refactor

Author: wxiaoguang

cmd/admin_auth_ldap.go

@@ -98,14 +98,6 @@ var (
 			Name:  "avatar-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
 		},
-		cli.StringFlag{
-			Name:  "team-group-map",
-			Usage: "Map of LDAP groups to teams.",
-		},
-		cli.BoolFlag{
-			Name:  "team-group-map-removal",
-			Usage: "Force synchronization of mapped LDAP groups to teams.",
-		},
 	}
 
 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
@@ -268,14 +260,6 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("skip-local-2fa") {
 		config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
 	}
-	if c.IsSet("team-group-map") {
-		config.TeamGroupMapEnabled = c.Bool("team-group-map")
-		config.TeamGroupMap = c.String("team-group-map")
-	}
-	if c.IsSet("team-group-map-removal") {
-		config.TeamGroupMapRemoval = c.Bool("team-group-map-removal")
-	}
-
 	return nil
 }
 

integrations/auth_ldap_test.go

@@ -101,13 +101,11 @@ func getLDAPServerHost() string {
 }
 
 func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...string) {
-	teamGroupMapEnabled := "off"
-	teamGroupMapRemoval := "off"
-	teamGroupMap := ""
-	if len(groupMapParams) == 3 {
-		teamGroupMapEnabled = groupMapParams[0]
-		teamGroupMapRemoval = groupMapParams[1]
-		teamGroupMap = groupMapParams[2]
+	groupTeamMapRemoval := "off"
+	groupTeamMap := ""
+	if len(groupMapParams) == 2 {
+		groupTeamMapRemoval = groupMapParams[0]
+		groupTeamMap = groupMapParams[1]
 	}
 	session := loginUser(t, "user1")
 	csrf := GetCSRF(t, session, "/admin/auths/new")
@@ -130,12 +128,11 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...s
 		"attribute_ssh_public_key": sshKeyAttribute,
 		"is_sync_enabled":          "on",
 		"is_active":                "on",
-		"team_group_map_enabled":   teamGroupMapEnabled,
-		"team_group_map_removal":   teamGroupMapRemoval,
 		"group_dn":                 "ou=people,dc=planetexpress,dc=com",
 		"group_member_uid":         "member",
+		"group_team_map":           groupTeamMap,
+		"group_team_map_removal":   groupTeamMapRemoval,
 		"user_uid":                 "DN",
-		"team_group_map":           teamGroupMap,
 	})
 	session.MakeRequest(t, req, http.StatusFound)
 }
@@ -318,7 +315,7 @@ func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
 		return
 	}
 	defer prepareTestEnv(t)()
-	addAuthSourceLDAP(t, "", "on", "on", "{\"cn=ship_crew,ou=people,dc=planetexpress,dc=com\":{\"org26\": [\"team11\"]},\"cn=admin_staff,ou=people,dc=planetexpress,dc=com\": {\"non-existent\": [\"non-existent\"]}}")
+	addAuthSourceLDAP(t, "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
 	org, err := models.GetOrgByName("org26")
 	assert.NoError(t, err)
 	team, err := models.GetTeam(org.ID, "team11")
@@ -363,7 +360,7 @@ func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
 		return
 	}
 	defer prepareTestEnv(t)()
-	addAuthSourceLDAP(t, "", "on", "on", "{\"cn=dispatch,ou=people,dc=planetexpress,dc=com\": {\"org26\": [\"team11\"]}}")
+	addAuthSourceLDAP(t, "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
 	org, err := models.GetOrgByName("org26")
 	assert.NoError(t, err)
 	team, err := models.GetTeam(org.ID, "team11")
@@ -399,7 +396,7 @@ func TestBrokenLDAPMapUserSignin(t *testing.T) {
 		return
 	}
 	defer prepareTestEnv(t)()
-	addAuthSourceLDAP(t, "", "on", "on", "{\"NOT_A_VALID_JSON\"[\"MISSING_DOUBLE_POINT\"]}")
+	addAuthSourceLDAP(t, "", "on", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`)
 
 	u := gitLDAPUsers[0]
 

options/locale/locale_en-US.ini

@@ -2561,14 +2561,13 @@ auths.filter = User Filter
 auths.admin_filter = Admin Filter
 auths.restricted_filter = Restricted Filter
 auths.restricted_filter_helper = Leave empty to not set any users as restricted. Use an asterisk ('*') to set all users that do not match Admin Filter as restricted.
-auths.verify_group_membership = Verify group membership in LDAP
+auths.verify_group_membership = Verify group membership in LDAP (leave the filter empty to skip)
 auths.group_search_base = Group Search Base DN
-auths.valid_groups_filter = Valid Groups Filter
 auths.group_attribute_list_users = Group Attribute Containing List Of Users
 auths.user_attribute_in_group = User Attribute Listed In Group
-auths.team_group_map = Map LDAP groups to Organization teams
-auths.team_group_map_removal = Remove users from synchronized teams if user does not belong to corresponding LDAP group
-auths.team_group_map_enabled = Enable mapping LDAP groups to gitea organizations teams
+auths.map_group_to_team = Map LDAP groups to Organization teams (leave the filter empty to skip)
+auths.map_group_to_team_removal = Remove users from synchronized teams if user does not belong to corresponding LDAP group
+auths.enable_ldap_groups = Enable LDAP groups
 auths.ms_ad_sa = MS AD Search Attributes
 auths.smtp_auth = SMTP Authentication Type
 auths.smtphost = SMTP Host

routers/web/admin/auths.go

@@ -145,13 +145,12 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
 		GroupDN:               form.GroupDN,
 		GroupFilter:           form.GroupFilter,
 		GroupMemberUID:        form.GroupMemberUID,
+		GroupTeamMap:          form.GroupTeamMap,
+		GroupTeamMapRemoval:   form.GroupTeamMapRemoval,
 		UserUID:               form.UserUID,
 		AdminFilter:           form.AdminFilter,
 		RestrictedFilter:      form.RestrictedFilter,
 		AllowDeactivateAll:    form.AllowDeactivateAll,
-		TeamGroupMap:          form.TeamGroupMap,
-		TeamGroupMapRemoval:   form.TeamGroupMapRemoval,
-		TeamGroupMapEnabled:   form.TeamGroupMapEnabled,
 		Enabled:               true,
 		SkipLocalTwoFA:        form.SkipLocalTwoFA,
 	}

services/auth/source/ldap/source.go

@@ -52,11 +52,10 @@ type Source struct {
 	GroupDN               string // Group Search Base
 	GroupFilter           string // Group Name Filter
 	GroupMemberUID        string // Group Attribute containing array of UserUID
+	GroupTeamMap          string // Map LDAP groups to teams
+	GroupTeamMapRemoval   bool   // Remove user from teams which are synchronized and user is not a member of the corresponding LDAP group
 	UserUID               string // User Attribute listed in Group
 	SkipLocalTwoFA        bool   `json:",omitempty"` // Skip Local 2fa for users authenticated with this source
-	TeamGroupMap          string // Map LDAP groups to teams
-	TeamGroupMapRemoval   bool   // Remove user from teams which are synchronized and user is not a member of the corresponding LDAP group
-	TeamGroupMapEnabled   bool   // if LDAP groups mapping to gitea organizations teams is enabled
 
 	// reference to the authSource
 	authSource *auth.Source

services/auth/source/ldap/source_authenticate.go

@@ -60,7 +60,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 	}
 
 	if user != nil {
-		if source.TeamGroupMapEnabled || source.TeamGroupMapRemoval {
+		if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {
 			orgCache := make(map[string]*models.Organization)
 			teamCache := make(map[string]*models.Team)
 			source.SyncLdapGroupsToTeams(user, sr.LdapTeamAdd, sr.LdapTeamRemove, orgCache, teamCache)
@@ -106,7 +106,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 	if err == nil && len(source.AttributeAvatar) > 0 {
 		_ = user_service.UploadAvatar(user, sr.Avatar)
 	}
-	if source.TeamGroupMapEnabled || source.TeamGroupMapRemoval {
+	if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {
 		orgCache := make(map[string]*models.Organization)
 		teamCache := make(map[string]*models.Team)
 		source.SyncLdapGroupsToTeams(user, sr.LdapTeamAdd, sr.LdapTeamRemove, orgCache, teamCache)

services/auth/source/ldap/source_group_sync.go

@@ -13,7 +13,7 @@ import (
 // SyncLdapGroupsToTeams maps LDAP groups to organization and team memberships
 func (source *Source) SyncLdapGroupsToTeams(user *user_model.User, ldapTeamAdd, ldapTeamRemove map[string][]string, orgCache map[string]*models.Organization, teamCache map[string]*models.Team) {
 	var err error
-	if source.TeamGroupMapRemoval {
+	if source.GroupsEnabled && source.GroupTeamMapRemoval {
 		// when the user is not a member of configs LDAP group, remove mapped organizations/teams memberships
 		removeMappedMemberships(user, ldapTeamRemove, orgCache, teamCache)
 	}

services/auth/source/ldap/source_search.go

@@ -230,7 +230,7 @@ func (ls *Source) listLdapGroupMemberships(l *ldap.Conn, uid string) []string {
 // parse LDAP groups and return map of ldap groups to organizations teams
 func (ls *Source) mapLdapGroupsToTeams() map[string]map[string][]string {
 	ldapGroupsToTeams := make(map[string]map[string][]string)
-	err := json.Unmarshal([]byte(ls.TeamGroupMap), &ldapGroupsToTeams)
+	err := json.Unmarshal([]byte(ls.GroupTeamMap), &ldapGroupsToTeams)
 	if err != nil {
 		log.Error("Failed to unmarshall LDAP teams map: %v", err)
 		return ldapGroupsToTeams
@@ -447,7 +447,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 
 	teamsToAdd := make(map[string][]string)
 	teamsToRemove := make(map[string][]string)
-	if ls.TeamGroupMapEnabled || ls.TeamGroupMapRemoval {
+	if ls.GroupsEnabled && (ls.GroupTeamMap != "" || ls.GroupTeamMapRemoval) {
 		teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid)
 	}
 
@@ -526,7 +526,7 @@ func (ls *Source) SearchEntries() ([]*SearchResult, error) {
 	for i, v := range sr.Entries {
 		teamsToAdd := make(map[string][]string)
 		teamsToRemove := make(map[string][]string)
-		if ls.TeamGroupMapEnabled || ls.TeamGroupMapRemoval {
+		if ls.GroupsEnabled && (ls.GroupTeamMap != "" || ls.GroupTeamMapRemoval) {
 			userAttributeListedInGroup := v.GetAttributeValue(ls.UserUID)
 			if ls.UserUID == "dn" || ls.UserUID == "DN" {
 				userAttributeListedInGroup = v.DN

services/auth/source/ldap/source_sync.go

@@ -170,7 +170,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 			}
 		}
 		// Synchronize LDAP groups with organization and team memberships
-		if source.TeamGroupMapEnabled || source.TeamGroupMapRemoval {
+		if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {
 			source.SyncLdapGroupsToTeams(usr, su.LdapTeamAdd, su.LdapTeamRemove, orgCache, teamCache)
 		}
 	}

services/forms/auth_form.go

@@ -79,9 +79,8 @@ type AuthenticationForm struct {
 	SSPIStripDomainNames          bool
 	SSPISeparatorReplacement      string `binding:"AlphaDashDot;MaxSize(5)"`
 	SSPIDefaultLanguage           string
-	TeamGroupMap                  string
-	TeamGroupMapRemoval           bool
-	TeamGroupMapEnabled           bool
+	GroupTeamMap                  string
+	GroupTeamMapRemoval           bool
 }
 
 // Validate validates fields

templates/admin/auth/edit.tmpl

@@ -108,47 +108,43 @@
 						<label for="attribute_avatar">{{.i18n.Tr "admin.auths.attribute_avatar"}}</label>
 						<input id="attribute_avatar" name="attribute_avatar" value="{{$cfg.AttributeAvatar}}" placeholder="e.g. jpegPhoto">
 					</div>
+
+
+					<!-- ldap group begin -->
 					<div class="inline field">
 						<div class="ui checkbox">
-							<label for="team_group_map_enabled"><strong>{{.i18n.Tr "admin.auths.team_group_map_enabled"}}</strong></label>
-							<input id="team_group_map_enabled" name="team_group_map_enabled" type="checkbox" class="ldap-group-options" {{if $cfg.TeamGroupMapEnabled}}checked{{end}}>
+							<label><strong>{{.i18n.Tr "admin.auths.enable_ldap_groups"}}</strong></label>
+							<input type="checkbox" name="groups_enabled" class="js-ldap-group-toggle" {{if $cfg.GroupsEnabled}}checked{{end}}>
 						</div>
 					</div>
-					<div class="inline field">
-						<div class="ui checkbox">
-							<label for="team_group_map_removal"><strong>{{.i18n.Tr "admin.auths.team_group_map_removal"}}</strong></label>
-							<input id="team_group_map_removal" name="team_group_map_removal" type="checkbox" class="ldap-group-options" {{if $cfg.TeamGroupMapRemoval}}checked{{end}}>
+					<div id="ldap-group-options" class="ui segment secondary" {{if not $cfg.GroupsEnabled}}hidden{{end}}>
+						<div class="field">
+							<label>{{.i18n.Tr "admin.auths.group_search_base"}}</label>
+							<input name="group_dn" value="{{$cfg.GroupDN}}" placeholder="e.g. ou=group,dc=mydomain,dc=com">
 						</div>
-					</div>
-					<div class="inline field">
-						<div class="ui checkbox">
-							<label for="groups_enabled"><strong>{{.i18n.Tr "admin.auths.verify_group_membership"}}</strong></label>
-							<input id="groups_enabled" name="groups_enabled" type="checkbox" class="ldap-group-options" {{if $cfg.GroupsEnabled}}checked{{end}}>
+						<div class="field">
+							<label>{{.i18n.Tr "admin.auths.group_attribute_list_users"}}</label>
+							<input name="group_member_uid" value="{{$cfg.GroupMemberUID}}" placeholder="e.g. memberUid">
 						</div>
-					</div>
-					<div id="groups_enabled_change">
 						<div class="field">
-							<label for="group_dn">{{.i18n.Tr "admin.auths.group_search_base"}}</label>
-							<input id="group_dn" name="group_dn" value="{{$cfg.GroupDN}}" placeholder="e.g. ou=group,dc=mydomain,dc=com">
+							<label>{{.i18n.Tr "admin.auths.user_attribute_in_group"}}</label>
+							<input name="user_uid" value="{{$cfg.UserUID}}" placeholder="e.g. uid">
 						</div>
 						<div class="field">
-							<label for="group_member_uid">{{.i18n.Tr "admin.auths.group_attribute_list_users"}}</label>
-							<input id="group_member_uid" name="group_member_uid" value="{{$cfg.GroupMemberUID}}" placeholder="e.g. memberUid">
+							<label>{{.i18n.Tr "admin.auths.verify_group_membership"}}</label>
+							<input name="group_filter" value="{{$cfg.GroupFilter}}" placeholder="e.g. (|(cn=gitea_users)(cn=admins))">
 						</div>
 						<div class="field">
-							<label for="user_uid">{{.i18n.Tr "admin.auths.user_attribute_in_group"}}</label>
-							<input id="user_uid" name="user_uid" value="{{$cfg.UserUID}}" placeholder="e.g. uid">
+							<label>{{.i18n.Tr "admin.auths.map_group_to_team"}}</label>
+							<input name="group_team_map" value="{{$cfg.GroupTeamMap}}" placeholder='e.g. {"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}'>
+						</div>
+						<div class="ui checkbox">
+							<label>{{.i18n.Tr "admin.auths.map_group_to_team_removal"}}</label>
+							<input name="group_team_map_removal" type="checkbox" {{if $cfg.GroupTeamMapRemoval}}checked{{end}}>
 						</div>
-						<br/>
-					</div>
-					<div id="group_filter_field" class="field">
-						<label for="group_filter">{{.i18n.Tr "admin.auths.valid_groups_filter"}}</label>
-						<input id="group_filter" name="group_filter" value="{{$cfg.GroupFilter}}" placeholder="e.g. (|(cn=gitea_users)(cn=admins))">
-					</div>
-					<div id="team_group_map_field" class="field">
-						<label for="team_group_map">{{.i18n.Tr "admin.auths.team_group_map"}}</label>
-						<input id="team_group_map" name="team_group_map" value="{{$cfg.TeamGroupMap}}" placeholder='e.g. {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}'>
 					</div>
+					<!-- ldap group end -->
+
 					{{if .Source.IsLDAP}}
 						<div class="inline field">
 							<div class="ui checkbox">

templates/admin/auth/source/ldap.tmpl

@@ -79,47 +79,42 @@
 		<label for="attribute_avatar">{{.i18n.Tr "admin.auths.attribute_avatar"}}</label>
 		<input id="attribute_avatar" name="attribute_avatar" value="{{.attribute_avatar}}" placeholder="e.g. jpegPhoto">
 	</div>
+
+	<!-- ldap group begin -->
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label for="team_group_map_enabled"><strong>{{.i18n.Tr "admin.auths.team_group_map_enabled"}}</strong></label>
-			<input id="team_group_map_enabled" name="team_group_map_enabled" type="checkbox" class="ldap-group-options" {{if .team_group_map_enabled}}checked{{end}}>
+			<label><strong>{{.i18n.Tr "admin.auths.enable_ldap_groups"}}</strong></label>
+			<input type="checkbox" name="groups_enabled" class="js-ldap-group-toggle" {{if .groups_enabled}}checked{{end}}>
 		</div>
 	</div>
-	<div class="inline field">
-		<div class="ui checkbox">
-			<label for="team_group_map_removal"><strong>{{.i18n.Tr "admin.auths.team_group_map_removal"}}</strong></label>
-			<input id="team_group_map_removal" name="team_group_map_removal" type="checkbox" class="ldap-group-options" {{if .team_group_map_removal}}checked{{end}}>
+	<div id="ldap-group-options" class="ui segment secondary">
+		<div class="field">
+			<label>{{.i18n.Tr "admin.auths.group_search_base"}}</label>
+			<input name="group_dn" value="{{.group_dn}}" placeholder="e.g. ou=group,dc=mydomain,dc=com">
 		</div>
-	</div>
-	<div class="inline field">
-		<div class="ui checkbox">
-			<label for="groups_enabled"><strong>{{.i18n.Tr "admin.auths.verify_group_membership"}}</strong></label>
-			<input id="groups_enabled" name="groups_enabled" type="checkbox" class="ldap-group-options" {{if .groups_enabled}}checked{{end}}>
+		<div class="field">
+			<label>{{.i18n.Tr "admin.auths.group_attribute_list_users"}}</label>
+			<input name="group_member_uid" value="{{.group_member_uid}}" placeholder="e.g. memberUid">
 		</div>
-	</div>
-	<div id="groups_enabled_change">
 		<div class="field">
-			<label for="group_dn">{{.i18n.Tr "admin.auths.group_search_base"}}</label>
-			<input id="group_dn" name="group_dn" value="{{.group_dn}}" placeholder="e.g. ou=group,dc=mydomain,dc=com">
+			<label>{{.i18n.Tr "admin.auths.user_attribute_in_group"}}</label>
+			<input name="user_uid" value="{{.user_uid}}" placeholder="e.g. uid">
 		</div>
 		<div class="field">
-			<label for="group_member_uid">{{.i18n.Tr "admin.auths.group_attribute_list_users"}}</label>
-			<input id="group_member_uid" name="group_member_uid" value="{{.group_member_uid}}" placeholder="e.g. memberUid">
+			<label>{{.i18n.Tr "admin.auths.verify_group_membership"}}</label>
+			<input name="group_filter" value="{{.group_filter}}" placeholder="e.g. (|(cn=gitea_users)(cn=admins))">
 		</div>
 		<div class="field">
-			<label for="user_uid">{{.i18n.Tr "admin.auths.user_attribute_in_group"}}</label>
-			<input id="user_uid" name="user_uid" value="{{.user_uid}}" placeholder="e.g. uid">
+			<label>{{.i18n.Tr "admin.auths.map_group_to_team"}}</label>
+			<input name="group_team_map" value="{{.group_team_map}}" placeholder='e.g. {"cn=my-group,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}'>
+		</div>
+		<div class="ui checkbox">
+			<label>{{.i18n.Tr "admin.auths.map_group_to_team_removal"}}</label>
+			<input name="group_team_map_removal" type="checkbox" {{if .group_team_map_removal}}checked{{end}}>
 		</div>
-		<br/>
-	</div>
-	<div id="group_filter_field" class="field">
-		<label for="group_filter">{{.i18n.Tr "admin.auths.valid_groups_filter"}}</label>
-		<input id="group_filter" name="group_filter" value="{{.group_filter}}" placeholder="e.g. (|(cn=gitea_users)(cn=admins))">
-	</div>
-	<div id="team_group_map_field" class="field">
-		<label for="team_group_map">{{.i18n.Tr "admin.auths.team_group_map"}}</label>
-		<input id="team_group_map" name="team_group_map" value="{{.team_group_map}}" placeholder='e.g. {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]}}'>
 	</div>
+	<!-- ldap group end -->
+
 	<div class="ldap inline field {{if not (eq .type 2)}}hide{{end}}">
 		<div class="ui checkbox">
 			<label for="use_paged_search"><strong>{{.i18n.Tr "admin.auths.use_paged_search"}}</strong></label>