diff options
Diffstat (limited to 'apps/user_ldap/lib/Access.php')
| -rw-r--r-- | apps/user_ldap/lib/Access.php | 854 |
1 files changed, 415 insertions, 439 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index d11ca98ece9..9fe0aa64268 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -1,64 +1,32 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Aaron Wood <aaronjwood@gmail.com> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Benjamin Diele <benjamin@diele.be> - * @author bline <scottbeck@gmail.com> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Mario Kolling <mario.kolling@serpro.gov.br> - * @author Max Kovalenko <mxss1998@yandex.ru> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Peter Kubica <peter@kubica.ch> - * @author Ralph Krimmel <rkrimme1@gwdg.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Roland Tapken <roland@bitarbeiter.net> - * @author root <root@localhost.localdomain> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; use DomainException; -use OC\HintException; use OC\Hooks\PublicEmitter; use OC\ServerNotAvailableException; use OCA\User_LDAP\Exceptions\ConstraintViolationException; +use OCA\User_LDAP\Exceptions\NoMoreResults; use OCA\User_LDAP\Mapping\AbstractMapping; -use OCA\User_LDAP\Mapping\UserMapping; use OCA\User_LDAP\User\Manager; use OCA\User_LDAP\User\OfflineUser; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\HintException; +use OCP\IAppConfig; use OCP\IConfig; -use OCP\ILogger; +use OCP\IGroupManager; use OCP\IUserManager; +use OCP\Server; +use OCP\User\Events\UserIdAssignedEvent; +use OCP\Util; +use Psr\Log\LoggerInterface; +use function strlen; +use function substr; /** * Class Access @@ -68,64 +36,46 @@ use OCP\IUserManager; class Access extends LDAPUtility { public const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid']; - /** @var \OCA\User_LDAP\Connection */ - public $connection; - /** @var Manager */ - public $userManager; - //never ever check this var directly, always use getPagedSearchResultState - protected $pagedSearchedSuccessful; - /** - * @var UserMapping $userMapper + * never ever check this var directly, always use getPagedSearchResultState + * @var ?bool */ + protected $pagedSearchedSuccessful; + + /** @var ?AbstractMapping */ protected $userMapper; - /** - * @var AbstractMapping $userMapper - */ + /** @var ?AbstractMapping */ protected $groupMapper; - /** - * @var \OCA\User_LDAP\Helper - */ - private $helper; - /** @var IConfig */ - private $config; - /** @var IUserManager */ - private $ncUserManager; - /** @var string */ - private $lastCookie = ''; + private string $lastCookie = ''; public function __construct( - Connection $connection, ILDAPWrapper $ldap, - Manager $userManager, - Helper $helper, - IConfig $config, - IUserManager $ncUserManager + public Connection $connection, + public Manager $userManager, + private Helper $helper, + private IConfig $config, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IAppConfig $appConfig, + private IEventDispatcher $dispatcher, ) { parent::__construct($ldap); - $this->connection = $connection; - $this->userManager = $userManager; $this->userManager->setLdapAccess($this); - $this->helper = $helper; - $this->config = $config; - $this->ncUserManager = $ncUserManager; } /** * sets the User Mapper - * - * @param AbstractMapping $mapper */ - public function setUserMapper(AbstractMapping $mapper) { + public function setUserMapper(AbstractMapping $mapper): void { $this->userMapper = $mapper; } /** * @throws \Exception */ - public function getUserMapper(): UserMapping { + public function getUserMapper(): AbstractMapping { if (is_null($this->userMapper)) { throw new \Exception('UserMapper was not assigned to this Access instance.'); } @@ -134,20 +84,17 @@ class Access extends LDAPUtility { /** * sets the Group Mapper - * - * @param AbstractMapping $mapper */ - public function setGroupMapper(AbstractMapping $mapper) { + public function setGroupMapper(AbstractMapping $mapper): void { $this->groupMapper = $mapper; } /** * returns the Group Mapper * - * @return AbstractMapping * @throws \Exception */ - public function getGroupMapper() { + public function getGroupMapper(): AbstractMapping { if (is_null($this->groupMapper)) { throw new \Exception('GroupMapper was not assigned to this Access instance.'); } @@ -171,38 +118,75 @@ class Access extends LDAPUtility { } /** - * reads a given attribute for an LDAP record identified by a DN + * Reads several attributes for an LDAP record identified by a DN and a filter + * No support for ranged attributes. * * @param string $dn the record in question - * @param string $attr the attribute that shall be retrieved - * if empty, just check the record's existence + * @param array $attrs the attributes that shall be retrieved + * if empty, just check the record's existence * @param string $filter * @return array|false an array of values on success or an empty - * array if $attr is empty, false otherwise + * array if $attr is empty, false otherwise * @throws ServerNotAvailableException */ - public function readAttribute($dn, $attr, $filter = 'objectClass=*') { + public function readAttributes(string $dn, array $attrs, string $filter = 'objectClass=*'): array|false { if (!$this->checkConnection()) { - \OCP\Util::writeLog('user_ldap', + $this->logger->warning( 'No LDAP Connector assigned, access impossible for readAttribute.', - ILogger::WARN); + ['app' => 'user_ldap'] + ); return false; } $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - //LDAP not available - \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG); + $attrs = array_map( + fn (string $attr): string => mb_strtolower($attr, 'UTF-8'), + $attrs, + ); + + $values = []; + $record = $this->executeRead($dn, $attrs, $filter); + if (is_bool($record)) { + // when an exists request was run and it was successful, an empty + // array must be returned + return $record ? [] : false; + } + + $result = []; + foreach ($attrs as $attr) { + $values = $this->extractAttributeValuesFromResult($record, $attr); + if (!empty($values)) { + $result[$attr] = $values; + } + } + + if (!empty($result)) { + return $result; + } + + $this->logger->debug('Requested attributes {attrs} not found for ' . $dn, ['app' => 'user_ldap', 'attrs' => $attrs]); + return false; + } + + /** + * reads a given attribute for an LDAP record identified by a DN + * + * @param string $dn the record in question + * @param string $attr the attribute that shall be retrieved + * if empty, just check the record's existence + * @param string $filter + * @return array|false an array of values on success or an empty + * array if $attr is empty, false otherwise + * @throws ServerNotAvailableException + */ + public function readAttribute(string $dn, string $attr, string $filter = 'objectClass=*') { + if (!$this->checkConnection()) { + $this->logger->warning( + 'No LDAP Connector assigned, access impossible for readAttribute.', + ['app' => 'user_ldap'] + ); return false; } - //Cancel possibly running Paged Results operation, otherwise we run in - //LDAP protocol errors - $this->abandonPagedSearch(); - // openLDAP requires that we init a new Paged Search. Not needed by AD, - // but does not hurt either. - $pagingSize = (int)$this->connection->ldapPagingSize; - // 0 won't result in replies, small numbers may leave out groups - // (cf. #12306), 500 is default for paging and should work everywhere. - $maxResults = $pagingSize > 20 ? $pagingSize : 500; + $cr = $this->connection->getConnectionResource(); $attr = mb_strtolower($attr, 'UTF-8'); // the actual read attribute later may contain parameters on a ranged // request, e.g. member;range=99-199. Depends on server reply. @@ -211,7 +195,7 @@ class Access extends LDAPUtility { $values = []; $isRangeRequest = false; do { - $result = $this->executeRead($cr, $dn, $attrToRead, $filter, $maxResults); + $result = $this->executeRead($dn, $attrToRead, $filter); if (is_bool($result)) { // when an exists request was run and it was successful, an empty // array must be returned @@ -246,47 +230,41 @@ class Access extends LDAPUtility { } } while ($isRangeRequest); - \OCP\Util::writeLog('user_ldap', 'Requested attribute ' . $attr . ' not found for ' . $dn, ILogger::DEBUG); + $this->logger->debug('Requested attribute ' . $attr . ' not found for ' . $dn, ['app' => 'user_ldap']); return false; } /** * Runs an read operation against LDAP * - * @param resource $cr the LDAP connection - * @param string $dn - * @param string $attribute - * @param string $filter - * @param int $maxResults * @return array|bool false if there was any error, true if an exists check * was performed and the requested DN found, array with the * returned data on a successful usual operation * @throws ServerNotAvailableException */ - public function executeRead($cr, $dn, $attribute, $filter, $maxResults) { - $this->initPagedSearch($filter, $dn, [$attribute], $maxResults, 0); + public function executeRead(string $dn, string|array $attribute, string $filter) { $dn = $this->helper->DNasBaseParameter($dn); - $rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, [$attribute]); + $rr = @$this->invokeLDAPMethod('read', $dn, $filter, (is_string($attribute) ? [$attribute] : $attribute)); if (!$this->ldap->isResource($rr)) { if ($attribute !== '') { //do not throw this message on userExists check, irritates - \OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, ILogger::DEBUG); + $this->logger->debug('readAttribute failed for DN ' . $dn, ['app' => 'user_ldap']); } //in case an error occurs , e.g. object does not exist return false; } - if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) { - \OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', ILogger::DEBUG); + if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $rr) === 1)) { + $this->logger->debug('readAttribute: ' . $dn . ' found', ['app' => 'user_ldap']); return true; } - $er = $this->invokeLDAPMethod('firstEntry', $cr, $rr); + $er = $this->invokeLDAPMethod('firstEntry', $rr); if (!$this->ldap->isResource($er)) { //did not match the filter, return false return false; } //LDAP attributes are not case sensitive - $result = \OCP\Util::mb_array_change_key_case( - $this->invokeLDAPMethod('getAttributes', $cr, $er), MB_CASE_LOWER, 'UTF-8'); + $result = Util::mb_array_change_key_case( + $this->invokeLDAPMethod('getAttributes', $er), MB_CASE_LOWER, 'UTF-8'); return $result; } @@ -295,6 +273,8 @@ class Access extends LDAPUtility { * Normalizes a result grom getAttributes(), i.e. handles DNs and binary * data if present. * + * DN values are escaped as per RFC 2253 + * * @param array $result from ILDAPWrapper::getAttributes() * @param string $attribute the attribute name that was read * @return string[] @@ -326,20 +306,19 @@ class Access extends LDAPUtility { * @return array If a range was detected with keys 'values', 'attributeName', * 'attributeFull' and 'rangeHigh', otherwise empty. */ - public function extractRangeData($result, $attribute) { + public function extractRangeData(array $result, string $attribute): array { $keys = array_keys($result); foreach ($keys as $key) { - if ($key !== $attribute && strpos($key, $attribute) === 0) { - $queryData = explode(';', $key); - if (strpos($queryData[1], 'range=') === 0) { + if ($key !== $attribute && str_starts_with((string)$key, $attribute)) { + $queryData = explode(';', (string)$key); + if (isset($queryData[1]) && str_starts_with($queryData[1], 'range=')) { $high = substr($queryData[1], 1 + strpos($queryData[1], '-')); - $data = [ + return [ 'values' => $result[$key], 'attributeName' => $queryData[0], 'attributeFull' => $key, 'rangeHigh' => $high, ]; - return $data; } } } @@ -360,17 +339,12 @@ class Access extends LDAPUtility { throw new \Exception('LDAP password changes are disabled.'); } $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - //LDAP not available - \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG); - return false; - } try { // try PASSWD extended operation first - return @$this->invokeLDAPMethod('exopPasswd', $cr, $userDN, '', $password) || - @$this->invokeLDAPMethod('modReplace', $cr, $userDN, $password); + return @$this->invokeLDAPMethod('exopPasswd', $userDN, '', $password) + || @$this->invokeLDAPMethod('modReplace', $userDN, $password); } catch (ConstraintViolationException $e) { - throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ') . $e->getMessage(), $e->getCode()); + throw new HintException('Password change rejected.', Util::getL10N('user_ldap')->t('Password change rejected. Hint: %s', $e->getMessage()), (int)$e->getCode()); } } @@ -421,7 +395,7 @@ class Access extends LDAPUtility { $domainParts = []; $dcFound = false; foreach ($allParts as $part) { - if (!$dcFound && strpos($part, 'dc=') === 0) { + if (!$dcFound && str_starts_with($part, 'dc=')) { $dcFound = true; } if ($dcFound) { @@ -438,7 +412,7 @@ class Access extends LDAPUtility { * @return string|false LDAP DN on success, otherwise false */ public function groupname2dn($name) { - return $this->groupMapper->getDNByName($name); + return $this->getGroupMapper()->getDNByName($name); } /** @@ -448,7 +422,7 @@ class Access extends LDAPUtility { * @return string|false with the LDAP DN on success, otherwise false */ public function username2dn($name) { - $fdn = $this->userMapper->getDNByName($name); + $fdn = $this->getUserMapper()->getDNByName($name); //Check whether the DN belongs to the Base, to avoid issues on multi- //server setups @@ -464,10 +438,11 @@ class Access extends LDAPUtility { * * @param string $fdn the dn of the group object * @param string $ldapName optional, the display name of the object + * @param bool $autoMapping Should the group be mapped if not yet mapped * @return string|false with the name to use in Nextcloud, false on DN outside of search DN * @throws \Exception */ - public function dn2groupname($fdn, $ldapName = null) { + public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) { //To avoid bypassing the base DN settings under certain circumstances //with the group support, check whether the provided DN matches one of //the given Bases @@ -475,18 +450,18 @@ class Access extends LDAPUtility { return false; } - return $this->dn2ocname($fdn, $ldapName, false); + return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping); } /** * returns the internal Nextcloud name for the given LDAP DN of the user, false on DN outside of search DN or failure * - * @param string $dn the dn of the user object + * @param string $fdn the dn of the user object * @param string $ldapName optional, the display name of the object * @return string|false with with the name to use in Nextcloud * @throws \Exception */ - public function dn2username($fdn, $ldapName = null) { + public function dn2username($fdn) { //To avoid bypassing the base DN settings under certain circumstances //with the group support, check whether the provided DN matches one of //the given Bases @@ -494,7 +469,7 @@ class Access extends LDAPUtility { return false; } - return $this->dn2ocname($fdn, $ldapName, true); + return $this->dn2ocname($fdn, null, true); } /** @@ -505,19 +480,21 @@ class Access extends LDAPUtility { * @param bool $isUser optional, whether it is a user object (otherwise group assumed) * @param bool|null $newlyMapped * @param array|null $record + * @param bool $autoMapping Should the group be mapped if not yet mapped * @return false|string with with the name to use in Nextcloud * @throws \Exception */ - public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) { + public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) { + static $intermediates = []; + if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) { + return false; // is a known intermediate + } + $newlyMapped = false; if ($isUser) { $mapper = $this->getUserMapper(); - $nameAttribute = $this->connection->ldapUserDisplayName; - $filter = $this->connection->ldapUserFilter; } else { $mapper = $this->getGroupMapper(); - $nameAttribute = $this->connection->ldapGroupDisplayName; - $filter = $this->connection->ldapGroupFilter; } //let's try to retrieve the Nextcloud name from the mappings table @@ -526,6 +503,41 @@ class Access extends LDAPUtility { return $ncName; } + if (!$autoMapping) { + /* If no auto mapping, stop there */ + return false; + } + + if ($isUser) { + $nameAttribute = strtolower($this->connection->ldapUserDisplayName); + $filter = $this->connection->ldapUserFilter; + $uuidAttr = 'ldapUuidUserAttribute'; + $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; + $usernameAttribute = strtolower($this->connection->ldapExpertUsernameAttr); + $attributesToRead = [$nameAttribute,$usernameAttribute]; + // TODO fetch also display name attributes and cache them if the user is mapped + } else { + $nameAttribute = strtolower($this->connection->ldapGroupDisplayName); + $filter = $this->connection->ldapGroupFilter; + $uuidAttr = 'ldapUuidGroupAttribute'; + $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr; + $attributesToRead = [$nameAttribute]; + } + + if ($this->detectUuidAttribute($fdn, $isUser, false, $record)) { + $attributesToRead[] = $this->connection->$uuidAttr; + } + + if ($record === null) { + /* No record was passed, fetch it */ + $record = $this->readAttributes($fdn, $attributesToRead, $filter); + if ($record === false) { + $this->logger->debug('Cannot read attributes for ' . $fdn . '. Skipping.', ['filter' => $filter]); + $intermediates[($isUser ? 'user-' : 'group-') . $fdn] = true; + return false; + } + } + //second try: get the UUID and check if it is known. Then, update the DN and return the name. $uuid = $this->getUUID($fdn, $isUser, $record); if (is_string($uuid)) { @@ -536,23 +548,17 @@ class Access extends LDAPUtility { } } else { //If the UUID can't be detected something is foul. - \OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for ' . $fdn . '. Skipping.', ILogger::INFO); + $this->logger->debug('Cannot determine UUID for ' . $fdn . '. Skipping.', ['app' => 'user_ldap']); return false; } - if (is_null($ldapName)) { - $ldapName = $this->readAttribute($fdn, $nameAttribute, $filter); - if (!isset($ldapName[0]) && empty($ldapName[0])) { - \OCP\Util::writeLog('user_ldap', 'No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ILogger::DEBUG); - return false; - } - $ldapName = $ldapName[0]; - } - if ($isUser) { - $usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr; if ($usernameAttribute !== '') { - $username = $this->readAttribute($fdn, $usernameAttribute); + $username = $record[$usernameAttribute]; + if (!isset($username[0]) || empty($username[0])) { + $this->logger->debug('No or empty username (' . $usernameAttribute . ') for ' . $fdn . '.', ['app' => 'user_ldap']); + return false; + } $username = $username[0]; } else { $username = $uuid; @@ -560,9 +566,8 @@ class Access extends LDAPUtility { try { $intName = $this->sanitizeUsername($username); } catch (\InvalidArgumentException $e) { - \OC::$server->getLogger()->logException($e, [ - 'app' => 'user_ldap', - 'level' => ILogger::WARN, + $this->logger->warning('Error sanitizing username: ' . $e->getMessage(), [ + 'exception' => $e, ]); // we don't attempt to set a username here. We can go for // for an alternative 4 digit random number as we would append @@ -571,7 +576,16 @@ class Access extends LDAPUtility { return false; } } else { - $intName = $ldapName; + if (is_null($ldapName)) { + $ldapName = $record[$nameAttribute]; + if (!isset($ldapName[0]) || empty($ldapName[0])) { + $this->logger->debug('No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ['app' => 'user_ldap']); + $intermediates['group-' . $fdn] = true; + return false; + } + $ldapName = $ldapName[0]; + } + $intName = $this->sanitizeGroupIDCandidate($ldapName); } //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups @@ -582,12 +596,13 @@ class Access extends LDAPUtility { $this->connection->setConfiguration(['ldapCacheTTL' => 0]); if ($intName !== '' && (($isUser && !$this->ncUserManager->userExists($intName)) - || (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName)) + || (!$isUser && !Server::get(IGroupManager::class)->groupExists($intName)) ) ) { $this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]); $newlyMapped = $this->mapAndAnnounceIfApplicable($mapper, $fdn, $intName, $uuid, $isUser); if ($newlyMapped) { + $this->logger->debug('Mapped {fdn} as {name}', ['fdn' => $fdn,'name' => $intName]); return $intName; } } @@ -596,13 +611,21 @@ class Access extends LDAPUtility { $altName = $this->createAltInternalOwnCloudName($intName, $isUser); if (is_string($altName)) { if ($this->mapAndAnnounceIfApplicable($mapper, $fdn, $altName, $uuid, $isUser)) { + $this->logger->warning( + 'Mapped {fdn} as {altName} because of a name collision on {intName}.', + [ + 'fdn' => $fdn, + 'altName' => $altName, + 'intName' => $intName, + ] + ); $newlyMapped = true; return $altName; } } //if everything else did not help.. - \OCP\Util::writeLog('user_ldap', 'Could not create unique name for ' . $fdn . '.', ILogger::INFO); + $this->logger->info('Could not create unique name for ' . $fdn . '.', ['app' => 'user_ldap']); return false; } @@ -611,13 +634,16 @@ class Access extends LDAPUtility { string $fdn, string $name, string $uuid, - bool $isUser + bool $isUser, ): bool { if ($mapper->map($fdn, $name, $uuid)) { - if ($this->ncUserManager instanceof PublicEmitter && $isUser) { + if ($isUser) { $this->cacheUserExists($name); - $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]); - } elseif (!$isUser) { + $this->dispatcher->dispatchTyped(new UserIdAssignedEvent($name)); + if ($this->ncUserManager instanceof PublicEmitter) { + $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]); + } + } else { $this->cacheGroupExists($name); } return true; @@ -629,7 +655,7 @@ class Access extends LDAPUtility { * gives back the user names as they are used ownClod internally * * @param array $ldapUsers as returned by fetchList() - * @return array an array with the user names to use in Nextcloud + * @return array<int,string> an array with the user names to use in Nextcloud * * gives back the user names as they are used ownClod internally * @throws \Exception @@ -642,7 +668,7 @@ class Access extends LDAPUtility { * gives back the group names as they are used ownClod internally * * @param array $ldapGroups as returned by fetchList() - * @return array an array with the group names to use in Nextcloud + * @return array<int,string> an array with the group names to use in Nextcloud * * gives back the group names as they are used ownClod internally * @throws \Exception @@ -652,29 +678,22 @@ class Access extends LDAPUtility { } /** - * @param array $ldapObjects as returned by fetchList() - * @param bool $isUsers - * @return array + * @param array[] $ldapObjects as returned by fetchList() + * @return array<int,string> * @throws \Exception */ - private function ldap2NextcloudNames($ldapObjects, $isUsers) { + private function ldap2NextcloudNames(array $ldapObjects, bool $isUsers): array { if ($isUsers) { $nameAttribute = $this->connection->ldapUserDisplayName; $sndAttribute = $this->connection->ldapUserDisplayName2; } else { $nameAttribute = $this->connection->ldapGroupDisplayName; + $sndAttribute = null; } $nextcloudNames = []; foreach ($ldapObjects as $ldapObject) { - $nameByLDAP = null; - if (isset($ldapObject[$nameAttribute]) - && is_array($ldapObject[$nameAttribute]) - && isset($ldapObject[$nameAttribute][0]) - ) { - // might be set, but not necessarily. if so, we use it. - $nameByLDAP = $ldapObject[$nameAttribute][0]; - } + $nameByLDAP = $ldapObject[$nameAttribute][0] ?? null; $ncName = $this->dn2ocname($ldapObject['dn'][0], $nameByLDAP, $isUsers); if ($ncName) { @@ -686,8 +705,7 @@ class Access extends LDAPUtility { if (is_null($nameByLDAP)) { continue; } - $sndName = isset($ldapObject[$sndAttribute][0]) - ? $ldapObject[$sndAttribute][0] : ''; + $sndName = $ldapObject[$sndAttribute][0] ?? ''; $this->cacheUserDisplayName($ncName, $nameByLDAP, $sndName); } elseif ($nameByLDAP !== null) { $this->cacheGroupDisplayName($ncName, $nameByLDAP); @@ -703,7 +721,7 @@ class Access extends LDAPUtility { * @param string $ncname * @throws \Exception */ - public function updateUserState($ncname) { + public function updateUserState($ncname): void { $user = $this->userManager->get($ncname); if ($user instanceof OfflineUser) { $user->unmark(); @@ -716,18 +734,17 @@ class Access extends LDAPUtility { * @param string $ocName the internal Nextcloud username * @param string|false $home the home directory path */ - public function cacheUserHome($ocName, $home) { + public function cacheUserHome(string $ocName, $home): void { $cacheKey = 'getHome' . $ocName; $this->connection->writeToCache($cacheKey, $home); } /** * caches a user as existing - * - * @param string $ocName the internal Nextcloud username */ - public function cacheUserExists($ocName) { + public function cacheUserExists(string $ocName): void { $this->connection->writeToCache('userExists' . $ocName, true); + $this->connection->writeToCache('userExistsOnLDAP' . $ocName, true); } /** @@ -745,7 +762,7 @@ class Access extends LDAPUtility { * @param string $displayName2 the second display name * @throws \Exception */ - public function cacheUserDisplayName($ocName, $displayName, $displayName2 = '') { + public function cacheUserDisplayName(string $ocName, string $displayName, string $displayName2 = ''): void { $user = $this->userManager->get($ocName); if ($user === null) { return; @@ -769,7 +786,7 @@ class Access extends LDAPUtility { * Instead of using this method directly, call * createAltInternalOwnCloudName($name, true) */ - private function _createAltInternalOwnCloudNameForUsers($name) { + private function _createAltInternalOwnCloudNameForUsers(string $name) { $attempts = 0; //while loop is just a precaution. If a name is not generated within //20 attempts, something else is very wrong. Avoids infinite loop. @@ -796,9 +813,9 @@ class Access extends LDAPUtility { * numbering, e.g. Developers_42 when there are 41 other groups called * "Developers" */ - private function _createAltInternalOwnCloudNameForGroups($name) { - $usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%'); - if (!$usedNames || count($usedNames) === 0) { + private function _createAltInternalOwnCloudNameForGroups(string $name) { + $usedNames = $this->getGroupMapper()->getNamesBySearch($name, '', '_%'); + if (count($usedNames) === 0) { $lastNo = 1; //will become name_2 } else { natsort($usedNames); @@ -813,7 +830,7 @@ class Access extends LDAPUtility { // Check to be really sure it is unique // while loop is just a precaution. If a name is not generated within // 20 attempts, something else is very wrong. Avoids infinite loop. - if (!\OC::$server->getGroupManager()->groupExists($altName)) { + if (!Server::get(IGroupManager::class)->groupExists($altName)) { return $altName; } $altName = $name . '_' . ($lastNo + $attempts); @@ -826,10 +843,15 @@ class Access extends LDAPUtility { * creates a unique name for internal Nextcloud use. * * @param string $name the display name of the object - * @param boolean $isUser whether name should be created for a user (true) or a group (false) + * @param bool $isUser whether name should be created for a user (true) or a group (false) * @return string|false with with the name to use in Nextcloud or false if unsuccessful */ - private function createAltInternalOwnCloudName($name, $isUser) { + private function createAltInternalOwnCloudName(string $name, bool $isUser) { + // ensure there is space for the "_1234" suffix + if (strlen($name) > 59) { + $name = substr($name, 0, 59); + } + $originalTTL = $this->connection->ldapCacheTTL; $this->connection->setConfiguration(['ldapCacheTTL' => 0]); if ($isUser) { @@ -857,7 +879,7 @@ class Access extends LDAPUtility { * utilizing the login filter. * * @param string $loginName - * @return int + * @return false|int */ public function countUsersByLoginName($loginName) { $loginName = $this->escapeFilterPart($loginName); @@ -868,17 +890,16 @@ class Access extends LDAPUtility { /** * @throws \Exception */ - public function fetchListOfUsers(string $filter, array $attr, int $limit = null, int $offset = null, bool $forceApplyAttributes = false): array { + public function fetchListOfUsers(string $filter, array $attr, ?int $limit = null, ?int $offset = null, bool $forceApplyAttributes = false): array { $ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset); $recordsToUpdate = $ldapRecords; if (!$forceApplyAttributes) { - $isBackgroundJobModeAjax = $this->config - ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; + $isBackgroundJobModeAjax = $this->appConfig->getValueString('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; $listOfDNs = array_reduce($ldapRecords, function ($listOfDNs, $entry) { $listOfDNs[] = $entry['dn'][0]; return $listOfDNs; }, []); - $idsByDn = $this->userMapper->getListOfIdsByDn($listOfDNs); + $idsByDn = $this->getUserMapper()->getListOfIdsByDn($listOfDNs); $recordsToUpdate = array_filter($ldapRecords, function ($record) use ($isBackgroundJobModeAjax, $idsByDn) { $newlyMapped = false; $uid = $idsByDn[$record['dn'][0]] ?? null; @@ -900,11 +921,10 @@ class Access extends LDAPUtility { * user object and requests it to process the freshly fetched attributes and * and their values * - * @param array $ldapRecords * @throws \Exception */ - public function batchApplyUserAttributes(array $ldapRecords) { - $displayNameAttribute = strtolower($this->connection->ldapUserDisplayName); + public function batchApplyUserAttributes(array $ldapRecords): void { + $displayNameAttribute = strtolower((string)$this->connection->ldapUserDisplayName); foreach ($ldapRecords as $userRecord) { if (!isset($userRecord[$displayNameAttribute])) { // displayName is obligatory @@ -919,7 +939,7 @@ class Access extends LDAPUtility { if ($user !== null) { $user->processAttributes($userRecord); } else { - \OC::$server->getLogger()->debug( + $this->logger->debug( "The ldap user manager returned null for $ocName", ['app' => 'user_ldap'] ); @@ -928,61 +948,38 @@ class Access extends LDAPUtility { } /** - * @param string $filter - * @param string|string[] $attr - * @param int $limit - * @param int $offset - * @return array + * @return array[] */ - public function fetchListOfGroups($filter, $attr, $limit = null, $offset = null) { + public function fetchListOfGroups(string $filter, array $attr, ?int $limit = null, ?int $offset = null): array { + $cacheKey = 'fetchListOfGroups_' . $filter . '_' . implode('-', $attr) . '_' . (string)$limit . '_' . (string)$offset; + $listOfGroups = $this->connection->getFromCache($cacheKey); + if (!is_null($listOfGroups)) { + return $listOfGroups; + } $groupRecords = $this->searchGroups($filter, $attr, $limit, $offset); - $listOfDNs = array_reduce($groupRecords, function ($listOfDNs, $entry) { - $listOfDNs[] = $entry['dn'][0]; - return $listOfDNs; - }, []); - $idsByDn = $this->groupMapper->getListOfIdsByDn($listOfDNs); - - array_walk($groupRecords, function ($record) use ($idsByDn) { - $newlyMapped = false; - $gid = $idsByDn[$record['dn'][0]] ?? null; - if ($gid === null) { - $gid = $this->dn2ocname($record['dn'][0], null, false, $newlyMapped, $record); - } - if (!$newlyMapped && is_string($gid)) { - $this->cacheGroupExists($gid); - } - }); - return $this->fetchList($groupRecords, $this->manyAttributes($attr)); + $listOfGroups = $this->fetchList($groupRecords, $this->manyAttributes($attr)); + $this->connection->writeToCache($cacheKey, $listOfGroups); + return $listOfGroups; } - /** - * @param array $list - * @param bool $manyAttributes - * @return array - */ - private function fetchList($list, $manyAttributes) { - if (is_array($list)) { - if ($manyAttributes) { - return $list; - } else { - $list = array_reduce($list, function ($carry, $item) { - $attribute = array_keys($item)[0]; - $carry[] = $item[$attribute][0]; - return $carry; - }, []); - return array_unique($list, SORT_LOCALE_STRING); - } + private function fetchList(array $list, bool $manyAttributes): array { + if ($manyAttributes) { + return $list; + } else { + $list = array_reduce($list, function ($carry, $item) { + $attribute = array_keys($item)[0]; + $carry[] = $item[$attribute][0]; + return $carry; + }, []); + return array_unique($list, SORT_LOCALE_STRING); } - - //error cause actually, maybe throw an exception in future. - return []; } /** * @throws ServerNotAvailableException */ - public function searchUsers(string $filter, array $attr = null, int $limit = null, int $offset = null): array { + public function searchUsers(string $filter, ?array $attr = null, ?int $limit = null, ?int $offset = null): array { $result = []; foreach ($this->connection->ldapBaseUsers as $base) { $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); @@ -991,17 +988,14 @@ class Access extends LDAPUtility { } /** - * @param string $filter - * @param string|string[] $attr - * @param int $limit - * @param int $offset + * @param string[] $attr * @return false|int * @throws ServerNotAvailableException */ - public function countUsers($filter, $attr = ['dn'], $limit = null, $offset = null) { + public function countUsers(string $filter, array $attr = ['dn'], ?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBaseUsers as $base) { - $count = $this->count($filter, [$base], $attr, $limit, $offset); + $count = $this->count($filter, [$base], $attr, $limit ?? 0, $offset ?? 0); $result = is_int($count) ? (int)$result + $count : $result; } return $result; @@ -1010,16 +1004,12 @@ class Access extends LDAPUtility { /** * executes an LDAP search, optimized for Groups * - * @param string $filter the LDAP filter for the search - * @param string|string[] $attr optional, when a certain attribute shall be filtered out - * @param integer $limit - * @param integer $offset - * @return array with the search result + * @param ?string[] $attr optional, when certain attributes shall be filtered out * * Executes an LDAP search * @throws ServerNotAvailableException */ - public function searchGroups($filter, $attr = null, $limit = null, $offset = null) { + public function searchGroups(string $filter, ?array $attr = null, ?int $limit = null, ?int $offset = null): array { $result = []; foreach ($this->connection->ldapBaseGroups as $base) { $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); @@ -1030,17 +1020,13 @@ class Access extends LDAPUtility { /** * returns the number of available groups * - * @param string $filter the LDAP search filter - * @param string[] $attr optional - * @param int|null $limit - * @param int|null $offset * @return int|bool * @throws ServerNotAvailableException */ - public function countGroups($filter, $attr = ['dn'], $limit = null, $offset = null) { + public function countGroups(string $filter, array $attr = ['dn'], ?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBaseGroups as $base) { - $count = $this->count($filter, [$base], $attr, $limit, $offset); + $count = $this->count($filter, [$base], $attr, $limit ?? 0, $offset ?? 0); $result = is_int($count) ? (int)$result + $count : $result; } return $result; @@ -1049,15 +1035,13 @@ class Access extends LDAPUtility { /** * returns the number of available objects on the base DN * - * @param int|null $limit - * @param int|null $offset * @return int|bool * @throws ServerNotAvailableException */ - public function countObjects($limit = null, $offset = null) { + public function countObjects(?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBase as $base) { - $count = $this->count('objectclass=*', [$base], ['dn'], $limit, $offset); + $count = $this->count('objectclass=*', [$base], ['dn'], $limit ?? 0, $offset ?? 0); $result = is_int($count) ? (int)$result + $count : $result; } return $result; @@ -1070,26 +1054,23 @@ class Access extends LDAPUtility { */ /** + * @param mixed[] $arguments * @return mixed * @throws \OC\ServerNotAvailableException */ - private function invokeLDAPMethod() { - $arguments = func_get_args(); - $command = array_shift($arguments); - $cr = array_shift($arguments); + private function invokeLDAPMethod(string $command, ...$arguments) { + if ($command == 'controlPagedResultResponse') { + // php no longer supports call-time pass-by-reference + // thus cannot support controlPagedResultResponse as the third argument + // is a reference + throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.'); + } if (!method_exists($this->ldap, $command)) { return null; } - array_unshift($arguments, $cr); - // php no longer supports call-time pass-by-reference - // thus cannot support controlPagedResultResponse as the third argument - // is a reference + array_unshift($arguments, $this->connection->getConnectionResource()); $doMethod = function () use ($command, &$arguments) { - if ($command == 'controlPagedResultResponse') { - throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.'); - } else { - return call_user_func_array([$this->ldap, $command], $arguments); - } + return call_user_func_array([$this->ldap, $command], $arguments); }; try { $ret = $doMethod(); @@ -1098,13 +1079,13 @@ class Access extends LDAPUtility { * Maybe implement exponential backoff? * This was enough to get solr indexer working which has large delays between LDAP fetches. */ - \OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", ILogger::DEBUG); + $this->logger->debug("Connection lost on $command, attempting to reestablish.", ['app' => 'user_ldap']); $this->connection->resetConnectionResource(); $cr = $this->connection->getConnectionResource(); if (!$this->ldap->isResource($cr)) { // Seems like we didn't find any resource. - \OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", ILogger::DEBUG); + $this->logger->debug("Could not $command, because resource is missing.", ['app' => 'user_ldap']); throw $e; } @@ -1123,33 +1104,31 @@ class Access extends LDAPUtility { * @param int|null $limit optional, maximum results to be counted * @param int|null $offset optional, a starting point * @return array|false array with the search result as first value and pagedSearchOK as - * second | false if not successful + * second | false if not successful * @throws ServerNotAvailableException */ private function executeSearch( string $filter, string $base, ?array &$attr, - ?int $limit, - ?int $offset + ?int $pageSize, + ?int $offset, ) { // See if we have a resource, in case not cancel with message $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - // Seems like we didn't find any resource. - // Return an empty array just like before. - \OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', ILogger::DEBUG); - return false; - } //check whether paged search should be attempted - $pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, (int)$offset); + try { + [$pagedSearchOK, $pageSize, $cookie] = $this->initPagedSearch($filter, $base, $attr, (int)$pageSize, (int)$offset); + } catch (NoMoreResults $e) { + // beyond last results page + return false; + } - $sr = $this->invokeLDAPMethod('search', $cr, $base, $filter, $attr); - // cannot use $cr anymore, might have changed in the previous call! + $sr = $this->invokeLDAPMethod('search', $base, $filter, $attr, 0, 0, $pageSize, $cookie); $error = $this->ldap->errno($this->connection->getConnectionResource()); if (!$this->ldap->isResource($sr) || $error !== 0) { - \OCP\Util::writeLog('user_ldap', 'Attempt for Paging? ' . print_r($pagedSearchOK, true), ILogger::ERROR); + $this->logger->error('Attempt for Paging? ' . print_r($pagedSearchOK, true), ['app' => 'user_ldap']); return false; } @@ -1159,12 +1138,12 @@ class Access extends LDAPUtility { /** * processes an LDAP paged search operation * - * @param resource $sr the array containing the LDAP search resources + * @param \LDAP\Result|\LDAP\Result[] $sr the array containing the LDAP search resources * @param int $foundItems number of results in the single search operation * @param int $limit maximum results to be counted * @param bool $pagedSearchOK whether a paged search has been executed * @param bool $skipHandling required for paged search when cookies to - * prior results need to be gained + * prior results need to be gained * @return bool cookie validity, true if we have more pages, false otherwise. * @throws ServerNotAvailableException */ @@ -1173,9 +1152,9 @@ class Access extends LDAPUtility { int $foundItems, int $limit, bool $pagedSearchOK, - bool $skipHandling + bool $skipHandling, ): bool { - $cookie = null; + $cookie = ''; if ($pagedSearchOK) { $cr = $this->connection->getConnectionResource(); if ($this->ldap->controlPagedResultResponse($cr, $sr, $cookie)) { @@ -1187,14 +1166,14 @@ class Access extends LDAPUtility { return false; } // if count is bigger, then the server does not support - // paged search. Instead, he did a normal search. We set a + // paged search. Instead, they did a normal search. We set a // flag here, so the callee knows how to deal with it. if ($foundItems <= $limit) { $this->pagedSearchedSuccessful = true; } } else { - if (!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) { - \OC::$server->getLogger()->debug( + if ((int)$this->connection->ldapPagingSize !== 0) { + $this->logger->debug( 'Paged search was not available', ['app' => 'user_ldap'] ); @@ -1213,34 +1192,30 @@ class Access extends LDAPUtility { * * @param string $filter the LDAP filter for the search * @param array $bases an array containing the LDAP subtree(s) that shall be searched - * @param string|string[] $attr optional, array, one or more attributes that shall be - * retrieved. Results will according to the order in the array. - * @param int $limit optional, maximum results to be counted - * @param int $offset optional, a starting point + * @param ?string[] $attr optional, array, one or more attributes that shall be + * retrieved. Results will according to the order in the array. + * @param int $limit maximum results to be counted, 0 means no limit + * @param int $offset a starting point, defaults to 0 * @param bool $skipHandling indicates whether the pages search operation is - * completed + * completed * @return int|false Integer or false if the search could not be initialized * @throws ServerNotAvailableException */ private function count( string $filter, array $bases, - $attr = null, - ?int $limit = null, - ?int $offset = null, - bool $skipHandling = false + ?array $attr = null, + int $limit = 0, + int $offset = 0, + bool $skipHandling = false, ) { - \OC::$server->getLogger()->debug('Count filter: {filter}', [ + $this->logger->debug('Count filter: {filter}', [ 'app' => 'user_ldap', 'filter' => $filter ]); - if (!is_null($attr) && !is_array($attr)) { - $attr = [mb_strtolower($attr, 'UTF-8')]; - } - $limitPerPage = (int)$this->connection->ldapPagingSize; - if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { + if ($limit < $limitPerPage && $limit > 0) { $limitPerPage = $limit; } @@ -1254,7 +1229,7 @@ class Access extends LDAPUtility { if ($search === false) { return $counter > 0 ? $counter : false; } - list($sr, $pagedSearchOK) = $search; + [$sr, $pagedSearchOK] = $search; /* ++ Fixing RHDS searches with pages with zero results ++ * countEntriesInSearchResults() method signature changed @@ -1269,24 +1244,26 @@ class Access extends LDAPUtility { * Continue now depends on $hasMorePages value */ $continue = $pagedSearchOK && $hasMorePages; - } while ($continue && (is_null($limit) || $limit <= 0 || $limit > $counter)); + } while ($continue && ($limit <= 0 || $limit > $counter)); } return $counter; } /** - * @param resource $sr + * @param \LDAP\Result|\LDAP\Result[] $sr * @return int * @throws ServerNotAvailableException */ private function countEntriesInSearchResults($sr): int { - return (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $sr); + return (int)$this->invokeLDAPMethod('countEntries', $sr); } /** * Executes an LDAP search * + * DN values in the result set are escaped as per RFC 2253 + * * @throws ServerNotAvailableException */ public function search( @@ -1295,17 +1272,13 @@ class Access extends LDAPUtility { ?array $attr = null, ?int $limit = null, ?int $offset = null, - bool $skipHandling = false + bool $skipHandling = false, ): array { $limitPerPage = (int)$this->connection->ldapPagingSize; if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { $limitPerPage = $limit; } - if (!is_null($attr) && !is_array($attr)) { - $attr = [mb_strtolower($attr, 'UTF-8')]; - } - /* ++ Fixing RHDS searches with pages with zero results ++ * As we can have pages with zero results and/or pages with less * than $limit results but with a still valid server 'cookie', @@ -1313,6 +1286,7 @@ class Access extends LDAPUtility { * $findings['count'] < $limit */ $findings = []; + $offset = $offset ?? 0; $savedoffset = $offset; $iFoundItems = 0; @@ -1321,8 +1295,7 @@ class Access extends LDAPUtility { if ($search === false) { return []; } - list($sr, $pagedSearchOK) = $search; - $cr = $this->connection->getConnectionResource(); + [$sr, $pagedSearchOK] = $search; if ($skipHandling) { //i.e. result do not need to be fetched, we just need the cookie @@ -1332,7 +1305,7 @@ class Access extends LDAPUtility { return []; } - $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $sr)); + $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $sr)); $iFoundItems = max($iFoundItems, $findings['count']); unset($findings['count']); @@ -1343,12 +1316,6 @@ class Access extends LDAPUtility { // resetting offset $offset = $savedoffset; - // if we're here, probably no connection resource is returned. - // to make Nextcloud behave nicely, we simply give back an empty array. - if (is_null($findings)) { - return []; - } - if (!is_null($attr)) { $selection = []; $i = 0; @@ -1356,7 +1323,7 @@ class Access extends LDAPUtility { if (!is_array($item)) { continue; } - $item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8'); + $item = Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8'); foreach ($attr as $key) { if (isset($item[$key])) { if (is_array($item[$key]) && isset($item[$key]['count'])) { @@ -1389,7 +1356,7 @@ class Access extends LDAPUtility { && !is_null($limit) ) ) { - $findings = array_slice($findings, (int)$offset, $limit); + $findings = array_slice($findings, $offset, $limit); } return $findings; } @@ -1406,12 +1373,15 @@ class Access extends LDAPUtility { return $name; } - // Transliteration to ASCII - $transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name); - if ($transliterated !== false) { - // depending on system config iconv can work or not - $name = $transliterated; - } + // Use htmlentities to get rid of accents + $name = htmlentities($name, ENT_NOQUOTES, 'UTF-8'); + + // Remove accents + $name = preg_replace('#&([A-Za-z])(?:acute|cedil|caron|circ|grave|orn|ring|slash|th|tilde|uml);#', '\1', $name); + // Remove ligatures + $name = preg_replace('#&([A-Za-z]{2})(?:lig);#', '\1', $name); + // Remove unknown leftover entities + $name = preg_replace('#&[^;]+;#', '', $name); // Replacements $name = str_replace(' ', '_', $name); @@ -1419,6 +1389,10 @@ class Access extends LDAPUtility { // Every remaining disallowed characters will be removed $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name); + if (strlen($name) > 64) { + $name = hash('sha256', $name, false); + } + if ($name === '') { throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); } @@ -1426,6 +1400,18 @@ class Access extends LDAPUtility { return $name; } + public function sanitizeGroupIDCandidate(string $candidate): string { + $candidate = trim($candidate); + if (strlen($candidate) > 64) { + $candidate = hash('sha256', $candidate, false); + } + if ($candidate === '') { + throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); + } + + return $candidate; + } + /** * escapes (user provided) parts for LDAP filter * @@ -1439,9 +1425,7 @@ class Access extends LDAPUtility { $asterisk = '*'; $input = mb_substr($input, 1, null, 'UTF-8'); } - $search = ['*', '\\', '(', ')']; - $replace = ['\\*', '\\\\', '\\(', '\\)']; - return $asterisk . str_replace($search, $replace, $input); + return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER); } /** @@ -1459,7 +1443,7 @@ class Access extends LDAPUtility { * * @param string[] $filters the filters to connect * @return string the combined filter - * Combines Filter arguments with OR + * Combines Filter arguments with OR */ public function combineFilterWithOr($filters) { return $this->combineFilter($filters, '|'); @@ -1472,7 +1456,7 @@ class Access extends LDAPUtility { * @param string $operator either & or | * @return string the combined filter */ - private function combineFilter($filters, $operator) { + private function combineFilter(array $filters, string $operator): string { $combinedFilter = '(' . $operator; foreach ($filters as $filter) { if ($filter !== '' && $filter[0] !== '(') { @@ -1490,7 +1474,7 @@ class Access extends LDAPUtility { * @param string $search the search term * @return string the final filter part to use in LDAP searches */ - public function getFilterPartForUserSearch($search) { + public function getFilterPartForUserSearch($search): string { return $this->getFilterPartForSearch($search, $this->connection->ldapAttributesForUserSearch, $this->connection->ldapUserDisplayName); @@ -1502,7 +1486,7 @@ class Access extends LDAPUtility { * @param string $search the search term * @return string the final filter part to use in LDAP searches */ - public function getFilterPartForGroupSearch($search) { + public function getFilterPartForGroupSearch($search): string { return $this->getFilterPartForSearch($search, $this->connection->ldapAttributesForGroupSearch, $this->connection->ldapGroupDisplayName); @@ -1513,12 +1497,12 @@ class Access extends LDAPUtility { * string into single words * * @param string $search the search term - * @param string[] $searchAttributes needs to have at least two attributes, - * otherwise it does not make sense :) + * @param string[]|null|'' $searchAttributes needs to have at least two attributes, + * otherwise it does not make sense :) * @return string the final filter part to use in LDAP searches * @throws DomainException */ - private function getAdvancedFilterPartForSearch($search, $searchAttributes) { + private function getAdvancedFilterPartForSearch(string $search, $searchAttributes): string { if (!is_array($searchAttributes) || count($searchAttributes) < 2) { throw new DomainException('searchAttributes must be an array with at least two string'); } @@ -1540,15 +1524,15 @@ class Access extends LDAPUtility { * creates a filter part for searches * * @param string $search the search term - * @param string[]|null $searchAttributes + * @param string[]|null|'' $searchAttributes * @param string $fallbackAttribute a fallback attribute in case the user - * did not define search attributes. Typically the display name attribute. + * did not define search attributes. Typically the display name attribute. * @return string the final filter part to use in LDAP searches */ - private function getFilterPartForSearch($search, $searchAttributes, $fallbackAttribute) { + private function getFilterPartForSearch(string $search, $searchAttributes, string $fallbackAttribute): string { $filter = []; $haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0); - if ($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) { + if ($haveMultiSearchAttributes && str_contains(trim($search), ' ')) { try { return $this->getAdvancedFilterPartForSearch($search, $searchAttributes); } catch (DomainException $e) { @@ -1556,14 +1540,23 @@ class Access extends LDAPUtility { } } + $originalSearch = $search; $search = $this->prepareSearchTerm($search); if (!is_array($searchAttributes) || count($searchAttributes) === 0) { if ($fallbackAttribute === '') { return ''; } + // wildcards don't work with some attributes + if ($originalSearch !== '') { + $filter[] = $fallbackAttribute . '=' . $originalSearch; + } $filter[] = $fallbackAttribute . '=' . $search; } else { foreach ($searchAttributes as $attribute) { + // wildcards don't work with some attributes + if ($originalSearch !== '') { + $filter[] = $attribute . '=' . $originalSearch; + } $filter[] = $attribute . '=' . $search; } } @@ -1577,11 +1570,9 @@ class Access extends LDAPUtility { * returns the search term depending on whether we are allowed * list users found by ldap with the current input appended by * a * - * - * @return string */ - private function prepareSearchTerm($term) { - $config = \OC::$server->getConfig(); + private function prepareSearchTerm(string $term): string { + $config = Server::get(IConfig::class); $allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes'); @@ -1596,10 +1587,8 @@ class Access extends LDAPUtility { /** * returns the filter used for counting users - * - * @return string */ - public function getFilterForUserCount() { + public function getFilterForUserCount(): string { $filter = $this->combineFilterWithAnd([ $this->connection->ldapUserFilter, $this->connection->ldapUserDisplayName . '=*' @@ -1608,17 +1597,15 @@ class Access extends LDAPUtility { return $filter; } - /** - * @param string $name - * @param string $password - * @return bool - */ - public function areCredentialsValid($name, $password) { + public function areCredentialsValid(string $name, string $password): bool { + if ($name === '' || $password === '') { + return false; + } $name = $this->helper->DNasBaseParameter($name); $testConnection = clone $this->connection; $credentials = [ 'ldapAgentName' => $name, - 'ldapAgentPassword' => $password + 'ldapAgentPassword' => $password, ]; if (!$testConnection->setConfiguration($credentials)) { return false; @@ -1670,7 +1657,7 @@ class Access extends LDAPUtility { $filter = $uuidAttr . '=' . $uuid; $result = $this->searchUsers($filter, ['dn'], 2); - if (is_array($result) && isset($result[0]) && isset($result[0]['dn']) && count($result) === 1) { + if (isset($result[0]['dn']) && count($result) === 1) { // we put the count into account to make sure that this is // really unique return $result[0]['dn'][0]; @@ -1689,7 +1676,7 @@ class Access extends LDAPUtility { * @return bool true on success, false otherwise * @throws ServerNotAvailableException */ - private function detectUuidAttribute($dn, $isUser = true, $force = false, array $ldapRecord = null) { + private function detectUuidAttribute(string $dn, bool $isUser = true, bool $force = false, ?array $ldapRecord = null): bool { if ($isUser) { $uuidAttr = 'ldapUuidUserAttribute'; $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; @@ -1707,7 +1694,7 @@ class Access extends LDAPUtility { } $attribute = $this->connection->getFromCache($uuidAttr); - if (!$attribute === null) { + if ($attribute !== null) { $this->connection->$uuidAttr = $attribute; return true; } @@ -1724,7 +1711,7 @@ class Access extends LDAPUtility { $value = $this->readAttribute($dn, $attribute); if (is_array($value) && isset($value[0]) && !empty($value[0])) { - \OC::$server->getLogger()->debug( + $this->logger->debug( 'Setting {attribute} as {subject}', [ 'app' => 'user_ldap', @@ -1737,19 +1724,17 @@ class Access extends LDAPUtility { return true; } } - \OC::$server->getLogger()->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']); + $this->logger->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']); return false; } /** - * @param string $dn - * @param bool $isUser - * @param null $ldapRecord - * @return bool|string + * @param array|null $ldapRecord + * @return false|string * @throws ServerNotAvailableException */ - public function getUUID($dn, $isUser = true, $ldapRecord = null) { + public function getUUID(string $dn, bool $isUser = true, ?array $ldapRecord = null) { if ($isUser) { $uuidAttr = 'ldapUuidUserAttribute'; $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; @@ -1761,7 +1746,7 @@ class Access extends LDAPUtility { $uuid = false; if ($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) { $attr = $this->connection->$uuidAttr; - $uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr); + $uuid = $ldapRecord[$attr] ?? $this->readAttribute($dn, $attr); if (!is_array($uuid) && $uuidOverride !== '' && $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord)) { @@ -1769,7 +1754,7 @@ class Access extends LDAPUtility { ? $ldapRecord[$this->connection->$uuidAttr] : $this->readAttribute($dn, $this->connection->$uuidAttr); } - if (is_array($uuid) && isset($uuid[0]) && !empty($uuid[0])) { + if (is_array($uuid) && !empty($uuid[0])) { $uuid = $uuid[0]; } } @@ -1780,11 +1765,10 @@ class Access extends LDAPUtility { /** * converts a binary ObjectGUID into a string representation * - * @param string $oguid the ObjectGUID in it's binary form as retrieved from AD - * @return string + * @param string $oguid the ObjectGUID in its binary form as retrieved from AD * @link https://www.php.net/manual/en/function.ldap-get-values-len.php#73198 */ - private function convertObjectGUID2Str($oguid) { + private function convertObjectGUID2Str(string $oguid): string { $hex_guid = bin2hex($oguid); $hex_guid_to_guid_str = ''; for ($k = 1; $k <= 4; ++$k) { @@ -1807,18 +1791,12 @@ class Access extends LDAPUtility { /** * the first three blocks of the string-converted GUID happen to be in * reverse order. In order to use it in a filter, this needs to be - * corrected. Furthermore the dashes need to be replaced and \\ preprended - * to every two hax figures. + * corrected. Furthermore the dashes need to be replaced and \\ prepended + * to every two hex figures. * * If an invalid string is passed, it will be returned without change. - * - * @param string $guid - * @return string */ - public function formatGuid2ForFilterUser($guid) { - if (!is_string($guid)) { - throw new \InvalidArgumentException('String expected'); - } + public function formatGuid2ForFilterUser(string $guid): string { $blocks = explode('-', $guid); if (count($blocks) !== 5) { /* @@ -1832,9 +1810,9 @@ class Access extends LDAPUtility { * an exception here would kill the experience for a valid, acting * user. Instead we write a log message. */ - \OC::$server->getLogger()->info( - 'Passed string does not resemble a valid GUID. Known UUID ' . - '({uuid}) probably does not match UUID configuration.', + $this->logger->info( + 'Passed string does not resemble a valid GUID. Known UUID ' + . '({uuid}) probably does not match UUID configuration.', ['app' => 'user_ldap', 'uuid' => $guid] ); return $guid; @@ -1919,11 +1897,9 @@ class Access extends LDAPUtility { /** * checks if the given DN is part of the given base DN(s) * - * @param string $dn the DN * @param string[] $bases array containing the allowed base DN or DNs - * @return bool */ - public function isDNPartOfBase($dn, $bases) { + public function isDNPartOfBase(string $dn, array $bases): bool { $belongsToBase = false; $bases = $this->helper->sanitizeDN($bases); @@ -1944,12 +1920,10 @@ class Access extends LDAPUtility { * * @throws ServerNotAvailableException */ - private function abandonPagedSearch() { + private function abandonPagedSearch(): void { if ($this->lastCookie === '') { return; } - $cr = $this->connection->getConnectionResource(); - $this->invokeLDAPMethod('controlPagedResult', $cr, 0, false); $this->getPagedSearchResultState(); $this->lastCookie = ''; } @@ -1966,7 +1940,7 @@ class Access extends LDAPUtility { * @return bool */ public function hasMoreResults() { - if (empty($this->lastCookie) && $this->lastCookie !== '0') { + if ($this->lastCookie === '') { // as in RFC 2696, when all results are returned, the cookie will // be empty. return false; @@ -1990,63 +1964,67 @@ class Access extends LDAPUtility { * Prepares a paged search, if possible * * @param string $filter the LDAP filter for the search - * @param string[] $bases an array containing the LDAP subtree(s) that shall be searched + * @param string $base the LDAP subtree that shall be searched * @param string[] $attr optional, when a certain attribute shall be filtered outside * @param int $limit * @param int $offset - * @return bool|true + * @return array{bool, int, string} * @throws ServerNotAvailableException + * @throws NoMoreResults */ private function initPagedSearch( string $filter, string $base, ?array $attr, - int $limit, - int $offset - ): bool { + int $pageSize, + int $offset, + ): array { $pagedSearchOK = false; - if ($limit !== 0) { - \OC::$server->getLogger()->debug( - 'initializing paged search for filter {filter}, base {base}, attr {attr}, limit {limit}, offset {offset}', + if ($pageSize !== 0) { + $this->logger->debug( + 'initializing paged search for filter {filter}, base {base}, attr {attr}, pageSize {pageSize}, offset {offset}', [ 'app' => 'user_ldap', 'filter' => $filter, 'base' => $base, 'attr' => $attr, - 'limit' => $limit, + 'pageSize' => $pageSize, 'offset' => $offset ] ); - //get the cookie from the search for the previous search, required by LDAP - if (empty($this->lastCookie) && $this->lastCookie !== "0" && ($offset > 0)) { + // Get the cookie from the search for the previous search, required by LDAP + if (($this->lastCookie === '') && ($offset > 0)) { // no cookie known from a potential previous search. We need // to start from 0 to come to the desired page. cookie value // of '0' is valid, because 389ds - $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit; - $this->search($filter, $base, $attr, $limit, $reOffset, true); + $defaultPageSize = (int)$this->connection->ldapPagingSize; + if ($offset < $defaultPageSize) { + /* Make a search with offset as page size and dismiss the result, to init the cookie */ + $this->search($filter, $base, $attr, $offset, 0, true); + } else { + /* Make a search for previous page and dismiss the result, to init the cookie */ + $reOffset = $offset - $defaultPageSize; + $this->search($filter, $base, $attr, $defaultPageSize, $reOffset, true); + } if (!$this->hasMoreResults()) { // when the cookie is reset with != 0 offset, there are no further // results, so stop. - return false; + throw new NoMoreResults(); } } if ($this->lastCookie !== '' && $offset === 0) { //since offset = 0, this is a new search. We abandon other searches that might be ongoing. $this->abandonPagedSearch(); } - $pagedSearchOK = true === $this->invokeLDAPMethod( - 'controlPagedResult', $this->connection->getConnectionResource(), $limit, false - ); - if ($pagedSearchOK) { - \OC::$server->getLogger()->debug('Ready for a paged search', ['app' => 'user_ldap']); - } + $this->logger->debug('Ready for a paged search', ['app' => 'user_ldap']); + return [true, $pageSize, $this->lastCookie]; /* ++ Fixing RHDS searches with pages with zero results ++ - * We coudn't get paged searches working with our RHDS for login ($limit = 0), + * We couldn't get paged searches working with our RHDS for login ($limit = 0), * due to pages with zero results. * So we added "&& !empty($this->lastCookie)" to this test to ignore pagination * if we don't have a previous paged search. */ - } elseif ($limit === 0 && !empty($this->lastCookie)) { + } elseif ($this->lastCookie !== '') { // a search without limit was requested. However, if we do use // Paged Search once, we always must do it. This requires us to // initialize it with the configured page size. @@ -2054,12 +2032,10 @@ class Access extends LDAPUtility { // in case someone set it to 0 … use 500, otherwise no results will // be returned. $pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500; - $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult', - $this->connection->getConnectionResource(), - $pageSize, false); + return [true, $pageSize, $this->lastCookie]; } - return $pagedSearchOK; + return [false, $pageSize, '']; } /** |