diff options
Diffstat (limited to 'apps/user_ldap/lib/LDAPProvider.php')
| -rw-r--r-- | apps/user_ldap/lib/LDAPProvider.php | 330 |
1 files changed, 330 insertions, 0 deletions
diff --git a/apps/user_ldap/lib/LDAPProvider.php b/apps/user_ldap/lib/LDAPProvider.php new file mode 100644 index 00000000000..d9750ae3fcf --- /dev/null +++ b/apps/user_ldap/lib/LDAPProvider.php @@ -0,0 +1,330 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP; + +use OCA\User_LDAP\User\DeletedUsersIndex; +use OCP\IServerContainer; +use OCP\LDAP\IDeletionFlagSupport; +use OCP\LDAP\ILDAPProvider; +use Psr\Log\LoggerInterface; + +/** + * LDAP provider for public access to the LDAP backend. + */ +class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { + private $userBackend; + private $groupBackend; + private $logger; + + /** + * Create new LDAPProvider + * @param IServerContainer $serverContainer + * @param Helper $helper + * @param DeletedUsersIndex $deletedUsersIndex + * @throws \Exception if user_ldap app was not enabled + */ + public function __construct( + IServerContainer $serverContainer, + private Helper $helper, + private DeletedUsersIndex $deletedUsersIndex, + ) { + $this->logger = $serverContainer->get(LoggerInterface::class); + $userBackendFound = false; + $groupBackendFound = false; + foreach ($serverContainer->getUserManager()->getBackends() as $backend) { + $this->logger->debug('instance ' . get_class($backend) . ' user backend.', ['app' => 'user_ldap']); + if ($backend instanceof IUserLDAP) { + $this->userBackend = $backend; + $userBackendFound = true; + break; + } + } + foreach ($serverContainer->getGroupManager()->getBackends() as $backend) { + $this->logger->debug('instance ' . get_class($backend) . ' group backend.', ['app' => 'user_ldap']); + if ($backend instanceof IGroupLDAP) { + $this->groupBackend = $backend; + $groupBackendFound = true; + break; + } + } + + if (!$userBackendFound or !$groupBackendFound) { + throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled'); + } + } + + /** + * Translate an user id to LDAP DN + * @param string $uid user id + * @return string with the LDAP DN + * @throws \Exception if translation was unsuccessful + */ + public function getUserDN($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid); + if (!$result) { + throw new \Exception('Translation to LDAP DN unsuccessful'); + } + return $result; + } + + /** + * Translate a group id to LDAP DN. + * @param string $gid group id + * @return string + * @throws \Exception + */ + public function getGroupDN($gid) { + if (!$this->groupBackend->groupExists($gid)) { + throw new \Exception('Group id not found in LDAP'); + } + $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid); + if (!$result) { + throw new \Exception('Translation to LDAP DN unsuccessful'); + } + return $result; + } + + /** + * Translate a LDAP DN to an internal user name. If there is no mapping between + * the DN and the user name, a new one will be created. + * @param string $dn LDAP DN + * @return string with the internal user name + * @throws \Exception if translation was unsuccessful + */ + public function getUserName($dn) { + $result = $this->userBackend->dn2UserName($dn); + if (!$result) { + throw new \Exception('Translation to internal user name unsuccessful'); + } + return $result; + } + + /** + * Convert a stored DN so it can be used as base parameter for LDAP queries. + * @param string $dn the DN in question + * @return string + */ + public function DNasBaseParameter($dn) { + return $this->helper->DNasBaseParameter($dn); + } + + /** + * Sanitize a DN received from the LDAP server. + * @param array|string $dn the DN in question + * @return array|string the sanitized DN + */ + public function sanitizeDN($dn) { + return $this->helper->sanitizeDN($dn); + } + + /** + * Return a new LDAP connection resource for the specified user. + * The connection must be closed manually. + * @param string $uid user id + * @return \LDAP\Connection The LDAP connection + * @throws \Exception if user id was not found in LDAP + */ + public function getLDAPConnection($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + return $this->userBackend->getNewLDAPConnection($uid); + } + + /** + * Return a new LDAP connection resource for the specified user. + * The connection must be closed manually. + * @param string $gid group id + * @return \LDAP\Connection The LDAP connection + * @throws \Exception if group id was not found in LDAP + */ + public function getGroupLDAPConnection($gid) { + if (!$this->groupBackend->groupExists($gid)) { + throw new \Exception('Group id not found in LDAP'); + } + return $this->groupBackend->getNewLDAPConnection($gid); + } + + /** + * Get the LDAP base for users. + * @param string $uid user id + * @return string the base for users + * @throws \Exception if user id was not found in LDAP + */ + public function getLDAPBaseUsers($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + $access = $this->userBackend->getLDAPAccess($uid); + $bases = $access->getConnection()->ldapBaseUsers; + $dn = $this->getUserDN($uid); + foreach ($bases as $base) { + if ($access->isDNPartOfBase($dn, [$base])) { + return $base; + } + } + // should not occur, because the user does not qualify to use NC in this case + $this->logger->info( + 'No matching user base found for user {dn}, available: {bases}.', + [ + 'app' => 'user_ldap', + 'dn' => $dn, + 'bases' => $bases, + ] + ); + return array_shift($bases); + } + + /** + * Get the LDAP base for groups. + * @param string $uid user id + * @return string the base for groups + * @throws \Exception if user id was not found in LDAP + */ + public function getLDAPBaseGroups($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups; + return array_shift($bases); + } + + /** + * Clear the cache if a cache is used, otherwise do nothing. + * @param string $uid user id + * @throws \Exception if user id was not found in LDAP + */ + public function clearCache($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache(); + } + + /** + * Clear the cache if a cache is used, otherwise do nothing. + * Acts on the LDAP connection of a group + * @param string $gid group id + * @throws \Exception if user id was not found in LDAP + */ + public function clearGroupCache($gid) { + if (!$this->groupBackend->groupExists($gid)) { + throw new \Exception('Group id not found in LDAP'); + } + $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache(); + } + + /** + * Check whether a LDAP DN exists + * @param string $dn LDAP DN + * @return bool whether the DN exists + */ + public function dnExists($dn) { + $result = $this->userBackend->dn2UserName($dn); + return !$result ? false : true; + } + + /** + * Flag record for deletion. + * @param string $uid user id + */ + public function flagRecord($uid) { + $this->deletedUsersIndex->markUser($uid); + } + + /** + * Unflag record for deletion. + * @param string $uid user id + */ + public function unflagRecord($uid) { + //do nothing + } + + /** + * Get the LDAP attribute name for the user's display name + * @param string $uid user id + * @return string the display name field + * @throws \Exception if user id was not found in LDAP + */ + public function getLDAPDisplayNameField($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name']; + } + + /** + * Get the LDAP attribute name for the email + * @param string $uid user id + * @return string the email field + * @throws \Exception if user id was not found in LDAP + */ + public function getLDAPEmailField($uid) { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr']; + } + + /** + * Get the LDAP type of association between users and groups + * @param string $gid group id + * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', '' + * @throws \Exception if group id was not found in LDAP + */ + public function getLDAPGroupMemberAssoc($gid) { + if (!$this->groupBackend->groupExists($gid)) { + throw new \Exception('Group id not found in LDAP'); + } + return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute']; + } + + /** + * Get an LDAP attribute for a nextcloud user + * + * @throws \Exception if user id was not found in LDAP + */ + public function getUserAttribute(string $uid, string $attribute): ?string { + $values = $this->getMultiValueUserAttribute($uid, $attribute); + if (count($values) === 0) { + return null; + } + return current($values); + } + + /** + * Get a multi-value LDAP attribute for a nextcloud user + * + * @throws \Exception if user id was not found in LDAP + */ + public function getMultiValueUserAttribute(string $uid, string $attribute): array { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + + $access = $this->userBackend->getLDAPAccess($uid); + $connection = $access->getConnection(); + $key = $uid . '-' . $attribute; + + $cached = $connection->getFromCache($key); + if (is_array($cached)) { + return $cached; + } + + $values = $access->readAttribute($access->username2dn($uid), $attribute); + if ($values === false) { + $values = []; + } + + $connection->writeToCache($key, $values); + return $values; + } +} |