diff options
Diffstat (limited to 'apps/user_ldap/lib/LDAPProvider.php')
| -rw-r--r-- | apps/user_ldap/lib/LDAPProvider.php | 194 |
1 files changed, 116 insertions, 78 deletions
diff --git a/apps/user_ldap/lib/LDAPProvider.php b/apps/user_ldap/lib/LDAPProvider.php index 94793980b39..d9750ae3fcf 100644 --- a/apps/user_ldap/lib/LDAPProvider.php +++ b/apps/user_ldap/lib/LDAPProvider.php @@ -1,71 +1,51 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Joas Schilling <coding@schilljs.com> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; - -use OCP\LDAP\ILDAPProvider; -use OCP\LDAP\IDeletionFlagSupport; -use OCP\IServerContainer; use OCA\User_LDAP\User\DeletedUsersIndex; +use OCP\IServerContainer; +use OCP\LDAP\IDeletionFlagSupport; +use OCP\LDAP\ILDAPProvider; +use Psr\Log\LoggerInterface; /** - * LDAP provider for pulic access to the LDAP backend. + * LDAP provider for public access to the LDAP backend. */ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { - private $userBackend; private $groupBackend; private $logger; - private $helper; - private $deletedUsersIndex; - + /** * Create new LDAPProvider - * @param \OCP\IServerContainer $serverContainer + * @param IServerContainer $serverContainer * @param Helper $helper * @param DeletedUsersIndex $deletedUsersIndex * @throws \Exception if user_ldap app was not enabled */ - public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) { - $this->logger = $serverContainer->getLogger(); - $this->helper = $helper; - $this->deletedUsersIndex = $deletedUsersIndex; + public function __construct( + IServerContainer $serverContainer, + private Helper $helper, + private DeletedUsersIndex $deletedUsersIndex, + ) { + $this->logger = $serverContainer->get(LoggerInterface::class); $userBackendFound = false; $groupBackendFound = false; - foreach ($serverContainer->getUserManager()->getBackends() as $backend){ - $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']); + foreach ($serverContainer->getUserManager()->getBackends() as $backend) { + $this->logger->debug('instance ' . get_class($backend) . ' user backend.', ['app' => 'user_ldap']); if ($backend instanceof IUserLDAP) { $this->userBackend = $backend; $userBackendFound = true; break; } - } - foreach ($serverContainer->getGroupManager()->getBackends() as $backend){ - $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']); + } + foreach ($serverContainer->getGroupManager()->getBackends() as $backend) { + $this->logger->debug('instance ' . get_class($backend) . ' group backend.', ['app' => 'user_ldap']); if ($backend instanceof IGroupLDAP) { $this->groupBackend = $backend; $groupBackendFound = true; @@ -73,11 +53,11 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { } } - if (!$userBackendFound or !$groupBackendFound) { + if (!$userBackendFound or !$groupBackendFound) { throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled'); } } - + /** * Translate an user id to LDAP DN * @param string $uid user id @@ -85,11 +65,11 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception if translation was unsuccessful */ public function getUserDN($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid); - if(!$result){ + if (!$result) { throw new \Exception('Translation to LDAP DN unsuccessful'); } return $result; @@ -102,18 +82,18 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception */ public function getGroupDN($gid) { - if(!$this->groupBackend->groupExists($gid)){ + if (!$this->groupBackend->groupExists($gid)) { throw new \Exception('Group id not found in LDAP'); } $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid); - if(!$result){ + if (!$result) { throw new \Exception('Translation to LDAP DN unsuccessful'); } - return $result; + return $result; } /** - * Translate a LDAP DN to an internal user name. If there is no mapping between + * Translate a LDAP DN to an internal user name. If there is no mapping between * the DN and the user name, a new one will be created. * @param string $dn LDAP DN * @return string with the internal user name @@ -121,12 +101,12 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { */ public function getUserName($dn) { $result = $this->userBackend->dn2UserName($dn); - if(!$result){ + if (!$result) { throw new \Exception('Translation to internal user name unsuccessful'); } return $result; } - + /** * Convert a stored DN so it can be used as base parameter for LDAP queries. * @param string $dn the DN in question @@ -135,25 +115,25 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { public function DNasBaseParameter($dn) { return $this->helper->DNasBaseParameter($dn); } - + /** * Sanitize a DN received from the LDAP server. - * @param array $dn the DN in question - * @return array the sanitized DN + * @param array|string $dn the DN in question + * @return array|string the sanitized DN */ public function sanitizeDN($dn) { return $this->helper->sanitizeDN($dn); } - + /** - * Return a new LDAP connection resource for the specified user. + * Return a new LDAP connection resource for the specified user. * The connection must be closed manually. * @param string $uid user id - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws \Exception if user id was not found in LDAP */ public function getLDAPConnection($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } return $this->userBackend->getNewLDAPConnection($uid); @@ -163,16 +143,16 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * Return a new LDAP connection resource for the specified user. * The connection must be closed manually. * @param string $gid group id - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws \Exception if group id was not found in LDAP */ public function getGroupLDAPConnection($gid) { - if(!$this->groupBackend->groupExists($gid)){ + if (!$this->groupBackend->groupExists($gid)) { throw new \Exception('Group id not found in LDAP'); } return $this->groupBackend->getNewLDAPConnection($gid); } - + /** * Get the LDAP base for users. * @param string $uid user id @@ -180,12 +160,29 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception if user id was not found in LDAP */ public function getLDAPBaseUsers($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); - } - return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_base_users']; + } + $access = $this->userBackend->getLDAPAccess($uid); + $bases = $access->getConnection()->ldapBaseUsers; + $dn = $this->getUserDN($uid); + foreach ($bases as $base) { + if ($access->isDNPartOfBase($dn, [$base])) { + return $base; + } + } + // should not occur, because the user does not qualify to use NC in this case + $this->logger->info( + 'No matching user base found for user {dn}, available: {bases}.', + [ + 'app' => 'user_ldap', + 'dn' => $dn, + 'bases' => $bases, + ] + ); + return array_shift($bases); } - + /** * Get the LDAP base for groups. * @param string $uid user id @@ -193,19 +190,20 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception if user id was not found in LDAP */ public function getLDAPBaseGroups($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } - return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_base_groups']; + $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups; + return array_shift($bases); } - + /** * Clear the cache if a cache is used, otherwise do nothing. * @param string $uid user id * @throws \Exception if user id was not found in LDAP */ public function clearCache($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache(); @@ -218,12 +216,12 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception if user id was not found in LDAP */ public function clearGroupCache($gid) { - if(!$this->groupBackend->groupExists($gid)){ + if (!$this->groupBackend->groupExists($gid)) { throw new \Exception('Group id not found in LDAP'); } $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache(); } - + /** * Check whether a LDAP DN exists * @param string $dn LDAP DN @@ -233,7 +231,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { $result = $this->userBackend->dn2UserName($dn); return !$result ? false : true; } - + /** * Flag record for deletion. * @param string $uid user id @@ -241,7 +239,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { public function flagRecord($uid) { $this->deletedUsersIndex->markUser($uid); } - + /** * Unflag record for deletion. * @param string $uid user id @@ -257,7 +255,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception if user id was not found in LDAP */ public function getLDAPDisplayNameField($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name']; @@ -270,7 +268,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * @throws \Exception if user id was not found in LDAP */ public function getLDAPEmailField($uid) { - if(!$this->userBackend->userExists($uid)){ + if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr']; @@ -279,14 +277,54 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { /** * Get the LDAP type of association between users and groups * @param string $gid group id - * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber' + * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', '' * @throws \Exception if group id was not found in LDAP */ public function getLDAPGroupMemberAssoc($gid) { - if(!$this->groupBackend->groupExists($gid)){ + if (!$this->groupBackend->groupExists($gid)) { throw new \Exception('Group id not found in LDAP'); } return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute']; } + /** + * Get an LDAP attribute for a nextcloud user + * + * @throws \Exception if user id was not found in LDAP + */ + public function getUserAttribute(string $uid, string $attribute): ?string { + $values = $this->getMultiValueUserAttribute($uid, $attribute); + if (count($values) === 0) { + return null; + } + return current($values); + } + + /** + * Get a multi-value LDAP attribute for a nextcloud user + * + * @throws \Exception if user id was not found in LDAP + */ + public function getMultiValueUserAttribute(string $uid, string $attribute): array { + if (!$this->userBackend->userExists($uid)) { + throw new \Exception('User id not found in LDAP'); + } + + $access = $this->userBackend->getLDAPAccess($uid); + $connection = $access->getConnection(); + $key = $uid . '-' . $attribute; + + $cached = $connection->getFromCache($key); + if (is_array($cached)) { + return $cached; + } + + $values = $access->readAttribute($access->username2dn($uid), $attribute); + if ($values === false) { + $values = []; + } + + $connection->writeToCache($key, $values); + return $values; + } } |