mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 984 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57403 Commits
379 Branches
Tree: eb502c02ff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'eb502c02ff'
${ noResults }
nextcloud/apps/dav/lib/Connector/Sabre/Principal.php

Principal.php 15KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  * @copyright Copyright (c) 2018, Georg Ehrke

  5.  *

  6.  * @author Arthur Schiwon <blizzz@arthur-schiwon.de>

  7.  * @author Bart Visscher <bartv@thisnet.nl>

  8.  * @author Christoph Seitz <christoph.seitz@posteo.de>

  9.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  10.  * @author Daniel Kesselberg <mail@danielkesselberg.de>

  11.  * @author Georg Ehrke <oc.list@georgehrke.com>

  12.  * @author Jakob Sack <mail@jakobsack.de>

  13.  * @author Julius Härtl <jus@bitgrid.net>

  14.  * @author Lukas Reschke <lukas@statuscode.ch>

  15.  * @author Morris Jobke <hey@morrisjobke.de>

  16.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  17.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  18.  * @author Vincent Petry <vincent@nextcloud.com>

  19.  * @author Vinicius Cubas Brand <vinicius@eita.org.br>

  20.  *

  21.  * @license AGPL-3.0

  22.  *

  23.  * This code is free software: you can redistribute it and/or modify

  24.  * it under the terms of the GNU Affero General Public License, version 3,

  25.  * as published by the Free Software Foundation.

  26.  *

  27.  * This program is distributed in the hope that it will be useful,

  28.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  29.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  30.  * GNU Affero General Public License for more details.

  31.  *

  32.  * You should have received a copy of the GNU Affero General Public License, version 3,

  33.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  34.  *

  35.  */

  36. 

  37. namespace OCA\DAV\Connector\Sabre;

  38. 

  39. use OCA\Circles\Exceptions\CircleDoesNotExistException;

  40. use OCA\DAV\CalDAV\Proxy\ProxyMapper;

  41. use OCA\DAV\Traits\PrincipalProxyTrait;

  42. use OCP\App\IAppManager;

  43. use OCP\AppFramework\QueryException;

  44. use OCP\Constants;

  45. use OCP\IConfig;

  46. use OCP\IGroup;

  47. use OCP\IGroupManager;

  48. use OCP\IUser;

  49. use OCP\IUserManager;

  50. use OCP\IUserSession;

  51. use OCP\Share\IManager as IShareManager;

  52. use Sabre\DAV\Exception;

  53. use Sabre\DAV\PropPatch;

  54. use Sabre\DAVACL\PrincipalBackend\BackendInterface;

  55. 

  56. class Principal implements BackendInterface {

  57. 

  58. 	/** @var IUserManager */

  59. 	private $userManager;

  60. 

  61. 	/** @var IGroupManager */

  62. 	private $groupManager;

  63. 

  64. 	/** @var IShareManager */

  65. 	private $shareManager;

  66. 

  67. 	/** @var IUserSession */

  68. 	private $userSession;

  69. 

  70. 	/** @var IAppManager */

  71. 	private $appManager;

  72. 

  73. 	/** @var string */

  74. 	private $principalPrefix;

  75. 

  76. 	/** @var bool */

  77. 	private $hasGroups;

  78. 

  79. 	/** @var bool */

  80. 	private $hasCircles;

  81. 

  82. 	/** @var ProxyMapper */

  83. 	private $proxyMapper;

  84. 

  85. 	/** @var IConfig */

  86. 	private $config;

  87. 

  88. 	/**

  89. 	 * Principal constructor.

  90. 	 *

  91. 	 * @param IUserManager $userManager

  92. 	 * @param IGroupManager $groupManager

  93. 	 * @param IShareManager $shareManager

  94. 	 * @param IUserSession $userSession

  95. 	 * @param IAppManager $appManager

  96. 	 * @param ProxyMapper $proxyMapper

  97. 	 * @param IConfig $config

  98. 	 * @param string $principalPrefix

  99. 	 */

  100. 	public function __construct(IUserManager $userManager,

  101. 								IGroupManager $groupManager,

  102. 								IShareManager $shareManager,

  103. 								IUserSession $userSession,

  104. 								IAppManager $appManager,

  105. 								ProxyMapper $proxyMapper,

  106. 								IConfig $config,

  107. 								string $principalPrefix = 'principals/users/') {

  108. 		$this->userManager = $userManager;

  109. 		$this->groupManager = $groupManager;

  110. 		$this->shareManager = $shareManager;

  111. 		$this->userSession = $userSession;

  112. 		$this->appManager = $appManager;

  113. 		$this->principalPrefix = trim($principalPrefix, '/');

  114. 		$this->hasGroups = $this->hasCircles = ($principalPrefix === 'principals/users/');

  115. 		$this->proxyMapper = $proxyMapper;

  116. 		$this->config = $config;

  117. 	}

  118. 

  119. 	use PrincipalProxyTrait {

  120. 		getGroupMembership as protected traitGetGroupMembership;

  121. 	}

  122. 

  123. 	/**

  124. 	 * Returns a list of principals based on a prefix.

  125. 	 *

  126. 	 * This prefix will often contain something like 'principals'. You are only

  127. 	 * expected to return principals that are in this base path.

  128. 	 *

  129. 	 * You are expected to return at least a 'uri' for every user, you can

  130. 	 * return any additional properties if you wish so. Common properties are:

  131. 	 *   {DAV:}displayname

  132. 	 *

  133. 	 * @param string $prefixPath

  134. 	 * @return string[]

  135. 	 */

  136. 	public function getPrincipalsByPrefix($prefixPath) {

  137. 		$principals = [];

  138. 

  139. 		if ($prefixPath === $this->principalPrefix) {

  140. 			foreach ($this->userManager->search('') as $user) {

  141. 				$principals[] = $this->userToPrincipal($user);

  142. 			}

  143. 		}

  144. 

  145. 		return $principals;

  146. 	}

  147. 

  148. 	/**

  149. 	 * Returns a specific principal, specified by it's path.

  150. 	 * The returned structure should be the exact same as from

  151. 	 * getPrincipalsByPrefix.

  152. 	 *

  153. 	 * @param string $path

  154. 	 * @return array

  155. 	 */

  156. 	public function getPrincipalByPath($path) {

  157. 		[$prefix, $name] = \Sabre\Uri\split($path);

  158. 		$decodedName = urldecode($name);

  159. 

  160. 		if ($name === 'calendar-proxy-write' || $name === 'calendar-proxy-read') {

  161. 			[$prefix2, $name2] = \Sabre\Uri\split($prefix);

  162. 

  163. 			if ($prefix2 === $this->principalPrefix) {

  164. 				$user = $this->userManager->get($name2);

  165. 

  166. 				if ($user !== null) {

  167. 					return [

  168. 						'uri' => 'principals/users/' . $user->getUID() . '/' . $name,

  169. 					];

  170. 				}

  171. 				return null;

  172. 			}

  173. 		}

  174. 

  175. 		if ($prefix === $this->principalPrefix) {

  176. 			// Depending on where it is called, it may happen that this function

  177. 			// is called either with a urlencoded version of the name or with a non-urlencoded one.

  178. 			// The urldecode function replaces %## and +, both of which are forbidden in usernames.

  179. 			// Hence there can be no ambiguity here and it is safe to call urldecode on all usernames

  180. 			$user = $this->userManager->get($decodedName);

  181. 

  182. 			if ($user !== null) {

  183. 				return $this->userToPrincipal($user);

  184. 			}

  185. 		} elseif ($prefix === 'principals/circles') {

  186. 			if ($this->userSession->getUser() !== null) {

  187. 				// At the time of writing - 2021-01-19 — a mixed state is possible.

  188. 				// The second condition can be removed when this is fixed.

  189. 				return $this->circleToPrincipal($decodedName)

  190. 					?: $this->circleToPrincipal($name);

  191. 			}

  192. 		} elseif ($prefix === 'principals/groups') {

  193. 			// At the time of writing - 2021-01-19 — a mixed state is possible.

  194. 			// The second condition can be removed when this is fixed.

  195. 			$group = $this->groupManager->get($decodedName)

  196. 				?: $this->groupManager->get($name);

  197. 			if ($group instanceof IGroup) {

  198. 				return [

  199. 					'uri' => 'principals/groups/' . $name,

  200. 					'{DAV:}displayname' => $group->getDisplayName(),

  201. 				];

  202. 			}

  203. 		}

  204. 		return null;

  205. 	}

  206. 

  207. 	/**

  208. 	 * Returns the list of groups a principal is a member of

  209. 	 *

  210. 	 * @param string $principal

  211. 	 * @param bool $needGroups

  212. 	 * @return array

  213. 	 * @throws Exception

  214. 	 */

  215. 	public function getGroupMembership($principal, $needGroups = false) {

  216. 		[$prefix, $name] = \Sabre\Uri\split($principal);

  217. 

  218. 		if ($prefix !== $this->principalPrefix) {

  219. 			return [];

  220. 		}

  221. 

  222. 		$user = $this->userManager->get($name);

  223. 		if (!$user) {

  224. 			throw new Exception('Principal not found');

  225. 		}

  226. 

  227. 		$groups = [];

  228. 

  229. 		if ($this->hasGroups || $needGroups) {

  230. 			$userGroups = $this->groupManager->getUserGroups($user);

  231. 			foreach ($userGroups as $userGroup) {

  232. 				$groups[] = 'principals/groups/' . urlencode($userGroup->getGID());

  233. 			}

  234. 		}

  235. 

  236. 		$groups = array_unique(array_merge(

  237. 			$groups,

  238. 			$this->traitGetGroupMembership($principal, $needGroups)

  239. 		));

  240. 

  241. 		return $groups;

  242. 	}

  243. 

  244. 	/**

  245. 	 * @param string $path

  246. 	 * @param PropPatch $propPatch

  247. 	 * @return int

  248. 	 */

  249. 	public function updatePrincipal($path, PropPatch $propPatch) {

  250. 		return 0;

  251. 	}

  252. 

  253. 	/**

  254. 	 * Search user principals

  255. 	 *

  256. 	 * @param array $searchProperties

  257. 	 * @param string $test

  258. 	 * @return array

  259. 	 */

  260. 	protected function searchUserPrincipals(array $searchProperties, $test = 'allof') {

  261. 		$results = [];

  262. 

  263. 		// If sharing is disabled, return the empty array

  264. 		$shareAPIEnabled = $this->shareManager->shareApiEnabled();

  265. 		if (!$shareAPIEnabled) {

  266. 			return [];

  267. 		}

  268. 

  269. 		$allowEnumeration = $this->shareManager->allowEnumeration();

  270. 		$limitEnumeration = $this->shareManager->limitEnumerationToGroups();

  271. 

  272. 		// If sharing is restricted to group members only,

  273. 		// return only members that have groups in common

  274. 		$restrictGroups = false;

  275. 		if ($this->shareManager->shareWithGroupMembersOnly()) {

  276. 			$user = $this->userSession->getUser();

  277. 			if (!$user) {

  278. 				return [];

  279. 			}

  280. 

  281. 			$restrictGroups = $this->groupManager->getUserGroupIds($user);

  282. 		}

  283. 

  284. 		$currentUserGroups = [];

  285. 		if ($limitEnumeration) {

  286. 			$currentUser = $this->userSession->getUser();

  287. 			if ($currentUser) {

  288. 				$currentUserGroups = $this->groupManager->getUserGroupIds($currentUser);

  289. 			}

  290. 		}

  291. 

  292. 		$searchLimit = $this->config->getSystemValueInt('sharing.maxAutocompleteResults', Constants::SHARING_MAX_AUTOCOMPLETE_RESULTS_DEFAULT);

  293. 		if ($searchLimit <= 0) {

  294. 			$searchLimit = null;

  295. 		}

  296. 		foreach ($searchProperties as $prop => $value) {

  297. 			switch ($prop) {

  298. 				case '{http://sabredav.org/ns}email-address':

  299. 					$users = $this->userManager->getByEmail($value);

  300. 

  301. 					if (!$allowEnumeration) {

  302. 						$users = \array_filter($users, static function (IUser $user) use ($value) {

  303. 							return $user->getEMailAddress() === $value;

  304. 						});

  305. 					}

  306. 

  307. 					if ($limitEnumeration) {

  308. 						$users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {

  309. 							return !empty(array_intersect(

  310. 									$this->groupManager->getUserGroupIds($user),

  311. 									$currentUserGroups

  312. 								)) || $user->getEMailAddress() === $value;

  313. 						});

  314. 					}

  315. 

  316. 					$results[] = array_reduce($users, function (array $carry, IUser $user) use ($restrictGroups) {

  317. 						// is sharing restricted to groups only?

  318. 						if ($restrictGroups !== false) {

  319. 							$userGroups = $this->groupManager->getUserGroupIds($user);

  320. 							if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  321. 								return $carry;

  322. 							}

  323. 						}

  324. 

  325. 						$carry[] = $this->principalPrefix . '/' . $user->getUID();

  326. 						return $carry;

  327. 					}, []);

  328. 					break;

  329. 

  330. 				case '{DAV:}displayname':

  331. 					$users = $this->userManager->searchDisplayName($value, $searchLimit);

  332. 

  333. 					if (!$allowEnumeration) {

  334. 						$users = \array_filter($users, static function (IUser $user) use ($value) {

  335. 							return $user->getDisplayName() === $value;

  336. 						});

  337. 					}

  338. 

  339. 					if ($limitEnumeration) {

  340. 						$users = \array_filter($users, function (IUser $user) use ($currentUserGroups, $value) {

  341. 							return !empty(array_intersect(

  342. 									$this->groupManager->getUserGroupIds($user),

  343. 									$currentUserGroups

  344. 								)) || $user->getDisplayName() === $value;

  345. 						});

  346. 					}

  347. 

  348. 					$results[] = array_reduce($users, function (array $carry, IUser $user) use ($restrictGroups) {

  349. 						// is sharing restricted to groups only?

  350. 						if ($restrictGroups !== false) {

  351. 							$userGroups = $this->groupManager->getUserGroupIds($user);

  352. 							if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  353. 								return $carry;

  354. 							}

  355. 						}

  356. 

  357. 						$carry[] = $this->principalPrefix . '/' . $user->getUID();

  358. 						return $carry;

  359. 					}, []);

  360. 					break;

  361. 

  362. 				case '{urn:ietf:params:xml:ns:caldav}calendar-user-address-set':

  363. 					// If you add support for more search properties that qualify as a user-address,

  364. 					// please also add them to the array below

  365. 					$results[] = $this->searchUserPrincipals([

  366. 						// In theory this should also search for principal:principals/users/...

  367. 						// but that's used internally only anyway and i don't know of any client querying that

  368. 						'{http://sabredav.org/ns}email-address' => $value,

  369. 					], 'anyof');

  370. 					break;

  371. 

  372. 				default:

  373. 					$results[] = [];

  374. 					break;

  375. 			}

  376. 		}

  377. 

  378. 		// results is an array of arrays, so this is not the first search result

  379. 		// but the results of the first searchProperty

  380. 		if (count($results) === 1) {

  381. 			return $results[0];

  382. 		}

  383. 

  384. 		switch ($test) {

  385. 			case 'anyof':

  386. 				return array_values(array_unique(array_merge(...$results)));

  387. 

  388. 			case 'allof':

  389. 			default:

  390. 				return array_values(array_intersect(...$results));

  391. 		}

  392. 	}

  393. 

  394. 	/**

  395. 	 * @param string $prefixPath

  396. 	 * @param array $searchProperties

  397. 	 * @param string $test

  398. 	 * @return array

  399. 	 */

  400. 	public function searchPrincipals($prefixPath, array $searchProperties, $test = 'allof') {

  401. 		if (count($searchProperties) === 0) {

  402. 			return [];

  403. 		}

  404. 

  405. 		switch ($prefixPath) {

  406. 			case 'principals/users':

  407. 				return $this->searchUserPrincipals($searchProperties, $test);

  408. 

  409. 			default:

  410. 				return [];

  411. 		}

  412. 	}

  413. 

  414. 	/**

  415. 	 * @param string $uri

  416. 	 * @param string $principalPrefix

  417. 	 * @return string

  418. 	 */

  419. 	public function findByUri($uri, $principalPrefix) {

  420. 		// If sharing is disabled, return the empty array

  421. 		$shareAPIEnabled = $this->shareManager->shareApiEnabled();

  422. 		if (!$shareAPIEnabled) {

  423. 			return null;

  424. 		}

  425. 

  426. 		// If sharing is restricted to group members only,

  427. 		// return only members that have groups in common

  428. 		$restrictGroups = false;

  429. 		if ($this->shareManager->shareWithGroupMembersOnly()) {

  430. 			$user = $this->userSession->getUser();

  431. 			if (!$user) {

  432. 				return null;

  433. 			}

  434. 

  435. 			$restrictGroups = $this->groupManager->getUserGroupIds($user);

  436. 		}

  437. 

  438. 		if (strpos($uri, 'mailto:') === 0) {

  439. 			if ($principalPrefix === 'principals/users') {

  440. 				$users = $this->userManager->getByEmail(substr($uri, 7));

  441. 				if (count($users) !== 1) {

  442. 					return null;

  443. 				}

  444. 				$user = $users[0];

  445. 

  446. 				if ($restrictGroups !== false) {

  447. 					$userGroups = $this->groupManager->getUserGroupIds($user);

  448. 					if (count(array_intersect($userGroups, $restrictGroups)) === 0) {

  449. 						return null;

  450. 					}

  451. 				}

  452. 

  453. 				return $this->principalPrefix . '/' . $user->getUID();

  454. 			}

  455. 		}

  456. 		if (substr($uri, 0, 10) === 'principal:') {

  457. 			$principal = substr($uri, 10);

  458. 			$principal = $this->getPrincipalByPath($principal);

  459. 			if ($principal !== null) {

  460. 				return $principal['uri'];

  461. 			}

  462. 		}

  463. 

  464. 		return null;

  465. 	}

  466. 

  467. 	/**

  468. 	 * @param IUser $user

  469. 	 * @return array

  470. 	 */

  471. 	protected function userToPrincipal($user) {

  472. 		$userId = $user->getUID();

  473. 		$displayName = $user->getDisplayName();

  474. 		$principal = [

  475. 			'uri' => $this->principalPrefix . '/' . $userId,

  476. 			'{DAV:}displayname' => is_null($displayName) ? $userId : $displayName,

  477. 			'{urn:ietf:params:xml:ns:caldav}calendar-user-type' => 'INDIVIDUAL',

  478. 		];

  479. 

  480. 		$email = $user->getEMailAddress();

  481. 		if (!empty($email)) {

  482. 			$principal['{http://sabredav.org/ns}email-address'] = $email;

  483. 		}

  484. 

  485. 		return $principal;

  486. 	}

  487. 

  488. 	public function getPrincipalPrefix() {

  489. 		return $this->principalPrefix;

  490. 	}

  491. 

  492. 	/**

  493. 	 * @param string $circleUniqueId

  494. 	 * @return array|null

  495. 	 */

  496. 	protected function circleToPrincipal($circleUniqueId) {

  497. 		if (!$this->appManager->isEnabledForUser('circles') || !class_exists('\OCA\Circles\Api\v1\Circles')) {

  498. 			return null;

  499. 		}

  500. 

  501. 		try {

  502. 			$circle = \OCA\Circles\Api\v1\Circles::detailsCircle($circleUniqueId, true);

  503. 		} catch (QueryException $ex) {

  504. 			return null;

  505. 		} catch (CircleDoesNotExistException $ex) {

  506. 			return null;

  507. 		}

  508. 

  509. 		if (!$circle) {

  510. 			return null;

  511. 		}

  512. 

  513. 		$principal = [

  514. 			'uri' => 'principals/circles/' . $circleUniqueId,

  515. 			'{DAV:}displayname' => $circle->getName(),

  516. 		];

  517. 

  518. 		return $principal;

  519. 	}

  520. 

  521. 	/**

  522. 	 * Returns the list of circles a principal is a member of

  523. 	 *

  524. 	 * @param string $principal

  525. 	 * @return array

  526. 	 * @throws Exception

  527. 	 * @throws \OCP\AppFramework\QueryException

  528. 	 * @suppress PhanUndeclaredClassMethod

  529. 	 */

  530. 	public function getCircleMembership($principal):array {

  531. 		if (!$this->appManager->isEnabledForUser('circles') || !class_exists('\OCA\Circles\Api\v1\Circles')) {

  532. 			return [];

  533. 		}

  534. 

  535. 		[$prefix, $name] = \Sabre\Uri\split($principal);

  536. 		if ($this->hasCircles && $prefix === $this->principalPrefix) {

  537. 			$user = $this->userManager->get($name);

  538. 			if (!$user) {

  539. 				throw new Exception('Principal not found');

  540. 			}

  541. 

  542. 			$circles = \OCA\Circles\Api\v1\Circles::joinedCircles($name, true);

  543. 

  544. 			$circles = array_map(function ($circle) {

  545. 				/** @var \OCA\Circles\Model\Circle $circle */

  546. 				return 'principals/circles/' . urlencode($circle->getUniqueId());

  547. 			}, $circles);

  548. 

  549. 			return $circles;

  550. 		}

  551. 

  552. 		return [];

  553. 	}

  554. }