mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13272 Commits
17 Branches
Tree: fd7d83ace6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fd7d83ace6'
${ noResults }
gitea/integrations/auth_ldap_test.go

auth_ldap_test.go 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package integrations

  6. 

  7. import (

  8. 	"context"

  9. 	"net/http"

  10. 	"os"

  11. 	"strings"

  12. 	"testing"

  13. 

  14. 	"code.gitea.io/gitea/models"

  15. 	"code.gitea.io/gitea/models/db"

  16. 	"code.gitea.io/gitea/models/organization"

  17. 	"code.gitea.io/gitea/models/unittest"

  18. 	user_model "code.gitea.io/gitea/models/user"

  19. 	"code.gitea.io/gitea/modules/translation/i18n"

  20. 	"code.gitea.io/gitea/services/auth"

  21. 

  22. 	"github.com/stretchr/testify/assert"

  23. )

  24. 

  25. type ldapUser struct {

  26. 	UserName     string

  27. 	Password     string

  28. 	FullName     string

  29. 	Email        string

  30. 	OtherEmails  []string

  31. 	IsAdmin      bool

  32. 	IsRestricted bool

  33. 	SSHKeys      []string

  34. }

  35. 

  36. var gitLDAPUsers = []ldapUser{

  37. 	{

  38. 		UserName:    "professor",

  39. 		Password:    "professor",

  40. 		FullName:    "Hubert Farnsworth",

  41. 		Email:       "professor@planetexpress.com",

  42. 		OtherEmails: []string{"hubert@planetexpress.com"},

  43. 		IsAdmin:     true,

  44. 	},

  45. 	{

  46. 		UserName: "hermes",

  47. 		Password: "hermes",

  48. 		FullName: "Conrad Hermes",

  49. 		Email:    "hermes@planetexpress.com",

  50. 		SSHKeys: []string{

  51. 			"SHA256:qLY06smKfHoW/92yXySpnxFR10QFrLdRjf/GNPvwcW8",

  52. 			"SHA256:QlVTuM5OssDatqidn2ffY+Lc4YA5Fs78U+0KOHI51jQ",

  53. 			"SHA256:DXdeUKYOJCSSmClZuwrb60hUq7367j4fA+udNC3FdRI",

  54. 		},

  55. 		IsAdmin: true,

  56. 	},

  57. 	{

  58. 		UserName: "fry",

  59. 		Password: "fry",

  60. 		FullName: "Philip Fry",

  61. 		Email:    "fry@planetexpress.com",

  62. 	},

  63. 	{

  64. 		UserName:     "leela",

  65. 		Password:     "leela",

  66. 		FullName:     "Leela Turanga",

  67. 		Email:        "leela@planetexpress.com",

  68. 		IsRestricted: true,

  69. 	},

  70. 	{

  71. 		UserName: "bender",

  72. 		Password: "bender",

  73. 		FullName: "Bender Rodríguez",

  74. 		Email:    "bender@planetexpress.com",

  75. 	},

  76. }

  77. 

  78. var otherLDAPUsers = []ldapUser{

  79. 	{

  80. 		UserName: "zoidberg",

  81. 		Password: "zoidberg",

  82. 		FullName: "John Zoidberg",

  83. 		Email:    "zoidberg@planetexpress.com",

  84. 	},

  85. 	{

  86. 		UserName: "amy",

  87. 		Password: "amy",

  88. 		FullName: "Amy Kroker",

  89. 		Email:    "amy@planetexpress.com",

  90. 	},

  91. }

  92. 

  93. func skipLDAPTests() bool {

  94. 	return os.Getenv("TEST_LDAP") != "1"

  95. }

  96. 

  97. func getLDAPServerHost() string {

  98. 	host := os.Getenv("TEST_LDAP_HOST")

  99. 	if len(host) == 0 {

  100. 		host = "ldap"

  101. 	}

  102. 	return host

  103. }

  104. 

  105. func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...string) {

  106. 	groupTeamMapRemoval := "off"

  107. 	groupTeamMap := ""

  108. 	if len(groupMapParams) == 2 {

  109. 		groupTeamMapRemoval = groupMapParams[0]

  110. 		groupTeamMap = groupMapParams[1]

  111. 	}

  112. 	session := loginUser(t, "user1")

  113. 	csrf := GetCSRF(t, session, "/admin/auths/new")

  114. 	req := NewRequestWithValues(t, "POST", "/admin/auths/new", map[string]string{

  115. 		"_csrf":                    csrf,

  116. 		"type":                     "2",

  117. 		"name":                     "ldap",

  118. 		"host":                     getLDAPServerHost(),

  119. 		"port":                     "389",

  120. 		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",

  121. 		"bind_password":            "password",

  122. 		"user_base":                "ou=people,dc=planetexpress,dc=com",

  123. 		"filter":                   "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))",

  124. 		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",

  125. 		"restricted_filter":        "(uid=leela)",

  126. 		"attribute_username":       "uid",

  127. 		"attribute_name":           "givenName",

  128. 		"attribute_surname":        "sn",

  129. 		"attribute_mail":           "mail",

  130. 		"attribute_ssh_public_key": sshKeyAttribute,

  131. 		"is_sync_enabled":          "on",

  132. 		"is_active":                "on",

  133. 		"groups_enabled":           "on",

  134. 		"group_dn":                 "ou=people,dc=planetexpress,dc=com",

  135. 		"group_member_uid":         "member",

  136. 		"group_team_map":           groupTeamMap,

  137. 		"group_team_map_removal":   groupTeamMapRemoval,

  138. 		"user_uid":                 "DN",

  139. 	})

  140. 	session.MakeRequest(t, req, http.StatusSeeOther)

  141. }

  142. 

  143. func TestLDAPUserSignin(t *testing.T) {

  144. 	if skipLDAPTests() {

  145. 		t.Skip()

  146. 		return

  147. 	}

  148. 	defer prepareTestEnv(t)()

  149. 	addAuthSourceLDAP(t, "")

  150. 

  151. 	u := gitLDAPUsers[0]

  152. 

  153. 	session := loginUserWithPassword(t, u.UserName, u.Password)

  154. 	req := NewRequest(t, "GET", "/user/settings")

  155. 	resp := session.MakeRequest(t, req, http.StatusOK)

  156. 

  157. 	htmlDoc := NewHTMLParser(t, resp.Body)

  158. 

  159. 	assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))

  160. 	assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))

  161. 	assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())

  162. }

  163. 

  164. func TestLDAPAuthChange(t *testing.T) {

  165. 	defer prepareTestEnv(t)()

  166. 	addAuthSourceLDAP(t, "")

  167. 

  168. 	session := loginUser(t, "user1")

  169. 	req := NewRequest(t, "GET", "/admin/auths")

  170. 	resp := session.MakeRequest(t, req, http.StatusOK)

  171. 	doc := NewHTMLParser(t, resp.Body)

  172. 	href, exists := doc.Find("table.table td a").Attr("href")

  173. 	if !exists {

  174. 		assert.True(t, exists, "No authentication source found")

  175. 		return

  176. 	}

  177. 

  178. 	req = NewRequest(t, "GET", href)

  179. 	resp = session.MakeRequest(t, req, http.StatusOK)

  180. 	doc = NewHTMLParser(t, resp.Body)

  181. 	csrf := doc.GetCSRF()

  182. 	host, _ := doc.Find(`input[name="host"]`).Attr("value")

  183. 	assert.Equal(t, host, getLDAPServerHost())

  184. 	binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value")

  185. 	assert.Equal(t, binddn, "uid=gitea,ou=service,dc=planetexpress,dc=com")

  186. 

  187. 	req = NewRequestWithValues(t, "POST", href, map[string]string{

  188. 		"_csrf":                    csrf,

  189. 		"type":                     "2",

  190. 		"name":                     "ldap",

  191. 		"host":                     getLDAPServerHost(),

  192. 		"port":                     "389",

  193. 		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",

  194. 		"bind_password":            "password",

  195. 		"user_base":                "ou=people,dc=planetexpress,dc=com",

  196. 		"filter":                   "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))",

  197. 		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",

  198. 		"restricted_filter":        "(uid=leela)",

  199. 		"attribute_username":       "uid",

  200. 		"attribute_name":           "givenName",

  201. 		"attribute_surname":        "sn",

  202. 		"attribute_mail":           "mail",

  203. 		"attribute_ssh_public_key": "",

  204. 		"is_sync_enabled":          "on",

  205. 		"is_active":                "on",

  206. 	})

  207. 	session.MakeRequest(t, req, http.StatusSeeOther)

  208. 

  209. 	req = NewRequest(t, "GET", href)

  210. 	resp = session.MakeRequest(t, req, http.StatusOK)

  211. 	doc = NewHTMLParser(t, resp.Body)

  212. 	host, _ = doc.Find(`input[name="host"]`).Attr("value")

  213. 	assert.Equal(t, host, getLDAPServerHost())

  214. 	binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value")

  215. 	assert.Equal(t, binddn, "uid=gitea,ou=service,dc=planetexpress,dc=com")

  216. }

  217. 

  218. func TestLDAPUserSync(t *testing.T) {

  219. 	if skipLDAPTests() {

  220. 		t.Skip()

  221. 		return

  222. 	}

  223. 	defer prepareTestEnv(t)()

  224. 	addAuthSourceLDAP(t, "")

  225. 	auth.SyncExternalUsers(context.Background(), true)

  226. 

  227. 	session := loginUser(t, "user1")

  228. 	// Check if users exists

  229. 	for _, u := range gitLDAPUsers {

  230. 		req := NewRequest(t, "GET", "/admin/users?q="+u.UserName)

  231. 		resp := session.MakeRequest(t, req, http.StatusOK)

  232. 

  233. 		htmlDoc := NewHTMLParser(t, resp.Body)

  234. 

  235. 		tr := htmlDoc.doc.Find("table.table tbody tr")

  236. 		if !assert.True(t, tr.Length() == 1) {

  237. 			continue

  238. 		}

  239. 		tds := tr.Find("td")

  240. 		if !assert.True(t, tds.Length() > 0) {

  241. 			continue

  242. 		}

  243. 		assert.Equal(t, u.UserName, strings.TrimSpace(tds.Find("td:nth-child(2) a").Text()))

  244. 		assert.Equal(t, u.Email, strings.TrimSpace(tds.Find("td:nth-child(3) span").Text()))

  245. 		if u.IsAdmin {

  246. 			assert.True(t, tds.Find("td:nth-child(5) svg").HasClass("octicon-check"))

  247. 		} else {

  248. 			assert.True(t, tds.Find("td:nth-child(5) svg").HasClass("octicon-x"))

  249. 		}

  250. 		if u.IsRestricted {

  251. 			assert.True(t, tds.Find("td:nth-child(6) svg").HasClass("octicon-check"))

  252. 		} else {

  253. 			assert.True(t, tds.Find("td:nth-child(6) svg").HasClass("octicon-x"))

  254. 		}

  255. 	}

  256. 

  257. 	// Check if no users exist

  258. 	for _, u := range otherLDAPUsers {

  259. 		req := NewRequest(t, "GET", "/admin/users?q="+u.UserName)

  260. 		resp := session.MakeRequest(t, req, http.StatusOK)

  261. 

  262. 		htmlDoc := NewHTMLParser(t, resp.Body)

  263. 

  264. 		tr := htmlDoc.doc.Find("table.table tbody tr")

  265. 		assert.True(t, tr.Length() == 0)

  266. 	}

  267. }

  268. 

  269. func TestLDAPUserSigninFailed(t *testing.T) {

  270. 	if skipLDAPTests() {

  271. 		t.Skip()

  272. 		return

  273. 	}

  274. 	defer prepareTestEnv(t)()

  275. 	addAuthSourceLDAP(t, "")

  276. 

  277. 	u := otherLDAPUsers[0]

  278. 

  279. 	testLoginFailed(t, u.UserName, u.Password, i18n.Tr("en", "form.username_password_incorrect"))

  280. }

  281. 

  282. func TestLDAPUserSSHKeySync(t *testing.T) {

  283. 	if skipLDAPTests() {

  284. 		t.Skip()

  285. 		return

  286. 	}

  287. 	defer prepareTestEnv(t)()

  288. 	addAuthSourceLDAP(t, "sshPublicKey")

  289. 

  290. 	auth.SyncExternalUsers(context.Background(), true)

  291. 

  292. 	// Check if users has SSH keys synced

  293. 	for _, u := range gitLDAPUsers {

  294. 		if len(u.SSHKeys) == 0 {

  295. 			continue

  296. 		}

  297. 		session := loginUserWithPassword(t, u.UserName, u.Password)

  298. 

  299. 		req := NewRequest(t, "GET", "/user/settings/keys")

  300. 		resp := session.MakeRequest(t, req, http.StatusOK)

  301. 

  302. 		htmlDoc := NewHTMLParser(t, resp.Body)

  303. 

  304. 		divs := htmlDoc.doc.Find(".key.list .print.meta")

  305. 

  306. 		syncedKeys := make([]string, divs.Length())

  307. 		for i := 0; i < divs.Length(); i++ {

  308. 			syncedKeys[i] = strings.TrimSpace(divs.Eq(i).Text())

  309. 		}

  310. 

  311. 		assert.ElementsMatch(t, u.SSHKeys, syncedKeys, "Unequal number of keys synchronized for user: %s", u.UserName)

  312. 	}

  313. }

  314. 

  315. func TestLDAPGroupTeamSyncAddMember(t *testing.T) {

  316. 	if skipLDAPTests() {

  317. 		t.Skip()

  318. 		return

  319. 	}

  320. 	defer prepareTestEnv(t)()

  321. 	addAuthSourceLDAP(t, "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)

  322. 	org, err := organization.GetOrgByName("org26")

  323. 	assert.NoError(t, err)

  324. 	team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")

  325. 	assert.NoError(t, err)

  326. 	auth.SyncExternalUsers(context.Background(), true)

  327. 	for _, gitLDAPUser := range gitLDAPUsers {

  328. 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  329. 			Name: gitLDAPUser.UserName,

  330. 		}).(*user_model.User)

  331. 		usersOrgs, err := organization.FindOrgs(organization.FindOrgOptions{

  332. 			UserID:         user.ID,

  333. 			IncludePrivate: true,

  334. 		})

  335. 		assert.NoError(t, err)

  336. 		allOrgTeams, err := organization.GetUserOrgTeams(db.DefaultContext, org.ID, user.ID)

  337. 		assert.NoError(t, err)

  338. 		if user.Name == "fry" || user.Name == "leela" || user.Name == "bender" {

  339. 			// assert members of LDAP group "cn=ship_crew" are added to mapped teams

  340. 			assert.Equal(t, len(usersOrgs), 1, "User [%s] should be member of one organization", user.Name)

  341. 			assert.Equal(t, usersOrgs[0].Name, "org26", "Membership should be added to the right organization")

  342. 			isMember, err := organization.IsTeamMember(db.DefaultContext, usersOrgs[0].ID, team.ID, user.ID)

  343. 			assert.NoError(t, err)

  344. 			assert.True(t, isMember, "Membership should be added to the right team")

  345. 			err = models.RemoveTeamMember(team, user.ID)

  346. 			assert.NoError(t, err)

  347. 			err = models.RemoveOrgUser(usersOrgs[0].ID, user.ID)

  348. 			assert.NoError(t, err)

  349. 		} else {

  350. 			// assert members of LDAP group "cn=admin_staff" keep initial team membership since mapped team does not exist

  351. 			assert.Empty(t, usersOrgs, "User should be member of no organization")

  352. 			isMember, err := organization.IsTeamMember(db.DefaultContext, org.ID, team.ID, user.ID)

  353. 			assert.NoError(t, err)

  354. 			assert.False(t, isMember, "User should no be added to this team")

  355. 			assert.Empty(t, allOrgTeams, "User should not be added to any team")

  356. 		}

  357. 	}

  358. }

  359. 

  360. func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {

  361. 	if skipLDAPTests() {

  362. 		t.Skip()

  363. 		return

  364. 	}

  365. 	defer prepareTestEnv(t)()

  366. 	addAuthSourceLDAP(t, "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)

  367. 	org, err := organization.GetOrgByName("org26")

  368. 	assert.NoError(t, err)

  369. 	team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")

  370. 	assert.NoError(t, err)

  371. 	loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)

  372. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  373. 		Name: gitLDAPUsers[0].UserName,

  374. 	}).(*user_model.User)

  375. 	err = organization.AddOrgUser(org.ID, user.ID)

  376. 	assert.NoError(t, err)

  377. 	err = models.AddTeamMember(team, user.ID)

  378. 	assert.NoError(t, err)

  379. 	isMember, err := organization.IsOrganizationMember(db.DefaultContext, org.ID, user.ID)

  380. 	assert.NoError(t, err)

  381. 	assert.True(t, isMember, "User should be member of this organization")

  382. 	isMember, err = organization.IsTeamMember(db.DefaultContext, org.ID, team.ID, user.ID)

  383. 	assert.NoError(t, err)

  384. 	assert.True(t, isMember, "User should be member of this team")

  385. 	// assert team member "professor" gets removed from org26 team11

  386. 	loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)

  387. 	isMember, err = organization.IsOrganizationMember(db.DefaultContext, org.ID, user.ID)

  388. 	assert.NoError(t, err)

  389. 	assert.False(t, isMember, "User membership should have been removed from organization")

  390. 	isMember, err = organization.IsTeamMember(db.DefaultContext, org.ID, team.ID, user.ID)

  391. 	assert.NoError(t, err)

  392. 	assert.False(t, isMember, "User membership should have been removed from team")

  393. }

  394. 

  395. // Login should work even if Team Group Map contains a broken JSON

  396. func TestBrokenLDAPMapUserSignin(t *testing.T) {

  397. 	if skipLDAPTests() {

  398. 		t.Skip()

  399. 		return

  400. 	}

  401. 	defer prepareTestEnv(t)()

  402. 	addAuthSourceLDAP(t, "", "on", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`)

  403. 

  404. 	u := gitLDAPUsers[0]

  405. 

  406. 	session := loginUserWithPassword(t, u.UserName, u.Password)

  407. 	req := NewRequest(t, "GET", "/user/settings")

  408. 	resp := session.MakeRequest(t, req, http.StatusOK)

  409. 

  410. 	htmlDoc := NewHTMLParser(t, resp.Body)

  411. 

  412. 	assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))

  413. 	assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))

  414. 	assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())

  415. }