providers/ldap: remove deprecated fields (#5154)

* providers/ldap: remove deprecated fields Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update changelog Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-04-21 14:10:24 +03:00 · 2023-04-21 14:10:24 +03:00 · bb92c4a967
parent b40caf12df
commit bb92c4a967
5 changed files with 44 additions and 68 deletions
--- a/internal/outpost/ldap/entries.go
+++ b/internal/outpost/ldap/entries.go
@ -13,33 +13,16 @@ import (

 func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 	dn := pi.GetUserDN(u.Username)
-	userValueMap := func(value []string) []string {
+	attrs := utils.AttributesToLDAP(u.Attributes, func(key string) string {
+		return utils.AttributeKeySanitize(key)
+	}, func(value []string) []string {
 		for i, v := range value {
 			if strings.Contains(v, "%s") {
 				value[i] = fmt.Sprintf(v, u.Username)
 			}
 		}
 		return value
-	}
-	attrs := utils.AttributesToLDAP(u.Attributes, func(key string) string {
-		return utils.AttributeKeySanitize(key)
-	}, userValueMap)
-	rawAttrs := utils.AttributesToLDAP(u.Attributes, func(key string) string {
-		return key
-	}, userValueMap)
-	// Only append attributes that don't already exist
-	// TODO: Remove in 2023.3
-	for _, rawAttr := range rawAttrs {
-		exists := false
-		for _, attr := range attrs {
-			if strings.EqualFold(attr.Name, rawAttr.Name) {
-				exists = true
-			}
-		}
-		if !exists {
-			attrs = append(attrs, rawAttr)
-		}
-	}
+	})

 	if u.IsActive == nil {
 		u.IsActive = api.PtrBool(false)
@ -48,10 +31,6 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 		u.Email = api.PtrString("")
 	}
 	attrs = utils.EnsureAttributes(attrs, map[string][]string{
-		// Old fields for backwards compatibility
-		"goauthentik.io/ldap/active":    {strconv.FormatBool(*u.IsActive)},
-		"goauthentik.io/ldap/superuser": {strconv.FormatBool(u.IsSuperuser)},
-		// End old fields
 		"ak-active":      {strconv.FormatBool(*u.IsActive)},
 		"ak-superuser":   {strconv.FormatBool(u.IsSuperuser)},
 		"memberOf":       pi.GroupsForUser(u),
--- a/internal/outpost/ldap/group/group.go
+++ b/internal/outpost/ldap/group/group.go
@ -2,7 +2,6 @@ package group

 import (
 	"strconv"
-	"strings"

 	"github.com/nmcclain/ldap"
 	"goauthentik.io/api/v3"
@ -28,24 +27,6 @@ func (lg *LDAPGroup) Entry() *ldap.Entry {
 	}, func(value []string) []string {
 		return value
 	})
-	rawAttrs := utils.AttributesToLDAP(lg.Attributes, func(key string) string {
-		return key
-	}, func(value []string) []string {
-		return value
-	})
-	// Only append attributes that don't already exist
-	// TODO: Remove in 2023.3
-	for _, rawAttr := range rawAttrs {
-		exists := false
-		for _, attr := range attrs {
-			if strings.EqualFold(attr.Name, rawAttr.Name) {
-				exists = true
-			}
-		}
-		if !exists {
-			attrs = append(attrs, rawAttr)
-		}
-	}

 	objectClass := []string{constants.OCGroup, constants.OCGroupOfUniqueNames, constants.OCGroupOfNames, constants.OCAKGroup, constants.OCPosixGroup}
 	if lg.IsVirtualGroup {
@ -53,9 +34,6 @@ func (lg *LDAPGroup) Entry() *ldap.Entry {
 	}

 	attrs = utils.EnsureAttributes(attrs, map[string][]string{
-		// Old fields for backwards compatibility
-		"goauthentik.io/ldap/superuser": {strconv.FormatBool(lg.IsSuperuser)},
-		// End old fields
 		"ak-superuser":   {strconv.FormatBool(lg.IsSuperuser)},
 		"objectClass":    objectClass,
 		"member":         lg.Member,
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -229,12 +229,6 @@ class TestProviderLDAP(SeleniumTestCase):
                        "homeDirectory": [
                            f"/home/{o_user.username}",
                        ],
-                        # Old fields for backwards compatibility
-                        "goauthentik.io/ldap/active": ["true"],
-                        "goauthentik.io/ldap/superuser": ["false"],
-                        "goauthentik.io/user/override-ips": ["true"],
-                        "goauthentik.io/user/service-account": ["true"],
-                        # End old fields
                        "ak-active": ["true"],
                        "ak-superuser": ["false"],
                        "goauthentikio-user-override-ips": ["true"],
@ -264,12 +258,6 @@ class TestProviderLDAP(SeleniumTestCase):
                        "homeDirectory": [
                            f"/home/{embedded_account.username}",
                        ],
-                        # Old fields for backwards compatibility
-                        "goauthentik.io/ldap/active": ["true"],
-                        "goauthentik.io/ldap/superuser": ["false"],
-                        "goauthentik.io/user/override-ips": ["true"],
-                        "goauthentik.io/user/service-account": ["true"],
-                        # End old fields
                        "ak-active": ["true"],
                        "ak-superuser": ["false"],
                        "goauthentikio-user-override-ips": ["true"],
@ -302,10 +290,6 @@ class TestProviderLDAP(SeleniumTestCase):
                        "homeDirectory": [
                            f"/home/{self.user.username}",
                        ],
-                        # Old fields for backwards compatibility
-                        "goauthentik.io/ldap/active": ["true"],
-                        "goauthentik.io/ldap/superuser": ["true"],
-                        # End old fields
                        "ak-active": ["true"],
                        "ak-superuser": ["true"],
                        "extraAttribute": ["bar"],
--- a/website/docs/providers/ldap/index.md
+++ b/website/docs/providers/ldap/index.md
@ -33,11 +33,6 @@ The following fields are currently sent for users:
 -   `ak-active`: "true" if the account is active, otherwise "false"
 -   `ak-superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false"

-:::warning
-The use of the `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser` attributes is deprecated as of authentik 2023.3. They will be removed completely in a future release.
-Use the replacements fields above instead.
-:::
-
 The following fields are current set for groups:

 -   `cn`: The group's name
--- a/website/docs/releases/2023/v2023.5.md
+++ b/website/docs/releases/2023/v2023.5.md
@ -0,0 +1,40 @@
+---
+title: Release 2023.5
+slug: "/releases/2023.5"
+---
+
+## Breaking changes
+
+-   Removal of deprecated LDAP fields
+
+    This version removes the deprecated LDAP fields `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser`.
+
+    Additionally, any custom fields based on user attributes will only be represented with their sanitized key, removing any slashes with dashes, and removing periods.
+
+## New features
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+Download the docker-compose file for 2023.5 from [here](https://goauthentik.io/version/2023.5/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
+
+### Kubernetes
+
+Update your values to use the new images:
+
+```yaml
+image:
+    repository: ghcr.io/goauthentik/server
+    tag: 2023.5.0
+```
+
+## Minor changes/fixes
+
+_Insert the output of `make gen-changelog` here_
+
+## API Changes
+
+_Insert output of `make gen-diff` here_