Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(LDAP): implement IIsAdmin interface #41650

Merged
merged 3 commits into from
Dec 1, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions apps/user_ldap/appinfo/info.xml
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
<command>OCA\User_LDAP\Command\CheckGroup</command>
<command>OCA\User_LDAP\Command\CreateEmptyConfig</command>
<command>OCA\User_LDAP\Command\DeleteConfig</command>
<command>OCA\User_LDAP\Command\PromoteGroup</command>
<command>OCA\User_LDAP\Command\ResetGroup</command>
<command>OCA\User_LDAP\Command\ResetUser</command>
<command>OCA\User_LDAP\Command\Search</command>
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/composer/composer/autoload_classmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
'OCA\\User_LDAP\\Command\\CheckUser' => $baseDir . '/../lib/Command/CheckUser.php',
'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => $baseDir . '/../lib/Command/CreateEmptyConfig.php',
'OCA\\User_LDAP\\Command\\DeleteConfig' => $baseDir . '/../lib/Command/DeleteConfig.php',
'OCA\\User_LDAP\\Command\\PromoteGroup' => $baseDir . '/../lib/Command/PromoteGroup.php',
'OCA\\User_LDAP\\Command\\ResetGroup' => $baseDir . '/../lib/Command/ResetGroup.php',
'OCA\\User_LDAP\\Command\\ResetUser' => $baseDir . '/../lib/Command/ResetUser.php',
'OCA\\User_LDAP\\Command\\Search' => $baseDir . '/../lib/Command/Search.php',
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/composer/composer/autoload_static.php
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ class ComposerStaticInitUser_LDAP
'OCA\\User_LDAP\\Command\\CheckUser' => __DIR__ . '/..' . '/../lib/Command/CheckUser.php',
'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => __DIR__ . '/..' . '/../lib/Command/CreateEmptyConfig.php',
'OCA\\User_LDAP\\Command\\DeleteConfig' => __DIR__ . '/..' . '/../lib/Command/DeleteConfig.php',
'OCA\\User_LDAP\\Command\\PromoteGroup' => __DIR__ . '/..' . '/../lib/Command/PromoteGroup.php',
'OCA\\User_LDAP\\Command\\ResetGroup' => __DIR__ . '/..' . '/../lib/Command/ResetGroup.php',
'OCA\\User_LDAP\\Command\\ResetUser' => __DIR__ . '/..' . '/../lib/Command/ResetUser.php',
'OCA\\User_LDAP\\Command\\Search' => __DIR__ . '/..' . '/../lib/Command/Search.php',
Expand Down
128 changes: 128 additions & 0 deletions apps/user_ldap/lib/Command/PromoteGroup.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
<?php

declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\User_LDAP\Command;

use OCA\User_LDAP\Group_Proxy;
use OCP\IGroup;
use OCP\IGroupManager;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\Question;

class PromoteGroup extends Command {

public function __construct(
private IGroupManager $groupManager,
private Group_Proxy $backend
) {
parent::__construct();
}

protected function configure(): void {
$this
->setName('ldap:promote-group')
->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)')
->addArgument(
'group',
InputArgument::REQUIRED,
'the group ID in Nextcloud or a group name'
come-nc marked this conversation as resolved.
Show resolved Hide resolved
)
->addOption(
juliusknorr marked this conversation as resolved.
Show resolved Hide resolved
'yes',
'y',
InputOption::VALUE_NONE,
'do not ask for confirmation'
);
}

protected function formatGroupName(IGroup $group): string {
$idLabel = '';
if ($group->getGID() !== $group->getDisplayName()) {
$idLabel = sprintf(' (Group ID: %s)', $group->getGID());
}
return sprintf('%s%s', $group->getDisplayName(), $idLabel);
}

protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void {
$access = $this->backend->getLDAPAccess($group->getGID());
$currentlyPromotedGroupId = $access->connection->ldapAdminGroup;
if ($currentlyPromotedGroupId === $group->getGID()) {
$output->writeln('<info>The specified group is already promoted</info>');
return;
}

if ($input->getOption('yes') === false) {
$currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId);
$demoteLabel = '';
if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) {
$groupNameLabel = $this->formatGroupName($currentlyPromotedGroup);
$demoteLabel = sprintf('and demote %s ', $groupNameLabel);
}

/** @var QuestionHelper $helper */
$helper = $this->getHelper('question');
$q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel));
$input->setOption('yes', $helper->ask($input, $output, $q) === 'y');
}
if ($input->getOption('yes') === true) {
$access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]);
$access->connection->saveConfiguration();
$output->writeln(sprintf('<info>Group %s was promoted</info>', $group->getDisplayName()));
} else {
$output->writeln('<comment>Group promotion cancelled</comment>');
}
}

protected function execute(InputInterface $input, OutputInterface $output): int {
$groupInput = (string)$input->getArgument('group');
$group = $this->groupManager->get($groupInput);

if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) {
$this->promoteGroup($group, $input, $output);
return 0;
}

$groupCandidates = $this->backend->getGroups($groupInput, 20);
foreach ($groupCandidates as $gidCandidate) {
$group = $this->groupManager->get($gidCandidate);
if ($group !== null
&& $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group
&& ($group->getGID() === $groupInput
|| $group->getDisplayName() === $groupInput)
) {
$this->promoteGroup($group, $input, $output);
return 0;
}
}

$output->writeln('<error>No matching group found</error>');
return 1;
}

}
3 changes: 3 additions & 0 deletions apps/user_ldap/lib/Configuration.php
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,7 @@ class Configuration {
'ldapAttributeRole' => null,
'ldapAttributeHeadline' => null,
'ldapAttributeBiography' => null,
'ldapAdminGroup' => '',
];

public function __construct(string $configPrefix, bool $autoRead = true) {
Expand Down Expand Up @@ -490,6 +491,7 @@ public function getDefaults(): array {
'ldap_attr_role' => '',
'ldap_attr_headline' => '',
'ldap_attr_biography' => '',
'ldap_admin_group' => '',
];
}

Expand Down Expand Up @@ -566,6 +568,7 @@ public function getConfigTranslationArray(): array {
'ldap_attr_role' => 'ldapAttributeRole',
'ldap_attr_headline' => 'ldapAttributeHeadline',
'ldap_attr_biography' => 'ldapAttributeBiography',
'ldap_admin_group' => 'ldapAdminGroup',
];
return $array;
}
Expand Down
1 change: 1 addition & 0 deletions apps/user_ldap/lib/Connection.php
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@
* @property string ldapAttributeRole
* @property string ldapAttributeHeadline
* @property string ldapAttributeBiography
* @property string ldapAdminGroup
*/
class Connection extends LDAPUtility {
/**
Expand Down
18 changes: 17 additions & 1 deletion apps/user_ldap/lib/Group_LDAP.php
Original file line number Diff line number Diff line change
Expand Up @@ -51,14 +51,15 @@
use OCP\Group\Backend\ABackend;
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;
use OCP\Server;
use Psr\Log\LoggerInterface;
use function json_decode;

class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
protected bool $enabled = false;

/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
Expand Down Expand Up @@ -1241,6 +1242,7 @@ protected function filterValidGroups(array $listOfGroups): array {
public function implementsActions($actions): bool {
return (bool)((GroupInterface::COUNT_USERS |
GroupInterface::DELETE_GROUP |
GroupInterface::IS_ADMIN |
$this->groupPluginManager->getImplementedActions()) & $actions);
}

Expand Down Expand Up @@ -1444,4 +1446,18 @@ public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gi
// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
}

/**
* @throws ServerNotAvailableException
*/
public function isAdmin(string $uid): bool {
if (!$this->enabled) {
return false;
}
$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
if ($ldapAdminGroup === '') {
return false;
}
return $this->inGroup($uid, $ldapAdminGroup);
}
}
7 changes: 6 additions & 1 deletion apps/user_ldap/lib/Group_Proxy.php
Original file line number Diff line number Diff line change
Expand Up @@ -33,12 +33,13 @@
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IGroupDetailsBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\Group\Backend\INamedBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;

class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
private $backends = [];
private ?Group_LDAP $refBackend = null;
private Helper $helper;
Expand Down Expand Up @@ -396,4 +397,8 @@ public function searchInGroup(string $gid, string $search = '', int $limit = -1,
public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
}

public function isAdmin(string $uid): bool {
return $this->handleRequest($uid, 'isAdmin', [$uid]);
}
}
28 changes: 28 additions & 0 deletions build/integration/ldap_features/openldap-numerical-id.feature
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
| 50194 | 1 |
| 59376 | 1 |
| 59463 | 1 |

Scenario: Test LDAP admin group mapping, empowered user
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# alice, part of the promoted group
And Logging in using web as "92379"
And sending "GET" to "/cloud/groups"
And sending "GET" to "/cloud/groups/2000/users"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "200"

Scenario: Test LDAP admin group mapping, regular user (no access)
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# gustaf, not part of the promoted group
And Logging in using web as "59376"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "403"
Loading