be_visible()"
]; }
# TODO: charlie has no groups, which makes lldap return a 'null' value instead of an empty array and Authelia does not like that.
# { username = "charlie"; password = "CharliePassword"; nextPageExpect = [
# "page.get_by_role('button', name=re.compile('Accept')).click()"
# "expect(page).to_have_title(re.compile('Dashboard'))"
# ]; }
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
"expect(page.get_by_text('Incorrect username or password')).to_be_visible()"
]; }
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
"page.get_by_role('button', name=re.compile('Accept')).click()"
"expect(page.get_by_text('not member of the allowed groups')).to_be_visible()"
]; }
];
};
};
@ -269,6 +271,9 @@ let
sso = { config, ... }:
{
shb.nextcloud = {
apps.ldap = {
userGroup = "user_group";
};
apps.sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
@ -549,7 +554,6 @@ in
testLib.certs
https
testLib.ldap
ldap
(testLib.sso config.shb.certs.certs.selfsigned.n)
sso
({ config, ... }: {

View file

@ -94,6 +94,13 @@ let
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
"expect(page.get_by_text('logged in')).to_be_visible()"
]; }
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible()"
]; }
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
"page.get_by_role('button', name=re.compile('Accept')).click()"
"expect(page.get_by_text('pending activation')).to_be_visible()"
]; }
];
};
};

View file

@ -115,6 +115,12 @@ let
"expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()"
"expect(page.get_by_text('Create a media profile')).to_be_visible()"
]; }
{ username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [
"expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible()"
]; }
{ username = "charlie"; password = "CharliePassword"; nextPageExpect = [
"expect(page).to_have_url(re.compile('.*/authenticated'))"
]; }
];
};
};