Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions backend/cmd/server/wire_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 7 additions & 6 deletions backend/ent/schema/auth_identity.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,13 @@ import (
)

var authProviderTypes = map[string]struct{}{
"email": {},
"github": {},
"google": {},
"linuxdo": {},
"oidc": {},
"wechat": {},
"email": {},
"github": {},
"google": {},
"linuxdo": {},
"oidc": {},
"wechat": {},
"dingtalk": {},
}

func validateAuthProviderType(value string) error {
Expand Down
2 changes: 1 addition & 1 deletion backend/ent/schema/auth_identity_schema_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ func TestAuthIdentityFoundationSchemas(t *testing.T) {
require.Equal(t, 1, signupSource.Validators)

validator := requireStringFieldValidator(t, User{}.Fields(), "signup_source")
for _, value := range []string{"email", "linuxdo", "wechat", "oidc", "github", "google"} {
for _, value := range []string{"email", "linuxdo", "wechat", "oidc", "github", "google", "dingtalk"} {
require.NoError(t, validator(value))
}
require.Error(t, validator("unknown"))
Expand Down
4 changes: 2 additions & 2 deletions backend/ent/schema/user.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,10 +77,10 @@ func (User) Fields() []ent.Field {
field.String("signup_source").
Validate(func(value string) error {
switch value {
case "email", "linuxdo", "wechat", "oidc", "github", "google":
case "email", "linuxdo", "wechat", "oidc", "github", "google", "dingtalk":
return nil
default:
return fmt.Errorf("must be one of email, linuxdo, wechat, oidc, github, google")
return fmt.Errorf("must be one of email, linuxdo, wechat, oidc, github, google, dingtalk")
}
}).
Default("email"),
Expand Down
58 changes: 58 additions & 0 deletions backend/internal/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ type Config struct {
LinuxDo LinuxDoConnectConfig `mapstructure:"linuxdo_connect"`
WeChat WeChatConnectConfig `mapstructure:"wechat_connect"`
OIDC OIDCConnectConfig `mapstructure:"oidc_connect"`
DingTalk DingTalkConnectConfig `mapstructure:"dingtalk_connect"`
GitHubOAuth EmailOAuthProviderConfig `mapstructure:"github_oauth"`
GoogleOAuth EmailOAuthProviderConfig `mapstructure:"google_oauth"`
Default DefaultConfig `mapstructure:"default"`
Expand Down Expand Up @@ -242,6 +243,47 @@ type OIDCConnectConfig struct {
UserInfoUsernamePath string `mapstructure:"userinfo_username_path"`
}

type DingTalkConnectConfig struct {
Enabled bool `mapstructure:"enabled"`
ClientID string `mapstructure:"client_id"`
ClientSecret string `mapstructure:"client_secret"`
AuthorizeURL string `mapstructure:"authorize_url"`
TokenURL string `mapstructure:"token_url"`
UserInfoURL string `mapstructure:"userinfo_url"`
Scopes string `mapstructure:"scopes"`
RedirectURL string `mapstructure:"redirect_url"`
FrontendRedirectURL string `mapstructure:"frontend_redirect_url"`

// 平台底座 + 业务行为
DingTalkAppKind string `mapstructure:"dingtalk_app_kind"` // 仅 "internal_app"(V4 fail-closed)
AppType string `mapstructure:"app_type"` // "public" (default) | "internal"

// Corp 限定(none | internal_only)
CorpRestrictionPolicy string `mapstructure:"corp_restriction_policy"`
InternalCorpID string `mapstructure:"internal_corp_id"`
BypassRegistration bool `mapstructure:"bypass_registration"`
SyncCorpEmail bool `mapstructure:"sync_corp_email"`
SyncDisplayName bool `mapstructure:"sync_display_name"`
SyncDept bool `mapstructure:"sync_dept"`
SyncCorpEmailAttrKey string `mapstructure:"sync_corp_email_attr_key"`
SyncDisplayNameAttrKey string `mapstructure:"sync_display_name_attr_key"`
SyncDeptAttrKey string `mapstructure:"sync_dept_attr_key"`
SyncCorpEmailAttrName string `mapstructure:"sync_corp_email_attr_name"`
SyncDisplayNameAttrName string `mapstructure:"sync_display_name_attr_name"`
SyncDeptAttrName string `mapstructure:"sync_dept_attr_name"`

// 邮箱 + Username
RequireEmail bool `mapstructure:"require_email"`
UsernameOverwritePolicy string `mapstructure:"username_overwrite_policy"`

// Attribute(私有版扩展点;开源版仅声明)
UsernameAttributeKey string `mapstructure:"username_attribute_key"`
EnableAttributeMatching bool `mapstructure:"enable_attribute_matching"`
EnableAttributeSync bool `mapstructure:"enable_attribute_sync"`
AttributeSyncFields []string `mapstructure:"attribute_sync_fields"`
AttributeSyncOverwritePolicy string `mapstructure:"attribute_sync_overwrite_policy"`
}

type EmailOAuthProviderConfig struct {
Enabled bool `mapstructure:"enabled"`
ClientID string `mapstructure:"client_id"`
Expand Down Expand Up @@ -1536,6 +1578,19 @@ func setDefaults() {
viper.SetDefault("oidc_connect.userinfo_id_path", "")
viper.SetDefault("oidc_connect.userinfo_username_path", "")

// DingTalk Connect OAuth 登录
viper.SetDefault("dingtalk_connect.enabled", false)
viper.SetDefault("dingtalk_connect.authorize_url", "https://login.dingtalk.com/oauth2/auth")
viper.SetDefault("dingtalk_connect.token_url", "https://api.dingtalk.com/v1.0/oauth2/userAccessToken")
viper.SetDefault("dingtalk_connect.userinfo_url", "https://api.dingtalk.com/v1.0/contact/users/me")
viper.SetDefault("dingtalk_connect.scopes", "openid")
viper.SetDefault("dingtalk_connect.frontend_redirect_url", "/auth/dingtalk/callback")
viper.SetDefault("dingtalk_connect.dingtalk_app_kind", "internal_app")
viper.SetDefault("dingtalk_connect.app_type", "public")
viper.SetDefault("dingtalk_connect.corp_restriction_policy", "none")
viper.SetDefault("dingtalk_connect.require_email", true)
viper.SetDefault("dingtalk_connect.username_overwrite_policy", "if_empty")

// Database
viper.SetDefault("database.host", "localhost")
viper.SetDefault("database.port", 5432)
Expand Down Expand Up @@ -2608,6 +2663,9 @@ func (c *Config) Validate() error {
if c.Concurrency.PingInterval < 5 || c.Concurrency.PingInterval > 30 {
return fmt.Errorf("concurrency.ping_interval must be between 5-30 seconds")
}
if err := ValidateDingTalkConfig(c.DingTalk); err != nil {
return fmt.Errorf("dingtalk_connect: %w", err)
}
return nil
}

Expand Down
30 changes: 30 additions & 0 deletions backend/internal/config/validate_dingtalk.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
// Package config 包含钉钉连接配置的校验逻辑。
//
// internal_only 模式安全模型(方案 A):
// 不再要求 admin 填写 InternalCorpID 做二次 corpID 比对。
// 安全边界由钉钉"企业内部应用"类型本身保证——只有应用所属企业的员工才能完成 OAuth,
// 因此 ValidateDingTalkConfig 只要求 app_type=internal(V1),不再要求 InternalCorpID 非空(原 V3 已删除)。
// InternalCorpID 字段保留,admin 可选填;若填写,checkDingTalkCorpAllowed 不会使用它做约束。
package config

import "errors"

var (
ErrDingTalkV1AppTypeMismatch = errors.New("dingtalk: internal_only requires app_type=internal")
ErrDingTalkV4InvalidAppKind = errors.New("dingtalk: dingtalk_app_kind must be internal_app")
)

func ValidateDingTalkConfig(cfg DingTalkConnectConfig) error {
if !cfg.Enabled {
return nil
}
if cfg.DingTalkAppKind != "internal_app" {
return ErrDingTalkV4InvalidAppKind
}
if cfg.CorpRestrictionPolicy == "internal_only" {
if cfg.AppType != "internal" {
return ErrDingTalkV1AppTypeMismatch
}
}
return nil
}
53 changes: 53 additions & 0 deletions backend/internal/config/validate_dingtalk_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package config

import (
"testing"

"github.com/stretchr/testify/require"
)

func TestValidateDingTalkConfig_Disabled_Skip(t *testing.T) {
require.NoError(t, ValidateDingTalkConfig(DingTalkConnectConfig{Enabled: false}))
}

func TestValidateDingTalkConfig_V4_DingTalkAppKind(t *testing.T) {
err := ValidateDingTalkConfig(DingTalkConnectConfig{
Enabled: true,
DingTalkAppKind: "third_party_enterprise_app",
CorpRestrictionPolicy: "none",
})
require.ErrorIs(t, err, ErrDingTalkV4InvalidAppKind)
}

func TestValidateDingTalkConfig_V1_InternalOnlyRequiresInternalAppType(t *testing.T) {
err := ValidateDingTalkConfig(DingTalkConnectConfig{
Enabled: true,
DingTalkAppKind: "internal_app",
AppType: "public",
CorpRestrictionPolicy: "internal_only",
InternalCorpID: "dingABC",
})
require.ErrorIs(t, err, ErrDingTalkV1AppTypeMismatch)
}

// TestValidateDingTalkConfig_V3_InternalOnlyAllowsEmptyCorpID 验证方案 A:
// internal_only 策略下,InternalCorpID="" 应通过校验(企业隔离由钉钉 AppType=internal 保证)。
func TestValidateDingTalkConfig_V3_InternalOnlyAllowsEmptyCorpID(t *testing.T) {
err := ValidateDingTalkConfig(DingTalkConnectConfig{
Enabled: true,
DingTalkAppKind: "internal_app",
AppType: "internal",
CorpRestrictionPolicy: "internal_only",
InternalCorpID: "",
})
require.NoError(t, err)
}

func TestValidateDingTalkConfig_HappyPath_None(t *testing.T) {
require.NoError(t, ValidateDingTalkConfig(DingTalkConnectConfig{
Enabled: true,
DingTalkAppKind: "internal_app",
AppType: "public",
CorpRestrictionPolicy: "none",
}))
}
Loading
Loading