* Add setting for a JSON that maps LDAP groups to Org Teams. * Add log when removing or adding team members. * Sync is being run on login and periodically. * Existing group filter settings are reused. * Adding and removing team members. * Sync not existing LDAP group. * Login with broken group map JSON.
This commit is contained in:
Sven Seeberg
GitHub
parent
26718a785a
commit
832ce406ae
14 changed files with 423 additions and 65 deletions
|
|
@ -11,6 +11,9 @@ import (
|
|||
"strings"
|
||||
"testing"
|
||||
|
||||
"code.gitea.io/gitea/models"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/services/auth"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
|
@ -97,7 +100,13 @@ func getLDAPServerHost() string {
|
|||
return host
|
||||
}
|
||||
|
||||
func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string) {
|
||||
func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...string) {
|
||||
groupTeamMapRemoval := "off"
|
||||
groupTeamMap := ""
|
||||
if len(groupMapParams) == 2 {
|
||||
groupTeamMapRemoval = groupMapParams[0]
|
||||
groupTeamMap = groupMapParams[1]
|
||||
}
|
||||
session := loginUser(t, "user1")
|
||||
csrf := GetCSRF(t, session, "/admin/auths/new")
|
||||
req := NewRequestWithValues(t, "POST", "/admin/auths/new", map[string]string{
|
||||
|
|
@ -119,6 +128,12 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string) {
|
|||
"attribute_ssh_public_key": sshKeyAttribute,
|
||||
"is_sync_enabled": "on",
|
||||
"is_active": "on",
|
||||
"groups_enabled": "on",
|
||||
"group_dn": "ou=people,dc=planetexpress,dc=com",
|
||||
"group_member_uid": "member",
|
||||
"group_team_map": groupTeamMap,
|
||||
"group_team_map_removal": groupTeamMapRemoval,
|
||||
"user_uid": "DN",
|
||||
})
|
||||
session.MakeRequest(t, req, http.StatusFound)
|
||||
}
|
||||
|
|
@ -294,3 +309,105 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
|
|||
assert.ElementsMatch(t, u.SSHKeys, syncedKeys, "Unequal number of keys synchronized for user: %s", u.UserName)
|
||||
}
|
||||
}
|
||||
|
||||
func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
|
||||
if skipLDAPTests() {
|
||||
t.Skip()
|
||||
return
|
||||
}
|
||||
defer prepareTestEnv(t)()
|
||||
addAuthSourceLDAP(t, "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
|
||||
org, err := models.GetOrgByName("org26")
|
||||
assert.NoError(t, err)
|
||||
team, err := models.GetTeam(org.ID, "team11")
|
||||
assert.NoError(t, err)
|
||||
auth.SyncExternalUsers(context.Background(), true)
|
||||
for _, gitLDAPUser := range gitLDAPUsers {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
|
||||
Name: gitLDAPUser.UserName,
|
||||
}).(*user_model.User)
|
||||
usersOrgs, err := models.FindOrgs(models.FindOrgOptions{
|
||||
UserID: user.ID,
|
||||
IncludePrivate: true,
|
||||
})
|
||||
assert.NoError(t, err)
|
||||
allOrgTeams, err := models.GetUserOrgTeams(org.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
if user.Name == "fry" || user.Name == "leela" || user.Name == "bender" {
|
||||
// assert members of LDAP group "cn=ship_crew" are added to mapped teams
|
||||
assert.Equal(t, len(usersOrgs), 1, "User [%s] should be member of one organization", user.Name)
|
||||
assert.Equal(t, usersOrgs[0].Name, "org26", "Membership should be added to the right organization")
|
||||
isMember, err := models.IsTeamMember(usersOrgs[0].ID, team.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
assert.True(t, isMember, "Membership should be added to the right team")
|
||||
err = team.RemoveMember(user.ID)
|
||||
assert.NoError(t, err)
|
||||
err = usersOrgs[0].RemoveMember(user.ID)
|
||||
assert.NoError(t, err)
|
||||
} else {
|
||||
// assert members of LDAP group "cn=admin_staff" keep initial team membership since mapped team does not exist
|
||||
assert.Empty(t, usersOrgs, "User should be member of no organization")
|
||||
isMember, err := models.IsTeamMember(org.ID, team.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
assert.False(t, isMember, "User should no be added to this team")
|
||||
assert.Empty(t, allOrgTeams, "User should not be added to any team")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
|
||||
if skipLDAPTests() {
|
||||
t.Skip()
|
||||
return
|
||||
}
|
||||
defer prepareTestEnv(t)()
|
||||
addAuthSourceLDAP(t, "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
|
||||
org, err := models.GetOrgByName("org26")
|
||||
assert.NoError(t, err)
|
||||
team, err := models.GetTeam(org.ID, "team11")
|
||||
assert.NoError(t, err)
|
||||
loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
|
||||
Name: gitLDAPUsers[0].UserName,
|
||||
}).(*user_model.User)
|
||||
err = org.AddMember(user.ID)
|
||||
assert.NoError(t, err)
|
||||
err = team.AddMember(user.ID)
|
||||
assert.NoError(t, err)
|
||||
isMember, err := models.IsOrganizationMember(org.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
assert.True(t, isMember, "User should be member of this organization")
|
||||
isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
assert.True(t, isMember, "User should be member of this team")
|
||||
// assert team member "professor" gets removed from org26 team11
|
||||
loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)
|
||||
isMember, err = models.IsOrganizationMember(org.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
assert.False(t, isMember, "User membership should have been removed from organization")
|
||||
isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
|
||||
assert.NoError(t, err)
|
||||
assert.False(t, isMember, "User membership should have been removed from team")
|
||||
}
|
||||
|
||||
// Login should work even if Team Group Map contains a broken JSON
|
||||
func TestBrokenLDAPMapUserSignin(t *testing.T) {
|
||||
if skipLDAPTests() {
|
||||
t.Skip()
|
||||
return
|
||||
}
|
||||
defer prepareTestEnv(t)()
|
||||
addAuthSourceLDAP(t, "", "on", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`)
|
||||
|
||||
u := gitLDAPUsers[0]
|
||||
|
||||
session := loginUserWithPassword(t, u.UserName, u.Password)
|
||||
req := NewRequest(t, "GET", "/user/settings")
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
htmlDoc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))
|
||||
assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))
|
||||
assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue