Skip to content

Commit

Permalink
Merge branch 'stable27' into backport/39044/stable27
Browse files Browse the repository at this point in the history
  • Loading branch information
staticdev authored Dec 5, 2023
2 parents 15bed77 + a4a120c commit 572890d
Show file tree
Hide file tree
Showing 14 changed files with 204 additions and 6 deletions.
1 change: 1 addition & 0 deletions apps/user_ldap/appinfo/info.xml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
<command>OCA\User_LDAP\Command\CheckUser</command>
<command>OCA\User_LDAP\Command\CreateEmptyConfig</command>
<command>OCA\User_LDAP\Command\DeleteConfig</command>
<command>OCA\User_LDAP\Command\PromoteGroup</command>
<command>OCA\User_LDAP\Command\ResetGroup</command>
<command>OCA\User_LDAP\Command\ResetUser</command>
<command>OCA\User_LDAP\Command\Search</command>
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/composer/composer/autoload_classmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
'OCA\\User_LDAP\\Command\\CheckUser' => $baseDir . '/../lib/Command/CheckUser.php',
'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => $baseDir . '/../lib/Command/CreateEmptyConfig.php',
'OCA\\User_LDAP\\Command\\DeleteConfig' => $baseDir . '/../lib/Command/DeleteConfig.php',
'OCA\\User_LDAP\\Command\\PromoteGroup' => $baseDir . '/../lib/Command/PromoteGroup.php',
'OCA\\User_LDAP\\Command\\ResetGroup' => $baseDir . '/../lib/Command/ResetGroup.php',
'OCA\\User_LDAP\\Command\\ResetUser' => $baseDir . '/../lib/Command/ResetUser.php',
'OCA\\User_LDAP\\Command\\Search' => $baseDir . '/../lib/Command/Search.php',
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/composer/composer/autoload_static.php
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ class ComposerStaticInitUser_LDAP
'OCA\\User_LDAP\\Command\\CheckUser' => __DIR__ . '/..' . '/../lib/Command/CheckUser.php',
'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => __DIR__ . '/..' . '/../lib/Command/CreateEmptyConfig.php',
'OCA\\User_LDAP\\Command\\DeleteConfig' => __DIR__ . '/..' . '/../lib/Command/DeleteConfig.php',
'OCA\\User_LDAP\\Command\\PromoteGroup' => __DIR__ . '/..' . '/../lib/Command/PromoteGroup.php',
'OCA\\User_LDAP\\Command\\ResetGroup' => __DIR__ . '/..' . '/../lib/Command/ResetGroup.php',
'OCA\\User_LDAP\\Command\\ResetUser' => __DIR__ . '/..' . '/../lib/Command/ResetUser.php',
'OCA\\User_LDAP\\Command\\Search' => __DIR__ . '/..' . '/../lib/Command/Search.php',
Expand Down
128 changes: 128 additions & 0 deletions apps/user_ldap/lib/Command/PromoteGroup.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
<?php

declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\User_LDAP\Command;

use OCA\User_LDAP\Group_Proxy;
use OCP\IGroup;
use OCP\IGroupManager;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\Question;

class PromoteGroup extends Command {

public function __construct(
private IGroupManager $groupManager,
private Group_Proxy $backend
) {
parent::__construct();
}

protected function configure(): void {
$this
->setName('ldap:promote-group')
->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)')
->addArgument(
'group',
InputArgument::REQUIRED,
'the group ID in Nextcloud or a group name'
)
->addOption(
'yes',
'y',
InputOption::VALUE_NONE,
'do not ask for confirmation'
);
}

protected function formatGroupName(IGroup $group): string {
$idLabel = '';
if ($group->getGID() !== $group->getDisplayName()) {
$idLabel = sprintf(' (Group ID: %s)', $group->getGID());
}
return sprintf('%s%s', $group->getDisplayName(), $idLabel);
}

protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void {
$access = $this->backend->getLDAPAccess($group->getGID());
$currentlyPromotedGroupId = $access->connection->ldapAdminGroup;
if ($currentlyPromotedGroupId === $group->getGID()) {
$output->writeln('<info>The specified group is already promoted</info>');
return;
}

if ($input->getOption('yes') === false) {
$currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId);
$demoteLabel = '';
if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) {
$groupNameLabel = $this->formatGroupName($currentlyPromotedGroup);
$demoteLabel = sprintf('and demote %s ', $groupNameLabel);
}

/** @var QuestionHelper $helper */
$helper = $this->getHelper('question');
$q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel));
$input->setOption('yes', $helper->ask($input, $output, $q) === 'y');
}
if ($input->getOption('yes') === true) {
$access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]);
$access->connection->saveConfiguration();
$output->writeln(sprintf('<info>Group %s was promoted</info>', $group->getDisplayName()));
} else {
$output->writeln('<comment>Group promotion cancelled</comment>');
}
}

protected function execute(InputInterface $input, OutputInterface $output): int {
$groupInput = (string)$input->getArgument('group');
$group = $this->groupManager->get($groupInput);

if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) {
$this->promoteGroup($group, $input, $output);
return 0;
}

$groupCandidates = $this->backend->getGroups($groupInput, 20);
foreach ($groupCandidates as $gidCandidate) {
$group = $this->groupManager->get($gidCandidate);
if ($group !== null
&& $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group
&& ($group->getGID() === $groupInput
|| $group->getDisplayName() === $groupInput)
) {
$this->promoteGroup($group, $input, $output);
return 0;
}
}

$output->writeln('<error>No matching group found</error>');
return 1;
}

}
3 changes: 3 additions & 0 deletions apps/user_ldap/lib/Configuration.php
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ class Configuration {
'ldapAttributeRole' => null,
'ldapAttributeHeadline' => null,
'ldapAttributeBiography' => null,
'ldapAdminGroup' => '',
];

public function __construct(string $configPrefix, bool $autoRead = true) {
Expand Down Expand Up @@ -488,6 +489,7 @@ public function getDefaults(): array {
'ldap_attr_role' => '',
'ldap_attr_headline' => '',
'ldap_attr_biography' => '',
'ldap_admin_group' => '',
];
}

Expand Down Expand Up @@ -563,6 +565,7 @@ public function getConfigTranslationArray(): array {
'ldap_attr_role' => 'ldapAttributeRole',
'ldap_attr_headline' => 'ldapAttributeHeadline',
'ldap_attr_biography' => 'ldapAttributeBiography',
'ldap_admin_group' => 'ldapAdminGroup',
];
return $array;
}
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/lib/Connection.php
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@
* @property string ldapAttributeRole
* @property string ldapAttributeHeadline
* @property string ldapAttributeBiography
* @property string ldapAdminGroup
*/
class Connection extends LDAPUtility {
/**
Expand Down
18 changes: 17 additions & 1 deletion apps/user_ldap/lib/Group_LDAP.php
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@
use OC\ServerNotAvailableException;
use OCA\User_LDAP\User\OfflineUser;
use OCP\Cache\CappedMemoryCache;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\GroupInterface;
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
Expand All @@ -57,7 +58,7 @@
use Psr\Log\LoggerInterface;
use function json_decode;

class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
protected bool $enabled = false;

/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of users with gid as key */
Expand Down Expand Up @@ -1227,6 +1228,7 @@ protected function filterValidGroups(array $listOfGroups): array {
public function implementsActions($actions): bool {
return (bool)((GroupInterface::COUNT_USERS |
GroupInterface::DELETE_GROUP |
GroupInterface::IS_ADMIN |
$this->groupPluginManager->getImplementedActions()) & $actions);
}

Expand Down Expand Up @@ -1392,4 +1394,18 @@ public function getDisplayName(string $gid): string {
$this->access->connection->writeToCache($cacheKey, $displayName);
return $displayName;
}

/**
* @throws ServerNotAvailableException
*/
public function isAdmin(string $uid): bool {
if (!$this->enabled) {
return false;
}
$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
if ($ldapAdminGroup === '') {
return false;
}
return $this->inGroup($uid, $ldapAdminGroup);
}
}
7 changes: 6 additions & 1 deletion apps/user_ldap/lib/Group_Proxy.php
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,13 @@

use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\Group\Backend\INamedBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;

class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend {
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IIsAdminBackend {
private $backends = [];
private ?Group_LDAP $refBackend = null;
private Helper $helper;
Expand Down Expand Up @@ -347,4 +348,8 @@ public function getBackendName(): string {
public function searchInGroup(string $gid, string $search = '', int $limit = -1, int $offset = 0): array {
return $this->handleRequest($gid, 'searchInGroup', [$gid, $search, $limit, $offset]);
}

public function isAdmin(string $uid): bool {
return $this->handleRequest($uid, 'isAdmin', [$uid]);
}
}
28 changes: 28 additions & 0 deletions build/integration/ldap_features/openldap-numerical-id.feature
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
| 50194 | 1 |
| 59376 | 1 |
| 59463 | 1 |

Scenario: Test LDAP admin group mapping, empowered user
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# alice, part of the promoted group
And Logging in using web as "92379"
And sending "GET" to "/cloud/groups"
And sending "GET" to "/cloud/groups/2000/users"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "200"

Scenario: Test LDAP admin group mapping, regular user (no access)
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# gustaf, not part of the promoted group
And Logging in using web as "59376"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "403"
3 changes: 2 additions & 1 deletion core/Controller/LoginController.php
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@
class LoginController extends Controller {
public const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword';
public const LOGIN_MSG_USERDISABLED = 'userdisabled';
public const LOGIN_MSG_CSRFCHECKFAILED = 'csrfCheckFailed';

private IUserManager $userManager;
private IConfig $config;
Expand Down Expand Up @@ -311,7 +312,7 @@ public function tryLogin(Chain $loginChain,
$user,
$user,
$redirect_url,
$this->l10n->t('Please try again')
self::LOGIN_MSG_CSRFCHECKFAILED
);
}

Expand Down
8 changes: 8 additions & 0 deletions core/src/components/login/LoginForm.vue
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,11 @@
type="warning">
{{ t('core', 'Please contact your administrator.') }}
</NcNoteCard>
<NcNoteCard v-if="csrfCheckFailed"
:heading="t('core', 'Temporary error')"
type="error">
{{ t('core', 'Please try again.') }}
</NcNoteCard>
<NcNoteCard v-if="messages.length > 0">
<div v-for="(message, index) in messages"
:key="index">
Expand Down Expand Up @@ -186,6 +191,9 @@ export default {
apacheAuthFailed() {
return this.errors.indexOf('apacheAuthFailed') !== -1
},
csrfCheckFailed() {
return this.errors.indexOf('csrfCheckFailed') !== -1
},
internalException() {
return this.errors.indexOf('internalexception') !== -1
},
Expand Down
4 changes: 2 additions & 2 deletions dist/core-login.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/core-login.js.map

Large diffs are not rendered by default.

5 changes: 5 additions & 0 deletions lib/private/Authentication/Login/LoginResult.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@
*/
namespace OC\Authentication\Login;

use OC\Core\Controller\LoginController;

class LoginResult {
/** @var bool */
private $success;
Expand Down Expand Up @@ -59,6 +61,9 @@ public static function success(LoginData $data, ?string $redirectUrl = null) {
return $result;
}

/**
* @param LoginController::LOGIN_MSG_*|null $msg
*/
public static function failure(LoginData $data, string $msg = null): LoginResult {
$result = new static(false, $data);
if ($msg !== null) {
Expand Down

0 comments on commit 572890d

Please sign in to comment.