diff --git a/modules/services/nextcloud-server.nix b/modules/services/nextcloud-server.nix index f2bdb7a..032e34e 100644 --- a/modules/services/nextcloud-server.nix +++ b/modules/services/nextcloud-server.nix @@ -1065,10 +1065,6 @@ in ]; in lib.mkIf (cfg.enable && cfg.apps.sso.enable) { assertions = [ - { - assertion = cfg.apps.ldap.enable; - message = "SSO app requires LDAP app to work correctly."; - } { assertion = cfg.ssl != null; message = "To integrate SSO, SSL must be enabled, set the shb.nextcloud.ssl option."; @@ -1128,6 +1124,7 @@ in groups = "groups"; is_admin = "is_nextcloud_admin"; }; + oidc_login_allowed_groups = [ cfg.apps.ldap.userGroup ]; oidc_login_default_group = "oidc"; oidc_login_use_external_storage = false; oidc_login_scope = lib.concatStringsSep " " scopes; diff --git a/test/common.nix b/test/common.nix index a3f7ef2..a011377 100644 --- a/test/common.nix +++ b/test/common.nix @@ -427,16 +427,17 @@ in groups = [ "user_group" "admin_group" ]; password.result.path = pkgs.writeText "bobPassword" "BobPassword"; }; - # charlie = { - # email = "charlie@example.com"; - # groups = [ ]; - # password.result.path = pkgs.writeText "charliePassword" "CharliePassword"; - # }; + charlie = { + email = "charlie@example.com"; + groups = [ "other_group" ]; + password.result.path = pkgs.writeText "charliePassword" "CharliePassword"; + }; }; ensureGroups = { user_group = {}; admin_group = {}; + other_group = {}; }; }; }; diff --git a/test/services/forgejo.nix b/test/services/forgejo.nix index 72b9b58..32be99d 100644 --- a/test/services/forgejo.nix +++ b/test/services/forgejo.nix @@ -247,6 +247,12 @@ in "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()" "expect(page).to_have_title(re.compile('Dashboard'))" ]; } + { username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [ + "expect(page.get_by_text('Username or password is incorrect.')).to_be_visible()" + ]; } + { username = "charlie"; password = "CharliePassword"; nextPageExpect = [ + "expect(page.get_by_text('Username or password is incorrect.')).to_be_visible()" + ]; } ]; }; }) diff --git a/test/services/nextcloud.nix b/test/services/nextcloud.nix index 5563fde..dba441f 100644 --- a/test/services/nextcloud.nix +++ b/test/services/nextcloud.nix @@ -231,11 +231,13 @@ let { username = "bob"; password = "NotBobPassword"; nextPageExpect = [ "expect(page.get_by_text('Incorrect username or password')).to_be_visible()" ]; } - # TODO: charlie has no groups, which makes lldap return a 'null' value instead of an empty array and Authelia does not like that. - # { username = "charlie"; password = "CharliePassword"; nextPageExpect = [ - # "page.get_by_role('button', name=re.compile('Accept')).click()" - # "expect(page).to_have_title(re.compile('Dashboard'))" - # ]; } + { username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [ + "expect(page.get_by_text('Incorrect username or password')).to_be_visible()" + ]; } + { username = "charlie"; password = "CharliePassword"; nextPageExpect = [ + "page.get_by_role('button', name=re.compile('Accept')).click()" + "expect(page.get_by_text('not member of the allowed groups')).to_be_visible()" + ]; } ]; }; }; @@ -269,6 +271,9 @@ let sso = { config, ... }: { shb.nextcloud = { + apps.ldap = { + userGroup = "user_group"; + }; apps.sso = { enable = true; endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; @@ -549,7 +554,6 @@ in testLib.certs https testLib.ldap - ldap (testLib.sso config.shb.certs.certs.selfsigned.n) sso ({ config, ... }: { diff --git a/test/services/open-webui.nix b/test/services/open-webui.nix index 9ab7bb4..5dbd383 100644 --- a/test/services/open-webui.nix +++ b/test/services/open-webui.nix @@ -94,6 +94,13 @@ let "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()" "expect(page.get_by_text('logged in')).to_be_visible()" ]; } + { username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [ + "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible()" + ]; } + { username = "charlie"; password = "CharliePassword"; nextPageExpect = [ + "page.get_by_role('button', name=re.compile('Accept')).click()" + "expect(page.get_by_text('pending activation')).to_be_visible()" + ]; } ]; }; }; diff --git a/test/services/pinchflat.nix b/test/services/pinchflat.nix index f6b2370..9a39c26 100644 --- a/test/services/pinchflat.nix +++ b/test/services/pinchflat.nix @@ -115,6 +115,12 @@ let "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()" "expect(page.get_by_text('Create a media profile')).to_be_visible()" ]; } + { username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [ + "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible()" + ]; } + { username = "charlie"; password = "CharliePassword"; nextPageExpect = [ + "expect(page).to_have_url(re.compile('.*/authenticated'))" + ]; } ]; }; };