Use samba ad container for ldap

2024-04-24 11:24:46 +01:00 · 2024-04-24 11:24:46 +01:00 · 33ffc14e6b
parent 463200cfb3
commit 33ffc14e6b
6 changed files with 122 additions and 29 deletions
--- a/.github/workflows/ldap_acceptance.yml
+++ b/.github/workflows/ldap_acceptance.yml
@ -45,15 +45,6 @@ jobs:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 40

-    services:
-      ldap:
-        image: ${{ matrix.target.version }}
-        ports: [ "10389:10389" ]
-        options: >-
-          --health-cmd "${{ matrix.target.health_cmd }}"
-          --health-interval 10s
-          --health-timeout 10s
-          --health-retries 5
    strategy:
      fail-fast: true
      matrix:
@ -61,13 +52,11 @@ jobs:
          - '3.2'
        os:
          - ubuntu-latest
-        target:
-          - { version: "dwimberger/ldap-ad-it:latest", health_cmd: 'apk update; apk add openldap-clients; ldapsearch -x -H ldap://localhost:10389 -D uid=admin,ou=system -w secret -b dc=wimpi,dc=net' }

    env:
      RAILS_ENV: test

-    name: ${{ matrix.target.version }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    name: LDAP Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
    steps:
      - name: Install system dependencies
        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
@ -75,6 +64,12 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      - name: Run samba/ldap docker container
+        working-directory: 'test/ldap'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
      - name: Setup Ruby
        env:
          BUNDLE_WITHOUT: "coverage development pcap"
@ -85,19 +80,11 @@ jobs:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true

-      - name: Extract runtime version
-        run: |
-          echo "RUNTIME_VERSION=$(echo $DOCKER_IMAGE | awk -F: '{ print $2 }')" >> $GITHUB_ENV
-          echo "DOCKER_IMAGE_FILENAME=$(echo $DOCKER_IMAGE | tr -d '/:')" >> $GITHUB_ENV
-        env:
-          DOCKER_IMAGE: ${{ matrix.target.version }}
-          OS: ${{ matrix.os }}
-
      - name: acceptance
        env:
          SPEC_HELPER_LOAD_METASPLOIT: false
          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
-          RUNTIME_VERSION: ${{ env.RUNTIME_VERSION }}
+          RUNTIME_VERSION: latest
        # Unix run command:
        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
        # Windows cmd command:
@ -113,7 +100,7 @@ jobs:
        uses: actions/upload-artifact@v4
        with:
          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
-          name: ${{ env.DOCKER_IMAGE_FILENAME }}-${{ matrix.os }}
+          name: ldap-acceptance-${{ matrix.os }}
          path: tmp/allure-raw-data

  # Generate a final report from the previous test results
--- a/spec/acceptance/ldap_spec.rb
+++ b/spec/acceptance/ldap_spec.rb
@ -14,10 +14,10 @@ RSpec.describe 'LDAP modules' do
        datastore: {
          global: {},
          module: {
-            username: ENV.fetch('LDAP_USERNAME', 'uid=admin,ou=system'),
-            password: ENV.fetch('LDAP_PASSWORD', 'secret'),
+            username: ENV.fetch('LDAP_USERNAME', "'DEV-AD\\Administrator'"),
+            password: ENV.fetch('LDAP_PASSWORD', 'admin123!'),
            rhost: ENV.fetch('LDAP_RHOST', '127.0.0.1'),
-            rport: ENV.fetch('LDAP_RPORT', '10389'),
+            rport: ENV.fetch('LDAP_RPORT', '389'),
            ssl: ENV.fetch('LDAP_SSL', 'false')
          }
        }
@ -54,7 +54,7 @@ RSpec.describe 'LDAP modules' do
            all: {
              required: [
                /Discovered base DN/,
-                /Query returned 1 result/
+                /Query returned 4 results/
              ]
            }
          }
@ -68,8 +68,10 @@ RSpec.describe 'LDAP modules' do
            all: {
              required: [
                /Discovering base DN\(s\) automatically/,
-                /Storing LDAP data for base DN='dc=wimpi,dc=net' in loot/,
-                /5 entries, 1 creds found in 'dc=wimpi,dc=net'/
+                /Dumping data for root DSE/,
+                /Searching base DN='DC=ldap,DC=example,DC=com'/,
+                /Storing LDAP data for base DN='DC=ldap,DC=example,DC=com' in loot/,
+                /266 entries, 0 creds found in 'DC=ldap,DC=example,DC=com'./
              ]
            }
          }
@ -79,11 +81,12 @@ RSpec.describe 'LDAP modules' do
          platforms: %i[linux osx windows],
          targets: [:rhost],
          skipped: false,
-          datastore: { TARGET_USER: 'test' },
+          datastore: { TARGET_USER: 'administrator' },
          lines: {
            all: {
              required: [
                /Discovering base DN automatically/,
+                /Discovered base DN: DC=ldap,DC=example,DC=com/,
                /The msDS-KeyCredentialLink field is empty./
              ]
            }
--- a/test/ldap/Dockerfile
+++ b/test/ldap/Dockerfile
@ -0,0 +1,14 @@
+FROM ubuntu:20.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install samba krb5-config winbind smbclient
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install iproute2
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install openssl
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install vim
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install ldap-utils
+
+RUN rm /etc/krb5.conf
+RUN mkdir -p /opt/ad-scripts
+
+WORKDIR /opt/ad-scripts
+
+CMD chmod +x *.sh && ./samba-ad-setup.sh && ./samba-ad-run.sh
--- a/test/ldap/docker-compose.yml
+++ b/test/ldap/docker-compose.yml
@ -0,0 +1,25 @@
+version: '3.7'
+
+services:
+  ldap:
+    tty: true
+    network_mode: bridge
+    hostname: ldap.example.com
+    ports:
+      - "389:389"
+      - "636:636"
+    cap_add:
+      - SYS_ADMIN
+    environment:
+      SMB_ADMIN_PASSWORD: admin123!
+    volumes:
+      - ./:/opt/ad-scripts
+    healthcheck:
+      test: ldapsearch -x -H ldap://localhost:389 -b '' -D DEV-AD\\Administrator -w admin123! -s base
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 5s
+    build:
+      context: .
+      dockerfile: Dockerfile
--- a/test/ldap/samba-ad-run.sh
+++ b/test/ldap/samba-ad-run.sh
@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+[ -f /var/lib/samba/.setup ] || {
+    >&2 echo "[ERROR] Samba is not setup yet, which should happen automatically. Look for errors!"
+    exit 127
+}
+
+cat << EOF > /var/lib/samba/private/smb.conf
+# Global parameters
+[global]
+	dns forwarder = 192.168.65.7
+	#server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
+	server services = ldap
+
+	netbios name = LDAP
+	realm = LDAP.EXAMPLE.COM
+	server role = active directory domain controller
+	workgroup = DEV-AD
+	idmap_ldb:use rfc2307 = yes
+	ldap server require strong auth = no
+	allow dns updates = disabled
+[sysvol]
+	path = /var/lib/samba/sysvol
+	read only = No
+
+[netlogon]
+	path = /var/lib/samba/sysvol/ldap.example.com/scripts
+	read only = No
+EOF
+
+samba -i -s /var/lib/samba/private/smb.conf
--- a/test/ldap/samba-ad-setup.sh
+++ b/test/ldap/samba-ad-setup.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+info () {
+    echo "[INFO] $@"
+}
+
+info "Running setup"
+
+# Check if samba is setup
+[ -f /var/lib/samba/.setup ] && info "Already setup..." && exit 0
+
+info "Provisioning domain controller..."
+
+info "Given admin password: ${SMB_ADMIN_PASSWORD}"
+
+rm /etc/samba/smb.conf
+
+samba-tool domain provision\
+ --server-role=dc\
+ --use-rfc2307\
+ --dns-backend=SAMBA_INTERNAL\
+ --realm=`hostname`\
+ --domain=DEV-AD\
+ --adminpass=${SMB_ADMIN_PASSWORD}\
+ --option='server services = ldap'
+
+mv /etc/samba/smb.conf /var/lib/samba/private/smb.conf
+
+touch /var/lib/samba/.setup