Skip to content

Commit

Permalink
Merge pull request #42017 from nextcloud/backport/41650/stable28
Browse files Browse the repository at this point in the history
[stable28] feat(LDAP): implement IIsAdmin interface
  • Loading branch information
blizzz authored Dec 5, 2023
2 parents 7ae780b + 26465f3 commit 034241b
Show file tree
Hide file tree
Showing 9 changed files with 186 additions and 2 deletions.
1 change: 1 addition & 0 deletions apps/user_ldap/appinfo/info.xml
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
<command>OCA\User_LDAP\Command\CheckGroup</command>
<command>OCA\User_LDAP\Command\CreateEmptyConfig</command>
<command>OCA\User_LDAP\Command\DeleteConfig</command>
<command>OCA\User_LDAP\Command\PromoteGroup</command>
<command>OCA\User_LDAP\Command\ResetGroup</command>
<command>OCA\User_LDAP\Command\ResetUser</command>
<command>OCA\User_LDAP\Command\Search</command>
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/composer/composer/autoload_classmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
'OCA\\User_LDAP\\Command\\CheckUser' => $baseDir . '/../lib/Command/CheckUser.php',
'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => $baseDir . '/../lib/Command/CreateEmptyConfig.php',
'OCA\\User_LDAP\\Command\\DeleteConfig' => $baseDir . '/../lib/Command/DeleteConfig.php',
'OCA\\User_LDAP\\Command\\PromoteGroup' => $baseDir . '/../lib/Command/PromoteGroup.php',
'OCA\\User_LDAP\\Command\\ResetGroup' => $baseDir . '/../lib/Command/ResetGroup.php',
'OCA\\User_LDAP\\Command\\ResetUser' => $baseDir . '/../lib/Command/ResetUser.php',
'OCA\\User_LDAP\\Command\\Search' => $baseDir . '/../lib/Command/Search.php',
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/composer/composer/autoload_static.php
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ class ComposerStaticInitUser_LDAP
'OCA\\User_LDAP\\Command\\CheckUser' => __DIR__ . '/..' . '/../lib/Command/CheckUser.php',
'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => __DIR__ . '/..' . '/../lib/Command/CreateEmptyConfig.php',
'OCA\\User_LDAP\\Command\\DeleteConfig' => __DIR__ . '/..' . '/../lib/Command/DeleteConfig.php',
'OCA\\User_LDAP\\Command\\PromoteGroup' => __DIR__ . '/..' . '/../lib/Command/PromoteGroup.php',
'OCA\\User_LDAP\\Command\\ResetGroup' => __DIR__ . '/..' . '/../lib/Command/ResetGroup.php',
'OCA\\User_LDAP\\Command\\ResetUser' => __DIR__ . '/..' . '/../lib/Command/ResetUser.php',
'OCA\\User_LDAP\\Command\\Search' => __DIR__ . '/..' . '/../lib/Command/Search.php',
Expand Down
128 changes: 128 additions & 0 deletions apps/user_ldap/lib/Command/PromoteGroup.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
<?php

declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\User_LDAP\Command;

use OCA\User_LDAP\Group_Proxy;
use OCP\IGroup;
use OCP\IGroupManager;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\Question;

class PromoteGroup extends Command {

public function __construct(
private IGroupManager $groupManager,
private Group_Proxy $backend
) {
parent::__construct();
}

protected function configure(): void {
$this
->setName('ldap:promote-group')
->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)')
->addArgument(
'group',
InputArgument::REQUIRED,
'the group ID in Nextcloud or a group name'
)
->addOption(
'yes',
'y',
InputOption::VALUE_NONE,
'do not ask for confirmation'
);
}

protected function formatGroupName(IGroup $group): string {
$idLabel = '';
if ($group->getGID() !== $group->getDisplayName()) {
$idLabel = sprintf(' (Group ID: %s)', $group->getGID());
}
return sprintf('%s%s', $group->getDisplayName(), $idLabel);
}

protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void {
$access = $this->backend->getLDAPAccess($group->getGID());
$currentlyPromotedGroupId = $access->connection->ldapAdminGroup;
if ($currentlyPromotedGroupId === $group->getGID()) {
$output->writeln('<info>The specified group is already promoted</info>');
return;
}

if ($input->getOption('yes') === false) {
$currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId);
$demoteLabel = '';
if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) {
$groupNameLabel = $this->formatGroupName($currentlyPromotedGroup);
$demoteLabel = sprintf('and demote %s ', $groupNameLabel);
}

/** @var QuestionHelper $helper */
$helper = $this->getHelper('question');
$q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel));
$input->setOption('yes', $helper->ask($input, $output, $q) === 'y');
}
if ($input->getOption('yes') === true) {
$access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]);
$access->connection->saveConfiguration();
$output->writeln(sprintf('<info>Group %s was promoted</info>', $group->getDisplayName()));
} else {
$output->writeln('<comment>Group promotion cancelled</comment>');
}
}

protected function execute(InputInterface $input, OutputInterface $output): int {
$groupInput = (string)$input->getArgument('group');
$group = $this->groupManager->get($groupInput);

if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) {
$this->promoteGroup($group, $input, $output);
return 0;
}

$groupCandidates = $this->backend->getGroups($groupInput, 20);
foreach ($groupCandidates as $gidCandidate) {
$group = $this->groupManager->get($gidCandidate);
if ($group !== null
&& $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group
&& ($group->getGID() === $groupInput
|| $group->getDisplayName() === $groupInput)
) {
$this->promoteGroup($group, $input, $output);
return 0;
}
}

$output->writeln('<error>No matching group found</error>');
return 1;
}

}
3 changes: 3 additions & 0 deletions apps/user_ldap/lib/Configuration.php
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,7 @@ class Configuration {
'ldapAttributeRole' => null,
'ldapAttributeHeadline' => null,
'ldapAttributeBiography' => null,
'ldapAdminGroup' => '',
];

public function __construct(string $configPrefix, bool $autoRead = true) {
Expand Down Expand Up @@ -490,6 +491,7 @@ public function getDefaults(): array {
'ldap_attr_role' => '',
'ldap_attr_headline' => '',
'ldap_attr_biography' => '',
'ldap_admin_group' => '',
];
}

Expand Down Expand Up @@ -566,6 +568,7 @@ public function getConfigTranslationArray(): array {
'ldap_attr_role' => 'ldapAttributeRole',
'ldap_attr_headline' => 'ldapAttributeHeadline',
'ldap_attr_biography' => 'ldapAttributeBiography',
'ldap_admin_group' => 'ldapAdminGroup',
];
return $array;
}
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/lib/Connection.php
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@
* @property string ldapAttributeRole
* @property string ldapAttributeHeadline
* @property string ldapAttributeBiography
* @property string ldapAdminGroup
*/
class Connection extends LDAPUtility {
/**
Expand Down
18 changes: 17 additions & 1 deletion apps/user_ldap/lib/Group_LDAP.php
Original file line number Diff line number Diff line change
Expand Up @@ -51,14 +51,15 @@
use OCP\Group\Backend\ABackend;
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;
use OCP\Server;
use Psr\Log\LoggerInterface;
use function json_decode;

class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
protected bool $enabled = false;

/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
Expand Down Expand Up @@ -1241,6 +1242,7 @@ protected function filterValidGroups(array $listOfGroups): array {
public function implementsActions($actions): bool {
return (bool)((GroupInterface::COUNT_USERS |
GroupInterface::DELETE_GROUP |
GroupInterface::IS_ADMIN |
$this->groupPluginManager->getImplementedActions()) & $actions);
}

Expand Down Expand Up @@ -1444,4 +1446,18 @@ public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gi
// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
}

/**
* @throws ServerNotAvailableException
*/
public function isAdmin(string $uid): bool {
if (!$this->enabled) {
return false;
}
$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
if ($ldapAdminGroup === '') {
return false;
}
return $this->inGroup($uid, $ldapAdminGroup);
}
}
7 changes: 6 additions & 1 deletion apps/user_ldap/lib/Group_Proxy.php
Original file line number Diff line number Diff line change
Expand Up @@ -33,12 +33,13 @@
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IGroupDetailsBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\Group\Backend\INamedBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;

class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
private $backends = [];
private ?Group_LDAP $refBackend = null;
private Helper $helper;
Expand Down Expand Up @@ -396,4 +397,8 @@ public function searchInGroup(string $gid, string $search = '', int $limit = -1,
public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
}

public function isAdmin(string $uid): bool {
return $this->handleRequest($uid, 'isAdmin', [$uid]);
}
}
28 changes: 28 additions & 0 deletions build/integration/ldap_features/openldap-numerical-id.feature
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
| 50194 | 1 |
| 59376 | 1 |
| 59463 | 1 |

Scenario: Test LDAP admin group mapping, empowered user
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# alice, part of the promoted group
And Logging in using web as "92379"
And sending "GET" to "/cloud/groups"
And sending "GET" to "/cloud/groups/2000/users"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "200"

Scenario: Test LDAP admin group mapping, regular user (no access)
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# gustaf, not part of the promoted group
And Logging in using web as "59376"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "403"

0 comments on commit 034241b

Please sign in to comment.