Allow LDAP Sources to provide Avatars

Add setting to LDAP source to allow it to provide an Avatar.

Currently this is required to point to the image bytes.

Fix #4144

Signed-off-by: Andrew Thornton <[email protected]>

Author: zeripath

cmd/admin_auth_ldap.go

@@ -89,6 +89,10 @@ var (
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
+		cli.StringFlag{
+			Name:  "jpeg-avatar-attribute",
+			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
+		},
 	}
 
 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
@@ -230,6 +234,9 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("public-ssh-key-attribute") {
 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
 	}
+	if c.IsSet("jpeg-avatar-attribute") {
+		config.AttributeAvatarJPEG = c.String("jpeg-avatar-attribute")
+	}
 	if c.IsSet("page-size") {
 		config.SearchPageSize = uint32(c.Uint("page-size"))
 	}

cmd/admin_auth_ldap_test.go

@@ -45,6 +45,7 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--surname-attribute", "sn-bind full",
 				"--email-attribute", "mail-bind full",
 				"--public-ssh-key-attribute", "publickey-bind full",
+				"--jpeg-avatar-attribute", "avatar-bind full",
 				"--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org",
 				"--bind-password", "secret-bind-full",
 				"--attributes-in-bind",
@@ -71,6 +72,7 @@ func TestAddLdapBindDn(t *testing.T) {
 					AttributeMail:         "mail-bind full",
 					AttributesInBind:      true,
 					AttributeSSHPublicKey: "publickey-bind full",
+					AttributeAvatarJPEG:   "avatar-bind full",
 					SearchPageSize:        99,
 					Filter:                "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
@@ -269,6 +271,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 				"--surname-attribute", "sn-simple full",
 				"--email-attribute", "mail-simple full",
 				"--public-ssh-key-attribute", "publickey-simple full",
+				"--jpeg-avatar-attribute", "avatar-simple full",
 				"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",
 			},
 			loginSource: &models.LoginSource{
@@ -288,6 +291,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 					AttributeSurname:      "sn-simple full",
 					AttributeMail:         "mail-simple full",
 					AttributeSSHPublicKey: "publickey-simple full",
+					AttributeAvatarJPEG:   "avatar-simple full",
 					Filter:                "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",
@@ -501,6 +505,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				"--surname-attribute", "sn-bind full",
 				"--email-attribute", "mail-bind full",
 				"--public-ssh-key-attribute", "publickey-bind full",
+				"--jpeg-avatar-attribute", "avatar-bind full",
 				"--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org",
 				"--bind-password", "secret-bind-full",
 				"--synchronize-users",
@@ -534,6 +539,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 					AttributeMail:         "mail-bind full",
 					AttributesInBind:      false,
 					AttributeSSHPublicKey: "publickey-bind full",
+					AttributeAvatarJPEG:   "avatar-bind full",
 					SearchPageSize:        99,
 					Filter:                "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
@@ -932,6 +938,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 				"--surname-attribute", "sn-simple full",
 				"--email-attribute", "mail-simple full",
 				"--public-ssh-key-attribute", "publickey-simple full",
+				"--jpeg-avatar-attribute", "avatar-simple full",
 				"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",
 			},
 			id: 7,
@@ -952,6 +959,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 					AttributeSurname:      "sn-simple full",
 					AttributeMail:         "mail-simple full",
 					AttributeSSHPublicKey: "publickey-simple full",
+					AttributeAvatarJPEG:   "avatar-simple full",
 					Filter:                "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",

docs/content/doc/usage/command-line.en-us.md

@@ -152,6 +152,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--jpeg-avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
         - `--bind-password value`: The password for the Bind DN, if any.
         - `--attributes-in-bind`: Fetch attributes in bind DN context.
@@ -177,6 +178,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--jpeg-avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
         - `--bind-password value`: The password for the Bind DN, if any.
         - `--attributes-in-bind`: Fetch attributes in bind DN context.
@@ -202,6 +204,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--jpeg-avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--user-dn value`: The user’s DN. Required.
       - Examples:
         - `gitea admin auth add-ldap-simple --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-dn "cn=%s,ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(cn=%s))" --email-attribute mail`
@@ -223,6 +226,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--jpeg-avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--user-dn value`: The user’s DN.
       - Examples:
         - `gitea admin auth update-ldap-simple --id 1 --name "my ldap auth source"`

options/locale/locale_en-US.ini

@@ -2416,6 +2416,7 @@ auths.attribute_name = First Name Attribute
 auths.attribute_surname = Surname Attribute
 auths.attribute_mail = Email Attribute
 auths.attribute_ssh_public_key = Public SSH Key Attribute
+auths.attribute_avatar_jpeg = JPEG Avatar Attribute
 auths.attributes_in_bind = Fetch Attributes in Bind DN Context
 auths.allow_deactivate_all = Allow an empty search result to deactivate all users
 auths.use_paged_search = Use Paged Search

routers/web/admin/auths.go

@@ -134,6 +134,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
 		AttributeMail:         form.AttributeMail,
 		AttributesInBind:      form.AttributesInBind,
 		AttributeSSHPublicKey: form.AttributeSSHPublicKey,
+		AttributeAvatarJPEG:   form.AttributeAvatarJPEG,
 		SearchPageSize:        pageSize,
 		Filter:                form.Filter,
 		GroupsEnabled:         form.GroupsEnabled,

services/auth/source/ldap/source.go

@@ -41,6 +41,7 @@ type Source struct {
 	AttributeMail         string // E-mail attribute
 	AttributesInBind      bool   // fetch attributes in bind context (not user)
 	AttributeSSHPublicKey string // LDAP SSH Public Key attribute
+	AttributeAvatarJPEG   string
 	SearchPageSize        uint32 // Search with paging page size
 	Filter                string // Query filter to validate entry
 	AdminFilter           string // Query filter to check if user is admin

services/auth/source/ldap/source_authenticate.go

@@ -95,5 +95,9 @@ func (source *Source) Authenticate(user *models.User, login, password string) (*
 		err = models.RewriteAllPublicKeys()
 	}
 
+	if err == nil && source.AttributeAvatarJPEG != "" {
+		_ = user.UploadAvatar(sr.AvatarJPEG)
+	}
+
 	return user, err
 }

services/auth/source/ldap/source_search.go

@@ -26,6 +26,7 @@ type SearchResult struct {
 	SSHPublicKey []string // SSH Public Key
 	IsAdmin      bool     // if user is administrator
 	IsRestricted bool     // if user is restricted
+	AvatarJPEG   []byte
 }
 
 func (ls *Source) sanitizedUserQuery(username string) (string, bool) {
@@ -295,6 +296,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 	}
 
 	var sshPublicKey []string
+	var avatarJPEG []byte
 
 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)
 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)
@@ -362,6 +364,10 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		}
 	}
 
+	if ls.AttributeAvatarJPEG != "" {
+		avatarJPEG = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatarJPEG)
+	}
+
 	return &SearchResult{
 		Username:     username,
 		Name:         firstname,
@@ -370,6 +376,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		SSHPublicKey: sshPublicKey,
 		IsAdmin:      isAdmin,
 		IsRestricted: isRestricted,
+		AvatarJPEG:   avatarJPEG,
 	}
 }
 
@@ -440,6 +447,9 @@ func (ls *Source) SearchEntries() ([]*SearchResult, error) {
 		if isAttributeSSHPublicKeySet {
 			result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey)
 		}
+		if ls.AttributeAvatarJPEG != "" {
+			result[i].AvatarJPEG = v.GetRawAttributeValue(ls.AttributeAvatarJPEG)
+		}
 	}
 
 	return result, nil

services/auth/source/ldap/source_sync.go

@@ -101,12 +101,18 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 
 			if err != nil {
 				log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.loginSource.Name, su.Username, err)
-			} else if isAttributeSSHPublicKeySet {
+			}
+
+			if err == nil && isAttributeSSHPublicKeySet {
 				log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.loginSource.Name, usr.Name)
 				if models.AddPublicKeysBySource(usr, source.loginSource, su.SSHPublicKey) {
 					sshKeysNeedUpdate = true
 				}
 			}
+
+			if err == nil && source.AttributeAvatarJPEG != "" {
+				_ = usr.UploadAvatar(su.AvatarJPEG)
+			}
 		} else if updateExisting {
 			existingUsers = append(existingUsers, usr.ID)
 
@@ -140,6 +146,10 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 				if err != nil {
 					log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.loginSource.Name, usr.Name, err)
 				}
+
+				if err == nil && source.AttributeAvatarJPEG != "" {
+					_ = usr.UploadAvatar(su.AvatarJPEG)
+				}
 			}
 		}
 	}

services/forms/auth_form.go

@@ -29,6 +29,7 @@ type AuthenticationForm struct {
 	AttributeSurname              string
 	AttributeMail                 string
 	AttributeSSHPublicKey         string
+	AttributeAvatarJPEG           string
 	AttributesInBind              bool
 	UsePagedSearch                bool
 	SearchPageSize                int

templates/admin/auth/edit.tmpl

@@ -104,6 +104,10 @@
 						<label for="attribute_ssh_public_key">{{.i18n.Tr "admin.auths.attribute_ssh_public_key"}}</label>
 						<input id="attribute_ssh_public_key" name="attribute_ssh_public_key" value="{{$cfg.AttributeSSHPublicKey}}" placeholder="e.g. SshPublicKey">
 					</div>
+					<div class="field">
+						<label for="attribute_avatar_jpeg">{{.i18n.Tr "admin.auths.attribute_avatar_jpeg"}}</label>
+						<input id="attribute_avatar_jpeg" name="attribute_avatar_jpeg" value="{{$cfg.AttributeAvatarJPEG}}" placeholder="e.g. jpegPhoto">
+					</div>
 					<div class="inline field">
 						<div class="ui checkbox">
 							<label for="groups_enabled"><strong>{{.i18n.Tr "admin.auths.verify_group_membership"}}</strong></label>

templates/admin/auth/source/ldap.tmpl

@@ -76,6 +76,10 @@
 		<label for="attribute_ssh_public_key">{{.i18n.Tr "admin.auths.attribute_ssh_public_key"}}</label>
 		<input id="attribute_ssh_public_key" name="attribute_ssh_public_key" value="{{.attribute_ssh_public_key}}" placeholder="e.g. SshPublicKey">
 	</div>
+	<div class="field">
+		<label for="attribute_avatar_jpeg">{{.i18n.Tr "admin.auths.attribute_avatar_jpeg"}}</label>
+		<input id="attribute_avatar_jpeg" name="attribute_avatar_jpeg" value="{{.attribute_avatar_jpeg}}" placeholder="e.g. jpegPhoto">
+	</div>
 	<div class="inline field">
 		<div class="ui checkbox">
 			<label for="groups_enabled"><strong>{{.i18n.Tr "admin.auths.verify_group_membership"}}</strong></label>