feat(ldap): sync avatar from ldap
This commit is contained in:
parent
26c7ceaed4
commit
e12ebfebed
|
|
@ -775,6 +775,11 @@
|
||||||
"default_value": "(&(objectclass=*)(|(objectclass=group)(objectclass=groupOfNames)))",
|
"default_value": "(&(objectclass=*)(|(objectclass=group)(objectclass=groupOfNames)))",
|
||||||
"comment": "The filter to search for group objects in the ldap directory. Only used when `groupsyncenabled` is set to `true`."
|
"comment": "The filter to search for group objects in the ldap directory. Only used when `groupsyncenabled` is set to `true`."
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"key": "avatarsyncattribute",
|
||||||
|
"default_value": "",
|
||||||
|
"comment": "The LDAP attribute where an image, decoded as raw bytes, can be found. If provided, Vikunja will use the value as avatar."
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"key": "attribute",
|
"key": "attribute",
|
||||||
"default_value": "",
|
"default_value": "",
|
||||||
|
|
|
||||||
|
|
@ -90,6 +90,7 @@ const (
|
||||||
AuthLdapBindPassword Key = `auth.ldap.bindpassword`
|
AuthLdapBindPassword Key = `auth.ldap.bindpassword`
|
||||||
AuthLdapGroupSyncEnabled Key = `auth.ldap.groupsyncenabled`
|
AuthLdapGroupSyncEnabled Key = `auth.ldap.groupsyncenabled`
|
||||||
AuthLdapGroupSyncFilter Key = `auth.ldap.groupsyncfilter`
|
AuthLdapGroupSyncFilter Key = `auth.ldap.groupsyncfilter`
|
||||||
|
AuthLdapAvatarSyncAttribute Key = `auth.ldap.avatarsyncattribute`
|
||||||
AuthLdapAttributeUsername Key = `auth.ldap.attribute.username`
|
AuthLdapAttributeUsername Key = `auth.ldap.attribute.username`
|
||||||
AuthLdapAttributeEmail Key = `auth.ldap.attribute.email`
|
AuthLdapAttributeEmail Key = `auth.ldap.attribute.email`
|
||||||
AuthLdapAttributeDisplayname Key = `auth.ldap.attribute.displayname`
|
AuthLdapAttributeDisplayname Key = `auth.ldap.attribute.displayname`
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,7 @@
|
||||||
package ldap
|
package ldap
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
@ -27,6 +28,7 @@ import (
|
||||||
"code.vikunja.io/api/pkg/log"
|
"code.vikunja.io/api/pkg/log"
|
||||||
"code.vikunja.io/api/pkg/models"
|
"code.vikunja.io/api/pkg/models"
|
||||||
"code.vikunja.io/api/pkg/modules/auth"
|
"code.vikunja.io/api/pkg/modules/auth"
|
||||||
|
"code.vikunja.io/api/pkg/modules/avatar/upload"
|
||||||
"code.vikunja.io/api/pkg/user"
|
"code.vikunja.io/api/pkg/user"
|
||||||
|
|
||||||
"github.com/go-ldap/ldap/v3"
|
"github.com/go-ldap/ldap/v3"
|
||||||
|
|
@ -108,7 +110,7 @@ func sanitizedUserQuery(username string) (string, bool) {
|
||||||
return fmt.Sprintf(config.AuthLdapUserFilter.GetString(), username), true
|
return fmt.Sprintf(config.AuthLdapUserFilter.GetString(), username), true
|
||||||
}
|
}
|
||||||
|
|
||||||
func AuthenticateUserInLDAP(s *xorm.Session, username, password string, syncGroups bool) (u *user.User, err error) {
|
func AuthenticateUserInLDAP(s *xorm.Session, username, password string, syncGroups bool, avatarSyncAttribute string) (u *user.User, err error) {
|
||||||
if password == "" || username == "" {
|
if password == "" || username == "" {
|
||||||
return nil, user.ErrNoUsernamePassword{}
|
return nil, user.ErrNoUsernamePassword{}
|
||||||
}
|
}
|
||||||
|
|
@ -137,6 +139,7 @@ func AuthenticateUserInLDAP(s *xorm.Session, username, password string, syncGrou
|
||||||
config.AuthLdapAttributeUsername.GetString(),
|
config.AuthLdapAttributeUsername.GetString(),
|
||||||
config.AuthLdapAttributeEmail.GetString(),
|
config.AuthLdapAttributeEmail.GetString(),
|
||||||
config.AuthLdapAttributeDisplayname.GetString(),
|
config.AuthLdapAttributeDisplayname.GetString(),
|
||||||
|
"jpegPhoto",
|
||||||
},
|
},
|
||||||
nil,
|
nil,
|
||||||
)
|
)
|
||||||
|
|
@ -169,6 +172,15 @@ func AuthenticateUserInLDAP(s *xorm.Session, username, password string, syncGrou
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if avatarSyncAttribute != "" {
|
||||||
|
raw := sr.Entries[0].GetRawAttributeValue(avatarSyncAttribute)
|
||||||
|
u.AvatarProvider = "ldap"
|
||||||
|
err = upload.StoreAvatarFile(s, u, bytes.NewReader(raw))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !syncGroups {
|
if !syncGroups {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ func TestLdapLogin(t *testing.T) {
|
||||||
s := db.NewSession()
|
s := db.NewSession()
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
|
|
||||||
user, err := AuthenticateUserInLDAP(s, "professor", "professor", false)
|
user, err := AuthenticateUserInLDAP(s, "professor", "professor", false, "")
|
||||||
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
assert.Equal(t, "professor", user.Username)
|
assert.Equal(t, "professor", user.Username)
|
||||||
|
|
@ -58,7 +58,7 @@ func TestLdapLogin(t *testing.T) {
|
||||||
s := db.NewSession()
|
s := db.NewSession()
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
|
|
||||||
_, err := AuthenticateUserInLDAP(s, "professor", "wrongpassword", false)
|
_, err := AuthenticateUserInLDAP(s, "professor", "wrongpassword", false, "")
|
||||||
|
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
assert.True(t, user2.IsErrWrongUsernameOrPassword(err))
|
assert.True(t, user2.IsErrWrongUsernameOrPassword(err))
|
||||||
|
|
@ -69,7 +69,7 @@ func TestLdapLogin(t *testing.T) {
|
||||||
s := db.NewSession()
|
s := db.NewSession()
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
|
|
||||||
_, err := AuthenticateUserInLDAP(s, "gnome", "professor", false)
|
_, err := AuthenticateUserInLDAP(s, "gnome", "professor", false, "")
|
||||||
|
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
assert.True(t, user2.IsErrWrongUsernameOrPassword(err))
|
assert.True(t, user2.IsErrWrongUsernameOrPassword(err))
|
||||||
|
|
@ -80,7 +80,7 @@ func TestLdapLogin(t *testing.T) {
|
||||||
s := db.NewSession()
|
s := db.NewSession()
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
|
|
||||||
user, err := AuthenticateUserInLDAP(s, "professor", "professor", true)
|
user, err := AuthenticateUserInLDAP(s, "professor", "professor", true, "")
|
||||||
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
assert.Equal(t, "professor", user.Username)
|
assert.Equal(t, "professor", user.Username)
|
||||||
|
|
@ -99,4 +99,20 @@ func TestLdapLogin(t *testing.T) {
|
||||||
"external_id": "cn=git,ou=people,dc=planetexpress,dc=com",
|
"external_id": "cn=git,ou=people,dc=planetexpress,dc=com",
|
||||||
}, false)
|
}, false)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("should sync avatar when enabled", func(t *testing.T) {
|
||||||
|
db.LoadAndAssertFixtures(t)
|
||||||
|
s := db.NewSession()
|
||||||
|
defer s.Close()
|
||||||
|
|
||||||
|
user, err := AuthenticateUserInLDAP(s, "professor", "professor", false, "jpegPhoto")
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.Equal(t, "professor", user.Username)
|
||||||
|
db.AssertExists(t, "users", map[string]interface{}{
|
||||||
|
"username": "professor",
|
||||||
|
"issuer": "ldap",
|
||||||
|
"avatar_provider": "ldap",
|
||||||
|
}, false)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,30 @@
|
||||||
|
// Vikunja is a to-do list application to facilitate your life.
|
||||||
|
// Copyright 2018-present Vikunja and contributors. All rights reserved.
|
||||||
|
//
|
||||||
|
// This program is free software: you can redistribute it and/or modify
|
||||||
|
// it under the terms of the GNU Affero General Public Licensee as published by
|
||||||
|
// the Free Software Foundation, either version 3 of the License, or
|
||||||
|
// (at your option) any later version.
|
||||||
|
//
|
||||||
|
// This program is distributed in the hope that it will be useful,
|
||||||
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
// GNU Affero General Public Licensee for more details.
|
||||||
|
//
|
||||||
|
// You should have received a copy of the GNU Affero General Public Licensee
|
||||||
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
package ldap
|
||||||
|
|
||||||
|
import (
|
||||||
|
"code.vikunja.io/api/pkg/modules/avatar/upload"
|
||||||
|
"code.vikunja.io/api/pkg/user"
|
||||||
|
)
|
||||||
|
|
||||||
|
type Provider struct{}
|
||||||
|
|
||||||
|
func (p *Provider) GetAvatar(user *user.User, size int64) (avatar []byte, mimeType string, err error) {
|
||||||
|
up := upload.Provider{}
|
||||||
|
|
||||||
|
return up.GetAvatar(user, size)
|
||||||
|
}
|
||||||
|
|
@ -55,7 +55,7 @@ func Login(c echo.Context) (err error) {
|
||||||
|
|
||||||
var user *user2.User
|
var user *user2.User
|
||||||
if config.AuthLdapEnabled.GetBool() {
|
if config.AuthLdapEnabled.GetBool() {
|
||||||
user, err = ldap.AuthenticateUserInLDAP(s, u.Username, u.Password, config.AuthLdapGroupSyncEnabled.GetBool())
|
user, err = ldap.AuthenticateUserInLDAP(s, u.Username, u.Password, config.AuthLdapGroupSyncEnabled.GetBool(), config.AuthLdapAvatarSyncAttribute.GetString())
|
||||||
if err != nil && !user2.IsErrWrongUsernameOrPassword(err) {
|
if err != nil && !user2.IsErrWrongUsernameOrPassword(err) {
|
||||||
_ = s.Rollback()
|
_ = s.Rollback()
|
||||||
return handler.HandleHTTPError(err)
|
return handler.HandleHTTPError(err)
|
||||||
|
|
|
||||||
|
|
@ -550,7 +550,8 @@ func UpdateUser(s *xorm.Session, user *User, forceOverride bool) (updatedUser *U
|
||||||
user.AvatarProvider != "gravatar" &&
|
user.AvatarProvider != "gravatar" &&
|
||||||
user.AvatarProvider != "initials" &&
|
user.AvatarProvider != "initials" &&
|
||||||
user.AvatarProvider != "upload" &&
|
user.AvatarProvider != "upload" &&
|
||||||
user.AvatarProvider != "marble" {
|
user.AvatarProvider != "marble" &&
|
||||||
|
user.AvatarProvider != "ldap" {
|
||||||
return updatedUser, &ErrInvalidAvatarProvider{AvatarProvider: user.AvatarProvider}
|
return updatedUser, &ErrInvalidAvatarProvider{AvatarProvider: user.AvatarProvider}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue