aboutsummaryrefslogtreecommitdiffstats
path: root/apps
diff options
context:
space:
mode:
authorblizzz <blizzz@arthur-schiwon.de>2020-10-19 15:34:52 +0200
committerGitHub <noreply@github.com>2020-10-19 15:34:52 +0200
commit6d2471d36e6be6ee119f9c21e3a6b78a5762630b (patch)
tree8b901e1f78cbced3a73c71988ba4fbc48e1766dd /apps
parent8355f95beff4916c3fad6869d5bbb966ef130b23 (diff)
parent2ee26b691c8045180c28d81e90c110c38cabcda8 (diff)
downloadnextcloud-server-6d2471d36e6be6ee119f9c21e3a6b78a5762630b.tar.gz
nextcloud-server-6d2471d36e6be6ee119f9c21e3a6b78a5762630b.zip
Merge pull request #23566 from nextcloud/fix/noid/groupsbymember-apply-group-filter-early-if-possible
LDAP: when nesting is not enabled, the group filter can be applied right away
Diffstat (limited to 'apps')
-rw-r--r--apps/user_ldap/lib/Connection.php6
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php7
-rw-r--r--apps/user_ldap/tests/Group_LDAPTest.php42
3 files changed, 43 insertions, 12 deletions
diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php
index af10aadc6bb..6af2fd700e4 100644
--- a/apps/user_ldap/lib/Connection.php
+++ b/apps/user_ldap/lib/Connection.php
@@ -145,11 +145,7 @@ class Connection extends LDAPUtility {
$this->dontDestruct = true;
}
- /**
- * @param string $name
- * @return bool|mixed
- */
- public function __get($name) {
+ public function __get(string $name) {
if (!$this->configured) {
$this->readConfiguration();
}
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index ebbab7b2109..5444f0815e3 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -344,7 +344,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
}
$seen = [];
- while ($record = array_pop($list)) {
+ while ($record = array_shift($list)) {
$recordDN = $recordMode ? $record['dn'][0] : $record;
if ($recordDN === $dn || array_key_exists($recordDN, $seen)) {
// Prevent loops
@@ -822,6 +822,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
$filter .= '@*';
}
+ $nesting = (int)$this->access->connection->ldapNestedGroups;
+ if ($nesting === 0) {
+ $filter = $this->access->combineFilterWithAnd([$filter, $this->access->connection->ldapGroupFilter]);
+ }
+
$groups = $this->access->fetchListOfGroups($filter,
[strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
if (is_array($groups)) {
diff --git a/apps/user_ldap/tests/Group_LDAPTest.php b/apps/user_ldap/tests/Group_LDAPTest.php
index 4ddf9f5247c..74dd2b467cf 100644
--- a/apps/user_ldap/tests/Group_LDAPTest.php
+++ b/apps/user_ldap/tests/Group_LDAPTest.php
@@ -719,23 +719,36 @@ class Group_LDAPTest extends TestCase {
$groupBackend->getUserGroups('userX');
}
- public function testGetGroupsByMember() {
+ public function nestedGroupsProvider(): array {
+ return [
+ [ true ],
+ [ false ],
+ ];
+ }
+
+ /**
+ * @dataProvider nestedGroupsProvider
+ */
+ public function testGetGroupsByMember(bool $nestedGroups) {
$access = $this->getAccessMock();
$pluginManager = $this->getPluginManagerMock();
+ $groupFilter = '(&(objectclass=nextcloudGroup)(nextcloudEnabled=TRUE))';
$access->connection = $this->createMock(Connection::class);
$access->connection->expects($this->any())
->method('__get')
- ->willReturnCallback(function ($name) {
+ ->willReturnCallback(function ($name) use ($nestedGroups, $groupFilter) {
switch ($name) {
case 'useMemberOfToDetectMembership':
return 0;
case 'ldapDynamicGroupMemberURL':
return '';
case 'ldapNestedGroups':
- return false;
+ return $nestedGroups;
case 'ldapGroupMemberAssocAttr':
return 'member';
+ case 'ldapGroupFilter':
+ return $groupFilter;
}
return 1;
});
@@ -748,10 +761,15 @@ class Group_LDAPTest extends TestCase {
$access->expects($this->exactly(2))
->method('username2dn')
->willReturn($dn);
-
$access->expects($this->any())
->method('readAttribute')
->willReturn([]);
+ $access->expects($this->any())
+ ->method('combineFilterWithAnd')
+ ->willReturnCallback(function (array $filterParts) {
+ // ⚠ returns a pseudo-filter only, not real LDAP Filter syntax
+ return implode('&', $filterParts);
+ });
$group1 = [
'cn' => 'group1',
@@ -766,9 +784,21 @@ class Group_LDAPTest extends TestCase {
->method('nextcloudGroupNames')
->with([$group1, $group2])
->willReturn(['group1', 'group2']);
- $access->expects($this->once())
+ $access->expects($nestedGroups ? $this->atLeastOnce() : $this->once())
->method('fetchListOfGroups')
- ->willReturn([$group1, $group2]);
+ ->willReturnCallback(function ($filter, $attr, $limit, $offset) use ($nestedGroups, $groupFilter, $group1, $group2) {
+ static $firstRun = true;
+ if (!$nestedGroups) {
+ // When nested groups are enabled, groups cannot be filtered early as it would
+ // exclude intermediate groups. But we can, and should, when working with flat groups.
+ $this->assertTrue(strpos($filter, $groupFilter) !== false);
+ }
+ if ($firstRun) {
+ $firstRun = false;
+ return [$group1, $group2];
+ }
+ return [];
+ });
$access->expects($this->any())
->method('dn2groupname')
->willReturnCallback(function (string $dn) {