tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-07-05 18:17:19 +00:00
Code Releases Activity

Refactor some LDAP code (#32849)

Browse Source
This commit is contained in:
wxiaoguang
2024-12-15 19:59:18 +08:00
committed by GitHub
parent 33e8e82c4b
commit b01b0b99a5
6 changed files with 264 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

366
tests/integration/auth_ldap_test.go
View File

@ -15,13 +15,17 @@ import (
"code.gitea.io/gitea/models/organization"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/optional"
"code.gitea.io/gitea/modules/test"
"code.gitea.io/gitea/modules/translation"
"code.gitea.io/gitea/modules/util"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/ldap"
org_service "code.gitea.io/gitea/services/org"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
type ldapUser struct {
@ -35,87 +39,97 @@ type ldapUser struct {
SSHKeys []string
}
var gitLDAPUsers = []ldapUser{
{
UserName: "professor",
Password: "professor",
FullName: "Hubert Farnsworth",
Email: "professor@planetexpress.com",
OtherEmails: []string{"hubert@planetexpress.com"},
IsAdmin: true,
},
{
UserName: "hermes",
Password: "hermes",
FullName: "Conrad Hermes",
Email: "hermes@planetexpress.com",
SSHKeys: []string{
"SHA256:qLY06smKfHoW/92yXySpnxFR10QFrLdRjf/GNPvwcW8",
"SHA256:QlVTuM5OssDatqidn2ffY+Lc4YA5Fs78U+0KOHI51jQ",
"SHA256:DXdeUKYOJCSSmClZuwrb60hUq7367j4fA+udNC3FdRI",
type ldapTestEnv struct {
gitLDAPUsers []ldapUser
otherLDAPUsers []ldapUser
serverHost string
serverPort string
}
func prepareLdapTestEnv(t *testing.T) *ldapTestEnv {
if os.Getenv("TEST_LDAP") != "1" {
t.Skip()
return nil
}
gitLDAPUsers := []ldapUser{
{
UserName: "professor",
Password: "professor",
FullName: "Hubert Farnsworth",
Email: "professor@planetexpress.com",
OtherEmails: []string{"hubert@planetexpress.com"},
IsAdmin: true,
},
{
UserName: "hermes",
Password: "hermes",
FullName: "Conrad Hermes",
Email: "hermes@planetexpress.com",
SSHKeys: []string{
"SHA256:qLY06smKfHoW/92yXySpnxFR10QFrLdRjf/GNPvwcW8",
"SHA256:QlVTuM5OssDatqidn2ffY+Lc4YA5Fs78U+0KOHI51jQ",
"SHA256:DXdeUKYOJCSSmClZuwrb60hUq7367j4fA+udNC3FdRI",
},
IsAdmin: true,
},
{
UserName: "fry",
Password: "fry",
FullName: "Philip Fry",
Email: "fry@planetexpress.com",
},
{
UserName: "leela",
Password: "leela",
FullName: "Leela Turanga",
Email: "leela@planetexpress.com",
IsRestricted: true,
},
{
UserName: "bender",
Password: "bender",
FullName: "Bender Rodríguez",
Email: "bender@planetexpress.com",
},
IsAdmin: true,
},
{
UserName: "fry",
Password: "fry",
FullName: "Philip Fry",
Email: "fry@planetexpress.com",
},
{
UserName: "leela",
Password: "leela",
FullName: "Leela Turanga",
Email: "leela@planetexpress.com",
IsRestricted: true,
},
{
UserName: "bender",
Password: "bender",
FullName: "Bender Rodríguez",
Email: "bender@planetexpress.com",
},
}
var otherLDAPUsers = []ldapUser{
{
UserName: "zoidberg",
Password: "zoidberg",
FullName: "John Zoidberg",
Email: "zoidberg@planetexpress.com",
},
{
UserName: "amy",
Password: "amy",
FullName: "Amy Kroker",
Email: "amy@planetexpress.com",
},
}
func skipLDAPTests() bool {
return os.Getenv("TEST_LDAP") != "1"
}
func getLDAPServerHost() string {
host := os.Getenv("TEST_LDAP_HOST")
if len(host) == 0 {
host = "ldap"
}
return host
}
func getLDAPServerPort() string {
port := os.Getenv("TEST_LDAP_PORT")
if len(port) == 0 {
port = "389"
otherLDAPUsers := []ldapUser{
{
UserName: "zoidberg",
Password: "zoidberg",
FullName: "John Zoidberg",
Email: "zoidberg@planetexpress.com",
},
{
UserName: "amy",
Password: "amy",
FullName: "Amy Kroker",
Email: "amy@planetexpress.com",
},
}
return &ldapTestEnv{
gitLDAPUsers: gitLDAPUsers,
otherLDAPUsers: otherLDAPUsers,
serverHost: util.IfZero(os.Getenv("TEST_LDAP_HOST"), "ldap"),
serverPort: util.IfZero(os.Getenv("TEST_LDAP_PORT"), "389"),
}
return port
}
func buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap, groupTeamMapRemoval string) map[string]string {
type ldapAuthOptions struct {
attributeUID optional.Option[string] // defaults to "uid"
attributeSSHPublicKey string
groupFilter string
groupTeamMap string
groupTeamMapRemoval string
}
func (te *ldapTestEnv) buildAuthSourcePayload(csrf string, opts ...ldapAuthOptions) map[string]string {
opt := util.OptionalArg(opts)
// Modify user filter to test group filter explicitly
userFilter := "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))"
if groupFilter != "" {
if opt.groupFilter != "" {
userFilter = "(&(objectClass=inetOrgPerson)(uid=%s))"
}
@ -123,53 +137,47 @@ func buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap
"_csrf": csrf,
"type": "2",
"name": "ldap",
"host": getLDAPServerHost(),
"port": getLDAPServerPort(),
"host": te.serverHost,
"port": te.serverPort,
"bind_dn": "uid=gitea,ou=service,dc=planetexpress,dc=com",
"bind_password": "password",
"user_base": "ou=people,dc=planetexpress,dc=com",
"filter": userFilter,
"admin_filter": "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",
"restricted_filter": "(uid=leela)",
"attribute_username": "uid",
"attribute_username": util.Iif(opt.attributeUID.Has(), opt.attributeUID.Value(), "uid"),
"attribute_name": "givenName",
"attribute_surname": "sn",
"attribute_mail": "mail",
"attribute_ssh_public_key": sshKeyAttribute,
"attribute_ssh_public_key": opt.attributeSSHPublicKey,
"is_sync_enabled": "on",
"is_active": "on",
"groups_enabled": "on",
"group_dn": "ou=people,dc=planetexpress,dc=com",
"group_member_uid": "member",
"group_filter": groupFilter,
"group_team_map": groupTeamMap,
"group_team_map_removal": groupTeamMapRemoval,
"group_filter": opt.groupFilter,
"group_team_map": opt.groupTeamMap,
"group_team_map_removal": opt.groupTeamMapRemoval,
"user_uid": "DN",
}
}
func addAuthSourceLDAP(t *testing.T, sshKeyAttribute, groupFilter string, groupMapParams ...string) {
groupTeamMapRemoval := "off"
groupTeamMap := ""
if len(groupMapParams) == 2 {
groupTeamMapRemoval = groupMapParams[0]
groupTeamMap = groupMapParams[1]
}
func (te *ldapTestEnv) addAuthSource(t *testing.T, opts ...ldapAuthOptions) {
session := loginUser(t, "user1")
csrf := GetUserCSRFToken(t, session)
req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", buildAuthSourceLDAPPayload(csrf, sshKeyAttribute, groupFilter, groupTeamMap, groupTeamMapRemoval))
req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", te.buildAuthSourcePayload(csrf, opts...))
session.MakeRequest(t, req, http.StatusSeeOther)
}
func TestLDAPUserSignin(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
te.addAuthSource(t)
u := gitLDAPUsers[0]
u := te.gitLDAPUsers[0]
session := loginUserWithPassword(t, u.UserName, u.Password)
req := NewRequest(t, "GET", "/user/settings")
@ -183,8 +191,13 @@ func TestLDAPUserSignin(t *testing.T) {
}
func TestLDAPAuthChange(t *testing.T) {
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
te.addAuthSource(t)
session := loginUser(t, "user1")
req := NewRequest(t, "GET", "/-/admin/auths")
@ -201,34 +214,35 @@ func TestLDAPAuthChange(t *testing.T) {
doc = NewHTMLParser(t, resp.Body)
csrf := doc.GetCSRF()
host, _ := doc.Find(`input[name="host"]`).Attr("value")
assert.Equal(t, host, getLDAPServerHost())
assert.Equal(t, te.serverHost, host)
binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value")
assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)
req = NewRequestWithValues(t, "POST", href, buildAuthSourceLDAPPayload(csrf, "", "", "", "off"))
req = NewRequestWithValues(t, "POST", href, te.buildAuthSourcePayload(csrf, ldapAuthOptions{groupTeamMapRemoval: "off"}))
session.MakeRequest(t, req, http.StatusSeeOther)
req = NewRequest(t, "GET", href)
resp = session.MakeRequest(t, req, http.StatusOK)
doc = NewHTMLParser(t, resp.Body)
host, _ = doc.Find(`input[name="host"]`).Attr("value")
assert.Equal(t, host, getLDAPServerHost())
assert.Equal(t, te.serverHost, host)
binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value")
assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)
}
func TestLDAPUserSync(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
te.addAuthSource(t)
err := auth.SyncExternalUsers(context.Background(), true)
assert.NoError(t, err)
// Check if users exists
for _, gitLDAPUser := range gitLDAPUsers {
for _, gitLDAPUser := range te.gitLDAPUsers {
dbUser, err := user_model.GetUserByName(db.DefaultContext, gitLDAPUser.UserName)
assert.NoError(t, err)
assert.Equal(t, gitLDAPUser.UserName, dbUser.Name)
@ -238,27 +252,28 @@ func TestLDAPUserSync(t *testing.T) {
}
// Check if no users exist
for _, otherLDAPUser := range otherLDAPUsers {
for _, otherLDAPUser := range te.otherLDAPUsers {
_, err := user_model.GetUserByName(db.DefaultContext, otherLDAPUser.UserName)
assert.True(t, user_model.IsErrUserNotExist(err))
}
}
func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
session := loginUser(t, "user1")
csrf := GetUserCSRFToken(t, session)
payload := buildAuthSourceLDAPPayload(csrf, "", "", "", "")
payload := te.buildAuthSourcePayload(csrf)
payload["attribute_username"] = ""
req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", payload)
session.MakeRequest(t, req, http.StatusSeeOther)
for _, u := range gitLDAPUsers {
for _, u := range te.gitLDAPUsers {
req := NewRequest(t, "GET", "/-/admin/users?q="+u.UserName)
resp := session.MakeRequest(t, req, http.StatusOK)
@ -268,7 +283,7 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
assert.Equal(t, 0, tr.Length())
}
for _, u := range gitLDAPUsers {
for _, u := range te.gitLDAPUsers {
req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{
"_csrf": csrf,
"user_name": u.UserName,
@ -277,7 +292,7 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
MakeRequest(t, req, http.StatusSeeOther)
}
auth.SyncExternalUsers(context.Background(), true)
require.NoError(t, auth.SyncExternalUsers(context.Background(), true))
authSource := unittest.AssertExistsAndLoadBean(t, &auth_model.Source{
Name: payload["name"],
@ -285,9 +300,9 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
unittest.AssertCount(t, &user_model.User{
LoginType: auth_model.LDAP,
LoginSource: authSource.ID,
}, len(gitLDAPUsers))
}, len(te.gitLDAPUsers))
for _, u := range gitLDAPUsers {
for _, u := range te.gitLDAPUsers {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
Name: u.UserName,
})
@ -296,12 +311,13 @@ func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {
}
func TestLDAPUserSyncWithGroupFilter(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "(cn=git)")
te.addAuthSource(t, ldapAuthOptions{groupFilter: "(cn=git)"})
// Assert a user not a member of the LDAP group "cn=git" cannot login
// This test may look like TestLDAPUserSigninFailed but it is not.
@ -309,20 +325,20 @@ func TestLDAPUserSyncWithGroupFilter(t *testing.T) {
// This test is for the case when LDAP user records may not be linked with
// all groups the user is a member of, the user filter is modified accordingly inside
// the addAuthSourceLDAP based on the value of the groupFilter
u := otherLDAPUsers[0]
u := te.otherLDAPUsers[0]
testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").TrString("form.username_password_incorrect"))
auth.SyncExternalUsers(context.Background(), true)
require.NoError(t, auth.SyncExternalUsers(context.Background(), true))
// Assert members of LDAP group "cn=git" are added
for _, gitLDAPUser := range gitLDAPUsers {
for _, gitLDAPUser := range te.gitLDAPUsers {
unittest.BeanExists(t, &user_model.User{
Name: gitLDAPUser.UserName,
})
}
// Assert everyone else is not added
for _, gitLDAPUser := range otherLDAPUsers {
for _, gitLDAPUser := range te.otherLDAPUsers {
unittest.AssertNotExistsBean(t, &user_model.User{
Name: gitLDAPUser.UserName,
})
@ -333,11 +349,11 @@ func TestLDAPUserSyncWithGroupFilter(t *testing.T) {
})
ldapConfig := ldapSource.Cfg.(*ldap.Source)
ldapConfig.GroupFilter = "(cn=ship_crew)"
auth_model.UpdateSource(db.DefaultContext, ldapSource)
require.NoError(t, auth_model.UpdateSource(db.DefaultContext, ldapSource))
auth.SyncExternalUsers(context.Background(), true)
require.NoError(t, auth.SyncExternalUsers(context.Background(), true))
for _, gitLDAPUser := range gitLDAPUsers {
for _, gitLDAPUser := range te.gitLDAPUsers {
if gitLDAPUser.UserName == "fry" || gitLDAPUser.UserName == "leela" || gitLDAPUser.UserName == "bender" {
// Assert members of the LDAP group "cn-ship_crew" are still active
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
@ -355,29 +371,31 @@ func TestLDAPUserSyncWithGroupFilter(t *testing.T) {
}
func TestLDAPUserSigninFailed(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "")
u := otherLDAPUsers[0]
defer tests.PrepareTestEnv(t)()
te.addAuthSource(t)
u := te.otherLDAPUsers[0]
testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").TrString("form.username_password_incorrect"))
}
func TestLDAPUserSSHKeySync(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "sshPublicKey", "")
auth.SyncExternalUsers(context.Background(), true)
defer tests.PrepareTestEnv(t)()
te.addAuthSource(t, ldapAuthOptions{attributeSSHPublicKey: "sshPublicKey"})
require.NoError(t, auth.SyncExternalUsers(context.Background(), true))
// Check if users has SSH keys synced
for _, u := range gitLDAPUsers {
for _, u := range te.gitLDAPUsers {
if len(u.SSHKeys) == 0 {
continue
}
@ -400,18 +418,22 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
}
func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
te.addAuthSource(t, ldapAuthOptions{
groupTeamMap: `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`,
groupTeamMapRemoval: "on",
})
org, err := organization.GetOrgByName(db.DefaultContext, "org26")
assert.NoError(t, err)
team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")
assert.NoError(t, err)
auth.SyncExternalUsers(context.Background(), true)
for _, gitLDAPUser := range gitLDAPUsers {
require.NoError(t, auth.SyncExternalUsers(context.Background(), true))
for _, gitLDAPUser := range te.gitLDAPUsers {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
Name: gitLDAPUser.UserName,
})
@ -445,19 +467,22 @@ func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
}
func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
addAuthSourceLDAP(t, "", "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
te.addAuthSource(t, ldapAuthOptions{
groupTeamMap: `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`,
groupTeamMapRemoval: "on",
})
org, err := organization.GetOrgByName(db.DefaultContext, "org26")
assert.NoError(t, err)
team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")
assert.NoError(t, err)
loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)
loginUserWithPassword(t, te.gitLDAPUsers[0].UserName, te.gitLDAPUsers[0].Password)
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
Name: gitLDAPUsers[0].UserName,
Name: te.gitLDAPUsers[0].UserName,
})
err = organization.AddOrgUser(db.DefaultContext, org.ID, user.ID)
assert.NoError(t, err)
@ -470,7 +495,7 @@ func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
assert.NoError(t, err)
assert.True(t, isMember, "User should be member of this team")
// assert team member "professor" gets removed from org26 team11
loginUserWithPassword(t, gitLDAPUsers[0].UserName, gitLDAPUsers[0].Password)
loginUserWithPassword(t, te.gitLDAPUsers[0].UserName, te.gitLDAPUsers[0].Password)
isMember, err = organization.IsOrganizationMember(db.DefaultContext, org.ID, user.ID)
assert.NoError(t, err)
assert.False(t, isMember, "User membership should have been removed from organization")
@ -480,14 +505,67 @@ func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
}
func TestLDAPPreventInvalidGroupTeamMap(t *testing.T) {
if skipLDAPTests() {
t.Skip()
te := prepareLdapTestEnv(t)
if te == nil {
return
}
defer tests.PrepareTestEnv(t)()
session := loginUser(t, "user1")
csrf := GetUserCSRFToken(t, session)
req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", buildAuthSourceLDAPPayload(csrf, "", "", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, "off"))
payload := te.buildAuthSourcePayload(csrf, ldapAuthOptions{groupTeamMap: `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, groupTeamMapRemoval: "off"})
req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", payload)
session.MakeRequest(t, req, http.StatusOK) // StatusOK = failed, StatusSeeOther = ok
}
func TestLDAPEmailSignin(t *testing.T) {
te := ldapTestEnv{
gitLDAPUsers: []ldapUser{
{
UserName: "u1",
Password: "xx",
FullName: "user 1",
Email: "u1@gitea.com",
},
},
serverHost: "mock-host",
serverPort: "mock-port",
}
defer test.MockVariableValue(&ldap.MockedSearchEntry, func(source *ldap.Source, name, passwd string, directBind bool) *ldap.SearchResult {
var u *ldapUser
for _, user := range te.gitLDAPUsers {
if user.Email == name && user.Password == passwd {
u = &user
break
}
}
if u == nil {
return nil
}
result := &ldap.SearchResult{
Username: u.UserName,
Mail: u.Email,
LowerName: strings.ToLower(u.UserName),
}
nameFields := strings.Split(u.FullName, " ")
result.Name = nameFields[0]
if len(nameFields) > 1 {
result.Surname = nameFields[1]
}
return result
})()
defer tests.PrepareTestEnv(t)()
te.addAuthSource(t)
u := te.gitLDAPUsers[0]
session := loginUserWithPassword(t, u.Email, u.Password)
req := NewRequest(t, "GET", "/user/settings")
resp := session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))
assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))
assert.Equal(t, u.Email, htmlDoc.Find("#signed-user-email").Text())
}