fix(auth): posix group set with a dn

issue #1319
UPC · May 7, 2020 · 03dc27f · 03dc27f
1 parent 3efea1c
commit 03dc27f
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 14 deletions.
diff --git a/lib/Ravada/Auth/LDAP.pm b/lib/Ravada/Auth/LDAP.pm
@@ -367,17 +367,35 @@ sub add_to_group {
 
 =cut
 
+sub _search_posix_group($self, $name) {
+    my $base = 'ou=groups,'._dc_base();
+    my $field = 'cn';
+    if ($name =~ /(.*?)=(.*)/) {
+        $field = $1;
+        $name = $2;
+        if ($name =~ /(.*?),(.*)/) {
+            $name = $1;
+            $base = $2;
+        }
+    }
+    my @posix_group = search_user (
+        name => $name
+        ,base => $base
+        ,field => $field
+    );
+    warn "WARNING: found too many entries for posix_group $name"
+    .Dumper([map {$_->dn } @posix_group])
+        if (scalar @posix_group > 1);
+    return $posix_group[0];
+}
+
 sub login($self) {
     my $user_ok;
     my $allowed;
     my $posix_group_name = $$CONFIG->{ldap}->{ravada_posix_group};
 
     if ($posix_group_name) {
-        my ($posix_group) = search_user (
-              name => $posix_group_name
-            ,field => 'cn'
-            , base => 'ou=groups,'._dc_base()
-        );
+        my $posix_group = $self->_search_posix_group($posix_group_name);
         if (!$posix_group) {
             warn "Warning: posix group $posix_group_name not found";
             return;

diff --git a/t/65_user_ldap.t b/t/65_user_ldap.t
@@ -264,27 +264,40 @@ sub test_user_bind {
 
 }
 
-sub _init_config($file_config, $with_admin, $with_posix_group, $with_filter = 0) {
+sub _init_config(%arg) {
+    my $with_admin = delete $arg{with_admin};
+    my $with_filter = ( delete $arg{with_filter} or 0 );
+    my $file_config = delete $arg{file_config};
+    my $with_posix_group = delete $arg{with_posix_group};
+    my $with_dn_posix_group = delete $arg{with_dn_posix_group};
+    my $with_cn_posix_group = delete $arg{with_cn_posix_group};
+
+    confess "Error: unknown args ".Dumper(\%arg) if keys %arg;
+
+    my $ravada_posix_group = $RAVADA_POSIX_GROUP;
+    if ( $with_dn_posix_group ) {
+        my ($entry) = _search_ldap($ravada_posix_group);
+        $ravada_posix_group = $entry->dn;
+    } elsif ( $with_cn_posix_group ) {
+        $ravada_posix_group = "cn=$ravada_posix_group";
+    }
     if ( ! -e $file_config) {
         my $config = {
         ldap => {
             admin_user => { dn => $LDAP_USER , password => $LDAP_PASS }
             ,base => "dc=example,dc=com"
             ,admin_group => $ADMIN_GROUP
             ,auth => 'match'
-            ,ravada_posix_group => $RAVADA_POSIX_GROUP
+            ,ravada_posix_group => $ravada_posix_group
         }
         };
         DumpFile($file_config,$config);
     }
     my $config = LoadFile($file_config);
     delete $config->{ldap}->{admin_group}   if !$with_admin;
     if ($with_posix_group) {
-        if ( !exists $config->{ldap}->{ravada_posix_group}
-                || !$config->{ldap}->{ravada_posix_group}) {
-            $config->{ldap}->{ravada_posix_group} = $RAVADA_POSIX_GROUP;
-            diag("Adding ravada_posix_group = $RAVADA_POSIX_GROUP in $file_config");
-        }
+            $config->{ldap}->{ravada_posix_group} = $ravada_posix_group;
+            diag("Adding ravada_posix_group = $ravada_posix_group in $file_config");
     } else {
         delete $config->{ldap}->{ravada_posix_group};
     }
@@ -339,6 +352,13 @@ sub _add_posix_group {
     return $group[0];
 }
 
+sub _search_ldap($cn) {
+    my $ldap = Ravada::Auth::LDAP::_init_ldap_admin();
+    my $mesg = $ldap->search( filter => "cn=$cn" );
+    my @found = $mesg->entries;
+    return @found;
+}
+
 sub _add_to_posix_group($user_name, $with_posix_group) {
     my $group = _add_posix_group();
 
@@ -364,7 +384,7 @@ sub _add_to_posix_group($user_name, $with_posix_group) {
 
 sub test_filter {
     my $file_config = "t/etc/ravada_ldap.conf";
-    my $fly_config = _init_config($file_config, 0, 0, 1);
+    my $fly_config = _init_config(file_config => $file_config, with_filter =>  1);
     SKIP: {
         my $ravada;
         eval { $ravada = Ravada->new(config => $fly_config
@@ -528,7 +548,16 @@ SKIP: {
     my $file_config = "t/etc/ravada_ldap.conf";
     for my $with_posix_group (0,1) {
     for my $with_admin (0,1) {
-        my $fly_config = _init_config($file_config, $with_admin, $with_posix_group);
+    for my $with_dn_posix_group (0,1) {
+    next if !$with_posix_group;
+    for my $with_cn_posix_group (0,1) {
+        my $fly_config = _init_config(
+            file_config => $file_config
+            ,with_admin => $with_admin
+            ,with_posix_group => $with_posix_group
+            ,with_dn_posix_group => $with_dn_posix_group
+            ,with_cn_posix_group => $with_cn_posix_group
+        );
         my $ravada = Ravada->new(config => $fly_config
                         , connector => connector);
         $ravada->_install();
@@ -570,6 +599,8 @@ SKIP: {
         unlink($fly_config) if -e $fly_config;
     }
     }
+    }
+    }
 };
 
 end();