author | blizzz <blizzz@arthur-schiwon.de> | 2019-03-07 22:31:51 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-03-07 22:31:51 +0100 |
commit | 3af7f2c2ea3675697861b5369855b408bd8f55ec (patch) | |
tree | 62875164229d4cdc6978d59c82b3014848a79492 /build | |
parent | 7ff1f8366ad2fdd52d7b0d2d7cf5c5ac39a9e79f (diff) | |
parent | e36cede9947e47dac15e9b1d5643dd613085c1c3 (diff) | |
Merge pull request #14464 from nextcloud/fix/noid/ldap-nested-group-filter
resolve user and groups in nested groups first before filtering the results
Diffstat (limited to 'build')
3 files changed, 108 insertions, 0 deletions
diff --git a/build/integration/features/bootstrap/LDAPContext.php b/build/integration/features/bootstrap/LDAPContext.php
index ee7acab6f5f..2ad737bf8b8 100644
--- a/build/integration/features/bootstrap/LDAPContext.php
+++ b/build/integration/features/bootstrap/LDAPContext.php
@@ -27,6 +27,7 @@ use PHPUnit\Framework\Assert;
 class LDAPContext implements Context {
 use BasicStructure;
+ use CommandLine;
 protected $configID;
@@ -37,6 +38,8 @@ class LDAPContext implements Context {
 if($this->configID === null) {
 return;
 }
+ $this->disableLDAPConfiguration(); # via occ in case of big config issues
+ $this->asAn('admin');
 $this->sendingTo('DELETE', $this->apiUrl . '/' . $this->configID);
 }
@@ -196,4 +199,9 @@ class LDAPContext implements Context {
 $backend = (string)simplexml_load_string($this->response->getBody())->data[0]->backend;
 Assert::assertEquals('LDAP', $backend);
 }
+
+ public function disableLDAPConfiguration() {
+ $configKey = $this->configID . 'ldap_configuration_active';
+ $this->invokingTheCommand('config:app:set user_ldap ' . $configKey . ' --value="0"');
+ }
 }
diff --git a/build/integration/ldap_features/ldap-openldap.feature b/build/integration/ldap_features/ldap-openldap.feature
index 4b0b02c5b4f..6c5ed8b462b 100644
--- a/build/integration/ldap_features/ldap-openldap.feature
+++ b/build/integration/ldap_features/ldap-openldap.feature
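Review bot: The added `disableLDAPConfiguration()` call in the teardown body ignores whether the occ command worked, and its trailing `#` comment does not say what "big config issues" means for the cleanup. If the intent is that a broken LDAP configuration can make the OCS `DELETE` on the following lines fail, say so, e.g. `// Deactivate via occ first: with a badly broken LDAP config the OCS DELETE below may not succeed`. It is also worth confirming that a failing occ call cannot abort the teardown before the `DELETE` is sent, since that would leave the configuration active for later scenarios. The enclosing method starts above the hunk.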
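Review bot: `disableLDAPConfiguration()` splices `$this->configID` into an occ command line without checking its shape and never verifies that the command succeeded. The ID appears to come from an earlier API response, so a guard such as `if (!preg_match('/^[A-Za-z0-9]+$/', (string)$this->configID)) { throw new \InvalidArgumentException('unexpected LDAP config ID'); }` before building `$configKey` keeps whitespace or shell metacharacters out of the command regardless of how `invokingTheCommand()` tokenizes it (that helper is not visible in this diff). Depending on that tokenization the quotes in `--value="0"` may also end up stored literally; `--value=0` avoids the question. A short docblock stating that the method deactivates the configuration under test through occ would also help, since the method has no step annotation explaining its role.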
@@ -102,3 +102,67 @@ Feature: LDAP
 | ldapHost | foo.bar |
 | ldapPort | 2456 |
 Then Expect ServerException on failed web login as "alice"
+
+ Scenario: Test LDAP group membership with intermediate groups not matching filter
+ Given modify LDAP configuration
+ | ldapBaseGroups | ou=OtherGroups,dc=nextcloud,dc=ci |
+ | ldapGroupFilter | (&(cn=Gardeners)(objectclass=groupOfNames)) |
+ | ldapNestedGroups | 1 |
+ | useMemberOfToDetectMembership | 1 |
+ | ldapUserFilter | (&(objectclass=inetorgperson)(!(uid=alice))) |
+ | ldapExpertUsernameAttr | uid |
+ | ldapGroupMemberAssocAttr | member |
+ And As an "admin"
+ # for population
+ And sending "GET" to "/cloud/groups"
+ And sending "GET" to "/cloud/groups/Gardeners/users"
+ Then the OCS status code should be "200"
+ And the "users" result should match
+ | alice | 0 |
+ | clara | 1 |
+ | elisa | 1 |
+ | gustaf | 1 |
+ | jesper | 1 |
+
+ Scenario: Test LDAP group membership with intermediate groups not matching filter and without memberof
+ Given modify LDAP configuration
+ | ldapBaseGroups | ou=OtherGroups,dc=nextcloud,dc=ci |
+ | ldapGroupFilter | (&(cn=Gardeners)(objectclass=groupOfNames)) |
+ | ldapNestedGroups | 1 |
+ | useMemberOfToDetectMembership | 0 |
+ | ldapUserFilter | (&(objectclass=inetorgperson)(!(uid=alice))) |
+ | ldapExpertUsernameAttr | uid |
+ | ldapGroupMemberAssocAttr | member |
+ And As an "admin"
+ # for population
+ And sending "GET" to "/cloud/groups"
+ And sending "GET" to "/cloud/groups/Gardeners/users"
+ Then the OCS status code should be "200"
+ And the "users" result should match
+ | alice | 0 |
+ | clara | 1 |
+ | elisa | 1 |
+ | gustaf | 1 |
+ | jesper | 1 |
+
+ Scenario: Test LDAP group membership with intermediate groups not matching filter, numeric group ids
+ Given modify LDAP configuration
+ | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
+ | ldapGroupFilter | (&(cn=2000)(objectclass=groupOfNames)) |
+ | ldapNestedGroups | 1 |
+ | useMemberOfToDetectMembership | 1 |
+ | ldapUserFilter | (&(objectclass=inetorgperson)(!(uid=alice))) |
+ | ldapExpertUsernameAttr | uid |
+ | ldapGroupMemberAssocAttr | member |
+ And As an "admin"
+ # for population
+ And sending "GET" to "/cloud/groups"
+ And sending "GET" to "/cloud/groups/2000/users"
+ Then the OCS status code should be "200"
+ And the "users" result should match
+ | alice | 0 |
+ | clara | 1 |
+ | elisa | 1 |
+ | gustaf | 1 |
+ | jesper | 1 |
+
diff --git a/build/integration/ldap_features/openldap-numerical-id.feature b/build/integration/ldap_features/openldap-numerical-id.feature
index 2d87ba33e6e..4112df0ae1a 100644
--- a/build/integration/ldap_features/openldap-numerical-id.feature
+++ b/build/integration/ldap_features/openldap-numerical-id.feature
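Review bot: Each of the three added scenarios requests `/cloud/groups` only "for population" and never asserts on that response, so a regression that exposes intermediate groups outside `ldapGroupFilter` in the group list would still pass. Since the filter restricts groups to `cn=Gardeners` (`cn=2000` in the third scenario), consider asserting the list right after that request with the step the numerical-id feature already uses: `And the "groups" result should match` with a row `| Gardeners | 1 |` and a `0` row for an intermediate group from the fixture (`<INTERMEDIATE_GROUP>`, its name is not visible in this diff). The same applies to the membership scenario added in openldap-numerical-id.feature.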
@@ -29,3 +29,39 @@ Scenario: Test by logging in
 And Logging in using web as "92379"
 And Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
 Then the HTTP status code should be "200"
+
+Scenario: Test LDAP group retrieval with numeric group ids and nesting
+ # Nesting does not play a role here really
+ Given modify LDAP configuration
+ | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
+ | ldapGroupFilter | (objectclass=groupOfNames) |
+ | ldapNestedGroups | 1 |
+ | useMemberOfToDetectMembership | 1 |
+ And As an "admin"
+ And sending "GET" to "/cloud/groups"
+ Then the OCS status code should be "200"
+ And the "groups" result should match
+ | 2000 | 1 |
+ | 3000 | 1 |
+ | 3001 | 1 |
+ | 3002 | 1 |
+
+Scenario: Test LDAP group membership with intermediate groups not matching filter, numeric group ids
+ Given modify LDAP configuration
+ | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
+ | ldapGroupFilter | (&(cn=2000)(objectclass=groupOfNames)) |
+ | ldapNestedGroups | 1 |
+ | useMemberOfToDetectMembership | 1 |
+ | ldapUserFilter | (&(objectclass=inetorgperson)(!(uid=alice))) |
+ | ldapGroupMemberAssocAttr | member |
+ And As an "admin"
+ # for population
+ And sending "GET" to "/cloud/groups"
+ And sending "GET" to "/cloud/groups/2000/users"
+ Then the OCS status code should be "200"
+ And the "users" result should match
+ | 92379 | 0 |
+ | 54172 | 1 |
+ | 50194 | 1 |
+ | 59376 | 1 |
+ | 59463 | 1 | |
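Review bot: The second added scenario reuses, word for word, the title of the third scenario added to ldap-openldap.feature ("… intermediate groups not matching filter, numeric group ids"), although the expected members here are numeric user ids and there they are uid names. A distinguishing suffix such as `, numeric user ids` would let a failure be attributed to the right file from the test report alone. The comment `# Nesting does not play a role here really` in the first scenario would also read better as a statement of intent, for example `# ldapNestedGroups is enabled, but the expected group list does not depend on nesting`, if that is what is meant.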