From 906189462c44bc4b4365a829b36d4d8d7f99cc76 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 4 May 2023 18:37:16 +0200 Subject: [PATCH] graph: Always allow updates to "local" groups when LDAP When GRAPH_LDAP_SERVER_WRITE_ENABLED=false still allow updates of groups if a distinct GRAPH_LDAP_GROUP_CREATE_BASE_DN is configured. Partial-Fix: #6219 --- services/graph/pkg/identity/ldap_group.go | 14 +++++--------- services/graph/pkg/identity/ldap_group_test.go | 4 ++++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/services/graph/pkg/identity/ldap_group.go b/services/graph/pkg/identity/ldap_group.go index d19b86e12c..f4c8e85062 100644 --- a/services/graph/pkg/identity/ldap_group.go +++ b/services/graph/pkg/identity/ldap_group.go @@ -177,7 +177,7 @@ func (i *LDAP) GetGroupMembers(ctx context.Context, groupID string, req *godata. func (i *LDAP) CreateGroup(ctx context.Context, group libregraph.Group) (*libregraph.Group, error) { logger := i.logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "ldap").Msg("create group") - if !i.writeEnabled { + if !i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN { return nil, errorcode.New(errorcode.NotAllowed, "server is configured read-only") } ar, err := i.groupToAddRequest(group) @@ -201,7 +201,7 @@ func (i *LDAP) CreateGroup(ctx context.Context, group libregraph.Group) (*libreg func (i *LDAP) DeleteGroup(ctx context.Context, id string) error { logger := i.logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "ldap").Msg("DeleteGroup") - if !i.writeEnabled { + if !i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN { return errorcode.New(errorcode.NotAllowed, "server is configured read-only") } 
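Review bot: The new guard `!i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN` compares the two base DNs as raw strings, so a case or whitespace difference between GRAPH_LDAP_GROUP_BASE_DN and GRAPH_LDAP_GROUP_CREATE_BASE_DN (`ou=groups,dc=test` vs `OU=Groups, DC=test`) makes them look distinct and unlocks group writes on a server that is configured read-only; LDAP DNs are case- and whitespace-insensitive, and isLDAPGroupReadOnly in the same file already goes through ldap.ParseDN for exactly that reason. The same expression is repeated in five methods of this patch, so I would move it into one helper that parses both DNs, compares them with `(*ldap.DN).Equal` (or `EqualFold` where the vendored go-ldap offers it) and fails closed on a parse error or an empty create base DN (unless the constructor, which is not visible here, already defaults an empty create base to the group base), and replace each guard with `if !i.groupWritesAllowed() {`. CreateGroup's body continues past the hunk.
```go
// groupWritesAllowed reports whether group modifications may proceed at all:
// either the backend is writable, or a distinct "local" subtree
// (groupCreateBaseDN) exists that this service manages even though the rest
// of the directory is read-only. DNs are compared structurally because LDAP
// DNs are case- and whitespace-insensitive; a mere spelling difference must
// not unlock writes. Parse errors and an empty create base fail closed.
func (i *LDAP) groupWritesAllowed() bool {
	if i.writeEnabled {
		return true
	}
	if i.groupCreateBaseDN == "" {
		return false
	}
	createDN, err := ldap.ParseDN(i.groupCreateBaseDN)
	if err != nil {
		return false
	}
	baseDN, err := ldap.ParseDN(i.groupBaseDN)
	if err != nil {
		return false
	}
	return !createDN.Equal(baseDN)
}

// … unchanged: CreateGroup up to its guard …
	if !i.groupWritesAllowed() {
		return nil, errorcode.New(errorcode.NotAllowed, "server is configured read-only")
	}
```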
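Review bot: DeleteGroup's guard no longer considers where the group identified by `id` lives, only the server-level configuration, so on a read-only server with a separate local subtree the only thing that can stop deletion of a directory-managed group is a per-entry isLDAPGroupReadOnly check after the lookup, which is outside this hunk. If that check is missing, GRAPH_LDAP_SERVER_WRITE_ENABLED=false with a distinct GROUP_CREATE_BASE_DN would let the graph API delete groups it is supposed to treat as read-only; the same applies to UpdateGroupName, AddMembersToGroup and RemoveMemberFromGroup, whose guards were relaxed identically. I would add (or confirm) right after the entry is resolved `if i.isLDAPGroupReadOnly(entry) { return errorcode.New(errorcode.NotAllowed, "group is read-only") }` and a test that deletes a group outside GroupCreateBaseDN with WriteEnabled=false and expects NotAllowed. DeleteGroup's body continues past the hunk.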
@@ -225,7 +225,7 @@ func (i *LDAP) DeleteGroup(ctx context.Context, id string) error { func (i *LDAP) UpdateGroupName(ctx context.Context, groupID string, groupName string) error { logger := i.logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "ldap").Msg("AddMembersToGroup") - if !i.writeEnabled { + if !i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN { return errorcode.New(errorcode.NotAllowed, "server is configured read-only") } @@ -271,7 +271,7 @@ func (i *LDAP) UpdateGroupName(ctx context.Context, groupID string, groupName st func (i *LDAP) AddMembersToGroup(ctx context.Context, groupID string, memberIDs []string) error { logger := i.logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "ldap").Msg("AddMembersToGroup") - if !i.writeEnabled { + if !i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN { return errorcode.New(errorcode.NotAllowed, "server is configured read-only") } ge, err := i.getLDAPGroupByNameOrID(groupID, true) @@ -365,7 +365,7 @@ func (i *LDAP) AddMembersToGroup(ctx context.Context, groupID string, memberIDs func (i *LDAP) RemoveMemberFromGroup(ctx context.Context, groupID string, memberID string) error { logger := i.logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "ldap").Msg("RemoveMemberFromGroup") - if !i.writeEnabled { + if !i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN { return errorcode.New(errorcode.NotAllowed, "server is configured read-only") } @@ -562,10 +562,6 @@ func (i *LDAP) createGroupModelFromLDAP(e *ldap.Entry) *libregraph.Group { } func (i *LDAP) isLDAPGroupReadOnly(e *ldap.Entry) bool { - if !i.writeEnabled { - return true - } - groupDN, err := ldap.ParseDN(e.DN) if err != nil { i.logger.Warn().Err(err).Str("dn", e.DN).Msg("Failed to parse DN") diff --git a/services/graph/pkg/identity/ldap_group_test.go b/services/graph/pkg/identity/ldap_group_test.go index f3557cb197..e823444c48 100644 --- a/services/graph/pkg/identity/ldap_group_test.go 
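Review bot: The debug line in UpdateGroupName still logs `Msg("AddMembersToGroup")`, a copy-paste leftover that becomes actively misleading now that write attempts against a read-only backend can succeed or fail depending on the target subtree and an operator will grep these messages to trace them; change it to `logger.Debug().Str("backend", "ldap").Msg("UpdateGroupName")`. The function body continues past the hunk.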
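Review bot: Dropping the `!i.writeEnabled` short-circuit changes what isLDAPGroupReadOnly reports on a fully read-only server: when GROUP_CREATE_BASE_DN equals GROUP_BASE_DN every group sits under the create base, so the function now returns false for all of them even though every mutating method rejects writes at its entry. Any caller that uses the result to mark a group as read-only (createGroupModelFromLDAP ends directly above this hunk and looks like a candidate, but its body is not visible) will advertise writable groups that cannot be changed. I would keep the configuration-level case inside the helper so it stays consistent with the method guards, `if !i.writeEnabled && i.groupCreateBaseDN == i.groupBaseDN { return true }` before the ParseDN call, and document the contract: `// isLDAPGroupReadOnly reports whether e must not be modified: the backend is read-only with no separate local subtree, or e lives outside groupCreateBaseDN.` If the parse-failure branch below does not already return true, it should, so an unparsable DN fails closed. The rest of the function is outside the hunk.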
+++ b/services/graph/pkg/identity/ldap_group_test.go @@ -161,6 +161,10 @@ func TestGetGroup(t *testing.T) { func TestGetGroupReadOnlyBackend(t *testing.T) { readOnlyConfig := lconfig readOnlyConfig.WriteEnabled = false + readOnlyConfig.GroupBaseDN = "ou=groups,dc=test" + readOnlyConfig.GroupCreateBaseDN = "ou=local,ou=group,dc=test" + localGroupEntry := groupEntry + localGroupEntry.DN = "cn=local,ou=local,o=base" lm := &mocks.Client{} lm.On("Search", groupLookupSearchRequest).Return(&ldap.SearchResult{Entries: []*ldap.Entry{groupEntry}}, nil)
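Review bot: `localGroupEntry := groupEntry` copies a pointer, not an entry — groupEntry is placed directly into `[]*ldap.Entry{groupEntry}` on the last line, so it is a *ldap.Entry — and the following `localGroupEntry.DN = "cn=local,ou=local,o=base"` rewrites the DN of the shared fixture for every test that uses groupEntry, including the mock set up in this very function. Copy the struct instead, `localGroupEntry := *groupEntry` followed by the DN assignment, and pass `&localGroupEntry` where the local entry is meant. The DNs also do not form the hierarchy the test presumably wants: GroupCreateBaseDN `ou=local,ou=group,dc=test` is not under GroupBaseDN `ou=groups,dc=test` (group vs groups) and the local entry's `cn=local,ou=local,o=base` is under neither, so if the intent is to exercise the "local group is writable" path the entry should sit under the create base, e.g. `cn=local,ou=local,ou=groups,dc=test` with GroupCreateBaseDN `ou=local,ou=groups,dc=test`. TestGetGroupReadOnlyBackend continues past the hunk.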