core: add groups to users

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-04-26 19:51:24 +02:00
parent fae4d34131
commit 2a122845d9
4 changed files with 27 additions and 7 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,4 +1,5 @@
 """User API Views"""
+from authentik.core.api.groups import GroupSerializer
 from django.http.response import Http404
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
@ -8,7 +9,7 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, JSONField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import BooleanField, ModelSerializer
+from rest_framework.serializers import BooleanField, ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
@ -29,6 +30,7 @@ class UserSerializer(ModelSerializer):
    is_superuser = BooleanField(read_only=True)
    avatar = CharField(read_only=True)
    attributes = JSONField(validators=[is_dict], required=False)
+    groups = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")

    class Meta:

@ -40,6 +42,7 @@ class UserSerializer(ModelSerializer):
            "is_active",
            "last_login",
            "is_superuser",
+            "groups",
            "email",
            "avatar",
            "attributes",
--- a/outpost/pkg/ldap/instance_search.go
+++ b/outpost/pkg/ldap/instance_search.go
@ -50,11 +50,8 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 				},
 			}
 			attrs = append(attrs, AKAttrsToLDAP(g.Attributes)...)
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "description", Values: []string{fmt.Sprintf("%s", g.Name)}})
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "gidNumber", Values: []string{fmt.Sprintf("%d", g.UnixID)}})
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "uniqueMember", Values: h.getGroupMembers(g.UnixID)})
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "memberUid", Values: h.getGroupMemberIDs(g.UnixID)})
-			dn := fmt.Sprintf("cn=%s,%s", *g.Name, pi.GroupDN)
+
+			dn := pi.GetGroupDN(g)
 			entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
 		}
 	case UserObjectClass, "":
@ -102,7 +99,7 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 				attrs = append(attrs, &ldap.EntryAttribute{Name: "superuser", Values: []string{"active"}})
 			}

-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: h.getGroupDNs(append(u.OtherGroups, u.PrimaryGroup))})
+			attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: pi.GroupsForUser(u)})

 			attrs = append(attrs, AKAttrsToLDAP(u.Attributes)...)

--- a/outpost/pkg/ldap/utils.go
+++ b/outpost/pkg/ldap/utils.go
@ -1,7 +1,10 @@
 package ldap

 import (
+	"fmt"
+
 	"github.com/nmcclain/ldap"
+	"goauthentik.io/outpost/pkg/models"
 )

 func AKAttrsToLDAP(attrs interface{}) []*ldap.EntryAttribute {
@ -18,3 +21,15 @@ func AKAttrsToLDAP(attrs interface{}) []*ldap.EntryAttribute {
 	}
 	return attrList
 }
+
+func (pi *ProviderInstance) GroupsForUser(user *models.User) []string {
+	groups := make([]string, len(user.Groups))
+	for i, group := range user.Groups {
+		groups[i] = pi.GetGroupDN(group)
+	}
+	return groups
+}
+
+func (pi *ProviderInstance) GetGroupDN(group *models.Group) string {
+	return fmt.Sprintf("cn=%s,%s", *group.Name, pi.GroupDN)
+}
--- a/swagger.yaml
+++ b/swagger.yaml
@ -15140,6 +15140,11 @@ definitions:
        title: Is superuser
        type: boolean
        readOnly: true
+      groups:
+        type: array
+        items:
+          $ref: '#/definitions/Group'
+        readOnly: true
      email:
        title: Email address
        type: string