setup opencloud-keycloak-ldap setup. fix test after changing space template image

.woodpecker.env

@@ -1,3 +1,3 @@
 # The version of OpenCloud to use in pipelines
-OPENCLOUD_COMMITID=69e25b840174e88cb86c5c2b004167f4c05e9c3e
+OPENCLOUD_COMMITID=e62ff11a0ea114c3bd1aea42a704e683031a67a8
 OPENCLOUD_BRANCH=main

.woodpecker.star

@@ -20,6 +20,7 @@ PLUGINS_S3 = "plugins/s3:1.5"
 PLUGINS_S3_CACHE = "plugins/s3-cache:1"
 PLUGINS_SLACK = "plugins/slack:1"
 POSTGRES_ALPINE = "postgres:alpine3.18"
+OPENLDAP = "bitnami/openldap:2.6"
 READY_RELEASE_GO = "woodpeckerci/plugin-ready-release-go:latest"
 
 WEB_PUBLISH_NPM_PACKAGES = ["babel-preset", "design-system", "eslint-config", "extension-sdk", "prettier-config", "tsconfig", "web-client", "web-pkg", "web-test-helpers"]
@@ -1418,14 +1419,47 @@ def postgresService():
         },
     ]
 
+def ldapService():
+    return [
+        {
+            "name": "ldap-server",
+            "image": OPENLDAP,
+            "detach": True,
+            "environment": {
+                "BITNAMI_DEBUG": "true",
+                "LDAP_TLS_VERIFY_CLIENT": "never",
+                "LDAP_ENABLE_TLS": "yes",
+                "LDAP_TLS_CA_FILE": "/opt/bitnami/openldap/share/openldap.crt",
+                "LDAP_TLS_CERT_FILE": "/opt/bitnami/openldap/share/openldap.crt",
+                "LDAP_TLS_KEY_FILE": "/opt/bitnami/openldap/share/openldap.key",
+                "LDAP_ROOT": "dc=opencloud,dc=eu",
+                "LDAP_ADMIN_PASSWORD": "admin",
+            },
+            "commands": [
+                "mkdir -p /opt/bitnami/openldap/share",
+                "mkdir -p /tmp/custom-scripts",
+                "mkdir -p /tmp/ldif-files",
+                "cp tests/woodpecker/ldap/*.ldif /tmp/ldif-files/",
+                "cp tests/woodpecker/ldap/docker-entrypoint-override.sh /tmp/custom-scripts/",
+                "chmod +x /tmp/custom-scripts/docker-entrypoint-override.sh",
+                "/tmp/custom-scripts/docker-entrypoint-override.sh /opt/bitnami/scripts/openldap/run.sh",
+            ],
+            "backend_options": {
+                "docker": {
+                    "user": "0:0",
+                },
+            },
+        },
+    ] + waitForServices("ldap", ["ldap-server:1636", "ldap-server:1389"])
+
 def keycloakService():
     return [{
                "name": "generate-keycloak-certs",
                "image": OC_CI_NODEJS,
                "commands": [
                    "mkdir -p keycloak-certs",
                    "openssl req -x509 -newkey rsa:2048 -keyout keycloak-certs/keycloakkey.pem -out keycloak-certs/keycloakcrt.pem -nodes -days 365 -subj '/CN=keycloak'",
-                   "chmod -R 777 keycloak-certs",
+                   "chmod -R 755 keycloak-certs",
                ],
            }] + waitForServices("postgres", ["postgres:5432"]) + \
            [{
@@ -1445,51 +1479,68 @@ def keycloakService():
                    "KEYCLOAK_ADMIN_PASSWORD": "admin",
                    "KC_HTTPS_CERTIFICATE_FILE": "./keycloak-certs/keycloakcrt.pem",
                    "KC_HTTPS_CERTIFICATE_KEY_FILE": "./keycloak-certs/keycloakkey.pem",
+                   "LDAP_SERVER_URL": "ldaps://ldap-server:1636",
+                   "LDAP_BIND_DN": "cn=admin,dc=opencloud,dc=eu",
+                   "LDAP_BIND_PASSWORD": "admin",
+                   "LDAP_USERS_DN": "ou=users,dc=opencloud,dc=eu",
                },
                "commands": [
                    "mkdir -p /opt/keycloak/data/import",
                    "cp tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json /opt/keycloak/data/import/opencloud-realm.json",
                    "/opt/keycloak/bin/kc.sh start-dev --proxy-headers xforwarded --spi-connections-http-client-default-disable-trust-manager=true --import-realm --health-enabled=true",
                ],
-           }] + waitForServices("keycloack", ["keycloak:8443"])
+           }] + waitForServices("keycloak", ["keycloak:8443"])
 
 def e2eTestsOnKeycloak(ctx):
     e2e_Keycloak_tests = [
-        "journeys",
-        "admin-settings/users.feature:20",
-        "admin-settings/users.feature:43",
-        "admin-settings/users.feature:106",
-        "admin-settings/users.feature:131",
-        "admin-settings/users.feature:185",
-        "admin-settings/spaces.feature",
-        "admin-settings/groups.feature",
-        "keycloak",
+        "admin-settings/spaces.feature:25",
+        "admin-settings/spaces.feature:60",
     ]
 
     steps = restoreBuildArtifactCache(ctx, "pnpm", ".pnpm-store") + \
             installPnpm() + \
             restoreBrowsersCache() + \
+            ldapService() + \
             keycloakService() + \
             restoreBuildArtifactCache(ctx, "web-dist", "dist")
     if ctx.build.event == "cron":
         steps += restoreBuildArtifactCache(ctx, "opencloud", "opencloud")
     else:
         steps += restoreOpenCloudCache()
 
-    # configs to setup opencloud with keycloak
+    # configs to setup opencloud with keycloak and ldap
     environment = {
-        "PROXY_AUTOPROVISION_ACCOUNTS": True,
+        "PROXY_AUTOPROVISION_ACCOUNTS": False,
         "PROXY_ROLE_ASSIGNMENT_DRIVER": "oidc",
         "OC_OIDC_ISSUER": "https://keycloak:8443/realms/openCloud",
         "PROXY_OIDC_REWRITE_WELLKNOWN": True,
         "WEB_OIDC_CLIENT_ID": "web",
-        "PROXY_USER_OIDC_CLAIM": "preferred_username",
-        "PROXY_USER_CS3_CLAIM": "username",
+        "PROXY_USER_OIDC_CLAIM": "uuid",
+        "PROXY_USER_CS3_CLAIM": "userid",
         "OC_ADMIN_USER_ID": "",
-        "OC_EXCLUDE_RUN_SERVICES": "idp",
+        "OC_EXCLUDE_RUN_SERVICES": "idp,idm",
         "GRAPH_ASSIGN_DEFAULT_USER_ROLE": False,
+        "SETTINGS_SETUP_DEFAULT_ASSIGNMENTS": False,
         "GRAPH_USERNAME_MATCH": "none",
         "KEYCLOAK_DOMAIN": "keycloak:8443",
+        "OC_LOG_LEVEL": "debug",
+        "OC_LDAP_URI": "ldaps://ldap-server:1636",
+        "OC_LDAP_INSECURE": True,
+        "OC_LDAP_BIND_DN": "cn=admin,dc=opencloud,dc=eu",
+        "OC_LDAP_BIND_PASSWORD": "admin",
+
+        # LDAP configs
+        "OC_LDAP_GROUP_BASE_DN": "ou=groups,dc=opencloud,dc=eu",
+        "OC_LDAP_GROUP_SCHEMA_ID": "entryUUID",
+        "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
+        "GRAPH_LDAP_REFINT_ENABLED": True,
+        "OC_LDAP_USER_BASE_DN": "ou=users,dc=opencloud,dc=eu",
+        "OC_LDAP_USER_FILTER": "(objectclass=inetOrgPerson)",
+        "OC_LDAP_USER_SCHEMA_ID": "entryUUID",
+        "OC_LDAP_DISABLE_USER_MECHANISM": "none",
+        "GRAPH_LDAP_SERVER_UUID": "true",
+        "FRONTEND_READONLY_USER_ATTRIBUTES": "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments",
+        "OC_LDAP_SERVER_WRITE_ENABLED": False,
     }
 
     steps += openCloudService(environment) + \

tests/e2e/cucumber/environment/index.ts

@@ -67,7 +67,6 @@ Before(async function (this: World, { pickle }: ITestCaseHookParameter) {
     if (config.keycloak) {
       await api.keycloak.setAccessTokenForKeycloakOpenCloudUser(user)
       await api.keycloak.setAccessTokenForKeycloakUser(user)
-      await storeKeycloakGroups(user, this.usersEnvironment)
     } else {
       await api.token.setAccessAndRefreshToken(user)
       if (isOcm(pickle)) {
@@ -245,17 +244,3 @@ const isOcm = (pickle): boolean => {
   }
   return false
 }
-
-/*
-  store group created from keycloak on store
- */
-const storeKeycloakGroups = async (adminUser: User, usersEnvironment) => {
-  const groups = await api.graph.getGroups(adminUser)
-
-  store.dummyKeycloakGroupStore.forEach((dummyGroup) => {
-    const matchingGroup = groups.find((group) => group.displayName === dummyGroup.displayName)
-    if (matchingGroup) {
-      usersEnvironment.storeCreatedGroup({ group: { ...dummyGroup, uuid: matchingGroup.id } })
-    }
-  })
-}

tests/e2e/cucumber/features/user-settings/pagination.feature

@@ -51,7 +51,7 @@ Feature: check files pagination in personal and project spaces
     And following resources should not be displayed in the files list for user "Alice"
       | resource      |
       | testfile1.txt |
-    And "Alice" should see the text "112 items with 48 kB in total (56 files, 56 folders)" at the footer of the page
+    And "Alice" should see the text "112 items with 12 kB in total (56 files, 56 folders)" at the footer of the page
     And "Alice" should see 12 resources in the project space files view
     When "Alice" disables the option to display the hidden file
     Then "Alice" should see 10 resources in the project space files view

tests/e2e/support/api/graph/userManagement.ts

@@ -66,11 +66,9 @@ export const getUserId = async ({ user, admin }: { user: User; admin: User }): P
     path: join('graph', 'v1.0', 'users', user.username),
     user: admin
   })
-  if (response.ok) {
-    const resBody = (await response.json()) as User
-    userId = resBody.id
-  }
-  return userId
+
+  const resBody = (await response.json()) as User
+  return resBody.id
 }
 
 export const createGroup = async ({

tests/woodpecker/ldap/10_base.ldif

@@ -0,0 +1,20 @@
+dn: dc=opencloud,dc=eu
+objectClass: organization
+objectClass: dcObject
+dc: opencloud
+o: openCloud
+
+dn: ou=users,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=admin,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: person
+cn: admin
+sn: admin
+uid: ldapadmin
+
+dn: ou=groups,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: groups

tests/woodpecker/ldap/20_admin_user.ldif

@@ -0,0 +1,13 @@
+dn: uid=admin,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: admin
+givenName: Admin
+sn: Administrator
+cn: admin
+displayName: OpenCloud Administrator
+description: Administrator for OpenCloud instance
+mail: admin@example.org
+userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==

tests/woodpecker/ldap/30_admin_groups.ldif

@@ -0,0 +1,13 @@
+dn: cn=admins,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: admins
+description: System Administrators
+member: uid=admin,ou=users,dc=opencloud,dc=eu
+
+dn: cn=users,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: users
+description: All Users
+member: uid=admin,ou=users,dc=opencloud,dc=eu

tests/woodpecker/ldap/docker-entrypoint-override.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+printenv
+
+if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
+then	
+	openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes
+fi
+
+mkdir -p /opt/bitnami/openldap/ldifs
+
+if [ -d "/tmp/ldif-files" ]; then
+    cp /tmp/ldif-files/*.ldif /opt/bitnami/openldap/ldifs/
+fi
+
+/opt/bitnami/scripts/openldap/entrypoint.sh "$@" &
+ENTRYPOINT_PID=$!
+
+echo "Waiting for LDAP server to start..."
+while ! ldapsearch -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -b "dc=opencloud,dc=eu" > /dev/null 2>&1; do
+    sleep 2
+done
+
+echo "LDAP server is running, importing LDIF files..."
+
+if [ -f "/opt/bitnami/openldap/ldifs/10_base.ldif" ]; then
+    echo "Importing 10_base.ldif..."
+    ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -f /opt/bitnami/openldap/ldifs/10_base.ldif
+fi
+
+if [ -f "/opt/bitnami/openldap/ldifs/20_admin_user.ldif" ]; then
+    echo "Importing 20_admin_user.ldif..."
+    ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -f /opt/bitnami/openldap/ldifs/20_admin_user.ldif
+fi
+
+if [ -f "/opt/bitnami/openldap/ldifs/30_admin_groups.ldif" ]; then
+    echo "Importing 30_admin_groups.ldif..."
+    ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -f /opt/bitnami/openldap/ldifs/30_admin_groups.ldif
+fi
+
+echo "LDIF import completed!"
+
+wait $ENTRYPOINT_PID