From 77bdad84c21f2d836b778a2741eb8e8512ee19eb Mon Sep 17 00:00:00 2001 From: =?utf8?q?C=C3=B4me=20Chilliet?= Date: Tue, 22 Mar 2022 12:31:44 +0100 Subject: [PATCH] Add ldap:reset-group command to unmap groups from LDAP MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/user_ldap/appinfo/info.xml | 1 + .../composer/composer/autoload_classmap.php | 1 + .../composer/composer/autoload_static.php | 1 + apps/user_ldap/lib/GroupPluginManager.php | 22 +++++++++++++-- apps/user_ldap/lib/Group_LDAP.php | 27 ++++++++++++++----- apps/user_ldap/lib/Group_Proxy.php | 10 +++---- apps/user_ldap/lib/UserPluginManager.php | 7 +++-- core/Command/Group/Delete.php | 2 +- 8 files changed, 52 insertions(+), 19 deletions(-) diff --git a/apps/user_ldap/appinfo/info.xml b/apps/user_ldap/appinfo/info.xml index 2dae4845241..d654d34d66e 100644 --- a/apps/user_ldap/appinfo/info.xml +++ b/apps/user_ldap/appinfo/info.xml @@ -50,6 +50,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc OCA\User_LDAP\Command\CheckUser OCA\User_LDAP\Command\CreateEmptyConfig OCA\User_LDAP\Command\DeleteConfig + OCA\User_LDAP\Command\ResetGroup OCA\User_LDAP\Command\ResetUser OCA\User_LDAP\Command\Search OCA\User_LDAP\Command\SetConfig diff --git a/apps/user_ldap/composer/composer/autoload_classmap.php b/apps/user_ldap/composer/composer/autoload_classmap.php index 12ede37a941..1fca642fc9f 100644 --- a/apps/user_ldap/composer/composer/autoload_classmap.php +++ b/apps/user_ldap/composer/composer/autoload_classmap.php @@ -14,6 +14,7 @@ return array( 'OCA\\User_LDAP\\Command\\CheckUser' => $baseDir . '/../lib/Command/CheckUser.php', 'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => $baseDir . '/../lib/Command/CreateEmptyConfig.php', 'OCA\\User_LDAP\\Command\\DeleteConfig' => $baseDir . '/../lib/Command/DeleteConfig.php', + 'OCA\\User_LDAP\\Command\\ResetGroup' => $baseDir . '/../lib/Command/ResetGroup.php', 'OCA\\User_LDAP\\Command\\ResetUser' => $baseDir . '/../lib/Command/ResetUser.php', 'OCA\\User_LDAP\\Command\\Search' => $baseDir . '/../lib/Command/Search.php', 'OCA\\User_LDAP\\Command\\SetConfig' => $baseDir . '/../lib/Command/SetConfig.php', diff --git a/apps/user_ldap/composer/composer/autoload_static.php b/apps/user_ldap/composer/composer/autoload_static.php index ecf5e4167f6..9d8c33406e8 100644 --- a/apps/user_ldap/composer/composer/autoload_static.php +++ b/apps/user_ldap/composer/composer/autoload_static.php @@ -29,6 +29,7 @@ class ComposerStaticInitUser_LDAP 'OCA\\User_LDAP\\Command\\CheckUser' => __DIR__ . '/..' . '/../lib/Command/CheckUser.php', 'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => __DIR__ . '/..' . '/../lib/Command/CreateEmptyConfig.php', 'OCA\\User_LDAP\\Command\\DeleteConfig' => __DIR__ . '/..' . '/../lib/Command/DeleteConfig.php', + 'OCA\\User_LDAP\\Command\\ResetGroup' => __DIR__ . '/..' . '/../lib/Command/ResetGroup.php', 'OCA\\User_LDAP\\Command\\ResetUser' => __DIR__ . '/..' . '/../lib/Command/ResetUser.php', 'OCA\\User_LDAP\\Command\\Search' => __DIR__ . '/..' . '/../lib/Command/Search.php', 'OCA\\User_LDAP\\Command\\SetConfig' => __DIR__ . '/..' . '/../lib/Command/SetConfig.php', diff --git a/apps/user_ldap/lib/GroupPluginManager.php b/apps/user_ldap/lib/GroupPluginManager.php index d23e9d4d443..a25665e4691 100644 --- a/apps/user_ldap/lib/GroupPluginManager.php +++ b/apps/user_ldap/lib/GroupPluginManager.php @@ -26,9 +26,9 @@ namespace OCA\User_LDAP; use OCP\GroupInterface; class GroupPluginManager { - private $respondToActions = 0; + private int $respondToActions = 0; - private $which = [ + private array $which = [ GroupInterface::CREATE_GROUP => null, GroupInterface::DELETE_GROUP => null, GroupInterface::ADD_TO_GROUP => null, @@ -37,6 +37,8 @@ class GroupPluginManager { GroupInterface::GROUP_DETAILS => null ]; + private bool $suppressDeletion = false; + /** * @return int All implemented actions */ @@ -84,6 +86,19 @@ class GroupPluginManager { throw new \Exception('No plugin implements createGroup in this LDAP Backend.'); } + public function canDeleteGroup(): bool { + return !$this->suppressDeletion && ($this->which[GroupInterface::DELETE_GROUP] !== null); + } + + /** + * @return bool – the value before the change + */ + public function setSuppressDeletion(bool $value): bool { + $old = $this->suppressDeletion; + $this->suppressDeletion = $value; + return $old; + } + /** * Delete a group * @param string $gid Group Id of the group to delete @@ -94,6 +109,9 @@ class GroupPluginManager { $plugin = $this->which[GroupInterface::DELETE_GROUP]; if ($plugin) { + if ($this->suppressDeletion) { + return false; + } return $plugin->deleteGroup($gid); } throw new \Exception('No plugin implements deleteGroup in this LDAP Backend.'); diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index 766b77bf521..f9d9b061743 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -48,10 +48,11 @@ use OC; use OC\Cache\CappedMemoryCache; use OC\ServerNotAvailableException; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\IDeleteGroupBackend; use OCP\GroupInterface; use Psr\Log\LoggerInterface; -class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend { +class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend { protected $enabled = false; /** @var string[][] $cachedGroupMembers array of users with gid as key */ @@ -1204,6 +1205,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I */ public function implementsActions($actions) { return (bool)((GroupInterface::COUNT_USERS | + GroupInterface::DELETE_GROUP | $this->groupPluginManager->getImplementedActions()) & $actions); } @@ -1249,19 +1251,32 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * delete a group * * @param string $gid gid of the group to delete - * @return bool * @throws Exception */ - public function deleteGroup($gid) { - if ($this->groupPluginManager->implementsActions(GroupInterface::DELETE_GROUP)) { + public function deleteGroup(string $gid): bool { + if ($this->groupPluginManager->canDeleteGroup()) { if ($ret = $this->groupPluginManager->deleteGroup($gid)) { - #delete group in nextcloud internal db + // Delete group in nextcloud internal db $this->access->getGroupMapper()->unmap($gid); $this->access->connection->writeToCache("groupExists" . $gid, false); } return $ret; } - throw new Exception('Could not delete group in LDAP backend.'); + + // Getting dn, if false the group is not mapped + $dn = $this->access->groupname2dn($gid); + if (!$dn) { + throw new Exception('Could not delete unknown group '.$gid.' in LDAP backend.'); + } + + if (!$this->groupExists($gid)) { + // The group does not exist in the LDAP, remove the mapping + $this->access->getGroupMapper()->unmap($gid); + $this->access->connection->writeToCache("groupExists" . $gid, false); + return true; + } + + throw new Exception('Could not delete existing group '.$gid.' in LDAP backend.'); } /** diff --git a/apps/user_ldap/lib/Group_Proxy.php b/apps/user_ldap/lib/Group_Proxy.php index 92a9041949e..ea2fcce679c 100644 --- a/apps/user_ldap/lib/Group_Proxy.php +++ b/apps/user_ldap/lib/Group_Proxy.php @@ -28,10 +28,11 @@ */ namespace OCA\User_LDAP; -use OCP\Group\Backend\INamedBackend; +use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\INamedBackend; -class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend { +class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend { private $backends = []; private $refBackend = null; @@ -171,11 +172,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet /** * delete a group - * - * @param string $gid gid of the group to delete - * @return bool */ - public function deleteGroup($gid) { + public function deleteGroup(string $gid): bool { return $this->handleRequest( $gid, 'deleteGroup', [$gid]); } diff --git a/apps/user_ldap/lib/UserPluginManager.php b/apps/user_ldap/lib/UserPluginManager.php index 035b7952dce..748a210cf60 100644 --- a/apps/user_ldap/lib/UserPluginManager.php +++ b/apps/user_ldap/lib/UserPluginManager.php @@ -28,9 +28,9 @@ namespace OCA\User_LDAP; use OC\User\Backend; class UserPluginManager { - private $respondToActions = 0; + private int $respondToActions = 0; - private $which = [ + private array $which = [ Backend::CREATE_USER => null, Backend::SET_PASSWORD => null, Backend::GET_HOME => null, @@ -41,8 +41,7 @@ class UserPluginManager { 'deleteUser' => null ]; - /** @var bool */ - private $suppressDeletion = false; + private bool $suppressDeletion = false; /** * @return int All implemented actions, except for 'deleteUser' diff --git a/core/Command/Group/Delete.php b/core/Command/Group/Delete.php index 75202308944..be97be83407 100644 --- a/core/Command/Group/Delete.php +++ b/core/Command/Group/Delete.php @@ -61,7 +61,7 @@ class Delete extends Base { $output->writeln('Group "' . $gid . '" could not be deleted.'); return 1; } - if (! $this->groupManager->groupExists($gid)) { + if (!$this->groupManager->groupExists($gid)) { $output->writeln('Group "' . $gid . '" does not exist.'); return 1; } -- 2.39.5