Add tests to LDAP group sync

melegiul · svenseeberg · svenseeberg · commit 673df9974183 · 2021-07-15T10:29:30.000+02:00
* Adding and removing team members.
* Sync not existing LDAP group.
* Login with broken group map JSON.

Co-authored-by: Giuliano Mele &lt;mele@integreat-app.de&gt;
Co-authored-by: Sven Seeberg &lt;mail@sven-seeberg.de&gt;
diff --git a/integrations/auth_ldap_test.go b/integrations/auth_ldap_test.go
@@ -119,6 +119,12 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string) {
 		"attribute_ssh_public_key": sshKeyAttribute,
 		"is_sync_enabled":          "on",
 		"is_active":                "on",
+		"team_group_map_enabled":   "on",
+		"team_group_map_removal":   "on",
+		"group_dn":                 "ou=people,dc=planetexpress,dc=com",
+		"group_member_uid":         "member",
+		"user_uid":                 "DN",
+		"team_group_map":           "{\"cn=ship_crew,ou=people,dc=planetexpress,dc=com\": {\"org26\": [\"team11\"]},\"cn=admin_staff,ou=people,dc=planetexpress,dc=com\": {\"non-existent\": [\"non-existent\"]},\"cn=non-existent,ou=people,dc=planetexpress,dc=com\": {\"non-existent\": [\"non-existent\"]}}",
 	})
 	session.MakeRequest(t, req, http.StatusFound)
 }
@@ -240,3 +246,131 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
 		assert.ElementsMatch(t, u.SSHKeys, syncedKeys, "Unequal number of keys synchronized for user: %s", u.UserName)
 	}
 }
+
+func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer prepareTestEnv(t)()
+	addAuthSourceLDAP(t, "")
+	org, err := models.GetOrgByName("org26")
+	assert.NoError(t, err)
+	team, err := models.GetTeam(org.ID, "team11")
+	assert.NoError(t, err)
+	models.SyncExternalUsers(context.Background(), true)
+	for _, gitLDAPUser := range gitLDAPUsers {
+		user := models.AssertExistsAndLoadBean(t, &models.User{
+			Name: gitLDAPUser.UserName,
+		}).(*models.User)
+		usersOrgs, err := models.GetOrgsByUserID(user.ID, true)
+		assert.NoError(t, err)
+		allOrgTeams, err := models.GetUserOrgTeams(org.ID, user.ID)
+		assert.NoError(t, err)
+		if user.Name == "fry" || user.Name == "leela" || user.Name == "bender" {
+			// assert members of LDAP group "cn=ship_crew" are added to mapped teams
+			assert.Equal(t, len(usersOrgs), 1, "User should be member of one organization")
+			assert.Equal(t, usersOrgs[0].Name, "org26", "Membership should be added to the right organization")
+			isMember, err := models.IsTeamMember(usersOrgs[0].ID, team.ID, user.ID)
+			assert.NoError(t, err)
+			assert.True(t, isMember, "Membership should be added to the right team")
+			err = team.RemoveMember(user.ID)
+			assert.NoError(t, err)
+		} else {
+			// assert members of LDAP group "cn=admin_staff" keep initial team membership since mapped team does not exist
+			assert.Empty(t, usersOrgs, "User should be member of no organization")
+			isMember, err := models.IsTeamMember(org.ID, team.ID, user.ID)
+			assert.NoError(t, err)
+			assert.False(t, isMember, "User should no be added to this team")
+			assert.Empty(t, allOrgTeams, "User should not be added to any team")
+		}
+	}
+}
+
+func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer prepareTestEnv(t)()
+	addAuthSourceLDAP(t, "")
+	models.SyncExternalUsers(context.Background(), true)
+	org, err := models.GetOrgByName("org26")
+	assert.NoError(t, err)
+	team, err := models.GetTeam(org.ID, "team11")
+	assert.NoError(t, err)
+	user, err := models.GetUserByName("professor")
+	assert.NoError(t, err)
+	err = org.AddMember(user.ID)
+	assert.NoError(t, err)
+	err = team.AddMember(user.ID)
+	assert.NoError(t, err)
+	isMember, err := models.IsOrganizationMember(org.ID, user.ID)
+	assert.NoError(t, err)
+	assert.True(t, isMember, "User should be member of this organization")
+	isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
+	assert.NoError(t, err)
+	assert.True(t, isMember, "User should be member of this team")
+	// assert team member "professor" gets removed from "team11"
+	models.SyncExternalUsers(context.Background(), true)
+	isMember, err = models.IsOrganizationMember(org.ID, user.ID)
+	assert.NoError(t, err)
+	assert.False(t, isMember, "User membership should have been removed from organization")
+	isMember, err = models.IsTeamMember(org.ID, team.ID, user.ID)
+	assert.NoError(t, err)
+	assert.False(t, isMember, "User membership should have been removed from team")
+}
+
+func addBrokenLDAPMapAuthSource(t *testing.T, sshKeyAttribute string) {
+	session := loginUser(t, "user1")
+	csrf := GetCSRF(t, session, "/admin/auths/new")
+	req := NewRequestWithValues(t, "POST", "/admin/auths/new", map[string]string{
+		"_csrf":                    csrf,
+		"type":                     "2",
+		"name":                     "ldap",
+		"host":                     getLDAPServerHost(),
+		"port":                     "389",
+		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",
+		"bind_password":            "password",
+		"user_base":                "ou=people,dc=planetexpress,dc=com",
+		"filter":                   "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))",
+		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",
+		"restricted_filter":        "(uid=leela)",
+		"attribute_username":       "uid",
+		"attribute_name":           "givenName",
+		"attribute_surname":        "sn",
+		"attribute_mail":           "mail",
+		"attribute_ssh_public_key": sshKeyAttribute,
+		"is_sync_enabled":          "on",
+		"is_active":                "on",
+		"team_group_map_enabled":   "on",
+		"team_group_map_removal":   "on",
+		"group_dn":                 "ou=people,dc=planetexpress,dc=com",
+		"group_member_uid":         "member",
+		"user_uid":                 "DN",
+		"team_group_map":           "{\"NOT_A_VALID_JSON\"[\"MISSING_DOUBLE_POINT\"]}",
+	})
+	session.MakeRequest(t, req, http.StatusFound)
+}
+
+// Login should work even if Team Group Map contains a broken JSON
+func TestBrokenLDAPMapUserSignin(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer prepareTestEnv(t)()
+	addBrokenLDAPMapAuthSource(t, "")
+
+	u := gitLDAPUsers[0]
+
+	session := loginUserWithPassword(t, u.UserName, u.Password)
+	req := NewRequest(t, "GET", "/user/settings")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+
+	assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))
+	assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))
+	assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text())
+}
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
@@ -274,7 +274,7 @@ func (ls *Source) mapLdapGroupsToTeams() map[string]map[string][]string {
 	err := json.Unmarshal([]byte(ls.TeamGroupMap), &ldapGroupsToTeams)
 	if err != nil {
 		log.Debug("Failed to unmarshall LDAP teams map: %v", err)
-		return nil
+		return ldapGroupsToTeams
 	}
 	return ldapGroupsToTeams
 }

Original file line number	Diff line number	Diff line change
`@@ -274,7 +274,7 @@ func (ls *Source) mapLdapGroupsToTeams() map[string]map[string][]string {`
`274`	`274`	`err := json.Unmarshal([]byte(ls.TeamGroupMap), &ldapGroupsToTeams)`
`275`	`275`	`if err != nil {`
`276`	`276`	`log.Debug("Failed to unmarshall LDAP teams map: %v", err)`
`277`		`- return nil`
	`277`	`+ return ldapGroupsToTeams`
`278`	`278`	`}`
`279`	`279`	`return ldapGroupsToTeams`
`280`	`280`	`}`