Adds basic group matching.

b25df027 · William Turner · e28f74f8 · b25df027 · e28f74f8 · b25df027
Commit b25df027 authored 7 years ago by William Turner
--- a/frontend/src/metabase/admin/settings/selectors.js
+++ b/frontend/src/metabase/admin/settings/selectors.js
@@ -229,7 +229,7 @@ const SECTIONS = [
            },
            {
                key: "ldap-group-sync",
-                display_name: "Synchronize groups",
+                display_name: "Synchronize group memberships",
                description: null,
                type: "boolean"
            },
@@ -238,6 +238,11 @@ const SECTIONS = [
                display_name: "Group search base",
                type: "string",
                required: true
+            },
+            {
+                key: "ldap-group-mappings",
+                display_name: "Group mappings",
+                type: "string"
            }
        ]
    },

--- a/resources/migrations/053_add_ldap_group_mapping_table.yaml
+++ b/resources/migrations/053_add_ldap_group_mapping_table.yaml
-databaseChangeLog:
-  - changeSet:
-      id: 53
-      author: wwwiiilll
-      changes:
-        - createTable:
-            tableName: permissions_group_ldap_mapping
-            columns:
-              - column:
-                  name: id
-                  type: int
-                  autoIncrement: true
-                  constraints:
-                    primaryKey: true
-                    nullable: false
-              - column:
-                  name: group_id
-                  type: int
-                  constraints:
-                    nullable: false
-                    references: permissions_group(id)
-                    foreignKeyName: fk_permissions_group_ldap_mapping_group_id
-              - column:
-                  name: ldap_dn
-                  type: varchar(255)
-                  constraints:
-                    nullable: false
-        - addUniqueConstraint:
-            tableName: permissions_group_ldap_mapping
-            columnNames: group_id, ldap_dn
-            constraintName: unique_permissions_group_ldap_mapping_group_id_ldap_dn
-        - createIndex:
-            tableName: permissions_group_ldap_mapping
-            indexName: idx_permissions_group_ldap_mapping_ldap_dn
-            columns:
-              column:
-                name: ldap_dn
--- a/src/metabase/api/session.clj
+++ b/src/metabase/api/session.clj
 (ns metabase.api.session
  "/api/session endpoints"
  (:require [clojure.tools.logging :as log]
+            [clojure.set :as set]
            [cemerick.friend.credentials :as creds]
            [cheshire.core :as json]
            [clj-http.client :as http]
@@ -11,7 +12,8 @@
            [metabase.api.common :refer :all]
            [metabase.email.messages :as email]
            [metabase.events :as events]
-            (metabase.models [user :refer [User], :as user]
+            (metabase.models [permissions-group :as group]
+                             [user :refer [User], :as user]
                             [session :refer [Session]]
                             [setting :refer [defsetting]])
            [metabase.integrations.ldap :as ldap]
@@ -32,11 +34,30 @@
      :user_id (:id user))
    (events/publish-event! :user-login {:user_id (:id user), :session_id <>, :first_login (not (boolean (:last_login user)))})))

+(defn- ldap-groups->mb-group-ids
+  [ldap-groups]
+  (-> (ldap/ldap-group-mappings)
+      (select-keys (map keyword ldap-groups))
+      (vals)
+      (flatten)
+      (set)))
+
 (defn- ldap-auth-fetch-or-create-user! [first-name last-name email password groups]
  (when-let [user (or (db/select-one [User :id :last_login] :email email)
                      (user/create-new-ldap-auth-user! first-name last-name email password))]
    (u/prog1 {:id (create-session! user)}
-      (user/set-password! (:id user) password))))
+      (user/set-password! (:id user) password)
+      (when (ldap/ldap-group-sync)
+        (let [special-ids #{(:id (group/admin)) (:id (group/all-users))}
+              current-ids (set (map :group_id (db/select ['PermissionsGroupMembership :group_id] :user_id (:id user))))
+              ldap-ids    (when-let [ids (seq (ldap-groups->mb-group-ids groups))]
+                            (set (map :id (db/select ['PermissionsGroup :id] :id [:in ids]))))
+              to-remove   (set/difference current-ids ldap-ids special-ids)
+              to-add      (set/difference ldap-ids current-ids)]
+          (when (seq to-remove)
+            (db/delete! 'PermissionsGroupMembership :group_id [:in to-remove], :user_id (:id user)))
+          (doseq [id to-add]
+            (db/insert! 'PermissionsGroupMembership :group_id id, :user_id (:id user))))))))

 ;;; ## API Endpoints


--- a/src/metabase/integrations/ldap.clj
+++ b/src/metabase/integrations/ldap.clj
@@ -49,12 +49,20 @@
  :default "sn")

 (defsetting ldap-group-sync
-  "Wether to synchronize group membership with LDAP."
+  "Enable group membership synchronization with LDAP."
  :type    :boolean
  :default false)

 (defsetting ldap-group-base
-  "Search base for groups. (Will be searched recursively)")
+  "Search base for groups. (Will be searched recursively if the LDAP server does not provide a 'memberOf' property)")
+
+
+(defsetting ldap-group-mappings
+  ;; Not too sure about this
+  ;; Should be in the form: {"cn=Some Group,dc=...": [1, 2, 3]} where keys are LDAP groups and values are lists of MB groups IDs
+  "JSON containing LDAP to Metabase group mappings."
+  :type    :json
+  :default {})

 (defn ldap-configured?
  "Check if LDAP is enabled and that the mandatory settings are configured."

--- a/src/metabase/models/permissions_group_ldap_mapping.clj
+++ b/src/metabase/models/permissions_group_ldap_mapping.clj
-(ns metabase.models.permissions-group-ldap-mapping
-  (:require [toucan.models :as models]))
-
-(models/defmodel PermissionsGroupLdapMapping :permissions_group_ldap_mapping)