Add LDAP group sync to Teams, fixes #1395

cmd/admin_auth_ldap.go

@@ -89,6 +89,14 @@ var (
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
+		cli.StringFlag{
+			Name:  "team-group-map",
+			Usage: "Map of LDAP groups to teams.",
+		},
+		cli.StringFlag{
+			Name:  "team-group-map-force",
+			Usage: "Force synchronization of mapped LDAP groups to teams.",
+		},
 	}
 
 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
@@ -245,6 +253,12 @@ func parseLdapConfig(c *cli.Context, config *models.LDAPConfig) error {
 	if c.IsSet("allow-deactivate-all") {
 		config.Source.AllowDeactivateAll = c.Bool("allow-deactivate-all")
 	}
+	if c.IsSet("team-group-map") {
+		config.Source.TeamGroupMap = c.String("team-group-map")
+	}
+	if c.IsSet("team-group-map-removal") {
+		config.Source.TeamGroupMapRemoval = c.Bool("team-group-map-removal")
+	}
 	return nil
 }
 

go.mod

@@ -106,6 +106,7 @@ require (
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/syndtr/goleveldb v1.0.0
+	github.com/thoas/go-funk v0.8.0
 	github.com/tstranex/u2f v1.0.0
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/unknwon/com v1.0.1

go.sum

@@ -1018,6 +1018,8 @@ github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
+github.com/thoas/go-funk v0.8.0 h1:JP9tKSvnpFVclYgDM0Is7FD9M4fhPvqA0s0BsXmzSRQ=
+github.com/thoas/go-funk v0.8.0/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=

integrations/auth_ldap_test.go

@@ -119,6 +119,12 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string) {
 		"attribute_ssh_public_key": sshKeyAttribute,
 		"is_sync_enabled":          "on",
 		"is_active":                "on",
+		"team_group_map_enabled":   "on",
+		"team_group_map_removal":   "on",
+		"group_dn":                 "ou=people,dc=planetexpress,dc=com",
+		"group_member_uid":         "member",
+		"user_uid":                 "DN",
+		"team_group_map":           "{\"cn=ship_crew,ou=people,dc=planetexpress,dc=com\": {\"org26\": [\"team11\"]},\"cn=admin_staff,ou=people,dc=planetexpress,dc=com\": {\"non-existent\": [\"non-existent\"]},\"cn=non-existent,ou=people,dc=planetexpress,dc=com\": {\"non-existent\": [\"non-existent\"]}}",
 	})
 	session.MakeRequest(t, req, http.StatusFound)
 }
@@ -240,3 +246,131 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
 		assert.ElementsMatch(t, u.SSHKeys, syncedKeys, "Unequal number of keys synchronized for user: %s", u.UserName)
 	}
 }
+
+func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer prepareTestEnv(t)()
+	addAuthSourceLDAP(t, "")
+	org, err := models.GetOrgByName("org26")
+	assert.NoError(t, err)
+	team, err := models.GetTeam(org.ID, "team11")
+	assert.NoError(t, err)
+	models.SyncExternalUsers(context.Background(), true)
+	for _, gitLDAPUser := range gitLDAPUsers {
+		user := models.AssertExistsAndLoadBean(t, &models.User{
+			Name: gitLDAPUser.UserName,
+		}).(*models.User)
+		usersOrgs, err := models.GetOrgsByUserID(user.ID, true)
+		assert.NoError(t, err)
+		allOrgTeams, err := models.GetUserOrgTeams(org.ID, user.ID)
+		assert.NoError(t, err)
+		if user.Name == "fry" || user.Name == "leela" || user.Name == "bender" {
+			// assert members of LDAP group "cn=ship_crew" are added to mapped teams
+			assert.Equal(t, len(usersOrgs), 1, "User should be member of one organization")
+			assert.Equal(t, usersOrgs[0].Name, "org26", "Membership should be added to the right organization")
+			isMember, err := models.IsTeamMember(usersOrgs[0].ID, team.ID, user.ID)
+			assert.NoError(t, err)
+			assert.True(t, isMember, "Membership should be added to the right team")
+			err = team.RemoveMember(user.ID)
+			assert.NoError(t, err)
+		} else {
+			// assert members of LDAP group "cn=admin_staff" keep initial team membership since mapped team does not exist
+			assert.Empty(t, usersOrgs, "User should be member of no organization")
+			isMember, err := models.IsTeamMember(org.ID, team.ID, user.ID)
+			assert.NoError(t, err)
+			assert.False(t, isMember, "User should no be added to this team")
+			assert.Empty(t, allOrgTeams, "User should not be added to any team")
+		}
+	}
+}
+
+func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer prepareTestEnv(t)()
+	addAuthSourceLDAP(t, "")
+	models.SyncExternalUsers(context.Background(), true)
+	org, err := models.GetOrgByName("org26")
+	assert.NoError(t, err)
+	team, err := models.GetTeam(org.ID, "team11")
+	assert.NoError(t, err)
+	user, err := models.GetUserByName("professor")
+	assert.NoError(t, err)
+	err = org.AddMember(user.ID)
+	assert.NoError(t, err)
+	err = team.AddMember(user.ID)
+	assert.NoError(t, err)
+	isMember, err := models.IsOrganizationMember(org.ID, user.ID)
+	assert.NoError(t, err)
+	assert.True(t, isMember, "User should be member of this organization")
+	isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
+	assert.NoError(t, err)
+	assert.True(t, isMember, "User should be member of this team")
+	// assert team member "professor" gets removed from "team11"
+	models.SyncExternalUsers(context.Background(), true)
+	isMember, err = models.IsOrganizationMember(org.ID, user.ID)
+	assert.NoError(t, err)
+	assert.False(t, isMember, "User membership should have been removed from organization")
+	isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
+	assert.NoError(t, err)
+	assert.False(t, isMember, "User membership should have been removed from team")
+}
+
+func addBrokenLDAPMapAuthSource(t *testing.T, sshKeyAttribute string) {
+	session := loginUser(t, "user1")
+	csrf := GetCSRF(t, session, "/admin/auths/new")
+	req := NewRequestWithValues(t, "POST", "/admin/auths/new", map[string]string{
+		"_csrf":                    csrf,
+		"type":                     "2",
+		"name":                     "ldap",
+		"host":                     getLDAPServerHost(),
+		"port":                     "389",
+		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",
+		"bind_password":            "password",
+		"user_base":                "ou=people,dc=planetexpress,dc=com",
+		"filter":                   "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))",
+		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",
+		"restricted_filter":        "(uid=leela)",
+		"attribute_username":       "uid",
+		"attribute_name":           "givenName",
+		"attribute_surname":        "sn",
+		"attribute_mail":           "mail",
+		"attribute_ssh_public_key": sshKeyAttribute,
+		"is_sync_enabled":          "on",
+		"is_active":                "on",
+		"team_group_map_enabled":   "on",
+		"team_group_map_removal":   "on",
+		"group_dn":                 "ou=people,dc=planetexpress,dc=com",
+		"group_member_uid":         "member",
+		"user_uid":                 "DN",
+		"team_group_map":           "{\"NOT_A_VALID_JSON\"[\"MISSING_DOUBLE_POINT\"]}",
+	})
+	session.MakeRequest(t, req, http.StatusFound)
+}
+
+// Login should work even if Team Group Map contains a broken JSON
+func TestBrokenLDAPMapUserSignin(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer prepareTestEnv(t)()
+	addBrokenLDAPMapAuthSource(t, "")
+
+	u := gitLDAPUsers[0]
+
+	session := loginUserWithPassword(t, u.UserName, u.Password)
+	req := NewRequest(t, "GET", "/user/settings")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+
+	assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))
+	assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))
+	assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())
+}

models/login_source.go

@@ -491,6 +491,46 @@ func composeFullName(firstname, surname, username string) string {
 	}
 }
 
+// remove membership to organizations/teams if user is not member of corresponding LDAP group
+// e.g. lets assume user is member of LDAP group "x", but LDAP group team map contains LDAP groups "x" and "y"
+// then users membership gets removed for all organizations/teams mapped by LDAP group "y"
+func removeMappedMemberships(user *User, ldapTeamRemove map[string][]string) {
+	for orgName, teamNames := range ldapTeamRemove {
+		org, err := GetOrgByName(orgName)
+		if err != nil {
+			// organization must be created before LDAP group sync
+			log.Debug("LDAP group sync: Could not find organisation %s: %v", orgName, err)
+			continue
+		}
+		for _, teamName := range teamNames {
+			team, err := org.GetTeam(teamName)
+			if err != nil {
+				// team must must be created before LDAP group sync
+				log.Debug("LDAP group sync: Could not find team %s: %v", teamName, err)
+				continue
+			}
+			if isMember, err := IsTeamMember(org.ID, team.ID, user.ID); isMember && err == nil {
+				log.Trace("LDAP group sync: removing user [%s] from team [%s]", user.Name, org.Name)
+			}
+			err = team.RemoveMember(user.ID)
+			if err != nil {
+				log.Error("LDAP group sync: Could not remove user from team: %v", err)
+			}
+		}
+		if remainingTeams, err := GetUserOrgTeams(org.ID, user.ID); err == nil && len(remainingTeams) == 0 {
+			if isMember, err := IsOrganizationMember(org.ID, user.ID); isMember && err == nil {
+				log.Trace("LDAP group sync: removing user [%s] from organization [%s]", user.Name, org.Name)
+			}
+			err = org.RemoveMember(user.ID)
+			if err != nil {
+				log.Error("LDAP group sync: Could not remove user from organization: %v", err)
+			}
+		} else if err != nil {
+			log.Error("LDAP group sync: Could not find users [id: %d] teams for given organization [%s]", user.ID, org.Name)
+		}
+	}
+}
+
 // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,
 // and create a local user if success when enabled.
 func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*User, error) {
@@ -537,7 +577,9 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*Use
 		if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {
 			return user, RewriteAllPublicKeys()
 		}
-
+		if source.LDAP().TeamGroupMapEnabled || source.LDAP().TeamGroupMapRemoval {
+			SyncLdapGroupsToTeams(user, sr.LdapTeamAdd, sr.LdapTeamRemove, source)
+		}
 		return user, nil
 	}
 
@@ -568,10 +610,50 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*Use
 	if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {
 		err = RewriteAllPublicKeys()
 	}
-
+	if source.LDAP().TeamGroupMapEnabled || source.LDAP().TeamGroupMapRemoval {
+		SyncLdapGroupsToTeams(user, sr.LdapTeamAdd, sr.LdapTeamRemove, source)
+	}
 	return user, err
 }
 
+// SyncLdapGroupsToTeams maps LDAP groups to organization and team memberships
+func SyncLdapGroupsToTeams(user *User, ldapTeamAdd map[string][]string, ldapTeamRemove map[string][]string, source *LoginSource) {
+	if source.LDAP().TeamGroupMapRemoval {
+		// when the user is not a member of configs LDAP group, remove mapped organizations/teams memberships
+		removeMappedMemberships(user, ldapTeamRemove)
+	}
+	for orgName, teamNames := range ldapTeamAdd {
+		org, err := GetOrgByName(orgName)
+		if err != nil {
+			// organization must be created before LDAP group sync
+			log.Debug("LDAP group sync: Could not find organisation %s: %v", orgName, err)
+			continue
+		}
+		if isMember, err := IsOrganizationMember(org.ID, user.ID); !isMember && err == nil {
+			log.Trace("LDAP group sync: adding user [%s] to organization [%s]", user.Name, org.Name)
+		}
+		err = org.AddMember(user.ID)
+		if err != nil {
+			log.Error("LDAP group sync: Could not add user to organization: %v", err)
+		}
+		for _, teamName := range teamNames {
+			team, err := org.GetTeam(teamName)
+			if err != nil {
+				// team must be created before LDAP group sync
+				log.Debug("LDAP group sync: Could not find team %s: %v", teamName, err)
+				continue
+			}
+			if isMember, err := IsTeamMember(org.ID, team.ID, user.ID); !isMember && err == nil {
+				log.Trace("LDAP group sync: adding user [%s] to team [%s]", user.Name, org.Name)
+			}
+			err = team.AddMember(user.ID)
+			if err != nil {
+				log.Error("LDAP group sync: Could not add user to team: %v", err)
+			}
+		}
+	}
+}
+
 //   _________   __________________________
 //  /   _____/  /     \__    ___/\______   \
 //  \_____  \  /  \ /  \|    |    |     ___/

models/user.go

@@ -2014,6 +2014,10 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error {
 						}
 					}
 				}
+				// Synchronize LDAP groups with organization and team memberships
+				if s.LDAP().TeamGroupMapEnabled || s.LDAP().TeamGroupMapRemoval {
+					SyncLdapGroupsToTeams(usr, su.LdapTeamAdd, su.LdapTeamRemove, s)
+				}
 			}
 
 			// Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed

modules/auth/ldap/README.md

@@ -121,3 +121,11 @@ share the following fields:
 * Group Attribute for User (optional)
     * Which group LDAP attribute contains an array above user attribute names.
     * Example: memberUid
+
+* Team group map (optional)
+  * Automatically add users to Organization teams, depending on LDAP group memberships.
+  * Note: this function only adds users to teams, it never removes users.
+  * Example: {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2", ...], ...}, ...}
+
+* Team group map removal (optional)
+  * If set to true, users will be removed from teams if they are not members of the corresponding group.