authorSven Seeberg <sven@geeq.de>2022-02-11 15:24:58 +0100
committerGitHub <noreply@github.com>2022-02-11 22:24:58 +0800
commit832ce406aefed0cceb30d42d1435f425a9aba279 (patch)
tree7089998c621efe706fba829be9d6c31d97210ee7 /integrations
parent26718a785ac49f17eab51ad0f5324d036b810f73 (diff)
Add LDAP group sync to Teams, fixes #1395 (#16299)
* Add setting for a JSON that maps LDAP groups to Org Teams. * Add log when removing or adding team members. * Sync is being run on login and periodically. * Existing group filter settings are reused. * Adding and removing team members. * Sync with a non-existent LDAP group. * Login with broken group map JSON.
Diffstat (limited to 'integrations')
-rw-r--r--integrations/auth_ldap_test.go119
1 files changed, 118 insertions, 1 deletions
diff --git a/integrations/auth_ldap_test.go b/integrations/auth_ldap_test.go
index 6eb017017f..ef0fafc93d 100644
--- a/integrations/auth_ldap_test.go
+++ b/integrations/auth_ldap_test.go
@@ -11,6 +11,9 @@ import (
"strings"
"testing"
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/models/unittest"
+ user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/services/auth"
"github.com/stretchr/testify/assert"
@@ -97,7 +100,13 @@ func getLDAPServerHost() string {
return host
}
-func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string) {
+func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...string) {
+ groupTeamMapRemoval := "off"
+ groupTeamMap := ""
+ if len(groupMapParams) == 2 {
+ groupTeamMapRemoval = groupMapParams[0]
+ groupTeamMap = groupMapParams[1]
+ }
session := loginUser(t, "user1")
csrf := GetCSRF(t, session, "/admin/auths/new")
req := NewRequestWithValues(t, "POST", "/admin/auths/new", map[string]string{
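Review bot: The new variadic `groupMapParams ...string` parameter of addAuthSourceLDAP silently ignores any call that passes one value or more than two, so a mistyped call falls back to `groupTeamMapRemoval = "off"` with an empty map and the test then passes for the wrong reason. Fail fast instead: `if len(groupMapParams) != 0 && len(groupMapParams) != 2 { t.Fatalf("addAuthSourceLDAP: want 0 or 2 group map params (removal, map), got %d", len(groupMapParams)) }`. A doc comment such as `// addAuthSourceLDAP creates an LDAP auth source; groupMapParams, if given, is (group_team_map_removal, group_team_map).` would make the positional convention explicit. The function body continues past this hunk.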
@@ -119,6 +128,12 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string) {
"attribute_ssh_public_key": sshKeyAttribute,
"is_sync_enabled": "on",
"is_active": "on",
+ "groups_enabled": "on",
+ "group_dn": "ou=people,dc=planetexpress,dc=com",
+ "group_member_uid": "member",
+ "group_team_map": groupTeamMap,
+ "group_team_map_removal": groupTeamMapRemoval,
+ "user_uid": "DN",
})
session.MakeRequest(t, req, http.StatusFound)
}
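Review bot: `groups_enabled` is set to "on" with a fixed `group_dn`/`group_member_uid` for every caller, including the pre-existing tests that pass no group map, so those tests now also depend on LDAP group filtering working even though nothing in them asserts it. If that is intended, a comment such as `// group sync is always enabled so the existing login/sync tests also exercise the group filter path` would make it explicit; otherwise gate these five fields on `len(groupMapParams) == 2`. `user_uid` is hard-coded to "DN", and I cannot tell from this hunk whether the fixture LDAP server's `member` attribute holds full DNs, so that is worth confirming against the test container. addAuthSourceLDAP starts before this hunk.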
@@ -294,3 +309,105 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
assert.ElementsMatch(t, u.SSHKeys, syncedKeys, "Unequal number of keys synchronized for user: %s", u.UserName)
}
}
+
+func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
+ if skipLDAPTests() {
+ t.Skip()
+ return
+ }
+ defer prepareTestEnv(t)()
+ addAuthSourceLDAP(t, "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
+ org, err := models.GetOrgByName("org26")
+ assert.NoError(t, err)
+ team, err := models.GetTeam(org.ID, "team11")
+ assert.NoError(t, err)
+ auth.SyncExternalUsers(context.Background(), true)
+ for _, gitLDAPUser := range gitLDAPUsers {
+ user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
+ Name: gitLDAPUser.UserName,
+ }).(*user_model.User)
+ usersOrgs, err := models.FindOrgs(models.FindOrgOptions{
+ UserID: user.ID,
+ IncludePrivate: true,
+ })
+ assert.NoError(t, err)
+ allOrgTeams, err := models.GetUserOrgTeams(org.ID, user.ID)
+ assert.NoError(t, err)
+ if user.Name == "fry" || user.Name == "leela" || user.Name == "bender" {
+ // assert members of LDAP group "cn=ship_crew" are added to mapped teams
+ assert.Equal(t, len(usersOrgs), 1, "User [%s] should be member of one organization", user.Name)
+ assert.Equal(t, usersOrgs[0].Name, "org26", "Membership should be added to the right organization")
+ isMember, err := models.IsTeamMember(usersOrgs[0].ID, team.ID, user.ID)
+ assert.NoError(t, err)
+ assert.True(t, isMember, "Membership should be added to the right team")
+ err = team.RemoveMember(user.ID)
+ assert.NoError(t, err)
+ err = usersOrgs[0].RemoveMember(user.ID)
+ assert.NoError(t, err)
+ } else {
+ // assert members of LDAP group "cn=admin_staff" keep initial team membership since mapped team does not exist
+ assert.Empty(t, usersOrgs, "User should be member of no organization")
+ isMember, err := models.IsTeamMember(org.ID, team.ID, user.ID)
+ assert.NoError(t, err)
+ assert.False(t, isMember, "User should no be added to this team")
+ assert.Empty(t, allOrgTeams, "User should not be added to any team")
+ }
+ }
+}
+
+func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
+ if skipLDAPTests() {
+ t.Skip()
+ return
+ }
+ defer prepareTestEnv(t)()
+ addAuthSourceLDAP(t, "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
+ org, err := models.GetOrgByName("org26")
+ assert.NoError(t, err)
+ team, err := models.GetTeam(org.ID, "team11")
+ assert.NoError(t, err)
+ loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)
+ user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
+ Name: gitLDAPUsers[0].UserName,
+ }).(*user_model.User)
+ err = org.AddMember(user.ID)
+ assert.NoError(t, err)
+ err = team.AddMember(user.ID)
+ assert.NoError(t, err)
+ isMember, err := models.IsOrganizationMember(org.ID, user.ID)
+ assert.NoError(t, err)
+ assert.True(t, isMember, "User should be member of this organization")
+ isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
+ assert.NoError(t, err)
+ assert.True(t, isMember, "User should be member of this team")
+ // assert team member "professor" gets removed from org26 team11
+ loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)
+ isMember, err = models.IsOrganizationMember(org.ID, user.ID)
+ assert.NoError(t, err)
+ assert.False(t, isMember, "User membership should have been removed from organization")
+ isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
+ assert.NoError(t, err)
+ assert.False(t, isMember, "User membership should have been removed from team")
+}
+
+// Login should work even if Team Group Map contains a broken JSON
+func TestBrokenLDAPMapUserSignin(t *testing.T) {
+ if skipLDAPTests() {
+ t.Skip()
+ return
+ }
+ defer prepareTestEnv(t)()
+ addAuthSourceLDAP(t, "", "on", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`)
+
+ u := gitLDAPUsers[0]
+
+ session := loginUserWithPassword(t, u.UserName, u.Password)
+ req := NewRequest(t, "GET", "/user/settings")
+ resp := session.MakeRequest(t, req, http.StatusOK)
+
+ htmlDoc := NewHTMLParser(t, resp.Body)
+
+ assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))
+ assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))
+ assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())
+}