- add configuration to specify one LDAP group acting as admin group (CLI) - implement `isAdmin()` method, basically relying on inGroup against the configured group Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

vor 6 Monaten · d8215fbcee
--- a/apps/user_ldap/lib/Configuration.php
+++ b/apps/user_ldap/lib/Configuration.php
@@ -134,6 +134,7 @@ class Configuration {
 		'ldapAttributeRole' => null,
 		'ldapAttributeHeadline' => null,
 		'ldapAttributeBiography' => null,
 		'ldapAdminGroup' => '',
 	];

 	public function __construct(string $configPrefix, bool $autoRead = true) {
@@ -490,6 +491,7 @@ class Configuration {
 			'ldap_attr_role' => '',
 			'ldap_attr_headline' => '',
 			'ldap_attr_biography' => '',
 			'ldap_admin_group' => '',
 		];
 	}

@@ -566,6 +568,7 @@ class Configuration {
 			'ldap_attr_role' => 'ldapAttributeRole',
 			'ldap_attr_headline' => 'ldapAttributeHeadline',
 			'ldap_attr_biography' => 'ldapAttributeBiography',
 			'ldap_admin_group' => 'ldapAdminGroup',
 		];
 		return $array;
 	}
--- a/apps/user_ldap/lib/Connection.php
+++ b/apps/user_ldap/lib/Connection.php
@@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface;
 * @property string ldapAttributeRole
 * @property string ldapAttributeHeadline
 * @property string ldapAttributeBiography
 * @property string ldapAdminGroup
 */
 class Connection extends LDAPUtility {
 	/**
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache;
 use OCP\Group\Backend\ABackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
 use OCP\Group\Backend\IIsAdminBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
@@ -58,7 +59,7 @@ use OCP\Server;
 use Psr\Log\LoggerInterface;
 use function json_decode;

 class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
 class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
 	protected bool $enabled = false;

 	/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
@@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
 	public function implementsActions($actions): bool {
 		return (bool)((GroupInterface::COUNT_USERS |
 				GroupInterface::DELETE_GROUP |
 				GroupInterface::IS_ADMIN |
 				$this->groupPluginManager->getImplementedActions()) & $actions);
 	}

@@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
 		// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
 		// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
 	}

 	/**
 	 * @throws ServerNotAvailableException
 	 */
 	public function isAdmin(string $uid): bool {
 		if (!$this->enabled) {
 			return false;
 		}
 		$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
 		if ($ldapAdminGroup === '') {
 			return false;
 		}
 		return $this->inGroup($uid, $ldapAdminGroup);
 	}
 }
--- a/apps/user_ldap/lib/Group_Proxy.php
+++ b/apps/user_ldap/lib/Group_Proxy.php
@@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
 use OCP\Group\Backend\IGroupDetailsBackend;
 use OCP\Group\Backend\IIsAdminBackend;
 use OCP\Group\Backend\INamedBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;

 class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
 class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
 	private $backends = [];
 	private ?Group_LDAP $refBackend = null;
 	private Helper $helper;
@@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
 	public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
 		$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
 	}

 	public function isAdmin(string $uid): bool {
 		return $this->handleRequest($uid, 'isAdmin', [$uid]);
 	}
 }
--- a/build/integration/ldap_features/openldap-numerical-id.feature
+++ b/build/integration/ldap_features/openldap-numerical-id.feature
@@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
    | 50194 | 1 |
    | 59376 | 1 |
    | 59463 | 1 |

 Scenario: Test LDAP admin group mapping, empowered user
  Given modify LDAP configuration
    | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
    | ldapGroupFilter               | (objectclass=groupOfNames) |
    | ldapGroupMemberAssocAttr      | member |
    | ldapAdminGroup                | 3001   |
    | useMemberOfToDetectMembership | 1 |
  And cookies are reset
  # alice, part of the promoted group
  And Logging in using web as "92379"
  And sending "GET" to "/cloud/groups"
  And sending "GET" to "/cloud/groups/2000/users"
  And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
  Then the HTTP status code should be "200"

 Scenario: Test LDAP admin group mapping, regular user (no access)
    Given modify LDAP configuration
      | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
      | ldapGroupFilter               | (objectclass=groupOfNames) |
      | ldapGroupMemberAssocAttr      | member |
      | ldapAdminGroup                | 3001   |
      | useMemberOfToDetectMembership | 1 |
    And cookies are reset
    # gustaf, not part of the promoted group
    And Logging in using web as "59376"
    And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
    Then the HTTP status code should be "403"