zerver: Implement ldap group synchronization.

Fixes #9957. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2023-07-15 22:25:36 +02:00 · 2023-07-15 22:25:36 +02:00 · b6a25840a1
parent 2bfbbf0035
commit b6a25840a1
6 changed files with 309 additions and 0 deletions
--- a/docs/production/authentication-methods.md
+++ b/docs/production/authentication-methods.md
@ -184,6 +184,7 @@ All of these data synchronization options have the same model:
  Zulip server with
  `/home/zulip/deployments/current/scripts/restart-server` so that
  your configuration changes take effect.
+- Logs are available in `/var/log/zulip/ldap.log`.

 When using this feature, you may also want to
 [prevent users from changing their display name in the Zulip UI][restrict-name-changes],
@ -212,6 +213,61 @@ corresponding LDAP attribute is `linkedinProfile` then you just need
 to add `'custom_profile_field__linkedin_profile': 'linkedinProfile'`
 to the `AUTH_LDAP_USER_ATTR_MAP`.

+#### Synchronizing groups
+
+Zulip supports syncing [Zulip groups][zulip-groups] with LDAP
+groups. To configure this feature:
+
+1. Review the [django-auth-ldap
+   documentation](https://django-auth-ldap.readthedocs.io/en/latest/groups.html)
+   to determine which of its supported group type configurations
+   matches how your LDAP directory stores groups.
+
+1. Set `AUTH_LDAP_GROUP_TYPE` to the appropriate class instance for
+   that LDAP group type:
+
+   ```python
+   from django_auth_ldap.config import ActiveDirectoryGroupType
+   AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
+   ```
+
+   The default is `GroupOfUniqueNamesType`.
+
+1. Configure `AUTH_LDAP_GROUP_SEARCH` to specify how to find groups in
+   your LDAP directory:
+
+   ```python
+   AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+       "ou=groups,dc=www,dc=example,dc=com", ldap.SCOPE_SUBTREE,
+       "(objectClass=groupOfUniqueNames)"
+   )
+   ```
+
+1. Configure which LDAP groups you want to sync into
+   Zulip. `LDAP_SYNCHRONIZED_GROUPS_BY_REALM` is a map where the keys
+   are subdomains of the realms being configured (use `""` for the
+   root domain), and the value corresponding to the key being a list
+   the names of groups to sync:
+
+   ```python
+   LDAP_SYNCHRONIZED_GROUPS_BY_REALM = {
+     "subdomain1" : [
+         "group1",
+         "group2",
+     ]
+   }
+   ```
+
+   In this example configuration, for the Zulip realm with subdomain
+   `subdomain1`, user membership in the Zulip groups named `group1`
+   and `group2` will match their membership in LDAP groups with those
+   names.
+
+1. Test your configuration and restart the server into the new
+   configuration as [documented above](#synchronizing-data).
+
+[zulip-groups]: https://zulip.com/help/user-groups
+
 #### Synchronizing email addresses

 User accounts in Zulip are uniquely identified by their email address,
--- a/zerver/tests/fixtures/ldap/directory.json
+++ b/zerver/tests/fixtures/ldap/directory.json
@ -77,5 +77,24 @@
        "uid": ["user2_with_shared_email"],
        "sn": ["shortname"],
        "mail": ["shared_email@zulip.com"]
+    },
+
+    "ou=groups,dc=zulip,dc=com": {
+        "ou": "groups"
+    },
+    "cn=cool_test_group,ou=groups,dc=zulip,dc=com": {
+        "objectClass": ["groupOfUniqueNames"],
+        "cn": ["cool_test_group"],
+        "uniqueMember": [
+            "uid=hamlet,ou=users,dc=zulip,dc=com"
+        ]
+    },
+    "cn=another_test_group,ou=groups,dc=zulip,dc=com": {
+        "objectClass": ["groupOfUniqueNames"],
+        "cn": ["another_test_group"],
+        "uniqueMember": [
+            "uid=hamlet,ou=users,dc=zulip,dc=com",
+            "uid=cordelia,ou=users,dc=zulip,dc=com"
+        ]
    }
 }
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@ -63,6 +63,10 @@ from zerver.actions.realm_settings import (
    do_set_realm_authentication_methods,
    do_set_realm_property,
 )
+from zerver.actions.user_groups import (
+    bulk_add_members_to_user_groups,
+    create_user_group_in_database,
+)
 from zerver.actions.user_settings import do_change_password, do_change_user_setting
 from zerver.actions.users import change_user_is_active, do_deactivate_user
 from zerver.lib.avatar import avatar_url
@ -89,6 +93,7 @@ from zerver.lib.test_helpers import (
 )
 from zerver.lib.types import Validator
 from zerver.lib.upload.base import DEFAULT_AVATAR_SIZE, MEDIUM_AVATAR_SIZE, resize_avatar
+from zerver.lib.user_groups import is_user_in_group
 from zerver.lib.users import get_all_api_keys, get_api_key, get_raw_user_data
 from zerver.lib.utils import assert_is_not_none
 from zerver.lib.validator import (
@ -109,6 +114,7 @@ from zerver.models import (
    Realm,
    RealmDomain,
    Stream,
+    UserGroup,
    UserProfile,
    clear_supported_auth_backends_cache,
    get_realm,
@ -7248,5 +7254,136 @@ class JWTFetchAPIKeyTest(ZulipTestCase):
            self.assert_json_error_contains(result, "Invalid subdomain", 404)


+class LDAPGroupSyncTest(ZulipTestCase):
+    @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
+    def test_ldap_group_sync(self) -> None:
+        self.init_default_ldap_database()
+
+        hamlet = self.example_user("hamlet")
+        with self.settings(LDAP_APPEND_DOMAIN="zulip.com"):
+            result = sync_user_from_ldap(hamlet, mock.Mock())
+            self.assertTrue(result)
+        self.assertTrue(hamlet.is_active)
+
+        realm = get_realm("zulip")
+
+        with self.settings(
+            AUTH_LDAP_GROUP_SEARCH=LDAPSearch(
+                "ou=groups,dc=zulip,dc=com",
+                ldap.SCOPE_ONELEVEL,
+                "(objectClass=groupOfUniqueNames)",
+            ),
+            LDAP_SYNCHRONIZED_GROUPS_BY_REALM={
+                "zulip": [
+                    "cool_test_group",
+                ]
+            },
+            LDAP_APPEND_DOMAIN="zulip.com",
+        ), self.assertLogs("zulip.ldap", "DEBUG") as zulip_ldap_log:
+            self.assertFalse(UserGroup.objects.filter(realm=realm, name="cool_test_group").exists())
+
+            create_user_group_in_database(
+                "cool_test_group", [], realm, acting_user=None, description="Created by LDAP sync"
+            )
+
+            self.assertTrue(UserGroup.objects.filter(realm=realm, name="cool_test_group").exists())
+
+            user_group = UserGroup.objects.get(realm=realm, name="cool_test_group")
+
+            self.assertFalse(
+                is_user_in_group(
+                    user_group,
+                    hamlet,
+                    direct_member_only=True,
+                )
+            )
+
+            sync_user_from_ldap(hamlet, mock.Mock())
+            self.assertTrue(
+                is_user_in_group(
+                    user_group,
+                    hamlet,
+                    direct_member_only=True,
+                )
+            )
+
+            # Add a user to a Zulip group that they are not member of in ldap.
+            # This implies that they should be deleted from the Zulip group
+            # upon the next sync.
+            cordelia = self.example_user("cordelia")
+            bulk_add_members_to_user_groups(
+                [user_group],
+                [cordelia.id],
+                acting_user=None,
+            )
+
+            self.assertTrue(
+                is_user_in_group(
+                    UserGroup.objects.get(realm=realm, name="cool_test_group"),
+                    cordelia,
+                    direct_member_only=True,
+                )
+            )
+
+            # This should remove cordelia from cool_test_group
+            sync_user_from_ldap(cordelia, mock.Mock())
+
+            self.assertFalse(
+                is_user_in_group(
+                    UserGroup.objects.get(realm=realm, name="cool_test_group"),
+                    cordelia,
+                    direct_member_only=True,
+                )
+            )
+
+        hamlet = self.example_user("hamlet")
+        cordelia = self.example_user("cordelia")
+
+        self.assertEqual(
+            zulip_ldap_log.output,
+            [
+                f"DEBUG:zulip.ldap:Syncing groups for user: {hamlet.id}",
+                "DEBUG:zulip.ldap:intended groups: {'cool_test_group'}; zulip groups: set()",
+                f"DEBUG:zulip.ldap:add {hamlet.id} to ['cool_test_group']",
+                f"DEBUG:zulip.ldap:Syncing groups for user: {cordelia.id}",
+                "DEBUG:zulip.ldap:intended groups: set(); zulip groups: {'cool_test_group'}",
+                f"DEBUG:zulip.ldap:removing groups {{'cool_test_group'}} from {cordelia.id}",
+            ],
+        )
+
+        # Test an exception using a malformed ldap group search setting.
+        with self.settings(
+            AUTH_LDAP_GROUP_SEARCH=LDAPSearch(
+                "ou=groups,dc=zulip,dc=com",
+                ldap.SCOPE_ONELEVEL,
+                "(objectClass=groupOfUniqueNames",  # this is malformed, missing ")"
+            ),
+            LDAP_SYNCHRONIZED_GROUPS_BY_REALM={
+                "zulip": [
+                    "cool_test_group",
+                ]
+            },
+            LDAP_APPEND_DOMAIN="zulip.com",
+        ), self.assertLogs("django_auth_ldap", "WARN") as django_ldap_log, self.assertLogs(
+            "zulip.ldap", "DEBUG"
+        ) as zulip_ldap_log:
+            with self.assertRaisesRegex(
+                ZulipLDAPError,
+                "search_s.*",
+            ):
+                sync_user_from_ldap(cordelia, mock.Mock())
+
+        self.assertEqual(
+            zulip_ldap_log.output,
+            [f"DEBUG:zulip.ldap:Syncing groups for user: {cordelia.id}"],
+        )
+        self.assertEqual(
+            django_ldap_log.output,
+            [
+                'WARNING:django_auth_ldap:search_s("ou=groups,dc=zulip,dc=com", 1, "(&(objectClass=groupOfUniqueNames(uniqueMember=uid=cordelia,ou=users,dc=zulip,dc=com))", "None", 0) while authenticating cordelia',
+            ],
+        )
+
+
 # Don't load the base class as a test: https://bugs.python.org/issue17519.
 del SocialAuthBase
--- a/zproject/backends.py
+++ b/zproject/backends.py
@ -80,6 +80,10 @@ from zxcvbn import zxcvbn

 from zerver.actions.create_user import do_create_user, do_reactivate_user
 from zerver.actions.custom_profile_fields import do_update_user_custom_profile_data_if_changed
+from zerver.actions.user_groups import (
+    bulk_add_members_to_user_groups,
+    bulk_remove_members_from_user_groups,
+)
 from zerver.actions.user_settings import do_regenerate_api_key
 from zerver.actions.users import do_deactivate_user
 from zerver.lib.avatar import avatar_url, is_avatar_new
@ -105,6 +109,8 @@ from zerver.models import (
    PreregistrationRealm,
    PreregistrationUser,
    Realm,
+    UserGroup,
+    UserGroupMembership,
    UserProfile,
    custom_profile_fields_for_realm,
    get_realm,
@ -910,6 +916,78 @@ class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
        except SyncUserError as e:
            raise ZulipLDAPError(str(e)) from e

+    def sync_groups_from_ldap(self, user_profile: UserProfile, ldap_user: _LDAPUser) -> None:
+        """
+        For the groups set up for syncing for the realm in LDAP_SYNCHRONIZED_GROUPS_BY_REALM:
+
+        (1) Makes sure the user has membership in the Zulip UserGroups corresponding
+            to the LDAP groups ldap_user belongs to.
+        (2) Makes sure the user doesn't have membership in the Zulip UserGroups corresponding
+            to the LDAP groups ldap_user doesn't belong to.
+        """
+
+        if user_profile.realm.string_id not in settings.LDAP_SYNCHRONIZED_GROUPS_BY_REALM:
+            # no groups to sync for this realm
+            return
+
+        configured_ldap_group_names_for_sync = set(
+            settings.LDAP_SYNCHRONIZED_GROUPS_BY_REALM[user_profile.realm.string_id]
+        )
+
+        try:
+            ldap_logger.debug("Syncing groups for user: %s", user_profile.id)
+            intended_group_name_set_for_user = set(ldap_user.group_names).intersection(
+                configured_ldap_group_names_for_sync
+            )
+
+            existing_group_name_set_for_user = set(
+                UserGroupMembership.objects.filter(
+                    user_group__realm=user_profile.realm,
+                    user_group__name__in=set(
+                        settings.LDAP_SYNCHRONIZED_GROUPS_BY_REALM[user_profile.realm.string_id]
+                    ),
+                    user_profile=user_profile,
+                ).values_list("user_group__name", flat=True)
+            )
+
+            ldap_logger.debug(
+                "intended groups: %s; zulip groups: %s",
+                repr(intended_group_name_set_for_user),
+                repr(existing_group_name_set_for_user),
+            )
+
+            new_groups = UserGroup.objects.filter(
+                name__in=intended_group_name_set_for_user.difference(
+                    existing_group_name_set_for_user
+                ),
+                realm=user_profile.realm,
+            )
+            if new_groups:
+                ldap_logger.debug(
+                    "add %s to %s", user_profile.id, [group.name for group in new_groups]
+                )
+                bulk_add_members_to_user_groups(new_groups, [user_profile.id], acting_user=None)
+
+            group_names_for_membership_deletion = existing_group_name_set_for_user.difference(
+                intended_group_name_set_for_user
+            )
+            groups_for_membership_deletion = UserGroup.objects.filter(
+                name__in=group_names_for_membership_deletion, realm=user_profile.realm
+            )
+
+            if group_names_for_membership_deletion:
+                ldap_logger.debug(
+                    "removing groups %s from %s",
+                    group_names_for_membership_deletion,
+                    user_profile.id,
+                )
+                bulk_remove_members_from_user_groups(
+                    groups_for_membership_deletion, [user_profile.id], acting_user=None
+                )
+
+        except Exception as e:
+            raise ZulipLDAPError(str(e)) from e
+

 class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
    REALM_IS_NONE_ERROR = 1
@ -1136,6 +1214,7 @@ class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
        self.sync_avatar_from_ldap(user, ldap_user)
        self.sync_full_name_from_ldap(user, ldap_user)
        self.sync_custom_profile_fields_from_ldap(user, ldap_user)
+        self.sync_groups_from_ldap(user, ldap_user)
        return (user, built)


--- a/zproject/default_settings.py
+++ b/zproject/default_settings.py
@ -2,6 +2,8 @@ import os
 from email.headerregistry import Address
 from typing import TYPE_CHECKING, Any, Dict, List, Literal, Optional, Tuple

+from django_auth_ldap.config import GroupOfUniqueNamesType, LDAPGroupType
+
 from scripts.lib.zulip_tools import deport
 from zproject.settings_types import JwtAuthKey, OIDCIdPConfigDict, SAMLIdPConfigDict

@ -69,6 +71,8 @@ AUTH_LDAP_ALWAYS_UPDATE_USER = False
 FAKE_LDAP_MODE: Optional[str] = None
 FAKE_LDAP_NUM_USERS = 8
 AUTH_LDAP_ADVANCED_REALM_ACCESS_CONTROL: Optional[Dict[str, Any]] = None
+LDAP_SYNCHRONIZED_GROUPS_BY_REALM: Dict[str, List[str]] = {}
+AUTH_LDAP_GROUP_TYPE: LDAPGroupType = GroupOfUniqueNamesType()

 # Social auth; we support providing values for some of these
 # settings in zulip-secrets.conf instead of settings.py in development.
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@ -266,6 +266,20 @@ AUTH_LDAP_USER_ATTR_MAP = {
 #    ]
 # }

+
+## LDAP group sync configuration.
+## See: https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#synchronizing-groups
+# AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
+# AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+#     "ou=groups,dc=www,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)"
+# )
+# LDAP_SYNCHRONIZED_GROUPS_BY_REALM = {
+#   "subdomain1" : [
+#       "group1",
+#       "group2",
+#   ]
+# }
+
 ########
 ## Google OAuth.
 ##