opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-09-22 07:53:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

LDAP: Always synchronize Server Admin role through role sync if role sync is enabled (#58820)

Browse Source 
fix a bug with role sync
This commit is contained in:
Ieva
2023-03-31 15:39:23 +01:00
committed by GitHub
parent c03bf7d8ad
commit 94cc93cc83
2 changed files with 43 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/services/ldap/ldap.go
View File

@ -456,6 +456,7 @@ func (server *Server) buildGrafanaUser(user *ldap.Entry) (*login.ExternalUserInf
return extUser, nil return extUser, nil
} }
isGrafanaAdmin := false
for _, group := range server.Config.Groups { for _, group := range server.Config.Groups {
// only use the first match for each org // only use the first match for each org
if extUser.OrgRoles[group.OrgId] != "" { if extUser.OrgRoles[group.OrgId] != "" {
@ -467,11 +468,12 @@ func (server *Server) buildGrafanaUser(user *ldap.Entry) (*login.ExternalUserInf
extUser.OrgRoles[group.OrgId] = group.OrgRole extUser.OrgRoles[group.OrgId] = group.OrgRole
} }
if extUser.IsGrafanaAdmin == nil || !*extUser.IsGrafanaAdmin { if !isGrafanaAdmin && (group.IsGrafanaAdmin != nil && *group.IsGrafanaAdmin) {
extUser.IsGrafanaAdmin = group.IsGrafanaAdmin isGrafanaAdmin = true
} }
} }
} }
extUser.IsGrafanaAdmin = &isGrafanaAdmin
// If there are group org mappings configured, but no matching mappings, // If there are group org mappings configured, but no matching mappings,
// the user will not be able to login and will be disabled // the user will not be able to login and will be disabled

40
pkg/services/ldap/ldap_test.go
View File

@ -243,6 +243,12 @@ func TestServer_Users(t *testing.T) {
{Name: "username", Values: []string{"groot"}}, {Name: "username", Values: []string{"groot"}},
{Name: "name", Values: []string{"I am Groot"}}, {Name: "name", Values: []string{"I am Groot"}},
}}}} }}}}
babyGrootDN := "dn=babygroot," + usersOU
babyGrootSearch := ldap.SearchResult{Entries: []*ldap.Entry{{DN: grootDN,
Attributes: []*ldap.EntryAttribute{
{Name: "username", Values: []string{"babygroot"}},
{Name: "name", Values: []string{"I am baby Groot"}},
}}}}
peterDN := "dn=peter," + usersOU peterDN := "dn=peter," + usersOU
peterSearch := ldap.SearchResult{Entries: []*ldap.Entry{{DN: peterDN, peterSearch := ldap.SearchResult{Entries: []*ldap.Entry{{DN: peterDN,
Attributes: []*ldap.EntryAttribute{ Attributes: []*ldap.EntryAttribute{
@ -256,6 +262,12 @@ func TestServer_Users(t *testing.T) {
{Name: "member", Values: []string{grootDN}}, {Name: "member", Values: []string{grootDN}},
}}}, }}},
} }
babyCreaturesDN := "dn=babycreatures," + groupsOU
babyGrootGroups := ldap.SearchResult{Entries: []*ldap.Entry{{DN: babyCreaturesDN,
Attributes: []*ldap.EntryAttribute{
{Name: "member", Values: []string{babyGrootDN}},
}}},
}
humansDN := "dn=humans," + groupsOU humansDN := "dn=humans," + groupsOU
peterGroups := ldap.SearchResult{Entries: []*ldap.Entry{{DN: humansDN, peterGroups := ldap.SearchResult{Entries: []*ldap.Entry{{DN: humansDN,
Attributes: []*ldap.EntryAttribute{ Attributes: []*ldap.EntryAttribute{
@ -269,6 +281,8 @@ func TestServer_Users(t *testing.T) {
switch request.Filter { switch request.Filter {
case "(|(username=groot))": case "(|(username=groot))":
return &grootSearch, nil return &grootSearch, nil
case "(|(username=babygroot))":
return &babyGrootSearch, nil
case "(|(username=peter))": case "(|(username=peter))":
return &peterSearch, nil return &peterSearch, nil
default: default:
@ -278,6 +292,8 @@ func TestServer_Users(t *testing.T) {
switch request.Filter { switch request.Filter {
case "(member=groot)": case "(member=groot)":
return &grootGroups, nil return &grootGroups, nil
case "(member=babygroot)":
return &babyGrootGroups, nil
case "(member=peter)": case "(member=peter)":
return &peterGroups, nil return &peterGroups, nil
default: default:
@ -288,6 +304,7 @@ func TestServer_Users(t *testing.T) {
} }
}) })
isGrafanaAdmin := true
cfg := setting.NewCfg() cfg := setting.NewCfg()
cfg.LDAPAuthEnabled = true cfg.LDAPAuthEnabled = true
@ -306,9 +323,14 @@ func TestServer_Users(t *testing.T) {
{ {
GroupDN: creaturesDN, GroupDN: creaturesDN,
OrgId: 2, OrgId: 2,
IsGrafanaAdmin: new(bool), IsGrafanaAdmin: &isGrafanaAdmin,
OrgRole: "Admin", OrgRole: "Admin",
}, },
{
GroupDN: babyCreaturesDN,
OrgId: 2,
OrgRole: "Editor",
},
}, },
}, },
Connection: conn, Connection: conn,
@ -347,6 +369,22 @@ func TestServer_Users(t *testing.T) {
require.True(t, mappingExist) require.True(t, mappingExist)
require.Equal(t, roletype.RoleAdmin, role) require.Equal(t, roletype.RoleAdmin, role)
require.False(t, res[0].IsDisabled) require.False(t, res[0].IsDisabled)
require.NotNil(t, res[0].IsGrafanaAdmin)
assert.True(t, *res[0].IsGrafanaAdmin)
})
t.Run("set Grafana Admin to false by default", func(t *testing.T) {
res, err := server.Users([]string{"babygroot"})
require.NoError(t, err)
require.Len(t, res, 1)
require.Equal(t, "I am baby Groot", res[0].Name)
require.ElementsMatch(t, res[0].Groups, []string{babyCreaturesDN})
require.Len(t, res[0].OrgRoles, 1)
role, mappingExist := res[0].OrgRoles[2]
require.True(t, mappingExist)
require.Equal(t, roletype.RoleEditor, role)
require.False(t, res[0].IsDisabled)
require.NotNil(t, res[0].IsGrafanaAdmin)
assert.False(t, *res[0].IsGrafanaAdmin)
}) })
}) })
} }