enh(LDAP): implement IIsAdmin interface
authorArthur Schiwon <blizzz@arthur-schiwon.de>
Tue, 21 Nov 2023 19:20:16 +0000 (20:20 +0100)
committerbackportbot-nextcloud[bot] <backportbot-nextcloud[bot]@users.noreply.github.com>
Mon, 4 Dec 2023 18:52:19 +0000 (18:52 +0000)
- add configuration to specify one LDAP group acting as admin group (CLI)
- implement `isAdmin()` method, basically relying on inGroup against the
  configured group

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
apps/user_ldap/lib/Configuration.php
apps/user_ldap/lib/Connection.php
apps/user_ldap/lib/Group_LDAP.php
apps/user_ldap/lib/Group_Proxy.php
build/integration/ldap_features/openldap-numerical-id.feature

index 36258f5ad271bf7caaf03cbcd44463082174cb18..43d7b5cfbf1d4224d10836d6a49049d41ff1fb01 100644 (file)
@@ -134,6 +134,7 @@ class Configuration {
                'ldapAttributeRole' => null,
                'ldapAttributeHeadline' => null,
                'ldapAttributeBiography' => null,
+               'ldapAdminGroup' => '',
        ];
 
        public function __construct(string $configPrefix, bool $autoRead = true) {
@@ -490,6 +491,7 @@ class Configuration {
                        'ldap_attr_role' => '',
                        'ldap_attr_headline' => '',
                        'ldap_attr_biography' => '',
+                       'ldap_admin_group' => '',
                ];
        }
 
@@ -566,6 +568,7 @@ class Configuration {
                        'ldap_attr_role' => 'ldapAttributeRole',
                        'ldap_attr_headline' => 'ldapAttributeHeadline',
                        'ldap_attr_biography' => 'ldapAttributeBiography',
+                       'ldap_admin_group' => 'ldapAdminGroup',
                ];
                return $array;
        }
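Review bot: The new `'ldapAdminGroup' => ''` default carries no hint of what the value is, although it is the one setting in this file that grants administrator rights; in the Group_LDAP hunk it is handed unchanged to `inGroup()`, so it is a Nextcloud group id as this backend maps it, not a DN or an LDAP attribute. A short comment on the entry would save the next reader that lookup, e.g. `'ldapAdminGroup' => '', // Nextcloud gid whose members are treated as admins; empty disables the mapping`. The same applies to the `'ldap_admin_group'` entries in the two later hunks of this file. The enclosing class and its methods continue outside the hunks.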
index 14d3111f1d30a716654c68e7611645baa6e57519..37f7dcaea5ca7ad303264cd58f4ffa9adc55da05 100644 (file)
@@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface;
  * @property string ldapAttributeRole
  * @property string ldapAttributeHeadline
  * @property string ldapAttributeBiography
+ * @property string ldapAdminGroup
  */
 class Connection extends LDAPUtility {
        /**
index a7a82eb88cab516d326aecaf351268e84a6d8101..376af8520d04005f1039479ea6f6844eaf4622ac 100644 (file)
@@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache;
 use OCP\Group\Backend\ABackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
@@ -58,7 +59,7 @@ use OCP\Server;
 use Psr\Log\LoggerInterface;
 use function json_decode;
 
-class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
+class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
        protected bool $enabled = false;
 
        /** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
@@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
        public function implementsActions($actions): bool {
                return (bool)((GroupInterface::COUNT_USERS |
                                GroupInterface::DELETE_GROUP |
+                               GroupInterface::IS_ADMIN |
                                $this->groupPluginManager->getImplementedActions()) & $actions);
        }
 
@@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
                // $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
                // $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
        }
+
+       /**
+        * @throws ServerNotAvailableException
+        */
+       public function isAdmin(string $uid): bool {
+               if (!$this->enabled) {
+                       return false;
+               }
+               $ldapAdminGroup = $this->access->connection->ldapAdminGroup;
+               if ($ldapAdminGroup === '') {
+                       return false;
+               }
+               return $this->inGroup($uid, $ldapAdminGroup);
+       }
 }
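Review bot: The docblock on `isAdmin()` states only the exception and not the contract, which matters because this method decides admin access; I would say that it returns true only when the backend is enabled, `ldapAdminGroup` is non-empty and `inGroup()` reports `$uid` as a member of that group id, and that the answer inherits whatever caching `inGroup()` applies (the `$cachedGroupMembers` property above suggests membership is cached), so a removal from the admin group in LDAP may only take effect once that cache expires — confirm against inGroup(), which is outside the hunk. The guard on line 91 accepts exactly the empty string; if `Connection::__get` can hand back null for an unset key, the `string` parameter of `inGroup()` would then raise a TypeError instead of denying, so `if (!is_string($ldapAdminGroup) || $ldapAdminGroup === '') { return false; }` is the safer form — I cannot see the accessor from here. Note also that `implementsActions()` advertises `IS_ADMIN` unconditionally, even when no admin group is configured, which is fine given the early `return false` but worth a one-line comment there.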
index a5e5c6c14138329ae2fcf6ee1027dec40cc845fb..73daf4fdd77801a8bc3efad0773bf924c2cdb391 100644 (file)
@@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
 use OCP\Group\Backend\IGroupDetailsBackend;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\Group\Backend\INamedBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
 
-class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
+class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
        private $backends = [];
        private ?Group_LDAP $refBackend = null;
        private Helper $helper;
@@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
        public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
                $this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
        }
+
+       public function isAdmin(string $uid): bool {
+               return $this->handleRequest($uid, 'isAdmin', [$uid]);
+       }
 }
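Review bot: `isAdmin()` returns the result of `handleRequest()` straight through a `: bool` return type, but nothing in the hunk shows that `handleRequest()` always yields a bool; if it can return null (for instance with no backend configured), the method throws a TypeError instead of denying. If that is possible, `return (bool)$this->handleRequest($uid, 'isAdmin', [$uid]);` keeps deny-by-default semantics. A comment would also help: the request is routed by `$uid` whereas the sibling method on line 114 routes by `$gid`, and with the default pass-on value a `false` from one backend presumably moves on to the next, so the user is an admin if any configured LDAP backend says so — please confirm both against Proxy::handleRequest(), which is outside this hunk.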
index 4ea63823295fcd7adc61e6de40e11d861de54836..75eb68271927a0575c6f2ec99cfd4f26826c00ce 100644 (file)
@@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
     | 50194 | 1 |
     | 59376 | 1 |
     | 59463 | 1 |
+
+Scenario: Test LDAP admin group mapping, empowered user
+  Given modify LDAP configuration
+    | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+    | ldapGroupFilter               | (objectclass=groupOfNames) |
+    | ldapGroupMemberAssocAttr      | member |
+    | ldapAdminGroup                | 3001   |
+    | useMemberOfToDetectMembership | 1 |
+  And cookies are reset
+  # alice, part of the promoted group
+  And Logging in using web as "92379"
+  And sending "GET" to "/cloud/groups"
+  And sending "GET" to "/cloud/groups/2000/users"
+  And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+  Then the HTTP status code should be "200"
+
+Scenario: Test LDAP admin group mapping, regular user (no access)
+    Given modify LDAP configuration
+      | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+      | ldapGroupFilter               | (objectclass=groupOfNames) |
+      | ldapGroupMemberAssocAttr      | member |
+      | ldapAdminGroup                | 3001   |
+      | useMemberOfToDetectMembership | 1 |
+    And cookies are reset
+    # gustaf, not part of the promoted group
+    And Logging in using web as "59376"
+    And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+    Then the HTTP status code should be "403"
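Review bot: The two new scenarios cover a member and a non-member of group 3001, but neither covers the default of `ldapAdminGroup` being empty, which is the case `isAdmin()` must deny; a third scenario that logs in as "92379" with `ldapAdminGroup` left unset and expects "403" on `/index.php/settings/admin/overview` would pin that. The first scenario is indented with two spaces and the second with four; judging from the table rows at lines 124–126, the first form matches the rest of the file, so the second scenario should be aligned to it. The `GET` calls to `/cloud/groups` and `/cloud/groups/2000/users` on lines 138–139 carry no assertion and no comment saying why they are there; a one-line comment above them stating the intent (if it is to populate the group membership before the admin check, say so) would make the scenario self-explanatory.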