
Conversation


@KevLehman KevLehman commented Oct 24, 2025

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC-55

Steps to test or reproduce

Further comments

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • LDAP synchronization now properly respects ABAC-protected channels and teams by skipping them during user synchronization operations when ABAC is enabled.


dionisio-bot bot commented Oct 24, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot bot commented Oct 24, 2025

⚠️ No Changeset found

Latest commit: af17b64

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Oct 24, 2025

Walkthrough

This PR adds ABAC (Attribute-Based Access Control) guards to user-channel and user-team synchronization in LDAP Manager, preventing sync operations from adding users to channels or teams that have ABAC-protected rooms. It introduces a new finder method to query private rooms with ABAC attributes.

Changes

Cohort / File(s) Summary
LDAP Manager ABAC Sync Guards
apps/meteor/ee/server/lib/ldap/Manager.ts
Added short-circuit logic for user-channel and user-team synchronization; when ABAC is enabled, queries for ABAC-protected rooms and filters them out from addition operations, returning early if no teams remain.
Room Model Type Definitions
packages/model-typings/src/models/IRoomsModel.ts
Added new public finder method findPrivateRoomsByIdsWithAbacAttributes(ids: string[], options?: FindOptions<IRoom>): FindCursor<IRoom> to IRoomsModel interface.
Room Model Implementation
packages/models/src/models/Rooms.ts
Implemented findPrivateRoomsByIdsWithAbacAttributes() method in RoomsRaw class; constructs query filtering by room IDs, private room type, and non-empty ABAC attributes, then delegates to find().

Sequence Diagram

sequenceDiagram
    participant LDAPSync as LDAP Sync
    participant RoomsModel as Rooms Model
    participant DB as Database
    
    rect rgb(230, 240, 255)
    Note over LDAPSync,DB: User-Channel/Team Sync Flow
    
    alt ABAC Enabled
        LDAPSync->>LDAPSync: Check if ABAC enabled
        activate LDAPSync
        LDAPSync->>RoomsModel: findPrivateRoomsByIdsWithAbacAttributes()
        activate RoomsModel
        RoomsModel->>DB: Query: _id in ids, type='p', abacAttributes exists
        DB-->>RoomsModel: ABAC-protected room IDs
        RoomsModel-->>LDAPSync: ABAC room results
        deactivate RoomsModel
        
        LDAPSync->>LDAPSync: Filter out ABAC rooms from candidates
        alt Rooms/Teams Remain
            LDAPSync->>LDAPSync: Add to non-ABAC channels/teams
        else No Rooms/Teams Remain
            LDAPSync->>LDAPSync: Return early (skip operation)
        end
        deactivate LDAPSync
    else ABAC Disabled
        LDAPSync->>LDAPSync: Proceed with normal sync
    end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The changes span three related files with straightforward logic additions: new model method, its interface definition, and LDAP manager integration. The code patterns are consistent and logic density is moderate, though reviewers should verify ABAC filtering correctness and ensure the early-return conditions are handled properly.

Possibly related PRs

Suggested reviewers

  • tassoevan
  • d-gubert
  • lucas-a-pelegrino

Poem

🐰 With ABAC wisdom, we guard our rooms,
No sync shall pass where protection blooms,
Channels stay safe from unwanted tide,
Teams respect boundaries, side by side!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
  • Description Check (✅ Passed): Check skipped because CodeRabbit's high-level summary is enabled.
  • Title Check (✅ Passed): The pull request title "feat: Prevent LDAP sync from adding users to abac rooms/teams" accurately and concisely describes the main objective of the changeset. The implementation adds logic to the LDAP Manager to skip adding users to channels and teams when ABAC attributes are present, and introduces a supporting method to identify private rooms with ABAC attributes. The title clearly conveys the primary change without being vague or misleading.
  • Linked Issues Check (✅ Passed): The linked issue ABAC-55 requests disabling channel/team sync for ABAC rooms, and the code changes directly address this requirement. The LDAP Manager modifications add short-circuit logic to prevent user addition to channels with ABAC attributes [Manager.ts] and filter out ABAC-protected teams from synchronization. Supporting changes include new methods in IRoomsModel and Rooms to identify private rooms with ABAC attributes, which are necessary to implement the filtering logic. The implementation meets the coding requirements specified in the linked issue.
  • Out of Scope Changes Check (✅ Passed): All code changes in this pull request are directly related to the linked issue's objective. The modifications to Manager.ts implement the core feature of preventing LDAP sync from adding users to ABAC-protected channels and teams, while the method additions to IRoomsModel.ts and Rooms.ts provide necessary supporting functionality to identify which rooms have ABAC attributes. No unrelated or tangential changes are present in the changeset.


codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.11%. Comparing base (5e9962a) to head (af17b64).
⚠️ Report is 1 commits behind head on feat/abac.

Additional details and impacted files


@@              Coverage Diff              @@
##           feat/abac   #37299      +/-   ##
=============================================
+ Coverage      70.09%   70.11%   +0.02%     
=============================================
  Files           3032     3032              
  Lines         103981   103981              
  Branches       18491    18494       +3     
=============================================
+ Hits           72887    72909      +22     
+ Misses         29144    29118      -26     
- Partials        1950     1954       +4     
Flag Coverage Δ
e2e 57.40% <ø> (+0.01%) ⬆️
unit 71.68% <ø> (+0.03%) ⬆️



@KevLehman KevLehman marked this pull request as ready for review October 24, 2025 17:22
@KevLehman KevLehman requested a review from a team as a code owner October 24, 2025 17:22

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5e9962a and af17b64.

📒 Files selected for processing (3)
  • apps/meteor/ee/server/lib/ldap/Manager.ts (2 hunks)
  • packages/model-typings/src/models/IRoomsModel.ts (1 hunks)
  • packages/models/src/models/Rooms.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
packages/models/src/models/Rooms.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
packages/model-typings/src/models/IRoomsModel.ts (1)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (5/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 7.0 [legacy watchers] (4/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 7.0 [legacy watchers] (3/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 7.0 (4/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 5.0 (3/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 7.0 [legacy watchers] (2/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 7.0 [legacy watchers] (5/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 7.0 (1/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 5.0 (1/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 7.0 (2/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 7.0 [legacy watchers] (1/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (3/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 5.0 (2/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 7.0 (3/4) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (1/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (4/5) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (CE) / MongoDB 5.0 (4/4) - Alpine (Official)
  • GitHub Check: 🔨 Test API (EE) / MongoDB 5.0 (1/1) - Alpine (Official)
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (2/5) - Alpine (Official)
🔇 Additional comments (3)
apps/meteor/ee/server/lib/ldap/Manager.ts (1)

361-364: LGTM - ABAC guard correctly prevents channel auto-join.

The check appropriately skips adding users to ABAC-protected channels during LDAP sync. The error logging provides clear feedback about why the channel was skipped.

packages/model-typings/src/models/IRoomsModel.ts (1)

220-220: LGTM - Type signature correctly defines the new ABAC-aware finder method.

The method signature properly describes the new finder for private rooms with ABAC attributes, aligning with the implementation in the Rooms model.

packages/models/src/models/Rooms.ts (1)

1271-1279: LGTM - Implementation correctly queries private rooms with ABAC attributes.

The method implementation properly filters for:

  • Rooms matching the provided IDs
  • Private room type ('p')
  • Non-empty abacAttributes array

The query structure and the use of $exists together with $ne: [] ensure that only rooms with actual ABAC configuration are returned.

Note: This method is scoped to private rooms only. If the use case requires checking public rooms (type 'c') for ABAC attributes as well, consider creating a more general method or renaming this to clarify its scope.
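The following is an added example, not code from this PR or from Rocket.Chat. It models, in plain TypeScript that runs offline, the guard the walkthrough describes (query ABAC-protected private rooms, drop them from the candidate list, return early if nothing remains) and the query semantics discussed in the review above (type 'p', abacAttributes present and not an empty array). The Room shape, the field name `t` for the room type, the attribute shape, the sample rooms and every function name are assumptions for illustration; only `_id`, the private type `'p'` and `abacAttributes` come from the page.

```typescript
// Added example, not Rocket.Chat code. Field names other than `_id`, `t` and
// `abacAttributes`, the attribute shape and the sample data are assumptions.

interface AbacAttribute {
  key: string;       // assumed shape of one ABAC attribute
  values: string[];
}

interface Room {
  _id: string;
  t: 'c' | 'p' | 'd'; // assumed: public channel, private group, direct message
  name: string;
  abacAttributes?: AbacAttribute[] | null;
}

// In-memory equivalent of the query the review describes:
//   { _id: { $in: ids }, t: 'p', abacAttributes: { $exists: true, $ne: [] } }
// `$exists: true` plus `$ne: []` is modelled as "key present and not an empty
// array"; like the MongoDB form it also matches a null value, i.e. it fails
// closed rather than treating a malformed field as unprotected.
function matchesAbacPrivateRoomQuery(room: Room, ids: ReadonlySet<string>): boolean {
  if (!ids.has(room._id) || room.t !== 'p') return false;
  if (!('abacAttributes' in room)) return false;          // $exists: false
  const attrs = room.abacAttributes;
  return !(Array.isArray(attrs) && attrs.length === 0);   // $ne: []
}

// Stand-in for the finder the PR adds; here it scans an array instead of a collection.
function findPrivateRoomsByIdsWithAbacAttributes(rooms: readonly Room[], ids: readonly string[]): Room[] {
  const wanted = new Set(ids);
  return rooms.filter((r) => matchesAbacPrivateRoomQuery(r, wanted));
}

interface SyncPlan {
  toJoin: string[];       // room ids the LDAP sync may still add the user to
  skipped: string[];      // ABAC-protected rooms, left alone (and logged in the real code)
  shortCircuit: boolean;  // true when nothing remains and the sync returns early
}

// The guard from the walkthrough: with ABAC disabled, sync proceeds unchanged;
// with ABAC enabled, protected private rooms are removed from the candidates.
function planLdapRoomSync(rooms: readonly Room[], candidateIds: readonly string[], abacEnabled: boolean): SyncPlan {
  if (!abacEnabled) {
    return { toJoin: [...candidateIds], skipped: [], shortCircuit: false };
  }
  const protectedIds = new Set(findPrivateRoomsByIdsWithAbacAttributes(rooms, candidateIds).map((r) => r._id));
  const toJoin = candidateIds.filter((id) => !protectedIds.has(id));
  const skipped = candidateIds.filter((id) => protectedIds.has(id));
  return { toJoin, skipped, shortCircuit: toJoin.length === 0 };
}

// Constructed sample rooms (not real data) covering the edge cases.
const SAMPLE_ROOMS: Room[] = [
  { _id: 'r-general', t: 'c', name: 'general' },
  { _id: 'r-finance', t: 'p', name: 'finance', abacAttributes: [{ key: 'department', values: ['finance'] }] },
  { _id: 'r-eng', t: 'p', name: 'engineering', abacAttributes: [] },      // empty array: not protected
  { _id: 'r-legal', t: 'p', name: 'legal', abacAttributes: null },         // null: still matched, fail-closed
  { _id: 'r-news', t: 'c', name: 'announcements', abacAttributes: [{ key: 'site', values: ['hq'] }] }, // public: not matched
];

function demo(): { withAbac: SyncPlan; withoutAbac: SyncPlan; allProtected: SyncPlan } {
  const candidates = ['r-general', 'r-finance', 'r-eng', 'r-legal', 'r-news'];
  return {
    withAbac: planLdapRoomSync(SAMPLE_ROOMS, candidates, true),
    withoutAbac: planLdapRoomSync(SAMPLE_ROOMS, candidates, false),
    allProtected: planLdapRoomSync(SAMPLE_ROOMS, ['r-finance', 'r-legal'], true),
  };
}

const result = demo();
console.log(JSON.stringify(result, null, 2));
```

The `r-news` case is the scope caveat raised in the review made concrete: a public room carrying abacAttributes is not returned by a finder restricted to type 'p', so the sync would still add the user to it. Whether that is acceptable depends on whether ABAC attributes are ever set on public rooms in the deployment; if they are, the finder needs the broader scope the review suggests.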

@KevLehman KevLehman merged commit 0aa0e27 into feat/abac Oct 24, 2025
100 of 110 checks passed
@KevLehman KevLehman deleted the feat/prevent-autojoin-ldap-abac branch October 24, 2025 19:03
@coderabbitai coderabbitai bot mentioned this pull request Nov 25, 2025
@coderabbitai coderabbitai bot mentioned this pull request Nov 28, 2025