Merge pull request #29523 from nextcloud/fix/support-ldap-long-dns

6 files changed, 213 insertions, 33 deletions

diff --git a/apps/user_ldap/composer/composer/autoload_classmap.php b/apps/user_ldap/composer/composer/autoload_classmap.php
index 10d61327c2d..186f28db828 100644
--- a/apps/user_ldap/composer/composer/autoload_classmap.php
+++ b/apps/user_ldap/composer/composer/autoload_classmap.php
@@ -61,6 +61,7 @@ return array(
     'OCA\\User_LDAP\\Migration\\UnsetDefaultProvider' => $baseDir . '/../lib/Migration/UnsetDefaultProvider.php',
     'OCA\\User_LDAP\\Migration\\Version1010Date20200630192842' => $baseDir . '/../lib/Migration/Version1010Date20200630192842.php',
     'OCA\\User_LDAP\\Migration\\Version1120Date20210917155206' => $baseDir . '/../lib/Migration/Version1120Date20210917155206.php',
+    'OCA\\User_LDAP\\Migration\\Version1130Date20211102154716' => $baseDir . '/../lib/Migration/Version1130Date20211102154716.php',
     'OCA\\User_LDAP\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',
     'OCA\\User_LDAP\\PagedResults\\IAdapter' => $baseDir . '/../lib/PagedResults/IAdapter.php',
     'OCA\\User_LDAP\\PagedResults\\Php73' => $baseDir . '/../lib/PagedResults/Php73.php',
diff --git a/apps/user_ldap/composer/composer/autoload_static.php b/apps/user_ldap/composer/composer/autoload_static.php
index e1133fd8700..121439f0239 100644
--- a/apps/user_ldap/composer/composer/autoload_static.php
+++ b/apps/user_ldap/composer/composer/autoload_static.php
@@ -76,6 +76,7 @@ class ComposerStaticInitUser_LDAP
         'OCA\\User_LDAP\\Migration\\UnsetDefaultProvider' => __DIR__ . '/..' . '/../lib/Migration/UnsetDefaultProvider.php',
         'OCA\\User_LDAP\\Migration\\Version1010Date20200630192842' => __DIR__ . '/..' . '/../lib/Migration/Version1010Date20200630192842.php',
         'OCA\\User_LDAP\\Migration\\Version1120Date20210917155206' => __DIR__ . '/..' . '/../lib/Migration/Version1120Date20210917155206.php',
+        'OCA\\User_LDAP\\Migration\\Version1130Date20211102154716' => __DIR__ . '/..' . '/../lib/Migration/Version1130Date20211102154716.php',
         'OCA\\User_LDAP\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',
         'OCA\\User_LDAP\\PagedResults\\IAdapter' => __DIR__ . '/..' . '/../lib/PagedResults/IAdapter.php',
         'OCA\\User_LDAP\\PagedResults\\Php73' => __DIR__ . '/..' . '/../lib/PagedResults/Php73.php',
diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php
index 85fc91590fb..1d3e1a221f7 100644
--- a/apps/user_ldap/lib/Mapping/AbstractMapping.php
+++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php
@@ -68,6 +68,7 @@ abstract class AbstractMapping {
 	public function isColNameValid($col) {
 		switch ($col) {
 			case 'ldap_dn':
+			case 'ldap_dn_hash':
 			case 'owncloud_name':
 			case 'directory_uuid':
 				return true;
@@ -151,11 +152,11 @@ abstract class AbstractMapping {
 		$oldDn = $this->getDnByUUID($uuid);
 		$statement = $this->dbc->prepare('
 			UPDATE `' . $this->getTableName() . '`
-			SET `ldap_dn` = ?
+			SET `ldap_dn_hash` = ?, `ldap_dn` = ?
 			WHERE `directory_uuid` = ?
 		');
 
-		$r = $this->modify($statement, [$fdn, $uuid]);
+		$r = $this->modify($statement, [$this->getDNHash($fdn), $fdn, $uuid]);
 
 		if ($r && is_string($oldDn) && isset($this->cache[$oldDn])) {
 			$this->cache[$fdn] = $this->cache[$oldDn];
@@ -178,12 +179,24 @@ abstract class AbstractMapping {
 		$statement = $this->dbc->prepare('
 			UPDATE `' . $this->getTableName() . '`
 			SET `directory_uuid` = ?
-			WHERE `ldap_dn` = ?
+			WHERE `ldap_dn_hash` = ?
 		');
 
 		unset($this->cache[$fdn]);
 
-		return $this->modify($statement, [$uuid, $fdn]);
+		return $this->modify($statement, [$uuid, $this->getDNHash($fdn)]);
+	}
+
+	/**
+	 * Get the hash to store in database column ldap_dn_hash for a given dn
+	 */
+	protected function getDNHash(string $fdn): string {
+		$hash = hash('sha256', $fdn, false);
+		if (is_string($hash)) {
+			return $hash;
+		} else {
+			throw new \RuntimeException('hash function did not return a string');
+		}
 	}
 
 	/**
@@ -194,16 +207,19 @@ abstract class AbstractMapping {
 	 */
 	public function getNameByDN($fdn) {
 		if (!isset($this->cache[$fdn])) {
-			$this->cache[$fdn] = $this->getXbyY('owncloud_name', 'ldap_dn', $fdn);
+			$this->cache[$fdn] = $this->getXbyY('owncloud_name', 'ldap_dn_hash', $this->getDNHash($fdn));
 		}
 		return $this->cache[$fdn];
 	}
 
-	protected function prepareListOfIdsQuery(array $dnList): IQueryBuilder {
+	/**
+	 * @param array<string> $hashList
+	 */
+	protected function prepareListOfIdsQuery(array $hashList): IQueryBuilder {
 		$qb = $this->dbc->getQueryBuilder();
-		$qb->select('owncloud_name', 'ldap_dn')
+		$qb->select('owncloud_name', 'ldap_dn_hash', 'ldap_dn')
 			->from($this->getTableName(false))
-			->where($qb->expr()->in('ldap_dn', $qb->createNamedParameter($dnList, QueryBuilder::PARAM_STR_ARRAY)));
+			->where($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($hashList, QueryBuilder::PARAM_STR_ARRAY)));
 		return $qb;
 	}
 
@@ -216,6 +232,10 @@ abstract class AbstractMapping {
 		$stmt->closeCursor();
 	}
 
+	/**
+	 * @param array<string> $fdns
+	 * @return array<string,string>
+	 */
 	public function getListOfIdsByDn(array $fdns): array {
 		$totalDBParamLimit = 65000;
 		$sliceSize = 1000;
@@ -223,6 +243,7 @@ abstract class AbstractMapping {
 		$results = [];
 
 		$slice = 1;
+		$fdns = array_map([$this, 'getDNHash'], $fdns);
 		$fdnsSlice = count($fdns) > $sliceSize ? array_slice($fdns, 0, $sliceSize) : $fdns;
 		$qb = $this->prepareListOfIdsQuery($fdnsSlice);
 
@@ -240,7 +261,7 @@ abstract class AbstractMapping {
 			}
 
 			if (!empty($fdnsSlice)) {
-				$qb->orWhere($qb->expr()->in('ldap_dn', $qb->createNamedParameter($fdnsSlice, QueryBuilder::PARAM_STR_ARRAY)));
+				$qb->orWhere($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($fdnsSlice, QueryBuilder::PARAM_STR_ARRAY)));
 			}
 
 			if ($slice % $maxSlices === 0) {
@@ -305,7 +326,7 @@ abstract class AbstractMapping {
 	 * @throws \Exception
 	 */
 	public function getUUIDByDN($dn) {
-		return $this->getXbyY('directory_uuid', 'ldap_dn', $dn);
+		return $this->getXbyY('directory_uuid', 'ldap_dn_hash', $this->getDNHash($dn));
 	}
 
 	/**
@@ -339,9 +360,9 @@ abstract class AbstractMapping {
 	 * @return bool
 	 */
 	public function map($fdn, $name, $uuid) {
-		if (mb_strlen($fdn) > 255) {
+		if (mb_strlen($fdn) > 4096) {
 			\OC::$server->getLogger()->error(
-				'Cannot map, because the DN exceeds 255 characters: {dn}',
+				'Cannot map, because the DN exceeds 4096 characters: {dn}',
 				[
 					'app' => 'user_ldap',
 					'dn' => $fdn,
@@ -351,6 +372,7 @@ abstract class AbstractMapping {
 		}
 
 		$row = [
+			'ldap_dn_hash' => $this->getDNHash($fdn),
 			'ldap_dn' => $fdn,
 			'owncloud_name' => $name,
 			'directory_uuid' => $uuid
@@ -438,7 +460,7 @@ abstract class AbstractMapping {
 	 */
 	public function count() {
 		$qb = $this->dbc->getQueryBuilder();
-		$query = $qb->select($qb->func()->count('ldap_dn'))
+		$query = $qb->select($qb->func()->count('ldap_dn_hash'))
 			->from($this->getTableName());
 		$res = $query->execute();
 		$count = $res->fetchOne();
diff --git a/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php b/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php
index e2c78ed59f8..939db69a6ab 100644
--- a/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php
+++ b/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php
@@ -60,8 +60,13 @@ class Version1010Date20200630192842 extends SimpleMigrationStep {
 				'length' => 255,
 				'default' => '',
 			]);
+			$table->addColumn('ldap_dn_hash', Types::STRING, [
+				'notnull' => false,
+				'length' => 64,
+			]);
 			$table->setPrimaryKey(['owncloud_name']);
-			$table->addUniqueIndex(['ldap_dn'], 'ldap_dn_users');
+			$table->addUniqueIndex(['ldap_dn_hash'], 'ldap_user_dn_hashes');
+			$table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid');
 		}
 
 		if (!$schema->hasTable('ldap_group_mapping')) {
@@ -81,8 +86,13 @@ class Version1010Date20200630192842 extends SimpleMigrationStep {
 				'length' => 255,
 				'default' => '',
 			]);
-			$table->setPrimaryKey(['ldap_dn']);
-			$table->addUniqueIndex(['owncloud_name'], 'owncloud_name_groups');
+			$table->addColumn('ldap_dn_hash', Types::STRING, [
+				'notnull' => false,
+				'length' => 64,
+			]);
+			$table->setPrimaryKey(['owncloud_name']);
+			$table->addUniqueIndex(['ldap_dn_hash'], 'ldap_group_dn_hashes');
+			$table->addUniqueIndex(['directory_uuid'], 'ldap_group_directory_uuid');
 		}
 
 		if (!$schema->hasTable('ldap_group_members')) {
diff --git a/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php b/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php
index d46107733dc..3ab069679ef 100644
--- a/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php
+++ b/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php
@@ -70,19 +70,19 @@ class Version1120Date20210917155206 extends SimpleMigrationStep {
 	}
 
 	protected function handleIDs(string $table, bool $emitHooks) {
-		$q = $this->getSelectQuery($table);
-		$u = $this->getUpdateQuery($table);
+		$select = $this->getSelectQuery($table);
+		$update = $this->getUpdateQuery($table);
 
-		$r = $q->executeQuery();
-		while ($row = $r->fetch()) {
+		$result = $select->executeQuery();
+		while ($row = $result->fetch()) {
 			$newId = hash('sha256', $row['owncloud_name'], false);
 			if ($emitHooks) {
 				$this->emitUnassign($row['owncloud_name'], true);
 			}
-			$u->setParameter('uuid', $row['directory_uuid']);
-			$u->setParameter('newId', $newId);
+			$update->setParameter('uuid', $row['directory_uuid']);
+			$update->setParameter('newId', $newId);
 			try {
-				$u->executeStatement();
+				$update->executeStatement();
 				if ($emitHooks) {
 					$this->emitUnassign($row['owncloud_name'], false);
 					$this->emitAssign($newId);
@@ -100,23 +100,23 @@ class Version1120Date20210917155206 extends SimpleMigrationStep {
 				);
 			}
 		}
-		$r->closeCursor();
+		$result->closeCursor();
 	}
 
 	protected function getSelectQuery(string $table): IQueryBuilder {
-		$q = $this->dbc->getQueryBuilder();
-		$q->select('owncloud_name', 'directory_uuid')
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->select('owncloud_name', 'directory_uuid')
 			->from($table)
-			->where($q->expr()->like('owncloud_name', $q->createNamedParameter(str_repeat('_', 65) . '%'), Types::STRING));
-		return $q;
+			->where($qb->expr()->like('owncloud_name', $qb->createNamedParameter(str_repeat('_', 65) . '%'), Types::STRING));
+		return $qb;
 	}
 
 	protected function getUpdateQuery(string $table): IQueryBuilder {
-		$q = $this->dbc->getQueryBuilder();
-		$q->update($table)
-			->set('owncloud_name', $q->createParameter('newId'))
-			->where($q->expr()->eq('directory_uuid', $q->createParameter('uuid')));
-		return $q;
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->update($table)
+			->set('owncloud_name', $qb->createParameter('newId'))
+			->where($qb->expr()->eq('directory_uuid', $qb->createParameter('uuid')));
+		return $qb;
 	}
 
 	protected function emitUnassign(string $oldId, bool $pre): void {
diff --git a/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php
new file mode 100644
index 00000000000..b79dbabd5a0
--- /dev/null
+++ b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php
@@ -0,0 +1,146 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OCA\User_LDAP\Migration;
+
+use Closure;
+use OCP\DB\Exception;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\DB\Types;
+use OCP\IDBConnection;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use Psr\Log\LoggerInterface;
+
+class Version1130Date20211102154716 extends SimpleMigrationStep {
+
+	/** @var IDBConnection */
+	private $dbc;
+	/** @var LoggerInterface */
+	private $logger;
+
+	public function __construct(IDBConnection $dbc, LoggerInterface $logger) {
+		$this->dbc = $dbc;
+		$this->logger = $logger;
+	}
+
+	public function getName() {
+		return 'Adjust LDAP user and group ldap_dn column lengths and add ldap_dn_hash columns';
+	}
+
+	/**
+	 * @param IOutput $output
+	 * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
+	 * @param array $options
+	 * @return null|ISchemaWrapper
+	 */
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		$changeSchema = false;
+		foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) {
+			$table = $schema->getTable($tableName);
+			if (!$table->hasColumn('ldap_dn_hash')) {
+				$table->addColumn('ldap_dn_hash', Types::STRING, [
+					'notnull' => false,
+					'length' => 64,
+				]);
+				$changeSchema = true;
+			}
+			$column = $table->getColumn('ldap_dn');
+			if ($column->getLength() < 4096) {
+				$column->setLength(4096);
+				$changeSchema = true;
+			}
+			if ($tableName === 'ldap_user_mapping') {
+				if ($table->hasIndex('ldap_dn_users')) {
+					$table->dropIndex('ldap_dn_users');
+					$changeSchema = true;
+				}
+				if (!$table->hasIndex('ldap_user_dn_hashes')) {
+					$table->addUniqueIndex(['ldap_dn_hash'], 'ldap_user_dn_hashes');
+					$changeSchema = true;
+				}
+				if (!$table->hasIndex('ldap_user_directory_uuid')) {
+					$table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid');
+					$changeSchema = true;
+				}
+			} else {
+				if ($table->hasIndex('owncloud_name_groups')) {
+					$table->dropIndex('owncloud_name_groups');
+					$changeSchema = true;
+				}
+				if (!$table->hasIndex('ldap_group_dn_hashes')) {
+					$table->addUniqueIndex(['ldap_dn_hash'], 'ldap_group_dn_hashes');
+					$changeSchema = true;
+				}
+				if (!$table->hasIndex('ldap_group_directory_uuid')) {
+					$table->addUniqueIndex(['directory_uuid'], 'ldap_group_directory_uuid');
+					$changeSchema = true;
+				}
+				if (!$table->hasPrimaryKey() || ($table->getPrimaryKeyColumns() !== ['owncloud_name'])) {
+					$table->dropPrimaryKey();
+					$table->setPrimaryKey(['owncloud_name']);
+					$changeSchema = true;
+				}
+			}
+		}
+
+		return $changeSchema ? $schema : null;
+	}
+
+	/**
+	 * @param IOutput $output
+	 * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
+	 * @param array $options
+	 */
+	public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {
+		$this->handleDNHashes('ldap_group_mapping');
+		$this->handleDNHashes('ldap_user_mapping');
+	}
+
+	protected function handleDNHashes(string $table): void {
+		$select = $this->getSelectQuery($table);
+		$update = $this->getUpdateQuery($table);
+
+		$result = $select->executeQuery();
+		while ($row = $result->fetch()) {
+			$dnHash = hash('sha256', $row['ldap_dn'], false);
+			$update->setParameter('name', $row['owncloud_name']);
+			$update->setParameter('dn_hash', $dnHash);
+			try {
+				$update->executeStatement();
+			} catch (Exception $e) {
+				$this->logger->error('Failed to add hash "{dnHash}" ("{name}" of {table})',
+					[
+						'app' => 'user_ldap',
+						'name' => $row['owncloud_name'],
+						'dnHash' => $dnHash,
+						'table' => $table,
+						'exception' => $e,
+					]
+				);
+			}
+		}
+		$result->closeCursor();
+	}
+
+	protected function getSelectQuery(string $table): IQueryBuilder {
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->select('owncloud_name', 'ldap_dn', 'ldap_dn_hash')
+			->from($table)
+			->where($qb->expr()->isNull('ldap_dn_hash'));
+		return $qb;
+	}
+
+	protected function getUpdateQuery(string $table): IQueryBuilder {
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->update($table)
+			->set('ldap_dn_hash', $qb->createParameter('dn_hash'))
+			->where($qb->expr()->eq('owncloud_name', $qb->createParameter('name')));
+		return $qb;
+	}
+}