
ldap: default domain name (#3414)

When the ldap synchronizer looks for an email address and fails to
find one, it falls back to creating one using the "localhost.local"
domain.

This new field makes this domain name configurable.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3414
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Baptiste Daroussin <bapt@FreeBSD.org>
Co-committed-by: Baptiste Daroussin <bapt@FreeBSD.org>
This commit is contained in:
Baptiste Daroussin 2024-04-26 22:38:58 +00:00 committed by Earl Warren
parent 4da76d0e5f
commit 08f5a25d3b
9 changed files with 105 additions and 16 deletions


@ -112,13 +112,17 @@ func getLDAPServerPort() string {
return port
}
func buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap, groupTeamMapRemoval string) map[string]string {
func buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, mailKeyAttribute, defaultDomainName, groupFilter, groupTeamMap, groupTeamMapRemoval string) map[string]string {
// Modify user filter to test group filter explicitly
userFilter := "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))"
if groupFilter != "" {
userFilter = "(&(objectClass=inetOrgPerson)(uid=%s))"
}
if len(mailKeyAttribute) == 0 {
mailKeyAttribute = "mail"
}
return map[string]string{
"_csrf": csrf,
"type": "2",
@ -134,8 +138,9 @@ func buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap
"attribute_username": "uid",
"attribute_name": "givenName",
"attribute_surname": "sn",
"attribute_mail": "mail",
"attribute_mail": mailKeyAttribute,
"attribute_ssh_public_key": sshKeyAttribute,
"default_domain_name": defaultDomainName,
"is_sync_enabled": "on",
"is_active": "on",
"groups_enabled": "on",
@ -148,7 +153,7 @@ func buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap
}
}
func addAuthSourceLDAP(t *testing.T, sshKeyAttribute, groupFilter string, groupMapParams ...string) {
func addAuthSourceLDAP(t *testing.T, sshKeyAttribute, mailKeyAttribute, defaultDomainName, groupFilter string, groupMapParams ...string) {
groupTeamMapRemoval := "off"
groupTeamMap := ""
if len(groupMapParams) == 2 {
@ -157,7 +162,7 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute, groupFilter string, groupM
}
session := loginUser(t, "user1")
csrf := GetCSRF(t, session, "/admin/auths/new")
req := NewRequestWithValues(t, "POST", "/admin/auths/new", buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap, groupTeamMapRemoval))
req := NewRequestWithValues(t, "POST", "/admin/auths/new", buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, mailKeyAttribute, defaultDomainName, groupFilter, groupTeamMap, groupTeamMapRemoval))
session.MakeRequest(t, req, http.StatusSeeOther)
}
@ -167,7 +172,7 @@ func TestLDAPUserSignin(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
addAuthSourceLDAP(t, "", "", "", "")
u := gitLDAPUsers[0]
@ -184,7 +189,7 @@ func TestLDAPUserSignin(t *testing.T) {
func TestLDAPAuthChange(t *testing.T) {
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
addAuthSourceLDAP(t, "", "", "", "")
session := loginUser(t, "user1")
req := NewRequest(t, "GET", "/admin/auths")
@ -205,7 +210,7 @@ func TestLDAPAuthChange(t *testing.T) {
binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value")
assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)
req = NewRequestWithValues(t, "POST", href, buildAuthSourceLDAPPayload(csrf, "", "", "", "off"))
req = NewRequestWithValues(t, "POST", href, buildAuthSourceLDAPPayload(csrf, "", "", "", "", "", "off"))
session.MakeRequest(t, req, http.StatusSeeOther)
req = NewRequest(t, "GET", href)
@ -215,6 +220,21 @@ func TestLDAPAuthChange(t *testing.T) {
assert.Equal(t, host, getLDAPServerHost())
binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value")
assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)
domainname, _ := doc.Find(`input[name="default_domain_name"]`).Attr("value")
assert.Equal(t, "", domainname)
req = NewRequestWithValues(t, "POST", href, buildAuthSourceLDAPPayload(csrf, "", "", "test.org", "", "", "off"))
session.MakeRequest(t, req, http.StatusSeeOther)
req = NewRequest(t, "GET", href)
resp = session.MakeRequest(t, req, http.StatusOK)
doc = NewHTMLParser(t, resp.Body)
host, _ = doc.Find(`input[name="host"]`).Attr("value")
assert.Equal(t, host, getLDAPServerHost())
binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value")
assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)
domainname, _ = doc.Find(`input[name="default_domain_name"]`).Attr("value")
assert.Equal(t, "test.org", domainname)
}
func TestLDAPUserSync(t *testing.T) {
@ -223,7 +243,7 @@ func TestLDAPUserSync(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
addAuthSourceLDAP(t, "", "", "", "")
auth.SyncExternalUsers(context.Background(), true)
// Check if users exists
@ -252,7 +272,7 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
session := loginUser(t, "user1")
csrf := GetCSRF(t, session, "/admin/auths/new")
payload := buildAuthSourceLDAPPayload(csrf, "", "", "", "")
payload := buildAuthSourceLDAPPayload(csrf, "", "", "", "", "", "")
payload["attribute_username"] = ""
req := NewRequestWithValues(t, "POST", "/admin/auths/new", payload)
session.MakeRequest(t, req, http.StatusSeeOther)
@ -300,7 +320,7 @@ func TestLDAPUserSyncWithGroupFilter(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "(cn=git)")
addAuthSourceLDAP(t, "", "", "", "(cn=git)")
// Assert a user not a member of the LDAP group "cn=git" cannot login
// This test may look like TestLDAPUserSigninFailed but it is not.
@ -359,7 +379,7 @@ func TestLDAPUserSigninFailed(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
addAuthSourceLDAP(t, "", "", "", "")
u := otherLDAPUsers[0]
testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").TrString("form.username_password_incorrect"))
@ -371,7 +391,7 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "sshPublicKey", "")
addAuthSourceLDAP(t, "sshPublicKey", "", "", "")
auth.SyncExternalUsers(context.Background(), true)
@ -404,7 +424,7 @@ func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
addAuthSourceLDAP(t, "", "", "", "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
org, err := organization.GetOrgByName(db.DefaultContext, "org26")
assert.NoError(t, err)
team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")
@ -449,7 +469,7 @@ func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
addAuthSourceLDAP(t, "", "", "", "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
org, err := organization.GetOrgByName(db.DefaultContext, "org26")
assert.NoError(t, err)
team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")
@ -487,6 +507,58 @@ func TestLDAPPreventInvalidGroupTeamMap(t *testing.T) {
session := loginUser(t, "user1")
csrf := GetCSRF(t, session, "/admin/auths/new")
req := NewRequestWithValues(t, "POST", "/admin/auths/new", buildAuthSourceLDAPPayload(csrf, "", "", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, "off"))
req := NewRequestWithValues(t, "POST", "/admin/auths/new", buildAuthSourceLDAPPayload(csrf, "", "", "", "", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, "off"))
session.MakeRequest(t, req, http.StatusOK) // StatusOK = failed, StatusSeeOther = ok
}
func TestLDAPUserSyncInvalidMail(t *testing.T) {
if skipLDAPTests() {
t.Skip()
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "nonexisting", "", "")
auth.SyncExternalUsers(context.Background(), true)
// Check if users exists
for _, gitLDAPUser := range gitLDAPUsers {
dbUser, err := user_model.GetUserByName(db.DefaultContext, gitLDAPUser.UserName)
assert.NoError(t, err)
assert.Equal(t, gitLDAPUser.UserName, dbUser.Name)
assert.Equal(t, gitLDAPUser.UserName+"@localhost.local", dbUser.Email)
assert.Equal(t, gitLDAPUser.IsAdmin, dbUser.IsAdmin)
assert.Equal(t, gitLDAPUser.IsRestricted, dbUser.IsRestricted)
}
// Check if no users exist
for _, otherLDAPUser := range otherLDAPUsers {
_, err := user_model.GetUserByName(db.DefaultContext, otherLDAPUser.UserName)
assert.True(t, user_model.IsErrUserNotExist(err))
}
}
func TestLDAPUserSyncInvalidMailDefaultDomain(t *testing.T) {
if skipLDAPTests() {
t.Skip()
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "nonexisting", "test.org", "")
auth.SyncExternalUsers(context.Background(), true)
// Check if users exists
for _, gitLDAPUser := range gitLDAPUsers {
dbUser, err := user_model.GetUserByName(db.DefaultContext, gitLDAPUser.UserName)
assert.NoError(t, err)
assert.Equal(t, gitLDAPUser.UserName, dbUser.Name)
assert.Equal(t, gitLDAPUser.UserName+"@test.org", dbUser.Email)
assert.Equal(t, gitLDAPUser.IsAdmin, dbUser.IsAdmin)
assert.Equal(t, gitLDAPUser.IsRestricted, dbUser.IsRestricted)
}
// Check if no users exist
for _, otherLDAPUser := range otherLDAPUsers {
_, err := user_model.GetUserByName(db.DefaultContext, otherLDAPUser.UserName)
assert.True(t, user_model.IsErrUserNotExist(err))
}
}
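Review bot: TestLDAPUserSyncInvalidMail and TestLDAPUserSyncInvalidMailDefaultDomain at the end of the last hunk are the same body with only the default_domain_name argument and the expected address suffix differing; a shared helper taking both values keeps the two cases in one place, as sketched below. Inside the loops, `assert.NoError(t, err)` does not stop the test, so a failed lookup is followed by a nil dereference on `dbUser.Name` and the run ends in a panic instead of a readable failure; `if !assert.NoError(t, err) { continue }` (or `require.NoError`) avoids that, and the earlier sync tests outside this hunk appear to follow the same pattern. Nothing in this file exercises what the admin form does with a default_domain_name that cannot form a valid address (whitespace, an `@`), so if the handler changed elsewhere in this commit validates the field, a rejection case in the style of TestLDAPPreventInvalidGroupTeamMap would pin that behaviour.

```go
// … unchanged: TestLDAPPreventInvalidGroupTeamMap …

// checkLDAPSyncMailFallback syncs with a mail attribute no entry carries
// and asserts every synced user is given an address in wantDomain.
func checkLDAPSyncMailFallback(t *testing.T, defaultDomainName, wantDomain string) {
	defer tests.PrepareTestEnv(t)()
	addAuthSourceLDAP(t, "", "nonexisting", defaultDomainName, "")
	auth.SyncExternalUsers(context.Background(), true)

	// Check if users exists
	for _, gitLDAPUser := range gitLDAPUsers {
		dbUser, err := user_model.GetUserByName(db.DefaultContext, gitLDAPUser.UserName)
		if !assert.NoError(t, err) {
			continue
		}
		assert.Equal(t, gitLDAPUser.UserName, dbUser.Name)
		assert.Equal(t, gitLDAPUser.UserName+"@"+wantDomain, dbUser.Email)
		assert.Equal(t, gitLDAPUser.IsAdmin, dbUser.IsAdmin)
		assert.Equal(t, gitLDAPUser.IsRestricted, dbUser.IsRestricted)
	}

	// Check if no users exist
	for _, otherLDAPUser := range otherLDAPUsers {
		_, err := user_model.GetUserByName(db.DefaultContext, otherLDAPUser.UserName)
		assert.True(t, user_model.IsErrUserNotExist(err))
	}
}

func TestLDAPUserSyncInvalidMail(t *testing.T) {
	if skipLDAPTests() {
		t.Skip()
		return
	}
	checkLDAPSyncMailFallback(t, "", "localhost.local")
}

func TestLDAPUserSyncInvalidMailDefaultDomain(t *testing.T) {
	if skipLDAPTests() {
		t.Skip()
		return
	}
	checkLDAPSyncMailFallback(t, "test.org", "test.org")
}
```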