feat(ldap): user org role sync working

pkg/auth/ldap.go

@@ -27,7 +27,7 @@ func init() {
 			SearchFilter:  "(cn=%s)",
 			SearchBaseDNs: []string{"dc=grafana,dc=org"},
 			LdapGroups: []*LdapGroupToOrgRole{
-				{GroupDN: "cn=users,dc=grafana,dc=org", OrgRole: m.ROLE_EDITOR},
+				{GroupDN: "cn=users,dc=grafana,dc=org", OrgId: 1, OrgRole: m.ROLE_VIEWER},
 			},
 		},
 	}
@@ -143,16 +143,29 @@ func (a *ldapAuther) syncOrgRoles(user *m.User, ldapUser *ldapUserInfo) error {
 	// remove or update org roles
 	for _, org := range orgsQuery.Result {
 		for _, group := range a.server.LdapGroups {
-			if group.OrgId == org.OrgId && ldapUser.isMemberOf(group.GroupDN) {
+			if org.OrgId != group.OrgId {
+				continue
+			}
+
+			if ldapUser.isMemberOf(group.GroupDN) {
 				if org.Role != group.OrgRole {
 					// update role
+					cmd := m.UpdateOrgUserCommand{OrgId: org.OrgId, UserId: user.Id, Role: group.OrgRole}
+					if err := bus.Dispatch(&cmd); err != nil {
+						return err
+					}
 				}
 			} else {
 				// remove role
+				cmd := m.RemoveOrgUserCommand{OrgId: org.OrgId, UserId: user.Id}
+				if err := bus.Dispatch(&cmd); err != nil {
+					return err
+				}
 			}
 		}
 	}
 
+	// add missing org roles
 	for _, group := range a.server.LdapGroups {
 		if !ldapUser.isMemberOf(group.GroupDN) {
 			continue

pkg/auth/ldap_test.go

@@ -97,10 +97,48 @@ func TestLdapAuther(t *testing.T) {
 
 			Convey("Should create new org user", func() {
 				So(err, ShouldBeNil)
-				So(sc.addOrgUserCommand, ShouldNotBeNil)
+				So(sc.addOrgUserCmd, ShouldNotBeNil)
-				So(sc.addOrgUserCommand.Role, ShouldEqual, m.ROLE_ADMIN)
+				So(sc.addOrgUserCmd.Role, ShouldEqual, m.ROLE_ADMIN)
 			})
 		})
+
+		ldapAutherScenario("given different current org role", func(sc *scenarioContext) {
+			ldapAuther := NewLdapAuthenticator(&LdapServerConf{
+				LdapGroups: []*LdapGroupToOrgRole{
+					{GroupDN: "cn=users", OrgId: 1, OrgRole: "Admin"},
+				},
+			})
+
+			sc.userOrgsQueryReturns([]*m.UserOrgDTO{{OrgId: 1, Role: m.ROLE_EDITOR}})
+			err := ldapAuther.syncOrgRoles(&m.User{}, &ldapUserInfo{
+				MemberOf: []string{"cn=users"},
+			})
+
+			Convey("Should update org role", func() {
+				So(err, ShouldBeNil)
+				So(sc.updateOrgUserCmd, ShouldNotBeNil)
+				So(sc.updateOrgUserCmd.Role, ShouldEqual, m.ROLE_ADMIN)
+			})
+		})
+
+		ldapAutherScenario("given current org role is removed in ldap", func(sc *scenarioContext) {
+			ldapAuther := NewLdapAuthenticator(&LdapServerConf{
+				LdapGroups: []*LdapGroupToOrgRole{
+					{GroupDN: "cn=users", OrgId: 1, OrgRole: "Admin"},
+				},
+			})
+
+			sc.userOrgsQueryReturns([]*m.UserOrgDTO{{OrgId: 1, Role: m.ROLE_EDITOR}})
+			err := ldapAuther.syncOrgRoles(&m.User{}, &ldapUserInfo{
+				MemberOf: []string{"cn=other"},
+			})
+
+			Convey("Should remove org role", func() {
+				So(err, ShouldBeNil)
+				So(sc.removeOrgUserCmd, ShouldNotBeNil)
+			})
+		})
+
 	})
 }
 
@@ -117,7 +155,17 @@ func ldapAutherScenario(desc string, fn scenarioFunc) {
 		})
 
 		bus.AddHandler("test", func(cmd *m.AddOrgUserCommand) error {
-			sc.addOrgUserCommand = cmd
+			sc.addOrgUserCmd = cmd
+			return nil
+		})
+
+		bus.AddHandler("test", func(cmd *m.UpdateOrgUserCommand) error {
+			sc.updateOrgUserCmd = cmd
+			return nil
+		})
+
+		bus.AddHandler("test", func(cmd *m.RemoveOrgUserCommand) error {
+			sc.removeOrgUserCmd = cmd
 			return nil
 		})
 
@@ -127,7 +175,9 @@ func ldapAutherScenario(desc string, fn scenarioFunc) {
 
 type scenarioContext struct {
 	createUserCmd    *m.CreateUserCommand
-	addOrgUserCommand *m.AddOrgUserCommand
+	addOrgUserCmd    *m.AddOrgUserCommand
+	updateOrgUserCmd *m.UpdateOrgUserCommand
+	removeOrgUserCmd *m.RemoveOrgUserCommand
 }
 
 func (sc *scenarioContext) userQueryReturns(user *m.User) {