From 6a2d6d6989c092615f6773c78ee219a5ec9234b1 Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Tue, 18 Mar 2025 22:46:26 +0100
Subject: [PATCH 1/6] add flags for managing ldap groups

---
 cmd/admin_auth_ldap.go | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index aff2a1285541c..dc3589701f7d4 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -127,6 +127,30 @@ var (
 &cli.UintFlag{
 Name: "page-size",
 Usage: "Search page size.",
+ },
+ &cli.BoolFlag{
+ Name: "enable-groups",
+ Usage: "Enable LDAP groups",
+ },
+ &cli.StringFlag{
+ Name: "group-search-base",
+ Usage: "The LDAP base at which group accounts will be searched for.",
+ },
+ &cli.StringFlag{
+ Name: "group-member-uid",
+ Usage: "Group attribte containing list of users",
+ },
+ &cli.StringFlag{
+ Name: "group-user-attribute",
+ Usage: "User attribte listed in group",
+ },
+ &cli.StringFlag{
+ Name: "group-filter",
+ Usage: "Verify group membership in LDAP",
+ },
+ &cli.StringFlag{
+ Name: "group-team-map",
+ Usage: "Map LDAP groups to Organization teams",
 })
 
 ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
@@ -273,6 +297,24 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("skip-local-2fa") {
 config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
 }
+ if c.IsSet("enable-groups") {
+ config.GroupsEnabled = c.Bool("enable-groups")
+ }
+ if c.IsSet("group-search-base") {
+ config.GroupDN = c.String("group-search-base")
+ }
+ if c.IsSet("group-member-uid") {
+ config.GroupMemberUID = c.String("group-member-uid")
+ }
+ if c.IsSet("group-user-attribute") {
+ config.UserUID = c.String("group-user-attribute")
+ }
+ if c.IsSet("group-filter") {
+ config.GroupFilter = c.String("group-filter")
+ }
+ if c.IsSet("group-team-map") {
+ config.GroupTeamMap = c.String("group-team-map")
+ }
 return nil
 }
 

From 2c5d99079418d07d0c3083e614351797c8e9a9f1 Mon Sep 17 00:00:00 2001
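Review bot: The usage strings for `group-filter` and `group-team-map` do not tell the operator what kind of value is expected, and both are security-sensitive inputs: the first is evidently an LDAP search filter (the tests later in this series pass `(|(cn=gitea_users)(cn=admins))`) and the second a JSON document whose shape the test value shows as `{"<group dn>": {"<org>": ["<team>", ...]}}`. "Verify group membership in LDAP" describes neither the syntax nor the effect of `group-filter`. I would write `Usage: "LDAP filter applied to the group search, e.g. (|(cn=gitea_users)(cn=admins))"` and `Usage: "JSON mapping LDAP group DNs to organization teams: {\"<group dn>\": {\"<org>\": [\"<team>\", ...]}}"`, and say in the `group-search-base` help that the value is a DN. The enclosing `var (` block starts before and ends after this hunk.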
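Review bot: `config.GroupTeamMap` is stored straight from `c.String("group-team-map")` with no check that it is the JSON document the group sync later has to decode, so a typo in the map is only discovered when synchronization runs, and if the admin web form validates this field (upstream has a binding rule for it, if I recall correctly) the CLI path silently bypasses that check. A related gap is `--enable-groups` without `--group-search-base`: the source is saved with `GroupsEnabled` true and an empty `GroupDN`. I would decode the map into the shape the tests in this series use and fail the command at configuration time, which needs `encoding/json`, `errors` and `fmt` imported if the file does not already have them. parseLdapConfig starts before this hunk.
```go
	if c.IsSet("group-team-map") {
		config.GroupTeamMap = c.String("group-team-map")
		if config.GroupTeamMap != "" {
			// Reject a malformed map now rather than at the next LDAP sync.
			var teamMap map[string]map[string][]string
			if err := json.Unmarshal([]byte(config.GroupTeamMap), &teamMap); err != nil {
				return fmt.Errorf("invalid --group-team-map JSON: %w", err)
			}
		}
	}
	if config.GroupsEnabled && config.GroupDN == "" {
		return errors.New("--enable-groups requires --group-search-base")
	}
	return nil
```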
From: TheFox0x7
Date: Tue, 18 Mar 2025 22:57:28 +0100
Subject: [PATCH 2/6] add removal flag

---
 cmd/admin_auth_ldap.go | 7 +++++++
 cmd/admin_auth_ldap_test.go | 14 ++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index dc3589701f7d4..7cfd4f14f62ba 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -151,6 +151,10 @@ var (
 &cli.StringFlag{
 Name: "group-team-map",
 Usage: "Map LDAP groups to Organization teams",
+ },
+ &cli.BoolFlag{
+ Name: "group-users-remove",
+ Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
 })
 
 ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
@@ -315,6 +319,9 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("group-team-map") {
 config.GroupTeamMap = c.String("group-team-map")
 }
+ if c.IsSet("group-users-remove") {
+ config.GroupTeamMapRemoval = c.Bool("group-users-remove")
+ }
 return nil
 }
 
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 7791f3a9cc14b..b4bdc56e3d24e 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -51,6 +51,13 @@ func TestAddLdapBindDn(t *testing.T) {
 "--attributes-in-bind",
 "--synchronize-users",
 "--page-size", "99",
+ "--enable-groups", "true",
+ "--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
+ "--group-member-uid", "memberUid",
+ "--group-user-attribute", "uid",
+ "--group-filter", "(|(cn=gitea_user)(cn=admins))",
+ "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+ "--group-users-remove", "true",
 },
 source: &auth.Source{
 Type: auth.LDAP,
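Review bot: `group-users-remove` is the one destructive option in this flag set and its help text should say so: by its own description, a user the group search does not place in a mapped group is dropped from the synchronized teams, so a mistyped `--group-filter` or member attribute turns into a mass removal of team membership at the next sync (inferred from the usage text; confirm against the group-sync code). I would extend the usage to `Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group (destructive: verify the group filter and member attribute before enabling)"`. The enclosing `var (` block starts before and ends after this hunk.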
@@ -78,6 +85,13 @@ func TestAddLdapBindDn(t *testing.T) {
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
 RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 Enabled: true,
+ GroupsEnabled: true,
+ GroupDN: "ou=group,dc=full-domain-bind,dc=org",
+ GroupMemberUID: "memberUid",
+ UserUID: "uid",
+ GroupFilter: "(|(cn=gitea_users)(cn=admins))",
+ GroupTeamMap: `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+ GroupTeamMapRemoval: true,
 },
 },
 },

From 51c45c0989b763625ecd621dca269c05adfc3b2b Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Tue, 18 Mar 2025 23:39:38 +0100
Subject: [PATCH 3/6] fix tests and typo

---
 cmd/admin_auth_ldap.go | 4 ++--
 cmd/admin_auth_ldap_test.go | 18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 7cfd4f14f62ba..ec86ab0c201db 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -138,11 +138,11 @@ var (
 },
 &cli.StringFlag{
 Name: "group-member-uid",
- Usage: "Group attribte containing list of users",
+ Usage: "Group attribute containing list of users",
 },
 &cli.StringFlag{
 Name: "group-user-attribute",
- Usage: "User attribte listed in group",
+ Usage: "User attribute listed in group",
 },
 &cli.StringFlag{
 Name: "group-filter",
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index b4bdc56e3d24e..49ff4b27c6b6b 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -51,11 +51,11 @@ func TestAddLdapBindDn(t *testing.T) {
 "--attributes-in-bind",
 "--synchronize-users",
 "--page-size", "99",
- "--enable-groups", "true",
+ "--enable-groups",
 "--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
 "--group-member-uid", "memberUid",
 "--group-user-attribute", "uid",
- "--group-filter", "(|(cn=gitea_user)(cn=admins))",
+ "--group-filter", "(|(cn=gitea_users)(cn=admins))",
 "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
 "--group-users-remove", "true",
 },
@@ -524,6 +524,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
 "--bind-password", "secret-bind-full",
 "--synchronize-users",
 "--page-size", "99",
+ "--enable-groups",
+ "--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
+ "--group-member-uid", "memberUid",
+ "--group-user-attribute", "uid",
+ "--group-filter", "(|(cn=gitea_users)(cn=admins))",
+ "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+ "--group-users-remove", "true",
 },
 id: 23,
 existingAuthSource: &auth.Source{
@@ -559,6 +566,13 @@ func TestUpdateLdapBindDn(t *testing.T) {
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
 RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 Enabled: true,
+ GroupsEnabled: true,
+ GroupDN: "ou=group,dc=full-domain-bind,dc=org",
+ GroupMemberUID: "memberUid",
+ UserUID: "uid",
+ GroupFilter: "(|(cn=gitea_users)(cn=admins))",
+ GroupTeamMap: `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
+ GroupTeamMapRemoval: true,
 },
 },
 },

From 53bd12b19eade84e3bfe4ede27f41a4e3f348e01 Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Wed, 19 Mar 2025 09:09:24 +0100
Subject: [PATCH 4/6] fix flag usage

---
 cmd/admin_auth_ldap_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 49ff4b27c6b6b..5ff0df2338113 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -57,7 +57,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "--group-user-attribute", "uid",
 "--group-filter", "(|(cn=gitea_users)(cn=admins))",
 "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
- "--group-users-remove", "true",
+ "--group-users-remove",
 },
 source: &auth.Source{
 Type: auth.LDAP,
@@ -530,7 +530,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 "--group-user-attribute", "uid",
 "--group-filter", "(|(cn=gitea_users)(cn=admins))",
 "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
- "--group-users-remove", "true",
+ "--group-users-remove",
 },
 id: 23,
 existingAuthSource: &auth.Source{

From ed251bfffbdda7b9fc3149d48bbff11e3243aecd Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Wed, 19 Mar 2025 17:35:35 +0100
Subject: [PATCH 5/6] improve consistency

---
 cmd/admin_auth_ldap.go | 16 ++++++++--------
 cmd/admin_auth_ldap_test.go | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index ec86ab0c201db..388af551e81f8 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -133,11 +133,11 @@ var (
 Usage: "Enable LDAP groups",
 },
 &cli.StringFlag{
- Name: "group-search-base",
- Usage: "The LDAP base at which group accounts will be searched for.",
+ Name: "group-search-base-dn",
+ Usage: "The LDAP base DN at which group accounts will be searched for",
 },
 &cli.StringFlag{
- Name: "group-member-uid",
+ Name: "group-member-attribute",
 Usage: "Group attribute containing list of users",
 },
 &cli.StringFlag{
@@ -153,7 +153,7 @@ var (
 Usage: "Map LDAP groups to Organization teams",
 },
 &cli.BoolFlag{
- Name: "group-users-remove",
+ Name: "group-team-map-removal",
 Usage: "Remove users from synchronized teams if user does not belong to corresponding LDAP group",
 })
 
@@ -304,8 +304,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("enable-groups") {
 config.GroupsEnabled = c.Bool("enable-groups")
 }
- if c.IsSet("group-search-base") {
- config.GroupDN = c.String("group-search-base")
+ if c.IsSet("group-search-base-dn") {
+ config.GroupDN = c.String("group-search-base-dn")
 }
 if c.IsSet("group-member-uid") {
 config.GroupMemberUID = c.String("group-member-uid")
@@ -319,8 +319,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("group-team-map") {
 config.GroupTeamMap = c.String("group-team-map")
 }
- if c.IsSet("group-users-remove") {
- config.GroupTeamMapRemoval = c.Bool("group-users-remove")
+ if c.IsSet("group-team-map-removal") {
+ config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 }
 return nil
 }
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 5ff0df2338113..bab42226ae9c0 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -52,12 +52,12 @@ func TestAddLdapBindDn(t *testing.T) {
 "--synchronize-users",
 "--page-size", "99",
 "--enable-groups",
- "--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
- "--group-member-uid", "memberUid",
+ "--group-search-base-dn", "ou=group,dc=full-domain-bind,dc=org",
+ "--group-member-attribute", "memberUid",
 "--group-user-attribute", "uid",
 "--group-filter", "(|(cn=gitea_users)(cn=admins))",
 "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
- "--group-users-remove",
+ "--group-team-map-removal",
 },
 source: &auth.Source{
 Type: auth.LDAP,
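Review bot: The `c.IsSet("group-member-uid")` check kept as context in this hunk no longer matches any defined flag once this same patch renames the definition to `group-member-attribute`, so at this commit `--group-member-attribute memberUid` is, as far as I can tell, accepted by the parser and then silently dropped, leaving `GroupMemberUID` empty instead of raising an error. Patch 6/6 in the series repairs the lookup, so I would squash that fix into this commit rather than leave a revision in history where the flag is accepted but ignored. parseLdapConfig starts before and ends after this hunk.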
@@ -525,12 +525,12 @@ func TestUpdateLdapBindDn(t *testing.T) {
 "--synchronize-users",
 "--page-size", "99",
 "--enable-groups",
- "--group-search-base", "ou=group,dc=full-domain-bind,dc=org",
- "--group-member-uid", "memberUid",
+ "--group-search-base-dn", "ou=group,dc=full-domain-bind,dc=org",
+ "--group-member-attribute", "memberUid",
 "--group-user-attribute", "uid",
 "--group-filter", "(|(cn=gitea_users)(cn=admins))",
 "--group-team-map", `{"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}`,
- "--group-users-remove",
+ "--group-team-map-removal",
 },
 id: 23,
 existingAuthSource: &auth.Source{

From cc72d7a9c034b373594f9faf8e0783223a75a8ec Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Wed, 19 Mar 2025 18:00:57 +0100
Subject: [PATCH 6/6] fix missed rename

---
 cmd/admin_auth_ldap.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 388af551e81f8..274ec181d14cf 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -307,8 +307,8 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 if c.IsSet("group-search-base-dn") {
 config.GroupDN = c.String("group-search-base-dn")
 }
- if c.IsSet("group-member-uid") {
- config.GroupMemberUID = c.String("group-member-uid")
+ if c.IsSet("group-member-attribute") {
+ config.GroupMemberUID = c.String("group-member-attribute")
 }
 if c.IsSet("group-user-attribute") {
 config.UserUID = c.String("group-user-attribute")