From 33ffc14e6b58de95fa90f28add871cbbb2bc7fd4 Mon Sep 17 00:00:00 2001 From: Dean Welch Date: Wed, 24 Apr 2024 11:24:46 +0100 Subject: [PATCH] Use samba ad container for ldap --- .github/workflows/ldap_acceptance.yml | 31 ++++++++----------------- spec/acceptance/ldap_spec.rb | 17 ++++++++------ test/ldap/Dockerfile | 14 ++++++++++++ test/ldap/docker-compose.yml | 25 ++++++++++++++++++++ test/ldap/samba-ad-run.sh | 33 +++++++++++++++++++++++++++ test/ldap/samba-ad-setup.sh | 31 +++++++++++++++++++++++++ 6 files changed, 122 insertions(+), 29 deletions(-) create mode 100644 test/ldap/Dockerfile create mode 100644 test/ldap/docker-compose.yml create mode 100755 test/ldap/samba-ad-run.sh create mode 100755 test/ldap/samba-ad-setup.sh diff --git a/.github/workflows/ldap_acceptance.yml b/.github/workflows/ldap_acceptance.yml index 37241bb4b8..2658b4f428 100644 --- a/.github/workflows/ldap_acceptance.yml +++ b/.github/workflows/ldap_acceptance.yml @@ -45,15 +45,6 @@ jobs: runs-on: ${{ matrix.os }} timeout-minutes: 40 - services: - ldap: - image: ${{ matrix.target.version }} - ports: [ "10389:10389" ] - options: >- - --health-cmd "${{ matrix.target.health_cmd }}" - --health-interval 10s - --health-timeout 10s - --health-retries 5 strategy: fail-fast: true matrix: @@ -61,13 +52,11 @@ jobs: - '3.2' os: - ubuntu-latest - target: - - { version: "dwimberger/ldap-ad-it:latest", health_cmd: 'apk update; apk add openldap-clients; ldapsearch -x -H ldap://localhost:10389 -D uid=admin,ou=system -w secret -b dc=wimpi,dc=net' } env: RAILS_ENV: test - name: ${{ matrix.target.version }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }} + name: LDAP Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }} steps: - name: Install system dependencies run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz 
@@ -75,6 +64,12 @@ jobs: - name: Checkout code uses: actions/checkout@v4 + - name: Run samba/ldap docker container + working-directory: 'test/ldap' + run: | + docker compose build + docker compose up --wait -d + - name: Setup Ruby env: BUNDLE_WITHOUT: "coverage development pcap" @@ -85,19 +80,11 @@ jobs: ruby-version: '${{ matrix.ruby }}' bundler-cache: true - - name: Extract runtime version - run: | - echo "RUNTIME_VERSION=$(echo $DOCKER_IMAGE | awk -F: '{ print $2 }')" >> $GITHUB_ENV - echo "DOCKER_IMAGE_FILENAME=$(echo $DOCKER_IMAGE | tr -d '/:')" >> $GITHUB_ENV - env: - DOCKER_IMAGE: ${{ matrix.target.version }} - OS: ${{ matrix.os }} - - name: acceptance env: SPEC_HELPER_LOAD_METASPLOIT: false SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter" - RUNTIME_VERSION: ${{ env.RUNTIME_VERSION }} + RUNTIME_VERSION: latest # Unix run command: # SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance # Windows cmd command: @@ -113,7 +100,7 @@ jobs: uses: actions/upload-artifact@v4 with: # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips - name: ${{ env.DOCKER_IMAGE_FILENAME }}-${{ matrix.os }} + name: ldap-acceptance-${{ matrix.os }} path: tmp/allure-raw-data # Generate a final report from the previous test results diff --git a/spec/acceptance/ldap_spec.rb b/spec/acceptance/ldap_spec.rb index d5907b9b5b..4c702020d3 100644 --- a/spec/acceptance/ldap_spec.rb +++ b/spec/acceptance/ldap_spec.rb 
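Review bot: When `docker compose up --wait -d` fails, the job aborts with no output from the container, so an error inside samba-ad-setup.sh (provisioning is the slow, failure-prone part) leaves nothing to debug in the run log. Add a step after the acceptance step, outside this hunk, that dumps the container logs on failure. Note too that `--wait` is bounded by the healthcheck in test/ldap/docker-compose.yml (5 s start_period plus 5 retries at 10 s), so if `samba-tool domain provision` takes longer than roughly a minute on a slow runner this step fails rather than waits; raising `retries` there is the knob.

```yaml
      - name: Dump LDAP container logs
        if: failure()
        working-directory: 'test/ldap'
        run: docker compose logs ldap
```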
@@ -14,10 +14,10 @@ RSpec.describe 'LDAP modules' do
 datastore: {
 global: {},
 module: {
- username: ENV.fetch('LDAP_USERNAME', 'uid=admin,ou=system'),
- password: ENV.fetch('LDAP_PASSWORD', 'secret'),
+ username: ENV.fetch('LDAP_USERNAME', "'DEV-AD\\Administrator'"),
+ password: ENV.fetch('LDAP_PASSWORD', 'admin123!'),
 rhost: ENV.fetch('LDAP_RHOST', '127.0.0.1'),
- rport: ENV.fetch('LDAP_RPORT', '10389'),
+ rport: ENV.fetch('LDAP_RPORT', '389'),
 ssl: ENV.fetch('LDAP_SSL', 'false')
 }
 }
@@ -54,7 +54,7 @@ RSpec.describe 'LDAP modules' do
 all: {
 required: [
 /Discovered base DN/,
- /Query returned 1 result/
+ /Query returned 4 results/
 ]
 }
 }
@@ -68,8 +68,10 @@ RSpec.describe 'LDAP modules' do
 all: {
 required: [
 /Discovering base DN\(s\) automatically/,
- /Storing LDAP data for base DN='dc=wimpi,dc=net' in loot/,
- /5 entries, 1 creds found in 'dc=wimpi,dc=net'/
+ /Dumping data for root DSE/,
+ /Searching base DN='DC=ldap,DC=example,DC=com'/,
+ /Storing LDAP data for base DN='DC=ldap,DC=example,DC=com' in loot/,
+ /266 entries, 0 creds found in 'DC=ldap,DC=example,DC=com'./
 ]
 }
 }
@@ -79,11 +81,12 @@ RSpec.describe 'LDAP modules' do
 platforms: %i[linux osx windows],
 targets: [:rhost],
 skipped: false,
- datastore: { TARGET_USER: 'test' },
+ datastore: { TARGET_USER: 'administrator' },
 lines: {
 all: {
 required: [
 /Discovering base DN automatically/,
+ /Discovered base DN: DC=ldap,DC=example,DC=com/,
 /The msDS-KeyCredentialLink field is empty./
 ]
 }
diff --git a/test/ldap/Dockerfile b/test/ldap/Dockerfile
new file mode 100644
index 0000000000..d1f6eefd49
--- /dev/null
+++ b/test/ldap/Dockerfile
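Review bot: The `username` default wraps the account in literal single quotes (`"'DEV-AD\\Administrator'"`) while a value supplied through `LDAP_USERNAME` is passed through as-is, so the two paths produce different datastore values; presumably the quotes exist so the backslash survives the harness's option-setting line, but that quoting belongs where the command is built, not in the default. If it has to stay here, add above the line `# Quoted so the backslash in DOMAIN\user survives msfconsole option parsing — confirm the harness does not already escape it.` The same `admin123!` password and port 389 are also hard-coded in test/ldap/docker-compose.yml (twice), so a change in one place silently breaks the other; a single source for both would avoid that.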
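Review bot: The required line `/266 entries, 0 creds found in 'DC=ldap,DC=example,DC=com'./` pins an exact object count that depends on whichever Samba build `apt-get install samba` resolves to on `ubuntu:20.04` when the image is built, since nothing in test/ldap/Dockerfile pins the package; a distro update that changes the default schema or default objects will fail this spec without any change to the module under test. Loosen it to `/\d+ entries, 0 creds found in 'DC=ldap,DC=example,DC=com'\./` unless the exact count is what the test means to guard, in which case pin the samba package version in the Dockerfile. The trailing `.` is also an unescaped regex metacharacter; `\.` says what was meant.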
@@ -0,0 +1,14 @@
+FROM ubuntu:20.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install samba krb5-config winbind smbclient
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install iproute2
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install openssl
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install vim
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install ldap-utils
+
+RUN rm /etc/krb5.conf
+RUN mkdir -p /opt/ad-scripts
+
+WORKDIR /opt/ad-scripts
+
+CMD chmod +x *.sh && ./samba-ad-setup.sh && ./samba-ad-run.sh
diff --git a/test/ldap/docker-compose.yml b/test/ldap/docker-compose.yml
new file mode 100644
index 0000000000..1544a1670e
--- /dev/null
+++ b/test/ldap/docker-compose.yml
@@ -0,0 +1,25 @@
+version: '3.7'
+
+services:
+ ldap:
+ tty: true
+ network_mode: bridge
+ hostname: ldap.example.com
+ ports:
+ - "389:389"
+ - "636:636"
+ cap_add:
+ - SYS_ADMIN
+ environment:
+ SMB_ADMIN_PASSWORD: admin123!
+ volumes:
+ - ./:/opt/ad-scripts
+ healthcheck:
+ test: ldapsearch -x -H ldap://localhost:389 -b '' -D DEV-AD\\Administrator -w admin123! -s base
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 5s
+ build:
+ context: .
+ dockerfile: Dockerfile
diff --git a/test/ldap/samba-ad-run.sh b/test/ldap/samba-ad-run.sh
new file mode 100755
index 0000000000..1cbf0baa2b
--- /dev/null
+++ b/test/ldap/samba-ad-run.sh
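Review bot: Each package is installed in its own `apt-get update && apt-get install` layer and the apt lists are never removed, so the image carries five package-index snapshots plus `vim`, which none of the scripts in this commit use; an image that runs a domain controller should carry as little as possible. Collapse the installs into one layer and clean the lists, but keep Samba's Recommends (the AD DC modules arrive that way, so do not add `--no-install-recommends` without re-checking `samba-tool domain provision`). `RUN rm /etc/krb5.conf` needs a why-comment — presumably so the stock file does not shadow the krb5.conf that provisioning generates under /var/lib/samba/private, but confirm and say so. `ubuntu:20.04` is a floating tag; pinning by digest would make the `266 entries` assertion in spec/acceptance/ldap_spec.rb reproducible.

```dockerfile
FROM ubuntu:20.04

# One layer: a single package index for every install, lists dropped afterwards.
# ldap-utils provides the ldapsearch used by the compose healthcheck; vim is not needed.
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y install \
        samba krb5-config winbind smbclient iproute2 openssl ldap-utils \
    && rm -rf /var/lib/apt/lists/*

# … unchanged: krb5.conf removal, /opt/ad-scripts, WORKDIR, CMD …
```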
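Review bot: `ports: "389:389"` and `"636:636"` publish the directory on every host interface, so a developer running `docker compose up` locally exposes a DC with the fixed `DEV-AD\Administrator` / `admin123!` credentials to whatever network they are on; the spec only ever connects to 127.0.0.1, so bind to loopback: `- "127.0.0.1:389:389"` and `- "127.0.0.1:636:636"`. `cap_add: SYS_ADMIN` is close to full root on the host kernel and nothing visible in samba-ad-run.sh (which starts only the `ldap` service) obviously needs it — drop it, or add a comment naming the samba operation that fails without it. `version: '3.7'` is ignored by Compose v2, which warns that it is obsolete, and can go.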
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+[ -f /var/lib/samba/.setup ] || {
+ >&2 echo "[ERROR] Samba is not setup yet, which should happen automatically. Look for errors!"
+ exit 127
+}
+
+cat << EOF > /var/lib/samba/private/smb.conf
+# Global parameters
+[global]
+ dns forwarder = 192.168.65.7
+ #server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
+ server services = ldap
+
+ netbios name = LDAP
+ realm = LDAP.EXAMPLE.COM
+ server role = active directory domain controller
+ workgroup = DEV-AD
+ idmap_ldb:use rfc2307 = yes
+ ldap server require strong auth = no
+ allow dns updates = disabled
+[sysvol]
+ path = /var/lib/samba/sysvol
+ read only = No
+
+[netlogon]
+ path = /var/lib/samba/sysvol/ldap.example.com/scripts
+ read only = No
+EOF
+
+samba -i -s /var/lib/samba/private/smb.conf
diff --git a/test/ldap/samba-ad-setup.sh b/test/ldap/samba-ad-setup.sh
new file mode 100755
index 0000000000..a5683d201f
--- /dev/null
+++ b/test/ldap/samba-ad-setup.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+info () {
+ echo "[INFO] $@"
+}
+
+info "Running setup"
+
+# Check if samba is setup
+[ -f /var/lib/samba/.setup ] && info "Already setup..." && exit 0
+
+info "Provisioning domain controller..."
+
+info "Given admin password: ${SMB_ADMIN_PASSWORD}"
+
+rm /etc/samba/smb.conf
+
+samba-tool domain provision\
+ --server-role=dc\
+ --use-rfc2307\
+ --dns-backend=SAMBA_INTERNAL\
+ --realm=`hostname`\
+ --domain=DEV-AD\
+ --adminpass=${SMB_ADMIN_PASSWORD}\
+ --option='server services = ldap'
+
+mv /etc/samba/smb.conf /var/lib/samba/private/smb.conf
+
+touch /var/lib/samba/.setup
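Review bot: `ldap server require strong auth = no` switches off the DC's default refusal of unsigned simple binds, which is what lets the `ssl: false` acceptance specs authenticate in the clear, but the heredoc gives no hint that this is a deliberate test-only weakening. Say so next to the setting so nobody lifts this block into a real deployment: `# TEST FIXTURE ONLY: allow plaintext simple binds for the ssl=false specs; never use on a real DC`. `dns forwarder = 192.168.65.7` looks like a Docker-Desktop-internal resolver address and appears inert here because `server services = ldap` starts only the LDAP service, so it should be removed rather than left looking like a working setting. Because this heredoc rewrites smb.conf on every start, the file that `samba-tool domain provision` produced in samba-ad-setup.sh is discarded; a one-line comment above `cat << EOF` saying the config is regenerated here would spare the next reader the hunt.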
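Review bot: `info "Given admin password: ${SMB_ADMIN_PASSWORD}"` writes the domain admin password into the container log, and the same variable is expanded unquoted in `--adminpass=${SMB_ADMIN_PASSWORD}\`, so a value containing whitespace would be split into extra arguments; `set -e` also gives no useful message when the variable is unset. Drop the echo (or print only whether it is set), then guard and quote it: `: "${SMB_ADMIN_PASSWORD:?SMB_ADMIN_PASSWORD must be set}"` and `--adminpass="${SMB_ADMIN_PASSWORD}"\`. `rm /etc/samba/smb.conf` is not idempotent: if provisioning fails after it, `.setup` is never touched and a restart of the same container dies at this line under `set -e` before it can retry, so use `rm -f /etc/samba/smb.conf`. The realm is taken from `hostname`, which only yields a valid realm because docker-compose.yml sets `hostname: ldap.example.com`; a comment saying that would save the next person a provisioning failure.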