From 2a122845d940fbea8e193ab95f1db9dd8cb83966 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 26 Apr 2021 19:51:24 +0200
Subject: [PATCH] core: add groups to users
Signed-off-by: Jens Langhammer
---
 authentik/core/api/users.py | 5 ++++-
 outpost/pkg/ldap/instance_search.go | 9 +++------
 outpost/pkg/ldap/utils.go | 15 +++++++++++++++
 swagger.yaml | 5 +++++
 4 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index 1099232d8..d86fafb4a 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -1,4 +1,5 @@
 """User API Views"""
+from authentik.core.api.groups import GroupSerializer
 from django.http.response import Http404
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
@@ -8,7 +9,7 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, JSONField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import BooleanField, ModelSerializer
+from rest_framework.serializers import BooleanField, ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
@@ -29,6 +30,7 @@ class UserSerializer(ModelSerializer):
 is_superuser = BooleanField(read_only=True)
 avatar = CharField(read_only=True)
 attributes = JSONField(validators=[is_dict], required=False)
+ groups = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")
 class Meta:
@@ -40,6 +42,7 @@ class UserSerializer(ModelSerializer):
 "is_active",
 "last_login",
 "is_superuser",
+ "groups",
 "email",
 "avatar",
 "attributes",
diff --git a/outpost/pkg/ldap/instance_search.go b/outpost/pkg/ldap/instance_search.go
index 6d07d9456..3e2b1c92f 100644
--- a/outpost/pkg/ldap/instance_search.go
+++ b/outpost/pkg/ldap/instance_search.go
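Review bot: The new `from authentik.core.api.groups import GroupSerializer` line in the first hunk is placed above the Django imports, while the file keeps its first-party `authentik.*` imports in a separate group after the `rest_framework` block (the `from authentik.admin.api.metrics ...` context line in the second hunk shows that grouping). Moving the import down into that group keeps the module consistent with isort-style ordering and makes the dependency on the groups API easy to spot. Since `authentik.core.api.groups` and this module both live in the core API package, it is worth confirming that `groups.py` does not import from `users.py`, as a module-level cycle would only surface at import time; that cannot be seen from this hunk.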
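Review bot: `groups = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")` embeds the full `GroupSerializer` output into every user representation, so whatever that serializer exposes (the group's attributes, parent, or other fields — not visible here) becomes readable by any caller who may read users; confirm that visibility is intended, or use a reduced group serializer (primary key and name) for this nested field. Serializing `ak_groups` for each user also issues one extra query per user on list endpoints unless the viewset queryset already calls `.prefetch_related("ak_groups")`; the queryset is outside this hunk, so this is worth checking rather than a confirmed defect. A short comment on the field, such as `# read-only: membership is managed through the groups API`, would document why the field is not writable. The `Meta` class this field precedes continues outside the hunk.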
@@ -50,11 +50,8 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 },
 }
 attrs = append(attrs, AKAttrsToLDAP(g.Attributes)...)
- // attrs = append(attrs, &ldap.EntryAttribute{Name: "description", Values: []string{fmt.Sprintf("%s", g.Name)}})
- // attrs = append(attrs, &ldap.EntryAttribute{Name: "gidNumber", Values: []string{fmt.Sprintf("%d", g.UnixID)}})
- // attrs = append(attrs, &ldap.EntryAttribute{Name: "uniqueMember", Values: h.getGroupMembers(g.UnixID)})
- // attrs = append(attrs, &ldap.EntryAttribute{Name: "memberUid", Values: h.getGroupMemberIDs(g.UnixID)})
- dn := fmt.Sprintf("cn=%s,%s", *g.Name, pi.GroupDN)
+
+ dn := pi.GetGroupDN(g)
 entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
 }
 case UserObjectClass, "":
@@ -102,7 +99,7 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 attrs = append(attrs, &ldap.EntryAttribute{Name: "superuser", Values: []string{"active"}})
 }
- // attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: h.getGroupDNs(append(u.OtherGroups, u.PrimaryGroup))})
+ attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: pi.GroupsForUser(u)})
 attrs = append(attrs, AKAttrsToLDAP(u.Attributes)...)
diff --git a/outpost/pkg/ldap/utils.go b/outpost/pkg/ldap/utils.go
index e266e7e2a..244c199f8 100644
--- a/outpost/pkg/ldap/utils.go
+++ b/outpost/pkg/ldap/utils.go
@@ -1,7 +1,10 @@
 package ldap
 import (
+ "fmt"
+
 "github.com/nmcclain/ldap"
+ "goauthentik.io/outpost/pkg/models"
 )
 func AKAttrsToLDAP(attrs interface{}) []*ldap.EntryAttribute {
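Review bot: The `memberOf` attribute in the second hunk is appended unconditionally, so a user with no groups produces an `EntryAttribute` whose `Values` is an empty slice; whether the `nmcclain/ldap` encoder then emits an attribute with zero values or silently drops it is not visible here, and some LDAP clients reject entries with empty value sets. Guarding the append keeps the entry well-formed either way: `if dns := pi.GroupsForUser(u); len(dns) > 0 { attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: dns}) }`. Note that `memberOf` now discloses a user's full group list to any bind that is allowed to search users, which is conventional for an LDAP directory but should be stated in the provider documentation so operators can account for it. `Search` begins and ends outside this hunk.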
@@ -18,3 +21,15 @@ func AKAttrsToLDAP(attrs interface{}) []*ldap.EntryAttribute {
 }
 return attrList
 }
+
+func (pi *ProviderInstance) GroupsForUser(user *models.User) []string {
+ groups := make([]string, len(user.Groups))
+ for i, group := range user.Groups {
+ groups[i] = pi.GetGroupDN(group)
+ }
+ return groups
+}
+
+func (pi *ProviderInstance) GetGroupDN(group *models.Group) string {
+ return fmt.Sprintf("cn=%s,%s", *group.Name, pi.GroupDN)
+}
diff --git a/swagger.yaml b/swagger.yaml
index afe9a4f7b..c17c6c229 100755
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -15140,6 +15140,11 @@ definitions:
 title: Is superuser
 type: boolean
 readOnly: true
+ groups:
+ type: array
+ items:
+ $ref: '#/definitions/Group'
+ readOnly: true
 email:
 title: Email address
 type: string
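Review bot: `GetGroupDN` interpolates `*group.Name` straight into the DN, so a group name containing RFC 4514 special characters (`,`, `+`, `"`, `\`, `<`, `>`, `;`, `=`, a leading `#`, or leading/trailing spaces) yields a malformed DN — a comma alone splits the RDN — and because `GroupsForUser` returns the same strings as `memberOf` values, every member's entry carries the malformed DN too. The method also dereferences `group.Name` without a nil check, which would panic inside `Search` if the API ever returns a group without a name; the inline `fmt.Sprintf` this commit removes from `instance_search.go` had the same two issues, and fixing them here covers both call sites. The sketch below escapes the value and tolerates a missing name (callers may prefer to skip such groups instead — that is a product decision); it needs `"strings"` added to the import block in the first hunk, and both new exported methods deserve a doc comment, e.g. `// GroupsForUser returns the DN of every group the user is a member of, for use as memberOf values.`
```go
// dnValueReplacer escapes the characters RFC 4514 reserves inside a DN attribute value.
var dnValueReplacer = strings.NewReplacer(
	`\`, `\\`, `,`, `\,`, `+`, `\+`, `"`, `\"`, `<`, `\<`, `>`, `\>`, `;`, `\;`, `=`, `\=`,
)

// escapeDNValue makes an arbitrary string safe to use as a single RDN value.
func escapeDNValue(value string) string {
	escaped := dnValueReplacer.Replace(value)
	if strings.HasSuffix(escaped, " ") {
		escaped = escaped[:len(escaped)-1] + `\ `
	}
	if strings.HasPrefix(escaped, " ") || strings.HasPrefix(escaped, "#") {
		escaped = `\` + escaped
	}
	return escaped
}

// GetGroupDN builds the DN of an authentik group directly below the provider's group base DN.
func (pi *ProviderInstance) GetGroupDN(group *models.Group) string {
	name := ""
	if group != nil && group.Name != nil {
		name = *group.Name
	}
	return fmt.Sprintf("cn=%s,%s", escapeDNValue(name), pi.GroupDN)
}
```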