- add configuration to specify one LDAP group acting as admin group (CLI) - implement `isAdmin()` method, basically relying on inGroup against the configured group Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>tags/v28.0.0rc3
@@ -134,6 +134,7 @@ class Configuration { | |||
'ldapAttributeRole' => null, | |||
'ldapAttributeHeadline' => null, | |||
'ldapAttributeBiography' => null, | |||
'ldapAdminGroup' => '', | |||
]; | |||
public function __construct(string $configPrefix, bool $autoRead = true) { | |||
@@ -490,6 +491,7 @@ class Configuration { | |||
'ldap_attr_role' => '', | |||
'ldap_attr_headline' => '', | |||
'ldap_attr_biography' => '', | |||
'ldap_admin_group' => '', | |||
]; | |||
} | |||
@@ -566,6 +568,7 @@ class Configuration { | |||
'ldap_attr_role' => 'ldapAttributeRole', | |||
'ldap_attr_headline' => 'ldapAttributeHeadline', | |||
'ldap_attr_biography' => 'ldapAttributeBiography', | |||
'ldap_admin_group' => 'ldapAdminGroup', | |||
]; | |||
return $array; | |||
} |
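Review bot: The new `ldapAdminGroup` default at the first hunk is a privilege-granting setting with no comment marking it as such, unlike the neighbouring attribute keys which are cosmetic; a maintainer scanning this array has no hint that a non-empty value makes every member of that group a full Nextcloud admin. I would annotate the entry: `'ldapAdminGroup' => '', // mapped gid whose members become Nextcloud admins; empty disables the mapping`. Whether the value is trimmed or otherwise normalised when written through the CLI is not visible in these hunks; if it is not, a stray whitespace value would count as "configured" downstream and silently match nothing, so a note here about where normalisation happens (or a trim at write time) would help. The `Configuration` class body continues outside all three hunks.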
@@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface; | |||
* @property string ldapAttributeRole | |||
* @property string ldapAttributeHeadline | |||
* @property string ldapAttributeBiography | |||
* @property string ldapAdminGroup | |||
*/ | |||
class Connection extends LDAPUtility { | |||
/** |
@@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache; | |||
use OCP\Group\Backend\ABackend; | |||
use OCP\Group\Backend\IDeleteGroupBackend; | |||
use OCP\Group\Backend\IGetDisplayNameBackend; | |||
use OCP\Group\Backend\IIsAdminBackend; | |||
use OCP\GroupInterface; | |||
use OCP\IConfig; | |||
use OCP\IUserManager; | |||
@@ -58,7 +59,7 @@ use OCP\Server; | |||
use Psr\Log\LoggerInterface; | |||
use function json_decode; | |||
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend { | |||
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend { | |||
protected bool $enabled = false; | |||
/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */ | |||
@@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis | |||
public function implementsActions($actions): bool { | |||
return (bool)((GroupInterface::COUNT_USERS | | |||
GroupInterface::DELETE_GROUP | | |||
GroupInterface::IS_ADMIN | | |||
$this->groupPluginManager->getImplementedActions()) & $actions); | |||
} | |||
@@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis | |||
// $cacheKey = 'usersInGroup-' . $gid . '-' . $search; | |||
// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search; | |||
} | |||
/** | |||
* @throws ServerNotAvailableException | |||
*/ | |||
public function isAdmin(string $uid): bool { | |||
if (!$this->enabled) { | |||
return false; | |||
} | |||
$ldapAdminGroup = $this->access->connection->ldapAdminGroup; | |||
if ($ldapAdminGroup === '') { | |||
return false; | |||
} | |||
return $this->inGroup($uid, $ldapAdminGroup); | |||
} | |||
} |
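Review bot: `isAdmin()` derives admin rights entirely from `inGroup($uid, $ldapAdminGroup)`, so it inherits whatever memoisation `inGroup` uses in this class — the `cachedGroupMembers` cache declared above suggests membership results are cached, which would mean a user removed from the admin group in LDAP keeps admin rights until that cache expires or is invalidated; I cannot see `inGroup`'s body here to confirm the TTL. The method has a `@throws` tag but no description; I would document the contract and the caveat: `Admin status is derived from membership in the group configured as ldapAdminGroup (a mapped gid, not a DN), resolved through inGroup() and therefore subject to its caching; returns false when the backend is disabled or no admin group is configured.` Separately, `implementsActions()` now advertises `GroupInterface::IS_ADMIN` unconditionally, even when `ldapAdminGroup` is empty; whether the group manager treats an advertising backend as authoritative over other backends' admin lists is not visible in this diff and is worth checking before release.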
@@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend; | |||
use OCP\Group\Backend\IDeleteGroupBackend; | |||
use OCP\Group\Backend\IGetDisplayNameBackend; | |||
use OCP\Group\Backend\IGroupDetailsBackend; | |||
use OCP\Group\Backend\IIsAdminBackend; | |||
use OCP\Group\Backend\INamedBackend; | |||
use OCP\GroupInterface; | |||
use OCP\IConfig; | |||
use OCP\IUserManager; | |||
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend { | |||
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend { | |||
private $backends = []; | |||
private ?Group_LDAP $refBackend = null; | |||
private Helper $helper; | |||
@@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet | |||
public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void { | |||
$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]); | |||
} | |||
public function isAdmin(string $uid): bool { | |||
return $this->handleRequest($uid, 'isAdmin', [$uid]); | |||
} | |||
} |
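Review bot: `isAdmin()` returns the raw result of `handleRequest()` under a `bool` return type; `handleRequest` is implemented in `Proxy`, outside this diff, and if it can yield `null` when no backend claims the uid this would be a `TypeError` (or a silent coercion without `strict_types`) on a privilege check. A defensive `return $this->handleRequest($uid, 'isAdmin', [$uid]) === true;` pins admin to an explicit true and fails closed. A one-line comment that routing is by `$uid` — so with several LDAP server configurations each backend evaluates only its own `ldapAdminGroup` — would also help readers, since the sibling methods above route by `$gid`.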
@@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte | |||
| 50194 | 1 | | |||
| 59376 | 1 | | |||
| 59463 | 1 | | |||
Scenario: Test LDAP admin group mapping, empowered user | |||
Given modify LDAP configuration | |||
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci | | |||
| ldapGroupFilter | (objectclass=groupOfNames) | | |||
| ldapGroupMemberAssocAttr | member | | |||
| ldapAdminGroup | 3001 | | |||
| useMemberOfToDetectMembership | 1 | | |||
And cookies are reset | |||
# alice, part of the promoted group | |||
And Logging in using web as "92379" | |||
And sending "GET" to "/cloud/groups" | |||
And sending "GET" to "/cloud/groups/2000/users" | |||
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken | |||
Then the HTTP status code should be "200" | |||
Scenario: Test LDAP admin group mapping, regular user (no access) | |||
Given modify LDAP configuration | |||
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci | | |||
| ldapGroupFilter | (objectclass=groupOfNames) | | |||
| ldapGroupMemberAssocAttr | member | | |||
| ldapAdminGroup | 3001 | | |||
| useMemberOfToDetectMembership | 1 | | |||
And cookies are reset | |||
# gustaf, not part of the promoted group | |||
And Logging in using web as "59376" | |||
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken | |||
Then the HTTP status code should be "403" |
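Review bot: Neither scenario covers the default-deny branch — that with `ldapAdminGroup` left empty the same user `92379` is refused `/index.php/settings/admin/overview` with 403 — which is the branch that protects existing installations after upgrade; a third scenario with the same table minus the `ldapAdminGroup` row and the same login would pin it. The two `GET` calls to `/cloud/groups` and `/cloud/groups/2000/users` in the first scenario assert nothing; if they are there to warm the group caches before the admin check, a comment saying so (`# warm group membership caches before the admin check`) would stop someone deleting them as dead steps. Both scenarios repeat an identical configuration table, which could move into a `Background` or a shared step to keep them in sync.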