From bb92c4a967e034c57bcc8d159b2e40244273c433 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Fri, 21 Apr 2023 14:10:24 +0300
Subject: [PATCH] providers/ldap: remove deprecated fields (#5154)
* providers/ldap: remove deprecated fields
Signed-off-by: Jens Langhammer
* update changelog
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
---
 internal/outpost/ldap/entries.go | 29 +++----------------
 internal/outpost/ldap/group/group.go | 22 ---------------
 tests/e2e/test_provider_ldap.py | 16 -----------
 website/docs/providers/ldap/index.md | 5 ----
 website/docs/releases/2023/v2023.5.md | 40 +++++++++++++++++++++++++++
 5 files changed, 44 insertions(+), 68 deletions(-)
 create mode 100644 website/docs/releases/2023/v2023.5.md
diff --git a/internal/outpost/ldap/entries.go b/internal/outpost/ldap/entries.go
index af389f27d..577027661 100644
--- a/internal/outpost/ldap/entries.go
+++ b/internal/outpost/ldap/entries.go
@@ -13,33 +13,16 @@ import (
 func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 dn := pi.GetUserDN(u.Username)
- userValueMap := func(value []string) []string {
+ attrs := utils.AttributesToLDAP(u.Attributes, func(key string) string {
+ return utils.AttributeKeySanitize(key)
+ }, func(value []string) []string {
 for i, v := range value {
 if strings.Contains(v, "%s") {
 value[i] = fmt.Sprintf(v, u.Username)
 }
 }
 return value
- }
- attrs := utils.AttributesToLDAP(u.Attributes, func(key string) string {
- return utils.AttributeKeySanitize(key)
- }, userValueMap)
- rawAttrs := utils.AttributesToLDAP(u.Attributes, func(key string) string {
- return key
- }, userValueMap)
- // Only append attributes that don't already exist
- // TODO: Remove in 2023.3
- for _, rawAttr := range rawAttrs {
- exists := false
- for _, attr := range attrs {
- if strings.EqualFold(attr.Name, rawAttr.Name) {
- exists = true
- }
- }
- if !exists {
- attrs = append(attrs, rawAttr)
- }
- }
+ })
 if u.IsActive == nil {
 u.IsActive = api.PtrBool(false)
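Review bot: In the value-mapping callback now passed inline to `utils.AttributesToLDAP` in `UserEntry`, `fmt.Sprintf(v, u.Username)` uses the attribute value itself as the format string, so a value from `u.Attributes` that contains `%s` together with any other `%` sequence comes out with `%!…` error markers (a second `%s` becomes `%!s(MISSING)`, a stray `%d` becomes `%!d(string=…)`). The only intent visible here is substituting the username, and `value[i] = strings.ReplaceAll(v, "%s", u.Username)` does that without interpreting the rest of the value. The callback also writes into the slice it is handed; whether that slice aliases `u.Attributes` depends on `utils.AttributesToLDAP`, which is not shown, so a short comment stating that in-place modification is intended would help. `UserEntry` continues past the end of this hunk.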
@@ -48,10 +31,6 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 u.Email = api.PtrString("")
 }
 attrs = utils.EnsureAttributes(attrs, map[string][]string{
- // Old fields for backwards compatibility
- "goauthentik.io/ldap/active": {strconv.FormatBool(*u.IsActive)},
- "goauthentik.io/ldap/superuser": {strconv.FormatBool(u.IsSuperuser)},
- // End old fields
 "ak-active": {strconv.FormatBool(*u.IsActive)},
 "ak-superuser": {strconv.FormatBool(u.IsSuperuser)},
 "memberOf": pi.GroupsForUser(u),
diff --git a/internal/outpost/ldap/group/group.go b/internal/outpost/ldap/group/group.go
index dc48f4a39..0ad2d3915 100644
--- a/internal/outpost/ldap/group/group.go
+++ b/internal/outpost/ldap/group/group.go
@@ -2,7 +2,6 @@ package group
 import (
 "strconv"
- "strings"
 "github.com/nmcclain/ldap"
 "goauthentik.io/api/v3"
@@ -28,24 +27,6 @@ func (lg *LDAPGroup) Entry() *ldap.Entry {
 }, func(value []string) []string {
 return value
 })
- rawAttrs := utils.AttributesToLDAP(lg.Attributes, func(key string) string {
- return key
- }, func(value []string) []string {
- return value
- })
- // Only append attributes that don't already exist
- // TODO: Remove in 2023.3
- for _, rawAttr := range rawAttrs {
- exists := false
- for _, attr := range attrs {
- if strings.EqualFold(attr.Name, rawAttr.Name) {
- exists = true
- }
- }
- if !exists {
- attrs = append(attrs, rawAttr)
- }
- }
 objectClass := []string{constants.OCGroup, constants.OCGroupOfUniqueNames, constants.OCGroupOfNames, constants.OCAKGroup, constants.OCPosixGroup}
 if lg.IsVirtualGroup {
@@ -53,9 +34,6 @@ func (lg *LDAPGroup) Entry() *ldap.Entry {
 }
 attrs = utils.EnsureAttributes(attrs, map[string][]string{
- // Old fields for backwards compatibility
- "goauthentik.io/ldap/superuser": {strconv.FormatBool(lg.IsSuperuser)},
- // End old fields
 "ak-superuser": {strconv.FormatBool(lg.IsSuperuser)},
 "objectClass": objectClass,
 "member": lg.Member,
diff --git a/tests/e2e/test_provider_ldap.py b/tests/e2e/test_provider_ldap.py
index c3ba0ee86..083493123 100644
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@@ -229,12 +229,6 @@ class TestProviderLDAP(SeleniumTestCase):
 "homeDirectory": [
 f"/home/{o_user.username}",
 ],
- # Old fields for backwards compatibility
- "goauthentik.io/ldap/active": ["true"],
- "goauthentik.io/ldap/superuser": ["false"],
- "goauthentik.io/user/override-ips": ["true"],
- "goauthentik.io/user/service-account": ["true"],
- # End old fields
 "ak-active": ["true"],
 "ak-superuser": ["false"],
 "goauthentikio-user-override-ips": ["true"],
@@ -264,12 +258,6 @@ class TestProviderLDAP(SeleniumTestCase):
 "homeDirectory": [
 f"/home/{embedded_account.username}",
 ],
- # Old fields for backwards compatibility
- "goauthentik.io/ldap/active": ["true"],
- "goauthentik.io/ldap/superuser": ["false"],
- "goauthentik.io/user/override-ips": ["true"],
- "goauthentik.io/user/service-account": ["true"],
- # End old fields
 "ak-active": ["true"],
 "ak-superuser": ["false"],
 "goauthentikio-user-override-ips": ["true"],
@@ -302,10 +290,6 @@ class TestProviderLDAP(SeleniumTestCase):
 "homeDirectory": [
 f"/home/{self.user.username}",
 ],
- # Old fields for backwards compatibility
- "goauthentik.io/ldap/active": ["true"],
- "goauthentik.io/ldap/superuser": ["true"],
- # End old fields
 "ak-active": ["true"],
 "ak-superuser": ["true"],
 "extraAttribute": ["bar"],
diff --git a/website/docs/providers/ldap/index.md b/website/docs/providers/ldap/index.md
index aad32575c..30139774f 100644
--- a/website/docs/providers/ldap/index.md
+++ b/website/docs/providers/ldap/index.md
@@ -33,11 +33,6 @@ The following fields are currently sent for users:
 - `ak-active`: "true" if the account is active, otherwise "false"
 - `ak-superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false"
-:::warning
-The use of the `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser` attributes is deprecated as of authentik 2023.3. They will be removed completely in a future release.
-Use the replacements fields above instead.
-:::
-
 The following fields are current set for groups:
 - `cn`: The group's name
diff --git a/website/docs/releases/2023/v2023.5.md b/website/docs/releases/2023/v2023.5.md
new file mode 100644
index 000000000..3bf7f8c1b
--- /dev/null
+++ b/website/docs/releases/2023/v2023.5.md
@@ -0,0 +1,40 @@
+---
+title: Release 2023.5
+slug: "/releases/2023.5"
+---
+
+## Breaking changes
+
+- Removal of deprecated LDAP fields
+
+ This version removes the deprecated LDAP fields `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser`.
+
+ Additionally, any custom fields based on user attributes will only be represented with their sanitized key, removing any slashes with dashes, and removing periods.
+
+## New features
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+Download the docker-compose file for 2023.5 from [here](https://goauthentik.io/version/2023.5/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
+
+### Kubernetes
+
+Update your values to use the new images:
+
+```yaml
+image:
+ repository: ghcr.io/goauthentik/server
+ tag: 2023.5.0
+```
+
+## Minor changes/fixes
+
+_Insert the output of `make gen-changelog` here_
+
+## API Changes
+
+_Insert output of `make gen-diff` here_