mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 994 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
56618 Commits
371 Branches
Tree: d8ad4ef6b5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd8ad4ef6b5'
${ noResults }
nextcloud/apps/dav/lib/Connector/Sabre/Principal.php

Principal.php 15KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  * @copyright Copyright (c) 2018, Georg Ehrke

  5.  *

  6.  * @author Bart Visscher <bartv@thisnet.nl>

  7.  * @author Christoph Seitz <christoph.seitz@posteo.de>

  8.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  9.  * @author Georg Ehrke <oc.list@georgehrke.com>

  10.  * @author Jakob Sack <mail@jakobsack.de>

  11.  * @author Julius Härtl <jus@bitgrid.net>

  12.  * @author Lukas Reschke <lukas@statuscode.ch>

  13.  * @author Morris Jobke <hey@morrisjobke.de>

  14.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  15.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  16.  * @author Vincent Petry <pvince81@owncloud.com>

  17.  * @author Vinicius Cubas Brand <vinicius@eita.org.br>

  18.  *

  19.  * @license AGPL-3.0

  20.  *

  21.  * This code is free software: you can redistribute it and/or modify

  22.  * it under the terms of the GNU Affero General Public License, version 3,

  23.  * as published by the Free Software Foundation.

  24.  *

  25.  * This program is distributed in the hope that it will be useful,

  26.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  27.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  28.  * GNU Affero General Public License for more details.

  29.  *

  30.  * You should have received a copy of the GNU Affero General Public License, version 3,

  31.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  32.  *

  33.  */

  34. 

  35. namespace OCA\DAV\Connector\Sabre;

  36. 

  37. use OCA\Circles\Exceptions\CircleDoesNotExistException;

  38. use OCA\DAV\CalDAV\Proxy\ProxyMapper;

  39. use OCA\DAV\Traits\PrincipalProxyTrait;

  40. use OCP\App\IAppManager;

  41. use OCP\AppFramework\QueryException;

  42. use OCP\Constants;

  43. use OCP\IConfig;

  44. use OCP\IGroupManager;

  45. use OCP\IUser;

  46. use OCP\IUserManager;

  47. use OCP\IUserSession;

  48. use OCP\Share\IManager as IShareManager;

  49. use Sabre\DAV\Exception;

  50. use Sabre\DAV\PropPatch;

  51. use Sabre\DAVACL\PrincipalBackend\BackendInterface;

  52. 

  53. class Principal implements BackendInterface {

  54. 

  55. 	/** @var IUserManager */

  56. 	private $userManager;

  57. 

  58. 	/** @var IGroupManager */

  59. 	private $groupManager;

  60. 

  61. 	/** @var IShareManager */

  62. 	private $shareManager;

  63. 

  64. 	/** @var IUserSession */

  65. 	private $userSession;

  66. 

  67. 	/** @var IAppManager */

  68. 	private $appManager;

  69. 

  70. 	/** @var string */

  71. 	private $principalPrefix;

  72. 

  73. 	/** @var bool */

  74. 	private $hasGroups;

  75. 

  76. 	/** @var bool */

  77. 	private $hasCircles;

  78. 

  79. 	/** @var ProxyMapper */

  80. 	private $proxyMapper;

  81. 

  82. 	/** @var IConfig */

  83. 	private $config;

  84. 

  85. 	/**

  86. 	 * Principal constructor.

  87. 	 *

  88. 	 * @param IUserManager $userManager

  89. 	 * @param IGroupManager $groupManager

  90. 	 * @param IShareManager $shareManager

  91. 	 * @param IUserSession $userSession

  92. 	 * @param IAppManager $appManager

  93. 	 * @param ProxyMapper $proxyMapper

  94. 	 * @param IConfig $config

  95. 	 * @param string $principalPrefix

  96. 	 */

  97. 	public function __construct(IUserManager $userManager,

  98. 								IGroupManager $groupManager,

  99. 								IShareManager $shareManager,

  100. 								IUserSession $userSession,

  101. 								IAppManager $appManager,

  102. 								ProxyMapper $proxyMapper,

  103. 								IConfig $config,

  104. 								string $principalPrefix = 'principals/users/') {

  105. 		$this->userManager = $userManager;

  106. 		$this->groupManager = $groupManager;

  107. 		$this->shareManager = $shareManager;

  108. 		$this->userSession = $userSession;

  109. 		$this->appManager = $appManager;

  110. 		$this->principalPrefix = trim($principalPrefix, '/');

  111. 		$this->hasGroups = $this->hasCircles = ($principalPrefix === 'principals/users/');

  112. 		$this->proxyMapper = $proxyMapper;

  113. 		$this->config = $config;

  114. 	}

  115. 

  116. 	use PrincipalProxyTrait {

  117. 		getGroupMembership as protected traitGetGroupMembership;

  118. 	}

  119. 

  120. 	/**

  121. 	 * Returns a list of principals based on a prefix.

  122. 	 *

  123. 	 * This prefix will often contain something like 'principals'. You are only

  124. 	 * expected to return principals that are in this base path.

  125. 	 *

  126. 	 * You are expected to return at least a 'uri' for every user, you can

  127. 	 * return any additional properties if you wish so. Common properties are:

  128. 	 *   {DAV:}displayname

  129. 	 *

  130. 	 * @param string $prefixPath

  131. 	 * @return string[]

  132. 	 */

  133. 	public function getPrincipalsByPrefix($prefixPath) {

  134. 		$principals = [];

  135. 

  136. 		if ($prefixPath === $this->principalPrefix) {

  137. 			foreach ($this->userManager->search('') as $user) {

  138. 				$principals[] = $this->userToPrincipal($user);

  139. 			}

  140. 		}

  141. 

  142. 		return $principals;

  143. 	}

  144. 

  145. 	/**

  146. 	 * Returns a specific principal, specified by it's path.

  147. 	 * The returned structure should be the exact same as from

  148. 	 * getPrincipalsByPrefix.

  149. 	 *

  150. 	 * @param string $path

  151. 	 * @return array

  152. 	 */

  153. 	public function getPrincipalByPath($path) {

  154. 		list($prefix, $name) = \Sabre\Uri\split($path);

  155. 

  156. 		if ($name === 'calendar-proxy-write' || $name === 'calendar-proxy-read') {

  157. 			list($prefix2, $name2) = \Sabre\Uri\split($prefix);

  158. 

  159. 			if ($prefix2 === $this->principalPrefix) {

  160. 				$user = $this->userManager->get($name2);

  161. 

  162. 				if ($user !== null) {

  163. 					return [

  164. 						'uri' => 'principals/users/' . $user->getUID() . '/' . $name,

  165. 					];

  166. 				}

  167. 				return null;

  168. 			}

  169. 		}

  170. 

  171. 		if ($prefix === $this->principalPrefix) {

  172. 			// Depending on where it is called, it may happen that this function

  173. 			// is called either with a urlencoded version of the name or with a non-urlencoded one.

  174. 			// The urldecode function replaces %## and +, both of which are forbidden in usernames.

  175. 			// Hence there can be no ambiguity here and it is safe to call urldecode on all usernames

  176. 			$user = $this->userManager->get(urldecode($name));

  177. 

  178. 			if ($user !== null) {

  179. 				return $this->userToPrincipal($user);

  180. 			}

  181. 		} elseif ($prefix === 'principals/circles') {

  182. 			if ($this->userSession->getUser() !== null) {

  183. 				return $this->circleToPrincipal($name);

  184. 			}

  185. 		}

  186. 		return null;

  187. 	}

  188. 

  189. 	/**

  190. 	 * Returns the list of groups a principal is a member of

  191. 	 *

  192. 	 * @param string $principal

  193. 	 * @param bool $needGroups

  194. 	 * @return array

  195. 	 * @throws Exception

  196. 	 */

  197. 	public function getGroupMembership($principal, $needGroups = false) {

  198. 		list($prefix, $name) = \Sabre\Uri\split($principal);

  199. 

  200. 		if ($prefix !== $this->principalPrefix) {

  201. 			return [];

  202. 		}

  203. 

  204. 		$user = $this->userManager->get($name);

  205. 		if (!$user) {

  206. 			throw new Exception('Principal not found');

  207. 		}

  208. 

  209. 		$groups = [];

  210. 

  211. 		if ($this->hasGroups || $needGroups) {

  212. 			$userGroups = $this->groupManager->getUserGroups($user);

  213. 			foreach ($userGroups as $userGroup) {

  214. 				$groups[] = 'principals/groups/' . urlencode($userGroup->getGID());

  215. 			}

  216. 		}

  217. 

  218. 		$groups = array_unique(array_merge(

  219. 			$groups,

  220. 			$this->traitGetGroupMembership($principal, $needGroups)

  221. 		));

  222. 

  223. 		return $groups;

  224. 	}

  225. 

  226. 	/**

  227. 	 * @param string $path

  228. 	 * @param PropPatch $propPatch

  229. 	 * @return int

  230. 	 */

  231. 	public function updatePrincipal($path, PropPatch $propPatch) {

  232. 		return 0;

  233. 	}

  234. 

  235. 	/**

  236. 	 * Search user principals

  237. 	 *

  238. 	 * @param array $searchProperties

  239. 	 * @param string $test

  240. 	 * @return array

  241. 	 */

  242. 	protected function searchUserPrincipals(array $searchProperties, $test = 'allof') {

  243. 		$results = [];

  244. 

  245. 		// If sharing is disabled, return the empty array

  246. 		$shareAPIEnabled = $this->shareManager->shareApiEnabled();

  247. 		if (!$shareAPIEnabled) {

  248. 			return [];

  249. 		}

  250. 

  251. 		$allowEnumeration = $this->shareManager->allowEnumeration();

  252. 		$limitEnumeration = $this->shareManager->limitEnumerationToGroups();

  253. 

  254. 		// If sharing is restricted to group members only,

  255. 		// return only members that have groups in common

  256. 		$restrictGroups = false;

  257. 		if ($this->shareManager->shareWithGroupMembersOnly()) {

  258. 			$user = $this->userSession->getUser();

  259. 			if (!$user) {

  260. 				return [];

  261. 			}

  262. 

  263. 			$restrictGroups = $this->groupManager->getUserGroupIds($user);

  264. 		}

  265. 

  266. 		$currentUserGroups = [];

  267. 		if ($limitEnumeration) {

  268. 			$currentUser = $this->userSession->getUser();

  269. 			if ($currentUser) {

  270. 				$currentUserGroups = $this->groupManager->getUserGroupIds($currentUser);

  271. 			}

  272. 		}

  273. 

  274. 		$searchLimit = $this->config->getSystemValueInt('sharing.maxAutocompleteResults', Constants::SHARING_MAX_AUTOCOMPLETE_RESULTS_DEFAULT);

  275. 		if ($searchLimit <= 0) {

  276. 			$searchLimit = null;

  277. 		}

  278. 		foreach ($searchProperties as $prop => $value) {

  279. 			switch ($prop) {

  280. 				case '{http://sabredav.org/ns}email-address':

  281. 					$users = $this->userManager->getByEmail($value);

  282. 

  283. 					if (!$allowEnumeration) {

  284. 						$users = \array_filter($users, static function (IUser $user) use ($value) {

  285. 							return $user->getEMailAddress() === $value;

  286. 						});

  287. 					}

  288. 

  289. 					if ($limitEnumeration) {

  290. 						$users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {

  291. 							return !empty(array_intersect(

  292. 									$this->groupManager->getUserGroupIds($user),

  293. 									$currentUserGroups

  294. 								)) || $user->getEMailAddress() === $value;

  295. 						});

  296. 					}

  297. 

  298. 					$results[] = array_reduce($users, function (array $carry, IUser $user) use ($restrictGroups) {

  299. 						// is sharing restricted to groups only?

  300. 						if ($restrictGroups !== false) {

  301. 							$userGroups = $this->groupManager->getUserGroupIds($user);

  302. 							if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  303. 								return $carry;

  304. 							}

  305. 						}

  306. 

  307. 						$carry[] = $this->principalPrefix . '/' . $user->getUID();

  308. 						return $carry;

  309. 					}, []);

  310. 					break;

  311. 

  312. 				case '{DAV:}displayname':

  313. 					$users = $this->userManager->searchDisplayName($value, $searchLimit);

  314. 

  315. 					if (!$allowEnumeration) {

  316. 						$users = \array_filter($users, static function (IUser $user) use ($value) {

  317. 							return $user->getDisplayName() === $value;

  318. 						});

  319. 					}

  320. 

  321. 					if ($limitEnumeration) {

  322. 						$users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {

  323. 							return !empty(array_intersect(

  324. 									$this->groupManager->getUserGroupIds($user),

  325. 									$currentUserGroups

  326. 								)) || $user->getDisplayName() === $value;

  327. 						});

  328. 					}

  329. 

  330. 					$results[] = array_reduce($users, function (array $carry, IUser $user) use ($restrictGroups) {

  331. 						// is sharing restricted to groups only?

  332. 						if ($restrictGroups !== false) {

  333. 							$userGroups = $this->groupManager->getUserGroupIds($user);

  334. 							if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  335. 								return $carry;

  336. 							}

  337. 						}

  338. 

  339. 						$carry[] = $this->principalPrefix . '/' . $user->getUID();

  340. 						return $carry;

  341. 					}, []);

  342. 					break;

  343. 

  344. 				case '{urn:ietf:params:xml:ns:caldav}calendar-user-address-set':

  345. 					// If you add support for more search properties that qualify as a user-address,

  346. 					// please also add them to the array below

  347. 					$results[] = $this->searchUserPrincipals([

  348. 						// In theory this should also search for principal:principals/users/...

  349. 						// but that's used internally only anyway and i don't know of any client querying that

  350. 						'{http://sabredav.org/ns}email-address' => $value,

  351. 					], 'anyof');

  352. 					break;

  353. 

  354. 				default:

  355. 					$results[] = [];

  356. 					break;

  357. 			}

  358. 		}

  359. 

  360. 		// results is an array of arrays, so this is not the first search result

  361. 		// but the results of the first searchProperty

  362. 		if (count($results) === 1) {

  363. 			return $results[0];

  364. 		}

  365. 

  366. 		switch ($test) {

  367. 			case 'anyof':

  368. 				return array_values(array_unique(array_merge(...$results)));

  369. 

  370. 			case 'allof':

  371. 			default:

  372. 				return array_values(array_intersect(...$results));

  373. 		}

  374. 	}

  375. 

  376. 	/**

  377. 	 * @param string $prefixPath

  378. 	 * @param array $searchProperties

  379. 	 * @param string $test

  380. 	 * @return array

  381. 	 */

  382. 	public function searchPrincipals($prefixPath, array $searchProperties, $test = 'allof') {

  383. 		if (count($searchProperties) === 0) {

  384. 			return [];

  385. 		}

  386. 

  387. 		switch ($prefixPath) {

  388. 			case 'principals/users':

  389. 				return $this->searchUserPrincipals($searchProperties, $test);

  390. 

  391. 			default:

  392. 				return [];

  393. 		}

  394. 	}

  395. 

  396. 	/**

  397. 	 * @param string $uri

  398. 	 * @param string $principalPrefix

  399. 	 * @return string

  400. 	 */

  401. 	public function findByUri($uri, $principalPrefix) {

  402. 		// If sharing is disabled, return the empty array

  403. 		$shareAPIEnabled = $this->shareManager->shareApiEnabled();

  404. 		if (!$shareAPIEnabled) {

  405. 			return null;

  406. 		}

  407. 

  408. 		// If sharing is restricted to group members only,

  409. 		// return only members that have groups in common

  410. 		$restrictGroups = false;

  411. 		if ($this->shareManager->shareWithGroupMembersOnly()) {

  412. 			$user = $this->userSession->getUser();

  413. 			if (!$user) {

  414. 				return null;

  415. 			}

  416. 

  417. 			$restrictGroups = $this->groupManager->getUserGroupIds($user);

  418. 		}

  419. 

  420. 		if (strpos($uri, 'mailto:') === 0) {

  421. 			if ($principalPrefix === 'principals/users') {

  422. 				$users = $this->userManager->getByEmail(substr($uri, 7));

  423. 				if (count($users) !== 1) {

  424. 					return null;

  425. 				}

  426. 				$user = $users[0];

  427. 

  428. 				if ($restrictGroups !== false) {

  429. 					$userGroups = $this->groupManager->getUserGroupIds($user);

  430. 					if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  431. 						return null;

  432. 					}

  433. 				}

  434. 

  435. 				return $this->principalPrefix . '/' . $user->getUID();

  436. 			}

  437. 		}

  438. 		if (substr($uri, 0, 10) === 'principal:') {

  439. 			$principal = substr($uri, 10);

  440. 			$principal = $this->getPrincipalByPath($principal);

  441. 			if ($principal !== null) {

  442. 				return $principal['uri'];

  443. 			}

  444. 		}

  445. 

  446. 		return null;

  447. 	}

  448. 

  449. 	/**

  450. 	 * @param IUser $user

  451. 	 * @return array

  452. 	 */

  453. 	protected function userToPrincipal($user) {

  454. 		$userId = $user->getUID();

  455. 		$displayName = $user->getDisplayName();

  456. 		$principal = [

  457. 			'uri' => $this->principalPrefix . '/' . $userId,

  458. 			'{DAV:}displayname' => is_null($displayName) ? $userId : $displayName,

  459. 			'{urn:ietf:params:xml:ns:caldav}calendar-user-type' => 'INDIVIDUAL',

  460. 		];

  461. 

  462. 		$email = $user->getEMailAddress();

  463. 		if (!empty($email)) {

  464. 			$principal['{http://sabredav.org/ns}email-address'] = $email;

  465. 		}

  466. 

  467. 		return $principal;

  468. 	}

  469. 

  470. 	public function getPrincipalPrefix() {

  471. 		return $this->principalPrefix;

  472. 	}

  473. 

  474. 	/**

  475. 	 * @param string $circleUniqueId

  476. 	 * @return array|null

  477. 	 */

  478. 	protected function circleToPrincipal($circleUniqueId) {

  479. 		if (!$this->appManager->isEnabledForUser('circles') || !class_exists('\OCA\Circles\Api\v1\Circles')) {

  480. 			return null;

  481. 		}

  482. 

  483. 		try {

  484. 			$circle = \OCA\Circles\Api\v1\Circles::detailsCircle($circleUniqueId, true);

  485. 		} catch (QueryException $ex) {

  486. 			return null;

  487. 		} catch (CircleDoesNotExistException $ex) {

  488. 			return null;

  489. 		}

  490. 

  491. 		if (!$circle) {

  492. 			return null;

  493. 		}

  494. 

  495. 		$principal = [

  496. 			'uri' => 'principals/circles/' . $circleUniqueId,

  497. 			'{DAV:}displayname' => $circle->getName(),

  498. 		];

  499. 

  500. 		return $principal;

  501. 	}

  502. 

  503. 	/**

  504. 	 * Returns the list of circles a principal is a member of

  505. 	 *

  506. 	 * @param string $principal

  507. 	 * @return array

  508. 	 * @throws Exception

  509. 	 * @throws \OCP\AppFramework\QueryException

  510. 	 * @suppress PhanUndeclaredClassMethod

  511. 	 */

  512. 	public function getCircleMembership($principal):array {

  513. 		if (!$this->appManager->isEnabledForUser('circles') || !class_exists('\OCA\Circles\Api\v1\Circles')) {

  514. 			return [];

  515. 		}

  516. 

  517. 		list($prefix, $name) = \Sabre\Uri\split($principal);

  518. 		if ($this->hasCircles && $prefix === $this->principalPrefix) {

  519. 			$user = $this->userManager->get($name);

  520. 			if (!$user) {

  521. 				throw new Exception('Principal not found');

  522. 			}

  523. 

  524. 			$circles = \OCA\Circles\Api\v1\Circles::joinedCircles($name, true);

  525. 

  526. 			$circles = array_map(function ($circle) {

  527. 				/** @var \OCA\Circles\Model\Circle $circle */

  528. 				return 'principals/circles/' . urlencode($circle->getUniqueId());

  529. 			}, $circles);

  530. 

  531. 			return $circles;

  532. 		}

  533. 

  534. 		return [];

  535. 	}

  536. }