From 123f0aea00687d98893036e252efa7ff672b3ad5 Mon Sep 17 00:00:00 2001 From: zeripath Date: Mon, 27 Sep 2021 03:39:36 +0100 Subject: [PATCH] Allow LDAP Sources to provide Avatars (#16851) * Allow LDAP Sources to provide Avatars Add setting to LDAP source to allow it to provide an Avatar. Currently this is required to point to the image bytes. Fix #4144 Signed-off-by: Andrew Thornton * Rename as Avatar Attribute (drop JPEG) Signed-off-by: Andrew Thornton * Always synchronize avatar if there is change Signed-off-by: Andrew Thornton * Actually get the avatar from the ldap Signed-off-by: Andrew Thornton * clean-up Signed-off-by: Andrew Thornton * use len()>0 rather than != "" Signed-off-by: Andrew Thornton * slight shortcut in IsUploadAvatarChanged Signed-off-by: Andrew Thornton Co-authored-by: techknowlogick --- cmd/admin_auth_ldap.go | 7 +++++ cmd/admin_auth_ldap_test.go | 8 ++++++ docs/content/doc/usage/command-line.en-us.md | 4 +++ models/user_avatar.go | 9 +++++++ options/locale/locale_en-US.ini | 1 + routers/web/admin/auths.go | 1 + services/auth/source/ldap/source.go | 1 + .../auth/source/ldap/source_authenticate.go | 4 +++ services/auth/source/ldap/source_search.go | 27 +++++++++++++++---- services/auth/source/ldap/source_sync.go | 15 ++++++++++- services/forms/auth_form.go | 1 + templates/admin/auth/edit.tmpl | 4 +++ templates/admin/auth/source/ldap.tmpl | 4 +++ 13 files changed, 80 insertions(+), 6 deletions(-) diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go index e95e1d15c6..517904957f 100644 --- a/cmd/admin_auth_ldap.go +++ b/cmd/admin_auth_ldap.go @@ -93,6 +93,10 @@ var ( Name: "skip-local-2fa", Usage: "Set to true to skip local 2fa for users authenticated by this source", }, + cli.StringFlag{ + Name: "avatar-attribute", + Usage: "The attribute of the user’s LDAP record containing the user’s avatar.", + }, } ldapBindDnCLIFlags = append(commonLdapCLIFlags, @@ -234,6 +238,9 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error { if c.IsSet("public-ssh-key-attribute") { config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute") } + if c.IsSet("avatar-attribute") { + config.AttributeAvatar = c.String("avatar-attribute") + } if c.IsSet("page-size") { config.SearchPageSize = uint32(c.Uint("page-size")) } diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go index c26cbdaf39..db1ba13bcd 100644 --- a/cmd/admin_auth_ldap_test.go +++ b/cmd/admin_auth_ldap_test.go @@ -45,6 +45,7 @@ func TestAddLdapBindDn(t *testing.T) { "--surname-attribute", "sn-bind full", "--email-attribute", "mail-bind full", "--public-ssh-key-attribute", "publickey-bind full", + "--avatar-attribute", "avatar-bind full", "--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org", "--bind-password", "secret-bind-full", "--attributes-in-bind", @@ -71,6 +72,7 @@ func TestAddLdapBindDn(t *testing.T) { AttributeMail: "mail-bind full", AttributesInBind: true, AttributeSSHPublicKey: "publickey-bind full", + AttributeAvatar: "avatar-bind full", SearchPageSize: 99, Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)", AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)", @@ -269,6 +271,7 @@ func TestAddLdapSimpleAuth(t *testing.T) { "--surname-attribute", "sn-simple full", "--email-attribute", "mail-simple full", "--public-ssh-key-attribute", "publickey-simple full", + "--avatar-attribute", "avatar-simple full", "--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org", }, loginSource: &login.Source{ @@ -288,6 +291,7 @@ func TestAddLdapSimpleAuth(t *testing.T) { AttributeSurname: "sn-simple full", AttributeMail: "mail-simple full", AttributeSSHPublicKey: "publickey-simple full", + AttributeAvatar: "avatar-simple full", Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))", AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)", RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)", @@ -501,6 +505,7 @@ func TestUpdateLdapBindDn(t *testing.T) { "--surname-attribute", "sn-bind full", "--email-attribute", "mail-bind full", "--public-ssh-key-attribute", "publickey-bind full", + "--avatar-attribute", "avatar-bind full", "--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org", "--bind-password", "secret-bind-full", "--synchronize-users", @@ -534,6 +539,7 @@ func TestUpdateLdapBindDn(t *testing.T) { AttributeMail: "mail-bind full", AttributesInBind: false, AttributeSSHPublicKey: "publickey-bind full", + AttributeAvatar: "avatar-bind full", SearchPageSize: 99, Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)", AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)", @@ -932,6 +938,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { "--surname-attribute", "sn-simple full", "--email-attribute", "mail-simple full", "--public-ssh-key-attribute", "publickey-simple full", + "--avatar-attribute", "avatar-simple full", "--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org", }, id: 7, @@ -952,6 +959,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { AttributeSurname: "sn-simple full", AttributeMail: "mail-simple full", AttributeSSHPublicKey: "publickey-simple full", + AttributeAvatar: "avatar-simple full", Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))", AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)", RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)", diff --git a/docs/content/doc/usage/command-line.en-us.md b/docs/content/doc/usage/command-line.en-us.md index 0bc8d70fdb..b12400c57e 100644 --- a/docs/content/doc/usage/command-line.en-us.md +++ b/docs/content/doc/usage/command-line.en-us.md @@ -152,6 +152,7 @@ Admin operations: - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname. - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required. - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key. + - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar. - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user. - `--bind-password value`: The password for the Bind DN, if any. - `--attributes-in-bind`: Fetch attributes in bind DN context. @@ -177,6 +178,7 @@ Admin operations: - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname. - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key. + - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar. - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user. - `--bind-password value`: The password for the Bind DN, if any. - `--attributes-in-bind`: Fetch attributes in bind DN context. @@ -202,6 +204,7 @@ Admin operations: - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname. - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required. - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key. + - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar. - `--user-dn value`: The user’s DN. Required. - Examples: - `gitea admin auth add-ldap-simple --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-dn "cn=%s,ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(cn=%s))" --email-attribute mail` @@ -223,6 +226,7 @@ Admin operations: - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname. - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key. + - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar. - `--user-dn value`: The user’s DN. - Examples: - `gitea admin auth update-ldap-simple --id 1 --name "my ldap auth source"` diff --git a/models/user_avatar.go b/models/user_avatar.go index 65e59eb326..a7ca1c9151 100644 --- a/models/user_avatar.go +++ b/models/user_avatar.go @@ -153,6 +153,15 @@ func (u *User) UploadAvatar(data []byte) error { return sess.Commit() } +// IsUploadAvatarChanged returns true if the current user's avatar would be changed with the provided data +func (u *User) IsUploadAvatarChanged(data []byte) bool { + if !u.UseCustomAvatar || len(u.Avatar) == 0 { + return true + } + avatarID := fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", u.ID, md5.Sum(data))))) + return u.Avatar != avatarID +} + // DeleteAvatar deletes the user's custom avatar. func (u *User) DeleteAvatar() error { aPath := u.CustomAvatarRelativePath() diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini index 2ee0f5b566..3d43b99c31 100644 --- a/options/locale/locale_en-US.ini +++ b/options/locale/locale_en-US.ini @@ -2421,6 +2421,7 @@ auths.attribute_name = First Name Attribute auths.attribute_surname = Surname Attribute auths.attribute_mail = Email Attribute auths.attribute_ssh_public_key = Public SSH Key Attribute +auths.attribute_avatar = Avatar Attribute auths.attributes_in_bind = Fetch Attributes in Bind DN Context auths.allow_deactivate_all = Allow an empty search result to deactivate all users auths.use_paged_search = Use Paged Search diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index a394b4fdc2..803dcafa28 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -136,6 +136,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source { AttributeMail: form.AttributeMail, AttributesInBind: form.AttributesInBind, AttributeSSHPublicKey: form.AttributeSSHPublicKey, + AttributeAvatar: form.AttributeAvatar, SearchPageSize: pageSize, Filter: form.Filter, GroupsEnabled: form.GroupsEnabled, diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index 3d02be4dc9..3e751f512b 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -42,6 +42,7 @@ type Source struct { AttributeMail string // E-mail attribute AttributesInBind bool // fetch attributes in bind context (not user) AttributeSSHPublicKey string // LDAP SSH Public Key attribute + AttributeAvatar string SearchPageSize uint32 // Search with paging page size Filter string // Query filter to validate entry AdminFilter string // Query filter to check if user is admin diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go index f302a9d583..2719b5b715 100644 --- a/services/auth/source/ldap/source_authenticate.go +++ b/services/auth/source/ldap/source_authenticate.go @@ -96,6 +96,10 @@ func (source *Source) Authenticate(user *models.User, userName, password string) err = models.RewriteAllPublicKeys() } + if err == nil && len(source.AttributeAvatar) > 0 { + _ = user.UploadAvatar(sr.Avatar) + } + return user, err } diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go index 9fe2443768..1f1cca270d 100644 --- a/services/auth/source/ldap/source_search.go +++ b/services/auth/source/ldap/source_search.go @@ -27,6 +27,7 @@ type SearchResult struct { IsAdmin bool // if user is administrator IsRestricted bool // if user is restricted LowerName string // Lowername + Avatar []byte } func (ls *Source) sanitizedUserQuery(username string) (string, bool) { @@ -266,7 +267,8 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul return nil } - var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0 + isAttributeSSHPublicKeySet := len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0 + isAtributeAvatarSet := len(strings.TrimSpace(ls.AttributeAvatar)) > 0 attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail} if len(strings.TrimSpace(ls.UserUID)) > 0 { @@ -275,8 +277,11 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul if isAttributeSSHPublicKeySet { attribs = append(attribs, ls.AttributeSSHPublicKey) } + if isAtributeAvatarSet { + attribs = append(attribs, ls.AttributeAvatar) + } - log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, ls.UserUID, userFilter, userDN) + log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, ls.AttributeAvatar, ls.UserUID, userFilter, userDN) search := ldap.NewSearchRequest( userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter, attribs, nil) @@ -296,6 +301,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul } var sshPublicKey []string + var Avatar []byte username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername) firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName) @@ -363,6 +369,10 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul } } + if isAtributeAvatarSet { + Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar) + } + return &SearchResult{ LowerName: strings.ToLower(username), Username: username, @@ -372,6 +382,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul SSHPublicKey: sshPublicKey, IsAdmin: isAdmin, IsRestricted: isRestricted, + Avatar: Avatar, } } @@ -403,14 +414,18 @@ func (ls *Source) SearchEntries() ([]*SearchResult, error) { userFilter := fmt.Sprintf(ls.Filter, "*") - var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0 + isAttributeSSHPublicKeySet := len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0 + isAtributeAvatarSet := len(strings.TrimSpace(ls.AttributeAvatar)) > 0 attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail} if isAttributeSSHPublicKeySet { attribs = append(attribs, ls.AttributeSSHPublicKey) } + if isAtributeAvatarSet { + attribs = append(attribs, ls.AttributeAvatar) + } - log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, ls.UserBase) + log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, ls.AttributeAvatar, userFilter, ls.UserBase) search := ldap.NewSearchRequest( ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter, attribs, nil) @@ -442,8 +457,10 @@ func (ls *Source) SearchEntries() ([]*SearchResult, error) { if isAttributeSSHPublicKeySet { result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey) } + if isAtributeAvatarSet { + result[i].Avatar = v.GetRawAttributeValue(ls.AttributeAvatar) + } result[i].LowerName = strings.ToLower(result[i].Username) - } return result, nil diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go index f03e29f920..2df97aabd3 100644 --- a/services/auth/source/ldap/source_sync.go +++ b/services/auth/source/ldap/source_sync.go @@ -112,12 +112,18 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { if err != nil { log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.loginSource.Name, su.Username, err) - } else if isAttributeSSHPublicKeySet { + } + + if err == nil && isAttributeSSHPublicKeySet { log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.loginSource.Name, usr.Name) if models.AddPublicKeysBySource(usr, source.loginSource, su.SSHPublicKey) { sshKeysNeedUpdate = true } } + + if err == nil && len(source.AttributeAvatar) > 0 { + _ = usr.UploadAvatar(su.Avatar) + } } else if updateExisting { // Synchronize SSH Public Key if that attribute is set if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(usr, source.loginSource, su.SSHPublicKey) { @@ -150,6 +156,13 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.loginSource.Name, usr.Name, err) } } + + if usr.IsUploadAvatarChanged(su.Avatar) { + if err == nil && len(source.AttributeAvatar) > 0 { + _ = usr.UploadAvatar(su.Avatar) + } + + } } } diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go index 229728cf7d..2c6966d266 100644 --- a/services/forms/auth_form.go +++ b/services/forms/auth_form.go @@ -29,6 +29,7 @@ type AuthenticationForm struct { AttributeSurname string AttributeMail string AttributeSSHPublicKey string + AttributeAvatar string AttributesInBind bool UsePagedSearch bool SearchPageSize int diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl index 142c537b15..2f77e9bd80 100644 --- a/templates/admin/auth/edit.tmpl +++ b/templates/admin/auth/edit.tmpl @@ -104,6 +104,10 @@ +
+ + +
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl index b8018f5b54..b553502b94 100644 --- a/templates/admin/auth/source/ldap.tmpl +++ b/templates/admin/auth/source/ldap.tmpl @@ -76,6 +76,10 @@
+
+ + +