afan
/
gitea
Прати 1
Волим 0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
gitea源码
3 Комити
2 Гране
Грана: master
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
gitea/tests/integration/auth_ldap_test.go

auth_ldap_test.go 18KB
Пермалинк Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"net/http"

  8. 	"os"

  9. 	"strings"

  10. 	"testing"

  11. 

  12. 	auth_model "code.gitea.io/gitea/models/auth"

  13. 	"code.gitea.io/gitea/models/db"

  14. 	"code.gitea.io/gitea/models/organization"

  15. 	"code.gitea.io/gitea/models/unittest"

  16. 	user_model "code.gitea.io/gitea/models/user"

  17. 	"code.gitea.io/gitea/modules/optional"

  18. 	"code.gitea.io/gitea/modules/structs"

  19. 	"code.gitea.io/gitea/modules/test"

  20. 	"code.gitea.io/gitea/modules/translation"

  21. 	"code.gitea.io/gitea/modules/util"

  22. 	"code.gitea.io/gitea/services/auth"

  23. 	"code.gitea.io/gitea/services/auth/source/ldap"

  24. 	org_service "code.gitea.io/gitea/services/org"

  25. 	"code.gitea.io/gitea/tests"

  26. 

  27. 	"github.com/stretchr/testify/assert"

  28. 	"github.com/stretchr/testify/require"

  29. )

  30. 

  31. type ldapUser struct {

  32. 	UserName     string

  33. 	Password     string

  34. 	FullName     string

  35. 	Email        string

  36. 	OtherEmails  []string

  37. 	IsAdmin      bool

  38. 	IsRestricted bool

  39. 	SSHKeys      []string

  40. }

  41. 

  42. type ldapTestEnv struct {

  43. 	gitLDAPUsers   []ldapUser

  44. 	otherLDAPUsers []ldapUser

  45. 	serverHost     string

  46. 	serverPort     string

  47. }

  48. 

  49. func prepareLdapTestEnv(t *testing.T) *ldapTestEnv {

  50. 	if os.Getenv("TEST_LDAP") != "1" {

  51. 		t.Skip()

  52. 		return nil

  53. 	}

  54. 

  55. 	gitLDAPUsers := []ldapUser{

  56. 		{

  57. 			UserName:    "professor",

  58. 			Password:    "professor",

  59. 			FullName:    "Hubert Farnsworth",

  60. 			Email:       "professor@planetexpress.com",

  61. 			OtherEmails: []string{"hubert@planetexpress.com"},

  62. 			IsAdmin:     true,

  63. 		},

  64. 		{

  65. 			UserName: "hermes",

  66. 			Password: "hermes",

  67. 			FullName: "Conrad Hermes",

  68. 			Email:    "hermes@planetexpress.com",

  69. 			SSHKeys: []string{

  70. 				"SHA256:qLY06smKfHoW/92yXySpnxFR10QFrLdRjf/GNPvwcW8",

  71. 				"SHA256:QlVTuM5OssDatqidn2ffY+Lc4YA5Fs78U+0KOHI51jQ",

  72. 				"SHA256:DXdeUKYOJCSSmClZuwrb60hUq7367j4fA+udNC3FdRI",

  73. 			},

  74. 			IsAdmin: true,

  75. 		},

  76. 		{

  77. 			UserName: "fry",

  78. 			Password: "fry",

  79. 			FullName: "Philip Fry",

  80. 			Email:    "fry@planetexpress.com",

  81. 		},

  82. 		{

  83. 			UserName:     "leela",

  84. 			Password:     "leela",

  85. 			FullName:     "Leela Turanga",

  86. 			Email:        "leela@planetexpress.com",

  87. 			IsRestricted: true,

  88. 		},

  89. 		{

  90. 			UserName: "bender",

  91. 			Password: "bender",

  92. 			FullName: "Bender Rodríguez",

  93. 			Email:    "bender@planetexpress.com",

  94. 		},

  95. 	}

  96. 

  97. 	otherLDAPUsers := []ldapUser{

  98. 		{

  99. 			UserName: "zoidberg",

  100. 			Password: "zoidberg",

  101. 			FullName: "John Zoidberg",

  102. 			Email:    "zoidberg@planetexpress.com",

  103. 		},

  104. 		{

  105. 			UserName: "amy",

  106. 			Password: "amy",

  107. 			FullName: "Amy Kroker",

  108. 			Email:    "amy@planetexpress.com",

  109. 		},

  110. 	}

  111. 

  112. 	return &ldapTestEnv{

  113. 		gitLDAPUsers:   gitLDAPUsers,

  114. 		otherLDAPUsers: otherLDAPUsers,

  115. 		serverHost:     util.IfZero(os.Getenv("TEST_LDAP_HOST"), "ldap"),

  116. 		serverPort:     util.IfZero(os.Getenv("TEST_LDAP_PORT"), "389"),

  117. 	}

  118. }

  119. 

  120. type ldapAuthOptions struct {

  121. 	attributeUID          optional.Option[string] // defaults to "uid"

  122. 	attributeSSHPublicKey string

  123. 	groupFilter           string

  124. 	groupTeamMap          string

  125. 	groupTeamMapRemoval   string

  126. }

  127. 

  128. func (te *ldapTestEnv) buildAuthSourcePayload(csrf string, opts ...ldapAuthOptions) map[string]string {

  129. 	opt := util.OptionalArg(opts)

  130. 	// Modify user filter to test group filter explicitly

  131. 	userFilter := "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))"

  132. 	if opt.groupFilter != "" {

  133. 		userFilter = "(&(objectClass=inetOrgPerson)(uid=%s))"

  134. 	}

  135. 

  136. 	return map[string]string{

  137. 		"_csrf":                    csrf,

  138. 		"type":                     "2",

  139. 		"name":                     "ldap",

  140. 		"host":                     te.serverHost,

  141. 		"port":                     te.serverPort,

  142. 		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",

  143. 		"bind_password":            "password",

  144. 		"user_base":                "ou=people,dc=planetexpress,dc=com",

  145. 		"filter":                   userFilter,

  146. 		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",

  147. 		"restricted_filter":        "(uid=leela)",

  148. 		"attribute_username":       util.Iif(opt.attributeUID.Has(), opt.attributeUID.Value(), "uid"),

  149. 		"attribute_name":           "givenName",

  150. 		"attribute_surname":        "sn",

  151. 		"attribute_mail":           "mail",

  152. 		"attribute_ssh_public_key": opt.attributeSSHPublicKey,

  153. 		"is_sync_enabled":          "on",

  154. 		"is_active":                "on",

  155. 		"groups_enabled":           "on",

  156. 		"group_dn":                 "ou=people,dc=planetexpress,dc=com",

  157. 		"group_member_uid":         "member",

  158. 		"group_filter":             opt.groupFilter,

  159. 		"group_team_map":           opt.groupTeamMap,

  160. 		"group_team_map_removal":   opt.groupTeamMapRemoval,

  161. 		"user_uid":                 "DN",

  162. 	}

  163. }

  164. 

  165. func (te *ldapTestEnv) addAuthSource(t *testing.T, opts ...ldapAuthOptions) {

  166. 	session := loginUser(t, "user1")

  167. 	csrf := GetUserCSRFToken(t, session)

  168. 	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", te.buildAuthSourcePayload(csrf, opts...))

  169. 	session.MakeRequest(t, req, http.StatusSeeOther)

  170. }

  171. 

  172. func TestLDAPUserSignin(t *testing.T) {

  173. 	te := prepareLdapTestEnv(t)

  174. 	if te == nil {

  175. 		return

  176. 	}

  177. 	defer tests.PrepareTestEnv(t)()

  178. 	te.addAuthSource(t)

  179. 

  180. 	u := te.gitLDAPUsers[0]

  181. 

  182. 	session := loginUserWithPassword(t, u.UserName, u.Password)

  183. 	req := NewRequest(t, "GET", "/user/settings")

  184. 	resp := session.MakeRequest(t, req, http.StatusOK)

  185. 

  186. 	htmlDoc := NewHTMLParser(t, resp.Body)

  187. 

  188. 	assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))

  189. 	assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))

  190. 	assert.Equal(t, u.Email, htmlDoc.Find("#signed-user-email").Text())

  191. }

  192. 

  193. func TestLDAPAuthChange(t *testing.T) {

  194. 	te := prepareLdapTestEnv(t)

  195. 	if te == nil {

  196. 		return

  197. 	}

  198. 

  199. 	defer tests.PrepareTestEnv(t)()

  200. 	te.addAuthSource(t)

  201. 

  202. 	session := loginUser(t, "user1")

  203. 	req := NewRequest(t, "GET", "/-/admin/auths")

  204. 	resp := session.MakeRequest(t, req, http.StatusOK)

  205. 	doc := NewHTMLParser(t, resp.Body)

  206. 	href, exists := doc.Find("table.table td a").Attr("href")

  207. 	if !exists {

  208. 		assert.True(t, exists, "No authentication source found")

  209. 		return

  210. 	}

  211. 

  212. 	req = NewRequest(t, "GET", href)

  213. 	resp = session.MakeRequest(t, req, http.StatusOK)

  214. 	doc = NewHTMLParser(t, resp.Body)

  215. 	csrf := doc.GetCSRF()

  216. 	host, _ := doc.Find(`input[name="host"]`).Attr("value")

  217. 	assert.Equal(t, te.serverHost, host)

  218. 	binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value")

  219. 	assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)

  220. 

  221. 	req = NewRequestWithValues(t, "POST", href, te.buildAuthSourcePayload(csrf, ldapAuthOptions{groupTeamMapRemoval: "off"}))

  222. 	session.MakeRequest(t, req, http.StatusSeeOther)

  223. 

  224. 	req = NewRequest(t, "GET", href)

  225. 	resp = session.MakeRequest(t, req, http.StatusOK)

  226. 	doc = NewHTMLParser(t, resp.Body)

  227. 	host, _ = doc.Find(`input[name="host"]`).Attr("value")

  228. 	assert.Equal(t, te.serverHost, host)

  229. 	binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value")

  230. 	assert.Equal(t, "uid=gitea,ou=service,dc=planetexpress,dc=com", binddn)

  231. }

  232. 

  233. func TestLDAPUserSync(t *testing.T) {

  234. 	te := prepareLdapTestEnv(t)

  235. 	if te == nil {

  236. 		return

  237. 	}

  238. 

  239. 	defer tests.PrepareTestEnv(t)()

  240. 	te.addAuthSource(t)

  241. 	err := auth.SyncExternalUsers(t.Context(), true)

  242. 	assert.NoError(t, err)

  243. 

  244. 	// Check if users exists

  245. 	for _, gitLDAPUser := range te.gitLDAPUsers {

  246. 		dbUser, err := user_model.GetUserByName(t.Context(), gitLDAPUser.UserName)

  247. 		assert.NoError(t, err)

  248. 		assert.Equal(t, gitLDAPUser.UserName, dbUser.Name)

  249. 		assert.Equal(t, gitLDAPUser.Email, dbUser.Email)

  250. 		assert.Equal(t, gitLDAPUser.IsAdmin, dbUser.IsAdmin)

  251. 		assert.Equal(t, gitLDAPUser.IsRestricted, dbUser.IsRestricted)

  252. 	}

  253. 

  254. 	// Check if no users exist

  255. 	for _, otherLDAPUser := range te.otherLDAPUsers {

  256. 		_, err := user_model.GetUserByName(t.Context(), otherLDAPUser.UserName)

  257. 		assert.True(t, user_model.IsErrUserNotExist(err))

  258. 	}

  259. }

  260. 

  261. func TestLDAPUserSyncWithEmptyUsernameAttribute(t *testing.T) {

  262. 	te := prepareLdapTestEnv(t)

  263. 	if te == nil {

  264. 		return

  265. 	}

  266. 

  267. 	defer tests.PrepareTestEnv(t)()

  268. 

  269. 	session := loginUser(t, "user1")

  270. 	csrf := GetUserCSRFToken(t, session)

  271. 	payload := te.buildAuthSourcePayload(csrf)

  272. 	payload["attribute_username"] = ""

  273. 	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", payload)

  274. 	session.MakeRequest(t, req, http.StatusSeeOther)

  275. 

  276. 	for _, u := range te.gitLDAPUsers {

  277. 		req := NewRequest(t, "GET", "/-/admin/users?q="+u.UserName)

  278. 		resp := session.MakeRequest(t, req, http.StatusOK)

  279. 

  280. 		htmlDoc := NewHTMLParser(t, resp.Body)

  281. 

  282. 		tr := htmlDoc.doc.Find("table.table tbody tr:not(.no-results-row)")

  283. 		assert.Equal(t, 0, tr.Length())

  284. 	}

  285. 

  286. 	for _, u := range te.gitLDAPUsers {

  287. 		req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{

  288. 			"_csrf":     csrf,

  289. 			"user_name": u.UserName,

  290. 			"password":  u.Password,

  291. 		})

  292. 		MakeRequest(t, req, http.StatusSeeOther)

  293. 	}

  294. 

  295. 	require.NoError(t, auth.SyncExternalUsers(t.Context(), true))

  296. 

  297. 	authSource := unittest.AssertExistsAndLoadBean(t, &auth_model.Source{

  298. 		Name: payload["name"],

  299. 	})

  300. 	unittest.AssertCount(t, &user_model.User{

  301. 		LoginType:   auth_model.LDAP,

  302. 		LoginSource: authSource.ID,

  303. 	}, len(te.gitLDAPUsers))

  304. 

  305. 	for _, u := range te.gitLDAPUsers {

  306. 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  307. 			Name: u.UserName,

  308. 		})

  309. 		assert.True(t, user.IsActive)

  310. 	}

  311. }

  312. 

  313. func TestLDAPUserSyncWithGroupFilter(t *testing.T) {

  314. 	te := prepareLdapTestEnv(t)

  315. 	if te == nil {

  316. 		return

  317. 	}

  318. 

  319. 	defer tests.PrepareTestEnv(t)()

  320. 	te.addAuthSource(t, ldapAuthOptions{groupFilter: "(cn=git)"})

  321. 

  322. 	// Assert a user not a member of the LDAP group "cn=git" cannot login

  323. 	// This test may look like TestLDAPUserSigninFailed but it is not.

  324. 	// The later test uses user filter containing group membership filter (memberOf)

  325. 	// This test is for the case when LDAP user records may not be linked with

  326. 	// all groups the user is a member of, the user filter is modified accordingly inside

  327. 	// the addAuthSourceLDAP based on the value of the groupFilter

  328. 	u := te.otherLDAPUsers[0]

  329. 	testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").TrString("form.username_password_incorrect"))

  330. 

  331. 	require.NoError(t, auth.SyncExternalUsers(t.Context(), true))

  332. 

  333. 	// Assert members of LDAP group "cn=git" are added

  334. 	for _, gitLDAPUser := range te.gitLDAPUsers {

  335. 		unittest.AssertExistsAndLoadBean(t, &user_model.User{

  336. 			Name: gitLDAPUser.UserName,

  337. 		})

  338. 	}

  339. 

  340. 	// Assert everyone else is not added

  341. 	for _, gitLDAPUser := range te.otherLDAPUsers {

  342. 		unittest.AssertNotExistsBean(t, &user_model.User{

  343. 			Name: gitLDAPUser.UserName,

  344. 		})

  345. 	}

  346. 

  347. 	ldapSource := unittest.AssertExistsAndLoadBean(t, &auth_model.Source{

  348. 		Name: "ldap",

  349. 	})

  350. 	ldapConfig := ldapSource.Cfg.(*ldap.Source)

  351. 	ldapConfig.GroupFilter = "(cn=ship_crew)"

  352. 	require.NoError(t, auth_model.UpdateSource(t.Context(), ldapSource))

  353. 

  354. 	require.NoError(t, auth.SyncExternalUsers(t.Context(), true))

  355. 

  356. 	for _, gitLDAPUser := range te.gitLDAPUsers {

  357. 		if gitLDAPUser.UserName == "fry" || gitLDAPUser.UserName == "leela" || gitLDAPUser.UserName == "bender" {

  358. 			// Assert members of the LDAP group "cn-ship_crew" are still active

  359. 			user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  360. 				Name: gitLDAPUser.UserName,

  361. 			})

  362. 			assert.True(t, user.IsActive, "User %s should be active", gitLDAPUser.UserName)

  363. 		} else {

  364. 			// Assert everyone else is inactive

  365. 			user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  366. 				Name: gitLDAPUser.UserName,

  367. 			})

  368. 			assert.False(t, user.IsActive, "User %s should be inactive", gitLDAPUser.UserName)

  369. 		}

  370. 	}

  371. }

  372. 

  373. func TestLDAPUserSigninFailed(t *testing.T) {

  374. 	te := prepareLdapTestEnv(t)

  375. 	if te == nil {

  376. 		return

  377. 	}

  378. 

  379. 	defer tests.PrepareTestEnv(t)()

  380. 	te.addAuthSource(t)

  381. 

  382. 	u := te.otherLDAPUsers[0]

  383. 	testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").TrString("form.username_password_incorrect"))

  384. }

  385. 

  386. func TestLDAPUserSSHKeySync(t *testing.T) {

  387. 	te := prepareLdapTestEnv(t)

  388. 	if te == nil {

  389. 		return

  390. 	}

  391. 

  392. 	defer tests.PrepareTestEnv(t)()

  393. 	te.addAuthSource(t, ldapAuthOptions{attributeSSHPublicKey: "sshPublicKey"})

  394. 

  395. 	require.NoError(t, auth.SyncExternalUsers(t.Context(), true))

  396. 

  397. 	// Check if users has SSH keys synced

  398. 	for _, u := range te.gitLDAPUsers {

  399. 		if len(u.SSHKeys) == 0 {

  400. 			continue

  401. 		}

  402. 		session := loginUserWithPassword(t, u.UserName, u.Password)

  403. 

  404. 		req := NewRequest(t, "GET", "/user/settings/keys")

  405. 		resp := session.MakeRequest(t, req, http.StatusOK)

  406. 

  407. 		htmlDoc := NewHTMLParser(t, resp.Body)

  408. 

  409. 		divs := htmlDoc.doc.Find("#keys-ssh .flex-item .flex-item-body:not(:last-child)")

  410. 

  411. 		syncedKeys := make([]string, divs.Length())

  412. 		for i := 0; i < divs.Length(); i++ {

  413. 			syncedKeys[i] = strings.TrimSpace(divs.Eq(i).Text())

  414. 		}

  415. 

  416. 		assert.ElementsMatch(t, u.SSHKeys, syncedKeys, "Unequal number of keys synchronized for user: %s", u.UserName)

  417. 	}

  418. }

  419. 

  420. func TestLDAPGroupTeamSyncAddMember(t *testing.T) {

  421. 	te := prepareLdapTestEnv(t)

  422. 	if te == nil {

  423. 		return

  424. 	}

  425. 

  426. 	defer tests.PrepareTestEnv(t)()

  427. 	te.addAuthSource(t, ldapAuthOptions{

  428. 		groupTeamMap:        `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`,

  429. 		groupTeamMapRemoval: "on",

  430. 	})

  431. 	org, err := organization.GetOrgByName(t.Context(), "org26")

  432. 	assert.NoError(t, err)

  433. 	team, err := organization.GetTeam(t.Context(), org.ID, "team11")

  434. 	assert.NoError(t, err)

  435. 	require.NoError(t, auth.SyncExternalUsers(t.Context(), true))

  436. 	for _, gitLDAPUser := range te.gitLDAPUsers {

  437. 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  438. 			Name: gitLDAPUser.UserName,

  439. 		})

  440. 		usersOrgs, err := db.Find[organization.Organization](t.Context(), organization.FindOrgOptions{

  441. 			UserID:            user.ID,

  442. 			IncludeVisibility: structs.VisibleTypePrivate,

  443. 		})

  444. 		assert.NoError(t, err)

  445. 		allOrgTeams, err := organization.GetUserOrgTeams(t.Context(), org.ID, user.ID)

  446. 		assert.NoError(t, err)

  447. 		if user.Name == "fry" || user.Name == "leela" || user.Name == "bender" {

  448. 			// assert members of LDAP group "cn=ship_crew" are added to mapped teams

  449. 			assert.Len(t, usersOrgs, 1, "User [%s] should be member of one organization", user.Name)

  450. 			assert.Equal(t, "org26", usersOrgs[0].Name, "Membership should be added to the right organization")

  451. 			isMember, err := organization.IsTeamMember(t.Context(), usersOrgs[0].ID, team.ID, user.ID)

  452. 			assert.NoError(t, err)

  453. 			assert.True(t, isMember, "Membership should be added to the right team")

  454. 			err = org_service.RemoveTeamMember(t.Context(), team, user)

  455. 			assert.NoError(t, err)

  456. 			err = org_service.RemoveOrgUser(t.Context(), usersOrgs[0], user)

  457. 			assert.NoError(t, err)

  458. 		} else {

  459. 			// assert members of LDAP group "cn=admin_staff" keep initial team membership since mapped team does not exist

  460. 			assert.Empty(t, usersOrgs, "User should be member of no organization")

  461. 			isMember, err := organization.IsTeamMember(t.Context(), org.ID, team.ID, user.ID)

  462. 			assert.NoError(t, err)

  463. 			assert.False(t, isMember, "User should no be added to this team")

  464. 			assert.Empty(t, allOrgTeams, "User should not be added to any team")

  465. 		}

  466. 	}

  467. }

  468. 

  469. func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {

  470. 	te := prepareLdapTestEnv(t)

  471. 	if te == nil {

  472. 		return

  473. 	}

  474. 	defer tests.PrepareTestEnv(t)()

  475. 	te.addAuthSource(t, ldapAuthOptions{

  476. 		groupTeamMap:        `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`,

  477. 		groupTeamMapRemoval: "on",

  478. 	})

  479. 	org, err := organization.GetOrgByName(t.Context(), "org26")

  480. 	assert.NoError(t, err)

  481. 	team, err := organization.GetTeam(t.Context(), org.ID, "team11")

  482. 	assert.NoError(t, err)

  483. 	loginUserWithPassword(t, te.gitLDAPUsers[0].UserName, te.gitLDAPUsers[0].Password)

  484. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{

  485. 		Name: te.gitLDAPUsers[0].UserName,

  486. 	})

  487. 	err = organization.AddOrgUser(t.Context(), org.ID, user.ID)

  488. 	assert.NoError(t, err)

  489. 	err = org_service.AddTeamMember(t.Context(), team, user)

  490. 	assert.NoError(t, err)

  491. 	isMember, err := organization.IsOrganizationMember(t.Context(), org.ID, user.ID)

  492. 	assert.NoError(t, err)

  493. 	assert.True(t, isMember, "User should be member of this organization")

  494. 	isMember, err = organization.IsTeamMember(t.Context(), org.ID, team.ID, user.ID)

  495. 	assert.NoError(t, err)

  496. 	assert.True(t, isMember, "User should be member of this team")

  497. 	// assert team member "professor" gets removed from org26 team11

  498. 	loginUserWithPassword(t, te.gitLDAPUsers[0].UserName, te.gitLDAPUsers[0].Password)

  499. 	isMember, err = organization.IsOrganizationMember(t.Context(), org.ID, user.ID)

  500. 	assert.NoError(t, err)

  501. 	assert.False(t, isMember, "User membership should have been removed from organization")

  502. 	isMember, err = organization.IsTeamMember(t.Context(), org.ID, team.ID, user.ID)

  503. 	assert.NoError(t, err)

  504. 	assert.False(t, isMember, "User membership should have been removed from team")

  505. }

  506. 

  507. func TestLDAPPreventInvalidGroupTeamMap(t *testing.T) {

  508. 	te := prepareLdapTestEnv(t)

  509. 	if te == nil {

  510. 		return

  511. 	}

  512. 	defer tests.PrepareTestEnv(t)()

  513. 

  514. 	session := loginUser(t, "user1")

  515. 	csrf := GetUserCSRFToken(t, session)

  516. 	payload := te.buildAuthSourcePayload(csrf, ldapAuthOptions{groupTeamMap: `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`, groupTeamMapRemoval: "off"})

  517. 	req := NewRequestWithValues(t, "POST", "/-/admin/auths/new", payload)

  518. 	session.MakeRequest(t, req, http.StatusOK) // StatusOK = failed, StatusSeeOther = ok

  519. }

  520. 

  521. func TestLDAPEmailSignin(t *testing.T) {

  522. 	te := ldapTestEnv{

  523. 		gitLDAPUsers: []ldapUser{

  524. 			{

  525. 				UserName: "u1",

  526. 				Password: "xx",

  527. 				FullName: "user 1",

  528. 				Email:    "u1@gitea.com",

  529. 			},

  530. 		},

  531. 		serverHost: "mock-host",

  532. 		serverPort: "mock-port",

  533. 	}

  534. 	defer test.MockVariableValue(&ldap.MockedSearchEntry, func(source *ldap.Source, name, passwd string, directBind bool) *ldap.SearchResult {

  535. 		var u *ldapUser

  536. 		for _, user := range te.gitLDAPUsers {

  537. 			if user.Email == name && user.Password == passwd {

  538. 				u = &user

  539. 				break

  540. 			}

  541. 		}

  542. 		if u == nil {

  543. 			return nil

  544. 		}

  545. 		result := &ldap.SearchResult{

  546. 			Username:  u.UserName,

  547. 			Mail:      u.Email,

  548. 			LowerName: strings.ToLower(u.UserName),

  549. 		}

  550. 		nameFields := strings.Split(u.FullName, " ")

  551. 		result.Name = nameFields[0]

  552. 		if len(nameFields) > 1 {

  553. 			result.Surname = nameFields[1]

  554. 		}

  555. 		return result

  556. 	})()

  557. 	defer tests.PrepareTestEnv(t)()

  558. 	te.addAuthSource(t)

  559. 

  560. 	u := te.gitLDAPUsers[0]

  561. 

  562. 	session := loginUserWithPassword(t, u.Email, u.Password)

  563. 	req := NewRequest(t, "GET", "/user/settings")

  564. 	resp := session.MakeRequest(t, req, http.StatusOK)

  565. 

  566. 	htmlDoc := NewHTMLParser(t, resp.Body)

  567. 

  568. 	assert.Equal(t, u.UserName, htmlDoc.GetInputValueByName("name"))

  569. 	assert.Equal(t, u.FullName, htmlDoc.GetInputValueByName("full_name"))

  570. 	assert.Equal(t, u.Email, htmlDoc.Find("#signed-user-email").Text())

  571. }