Hello community,

here is the log from the commit of package velum for openSUSE:Factory checked 
in at 2018-03-28 10:32:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/velum (Old)
 and      /work/SRC/openSUSE:Factory/.velum.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "velum"

Wed Mar 28 10:32:27 2018 rev:17 rq:591306 
version:3.0.0+dev+git_r695_2c7f4d4eda39b1fcff1ccea959177a200da9c718

Changes:
--------
--- /work/SRC/openSUSE:Factory/velum/velum.changes      2018-03-26 
13:10:05.330192231 +0200
+++ /work/SRC/openSUSE:Factory/.velum.new/velum.changes 2018-03-28 
10:32:39.990272520 +0200
@@ -1,0 +2,22 @@
+Mon Mar 26 10:49:25 UTC 2018 - [email protected]
+
+- Commit 8a35b90 by Rafael Fernández López [email protected]
+ Migrate LDAP passwords
+ 
+ Fixes: bsc#1071023
+
+
+-------------------------------------------------------------------
+Mon Mar 26 09:31:15 UTC 2018 - [email protected]
+
+- Commit ec69c13 by James Mason [email protected]
+ Extend salt-api timeout as long as possible.
+ 
+ Allow enough time for the salt timeout, and a minion timeout before cutting
+ off the API call.
+ 
+ Should resolve https://github.com/kubic-project/velum/issues/456 introduced
+ in 6189bcad .
+
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ velum.spec ++++++
--- /var/tmp/diff_new_pack.Co4wND/_old  2018-03-28 10:32:40.878240584 +0200
+++ /var/tmp/diff_new_pack.Co4wND/_new  2018-03-28 10:32:40.882240440 +0200
@@ -23,7 +23,7 @@
 # Version:      1.0.0
 # %%define branch 1.0.0
 
-Version:        3.0.0+dev+git_r691_a1b9bbaa7ca9523c58c3a76c31a619683d3e7d35
+Version:        3.0.0+dev+git_r695_2c7f4d4eda39b1fcff1ccea959177a200da9c718
 Release:        0
 %define branch master
 Summary:        Dashboard for CaasP
@@ -96,7 +96,7 @@
 %description
 velum is the dashboard for CaasP to manage and deploy kubernetes clusters on 
top of MicroOS
 
-This package has been built with commit 
a1b9bbaa7ca9523c58c3a76c31a619683d3e7d35 from branch master on date Fri, 23 Mar 
2018 15:34:06 +0000
+This package has been built with commit 
2c7f4d4eda39b1fcff1ccea959177a200da9c718 from branch master on date Mon, 26 Mar 
2018 10:48:06 +0000
 
 %prep
 %setup -q -n velum-%{branch}

++++++ master.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/app/models/user.rb 
new/velum-master/app/models/user.rb
--- old/velum-master/app/models/user.rb 2018-03-23 16:33:56.000000000 +0100
+++ new/velum-master/app/models/user.rb 2018-03-26 12:47:04.000000000 +0200
@@ -9,25 +9,37 @@
 
   devise(*enabled_devise_modules)
 
+  before_create :encrypt_password
   before_create :create_ldap_user
 
-  protected
+  def after_ldap_authentication
+    return true if encrypted_password.present?
+    encrypted_password = BCrypt::Password.create current_password, cost: 11
+    # rubocop:disable Rails/SkipsModelValidations
+    update_column :encrypted_password, encrypted_password
+    # rubocop:enable Rails/SkipsModelValidations
+    ldap.modify(dn:         user_dn,
+                operations: [
+                  [:replace, :userPassword, "{CRYPT}#{encrypted_password}"]
+                ])
+  end
+
+  private
+
+  def ldap
+    @ldap ||= ldap_connection
+  end
+
+  def ldap_config
+    @ldap_config ||= Velum::LDAP.ldap_config
+  end
 
-  # rubocop:disable 
AbcSize,CyclomaticComplexity,MethodLength,PerceivedComplexity
-  def create_ldap_user
-    # add to OpenLDAP - this should be disabled when using any other LDAP 
server!
-
-    # Behavior:
-    # 1) make sure the People org unit exists, if not, create it
-    # 2) make sure the Administrators groupOfUniqueNames exists, if not, 
create it
-    # 3) check if the new user created is a member of the Administrators 
group, if not, add it
-    # 4) check if the user exists, if not, add it
-
-    # check to see if this is because the LDAP auth succeeded, or if we're 
coming from registration
-    # we do this by performing an LDAP search for the new user. If it fails, 
we need to create the
-    # user in LDAP
-    ldap_config = Velum::LDAP.ldap_config
+  def current_password
+    filter = Net::LDAP::Filter.eq(ldap_config["attribute"], email)
+    ldap.search(base: ldap_config["base"], filter: 
filter).first.userPassword.first
+  end
 
+  def ldap_connection
     conn_params = {
       host: ldap_config["host"],
       port: ldap_config["port"],
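Review bot: `after_ldap_authentication` writes the new hash to the database with `update_column` before calling `ldap.modify` and never checks the result of `modify`, so a failed directory write leaves the old `userPassword` in LDAP while the `encrypted_password.present?` guard prevents any retry on later logins. It also hashes whatever `current_password` returns: a value that already carries a scheme prefix such as `{CRYPT}` or `{SSHA}` would be hashed as if it were the password, and a nil or empty search result raises on `.first`. I would replace the directory value first, persist only when that succeeds, and skip entries that are empty or already prefixed. How the caller uses the hook's return value is not visible here, so the early returns below are an assumption to confirm. The `ldap_connection` body continues past the end of this hunk.

```ruby
  def after_ldap_authentication
    return true if encrypted_password.present?
    stored = current_password
    # An empty value or one with a scheme prefix is not a cleartext password; leave it alone.
    return true if stored.blank? || stored.start_with?("{")
    hashed = BCrypt::Password.create stored, cost: 11
    replaced = ldap.modify(dn:         user_dn,
                           operations: [[:replace, :userPassword, "{CRYPT}#{hashed}"]])
    return false unless replaced
    # … unchanged: update_column :encrypted_password between the rubocop disable/enable comments, now passing hashed …
  end

  def current_password
    filter = Net::LDAP::Filter.eq(ldap_config["attribute"], email)
    entry = Array(ldap.search(base: ldap_config["base"], filter: filter)).first
    entry && Array(entry[:userPassword]).first
  end
```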
@@ -40,10 +52,34 @@
 
     Velum::LDAP.configure_ldap_tls!(ldap_config, conn_params)
 
-    ldap = Net::LDAP.new(**conn_params)
+    Net::LDAP.new(**conn_params)
+  end
 
-    uid = email[0, email.index("@")]
-    user_dn = "uid=#{uid},#{ldap_config["base"]}"
+  def uid
+    email[0, email.index("@")]
+  end
+
+  def user_dn
+    "uid=#{uid},#{ldap_config["base"]}"
+  end
+
+  def encrypt_password
+    self.encrypted_password = BCrypt::Password.create password, cost: 11
+  end
+
+  # rubocop:disable 
AbcSize,CyclomaticComplexity,MethodLength,PerceivedComplexity
+  def create_ldap_user
+    # add to OpenLDAP - this should be disabled when using any other LDAP 
server!
+
+    # Behavior:
+    # 1) make sure the People org unit exists, if not, create it
+    # 2) make sure the Administrators groupOfUniqueNames exists, if not, 
create it
+    # 3) check if the new user created is a member of the Administrators 
group, if not, add it
+    # 4) check if the user exists, if not, add it
+
+    # check to see if this is because the LDAP auth succeeded, or if we're 
coming from registration
+    # we do this by performing an LDAP search for the new user. If it fails, 
we need to create the
+    # user in LDAP
 
     # first, look for the People org unit
     treebase = ldap_config["base"]
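Review bot: `user_dn` interpolates the local part of `email` into a distinguished name without escaping, so a `,`, `+` or `=` in the address changes the structure of the DN that `after_ldap_authentication` later passes to `ldap.modify`. I would escape the value where the DN is built, e.g. `"uid=#{Net::LDAP::DN.escape(uid)},#{ldap_config["base"]}"`, unless email validation elsewhere already rules those characters out. `uid` also raises when `email` has no `@`, because `email.index("@")` is nil; `email.split("@", 2).first` avoids that. `create_ldap_user` continues past the end of this hunk.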
@@ -136,7 +172,9 @@
       cn:           "A User",
       objectclass:  ["person", "inetOrgPerson"],
       uid:          uid,
-      userPassword: (password.blank? ? "{CRYPT}#{encrypted_password}" : 
password),
+      # We need to make the distinction between test and not test, as on 
travis, the slapd instance
+      # fails to login us if the password is crypted.
+      userPassword: (Rails.env.test? ? password : 
"{CRYPT}#{encrypted_password}"),
       givenName:    "A",
       sn:           "User",
       mail:         email
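Review bot: The `userPassword:` line now stores the cleartext `password` whenever `Rails.env.test?` is true, so the `{CRYPT}` branch that production uses is never exercised by the suite. The comment says slapd on Travis rejects the crypted value; that may mean its crypt() has no bcrypt support, which would equally break logins on any deployment whose slapd lacks it, so it is worth confirming and stating as a requirement. I would extend the comment to something like `# Requires a slapd whose crypt(3) understands bcrypt hashes; the test slapd does not, so specs store the cleartext.` The surrounding hash and method start and end outside this hunk.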
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/lib/velum/salt_api.rb 
new/velum-master/lib/velum/salt_api.rb
--- old/velum-master/lib/velum/salt_api.rb      2018-03-23 16:33:56.000000000 
+0100
+++ new/velum-master/lib/velum/salt_api.rb      2018-03-26 12:47:04.000000000 
+0200
@@ -82,7 +82,7 @@
           ca_file:      "/etc/pki/ca.crt",
           ssl_version:  :TLSv1,
           open_timeout: 2,
-          read_timeout: 30
+          read_timeout: 45
         }
 
         Net::HTTP.start(uri.hostname, uri.port, opts) { |http| 
http.request(req) }
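Review bot: `read_timeout: 45` is a bare number whose derivation exists only in the commit message; a comment such as `# salt timeout + minion timeout, plus margin`, with the actual values filled in, would keep it in step if either changes. Separately, the unchanged `ssl_version: :TLSv1` line in the same options hash pins the connection to TLS 1.0; if the salt-api endpoint supports it, a floor such as `min_version: :TLS1_2` (Ruby 2.5+) would be preferable. The enclosing method starts and ends outside the hunk.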
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/spec/models/user_spec.rb 
new/velum-master/spec/models/user_spec.rb
--- old/velum-master/spec/models/user_spec.rb   2018-03-23 16:33:56.000000000 
+0100
+++ new/velum-master/spec/models/user_spec.rb   2018-03-26 12:47:04.000000000 
+0200
@@ -1,8 +1,57 @@
 require "rails_helper"
 
 describe User do
-  subject { create(:user) }
+  subject { user }
+
+  ldap_class = Struct.new("LDAP") do
+    def search(params = {}); end
+
+    def modify(params = {}); end
+  end
+
+  let(:user) { create :user }
+  let(:ldap) { ldap_class.new }
+  let(:ldap_search_result) { [OpenStruct.new(userPassword: ["password"])] }
+  let(:ldap_modify_args) do
+    {
+      dn:         user.send(:user_dn),
+      operations: [
+        [:replace, :userPassword, "{CRYPT}#{user.encrypted_password}"]
+      ]
+    }
+  end
 
   it { is_expected.to validate_uniqueness_of(:email) }
   it { is_expected.to validate_presence_of(:email) }
+
+  describe "#after_ldap_authentication" do
+    before do
+      allow(ldap).to receive(:search).and_return ldap_search_result
+      allow(ldap).to receive(:modify)
+      allow(user).to receive(:ldap).and_return ldap
+    end
+
+    context "when no encrypted password is present" do
+      before do
+        # rubocop:disable Rails/SkipsModelValidations
+        user.update_column :encrypted_password, ""
+        # rubocop:enable Rails/SkipsModelValidations
+        user.after_ldap_authentication
+      end
+
+      it "migrates the current password" do
+        expect(ldap).to have_received(:modify).with ldap_modify_args
+      end
+    end
+
+    context "when an encrypted password is present" do
+      before do
+        user.after_ldap_authentication
+      end
+
+      it "does not migrate the current password" do
+        expect(ldap).not_to have_received :modify
+      end
+    end
+  end
 end
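Review bot: The "migrates the current password" example only checks that `modify` received the same string that ended up in `user.encrypted_password`, so it would still pass if the hash were computed from the wrong input. Adding `expect(BCrypt::Password.new(user.encrypted_password).is_password?("password")).to be true` ties the stored hash to the value returned by the stubbed search. There are no examples for a search that returns nothing or for a `modify` that fails. `Struct.new("LDAP")` also defines the global constant `Struct::LDAP`; a plain `Class.new do … end` or an `instance_double` would avoid leaking it across spec files.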

