Unverified Commit 06866952 authored by Scott Bishel's avatar Scott Bishel Committed by GitHub

MM-16861: Support Guest Authentication via AD/LDAP (#12690)



* Add config settings for LDAPSettings GuestFilter

* make error unique

* Update model/config.go
Co-Authored-By: default avatarMartin Kraft <martin@upspin.org>

* add LdapSetting isempty_guest_attribute to diagnostics.go
parent c5dcd85b
......@@ -487,6 +487,7 @@ func (a *App) trackConfig() {
"isempty_group_filter": isDefault(*cfg.LdapSettings.GroupFilter, ""),
"isdefault_group_display_name_attribute": isDefault(*cfg.LdapSettings.GroupDisplayNameAttribute, model.LDAP_SETTINGS_DEFAULT_GROUP_DISPLAY_NAME_ATTRIBUTE),
"isdefault_group_id_attribute": isDefault(*cfg.LdapSettings.GroupIdAttribute, model.LDAP_SETTINGS_DEFAULT_GROUP_ID_ATTRIBUTE),
"isempty_guest_filter": isDefault(*cfg.LdapSettings.GuestFilter, ""),
})
a.SendDiagnostic(TRACK_CONFIG_COMPLIANCE, map[string]interface{}{
......
......@@ -3954,6 +3954,10 @@
"id": "ent.ldap.validate_filter.app_error",
"translation": "Invalid AD/LDAP Filter"
},
{
"id": "ent.ldap.validate_guest_filter.app_error",
"translation": "Invalid AD/LDAP Guest Filter"
},
{
"id": "ent.ldap_groups.group_search_error",
"translation": "error retrieving ldap group"
......
......@@ -1687,6 +1687,7 @@ type LdapSettings struct {
// Filtering
UserFilter *string
GroupFilter *string
GuestFilter *string
// Group Mapping
GroupDisplayNameAttribute *string
......@@ -1758,6 +1759,10 @@ func (s *LdapSettings) SetDefaults() {
s.UserFilter = NewString("")
}
if s.GuestFilter == nil {
s.GuestFilter = NewString("")
}
if s.GroupFilter == nil {
s.GroupFilter = NewString("")
}
......@@ -2784,6 +2789,12 @@ func (ls *LdapSettings) isValid() *AppError {
return NewAppError("ValidateFilter", "ent.ldap.validate_filter.app_error", nil, err.Error(), http.StatusBadRequest)
}
}
if *ls.GuestFilter != "" {
if _, err := ldap.CompileFilter(*ls.GuestFilter); err != nil {
return NewAppError("LdapSettings.isValid", "ent.ldap.validate_guest_filter.app_error", nil, err.Error(), http.StatusBadRequest)
}
}
}
return nil
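Review bot: The new `GuestFilter` field in `LdapSettings` has no comment, although the commit title suggests it decides which directory accounts are treated as guests, so a reader of the struct cannot tell what an empty or overly broad value means. I would add something like `// GuestFilter is an LDAP filter matching users who sign in as guests; "" leaves it unset.` above the field, after confirming the wording against the code that applies the filter, which is not part of this commit. In `isValid` the added check only compiles the filter for syntax with `ldap.CompileFilter`, and it dereferences `*ls.GuestFilter` directly, so it depends on `SetDefaults` having run first, as the test does. A one-line comment there saying `// syntax check only; assumes SetDefaults has populated GuestFilter` would make that precondition explicit. Both `SetDefaults` and `isValid` begin outside the hunks shown.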
......
......@@ -1018,6 +1018,105 @@ func TestLdapSettingsIsValid(t *testing.T) {
},
ExpectError: true,
},
{
Name: "valid guest filter #1",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("(property=value)"),
},
ExpectError: false,
},
{
Name: "invalid guest filter #1",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("("),
},
ExpectError: true,
},
{
Name: "invalid guest filter #2",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("()"),
},
ExpectError: true,
},
{
Name: "valid guest filter #2",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("(&(property=value)(otherthing=othervalue))"),
},
ExpectError: false,
},
{
Name: "valid guest filter #3",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("(&(property=value)(|(otherthing=othervalue)(other=thing)))"),
},
ExpectError: false,
},
{
Name: "invalid guest filter #3",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("(&(property=value)(|(otherthing=othervalue)(other=thing))"),
},
ExpectError: true,
},
{
Name: "invalid guest filter #4",
LdapSettings: LdapSettings{
Enable: NewBool(true),
LdapServer: NewString("server"),
BaseDN: NewString("basedn"),
EmailAttribute: NewString("email"),
UsernameAttribute: NewString("username"),
IdAttribute: NewString("id"),
LoginIdAttribute: NewString("loginid"),
GuestFilter: NewString("(&(property=value)((otherthing=othervalue)(other=thing)))"),
},
ExpectError: true,
},
} {
t.Run(test.Name, func(t *testing.T) {
test.LdapSettings.SetDefaults()
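Review bot: The seven added cases repeat the same `LdapSettings` literal and differ only in the `GuestFilter` string, which makes the table long and hides the one value under test. A small local helper that takes the filter string and returns the otherwise fixed settings would reduce each case to a name, a filter and `ExpectError`. The cases also exercise only an enabled configuration. The closing brace before `return nil` in `isValid` suggests the filter checks sit inside a conditional block, so a case with a malformed `GuestFilter` and `Enable: NewBool(false)` would pin down whether a bad filter is accepted while LDAP is off. `TestLdapSettingsIsValid` starts and ends outside this hunk.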
......