diff options
author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2020-03-18 17:40:23 +0100 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2020-04-14 12:58:28 +0200 |
commit | 84619a5b9c58ec7f4e3d7faea8c60a187cb61243 (patch) | |
tree | 2572e5f939f8c6bd76b4611c432aad3721b0b62e /apps/user_ldap/lib | |
parent | e4d378d01e67c41fa64a12662128ba25a0b27133 (diff) | |
download | nextcloud-server-84619a5b9c58ec7f4e3d7faea8c60a187cb61243.tar.gz nextcloud-server-84619a5b9c58ec7f4e3d7faea8c60a187cb61243.zip |
use serverControls directly with LDAP calls, fixes 19127
- adapters for PHP API version to Support PHP < 7.3
- switch to pass only one base per search
- cookie logic is moved from Access to API adapters
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'apps/user_ldap/lib')
-rw-r--r-- | apps/user_ldap/lib/Access.php | 326 | ||||
-rw-r--r-- | apps/user_ldap/lib/Command/CheckUser.php | 2 | ||||
-rw-r--r-- | apps/user_ldap/lib/ILDAPWrapper.php | 2 | ||||
-rw-r--r-- | apps/user_ldap/lib/LDAP.php | 65 | ||||
-rw-r--r-- | apps/user_ldap/lib/PagedResults/IAdapter.php | 130 | ||||
-rw-r--r-- | apps/user_ldap/lib/PagedResults/Php54.php | 126 | ||||
-rw-r--r-- | apps/user_ldap/lib/PagedResults/Php73.php | 162 | ||||
-rw-r--r-- | apps/user_ldap/lib/PagedResults/TLinkId.php | 37 | ||||
-rw-r--r-- | apps/user_ldap/lib/User/User.php | 4 |
9 files changed, 651 insertions, 203 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index 71994585c73..aba1d7a4193 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -74,17 +74,7 @@ class Access extends LDAPUtility { protected $pagedSearchedSuccessful; /** - * @var string[] $cookies an array of returned Paged Result cookies - */ protected $cookies = []; - - /** - * @var string $lastCookie the last cookie returned from a Paged Results - * operation, defaults to an empty string - */ - protected $lastCookie = ''; - - /** * @var AbstractMapping $userMapper */ protected $userMapper; @@ -102,6 +92,8 @@ class Access extends LDAPUtility { private $config; /** @var IUserManager */ private $ncUserManager; + /** @var string */ + private $lastCookie = ''; public function __construct( Connection $connection, @@ -269,7 +261,7 @@ class Access extends LDAPUtility { * @throws ServerNotAvailableException */ public function executeRead($cr, $dn, $attribute, $filter, $maxResults) { - $this->initPagedSearch($filter, [$dn], [$attribute], $maxResults, 0); + $this->initPagedSearch($filter, $dn, [$attribute], $maxResults, 0); $dn = $this->helper->DNasBaseParameter($dn); $rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, [$attribute]); if (!$this->ldap->isResource($rr)) { @@ -1020,7 +1012,7 @@ class Access extends LDAPUtility { public function searchUsers($filter, $attr = null, $limit = null, $offset = null) { $result = []; foreach ($this->connection->ldapBaseUsers as $base) { - $result = array_merge($result, $this->search($filter, [$base], $attr, $limit, $offset)); + $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); } return $result; } @@ -1057,7 +1049,7 @@ class Access extends LDAPUtility { public function searchGroups($filter, $attr = null, $limit = null, $offset = null) { $result = []; foreach ($this->connection->ldapBaseGroups as $base) { - $result = array_merge($result, $this->search($filter, [$base], $attr, $limit, $offset)); + $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); } return $result; } @@ -1142,7 +1134,7 @@ class Access extends LDAPUtility { throw $e; } - $arguments[0] = array_pad([], count($arguments[0]), $cr); + $arguments[0] = $cr; $ret = $doMethod(); } return $ret; @@ -1151,20 +1143,22 @@ class Access extends LDAPUtility { /** * retrieved. Results will according to the order in the array. * - * @param $filter - * @param $base - * @param string[]|string|null $attr - * @param int $limit optional, maximum results to be counted - * @param int $offset optional, a starting point + * @param string $filter + * @param string $base + * @param string[] $attr + * @param int|null $limit optional, maximum results to be counted + * @param int|null $offset optional, a starting point * @return array|false array with the search result as first value and pagedSearchOK as * second | false if not successful * @throws ServerNotAvailableException */ - private function executeSearch($filter, $base, &$attr = null, $limit = null, $offset = null) { - if (!is_null($attr) && !is_array($attr)) { - $attr = [mb_strtolower($attr, 'UTF-8')]; - } - + private function executeSearch( + string $filter, + string $base, + ?array &$attr, + ?int $limit, + ?int $offset + ) { // See if we have a resource, in case not cancel with message $cr = $this->connection->getConnectionResource(); if (!$this->ldap->isResource($cr)) { @@ -1175,13 +1169,12 @@ class Access extends LDAPUtility { } //check whether paged search should be attempted - $pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, $offset); + $pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, (int)$offset); - $linkResources = array_pad([], count($base), $cr); - $sr = $this->invokeLDAPMethod('search', $linkResources, $base, $filter, $attr); + $sr = $this->invokeLDAPMethod('search', $cr, $base, $filter, $attr); // cannot use $cr anymore, might have changed in the previous call! $error = $this->ldap->errno($this->connection->getConnectionResource()); - if (!is_array($sr) || $error !== 0) { + if(!$this->ldap->isResource($sr) || $error !== 0) { \OCP\Util::writeLog('user_ldap', 'Attempt for Paging? '.print_r($pagedSearchOK, true), ILogger::ERROR); return false; } @@ -1192,26 +1185,27 @@ class Access extends LDAPUtility { /** * processes an LDAP paged search operation * - * @param array $sr the array containing the LDAP search resources - * @param string $filter the LDAP filter for the search - * @param array $base an array containing the LDAP subtree(s) that shall be searched - * @param int $iFoundItems number of results in the single search operation + * @param resource $sr the array containing the LDAP search resources + * @param int $foundItems number of results in the single search operation * @param int $limit maximum results to be counted - * @param int $offset a starting point * @param bool $pagedSearchOK whether a paged search has been executed * @param bool $skipHandling required for paged search when cookies to * prior results need to be gained * @return bool cookie validity, true if we have more pages, false otherwise. * @throws ServerNotAvailableException */ - private function processPagedSearchStatus($sr, $filter, $base, $iFoundItems, $limit, $offset, $pagedSearchOK, $skipHandling) { + private function processPagedSearchStatus( + $sr, + int $foundItems, + int $limit, + bool $pagedSearchOK, + bool $skipHandling + ): bool { $cookie = null; if ($pagedSearchOK) { $cr = $this->connection->getConnectionResource(); - foreach ($sr as $key => $res) { - if ($this->ldap->controlPagedResultResponse($cr, $res, $cookie)) { - $this->setPagedResultCookie($base[$key], $filter, $limit, $offset, $cookie); - } + if($this->ldap->controlPagedResultResponse($cr, $sr, $cookie)) { + $this->lastCookie = $cookie; } //browsing through prior pages to get the cookie for the new one @@ -1221,7 +1215,7 @@ class Access extends LDAPUtility { // if count is bigger, then the server does not support // paged search. Instead, he did a normal search. We set a // flag here, so the callee knows how to deal with it. - if ($iFoundItems <= $limit) { + if($foundItems <= $limit) { $this->pagedSearchedSuccessful = true; } } else { @@ -1244,7 +1238,7 @@ class Access extends LDAPUtility { * executes an LDAP search, but counts the results only * * @param string $filter the LDAP filter for the search - * @param array $base an array containing the LDAP subtree(s) that shall be searched + * @param array $bases an array containing the LDAP subtree(s) that shall be searched * @param string|string[] $attr optional, array, one or more attributes that shall be * retrieved. Results will according to the order in the array. * @param int $limit optional, maximum results to be counted @@ -1254,8 +1248,22 @@ class Access extends LDAPUtility { * @return int|false Integer or false if the search could not be initialized * @throws ServerNotAvailableException */ - private function count($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) { - \OCP\Util::writeLog('user_ldap', 'Count filter: '.print_r($filter, true), ILogger::DEBUG); + private function count( + string $filter, + array $bases, + $attr = null, + ?int $limit = null, + ?int $offset = null, + bool $skipHandling = false + ) { + \OC::$server->getLogger()->debug('Count filter: {filter}', [ + 'app' => 'user_ldap', + 'filter' => $filter + ]); + + if(!is_null($attr) && !is_array($attr)) { + $attr = array(mb_strtolower($attr, 'UTF-8')); + } $limitPerPage = (int)$this->connection->ldapPagingSize; if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { @@ -1266,66 +1274,64 @@ class Access extends LDAPUtility { $count = null; $this->connection->getConnectionResource(); - do { - $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset); + foreach($bases as $base) { + do { + $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset); if ($search === false) { - return $counter > 0 ? $counter : false; - } - list($sr, $pagedSearchOK) = $search; - - /* ++ Fixing RHDS searches with pages with zero results ++ - * countEntriesInSearchResults() method signature changed - * by removing $limit and &$hasHitLimit parameters - */ - $count = $this->countEntriesInSearchResults($sr); - $counter += $count; - - $hasMorePages = $this->processPagedSearchStatus($sr, $filter, $base, $count, $limitPerPage, - $offset, $pagedSearchOK, $skipHandling); - $offset += $limitPerPage; - /* ++ Fixing RHDS searches with pages with zero results ++ - * Continue now depends on $hasMorePages value - */ - $continue = $pagedSearchOK && $hasMorePages; + return $counter > 0 ? $counter : false; + } + list($sr, $pagedSearchOK) = $search; + + /* ++ Fixing RHDS searches with pages with zero results ++ + * countEntriesInSearchResults() method signature changed + * by removing $limit and &$hasHitLimit parameters + */ + $count = $this->countEntriesInSearchResults($sr); + $counter += $count; + + $hasMorePages = $this->processPagedSearchStatus($sr, $count, $limitPerPage, $pagedSearchOK, $skipHandling); + $offset += $limitPerPage; + /* ++ Fixing RHDS searches with pages with zero results ++ + * Continue now depends on $hasMorePages value + */ + $continue = $pagedSearchOK && $hasMorePages; } while ($continue && (is_null($limit) || $limit <= 0 || $limit > $counter)); + } return $counter; } /** - * @param array $searchResults + * @param resource $sr * @return int * @throws ServerNotAvailableException */ - private function countEntriesInSearchResults($searchResults) { - $counter = 0; - - foreach ($searchResults as $res) { - $count = (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $res); - $counter += $count; - } - - return $counter; + private function countEntriesInSearchResults($sr): int { + return (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $sr); } /** * Executes an LDAP search * - * @param string $filter the LDAP filter for the search - * @param array $base an array containing the LDAP subtree(s) that shall be searched - * @param string|string[] $attr optional, array, one or more attributes that shall be - * @param int $limit - * @param int $offset - * @param bool $skipHandling - * @return array with the search result * @throws ServerNotAvailableException */ - public function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) { + public function search( + string $filter, + string $base, + ?array $attr = null, + ?int $limit = null, + ?int $offset = null, + bool $skipHandling = false + ): array { $limitPerPage = (int)$this->connection->ldapPagingSize; if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { $limitPerPage = $limit; } + if(!is_null($attr) && !is_array($attr)) { + $attr = [mb_strtolower($attr, 'UTF-8')]; + } + /* ++ Fixing RHDS searches with pages with zero results ++ * As we can have pages with zero results and/or pages with less * than $limit results but with a still valid server 'cookie', @@ -1334,6 +1340,8 @@ class Access extends LDAPUtility { */ $findings = []; $savedoffset = $offset; + $iFoundItems = 0; + do { $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset); if ($search === false) { @@ -1346,25 +1354,19 @@ class Access extends LDAPUtility { //i.e. result do not need to be fetched, we just need the cookie //thus pass 1 or any other value as $iFoundItems because it is not //used - $this->processPagedSearchStatus($sr, $filter, $base, 1, $limitPerPage, - $offset, $pagedSearchOK, - $skipHandling); + $this->processPagedSearchStatus($sr, 1, $limitPerPage, $pagedSearchOK, $skipHandling); return []; } - $iFoundItems = 0; - foreach ($sr as $res) { - $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $res)); - $iFoundItems = max($iFoundItems, $findings['count']); - unset($findings['count']); - } + $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $sr)); + $iFoundItems = max($iFoundItems, $findings['count']); + unset($findings['count']); - $continue = $this->processPagedSearchStatus($sr, $filter, $base, $iFoundItems, - $limitPerPage, $offset, $pagedSearchOK, - $skipHandling); + $continue = $this->processPagedSearchStatus($sr, $iFoundItems, $limitPerPage, $pagedSearchOK, $skipHandling); $offset += $limitPerPage; } while ($continue && $pagedSearchOK && ($limit === null || count($findings) < $limit)); - // reseting offset + + // resetting offset $offset = $savedoffset; // if we're here, probably no connection resource is returned. @@ -1654,17 +1656,22 @@ class Access extends LDAPUtility { public function getUserDnByUuid($uuid) { $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; $filter = $this->connection->ldapUserFilter; - $base = $this->connection->ldapBaseUsers; + $bases = $this->connection->ldapBaseUsers; if ($this->connection->ldapUuidUserAttribute === 'auto' && $uuidOverride === '') { // Sacrebleu! The UUID attribute is unknown :( We need first an // existing DN to be able to reliably detect it. - $result = $this->search($filter, $base, ['dn'], 1); - if (!isset($result[0]) || !isset($result[0]['dn'])) { - throw new \Exception('Cannot determine UUID attribute'); + foreach ($bases as $base) { + $result = $this->search($filter, $base, ['dn'], 1); + if (!isset($result[0]) || !isset($result[0]['dn'])) { + continue; + } + $dn = $result[0]['dn'][0]; + if ($hasFound = $this->detectUuidAttribute($dn, true)) { + break; + } } - $dn = $result[0]['dn'][0]; - if (!$this->detectUuidAttribute($dn, true)) { + if(!isset($hasFound) || !$hasFound) { throw new \Exception('Cannot determine UUID attribute'); } } else { @@ -1955,36 +1962,13 @@ class Access extends LDAPUtility { * @throws ServerNotAvailableException */ private function abandonPagedSearch() { + if($this->lastCookie === '') { + return; + } $cr = $this->connection->getConnectionResource(); - $this->invokeLDAPMethod('controlPagedResult', $cr, 0, false, $this->lastCookie); + $this->invokeLDAPMethod('controlPagedResult', $cr, 0, false); $this->getPagedSearchResultState(); $this->lastCookie = ''; - $this->cookies = []; - } - - /** - * get a cookie for the next LDAP paged search - * @param string $base a string with the base DN for the search - * @param string $filter the search filter to identify the correct search - * @param int $limit the limit (or 'pageSize'), to identify the correct search well - * @param int $offset the offset for the new search to identify the correct search really good - * @return string containing the key or empty if none is cached - */ - private function getPagedResultCookie($base, $filter, $limit, $offset) { - if ($offset === 0) { - return ''; - } - $offset -= $limit; - //we work with cache here - $cacheKey = 'lc' . crc32($base) . '-' . crc32($filter) . '-' . (int)$limit . '-' . (int)$offset; - $cookie = ''; - if (isset($this->cookies[$cacheKey])) { - $cookie = $this->cookies[$cacheKey]; - if (is_null($cookie)) { - $cookie = ''; - } - } - return $cookie; } /** @@ -2008,24 +1992,6 @@ class Access extends LDAPUtility { } /** - * set a cookie for LDAP paged search run - * @param string $base a string with the base DN for the search - * @param string $filter the search filter to identify the correct search - * @param int $limit the limit (or 'pageSize'), to identify the correct search well - * @param int $offset the offset for the run search to identify the correct search really good - * @param string $cookie string containing the cookie returned by ldap_control_paged_result_response - * @return void - */ - private function setPagedResultCookie($base, $filter, $limit, $offset, $cookie) { - // allow '0' for 389ds - if (!empty($cookie) || $cookie === '0') { - $cacheKey = 'lc' . crc32($base) . '-' . crc32($filter) . '-' . (int)$limit . '-' . (int)$offset; - $this->cookies[$cacheKey] = $cookie; - $this->lastCookie = $cookie; - } - } - - /** * Check whether the most recent paged search was successful. It flushed the state var. Use it always after a possible paged search. * @return boolean|null true on success, null or false otherwise */ @@ -2046,45 +2012,43 @@ class Access extends LDAPUtility { * @return bool|true * @throws ServerNotAvailableException */ - private function initPagedSearch($filter, $bases, $attr, $limit, $offset) { + private function initPagedSearch( + string $filter, + string $base, + ?array $attr, + int $limit, + int $offset + ): bool { $pagedSearchOK = false; if ($limit !== 0) { - $offset = (int)$offset; //can be null - \OCP\Util::writeLog('user_ldap', - 'initializing paged search for Filter '.$filter.' base '.print_r($bases, true) - .' attr '.print_r($attr, true). ' limit ' .$limit.' offset '.$offset, - ILogger::DEBUG); + \OC::$server->getLogger()->debug( + 'initializing paged search for filter {filter}, base {base}, attr {attr}, limit {limit}, offset {offset}', + [ + 'app' => 'user_ldap', + 'filter' => $filter, + 'base' => $base, + 'attr' => $attr, + 'limit' => $limit, + 'offset' => $offset + ] + ); //get the cookie from the search for the previous search, required by LDAP - foreach ($bases as $base) { - $cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset); - if (empty($cookie) && $cookie !== "0" && ($offset > 0)) { - // no cookie known from a potential previous search. We need - // to start from 0 to come to the desired page. cookie value - // of '0' is valid, because 389ds - $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit; - $this->search($filter, [$base], $attr, $limit, $reOffset, true); - $cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset); - //still no cookie? obviously, the server does not like us. Let's skip paging efforts. - // '0' is valid, because 389ds - //TODO: remember this, probably does not change in the next request... - if (empty($cookie) && $cookie !== '0') { - $cookie = null; - } - } - if (!is_null($cookie)) { - //since offset = 0, this is a new search. We abandon other searches that might be ongoing. - $this->abandonPagedSearch(); - $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult', - $this->connection->getConnectionResource(), $limit, - false, $cookie); - if (!$pagedSearchOK) { - return false; - } - \OCP\Util::writeLog('user_ldap', 'Ready for a paged search', ILogger::DEBUG); - } else { - $e = new \Exception('No paged search possible, Limit '.$limit.' Offset '.$offset); - \OC::$server->getLogger()->logException($e, ['level' => ILogger::DEBUG]); - } + if(empty($this->lastCookie) && $this->lastCookie !== "0" && ($offset > 0)) { + // no cookie known from a potential previous search. We need + // to start from 0 to come to the desired page. cookie value + // of '0' is valid, because 389ds + $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit; + $this->search($filter, $base, $attr, $limit, $reOffset, true); + } + if($this->lastCookie !== '' && $offset === 0) { + //since offset = 0, this is a new search. We abandon other searches that might be ongoing. + $this->abandonPagedSearch(); + } + $pagedSearchOK = true === $this->invokeLDAPMethod( + 'controlPagedResult', $this->connection->getConnectionResource(), $limit, false + ); + if ($pagedSearchOK) { + \OC::$server->getLogger()->debug('Ready for a paged search',['app' => 'user_ldap']); } /* ++ Fixing RHDS searches with pages with zero results ++ * We coudn't get paged searches working with our RHDS for login ($limit = 0), @@ -2102,7 +2066,7 @@ class Access extends LDAPUtility { $pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500; $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult', $this->connection->getConnectionResource(), - $pageSize, false, ''); + $pageSize, false); } return $pagedSearchOK; diff --git a/apps/user_ldap/lib/Command/CheckUser.php b/apps/user_ldap/lib/Command/CheckUser.php index 430e9c35960..c34b396291c 100644 --- a/apps/user_ldap/lib/Command/CheckUser.php +++ b/apps/user_ldap/lib/Command/CheckUser.php @@ -148,7 +148,7 @@ class CheckUser extends Command { $attrs = $access->userManager->getAttributes(); $user = $access->userManager->get($uid); $avatarAttributes = $access->getConnection()->resolveRule('avatar'); - $result = $access->search('objectclass=*', [$user->getDN()], $attrs, 1, 0); + $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); foreach ($result[0] as $attribute => $valueSet) { $output->writeln(' ' . $attribute . ': '); foreach ($valueSet as $value) { diff --git a/apps/user_ldap/lib/ILDAPWrapper.php b/apps/user_ldap/lib/ILDAPWrapper.php index aa67dd596f1..a96c2b52c4e 100644 --- a/apps/user_ldap/lib/ILDAPWrapper.php +++ b/apps/user_ldap/lib/ILDAPWrapper.php @@ -60,7 +60,7 @@ interface ILDAPWrapper { * @param string $cookie structure sent by LDAP server * @return bool true on success, false otherwise */ - public function controlPagedResult($link, $pageSize, $isCritical, $cookie); + public function controlPagedResult($link, $pageSize, $isCritical); /** * Retrieve the LDAP pagination cookie diff --git a/apps/user_ldap/lib/LDAP.php b/apps/user_ldap/lib/LDAP.php index 409c6ab2b09..bc91fb0ded9 100644 --- a/apps/user_ldap/lib/LDAP.php +++ b/apps/user_ldap/lib/LDAP.php @@ -33,11 +33,25 @@ namespace OCA\User_LDAP; use OC\ServerNotAvailableException; use OCA\User_LDAP\Exceptions\ConstraintViolationException; +use OCA\User_LDAP\PagedResults\IAdapter; +use OCA\User_LDAP\PagedResults\Php54; +use OCA\User_LDAP\PagedResults\Php73; class LDAP implements ILDAPWrapper { protected $curFunc = ''; protected $curArgs = []; + /** @var IAdapter */ + protected $pagedResultsAdapter; + + public function __construct() { + if(version_compare(PHP_VERSION, '7.3', '<') === true) { + $this->pagedResultsAdapter = new Php54(); + } else { + $this->pagedResultsAdapter = new Php73(); + } + } + /** * @param resource $link * @param string $dn @@ -64,17 +78,18 @@ class LDAP implements ILDAPWrapper { return $this->invokeLDAPMethod('connect', $host); } - /** - * @param resource $link - * @param resource $result - * @param string $cookie - * @return bool|LDAP - */ - public function controlPagedResultResponse($link, $result, &$cookie) { - $this->preFunctionCall('ldap_control_paged_result_response', - [$link, $result, $cookie]); - $result = ldap_control_paged_result_response($link, $result, $cookie); - $this->postFunctionCall(); + public function controlPagedResultResponse($link, $result, &$cookie): bool { + $this->preFunctionCall( + $this->pagedResultsAdapter->getResponseCallFunc(), + $this->pagedResultsAdapter->getResponseCallArgs([$link, $result, &$cookie]) + ); + + $result = $this->pagedResultsAdapter->responseCall($link); + $cookie = $this->pagedResultsAdapter->getCookie($link); + + if ($this->isResultFalse($result)) { + $this->postFunctionCall(); + } return $result; } @@ -83,12 +98,23 @@ class LDAP implements ILDAPWrapper { * @param LDAP $link * @param int $pageSize * @param bool $isCritical - * @param string $cookie * @return mixed|true */ - public function controlPagedResult($link, $pageSize, $isCritical, $cookie) { - return $this->invokeLDAPMethod('control_paged_result', $link, $pageSize, - $isCritical, $cookie); + public function controlPagedResult($link, $pageSize, $isCritical) { + $fn = $this->pagedResultsAdapter->getRequestCallFunc(); + $this->pagedResultsAdapter->setRequestParameters($link, $pageSize, $isCritical); + if($fn === null) { + return true; + } + + $this->preFunctionCall($fn, $this->pagedResultsAdapter->getRequestCallArgs($link)); + $result = $this->pagedResultsAdapter->requestCall($link); + + if ($this->isResultFalse($result)) { + $this->postFunctionCall(); + } + + return $result; } /** @@ -180,12 +206,13 @@ class LDAP implements ILDAPWrapper { * @return mixed */ public function read($link, $baseDN, $filter, $attr) { - return $this->invokeLDAPMethod('read', $link, $baseDN, $filter, $attr); + $this->pagedResultsAdapter->setReadArgs($link, $baseDN, $filter, $attr); + return $this->invokeLDAPMethod('read', ...$this->pagedResultsAdapter->getReadArgs($link)); } /** * @param LDAP $link - * @param string $baseDN + * @param string[] $baseDN * @param string $filter * @param array $attr * @param int $attrsOnly @@ -202,7 +229,9 @@ class LDAP implements ILDAPWrapper { return true; }); try { - $result = $this->invokeLDAPMethod('search', $link, $baseDN, $filter, $attr, $attrsOnly, $limit); + $this->pagedResultsAdapter->setSearchArgs($link, $baseDN, $filter, $attr, $attrsOnly, $limit); + $result = $this->invokeLDAPMethod('search', ...$this->pagedResultsAdapter->getSearchArgs($link)); + restore_error_handler(); return $result; } catch (\Exception $e) { diff --git a/apps/user_ldap/lib/PagedResults/IAdapter.php b/apps/user_ldap/lib/PagedResults/IAdapter.php new file mode 100644 index 00000000000..54f165381b0 --- /dev/null +++ b/apps/user_ldap/lib/PagedResults/IAdapter.php @@ -0,0 +1,130 @@ +<?php +declare(strict_types=1); +/** + * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @author Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\PagedResults; + +interface IAdapter { + + /** + * Methods for initiating Paged Results Control + */ + + /** + * The adapter receives paged result parameters from the client. It may + * store the parameters for later use. + */ + public function setRequestParameters($link, int $pageSize, bool $isCritical): void; + + /** + * The adapter is asked for an function that is being explicitly called to + * send the control parameters to LDAP. If not function has to be called, + * null shall be returned. + * + * It will used by the callee for diagnosis and error handling. + */ + public function getRequestCallFunc(): ?string; + + /** + * The adapter is asked to provide the arguments it would pass to the + * function returned by getRequestCallFunc(). If none shall be called, an + * empty array should be returned. + * + * It will used by the callee for diagnosis and error handling. + */ + public function getRequestCallArgs($link): array; + + /** + * The adapter is asked to do the necessary calls to LDAP, if + * getRequestCallFunc returned a function. If none, it will not be called + * so the return value is best set to false. Otherwise it shall respond + * whether setting the controls was successful. + */ + public function requestCall($link): bool; + + /** + * The adapter shall report which PHP function will be called to process + * the paged results call + * + * It will used by the callee for diagnosis and error handling. + */ + public function getResponseCallFunc(): string; + + /** + * The adapter shall report with arguments will be provided to the LDAP + * function it will call + * + * It will used by the callee for diagnosis and error handling. + */ + public function getResponseCallArgs(array $originalArgs): array; + + /** + * the adapter should do it's LDAP function call and return success state + * + * @param resource $link LDAP resource + * @return bool + */ + public function responseCall($link): bool; + + /** + * The adapter receives the parameters that were passed to a search + * operation. Typically it wants to save the them for the call proper later + * on. + */ + public function setSearchArgs( + $link, + string $baseDN, + string $filter, + array $attr, + int $attrsOnly, + int $limit + ): void; + + /** + * The adapter shall report which arguments shall be passed to the + * ldap_search function. + */ + public function getSearchArgs($link): array; + + /** + * The adapter receives the parameters that were passed to a read + * operation. Typically it wants to save the them for the call proper later + * on. + */ + public function setReadArgs($link, string $baseDN, string $filter, array $attr): void; + + /** + * The adapter shall report which arguments shall be passed to the + * ldap_read function. + */ + public function getReadArgs($link): array; + + /** + * Returns the current paged results cookie + * + * @param resource $link LDAP resource + * @return string + */ + public function getCookie($link): string; + +} diff --git a/apps/user_ldap/lib/PagedResults/Php54.php b/apps/user_ldap/lib/PagedResults/Php54.php new file mode 100644 index 00000000000..cecaff99b3f --- /dev/null +++ b/apps/user_ldap/lib/PagedResults/Php54.php @@ -0,0 +1,126 @@ +<?php +declare(strict_types=1); +/** + * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @author Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\PagedResults; + +/** + * Class Php54 + * + * implements paged results support with PHP APIs available from PHP 5.4 + * + * @package OCA\User_LDAP\PagedResults + */ +class Php54 implements IAdapter { + use TLinkId; + + /** @var array */ + protected $linkData = []; + + public function getResponseCallFunc(): string { + return 'ldap_control_paged_result_response'; + } + + public function responseCall($link): bool { + $linkId = $this->getLinkId($link); + return ldap_control_paged_result_response(...$this->linkData[$linkId]['responseArgs']); + } + + public function getResponseCallArgs(array $originalArgs): array { + $linkId = $this->getLinkId($originalArgs[0]); + if(!isset($this->linkData[$linkId])) { + throw new \LogicException('There should be a request before the response'); + } + $this->linkData[$linkId]['responseArgs'] = &$originalArgs; + $this->linkData[$linkId]['cookie'] = &$originalArgs[2]; + return $originalArgs; + } + + public function getCookie($link): string { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['cookie']; + } + + public function getRequestCallFunc(): ?string { + return 'ldap_control_paged_result'; + } + + public function setRequestParameters($link, int $pageSize, bool $isCritical): void { + $linkId = $this->getLinkId($link); + + if($pageSize === 0 || !isset($this->linkData[$linkId]['cookie'])) { + // abandons a previous paged search + $this->linkData[$linkId]['cookie'] = ''; + } + + $this->linkData[$linkId]['requestArgs'] = [ + $link, + $pageSize, + $isCritical, + &$this->linkData[$linkId]['cookie'] + ]; + } + + public function getRequestCallArgs($link): array { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['requestArgs']; + } + + public function requestCall($link): bool { + $linkId = $this->getLinkId($link); + return ldap_control_paged_result(...$this->linkData[$linkId]['requestArgs']); + } + + public function setSearchArgs( + $link, + string $baseDN, + string $filter, + array $attr, + int $attrsOnly, + int $limit + ): void { + $linkId = $this->getLinkId($link); + if(!isset($this->linkData[$linkId])) { + $this->linkData[$linkId] = []; + } + $this->linkData[$linkId]['searchArgs'] = func_get_args(); + } + + public function getSearchArgs($link): array { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['searchArgs']; + } + + public function setReadArgs($link, string $baseDN, string $filter, array $attr): void { + $linkId = $this->getLinkId($link); + if(!isset($this->linkData[$linkId])) { + $this->linkData[$linkId] = []; + } + $this->linkData[$linkId]['readArgs'] = func_get_args(); + } + + public function getReadArgs($link): array { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['readArgs']; + } +} diff --git a/apps/user_ldap/lib/PagedResults/Php73.php b/apps/user_ldap/lib/PagedResults/Php73.php new file mode 100644 index 00000000000..a4b7455e533 --- /dev/null +++ b/apps/user_ldap/lib/PagedResults/Php73.php @@ -0,0 +1,162 @@ +<?php +declare(strict_types=1); +/** + * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @author Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\PagedResults; + +/** + * Class Php73 + * + * implements paged results support with PHP APIs available from PHP 7.3 + * + * @package OCA\User_LDAP\PagedResults + */ +class Php73 implements IAdapter { + use TLinkId; + + /** @var array */ + protected $linkData = []; + + public function getResponseCallFunc(): string { + return 'ldap_parse_result'; + } + + public function responseCall($link): bool { + $linkId = $this->getLinkId($link); + return ldap_parse_result(...$this->linkData[$linkId]['responseArgs']); + } + + public function getResponseCallArgs(array $originalArgs): array { + $link = array_shift($originalArgs); + $linkId = $this->getLinkId($link); + + if(!isset($this->linkData[$linkId])) { + $this->linkData[$linkId] = []; + } + + $this->linkData[$linkId]['responseErrorCode'] = 0; + $this->linkData[$linkId]['responseErrorMessage'] = ''; + $this->linkData[$linkId]['serverControls'] = []; + $matchedDn = null; + $referrals = []; + + $this->linkData[$linkId]['responseArgs'] = [ + $link, + array_shift($originalArgs), + &$this->linkData[$linkId]['responseErrorCode'], + $matchedDn, + &$this->linkData[$linkId]['responseErrorMessage'], + $referrals, + &$this->linkData[$linkId]['serverControls'] + ]; + + + return $this->linkData[$linkId]['responseArgs']; + } + + public function getCookie($link): string { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['serverControls'][LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? ''; + } + + public function getRequestCallFunc(): ?string { + return null; + } + + public function setRequestParameters($link, int $pageSize, bool $isCritical): void { + $linkId = $this->getLinkId($link); + if(!isset($this->linkData[$linkId])) { + $this->linkData[$linkId] = []; + } + $this->linkData[$linkId]['requestArgs'] = []; + $this->linkData[$linkId]['requestArgs']['pageSize'] = $pageSize; + $this->linkData[$linkId]['requestArgs']['isCritical'] = $isCritical; + } + + public function getRequestCallArgs($link): array { + // no separate call + return []; + } + + public function requestCall($link): bool { + // no separate call + return false; + } + + public function setSearchArgs( + $link, + string $baseDN, + string $filter, + array $attr, + int $attrsOnly, + int $limit + ): void { + $linkId = $this->getLinkId($link); + if(!isset($this->linkData[$linkId])) { + $this->linkData[$linkId] = []; + } + + $this->linkData[$linkId]['searchArgs'] = func_get_args(); + $this->preparePagesResultsArgs($linkId, 'searchArgs'); + } + + public function getSearchArgs($link): array { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['searchArgs']; + } + + public function setReadArgs($link, string $baseDN, string $filter, array $attr): void { + $linkId = $this->getLinkId($link); + if(!isset($this->linkData[$linkId])) { + $this->linkData[$linkId] = []; + } + + $this->linkData[$linkId]['readArgs'] = func_get_args(); + $this->linkData[$linkId]['readArgs'][] = 0; // $attrsonly default + $this->linkData[$linkId]['readArgs'][] = -1; // $sizelimit default + $this->preparePagesResultsArgs($linkId, 'readArgs'); + } + + public function getReadArgs($link): array { + $linkId = $this->getLinkId($link); + return $this->linkData[$linkId]['readArgs']; + } + + protected function preparePagesResultsArgs(int $linkId, string $methodKey): void { + if(!isset($this->linkData[$linkId]['requestArgs'])) { + return; + } + + $serverControls = [[ + 'oid' => LDAP_CONTROL_PAGEDRESULTS, + 'value' => [ + 'size' => $this->linkData[$linkId]['requestArgs']['pageSize'], + 'cookie' => $this->linkData[$linkId]['serverControls'][LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '' + ] + ]]; + + $this->linkData[$linkId][$methodKey][] = -1; // timelimit + $this->linkData[$linkId][$methodKey][] = LDAP_DEREF_NEVER; + $this->linkData[$linkId][$methodKey][] = $serverControls; + } +} diff --git a/apps/user_ldap/lib/PagedResults/TLinkId.php b/apps/user_ldap/lib/PagedResults/TLinkId.php new file mode 100644 index 00000000000..3128307ad50 --- /dev/null +++ b/apps/user_ldap/lib/PagedResults/TLinkId.php @@ -0,0 +1,37 @@ +<?php +declare(strict_types=1); +/** + * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @author Arthur Schiwon <blizzz@arthur-schiwon.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\User_LDAP\PagedResults; + + +trait TLinkId { + public function getLinkId($link) { + if(is_resource($link)) { + return (int)$link; + } else if(is_array($link) && isset($link[0]) && is_resource($link[0])) { + return (int)$link[0]; + } + throw new \RuntimeException('No resource provided'); + } +} diff --git a/apps/user_ldap/lib/User/User.php b/apps/user_ldap/lib/User/User.php index 7d4e6c267de..4ec7b27017b 100644 --- a/apps/user_ldap/lib/User/User.php +++ b/apps/user_ldap/lib/User/User.php @@ -711,7 +711,7 @@ class User { $uid = $params['uid']; if (isset($uid) && $uid === $this->getUsername()) { //retrieve relevant user attributes - $result = $this->access->search('objectclass=*', [$this->dn], ['pwdpolicysubentry', 'pwdgraceusetime', 'pwdreset', 'pwdchangedtime']); + $result = $this->access->search('objectclass=*', $this->dn, ['pwdpolicysubentry', 'pwdgraceusetime', 'pwdreset', 'pwdchangedtime']); if (array_key_exists('pwdpolicysubentry', $result[0])) { $pwdPolicySubentry = $result[0]['pwdpolicysubentry']; @@ -728,7 +728,7 @@ class User { $cacheKey = 'ppolicyAttributes' . $ppolicyDN; $result = $this->connection->getFromCache($cacheKey); if (is_null($result)) { - $result = $this->access->search('objectclass=*', [$ppolicyDN], ['pwdgraceauthnlimit', 'pwdmaxage', 'pwdexpirewarning']); + $result = $this->access->search('objectclass=*', $ppolicyDN, ['pwdgraceauthnlimit', 'pwdmaxage', 'pwdexpirewarning']); $this->connection->writeToCache($cacheKey, $result); } |