diff options
author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2023-11-21 20:20:16 +0100 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2023-12-01 12:48:24 +0100 |
commit | d6b356c63bdf07b094d69ded0d865eab28a0ba55 (patch) | |
tree | 396c432bd4ce57e5509e7d7d4185e15158fb6171 | |
parent | 546cf0ed2fa5ca7143953639f3a86b58505498a8 (diff) | |
download | nextcloud-server-d6b356c63bdf07b094d69ded0d865eab28a0ba55.tar.gz nextcloud-server-d6b356c63bdf07b094d69ded0d865eab28a0ba55.zip |
enh(LDAP): implement IIsAdmin interface
- add configuration to specify one LDAP group acting as admin group (CLI)
- implement `isAdmin()` method, basically relying on inGroup against the
configured group
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r-- | apps/user_ldap/lib/Configuration.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Connection.php | 1 | ||||
-rw-r--r-- | apps/user_ldap/lib/Group_LDAP.php | 18 | ||||
-rw-r--r-- | apps/user_ldap/lib/Group_Proxy.php | 7 | ||||
-rw-r--r-- | build/integration/ldap_features/openldap-numerical-id.feature | 28 |
5 files changed, 55 insertions, 2 deletions
diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index 36258f5ad27..43d7b5cfbf1 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -134,6 +134,7 @@ class Configuration { 'ldapAttributeRole' => null, 'ldapAttributeHeadline' => null, 'ldapAttributeBiography' => null, + 'ldapAdminGroup' => '', ]; public function __construct(string $configPrefix, bool $autoRead = true) { @@ -490,6 +491,7 @@ class Configuration { 'ldap_attr_role' => '', 'ldap_attr_headline' => '', 'ldap_attr_biography' => '', + 'ldap_admin_group' => '', ]; } @@ -566,6 +568,7 @@ class Configuration { 'ldap_attr_role' => 'ldapAttributeRole', 'ldap_attr_headline' => 'ldapAttributeHeadline', 'ldap_attr_biography' => 'ldapAttributeBiography', + 'ldap_admin_group' => 'ldapAdminGroup', ]; return $array; } diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php index 14d3111f1d3..37f7dcaea5c 100644 --- a/apps/user_ldap/lib/Connection.php +++ b/apps/user_ldap/lib/Connection.php @@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface; * @property string ldapAttributeRole * @property string ldapAttributeHeadline * @property string ldapAttributeBiography + * @property string ldapAdminGroup */ class Connection extends LDAPUtility { /** diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index a7a82eb88ca..376af8520d0 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache; use OCP\Group\Backend\ABackend; use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\IIsAdminBackend; use OCP\GroupInterface; use OCP\IConfig; use OCP\IUserManager; @@ -58,7 +59,7 @@ use OCP\Server; use Psr\Log\LoggerInterface; use function json_decode; -class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend { +class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend { protected bool $enabled = false; /** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */ @@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis public function implementsActions($actions): bool { return (bool)((GroupInterface::COUNT_USERS | GroupInterface::DELETE_GROUP | + GroupInterface::IS_ADMIN | $this->groupPluginManager->getImplementedActions()) & $actions); } @@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis // $cacheKey = 'usersInGroup-' . $gid . '-' . $search; // $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search; } + + /** + * @throws ServerNotAvailableException + */ + public function isAdmin(string $uid): bool { + if (!$this->enabled) { + return false; + } + $ldapAdminGroup = $this->access->connection->ldapAdminGroup; + if ($ldapAdminGroup === '') { + return false; + } + return $this->inGroup($uid, $ldapAdminGroup); + } } diff --git a/apps/user_ldap/lib/Group_Proxy.php b/apps/user_ldap/lib/Group_Proxy.php index a5e5c6c1413..73daf4fdd77 100644 --- a/apps/user_ldap/lib/Group_Proxy.php +++ b/apps/user_ldap/lib/Group_Proxy.php @@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend; use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; use OCP\Group\Backend\IGroupDetailsBackend; +use OCP\Group\Backend\IIsAdminBackend; use OCP\Group\Backend\INamedBackend; use OCP\GroupInterface; use OCP\IConfig; use OCP\IUserManager; -class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend { +class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend { private $backends = []; private ?Group_LDAP $refBackend = null; private Helper $helper; @@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void { $this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]); } + + public function isAdmin(string $uid): bool { + return $this->handleRequest($uid, 'isAdmin', [$uid]); + } } diff --git a/build/integration/ldap_features/openldap-numerical-id.feature b/build/integration/ldap_features/openldap-numerical-id.feature index 4ea63823295..75eb6827192 100644 --- a/build/integration/ldap_features/openldap-numerical-id.feature +++ b/build/integration/ldap_features/openldap-numerical-id.feature @@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte | 50194 | 1 | | 59376 | 1 | | 59463 | 1 | + +Scenario: Test LDAP admin group mapping, empowered user + Given modify LDAP configuration + | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci | + | ldapGroupFilter | (objectclass=groupOfNames) | + | ldapGroupMemberAssocAttr | member | + | ldapAdminGroup | 3001 | + | useMemberOfToDetectMembership | 1 | + And cookies are reset + # alice, part of the promoted group + And Logging in using web as "92379" + And sending "GET" to "/cloud/groups" + And sending "GET" to "/cloud/groups/2000/users" + And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken + Then the HTTP status code should be "200" + +Scenario: Test LDAP admin group mapping, regular user (no access) + Given modify LDAP configuration + | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci | + | ldapGroupFilter | (objectclass=groupOfNames) | + | ldapGroupMemberAssocAttr | member | + | ldapAdminGroup | 3001 | + | useMemberOfToDetectMembership | 1 | + And cookies are reset + # gustaf, not part of the promoted group + And Logging in using web as "59376" + And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken + Then the HTTP status code should be "403" |