mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 984 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
56652 Commits
379 Branches
Tree: d89a75be0b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd89a75be0b'
${ noResults }
nextcloud/apps/dav/lib/Connector/Sabre/Principal.php

Principal.php 15KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  * @copyright Copyright (c) 2018, Georg Ehrke

  5.  *

  6.  * @author Arthur Schiwon <blizzz@arthur-schiwon.de>

  7.  * @author Bart Visscher <bartv@thisnet.nl>

  8.  * @author Christoph Seitz <christoph.seitz@posteo.de>

  9.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  10.  * @author Daniel Kesselberg <mail@danielkesselberg.de>

  11.  * @author Georg Ehrke <oc.list@georgehrke.com>

  12.  * @author Jakob Sack <mail@jakobsack.de>

  13.  * @author Julius Härtl <jus@bitgrid.net>

  14.  * @author Lukas Reschke <lukas@statuscode.ch>

  15.  * @author Morris Jobke <hey@morrisjobke.de>

  16.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  17.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  18.  * @author Vincent Petry <vincent@nextcloud.com>

  19.  * @author Vinicius Cubas Brand <vinicius@eita.org.br>

  20.  *

  21.  * @license AGPL-3.0

  22.  *

  23.  * This code is free software: you can redistribute it and/or modify

  24.  * it under the terms of the GNU Affero General Public License, version 3,

  25.  * as published by the Free Software Foundation.

  26.  *

  27.  * This program is distributed in the hope that it will be useful,

  28.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  29.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  30.  * GNU Affero General Public License for more details.

  31.  *

  32.  * You should have received a copy of the GNU Affero General Public License, version 3,

  33.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  34.  *

  35.  */

  36. 

  37. namespace OCA\DAV\Connector\Sabre;

  38. 

  39. use OCA\Circles\Exceptions\CircleDoesNotExistException;

  40. use OCA\DAV\CalDAV\Proxy\ProxyMapper;

  41. use OCA\DAV\Traits\PrincipalProxyTrait;

  42. use OCP\App\IAppManager;

  43. use OCP\AppFramework\QueryException;

  44. use OCP\Constants;

  45. use OCP\IConfig;

  46. use OCP\IGroupManager;

  47. use OCP\IUser;

  48. use OCP\IUserManager;

  49. use OCP\IUserSession;

  50. use OCP\Share\IManager as IShareManager;

  51. use Sabre\DAV\Exception;

  52. use Sabre\DAV\PropPatch;

  53. use Sabre\DAVACL\PrincipalBackend\BackendInterface;

  54. 

  55. class Principal implements BackendInterface {

  56. 

  57. 	/** @var IUserManager */

  58. 	private $userManager;

  59. 

  60. 	/** @var IGroupManager */

  61. 	private $groupManager;

  62. 

  63. 	/** @var IShareManager */

  64. 	private $shareManager;

  65. 

  66. 	/** @var IUserSession */

  67. 	private $userSession;

  68. 

  69. 	/** @var IAppManager */

  70. 	private $appManager;

  71. 

  72. 	/** @var string */

  73. 	private $principalPrefix;

  74. 

  75. 	/** @var bool */

  76. 	private $hasGroups;

  77. 

  78. 	/** @var bool */

  79. 	private $hasCircles;

  80. 

  81. 	/** @var ProxyMapper */

  82. 	private $proxyMapper;

  83. 

  84. 	/** @var IConfig */

  85. 	private $config;

  86. 

  87. 	/**

  88. 	 * Principal constructor.

  89. 	 *

  90. 	 * @param IUserManager $userManager

  91. 	 * @param IGroupManager $groupManager

  92. 	 * @param IShareManager $shareManager

  93. 	 * @param IUserSession $userSession

  94. 	 * @param IAppManager $appManager

  95. 	 * @param ProxyMapper $proxyMapper

  96. 	 * @param IConfig $config

  97. 	 * @param string $principalPrefix

  98. 	 */

  99. 	public function __construct(IUserManager $userManager,

  100. 								IGroupManager $groupManager,

  101. 								IShareManager $shareManager,

  102. 								IUserSession $userSession,

  103. 								IAppManager $appManager,

  104. 								ProxyMapper $proxyMapper,

  105. 								IConfig $config,

  106. 								string $principalPrefix = 'principals/users/') {

  107. 		$this->userManager = $userManager;

  108. 		$this->groupManager = $groupManager;

  109. 		$this->shareManager = $shareManager;

  110. 		$this->userSession = $userSession;

  111. 		$this->appManager = $appManager;

  112. 		$this->principalPrefix = trim($principalPrefix, '/');

  113. 		$this->hasGroups = $this->hasCircles = ($principalPrefix === 'principals/users/');

  114. 		$this->proxyMapper = $proxyMapper;

  115. 		$this->config = $config;

  116. 	}

  117. 

  118. 	use PrincipalProxyTrait {

  119. 		getGroupMembership as protected traitGetGroupMembership;

  120. 	}

  121. 

  122. 	/**

  123. 	 * Returns a list of principals based on a prefix.

  124. 	 *

  125. 	 * This prefix will often contain something like 'principals'. You are only

  126. 	 * expected to return principals that are in this base path.

  127. 	 *

  128. 	 * You are expected to return at least a 'uri' for every user, you can

  129. 	 * return any additional properties if you wish so. Common properties are:

  130. 	 *   {DAV:}displayname

  131. 	 *

  132. 	 * @param string $prefixPath

  133. 	 * @return string[]

  134. 	 */

  135. 	public function getPrincipalsByPrefix($prefixPath) {

  136. 		$principals = [];

  137. 

  138. 		if ($prefixPath === $this->principalPrefix) {

  139. 			foreach ($this->userManager->search('') as $user) {

  140. 				$principals[] = $this->userToPrincipal($user);

  141. 			}

  142. 		}

  143. 

  144. 		return $principals;

  145. 	}

  146. 

  147. 	/**

  148. 	 * Returns a specific principal, specified by it's path.

  149. 	 * The returned structure should be the exact same as from

  150. 	 * getPrincipalsByPrefix.

  151. 	 *

  152. 	 * @param string $path

  153. 	 * @return array

  154. 	 */

  155. 	public function getPrincipalByPath($path) {

  156. 		list($prefix, $name) = \Sabre\Uri\split($path);

  157. 

  158. 		if ($name === 'calendar-proxy-write' || $name === 'calendar-proxy-read') {

  159. 			list($prefix2, $name2) = \Sabre\Uri\split($prefix);

  160. 

  161. 			if ($prefix2 === $this->principalPrefix) {

  162. 				$user = $this->userManager->get($name2);

  163. 

  164. 				if ($user !== null) {

  165. 					return [

  166. 						'uri' => 'principals/users/' . $user->getUID() . '/' . $name,

  167. 					];

  168. 				}

  169. 				return null;

  170. 			}

  171. 		}

  172. 

  173. 		if ($prefix === $this->principalPrefix) {

  174. 			// Depending on where it is called, it may happen that this function

  175. 			// is called either with a urlencoded version of the name or with a non-urlencoded one.

  176. 			// The urldecode function replaces %## and +, both of which are forbidden in usernames.

  177. 			// Hence there can be no ambiguity here and it is safe to call urldecode on all usernames

  178. 			$user = $this->userManager->get(urldecode($name));

  179. 

  180. 			if ($user !== null) {

  181. 				return $this->userToPrincipal($user);

  182. 			}

  183. 		} elseif ($prefix === 'principals/circles') {

  184. 			if ($this->userSession->getUser() !== null) {

  185. 				return $this->circleToPrincipal($name);

  186. 			}

  187. 		}

  188. 		return null;

  189. 	}

  190. 

  191. 	/**

  192. 	 * Returns the list of groups a principal is a member of

  193. 	 *

  194. 	 * @param string $principal

  195. 	 * @param bool $needGroups

  196. 	 * @return array

  197. 	 * @throws Exception

  198. 	 */

  199. 	public function getGroupMembership($principal, $needGroups = false) {

  200. 		list($prefix, $name) = \Sabre\Uri\split($principal);

  201. 

  202. 		if ($prefix !== $this->principalPrefix) {

  203. 			return [];

  204. 		}

  205. 

  206. 		$user = $this->userManager->get($name);

  207. 		if (!$user) {

  208. 			throw new Exception('Principal not found');

  209. 		}

  210. 

  211. 		$groups = [];

  212. 

  213. 		if ($this->hasGroups || $needGroups) {

  214. 			$userGroups = $this->groupManager->getUserGroups($user);

  215. 			foreach ($userGroups as $userGroup) {

  216. 				$groups[] = 'principals/groups/' . urlencode($userGroup->getGID());

  217. 			}

  218. 		}

  219. 

  220. 		$groups = array_unique(array_merge(

  221. 			$groups,

  222. 			$this->traitGetGroupMembership($principal, $needGroups)

  223. 		));

  224. 

  225. 		return $groups;

  226. 	}

  227. 

  228. 	/**

  229. 	 * @param string $path

  230. 	 * @param PropPatch $propPatch

  231. 	 * @return int

  232. 	 */

  233. 	public function updatePrincipal($path, PropPatch $propPatch) {

  234. 		return 0;

  235. 	}

  236. 

  237. 	/**

  238. 	 * Search user principals

  239. 	 *

  240. 	 * @param array $searchProperties

  241. 	 * @param string $test

  242. 	 * @return array

  243. 	 */

  244. 	protected function searchUserPrincipals(array $searchProperties, $test = 'allof') {

  245. 		$results = [];

  246. 

  247. 		// If sharing is disabled, return the empty array

  248. 		$shareAPIEnabled = $this->shareManager->shareApiEnabled();

  249. 		if (!$shareAPIEnabled) {

  250. 			return [];

  251. 		}

  252. 

  253. 		$allowEnumeration = $this->shareManager->allowEnumeration();

  254. 		$limitEnumeration = $this->shareManager->limitEnumerationToGroups();

  255. 

  256. 		// If sharing is restricted to group members only,

  257. 		// return only members that have groups in common

  258. 		$restrictGroups = false;

  259. 		if ($this->shareManager->shareWithGroupMembersOnly()) {

  260. 			$user = $this->userSession->getUser();

  261. 			if (!$user) {

  262. 				return [];

  263. 			}

  264. 

  265. 			$restrictGroups = $this->groupManager->getUserGroupIds($user);

  266. 		}

  267. 

  268. 		$currentUserGroups = [];

  269. 		if ($limitEnumeration) {

  270. 			$currentUser = $this->userSession->getUser();

  271. 			if ($currentUser) {

  272. 				$currentUserGroups = $this->groupManager->getUserGroupIds($currentUser);

  273. 			}

  274. 		}

  275. 

  276. 		$searchLimit = $this->config->getSystemValueInt('sharing.maxAutocompleteResults', Constants::SHARING_MAX_AUTOCOMPLETE_RESULTS_DEFAULT);

  277. 		if ($searchLimit <= 0) {

  278. 			$searchLimit = null;

  279. 		}

  280. 		foreach ($searchProperties as $prop => $value) {

  281. 			switch ($prop) {

  282. 				case '{http://sabredav.org/ns}email-address':

  283. 					$users = $this->userManager->getByEmail($value);

  284. 

  285. 					if (!$allowEnumeration) {

  286. 						$users = \array_filter($users, static function (IUser $user) use ($value) {

  287. 							return $user->getEMailAddress() === $value;

  288. 						});

  289. 					}

  290. 

  291. 					if ($limitEnumeration) {

  292. 						$users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {

  293. 							return !empty(array_intersect(

  294. 									$this->groupManager->getUserGroupIds($user),

  295. 									$currentUserGroups

  296. 								)) || $user->getEMailAddress() === $value;

  297. 						});

  298. 					}

  299. 

  300. 					$results[] = array_reduce($users, function (array $carry, IUser $user) use ($restrictGroups) {

  301. 						// is sharing restricted to groups only?

  302. 						if ($restrictGroups !== false) {

  303. 							$userGroups = $this->groupManager->getUserGroupIds($user);

  304. 							if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  305. 								return $carry;

  306. 							}

  307. 						}

  308. 

  309. 						$carry[] = $this->principalPrefix . '/' . $user->getUID();

  310. 						return $carry;

  311. 					}, []);

  312. 					break;

  313. 

  314. 				case '{DAV:}displayname':

  315. 					$users = $this->userManager->searchDisplayName($value, $searchLimit);

  316. 

  317. 					if (!$allowEnumeration) {

  318. 						$users = \array_filter($users, static function (IUser $user) use ($value) {

  319. 							return $user->getDisplayName() === $value;

  320. 						});

  321. 					}

  322. 

  323. 					if ($limitEnumeration) {

  324. 						$users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {

  325. 							return !empty(array_intersect(

  326. 									$this->groupManager->getUserGroupIds($user),

  327. 									$currentUserGroups

  328. 								)) || $user->getDisplayName() === $value;

  329. 						});

  330. 					}

  331. 

  332. 					$results[] = array_reduce($users, function (array $carry, IUser $user) use ($restrictGroups) {

  333. 						// is sharing restricted to groups only?

  334. 						if ($restrictGroups !== false) {

  335. 							$userGroups = $this->groupManager->getUserGroupIds($user);

  336. 							if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  337. 								return $carry;

  338. 							}

  339. 						}

  340. 

  341. 						$carry[] = $this->principalPrefix . '/' . $user->getUID();

  342. 						return $carry;

  343. 					}, []);

  344. 					break;

  345. 

  346. 				case '{urn:ietf:params:xml:ns:caldav}calendar-user-address-set':

  347. 					// If you add support for more search properties that qualify as a user-address,

  348. 					// please also add them to the array below

  349. 					$results[] = $this->searchUserPrincipals([

  350. 						// In theory this should also search for principal:principals/users/...

  351. 						// but that's used internally only anyway and i don't know of any client querying that

  352. 						'{http://sabredav.org/ns}email-address' => $value,

  353. 					], 'anyof');

  354. 					break;

  355. 

  356. 				default:

  357. 					$results[] = [];

  358. 					break;

  359. 			}

  360. 		}

  361. 

  362. 		// results is an array of arrays, so this is not the first search result

  363. 		// but the results of the first searchProperty

  364. 		if (count($results) === 1) {

  365. 			return $results[0];

  366. 		}

  367. 

  368. 		switch ($test) {

  369. 			case 'anyof':

  370. 				return array_values(array_unique(array_merge(...$results)));

  371. 

  372. 			case 'allof':

  373. 			default:

  374. 				return array_values(array_intersect(...$results));

  375. 		}

  376. 	}

  377. 

  378. 	/**

  379. 	 * @param string $prefixPath

  380. 	 * @param array $searchProperties

  381. 	 * @param string $test

  382. 	 * @return array

  383. 	 */

  384. 	public function searchPrincipals($prefixPath, array $searchProperties, $test = 'allof') {

  385. 		if (count($searchProperties) === 0) {

  386. 			return [];

  387. 		}

  388. 

  389. 		switch ($prefixPath) {

  390. 			case 'principals/users':

  391. 				return $this->searchUserPrincipals($searchProperties, $test);

  392. 

  393. 			default:

  394. 				return [];

  395. 		}

  396. 	}

  397. 

  398. 	/**

  399. 	 * @param string $uri

  400. 	 * @param string $principalPrefix

  401. 	 * @return string

  402. 	 */

  403. 	public function findByUri($uri, $principalPrefix) {

  404. 		// If sharing is disabled, return the empty array

  405. 		$shareAPIEnabled = $this->shareManager->shareApiEnabled();

  406. 		if (!$shareAPIEnabled) {

  407. 			return null;

  408. 		}

  409. 

  410. 		// If sharing is restricted to group members only,

  411. 		// return only members that have groups in common

  412. 		$restrictGroups = false;

  413. 		if ($this->shareManager->shareWithGroupMembersOnly()) {

  414. 			$user = $this->userSession->getUser();

  415. 			if (!$user) {

  416. 				return null;

  417. 			}

  418. 

  419. 			$restrictGroups = $this->groupManager->getUserGroupIds($user);

  420. 		}

  421. 

  422. 		if (strpos($uri, 'mailto:') === 0) {

  423. 			if ($principalPrefix === 'principals/users') {

  424. 				$users = $this->userManager->getByEmail(substr($uri, 7));

  425. 				if (count($users) !== 1) {

  426. 					return null;

  427. 				}

  428. 				$user = $users[0];

  429. 

  430. 				if ($restrictGroups !== false) {

  431. 					$userGroups = $this->groupManager->getUserGroupIds($user);

  432. 					if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  433. 						return null;

  434. 					}

  435. 				}

  436. 

  437. 				return $this->principalPrefix . '/' . $user->getUID();

  438. 			}

  439. 		}

  440. 		if (substr($uri, 0, 10) === 'principal:') {

  441. 			$principal = substr($uri, 10);

  442. 			$principal = $this->getPrincipalByPath($principal);

  443. 			if ($principal !== null) {

  444. 				return $principal['uri'];

  445. 			}

  446. 		}

  447. 

  448. 		return null;

  449. 	}

  450. 

  451. 	/**

  452. 	 * @param IUser $user

  453. 	 * @return array

  454. 	 */

  455. 	protected function userToPrincipal($user) {

  456. 		$userId = $user->getUID();

  457. 		$displayName = $user->getDisplayName();

  458. 		$principal = [

  459. 			'uri' => $this->principalPrefix . '/' . $userId,

  460. 			'{DAV:}displayname' => is_null($displayName) ? $userId : $displayName,

  461. 			'{urn:ietf:params:xml:ns:caldav}calendar-user-type' => 'INDIVIDUAL',

  462. 		];

  463. 

  464. 		$email = $user->getEMailAddress();

  465. 		if (!empty($email)) {

  466. 			$principal['{http://sabredav.org/ns}email-address'] = $email;

  467. 		}

  468. 

  469. 		return $principal;

  470. 	}

  471. 

  472. 	public function getPrincipalPrefix() {

  473. 		return $this->principalPrefix;

  474. 	}

  475. 

  476. 	/**

  477. 	 * @param string $circleUniqueId

  478. 	 * @return array|null

  479. 	 */

  480. 	protected function circleToPrincipal($circleUniqueId) {

  481. 		if (!$this->appManager->isEnabledForUser('circles') || !class_exists('\OCA\Circles\Api\v1\Circles')) {

  482. 			return null;

  483. 		}

  484. 

  485. 		try {

  486. 			$circle = \OCA\Circles\Api\v1\Circles::detailsCircle($circleUniqueId, true);

  487. 		} catch (QueryException $ex) {

  488. 			return null;

  489. 		} catch (CircleDoesNotExistException $ex) {

  490. 			return null;

  491. 		}

  492. 

  493. 		if (!$circle) {

  494. 			return null;

  495. 		}

  496. 

  497. 		$principal = [

  498. 			'uri' => 'principals/circles/' . $circleUniqueId,

  499. 			'{DAV:}displayname' => $circle->getName(),

  500. 		];

  501. 

  502. 		return $principal;

  503. 	}

  504. 

  505. 	/**

  506. 	 * Returns the list of circles a principal is a member of

  507. 	 *

  508. 	 * @param string $principal

  509. 	 * @return array

  510. 	 * @throws Exception

  511. 	 * @throws \OCP\AppFramework\QueryException

  512. 	 * @suppress PhanUndeclaredClassMethod

  513. 	 */

  514. 	public function getCircleMembership($principal):array {

  515. 		if (!$this->appManager->isEnabledForUser('circles') || !class_exists('\OCA\Circles\Api\v1\Circles')) {

  516. 			return [];

  517. 		}

  518. 

  519. 		list($prefix, $name) = \Sabre\Uri\split($principal);

  520. 		if ($this->hasCircles && $prefix === $this->principalPrefix) {

  521. 			$user = $this->userManager->get($name);

  522. 			if (!$user) {

  523. 				throw new Exception('Principal not found');

  524. 			}

  525. 

  526. 			$circles = \OCA\Circles\Api\v1\Circles::joinedCircles($name, true);

  527. 

  528. 			$circles = array_map(function ($circle) {

  529. 				/** @var \OCA\Circles\Model\Circle $circle */

  530. 				return 'principals/circles/' . urlencode($circle->getUniqueId());

  531. 			}, $circles);

  532. 

  533. 			return $circles;

  534. 		}

  535. 

  536. 		return [];

  537. 	}

  538. }