fix(ldap): fixed issue with ldap group mappings to org roles sync, #1450

9bf9bb02 · Torkel Ödegaard · 5744c703 · 9bf9bb02 · 9bf9bb02
Commit 9bf9bb02 authored Jul 18, 2015 by Torkel Ödegaard
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 7 deletions

pkg/login/ldap.go
+12 -7

pkg/login/ldap_test.go
+20 -0

No files found.
--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -130,14 +130,17 @@ func (a *ldapAuther) syncOrgRoles(user *m.User, ldapUser *ldapUserInfo) error {
 		return err
 	}

-	// remove or update org roles
+	// update or remove org roles
 	for _, org := range orgsQuery.Result {
+		match := false
+
 		for _, group := range a.server.LdapGroups {
 			if org.OrgId != group.OrgId {
 				continue
 			}

 			if ldapUser.isMemberOf(group.GroupDN) {
+				match = true
 				if org.Role != group.OrgRole {
 					// update role
 					cmd := m.UpdateOrgUserCommand{OrgId: org.OrgId, UserId: user.Id, Role: group.OrgRole}
@@ -147,12 +150,14 @@ func (a *ldapAuther) syncOrgRoles(user *m.User, ldapUser *ldapUserInfo) error {
 				}
 				// ignore subsequent ldap group mapping matches
 				break
-			} else {
-				// remove role
-				cmd := m.RemoveOrgUserCommand{OrgId: org.OrgId, UserId: user.Id}
-				if err := bus.Dispatch(&cmd); err != nil {
-					return err
-				}
+			}
+		}
+
+		// remove role if no mappings match
+		if !match {
+			cmd := m.RemoveOrgUserCommand{OrgId: org.OrgId, UserId: user.Id}
+			if err := bus.Dispatch(&cmd); err != nil {
+				return err
 			}
 		}
 	}

--- a/pkg/login/ldap_test.go
+++ b/pkg/login/ldap_test.go
@@ -139,6 +139,26 @@ func TestLdapAuther(t *testing.T) {
 			})
 		})

+		ldapAutherScenario("given org role is updated in config", func(sc *scenarioContext) {
+			ldapAuther := NewLdapAuthenticator(&LdapServerConf{
+				LdapGroups: []*LdapGroupToOrgRole{
+					{GroupDN: "cn=admin", OrgId: 1, OrgRole: "Admin"},
+					{GroupDN: "cn=users", OrgId: 1, OrgRole: "Viewer"},
+				},
+			})
+
+			sc.userOrgsQueryReturns([]*m.UserOrgDTO{{OrgId: 1, Role: m.ROLE_EDITOR}})
+			err := ldapAuther.syncOrgRoles(&m.User{}, &ldapUserInfo{
+				MemberOf: []string{"cn=users"},
+			})
+
+			Convey("Should update org role", func() {
+				So(err, ShouldBeNil)
+				So(sc.removeOrgUserCmd, ShouldBeNil)
+				So(sc.updateOrgUserCmd, ShouldNotBeNil)
+			})
+		})
+
 		ldapAutherScenario("given multiple matching ldap groups", func(sc *scenarioContext) {
 			ldapAuther := NewLdapAuthenticator(&LdapServerConf{
 				LdapGroups: []*LdapGroupToOrgRole{