diff options
Diffstat (limited to 'apps/user_ldap/lib')
94 files changed, 6332 insertions, 4994 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index d11ca98ece9..9fe0aa64268 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -1,64 +1,32 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Aaron Wood <aaronjwood@gmail.com> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Benjamin Diele <benjamin@diele.be> - * @author bline <scottbeck@gmail.com> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Mario Kolling <mario.kolling@serpro.gov.br> - * @author Max Kovalenko <mxss1998@yandex.ru> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Peter Kubica <peter@kubica.ch> - * @author Ralph Krimmel <rkrimme1@gwdg.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Roland Tapken <roland@bitarbeiter.net> - * @author root <root@localhost.localdomain> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; use DomainException; -use OC\HintException; use OC\Hooks\PublicEmitter; use OC\ServerNotAvailableException; use OCA\User_LDAP\Exceptions\ConstraintViolationException; +use OCA\User_LDAP\Exceptions\NoMoreResults; use OCA\User_LDAP\Mapping\AbstractMapping; -use OCA\User_LDAP\Mapping\UserMapping; use OCA\User_LDAP\User\Manager; use OCA\User_LDAP\User\OfflineUser; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\HintException; +use OCP\IAppConfig; use OCP\IConfig; -use OCP\ILogger; +use OCP\IGroupManager; use OCP\IUserManager; +use OCP\Server; +use OCP\User\Events\UserIdAssignedEvent; +use OCP\Util; +use Psr\Log\LoggerInterface; +use function strlen; +use function substr; /** * Class Access @@ -68,64 +36,46 @@ use OCP\IUserManager; class Access extends LDAPUtility { public const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid']; - /** @var \OCA\User_LDAP\Connection */ - public $connection; - /** @var Manager */ - public $userManager; - //never ever check this var directly, always use getPagedSearchResultState - protected $pagedSearchedSuccessful; - /** - * @var UserMapping $userMapper + * never ever check this var directly, always use getPagedSearchResultState + * @var ?bool */ + protected $pagedSearchedSuccessful; + + /** @var ?AbstractMapping */ protected $userMapper; - /** - * @var AbstractMapping $userMapper - */ + /** @var ?AbstractMapping */ protected $groupMapper; - /** - * @var \OCA\User_LDAP\Helper - */ - private $helper; - /** @var IConfig */ - private $config; - /** @var IUserManager */ - private $ncUserManager; - /** @var string */ - private $lastCookie = ''; + private string $lastCookie = ''; public function __construct( - Connection $connection, ILDAPWrapper $ldap, - Manager $userManager, - Helper $helper, - IConfig $config, - IUserManager $ncUserManager + public Connection $connection, + public Manager $userManager, + private Helper $helper, + private IConfig $config, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IAppConfig $appConfig, + private IEventDispatcher $dispatcher, ) { parent::__construct($ldap); - $this->connection = $connection; - $this->userManager = $userManager; $this->userManager->setLdapAccess($this); - $this->helper = $helper; - $this->config = $config; - $this->ncUserManager = $ncUserManager; } /** * sets the User Mapper - * - * @param AbstractMapping $mapper */ - public function setUserMapper(AbstractMapping $mapper) { + public function setUserMapper(AbstractMapping $mapper): void { $this->userMapper = $mapper; } /** * @throws \Exception */ - public function getUserMapper(): UserMapping { + public function getUserMapper(): AbstractMapping { if (is_null($this->userMapper)) { throw new \Exception('UserMapper was not assigned to this Access instance.'); } @@ -134,20 +84,17 @@ class Access extends LDAPUtility { /** * sets the Group Mapper - * - * @param AbstractMapping $mapper */ - public function setGroupMapper(AbstractMapping $mapper) { + public function setGroupMapper(AbstractMapping $mapper): void { $this->groupMapper = $mapper; } /** * returns the Group Mapper * - * @return AbstractMapping * @throws \Exception */ - public function getGroupMapper() { + public function getGroupMapper(): AbstractMapping { if (is_null($this->groupMapper)) { throw new \Exception('GroupMapper was not assigned to this Access instance.'); } @@ -171,38 +118,75 @@ class Access extends LDAPUtility { } /** - * reads a given attribute for an LDAP record identified by a DN + * Reads several attributes for an LDAP record identified by a DN and a filter + * No support for ranged attributes. * * @param string $dn the record in question - * @param string $attr the attribute that shall be retrieved - * if empty, just check the record's existence + * @param array $attrs the attributes that shall be retrieved + * if empty, just check the record's existence * @param string $filter * @return array|false an array of values on success or an empty - * array if $attr is empty, false otherwise + * array if $attr is empty, false otherwise * @throws ServerNotAvailableException */ - public function readAttribute($dn, $attr, $filter = 'objectClass=*') { + public function readAttributes(string $dn, array $attrs, string $filter = 'objectClass=*'): array|false { if (!$this->checkConnection()) { - \OCP\Util::writeLog('user_ldap', + $this->logger->warning( 'No LDAP Connector assigned, access impossible for readAttribute.', - ILogger::WARN); + ['app' => 'user_ldap'] + ); return false; } $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - //LDAP not available - \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG); + $attrs = array_map( + fn (string $attr): string => mb_strtolower($attr, 'UTF-8'), + $attrs, + ); + + $values = []; + $record = $this->executeRead($dn, $attrs, $filter); + if (is_bool($record)) { + // when an exists request was run and it was successful, an empty + // array must be returned + return $record ? [] : false; + } + + $result = []; + foreach ($attrs as $attr) { + $values = $this->extractAttributeValuesFromResult($record, $attr); + if (!empty($values)) { + $result[$attr] = $values; + } + } + + if (!empty($result)) { + return $result; + } + + $this->logger->debug('Requested attributes {attrs} not found for ' . $dn, ['app' => 'user_ldap', 'attrs' => $attrs]); + return false; + } + + /** + * reads a given attribute for an LDAP record identified by a DN + * + * @param string $dn the record in question + * @param string $attr the attribute that shall be retrieved + * if empty, just check the record's existence + * @param string $filter + * @return array|false an array of values on success or an empty + * array if $attr is empty, false otherwise + * @throws ServerNotAvailableException + */ + public function readAttribute(string $dn, string $attr, string $filter = 'objectClass=*') { + if (!$this->checkConnection()) { + $this->logger->warning( + 'No LDAP Connector assigned, access impossible for readAttribute.', + ['app' => 'user_ldap'] + ); return false; } - //Cancel possibly running Paged Results operation, otherwise we run in - //LDAP protocol errors - $this->abandonPagedSearch(); - // openLDAP requires that we init a new Paged Search. Not needed by AD, - // but does not hurt either. - $pagingSize = (int)$this->connection->ldapPagingSize; - // 0 won't result in replies, small numbers may leave out groups - // (cf. #12306), 500 is default for paging and should work everywhere. - $maxResults = $pagingSize > 20 ? $pagingSize : 500; + $cr = $this->connection->getConnectionResource(); $attr = mb_strtolower($attr, 'UTF-8'); // the actual read attribute later may contain parameters on a ranged // request, e.g. member;range=99-199. Depends on server reply. @@ -211,7 +195,7 @@ class Access extends LDAPUtility { $values = []; $isRangeRequest = false; do { - $result = $this->executeRead($cr, $dn, $attrToRead, $filter, $maxResults); + $result = $this->executeRead($dn, $attrToRead, $filter); if (is_bool($result)) { // when an exists request was run and it was successful, an empty // array must be returned @@ -246,47 +230,41 @@ class Access extends LDAPUtility { } } while ($isRangeRequest); - \OCP\Util::writeLog('user_ldap', 'Requested attribute ' . $attr . ' not found for ' . $dn, ILogger::DEBUG); + $this->logger->debug('Requested attribute ' . $attr . ' not found for ' . $dn, ['app' => 'user_ldap']); return false; } /** * Runs an read operation against LDAP * - * @param resource $cr the LDAP connection - * @param string $dn - * @param string $attribute - * @param string $filter - * @param int $maxResults * @return array|bool false if there was any error, true if an exists check * was performed and the requested DN found, array with the * returned data on a successful usual operation * @throws ServerNotAvailableException */ - public function executeRead($cr, $dn, $attribute, $filter, $maxResults) { - $this->initPagedSearch($filter, $dn, [$attribute], $maxResults, 0); + public function executeRead(string $dn, string|array $attribute, string $filter) { $dn = $this->helper->DNasBaseParameter($dn); - $rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, [$attribute]); + $rr = @$this->invokeLDAPMethod('read', $dn, $filter, (is_string($attribute) ? [$attribute] : $attribute)); if (!$this->ldap->isResource($rr)) { if ($attribute !== '') { //do not throw this message on userExists check, irritates - \OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, ILogger::DEBUG); + $this->logger->debug('readAttribute failed for DN ' . $dn, ['app' => 'user_ldap']); } //in case an error occurs , e.g. object does not exist return false; } - if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) { - \OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', ILogger::DEBUG); + if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $rr) === 1)) { + $this->logger->debug('readAttribute: ' . $dn . ' found', ['app' => 'user_ldap']); return true; } - $er = $this->invokeLDAPMethod('firstEntry', $cr, $rr); + $er = $this->invokeLDAPMethod('firstEntry', $rr); if (!$this->ldap->isResource($er)) { //did not match the filter, return false return false; } //LDAP attributes are not case sensitive - $result = \OCP\Util::mb_array_change_key_case( - $this->invokeLDAPMethod('getAttributes', $cr, $er), MB_CASE_LOWER, 'UTF-8'); + $result = Util::mb_array_change_key_case( + $this->invokeLDAPMethod('getAttributes', $er), MB_CASE_LOWER, 'UTF-8'); return $result; } @@ -295,6 +273,8 @@ class Access extends LDAPUtility { * Normalizes a result grom getAttributes(), i.e. handles DNs and binary * data if present. * + * DN values are escaped as per RFC 2253 + * * @param array $result from ILDAPWrapper::getAttributes() * @param string $attribute the attribute name that was read * @return string[] @@ -326,20 +306,19 @@ class Access extends LDAPUtility { * @return array If a range was detected with keys 'values', 'attributeName', * 'attributeFull' and 'rangeHigh', otherwise empty. */ - public function extractRangeData($result, $attribute) { + public function extractRangeData(array $result, string $attribute): array { $keys = array_keys($result); foreach ($keys as $key) { - if ($key !== $attribute && strpos($key, $attribute) === 0) { - $queryData = explode(';', $key); - if (strpos($queryData[1], 'range=') === 0) { + if ($key !== $attribute && str_starts_with((string)$key, $attribute)) { + $queryData = explode(';', (string)$key); + if (isset($queryData[1]) && str_starts_with($queryData[1], 'range=')) { $high = substr($queryData[1], 1 + strpos($queryData[1], '-')); - $data = [ + return [ 'values' => $result[$key], 'attributeName' => $queryData[0], 'attributeFull' => $key, 'rangeHigh' => $high, ]; - return $data; } } } @@ -360,17 +339,12 @@ class Access extends LDAPUtility { throw new \Exception('LDAP password changes are disabled.'); } $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - //LDAP not available - \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG); - return false; - } try { // try PASSWD extended operation first - return @$this->invokeLDAPMethod('exopPasswd', $cr, $userDN, '', $password) || - @$this->invokeLDAPMethod('modReplace', $cr, $userDN, $password); + return @$this->invokeLDAPMethod('exopPasswd', $userDN, '', $password) + || @$this->invokeLDAPMethod('modReplace', $userDN, $password); } catch (ConstraintViolationException $e) { - throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ') . $e->getMessage(), $e->getCode()); + throw new HintException('Password change rejected.', Util::getL10N('user_ldap')->t('Password change rejected. Hint: %s', $e->getMessage()), (int)$e->getCode()); } } @@ -421,7 +395,7 @@ class Access extends LDAPUtility { $domainParts = []; $dcFound = false; foreach ($allParts as $part) { - if (!$dcFound && strpos($part, 'dc=') === 0) { + if (!$dcFound && str_starts_with($part, 'dc=')) { $dcFound = true; } if ($dcFound) { @@ -438,7 +412,7 @@ class Access extends LDAPUtility { * @return string|false LDAP DN on success, otherwise false */ public function groupname2dn($name) { - return $this->groupMapper->getDNByName($name); + return $this->getGroupMapper()->getDNByName($name); } /** @@ -448,7 +422,7 @@ class Access extends LDAPUtility { * @return string|false with the LDAP DN on success, otherwise false */ public function username2dn($name) { - $fdn = $this->userMapper->getDNByName($name); + $fdn = $this->getUserMapper()->getDNByName($name); //Check whether the DN belongs to the Base, to avoid issues on multi- //server setups @@ -464,10 +438,11 @@ class Access extends LDAPUtility { * * @param string $fdn the dn of the group object * @param string $ldapName optional, the display name of the object + * @param bool $autoMapping Should the group be mapped if not yet mapped * @return string|false with the name to use in Nextcloud, false on DN outside of search DN * @throws \Exception */ - public function dn2groupname($fdn, $ldapName = null) { + public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) { //To avoid bypassing the base DN settings under certain circumstances //with the group support, check whether the provided DN matches one of //the given Bases @@ -475,18 +450,18 @@ class Access extends LDAPUtility { return false; } - return $this->dn2ocname($fdn, $ldapName, false); + return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping); } /** * returns the internal Nextcloud name for the given LDAP DN of the user, false on DN outside of search DN or failure * - * @param string $dn the dn of the user object + * @param string $fdn the dn of the user object * @param string $ldapName optional, the display name of the object * @return string|false with with the name to use in Nextcloud * @throws \Exception */ - public function dn2username($fdn, $ldapName = null) { + public function dn2username($fdn) { //To avoid bypassing the base DN settings under certain circumstances //with the group support, check whether the provided DN matches one of //the given Bases @@ -494,7 +469,7 @@ class Access extends LDAPUtility { return false; } - return $this->dn2ocname($fdn, $ldapName, true); + return $this->dn2ocname($fdn, null, true); } /** @@ -505,19 +480,21 @@ class Access extends LDAPUtility { * @param bool $isUser optional, whether it is a user object (otherwise group assumed) * @param bool|null $newlyMapped * @param array|null $record + * @param bool $autoMapping Should the group be mapped if not yet mapped * @return false|string with with the name to use in Nextcloud * @throws \Exception */ - public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) { + public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) { + static $intermediates = []; + if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) { + return false; // is a known intermediate + } + $newlyMapped = false; if ($isUser) { $mapper = $this->getUserMapper(); - $nameAttribute = $this->connection->ldapUserDisplayName; - $filter = $this->connection->ldapUserFilter; } else { $mapper = $this->getGroupMapper(); - $nameAttribute = $this->connection->ldapGroupDisplayName; - $filter = $this->connection->ldapGroupFilter; } //let's try to retrieve the Nextcloud name from the mappings table @@ -526,6 +503,41 @@ class Access extends LDAPUtility { return $ncName; } + if (!$autoMapping) { + /* If no auto mapping, stop there */ + return false; + } + + if ($isUser) { + $nameAttribute = strtolower($this->connection->ldapUserDisplayName); + $filter = $this->connection->ldapUserFilter; + $uuidAttr = 'ldapUuidUserAttribute'; + $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; + $usernameAttribute = strtolower($this->connection->ldapExpertUsernameAttr); + $attributesToRead = [$nameAttribute,$usernameAttribute]; + // TODO fetch also display name attributes and cache them if the user is mapped + } else { + $nameAttribute = strtolower($this->connection->ldapGroupDisplayName); + $filter = $this->connection->ldapGroupFilter; + $uuidAttr = 'ldapUuidGroupAttribute'; + $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr; + $attributesToRead = [$nameAttribute]; + } + + if ($this->detectUuidAttribute($fdn, $isUser, false, $record)) { + $attributesToRead[] = $this->connection->$uuidAttr; + } + + if ($record === null) { + /* No record was passed, fetch it */ + $record = $this->readAttributes($fdn, $attributesToRead, $filter); + if ($record === false) { + $this->logger->debug('Cannot read attributes for ' . $fdn . '. Skipping.', ['filter' => $filter]); + $intermediates[($isUser ? 'user-' : 'group-') . $fdn] = true; + return false; + } + } + //second try: get the UUID and check if it is known. Then, update the DN and return the name. $uuid = $this->getUUID($fdn, $isUser, $record); if (is_string($uuid)) { @@ -536,23 +548,17 @@ class Access extends LDAPUtility { } } else { //If the UUID can't be detected something is foul. - \OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for ' . $fdn . '. Skipping.', ILogger::INFO); + $this->logger->debug('Cannot determine UUID for ' . $fdn . '. Skipping.', ['app' => 'user_ldap']); return false; } - if (is_null($ldapName)) { - $ldapName = $this->readAttribute($fdn, $nameAttribute, $filter); - if (!isset($ldapName[0]) && empty($ldapName[0])) { - \OCP\Util::writeLog('user_ldap', 'No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ILogger::DEBUG); - return false; - } - $ldapName = $ldapName[0]; - } - if ($isUser) { - $usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr; if ($usernameAttribute !== '') { - $username = $this->readAttribute($fdn, $usernameAttribute); + $username = $record[$usernameAttribute]; + if (!isset($username[0]) || empty($username[0])) { + $this->logger->debug('No or empty username (' . $usernameAttribute . ') for ' . $fdn . '.', ['app' => 'user_ldap']); + return false; + } $username = $username[0]; } else { $username = $uuid; @@ -560,9 +566,8 @@ class Access extends LDAPUtility { try { $intName = $this->sanitizeUsername($username); } catch (\InvalidArgumentException $e) { - \OC::$server->getLogger()->logException($e, [ - 'app' => 'user_ldap', - 'level' => ILogger::WARN, + $this->logger->warning('Error sanitizing username: ' . $e->getMessage(), [ + 'exception' => $e, ]); // we don't attempt to set a username here. We can go for // for an alternative 4 digit random number as we would append @@ -571,7 +576,16 @@ class Access extends LDAPUtility { return false; } } else { - $intName = $ldapName; + if (is_null($ldapName)) { + $ldapName = $record[$nameAttribute]; + if (!isset($ldapName[0]) || empty($ldapName[0])) { + $this->logger->debug('No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ['app' => 'user_ldap']); + $intermediates['group-' . $fdn] = true; + return false; + } + $ldapName = $ldapName[0]; + } + $intName = $this->sanitizeGroupIDCandidate($ldapName); } //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups @@ -582,12 +596,13 @@ class Access extends LDAPUtility { $this->connection->setConfiguration(['ldapCacheTTL' => 0]); if ($intName !== '' && (($isUser && !$this->ncUserManager->userExists($intName)) - || (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName)) + || (!$isUser && !Server::get(IGroupManager::class)->groupExists($intName)) ) ) { $this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]); $newlyMapped = $this->mapAndAnnounceIfApplicable($mapper, $fdn, $intName, $uuid, $isUser); if ($newlyMapped) { + $this->logger->debug('Mapped {fdn} as {name}', ['fdn' => $fdn,'name' => $intName]); return $intName; } } @@ -596,13 +611,21 @@ class Access extends LDAPUtility { $altName = $this->createAltInternalOwnCloudName($intName, $isUser); if (is_string($altName)) { if ($this->mapAndAnnounceIfApplicable($mapper, $fdn, $altName, $uuid, $isUser)) { + $this->logger->warning( + 'Mapped {fdn} as {altName} because of a name collision on {intName}.', + [ + 'fdn' => $fdn, + 'altName' => $altName, + 'intName' => $intName, + ] + ); $newlyMapped = true; return $altName; } } //if everything else did not help.. - \OCP\Util::writeLog('user_ldap', 'Could not create unique name for ' . $fdn . '.', ILogger::INFO); + $this->logger->info('Could not create unique name for ' . $fdn . '.', ['app' => 'user_ldap']); return false; } @@ -611,13 +634,16 @@ class Access extends LDAPUtility { string $fdn, string $name, string $uuid, - bool $isUser + bool $isUser, ): bool { if ($mapper->map($fdn, $name, $uuid)) { - if ($this->ncUserManager instanceof PublicEmitter && $isUser) { + if ($isUser) { $this->cacheUserExists($name); - $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]); - } elseif (!$isUser) { + $this->dispatcher->dispatchTyped(new UserIdAssignedEvent($name)); + if ($this->ncUserManager instanceof PublicEmitter) { + $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]); + } + } else { $this->cacheGroupExists($name); } return true; @@ -629,7 +655,7 @@ class Access extends LDAPUtility { * gives back the user names as they are used ownClod internally * * @param array $ldapUsers as returned by fetchList() - * @return array an array with the user names to use in Nextcloud + * @return array<int,string> an array with the user names to use in Nextcloud * * gives back the user names as they are used ownClod internally * @throws \Exception @@ -642,7 +668,7 @@ class Access extends LDAPUtility { * gives back the group names as they are used ownClod internally * * @param array $ldapGroups as returned by fetchList() - * @return array an array with the group names to use in Nextcloud + * @return array<int,string> an array with the group names to use in Nextcloud * * gives back the group names as they are used ownClod internally * @throws \Exception @@ -652,29 +678,22 @@ class Access extends LDAPUtility { } /** - * @param array $ldapObjects as returned by fetchList() - * @param bool $isUsers - * @return array + * @param array[] $ldapObjects as returned by fetchList() + * @return array<int,string> * @throws \Exception */ - private function ldap2NextcloudNames($ldapObjects, $isUsers) { + private function ldap2NextcloudNames(array $ldapObjects, bool $isUsers): array { if ($isUsers) { $nameAttribute = $this->connection->ldapUserDisplayName; $sndAttribute = $this->connection->ldapUserDisplayName2; } else { $nameAttribute = $this->connection->ldapGroupDisplayName; + $sndAttribute = null; } $nextcloudNames = []; foreach ($ldapObjects as $ldapObject) { - $nameByLDAP = null; - if (isset($ldapObject[$nameAttribute]) - && is_array($ldapObject[$nameAttribute]) - && isset($ldapObject[$nameAttribute][0]) - ) { - // might be set, but not necessarily. if so, we use it. - $nameByLDAP = $ldapObject[$nameAttribute][0]; - } + $nameByLDAP = $ldapObject[$nameAttribute][0] ?? null; $ncName = $this->dn2ocname($ldapObject['dn'][0], $nameByLDAP, $isUsers); if ($ncName) { @@ -686,8 +705,7 @@ class Access extends LDAPUtility { if (is_null($nameByLDAP)) { continue; } - $sndName = isset($ldapObject[$sndAttribute][0]) - ? $ldapObject[$sndAttribute][0] : ''; + $sndName = $ldapObject[$sndAttribute][0] ?? ''; $this->cacheUserDisplayName($ncName, $nameByLDAP, $sndName); } elseif ($nameByLDAP !== null) { $this->cacheGroupDisplayName($ncName, $nameByLDAP); @@ -703,7 +721,7 @@ class Access extends LDAPUtility { * @param string $ncname * @throws \Exception */ - public function updateUserState($ncname) { + public function updateUserState($ncname): void { $user = $this->userManager->get($ncname); if ($user instanceof OfflineUser) { $user->unmark(); @@ -716,18 +734,17 @@ class Access extends LDAPUtility { * @param string $ocName the internal Nextcloud username * @param string|false $home the home directory path */ - public function cacheUserHome($ocName, $home) { + public function cacheUserHome(string $ocName, $home): void { $cacheKey = 'getHome' . $ocName; $this->connection->writeToCache($cacheKey, $home); } /** * caches a user as existing - * - * @param string $ocName the internal Nextcloud username */ - public function cacheUserExists($ocName) { + public function cacheUserExists(string $ocName): void { $this->connection->writeToCache('userExists' . $ocName, true); + $this->connection->writeToCache('userExistsOnLDAP' . $ocName, true); } /** @@ -745,7 +762,7 @@ class Access extends LDAPUtility { * @param string $displayName2 the second display name * @throws \Exception */ - public function cacheUserDisplayName($ocName, $displayName, $displayName2 = '') { + public function cacheUserDisplayName(string $ocName, string $displayName, string $displayName2 = ''): void { $user = $this->userManager->get($ocName); if ($user === null) { return; @@ -769,7 +786,7 @@ class Access extends LDAPUtility { * Instead of using this method directly, call * createAltInternalOwnCloudName($name, true) */ - private function _createAltInternalOwnCloudNameForUsers($name) { + private function _createAltInternalOwnCloudNameForUsers(string $name) { $attempts = 0; //while loop is just a precaution. If a name is not generated within //20 attempts, something else is very wrong. Avoids infinite loop. @@ -796,9 +813,9 @@ class Access extends LDAPUtility { * numbering, e.g. Developers_42 when there are 41 other groups called * "Developers" */ - private function _createAltInternalOwnCloudNameForGroups($name) { - $usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%'); - if (!$usedNames || count($usedNames) === 0) { + private function _createAltInternalOwnCloudNameForGroups(string $name) { + $usedNames = $this->getGroupMapper()->getNamesBySearch($name, '', '_%'); + if (count($usedNames) === 0) { $lastNo = 1; //will become name_2 } else { natsort($usedNames); @@ -813,7 +830,7 @@ class Access extends LDAPUtility { // Check to be really sure it is unique // while loop is just a precaution. If a name is not generated within // 20 attempts, something else is very wrong. Avoids infinite loop. - if (!\OC::$server->getGroupManager()->groupExists($altName)) { + if (!Server::get(IGroupManager::class)->groupExists($altName)) { return $altName; } $altName = $name . '_' . ($lastNo + $attempts); @@ -826,10 +843,15 @@ class Access extends LDAPUtility { * creates a unique name for internal Nextcloud use. * * @param string $name the display name of the object - * @param boolean $isUser whether name should be created for a user (true) or a group (false) + * @param bool $isUser whether name should be created for a user (true) or a group (false) * @return string|false with with the name to use in Nextcloud or false if unsuccessful */ - private function createAltInternalOwnCloudName($name, $isUser) { + private function createAltInternalOwnCloudName(string $name, bool $isUser) { + // ensure there is space for the "_1234" suffix + if (strlen($name) > 59) { + $name = substr($name, 0, 59); + } + $originalTTL = $this->connection->ldapCacheTTL; $this->connection->setConfiguration(['ldapCacheTTL' => 0]); if ($isUser) { @@ -857,7 +879,7 @@ class Access extends LDAPUtility { * utilizing the login filter. * * @param string $loginName - * @return int + * @return false|int */ public function countUsersByLoginName($loginName) { $loginName = $this->escapeFilterPart($loginName); @@ -868,17 +890,16 @@ class Access extends LDAPUtility { /** * @throws \Exception */ - public function fetchListOfUsers(string $filter, array $attr, int $limit = null, int $offset = null, bool $forceApplyAttributes = false): array { + public function fetchListOfUsers(string $filter, array $attr, ?int $limit = null, ?int $offset = null, bool $forceApplyAttributes = false): array { $ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset); $recordsToUpdate = $ldapRecords; if (!$forceApplyAttributes) { - $isBackgroundJobModeAjax = $this->config - ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; + $isBackgroundJobModeAjax = $this->appConfig->getValueString('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; $listOfDNs = array_reduce($ldapRecords, function ($listOfDNs, $entry) { $listOfDNs[] = $entry['dn'][0]; return $listOfDNs; }, []); - $idsByDn = $this->userMapper->getListOfIdsByDn($listOfDNs); + $idsByDn = $this->getUserMapper()->getListOfIdsByDn($listOfDNs); $recordsToUpdate = array_filter($ldapRecords, function ($record) use ($isBackgroundJobModeAjax, $idsByDn) { $newlyMapped = false; $uid = $idsByDn[$record['dn'][0]] ?? null; @@ -900,11 +921,10 @@ class Access extends LDAPUtility { * user object and requests it to process the freshly fetched attributes and * and their values * - * @param array $ldapRecords * @throws \Exception */ - public function batchApplyUserAttributes(array $ldapRecords) { - $displayNameAttribute = strtolower($this->connection->ldapUserDisplayName); + public function batchApplyUserAttributes(array $ldapRecords): void { + $displayNameAttribute = strtolower((string)$this->connection->ldapUserDisplayName); foreach ($ldapRecords as $userRecord) { if (!isset($userRecord[$displayNameAttribute])) { // displayName is obligatory @@ -919,7 +939,7 @@ class Access extends LDAPUtility { if ($user !== null) { $user->processAttributes($userRecord); } else { - \OC::$server->getLogger()->debug( + $this->logger->debug( "The ldap user manager returned null for $ocName", ['app' => 'user_ldap'] ); @@ -928,61 +948,38 @@ class Access extends LDAPUtility { } /** - * @param string $filter - * @param string|string[] $attr - * @param int $limit - * @param int $offset - * @return array + * @return array[] */ - public function fetchListOfGroups($filter, $attr, $limit = null, $offset = null) { + public function fetchListOfGroups(string $filter, array $attr, ?int $limit = null, ?int $offset = null): array { + $cacheKey = 'fetchListOfGroups_' . $filter . '_' . implode('-', $attr) . '_' . (string)$limit . '_' . (string)$offset; + $listOfGroups = $this->connection->getFromCache($cacheKey); + if (!is_null($listOfGroups)) { + return $listOfGroups; + } $groupRecords = $this->searchGroups($filter, $attr, $limit, $offset); - $listOfDNs = array_reduce($groupRecords, function ($listOfDNs, $entry) { - $listOfDNs[] = $entry['dn'][0]; - return $listOfDNs; - }, []); - $idsByDn = $this->groupMapper->getListOfIdsByDn($listOfDNs); - - array_walk($groupRecords, function ($record) use ($idsByDn) { - $newlyMapped = false; - $gid = $idsByDn[$record['dn'][0]] ?? null; - if ($gid === null) { - $gid = $this->dn2ocname($record['dn'][0], null, false, $newlyMapped, $record); - } - if (!$newlyMapped && is_string($gid)) { - $this->cacheGroupExists($gid); - } - }); - return $this->fetchList($groupRecords, $this->manyAttributes($attr)); + $listOfGroups = $this->fetchList($groupRecords, $this->manyAttributes($attr)); + $this->connection->writeToCache($cacheKey, $listOfGroups); + return $listOfGroups; } - /** - * @param array $list - * @param bool $manyAttributes - * @return array - */ - private function fetchList($list, $manyAttributes) { - if (is_array($list)) { - if ($manyAttributes) { - return $list; - } else { - $list = array_reduce($list, function ($carry, $item) { - $attribute = array_keys($item)[0]; - $carry[] = $item[$attribute][0]; - return $carry; - }, []); - return array_unique($list, SORT_LOCALE_STRING); - } + private function fetchList(array $list, bool $manyAttributes): array { + if ($manyAttributes) { + return $list; + } else { + $list = array_reduce($list, function ($carry, $item) { + $attribute = array_keys($item)[0]; + $carry[] = $item[$attribute][0]; + return $carry; + }, []); + return array_unique($list, SORT_LOCALE_STRING); } - - //error cause actually, maybe throw an exception in future. - return []; } /** * @throws ServerNotAvailableException */ - public function searchUsers(string $filter, array $attr = null, int $limit = null, int $offset = null): array { + public function searchUsers(string $filter, ?array $attr = null, ?int $limit = null, ?int $offset = null): array { $result = []; foreach ($this->connection->ldapBaseUsers as $base) { $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); @@ -991,17 +988,14 @@ class Access extends LDAPUtility { } /** - * @param string $filter - * @param string|string[] $attr - * @param int $limit - * @param int $offset + * @param string[] $attr * @return false|int * @throws ServerNotAvailableException */ - public function countUsers($filter, $attr = ['dn'], $limit = null, $offset = null) { + public function countUsers(string $filter, array $attr = ['dn'], ?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBaseUsers as $base) { - $count = $this->count($filter, [$base], $attr, $limit, $offset); + $count = $this->count($filter, [$base], $attr, $limit ?? 0, $offset ?? 0); $result = is_int($count) ? (int)$result + $count : $result; } return $result; @@ -1010,16 +1004,12 @@ class Access extends LDAPUtility { /** * executes an LDAP search, optimized for Groups * - * @param string $filter the LDAP filter for the search - * @param string|string[] $attr optional, when a certain attribute shall be filtered out - * @param integer $limit - * @param integer $offset - * @return array with the search result + * @param ?string[] $attr optional, when certain attributes shall be filtered out * * Executes an LDAP search * @throws ServerNotAvailableException */ - public function searchGroups($filter, $attr = null, $limit = null, $offset = null) { + public function searchGroups(string $filter, ?array $attr = null, ?int $limit = null, ?int $offset = null): array { $result = []; foreach ($this->connection->ldapBaseGroups as $base) { $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); @@ -1030,17 +1020,13 @@ class Access extends LDAPUtility { /** * returns the number of available groups * - * @param string $filter the LDAP search filter - * @param string[] $attr optional - * @param int|null $limit - * @param int|null $offset * @return int|bool * @throws ServerNotAvailableException */ - public function countGroups($filter, $attr = ['dn'], $limit = null, $offset = null) { + public function countGroups(string $filter, array $attr = ['dn'], ?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBaseGroups as $base) { - $count = $this->count($filter, [$base], $attr, $limit, $offset); + $count = $this->count($filter, [$base], $attr, $limit ?? 0, $offset ?? 0); $result = is_int($count) ? (int)$result + $count : $result; } return $result; @@ -1049,15 +1035,13 @@ class Access extends LDAPUtility { /** * returns the number of available objects on the base DN * - * @param int|null $limit - * @param int|null $offset * @return int|bool * @throws ServerNotAvailableException */ - public function countObjects($limit = null, $offset = null) { + public function countObjects(?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBase as $base) { - $count = $this->count('objectclass=*', [$base], ['dn'], $limit, $offset); + $count = $this->count('objectclass=*', [$base], ['dn'], $limit ?? 0, $offset ?? 0); $result = is_int($count) ? (int)$result + $count : $result; } return $result; @@ -1070,26 +1054,23 @@ class Access extends LDAPUtility { */ /** + * @param mixed[] $arguments * @return mixed * @throws \OC\ServerNotAvailableException */ - private function invokeLDAPMethod() { - $arguments = func_get_args(); - $command = array_shift($arguments); - $cr = array_shift($arguments); + private function invokeLDAPMethod(string $command, ...$arguments) { + if ($command == 'controlPagedResultResponse') { + // php no longer supports call-time pass-by-reference + // thus cannot support controlPagedResultResponse as the third argument + // is a reference + throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.'); + } if (!method_exists($this->ldap, $command)) { return null; } - array_unshift($arguments, $cr); - // php no longer supports call-time pass-by-reference - // thus cannot support controlPagedResultResponse as the third argument - // is a reference + array_unshift($arguments, $this->connection->getConnectionResource()); $doMethod = function () use ($command, &$arguments) { - if ($command == 'controlPagedResultResponse') { - throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.'); - } else { - return call_user_func_array([$this->ldap, $command], $arguments); - } + return call_user_func_array([$this->ldap, $command], $arguments); }; try { $ret = $doMethod(); @@ -1098,13 +1079,13 @@ class Access extends LDAPUtility { * Maybe implement exponential backoff? * This was enough to get solr indexer working which has large delays between LDAP fetches. */ - \OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", ILogger::DEBUG); + $this->logger->debug("Connection lost on $command, attempting to reestablish.", ['app' => 'user_ldap']); $this->connection->resetConnectionResource(); $cr = $this->connection->getConnectionResource(); if (!$this->ldap->isResource($cr)) { // Seems like we didn't find any resource. - \OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", ILogger::DEBUG); + $this->logger->debug("Could not $command, because resource is missing.", ['app' => 'user_ldap']); throw $e; } @@ -1123,33 +1104,31 @@ class Access extends LDAPUtility { * @param int|null $limit optional, maximum results to be counted * @param int|null $offset optional, a starting point * @return array|false array with the search result as first value and pagedSearchOK as - * second | false if not successful + * second | false if not successful * @throws ServerNotAvailableException */ private function executeSearch( string $filter, string $base, ?array &$attr, - ?int $limit, - ?int $offset + ?int $pageSize, + ?int $offset, ) { // See if we have a resource, in case not cancel with message $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - // Seems like we didn't find any resource. - // Return an empty array just like before. - \OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', ILogger::DEBUG); - return false; - } //check whether paged search should be attempted - $pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, (int)$offset); + try { + [$pagedSearchOK, $pageSize, $cookie] = $this->initPagedSearch($filter, $base, $attr, (int)$pageSize, (int)$offset); + } catch (NoMoreResults $e) { + // beyond last results page + return false; + } - $sr = $this->invokeLDAPMethod('search', $cr, $base, $filter, $attr); - // cannot use $cr anymore, might have changed in the previous call! + $sr = $this->invokeLDAPMethod('search', $base, $filter, $attr, 0, 0, $pageSize, $cookie); $error = $this->ldap->errno($this->connection->getConnectionResource()); if (!$this->ldap->isResource($sr) || $error !== 0) { - \OCP\Util::writeLog('user_ldap', 'Attempt for Paging? ' . print_r($pagedSearchOK, true), ILogger::ERROR); + $this->logger->error('Attempt for Paging? ' . print_r($pagedSearchOK, true), ['app' => 'user_ldap']); return false; } @@ -1159,12 +1138,12 @@ class Access extends LDAPUtility { /** * processes an LDAP paged search operation * - * @param resource $sr the array containing the LDAP search resources + * @param \LDAP\Result|\LDAP\Result[] $sr the array containing the LDAP search resources * @param int $foundItems number of results in the single search operation * @param int $limit maximum results to be counted * @param bool $pagedSearchOK whether a paged search has been executed * @param bool $skipHandling required for paged search when cookies to - * prior results need to be gained + * prior results need to be gained * @return bool cookie validity, true if we have more pages, false otherwise. * @throws ServerNotAvailableException */ @@ -1173,9 +1152,9 @@ class Access extends LDAPUtility { int $foundItems, int $limit, bool $pagedSearchOK, - bool $skipHandling + bool $skipHandling, ): bool { - $cookie = null; + $cookie = ''; if ($pagedSearchOK) { $cr = $this->connection->getConnectionResource(); if ($this->ldap->controlPagedResultResponse($cr, $sr, $cookie)) { @@ -1187,14 +1166,14 @@ class Access extends LDAPUtility { return false; } // if count is bigger, then the server does not support - // paged search. Instead, he did a normal search. We set a + // paged search. Instead, they did a normal search. We set a // flag here, so the callee knows how to deal with it. if ($foundItems <= $limit) { $this->pagedSearchedSuccessful = true; } } else { - if (!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) { - \OC::$server->getLogger()->debug( + if ((int)$this->connection->ldapPagingSize !== 0) { + $this->logger->debug( 'Paged search was not available', ['app' => 'user_ldap'] ); @@ -1213,34 +1192,30 @@ class Access extends LDAPUtility { * * @param string $filter the LDAP filter for the search * @param array $bases an array containing the LDAP subtree(s) that shall be searched - * @param string|string[] $attr optional, array, one or more attributes that shall be - * retrieved. Results will according to the order in the array. - * @param int $limit optional, maximum results to be counted - * @param int $offset optional, a starting point + * @param ?string[] $attr optional, array, one or more attributes that shall be + * retrieved. Results will according to the order in the array. + * @param int $limit maximum results to be counted, 0 means no limit + * @param int $offset a starting point, defaults to 0 * @param bool $skipHandling indicates whether the pages search operation is - * completed + * completed * @return int|false Integer or false if the search could not be initialized * @throws ServerNotAvailableException */ private function count( string $filter, array $bases, - $attr = null, - ?int $limit = null, - ?int $offset = null, - bool $skipHandling = false + ?array $attr = null, + int $limit = 0, + int $offset = 0, + bool $skipHandling = false, ) { - \OC::$server->getLogger()->debug('Count filter: {filter}', [ + $this->logger->debug('Count filter: {filter}', [ 'app' => 'user_ldap', 'filter' => $filter ]); - if (!is_null($attr) && !is_array($attr)) { - $attr = [mb_strtolower($attr, 'UTF-8')]; - } - $limitPerPage = (int)$this->connection->ldapPagingSize; - if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { + if ($limit < $limitPerPage && $limit > 0) { $limitPerPage = $limit; } @@ -1254,7 +1229,7 @@ class Access extends LDAPUtility { if ($search === false) { return $counter > 0 ? $counter : false; } - list($sr, $pagedSearchOK) = $search; + [$sr, $pagedSearchOK] = $search; /* ++ Fixing RHDS searches with pages with zero results ++ * countEntriesInSearchResults() method signature changed @@ -1269,24 +1244,26 @@ class Access extends LDAPUtility { * Continue now depends on $hasMorePages value */ $continue = $pagedSearchOK && $hasMorePages; - } while ($continue && (is_null($limit) || $limit <= 0 || $limit > $counter)); + } while ($continue && ($limit <= 0 || $limit > $counter)); } return $counter; } /** - * @param resource $sr + * @param \LDAP\Result|\LDAP\Result[] $sr * @return int * @throws ServerNotAvailableException */ private function countEntriesInSearchResults($sr): int { - return (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $sr); + return (int)$this->invokeLDAPMethod('countEntries', $sr); } /** * Executes an LDAP search * + * DN values in the result set are escaped as per RFC 2253 + * * @throws ServerNotAvailableException */ public function search( @@ -1295,17 +1272,13 @@ class Access extends LDAPUtility { ?array $attr = null, ?int $limit = null, ?int $offset = null, - bool $skipHandling = false + bool $skipHandling = false, ): array { $limitPerPage = (int)$this->connection->ldapPagingSize; if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { $limitPerPage = $limit; } - if (!is_null($attr) && !is_array($attr)) { - $attr = [mb_strtolower($attr, 'UTF-8')]; - } - /* ++ Fixing RHDS searches with pages with zero results ++ * As we can have pages with zero results and/or pages with less * than $limit results but with a still valid server 'cookie', @@ -1313,6 +1286,7 @@ class Access extends LDAPUtility { * $findings['count'] < $limit */ $findings = []; + $offset = $offset ?? 0; $savedoffset = $offset; $iFoundItems = 0; @@ -1321,8 +1295,7 @@ class Access extends LDAPUtility { if ($search === false) { return []; } - list($sr, $pagedSearchOK) = $search; - $cr = $this->connection->getConnectionResource(); + [$sr, $pagedSearchOK] = $search; if ($skipHandling) { //i.e. result do not need to be fetched, we just need the cookie @@ -1332,7 +1305,7 @@ class Access extends LDAPUtility { return []; } - $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $sr)); + $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $sr)); $iFoundItems = max($iFoundItems, $findings['count']); unset($findings['count']); @@ -1343,12 +1316,6 @@ class Access extends LDAPUtility { // resetting offset $offset = $savedoffset; - // if we're here, probably no connection resource is returned. - // to make Nextcloud behave nicely, we simply give back an empty array. - if (is_null($findings)) { - return []; - } - if (!is_null($attr)) { $selection = []; $i = 0; @@ -1356,7 +1323,7 @@ class Access extends LDAPUtility { if (!is_array($item)) { continue; } - $item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8'); + $item = Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8'); foreach ($attr as $key) { if (isset($item[$key])) { if (is_array($item[$key]) && isset($item[$key]['count'])) { @@ -1389,7 +1356,7 @@ class Access extends LDAPUtility { && !is_null($limit) ) ) { - $findings = array_slice($findings, (int)$offset, $limit); + $findings = array_slice($findings, $offset, $limit); } return $findings; } @@ -1406,12 +1373,15 @@ class Access extends LDAPUtility { return $name; } - // Transliteration to ASCII - $transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name); - if ($transliterated !== false) { - // depending on system config iconv can work or not - $name = $transliterated; - } + // Use htmlentities to get rid of accents + $name = htmlentities($name, ENT_NOQUOTES, 'UTF-8'); + + // Remove accents + $name = preg_replace('#&([A-Za-z])(?:acute|cedil|caron|circ|grave|orn|ring|slash|th|tilde|uml);#', '\1', $name); + // Remove ligatures + $name = preg_replace('#&([A-Za-z]{2})(?:lig);#', '\1', $name); + // Remove unknown leftover entities + $name = preg_replace('#&[^;]+;#', '', $name); // Replacements $name = str_replace(' ', '_', $name); @@ -1419,6 +1389,10 @@ class Access extends LDAPUtility { // Every remaining disallowed characters will be removed $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name); + if (strlen($name) > 64) { + $name = hash('sha256', $name, false); + } + if ($name === '') { throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); } @@ -1426,6 +1400,18 @@ class Access extends LDAPUtility { return $name; } + public function sanitizeGroupIDCandidate(string $candidate): string { + $candidate = trim($candidate); + if (strlen($candidate) > 64) { + $candidate = hash('sha256', $candidate, false); + } + if ($candidate === '') { + throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters'); + } + + return $candidate; + } + /** * escapes (user provided) parts for LDAP filter * @@ -1439,9 +1425,7 @@ class Access extends LDAPUtility { $asterisk = '*'; $input = mb_substr($input, 1, null, 'UTF-8'); } - $search = ['*', '\\', '(', ')']; - $replace = ['\\*', '\\\\', '\\(', '\\)']; - return $asterisk . str_replace($search, $replace, $input); + return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER); } /** @@ -1459,7 +1443,7 @@ class Access extends LDAPUtility { * * @param string[] $filters the filters to connect * @return string the combined filter - * Combines Filter arguments with OR + * Combines Filter arguments with OR */ public function combineFilterWithOr($filters) { return $this->combineFilter($filters, '|'); @@ -1472,7 +1456,7 @@ class Access extends LDAPUtility { * @param string $operator either & or | * @return string the combined filter */ - private function combineFilter($filters, $operator) { + private function combineFilter(array $filters, string $operator): string { $combinedFilter = '(' . $operator; foreach ($filters as $filter) { if ($filter !== '' && $filter[0] !== '(') { @@ -1490,7 +1474,7 @@ class Access extends LDAPUtility { * @param string $search the search term * @return string the final filter part to use in LDAP searches */ - public function getFilterPartForUserSearch($search) { + public function getFilterPartForUserSearch($search): string { return $this->getFilterPartForSearch($search, $this->connection->ldapAttributesForUserSearch, $this->connection->ldapUserDisplayName); @@ -1502,7 +1486,7 @@ class Access extends LDAPUtility { * @param string $search the search term * @return string the final filter part to use in LDAP searches */ - public function getFilterPartForGroupSearch($search) { + public function getFilterPartForGroupSearch($search): string { return $this->getFilterPartForSearch($search, $this->connection->ldapAttributesForGroupSearch, $this->connection->ldapGroupDisplayName); @@ -1513,12 +1497,12 @@ class Access extends LDAPUtility { * string into single words * * @param string $search the search term - * @param string[] $searchAttributes needs to have at least two attributes, - * otherwise it does not make sense :) + * @param string[]|null|'' $searchAttributes needs to have at least two attributes, + * otherwise it does not make sense :) * @return string the final filter part to use in LDAP searches * @throws DomainException */ - private function getAdvancedFilterPartForSearch($search, $searchAttributes) { + private function getAdvancedFilterPartForSearch(string $search, $searchAttributes): string { if (!is_array($searchAttributes) || count($searchAttributes) < 2) { throw new DomainException('searchAttributes must be an array with at least two string'); } @@ -1540,15 +1524,15 @@ class Access extends LDAPUtility { * creates a filter part for searches * * @param string $search the search term - * @param string[]|null $searchAttributes + * @param string[]|null|'' $searchAttributes * @param string $fallbackAttribute a fallback attribute in case the user - * did not define search attributes. Typically the display name attribute. + * did not define search attributes. Typically the display name attribute. * @return string the final filter part to use in LDAP searches */ - private function getFilterPartForSearch($search, $searchAttributes, $fallbackAttribute) { + private function getFilterPartForSearch(string $search, $searchAttributes, string $fallbackAttribute): string { $filter = []; $haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0); - if ($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) { + if ($haveMultiSearchAttributes && str_contains(trim($search), ' ')) { try { return $this->getAdvancedFilterPartForSearch($search, $searchAttributes); } catch (DomainException $e) { @@ -1556,14 +1540,23 @@ class Access extends LDAPUtility { } } + $originalSearch = $search; $search = $this->prepareSearchTerm($search); if (!is_array($searchAttributes) || count($searchAttributes) === 0) { if ($fallbackAttribute === '') { return ''; } + // wildcards don't work with some attributes + if ($originalSearch !== '') { + $filter[] = $fallbackAttribute . '=' . $originalSearch; + } $filter[] = $fallbackAttribute . '=' . $search; } else { foreach ($searchAttributes as $attribute) { + // wildcards don't work with some attributes + if ($originalSearch !== '') { + $filter[] = $attribute . '=' . $originalSearch; + } $filter[] = $attribute . '=' . $search; } } @@ -1577,11 +1570,9 @@ class Access extends LDAPUtility { * returns the search term depending on whether we are allowed * list users found by ldap with the current input appended by * a * - * - * @return string */ - private function prepareSearchTerm($term) { - $config = \OC::$server->getConfig(); + private function prepareSearchTerm(string $term): string { + $config = Server::get(IConfig::class); $allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes'); @@ -1596,10 +1587,8 @@ class Access extends LDAPUtility { /** * returns the filter used for counting users - * - * @return string */ - public function getFilterForUserCount() { + public function getFilterForUserCount(): string { $filter = $this->combineFilterWithAnd([ $this->connection->ldapUserFilter, $this->connection->ldapUserDisplayName . '=*' @@ -1608,17 +1597,15 @@ class Access extends LDAPUtility { return $filter; } - /** - * @param string $name - * @param string $password - * @return bool - */ - public function areCredentialsValid($name, $password) { + public function areCredentialsValid(string $name, string $password): bool { + if ($name === '' || $password === '') { + return false; + } $name = $this->helper->DNasBaseParameter($name); $testConnection = clone $this->connection; $credentials = [ 'ldapAgentName' => $name, - 'ldapAgentPassword' => $password + 'ldapAgentPassword' => $password, ]; if (!$testConnection->setConfiguration($credentials)) { return false; @@ -1670,7 +1657,7 @@ class Access extends LDAPUtility { $filter = $uuidAttr . '=' . $uuid; $result = $this->searchUsers($filter, ['dn'], 2); - if (is_array($result) && isset($result[0]) && isset($result[0]['dn']) && count($result) === 1) { + if (isset($result[0]['dn']) && count($result) === 1) { // we put the count into account to make sure that this is // really unique return $result[0]['dn'][0]; @@ -1689,7 +1676,7 @@ class Access extends LDAPUtility { * @return bool true on success, false otherwise * @throws ServerNotAvailableException */ - private function detectUuidAttribute($dn, $isUser = true, $force = false, array $ldapRecord = null) { + private function detectUuidAttribute(string $dn, bool $isUser = true, bool $force = false, ?array $ldapRecord = null): bool { if ($isUser) { $uuidAttr = 'ldapUuidUserAttribute'; $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; @@ -1707,7 +1694,7 @@ class Access extends LDAPUtility { } $attribute = $this->connection->getFromCache($uuidAttr); - if (!$attribute === null) { + if ($attribute !== null) { $this->connection->$uuidAttr = $attribute; return true; } @@ -1724,7 +1711,7 @@ class Access extends LDAPUtility { $value = $this->readAttribute($dn, $attribute); if (is_array($value) && isset($value[0]) && !empty($value[0])) { - \OC::$server->getLogger()->debug( + $this->logger->debug( 'Setting {attribute} as {subject}', [ 'app' => 'user_ldap', @@ -1737,19 +1724,17 @@ class Access extends LDAPUtility { return true; } } - \OC::$server->getLogger()->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']); + $this->logger->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']); return false; } /** - * @param string $dn - * @param bool $isUser - * @param null $ldapRecord - * @return bool|string + * @param array|null $ldapRecord + * @return false|string * @throws ServerNotAvailableException */ - public function getUUID($dn, $isUser = true, $ldapRecord = null) { + public function getUUID(string $dn, bool $isUser = true, ?array $ldapRecord = null) { if ($isUser) { $uuidAttr = 'ldapUuidUserAttribute'; $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; @@ -1761,7 +1746,7 @@ class Access extends LDAPUtility { $uuid = false; if ($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) { $attr = $this->connection->$uuidAttr; - $uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr); + $uuid = $ldapRecord[$attr] ?? $this->readAttribute($dn, $attr); if (!is_array($uuid) && $uuidOverride !== '' && $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord)) { @@ -1769,7 +1754,7 @@ class Access extends LDAPUtility { ? $ldapRecord[$this->connection->$uuidAttr] : $this->readAttribute($dn, $this->connection->$uuidAttr); } - if (is_array($uuid) && isset($uuid[0]) && !empty($uuid[0])) { + if (is_array($uuid) && !empty($uuid[0])) { $uuid = $uuid[0]; } } @@ -1780,11 +1765,10 @@ class Access extends LDAPUtility { /** * converts a binary ObjectGUID into a string representation * - * @param string $oguid the ObjectGUID in it's binary form as retrieved from AD - * @return string + * @param string $oguid the ObjectGUID in its binary form as retrieved from AD * @link https://www.php.net/manual/en/function.ldap-get-values-len.php#73198 */ - private function convertObjectGUID2Str($oguid) { + private function convertObjectGUID2Str(string $oguid): string { $hex_guid = bin2hex($oguid); $hex_guid_to_guid_str = ''; for ($k = 1; $k <= 4; ++$k) { @@ -1807,18 +1791,12 @@ class Access extends LDAPUtility { /** * the first three blocks of the string-converted GUID happen to be in * reverse order. In order to use it in a filter, this needs to be - * corrected. Furthermore the dashes need to be replaced and \\ preprended - * to every two hax figures. + * corrected. Furthermore the dashes need to be replaced and \\ prepended + * to every two hex figures. * * If an invalid string is passed, it will be returned without change. - * - * @param string $guid - * @return string */ - public function formatGuid2ForFilterUser($guid) { - if (!is_string($guid)) { - throw new \InvalidArgumentException('String expected'); - } + public function formatGuid2ForFilterUser(string $guid): string { $blocks = explode('-', $guid); if (count($blocks) !== 5) { /* @@ -1832,9 +1810,9 @@ class Access extends LDAPUtility { * an exception here would kill the experience for a valid, acting * user. Instead we write a log message. */ - \OC::$server->getLogger()->info( - 'Passed string does not resemble a valid GUID. Known UUID ' . - '({uuid}) probably does not match UUID configuration.', + $this->logger->info( + 'Passed string does not resemble a valid GUID. Known UUID ' + . '({uuid}) probably does not match UUID configuration.', ['app' => 'user_ldap', 'uuid' => $guid] ); return $guid; @@ -1919,11 +1897,9 @@ class Access extends LDAPUtility { /** * checks if the given DN is part of the given base DN(s) * - * @param string $dn the DN * @param string[] $bases array containing the allowed base DN or DNs - * @return bool */ - public function isDNPartOfBase($dn, $bases) { + public function isDNPartOfBase(string $dn, array $bases): bool { $belongsToBase = false; $bases = $this->helper->sanitizeDN($bases); @@ -1944,12 +1920,10 @@ class Access extends LDAPUtility { * * @throws ServerNotAvailableException */ - private function abandonPagedSearch() { + private function abandonPagedSearch(): void { if ($this->lastCookie === '') { return; } - $cr = $this->connection->getConnectionResource(); - $this->invokeLDAPMethod('controlPagedResult', $cr, 0, false); $this->getPagedSearchResultState(); $this->lastCookie = ''; } @@ -1966,7 +1940,7 @@ class Access extends LDAPUtility { * @return bool */ public function hasMoreResults() { - if (empty($this->lastCookie) && $this->lastCookie !== '0') { + if ($this->lastCookie === '') { // as in RFC 2696, when all results are returned, the cookie will // be empty. return false; @@ -1990,63 +1964,67 @@ class Access extends LDAPUtility { * Prepares a paged search, if possible * * @param string $filter the LDAP filter for the search - * @param string[] $bases an array containing the LDAP subtree(s) that shall be searched + * @param string $base the LDAP subtree that shall be searched * @param string[] $attr optional, when a certain attribute shall be filtered outside * @param int $limit * @param int $offset - * @return bool|true + * @return array{bool, int, string} * @throws ServerNotAvailableException + * @throws NoMoreResults */ private function initPagedSearch( string $filter, string $base, ?array $attr, - int $limit, - int $offset - ): bool { + int $pageSize, + int $offset, + ): array { $pagedSearchOK = false; - if ($limit !== 0) { - \OC::$server->getLogger()->debug( - 'initializing paged search for filter {filter}, base {base}, attr {attr}, limit {limit}, offset {offset}', + if ($pageSize !== 0) { + $this->logger->debug( + 'initializing paged search for filter {filter}, base {base}, attr {attr}, pageSize {pageSize}, offset {offset}', [ 'app' => 'user_ldap', 'filter' => $filter, 'base' => $base, 'attr' => $attr, - 'limit' => $limit, + 'pageSize' => $pageSize, 'offset' => $offset ] ); - //get the cookie from the search for the previous search, required by LDAP - if (empty($this->lastCookie) && $this->lastCookie !== "0" && ($offset > 0)) { + // Get the cookie from the search for the previous search, required by LDAP + if (($this->lastCookie === '') && ($offset > 0)) { // no cookie known from a potential previous search. We need // to start from 0 to come to the desired page. cookie value // of '0' is valid, because 389ds - $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit; - $this->search($filter, $base, $attr, $limit, $reOffset, true); + $defaultPageSize = (int)$this->connection->ldapPagingSize; + if ($offset < $defaultPageSize) { + /* Make a search with offset as page size and dismiss the result, to init the cookie */ + $this->search($filter, $base, $attr, $offset, 0, true); + } else { + /* Make a search for previous page and dismiss the result, to init the cookie */ + $reOffset = $offset - $defaultPageSize; + $this->search($filter, $base, $attr, $defaultPageSize, $reOffset, true); + } if (!$this->hasMoreResults()) { // when the cookie is reset with != 0 offset, there are no further // results, so stop. - return false; + throw new NoMoreResults(); } } if ($this->lastCookie !== '' && $offset === 0) { //since offset = 0, this is a new search. We abandon other searches that might be ongoing. $this->abandonPagedSearch(); } - $pagedSearchOK = true === $this->invokeLDAPMethod( - 'controlPagedResult', $this->connection->getConnectionResource(), $limit, false - ); - if ($pagedSearchOK) { - \OC::$server->getLogger()->debug('Ready for a paged search', ['app' => 'user_ldap']); - } + $this->logger->debug('Ready for a paged search', ['app' => 'user_ldap']); + return [true, $pageSize, $this->lastCookie]; /* ++ Fixing RHDS searches with pages with zero results ++ - * We coudn't get paged searches working with our RHDS for login ($limit = 0), + * We couldn't get paged searches working with our RHDS for login ($limit = 0), * due to pages with zero results. * So we added "&& !empty($this->lastCookie)" to this test to ignore pagination * if we don't have a previous paged search. */ - } elseif ($limit === 0 && !empty($this->lastCookie)) { + } elseif ($this->lastCookie !== '') { // a search without limit was requested. However, if we do use // Paged Search once, we always must do it. This requires us to // initialize it with the configured page size. @@ -2054,12 +2032,10 @@ class Access extends LDAPUtility { // in case someone set it to 0 … use 500, otherwise no results will // be returned. $pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500; - $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult', - $this->connection->getConnectionResource(), - $pageSize, false); + return [true, $pageSize, $this->lastCookie]; } - return $pagedSearchOK; + return [false, $pageSize, '']; } /** diff --git a/apps/user_ldap/lib/AccessFactory.php b/apps/user_ldap/lib/AccessFactory.php index 96f2655f046..da114c467a7 100644 --- a/apps/user_ldap/lib/AccessFactory.php +++ b/apps/user_ldap/lib/AccessFactory.php @@ -1,66 +1,44 @@ <?php + /** - * @copyright Copyright (c) 2018 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; use OCA\User_LDAP\User\Manager; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\IAppConfig; use OCP\IConfig; use OCP\IUserManager; +use OCP\Server; +use Psr\Log\LoggerInterface; class AccessFactory { - /** @var ILDAPWrapper */ - protected $ldap; - /** @var Manager */ - protected $userManager; - /** @var Helper */ - protected $helper; - /** @var IConfig */ - protected $config; - /** @var IUserManager */ - private $ncUserManager; public function __construct( - ILDAPWrapper $ldap, - Manager $userManager, - Helper $helper, - IConfig $config, - IUserManager $ncUserManager) { - $this->ldap = $ldap; - $this->userManager = $userManager; - $this->helper = $helper; - $this->config = $config; - $this->ncUserManager = $ncUserManager; + private ILDAPWrapper $ldap, + private Helper $helper, + private IConfig $config, + private IAppConfig $appConfig, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IEventDispatcher $dispatcher, + ) { } - public function get(Connection $connection) { + public function get(Connection $connection): Access { + /* Each Access instance gets its own Manager instance, see OCA\User_LDAP\AppInfo\Application::register() */ return new Access( - $connection, $this->ldap, - $this->userManager, + $connection, + Server::get(Manager::class), $this->helper, $this->config, - $this->ncUserManager + $this->ncUserManager, + $this->logger, + $this->appConfig, + $this->dispatcher, ); } } diff --git a/apps/user_ldap/lib/AppInfo/Application.php b/apps/user_ldap/lib/AppInfo/Application.php index 8dad63fbaf8..70b7920f7ab 100644 --- a/apps/user_ldap/lib/AppInfo/Application.php +++ b/apps/user_ldap/lib/AppInfo/Application.php @@ -1,29 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\AppInfo; use Closure; @@ -37,7 +17,11 @@ use OCA\User_LDAP\Handler\ExtStorageConfigHandler; use OCA\User_LDAP\Helper; use OCA\User_LDAP\ILDAPWrapper; use OCA\User_LDAP\LDAP; +use OCA\User_LDAP\LoginListener; use OCA\User_LDAP\Notification\Notifier; +use OCA\User_LDAP\SetupChecks\LdapConnection; +use OCA\User_LDAP\SetupChecks\LdapInvalidUuids; +use OCA\User_LDAP\User\Manager; use OCA\User_LDAP\User_Proxy; use OCA\User_LDAP\UserPluginManager; use OCP\AppFramework\App; @@ -46,11 +30,19 @@ use OCP\AppFramework\Bootstrap\IBootstrap; use OCP\AppFramework\Bootstrap\IRegistrationContext; use OCP\AppFramework\IAppContainer; use OCP\EventDispatcher\IEventDispatcher; +use OCP\IAvatarManager; +use OCP\IConfig; use OCP\IGroupManager; use OCP\IL10N; +use OCP\Image; use OCP\IServerContainer; +use OCP\IUserManager; use OCP\Notification\IManager as INotificationManager; -use Symfony\Component\EventDispatcher\EventDispatcherInterface; +use OCP\Share\IManager as IShareManager; +use OCP\User\Events\PostLoginEvent; +use OCP\Util; +use Psr\Container\ContainerInterface; +use Psr\Log\LoggerInterface; class Application extends App implements IBootstrap { public function __construct() { @@ -75,37 +67,61 @@ class Application extends App implements IBootstrap { ); }); - $container->registerService(ILDAPWrapper::class, function () { - return new LDAP(); + $container->registerService(ILDAPWrapper::class, function (IAppContainer $appContainer) { + /** @var IServerContainer $server */ + $server = $appContainer->get(IServerContainer::class); + + return new LDAP( + $server->getConfig()->getSystemValueString('ldap_log_file') + ); }); } public function register(IRegistrationContext $context): void { + $context->registerNotifierService(Notifier::class); + + $context->registerService( + Manager::class, + function (ContainerInterface $c) { + return new Manager( + $c->get(IConfig::class), + $c->get(LoggerInterface::class), + $c->get(IAvatarManager::class), + $c->get(Image::class), + $c->get(IUserManager::class), + $c->get(INotificationManager::class), + $c->get(IShareManager::class), + ); + }, + // the instance is specific to a lazy bound Access instance, thus cannot be shared. + false + ); + $context->registerEventListener(PostLoginEvent::class, LoginListener::class); + $context->registerSetupCheck(LdapInvalidUuids::class); + $context->registerSetupCheck(LdapConnection::class); } public function boot(IBootContext $context): void { $context->injectFn(function ( INotificationManager $notificationManager, IAppContainer $appContainer, - EventDispatcherInterface $legacyDispatcher, IEventDispatcher $dispatcher, + IUserManager $userManager, IGroupManager $groupManager, User_Proxy $userBackend, Group_Proxy $groupBackend, - Helper $helper - ) { + Helper $helper, + ): void { $configPrefixes = $helper->getServerConfigurationPrefixes(true); if (count($configPrefixes) > 0) { - $notificationManager->registerNotifierService(Notifier::class); - $userPluginManager = $appContainer->get(UserPluginManager::class); $groupPluginManager = $appContainer->get(GroupPluginManager::class); - \OC_User::useBackend($userBackend); + $userManager->registerBackend($userBackend); $groupManager->addBackend($groupBackend); $userBackendRegisteredEvent = new UserBackendRegistered($userBackend, $userPluginManager); - $legacyDispatcher->dispatch('OCA\\User_LDAP\\User\\User::postLDAPBackendAdded', $userBackendRegisteredEvent); + $dispatcher->dispatch('OCA\\User_LDAP\\User\\User::postLDAPBackendAdded', $userBackendRegisteredEvent); $dispatcher->dispatchTyped($userBackendRegisteredEvent); $groupBackendRegisteredEvent = new GroupBackendRegistered($groupBackend, $groupPluginManager); $dispatcher->dispatchTyped($groupBackendRegisteredEvent); @@ -114,7 +130,7 @@ class Application extends App implements IBootstrap { $context->injectFn(Closure::fromCallable([$this, 'registerBackendDependents'])); - \OCP\Util::connectHook( + Util::connectHook( '\OCA\Files_Sharing\API\Server2Server', 'preLoginNameUsedAsUserName', '\OCA\User_LDAP\Helper', @@ -122,10 +138,10 @@ class Application extends App implements IBootstrap { ); } - private function registerBackendDependents(IAppContainer $appContainer, EventDispatcherInterface $dispatcher) { + private function registerBackendDependents(IAppContainer $appContainer, IEventDispatcher $dispatcher): void { $dispatcher->addListener( 'OCA\\Files_External::loadAdditionalBackends', - function () use ($appContainer) { + function () use ($appContainer): void { $storagesBackendService = $appContainer->get(BackendService::class); $storagesBackendService->registerConfigHandler('home', function () use ($appContainer) { return $appContainer->get(ExtStorageConfigHandler::class); diff --git a/apps/user_ldap/lib/BackendUtility.php b/apps/user_ldap/lib/BackendUtility.php index a4eb739ab66..88d7311cde0 100644 --- a/apps/user_ldap/lib/BackendUtility.php +++ b/apps/user_ldap/lib/BackendUtility.php @@ -1,38 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; abstract class BackendUtility { - protected $access; - /** * constructor, make sure the subclasses call this one! * @param Access $access an instance of Access for LDAP interaction */ - public function __construct(Access $access) { - $this->access = $access; + public function __construct( + protected Access $access, + ) { } } diff --git a/apps/user_ldap/lib/Command/CheckGroup.php b/apps/user_ldap/lib/Command/CheckGroup.php new file mode 100644 index 00000000000..9c7ccb9d3b3 --- /dev/null +++ b/apps/user_ldap/lib/Command/CheckGroup.php @@ -0,0 +1,162 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCA\User_LDAP\Helper; +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Service\UpdateGroupsService; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\Group\Events\GroupCreatedEvent; +use OCP\Group\Events\UserAddedEvent; +use OCP\Group\Events\UserRemovedEvent; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class CheckGroup extends Command { + public function __construct( + private UpdateGroupsService $service, + protected Group_Proxy $backend, + protected Helper $helper, + protected GroupMapping $mapping, + protected IEventDispatcher $dispatcher, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:check-group') + ->setDescription('checks whether a group exists on LDAP.') + ->addArgument( + 'ocName', + InputArgument::REQUIRED, + 'the group name as used in Nextcloud, or the LDAP DN' + ) + ->addOption( + 'force', + null, + InputOption::VALUE_NONE, + 'ignores disabled LDAP configuration' + ) + ->addOption( + 'update', + null, + InputOption::VALUE_NONE, + 'syncs values from LDAP' + ) + ; + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $this->dispatcher->addListener(GroupCreatedEvent::class, fn ($event) => $this->onGroupCreatedEvent($event, $output)); + $this->dispatcher->addListener(UserAddedEvent::class, fn ($event) => $this->onUserAddedEvent($event, $output)); + $this->dispatcher->addListener(UserRemovedEvent::class, fn ($event) => $this->onUserRemovedEvent($event, $output)); + try { + $this->assertAllowed($input->getOption('force')); + $gid = $input->getArgument('ocName'); + $wasMapped = $this->groupWasMapped($gid); + if ($this->backend->getLDAPAccess($gid)->stringResemblesDN($gid)) { + $groupname = $this->backend->dn2GroupName($gid); + if ($groupname !== false) { + $gid = $groupname; + } + } + /* Search to trigger mapping for new groups */ + $this->backend->getGroups($gid); + $exists = $this->backend->groupExistsOnLDAP($gid, true); + if ($exists === true) { + $output->writeln('The group is still available on LDAP.'); + if ($input->getOption('update')) { + $this->backend->getLDAPAccess($gid)->connection->clearCache(); + if ($wasMapped) { + $this->service->handleKnownGroups([$gid]); + } else { + $this->service->handleCreatedGroups([$gid]); + } + } + return self::SUCCESS; + } + + if ($wasMapped) { + $output->writeln('The group does not exist on LDAP anymore.'); + if ($input->getOption('update')) { + $this->backend->getLDAPAccess($gid)->connection->clearCache(); + $this->service->handleRemovedGroups([$gid]); + } + return self::SUCCESS; + } + + throw new \Exception('The given group is not a recognized LDAP group.'); + } catch (\Exception $e) { + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; + } + } + + public function onGroupCreatedEvent(GroupCreatedEvent $event, OutputInterface $output): void { + $output->writeln('<info>The group ' . $event->getGroup()->getGID() . ' was added to Nextcloud with ' . $event->getGroup()->count() . ' users</info>'); + } + + public function onUserAddedEvent(UserAddedEvent $event, OutputInterface $output): void { + $user = $event->getUser(); + $group = $event->getGroup(); + $output->writeln('<info>The user ' . $user->getUID() . ' was added to group ' . $group->getGID() . '</info>'); + } + + public function onUserRemovedEvent(UserRemovedEvent $event, OutputInterface $output): void { + $user = $event->getUser(); + $group = $event->getGroup(); + $output->writeln('<info>The user ' . $user->getUID() . ' was removed from group ' . $group->getGID() . '</info>'); + } + + /** + * checks whether a group is actually mapped + * @param string $gid the groupname as passed to the command + */ + protected function groupWasMapped(string $gid): bool { + $dn = $this->mapping->getDNByName($gid); + if ($dn !== false) { + return true; + } + $name = $this->mapping->getNameByDN($gid); + return $name !== false; + } + + /** + * checks whether the setup allows reliable checking of LDAP group existence + * @throws \Exception + */ + protected function assertAllowed(bool $force): void { + if ($this->helper->haveDisabledConfigurations() && !$force) { + throw new \Exception('Cannot check group existence, because ' + . 'disabled LDAP configurations are present.'); + } + + // we don't check ldapUserCleanupInterval from config.php because this + // action is triggered manually, while the setting only controls the + // background job. + } + + private function updateGroup(string $gid, OutputInterface $output, bool $wasMapped): void { + try { + if ($wasMapped) { + $this->service->handleKnownGroups([$gid]); + } else { + $this->service->handleCreatedGroups([$gid]); + } + } catch (\Exception $e) { + $output->writeln('<error>Error while trying to lookup and update attributes from LDAP</error>'); + } + } +} diff --git a/apps/user_ldap/lib/Command/CheckUser.php b/apps/user_ldap/lib/Command/CheckUser.php index 5314cac365a..8bb26ce3d0e 100644 --- a/apps/user_ldap/lib/Command/CheckUser.php +++ b/apps/user_ldap/lib/Command/CheckUser.php @@ -1,29 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; use OCA\User_LDAP\Helper; @@ -37,47 +18,30 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class CheckUser extends Command { - /** @var User_Proxy */ - protected $backend; - - /** @var Helper */ - protected $helper; - - /** @var DeletedUsersIndex */ - protected $dui; - - /** @var UserMapping */ - protected $mapping; - - /** - * @param User_Proxy $uBackend - * @param Helper $helper - * @param DeletedUsersIndex $dui - * @param UserMapping $mapping - */ - public function __construct(User_Proxy $uBackend, Helper $helper, DeletedUsersIndex $dui, UserMapping $mapping) { - $this->backend = $uBackend; - $this->helper = $helper; - $this->dui = $dui; - $this->mapping = $mapping; + public function __construct( + protected User_Proxy $backend, + protected Helper $helper, + protected DeletedUsersIndex $dui, + protected UserMapping $mapping, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:check-user') ->setDescription('checks whether a user exists on LDAP.') ->addArgument( - 'ocName', - InputArgument::REQUIRED, - 'the user name as used in Nextcloud' - ) + 'ocName', + InputArgument::REQUIRED, + 'the user name as used in Nextcloud, or the LDAP DN' + ) ->addOption( - 'force', - null, - InputOption::VALUE_NONE, - 'ignores disabled LDAP configuration' - ) + 'force', + null, + InputOption::VALUE_NONE, + 'ignores disabled LDAP configuration' + ) ->addOption( 'update', null, @@ -89,50 +53,53 @@ class CheckUser extends Command { protected function execute(InputInterface $input, OutputInterface $output): int { try { + $this->assertAllowed($input->getOption('force')); $uid = $input->getArgument('ocName'); - $this->isAllowed($input->getOption('force')); - $this->confirmUserIsMapped($uid); - $exists = $this->backend->userExistsOnLDAP($uid); + if ($this->backend->getLDAPAccess($uid)->stringResemblesDN($uid)) { + $username = $this->backend->dn2UserName($uid); + if ($username !== false) { + $uid = $username; + } + } + $wasMapped = $this->userWasMapped($uid); + $exists = $this->backend->userExistsOnLDAP($uid, true); if ($exists === true) { $output->writeln('The user is still available on LDAP.'); if ($input->getOption('update')) { $this->updateUser($uid, $output); } - return 0; + return self::SUCCESS; } - $this->dui->markUser($uid); - $output->writeln('The user does not exists on LDAP anymore.'); - $output->writeln('Clean up the user\'s remnants by: ./occ user:delete "' - . $uid . '"'); - return 0; + if ($wasMapped) { + $this->dui->markUser($uid); + $output->writeln('The user does not exists on LDAP anymore.'); + $output->writeln('Clean up the user\'s remnants by: ./occ user:delete "' + . $uid . '"'); + return self::SUCCESS; + } + + throw new \Exception('The given user is not a recognized LDAP user.'); } catch (\Exception $e) { - $output->writeln('<error>' . $e->getMessage(). '</error>'); - return 1; + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; } } /** * checks whether a user is actually mapped * @param string $ocName the username as used in Nextcloud - * @throws \Exception - * @return true */ - protected function confirmUserIsMapped($ocName) { + protected function userWasMapped(string $ocName): bool { $dn = $this->mapping->getDNByName($ocName); - if ($dn === false) { - throw new \Exception('The given user is not a recognized LDAP user.'); - } - - return true; + return $dn !== false; } /** * checks whether the setup allows reliable checking of LDAP user existence * @throws \Exception - * @return true */ - protected function isAllowed($force) { + protected function assertAllowed(bool $force): void { if ($this->helper->haveDisabledConfigurations() && !$force) { throw new \Exception('Cannot check user existence, because ' . 'disabled LDAP configurations are present.'); @@ -141,8 +108,6 @@ class CheckUser extends Command { // we don't check ldapUserCleanupInterval from config.php because this // action is triggered manually, while the setting only controls the // background job. - - return true; } private function updateUser(string $uid, OutputInterface $output): void { @@ -151,7 +116,8 @@ class CheckUser extends Command { $attrs = $access->userManager->getAttributes(); $user = $access->userManager->get($uid); $avatarAttributes = $access->getConnection()->resolveRule('avatar'); - $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); + $baseDn = $this->helper->DNasBaseParameter($user->getDN()); + $result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0); foreach ($result[0] as $attribute => $valueSet) { $output->writeln(' ' . $attribute . ': '); foreach ($valueSet as $value) { diff --git a/apps/user_ldap/lib/Command/CreateEmptyConfig.php b/apps/user_ldap/lib/Command/CreateEmptyConfig.php index 4d88bf80c5e..7c381cf431f 100644 --- a/apps/user_ldap/lib/Command/CreateEmptyConfig.php +++ b/apps/user_ldap/lib/Command/CreateEmptyConfig.php @@ -1,29 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Martin Konrad <konrad@frib.msu.edu> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; use OCA\User_LDAP\Configuration; @@ -34,18 +15,13 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class CreateEmptyConfig extends Command { - /** @var \OCA\User_LDAP\Helper */ - protected $helper; - - /** - * @param Helper $helper - */ - public function __construct(Helper $helper) { - $this->helper = $helper; + public function __construct( + protected Helper $helper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:create-empty-config') ->setDescription('creates an empty LDAP configuration') @@ -61,6 +37,7 @@ class CreateEmptyConfig extends Command { protected function execute(InputInterface $input, OutputInterface $output): int { $configPrefix = $this->helper->getNextServerConfigurationPrefix(); $configHolder = new Configuration($configPrefix); + $configHolder->ldapConfigurationActive = false; $configHolder->saveConfiguration(); $prose = ''; @@ -68,6 +45,6 @@ class CreateEmptyConfig extends Command { $prose = 'Created new configuration with configID '; } $output->writeln($prose . "{$configPrefix}"); - return 0; + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/DeleteConfig.php b/apps/user_ldap/lib/Command/DeleteConfig.php index c76ba6f296b..7604e229bed 100644 --- a/apps/user_ldap/lib/Command/DeleteConfig.php +++ b/apps/user_ldap/lib/Command/DeleteConfig.php @@ -1,29 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Martin Konrad <info@martin-konrad.net> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; use OCA\User_LDAP\Helper; @@ -33,41 +14,35 @@ use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class DeleteConfig extends Command { - /** @var \OCA\User_LDAP\Helper */ - protected $helper; - - /** - * @param Helper $helper - */ - public function __construct(Helper $helper) { - $this->helper = $helper; + public function __construct( + protected Helper $helper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:delete-config') ->setDescription('deletes an existing LDAP configuration') ->addArgument( - 'configID', - InputArgument::REQUIRED, - 'the configuration ID' - ) + 'configID', + InputArgument::REQUIRED, + 'the configuration ID' + ) ; } - protected function execute(InputInterface $input, OutputInterface $output): int { $configPrefix = $input->getArgument('configID'); $success = $this->helper->deleteServerConfiguration($configPrefix); - if ($success) { - $output->writeln("Deleted configuration with configID '{$configPrefix}'"); - return 0; - } else { + if (!$success) { $output->writeln("Cannot delete configuration with configID '{$configPrefix}'"); - return 1; + return self::FAILURE; } + + $output->writeln("Deleted configuration with configID '{$configPrefix}'"); + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/PromoteGroup.php b/apps/user_ldap/lib/Command/PromoteGroup.php new file mode 100644 index 00000000000..b203a910b14 --- /dev/null +++ b/apps/user_ldap/lib/Command/PromoteGroup.php @@ -0,0 +1,111 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCP\IGroup; +use OCP\IGroupManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class PromoteGroup extends Command { + + public function __construct( + private IGroupManager $groupManager, + private Group_Proxy $backend, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:promote-group') + ->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)') + ->addArgument( + 'group', + InputArgument::REQUIRED, + 'the group ID in Nextcloud or a group name' + ) + ->addOption( + 'yes', + 'y', + InputOption::VALUE_NONE, + 'do not ask for confirmation' + ); + } + + protected function formatGroupName(IGroup $group): string { + $idLabel = ''; + if ($group->getGID() !== $group->getDisplayName()) { + $idLabel = sprintf(' (Group ID: %s)', $group->getGID()); + } + return sprintf('%s%s', $group->getDisplayName(), $idLabel); + } + + protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void { + $access = $this->backend->getLDAPAccess($group->getGID()); + $currentlyPromotedGroupId = $access->connection->ldapAdminGroup; + if ($currentlyPromotedGroupId === $group->getGID()) { + $output->writeln('<info>The specified group is already promoted</info>'); + return; + } + + if ($input->getOption('yes') === false) { + $currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId); + $demoteLabel = ''; + if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) { + $groupNameLabel = $this->formatGroupName($currentlyPromotedGroup); + $demoteLabel = sprintf('and demote %s ', $groupNameLabel); + } + + /** @var QuestionHelper $helper */ + $helper = $this->getHelper('question'); + $q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel)); + $input->setOption('yes', $helper->ask($input, $output, $q) === 'y'); + } + if ($input->getOption('yes') === true) { + $access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]); + $access->connection->saveConfiguration(); + $output->writeln(sprintf('<info>Group %s was promoted</info>', $group->getDisplayName())); + } else { + $output->writeln('<comment>Group promotion cancelled</comment>'); + } + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $groupInput = (string)$input->getArgument('group'); + $group = $this->groupManager->get($groupInput); + + if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) { + $this->promoteGroup($group, $input, $output); + return 0; + } + + $groupCandidates = $this->backend->getGroups($groupInput, 20); + foreach ($groupCandidates as $gidCandidate) { + $group = $this->groupManager->get($gidCandidate); + if ($group !== null + && $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group + && ($group->getGID() === $groupInput + || $group->getDisplayName() === $groupInput) + ) { + $this->promoteGroup($group, $input, $output); + return 0; + } + } + + $output->writeln('<error>No matching group found</error>'); + return 1; + } + +} diff --git a/apps/user_ldap/lib/Command/ResetGroup.php b/apps/user_ldap/lib/Command/ResetGroup.php new file mode 100644 index 00000000000..5833ca980f2 --- /dev/null +++ b/apps/user_ldap/lib/Command/ResetGroup.php @@ -0,0 +1,87 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCA\User_LDAP\GroupPluginManager; +use OCP\IGroup; +use OCP\IGroupManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class ResetGroup extends Command { + public function __construct( + private IGroupManager $groupManager, + private GroupPluginManager $pluginManager, + private Group_Proxy $backend, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:reset-group') + ->setDescription('deletes an LDAP group independent of the group state in the LDAP') + ->addArgument( + 'gid', + InputArgument::REQUIRED, + 'the group name as used in Nextcloud' + ) + ->addOption( + 'yes', + 'y', + InputOption::VALUE_NONE, + 'do not ask for confirmation' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + try { + $gid = $input->getArgument('gid'); + $group = $this->groupManager->get($gid); + if (!$group instanceof IGroup) { + throw new \Exception('Group not found'); + } + $backends = $group->getBackendNames(); + if (!in_array('LDAP', $backends)) { + throw new \Exception('The given group is not a recognized LDAP group.'); + } + if ($input->getOption('yes') === false) { + /** @var QuestionHelper $helper */ + $helper = $this->getHelper('question'); + $q = new Question('Delete all local data of this group (y|N)? '); + $input->setOption('yes', $helper->ask($input, $output, $q) === 'y'); + } + if ($input->getOption('yes') !== true) { + throw new \Exception('Reset cancelled by operator'); + } + + // Disable real deletion if a plugin supports it + $pluginManagerSuppressed = $this->pluginManager->setSuppressDeletion(true); + // Bypass groupExists test to force mapping deletion + $this->backend->getLDAPAccess($gid)->connection->writeToCache('groupExists' . $gid, false); + echo "calling delete $gid\n"; + if ($group->delete()) { + $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); + return self::SUCCESS; + } + } catch (\Throwable $e) { + if (isset($pluginManagerSuppressed)) { + $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); + } + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; + } + $output->writeln('<error>Error while resetting group</error>'); + return self::INVALID; + } +} diff --git a/apps/user_ldap/lib/Command/ResetUser.php b/apps/user_ldap/lib/Command/ResetUser.php new file mode 100644 index 00000000000..1409806e4ac --- /dev/null +++ b/apps/user_ldap/lib/Command/ResetUser.php @@ -0,0 +1,85 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\User\DeletedUsersIndex; +use OCA\User_LDAP\User_Proxy; +use OCA\User_LDAP\UserPluginManager; +use OCP\IUser; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class ResetUser extends Command { + public function __construct( + protected DeletedUsersIndex $dui, + private IUserManager $userManager, + private UserPluginManager $pluginManager, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:reset-user') + ->setDescription('deletes an LDAP user independent of the user state') + ->addArgument( + 'uid', + InputArgument::REQUIRED, + 'the user id as used in Nextcloud' + ) + ->addOption( + 'yes', + 'y', + InputOption::VALUE_NONE, + 'do not ask for confirmation' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + try { + $uid = $input->getArgument('uid'); + $user = $this->userManager->get($uid); + if (!$user instanceof IUser) { + throw new \Exception('User not found'); + } + $backend = $user->getBackend(); + if (!$backend instanceof User_Proxy) { + throw new \Exception('The given user is not a recognized LDAP user.'); + } + if ($input->getOption('yes') === false) { + /** @var QuestionHelper $helper */ + $helper = $this->getHelper('question'); + $q = new Question('Delete all local data of this user (y|N)? '); + $input->setOption('yes', $helper->ask($input, $output, $q) === 'y'); + } + if ($input->getOption('yes') !== true) { + throw new \Exception('Reset cancelled by operator'); + } + + $this->dui->markUser($uid); + $pluginManagerSuppressed = $this->pluginManager->setSuppressDeletion(true); + if ($user->delete()) { + $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); + return self::SUCCESS; + } + } catch (\Throwable $e) { + if (isset($pluginManagerSuppressed)) { + $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); + } + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; + } + $output->writeln('<error>Error while resetting user</error>'); + return self::INVALID; + } +} diff --git a/apps/user_ldap/lib/Command/Search.php b/apps/user_ldap/lib/Command/Search.php index b8f2d885299..85906b20e9a 100644 --- a/apps/user_ldap/lib/Command/Search.php +++ b/apps/user_ldap/lib/Command/Search.php @@ -1,30 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; use OCA\User_LDAP\Group_Proxy; @@ -32,6 +12,7 @@ use OCA\User_LDAP\Helper; use OCA\User_LDAP\LDAP; use OCA\User_LDAP\User_Proxy; use OCP\IConfig; +use OCP\Server; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; @@ -40,59 +21,52 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class Search extends Command { - /** @var \OCP\IConfig */ - protected $ocConfig; - /** @var User_Proxy */ - private $userProxy; - /** @var Group_Proxy */ - private $groupProxy; - - public function __construct(IConfig $ocConfig, User_Proxy $userProxy, Group_Proxy $groupProxy) { + public function __construct( + protected IConfig $ocConfig, + private User_Proxy $userProxy, + private Group_Proxy $groupProxy, + ) { parent::__construct(); - $this->ocConfig = $ocConfig; - $this->userProxy = $userProxy; - $this->groupProxy = $groupProxy; } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:search') ->setDescription('executes a user or group search') ->addArgument( - 'search', - InputArgument::REQUIRED, - 'the search string (can be empty)' - ) + 'search', + InputArgument::REQUIRED, + 'the search string (can be empty)' + ) ->addOption( - 'group', - null, - InputOption::VALUE_NONE, - 'searches groups instead of users' - ) + 'group', + null, + InputOption::VALUE_NONE, + 'searches groups instead of users' + ) ->addOption( - 'offset', - null, - InputOption::VALUE_REQUIRED, - 'The offset of the result set. Needs to be a multiple of limit. defaults to 0.', - 0 - ) + 'offset', + null, + InputOption::VALUE_REQUIRED, + 'The offset of the result set. Needs to be a multiple of limit. defaults to 0.', + '0' + ) ->addOption( - 'limit', - null, - InputOption::VALUE_REQUIRED, - 'limit the results. 0 means no limit, defaults to 15', - 15 - ) + 'limit', + null, + InputOption::VALUE_REQUIRED, + 'limit the results. 0 means no limit, defaults to 15', + '15' + ) ; } /** * Tests whether the offset and limit options are valid - * @param int $offset - * @param int $limit + * * @throws \InvalidArgumentException */ - protected function validateOffsetAndLimit($offset, $limit) { + protected function validateOffsetAndLimit(int $offset, int $limit): void { if ($limit < 0) { throw new \InvalidArgumentException('limit must be 0 or greater'); } @@ -108,7 +82,7 @@ class Search extends Command { } protected function execute(InputInterface $input, OutputInterface $output): int { - $helper = new Helper($this->ocConfig, \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $configPrefixes = $helper->getServerConfigurationPrefixes(true); $ldapWrapper = new LDAP(); @@ -133,9 +107,9 @@ class Search extends Command { $result = $proxy->$getMethod($input->getArgument('search'), $limit, $offset); foreach ($result as $id => $name) { - $line = $name . ($printID ? ' ('.$id.')' : ''); + $line = $name . ($printID ? ' (' . $id . ')' : ''); $output->writeln($line); } - return 0; + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/SetConfig.php b/apps/user_ldap/lib/Command/SetConfig.php index 4b20ad65e9f..7e9efcf34d0 100644 --- a/apps/user_ldap/lib/Command/SetConfig.php +++ b/apps/user_ldap/lib/Command/SetConfig.php @@ -1,71 +1,52 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; use OCA\User_LDAP\Configuration; use OCA\User_LDAP\ConnectionFactory; use OCA\User_LDAP\Helper; use OCA\User_LDAP\LDAP; +use OCP\Server; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class SetConfig extends Command { - protected function configure() { + protected function configure(): void { $this ->setName('ldap:set-config') ->setDescription('modifies an LDAP configuration') ->addArgument( - 'configID', - InputArgument::REQUIRED, - 'the configuration ID' - ) + 'configID', + InputArgument::REQUIRED, + 'the configuration ID' + ) ->addArgument( - 'configKey', - InputArgument::REQUIRED, - 'the configuration key' - ) + 'configKey', + InputArgument::REQUIRED, + 'the configuration key' + ) ->addArgument( - 'configValue', - InputArgument::REQUIRED, - 'the new configuration value' - ) + 'configValue', + InputArgument::REQUIRED, + 'the new configuration value' + ) ; } protected function execute(InputInterface $input, OutputInterface $output): int { - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $availableConfigs = $helper->getServerConfigurationPrefixes(); $configID = $input->getArgument('configID'); if (!in_array($configID, $availableConfigs)) { - $output->writeln("Invalid configID"); - return 1; + $output->writeln('Invalid configID'); + return self::FAILURE; } $this->setValue( @@ -73,16 +54,13 @@ class SetConfig extends Command { $input->getArgument('configKey'), $input->getArgument('configValue') ); - return 0; + return self::SUCCESS; } /** * save the configuration value as provided - * @param string $configID - * @param string $configKey - * @param string $configValue */ - protected function setValue($configID, $key, $value) { + protected function setValue(string $configID, string $key, string $value): void { $configHolder = new Configuration($configID); $configHolder->$key = $value; $configHolder->saveConfiguration(); diff --git a/apps/user_ldap/lib/Command/ShowConfig.php b/apps/user_ldap/lib/Command/ShowConfig.php index 99180bd7996..fa021192ac4 100644 --- a/apps/user_ldap/lib/Command/ShowConfig.php +++ b/apps/user_ldap/lib/Command/ShowConfig.php @@ -1,69 +1,50 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Laurens Post <Crote@users.noreply.github.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; +use OC\Core\Command\Base; use OCA\User_LDAP\Configuration; use OCA\User_LDAP\Helper; -use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Helper\Table; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; -class ShowConfig extends Command { - /** @var \OCA\User_LDAP\Helper */ - protected $helper; - - /** - * @param Helper $helper - */ - public function __construct(Helper $helper) { - $this->helper = $helper; +class ShowConfig extends Base { + public function __construct( + protected Helper $helper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:show-config') ->setDescription('shows the LDAP configuration') ->addArgument( - 'configID', - InputArgument::OPTIONAL, - 'will show the configuration of the specified id' - ) + 'configID', + InputArgument::OPTIONAL, + 'will show the configuration of the specified id' + ) + ->addOption( + 'show-password', + null, + InputOption::VALUE_NONE, + 'show ldap bind password' + ) ->addOption( - 'show-password', - null, - InputOption::VALUE_NONE, - 'show ldap bind password' - ) + 'output', + null, + InputOption::VALUE_OPTIONAL, + 'Output format (table, plain, json or json_pretty, default is table)', + 'table' + ) ; } @@ -73,43 +54,66 @@ class ShowConfig extends Command { if (!is_null($configID)) { $configIDs[] = $configID; if (!in_array($configIDs[0], $availableConfigs)) { - $output->writeln("Invalid configID"); - return 1; + $output->writeln('Invalid configID'); + return self::FAILURE; } } else { $configIDs = $availableConfigs; } - $this->renderConfigs($configIDs, $output, $input->getOption('show-password')); - return 0; + $this->renderConfigs($configIDs, $input, $output); + return self::SUCCESS; } /** * prints the LDAP configuration(s) - * @param string[] configID(s) - * @param OutputInterface $output - * @param bool $withPassword Set to TRUE to show plaintext passwords in output + * + * @param string[] $configIDs */ - protected function renderConfigs($configIDs, $output, $withPassword) { + protected function renderConfigs( + array $configIDs, + InputInterface $input, + OutputInterface $output, + ): void { + $renderTable = $input->getOption('output') === 'table' or $input->getOption('output') === null; + $showPassword = $input->getOption('show-password'); + + $configs = []; foreach ($configIDs as $id) { $configHolder = new Configuration($id); $configuration = $configHolder->getConfiguration(); ksort($configuration); - $table = new Table($output); - $table->setHeaders(['Configuration', $id]); $rows = []; - foreach ($configuration as $key => $value) { - if ($key === 'ldapAgentPassword' && !$withPassword) { - $value = '***'; + if ($renderTable) { + foreach ($configuration as $key => $value) { + if (is_array($value)) { + $value = implode(';', $value); + } + if ($key === 'ldapAgentPassword' && !$showPassword) { + $rows[] = [$key, '***']; + } else { + $rows[] = [$key, $value]; + } } - if (is_array($value)) { - $value = implode(';', $value); + $table = new Table($output); + $table->setHeaders(['Configuration', $id]); + $table->setRows($rows); + $table->render(); + continue; + } + + foreach ($configuration as $key => $value) { + if ($key === 'ldapAgentPassword' && !$showPassword) { + $rows[$key] = '***'; + } else { + $rows[$key] = $value; } - $rows[] = [$key, $value]; } - $table->setRows($rows); - $table->render(); + $configs[$id] = $rows; + } + if (!$renderTable) { + $this->writeArrayInOutputFormat($input, $output, $configs); } } } diff --git a/apps/user_ldap/lib/Command/ShowRemnants.php b/apps/user_ldap/lib/Command/ShowRemnants.php index 2d14ff5b06e..d255aac1368 100644 --- a/apps/user_ldap/lib/Command/ShowRemnants.php +++ b/apps/user_ldap/lib/Command/ShowRemnants.php @@ -1,30 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author scolebrook <scolebrook@mac.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; use OCA\User_LDAP\User\DeletedUsersIndex; @@ -37,23 +17,14 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class ShowRemnants extends Command { - /** @var \OCA\User_LDAP\User\DeletedUsersIndex */ - protected $dui; - - /** @var \OCP\IDateTimeFormatter */ - protected $dateFormatter; - - /** - * @param DeletedUsersIndex $dui - * @param IDateTimeFormatter $dateFormatter - */ - public function __construct(DeletedUsersIndex $dui, IDateTimeFormatter $dateFormatter) { - $this->dui = $dui; - $this->dateFormatter = $dateFormatter; + public function __construct( + protected DeletedUsersIndex $dui, + protected IDateTimeFormatter $dateFormatter, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:show-remnants') ->setDescription('shows which users are not available on LDAP anymore, but have remnants in Nextcloud.') @@ -61,7 +32,7 @@ class ShowRemnants extends Command { ->addOption('short-date', null, InputOption::VALUE_NONE, 'show dates in Y-m-d format'); } - protected function formatDate(int $timestamp, string $default, bool $showShortDate) { + protected function formatDate(int $timestamp, string $default, bool $showShortDate): string { if (!($timestamp > 0)) { return $default; } @@ -104,6 +75,6 @@ class ShowRemnants extends Command { $table->setRows($rows); $table->render(); } - return 0; + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/TestConfig.php b/apps/user_ldap/lib/Command/TestConfig.php index e83befe6f30..77eaac91d85 100644 --- a/apps/user_ldap/lib/Command/TestConfig.php +++ b/apps/user_ldap/lib/Command/TestConfig.php @@ -1,95 +1,94 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Command; +use OCA\User_LDAP\AccessFactory; use OCA\User_LDAP\Connection; use OCA\User_LDAP\Helper; +use OCA\User_LDAP\ILDAPWrapper; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class TestConfig extends Command { - protected function configure() { + protected const ESTABLISHED = 0; + protected const CONF_INVALID = 1; + protected const BINDFAILURE = 2; + protected const SEARCHFAILURE = 3; + + public function __construct( + protected AccessFactory $accessFactory, + protected Helper $helper, + protected ILDAPWrapper $ldap, + ) { + parent::__construct(); + } + + protected function configure(): void { $this ->setName('ldap:test-config') ->setDescription('tests an LDAP configuration') ->addArgument( - 'configID', - InputArgument::REQUIRED, - 'the configuration ID' - ) + 'configID', + InputArgument::REQUIRED, + 'the configuration ID' + ) ; } protected function execute(InputInterface $input, OutputInterface $output): int { - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); - $availableConfigs = $helper->getServerConfigurationPrefixes(); + $availableConfigs = $this->helper->getServerConfigurationPrefixes(); $configID = $input->getArgument('configID'); if (!in_array($configID, $availableConfigs)) { - $output->writeln("Invalid configID"); - return 1; + $output->writeln('Invalid configID'); + return self::FAILURE; } $result = $this->testConfig($configID); - if ($result === 0) { - $output->writeln('The configuration is valid and the connection could be established!'); - } elseif ($result === 1) { - $output->writeln('The configuration is invalid. Please have a look at the logs for further details.'); - return 1; - } elseif ($result === 2) { - $output->writeln('The configuration is valid, but the Bind failed. Please check the server settings and credentials.'); - } else { - $output->writeln('Your LDAP server was kidnapped by aliens.'); - } - return 0; + + $message = match ($result) { + static::ESTABLISHED => 'The configuration is valid and the connection could be established!', + static::CONF_INVALID => 'The configuration is invalid. Please have a look at the logs for further details.', + static::BINDFAILURE => 'The configuration is valid, but the bind failed. Please check the server settings and credentials.', + static::SEARCHFAILURE => 'The configuration is valid and the bind passed, but a simple search on the base fails. Please check the server base setting.', + default => 'Your LDAP server was kidnapped by aliens.', + }; + + $output->writeln($message); + + return $result === static::ESTABLISHED + ? self::SUCCESS + : self::FAILURE; } /** - * tests the specified connection - * @param string $configID - * @return int + * Tests the specified connection */ - protected function testConfig($configID) { - $lw = new \OCA\User_LDAP\LDAP(); - $connection = new Connection($lw, $configID); + protected function testConfig(string $configID): int { + $connection = new Connection($this->ldap, $configID); - //ensure validation is run before we attempt the bind + // Ensure validation is run before we attempt the bind $connection->getConfiguration(); if (!$connection->setConfiguration([ 'ldap_configuration_active' => 1, ])) { - return 1; + return static::CONF_INVALID; + } + if (!$connection->bind()) { + return static::BINDFAILURE; } - if ($connection->bind()) { - return 0; + $access = $this->accessFactory->get($connection); + $result = $access->countObjects(1); + if (!is_int($result) || ($result <= 0)) { + return static::SEARCHFAILURE; } - return 2; + return static::ESTABLISHED; } } diff --git a/apps/user_ldap/lib/Command/TestUserSettings.php b/apps/user_ldap/lib/Command/TestUserSettings.php new file mode 100644 index 00000000000..12690158f98 --- /dev/null +++ b/apps/user_ldap/lib/Command/TestUserSettings.php @@ -0,0 +1,248 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCA\User_LDAP\Helper; +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Mapping\UserMapping; +use OCA\User_LDAP\User\DeletedUsersIndex; +use OCA\User_LDAP\User_Proxy; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class TestUserSettings extends Command { + public function __construct( + protected User_Proxy $backend, + protected Group_Proxy $groupBackend, + protected Helper $helper, + protected DeletedUsersIndex $dui, + protected UserMapping $mapping, + protected GroupMapping $groupMapping, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:test-user-settings') + ->setDescription('Runs tests and show information about user related LDAP settings') + ->addArgument( + 'user', + InputArgument::REQUIRED, + 'the user name as used in Nextcloud, or the LDAP DN' + ) + ->addOption( + 'group', + 'g', + InputOption::VALUE_REQUIRED, + 'A group DN to check if the user is a member or not' + ) + ->addOption( + 'clearcache', + null, + InputOption::VALUE_NONE, + 'Clear the cache of the LDAP connection before the beginning of tests' + ) + ; + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + try { + $uid = $input->getArgument('user'); + $access = $this->backend->getLDAPAccess($uid); + $connection = $access->getConnection(); + if ($input->getOption('clearcache')) { + $connection->clearCache(); + } + $configPrefix = $connection->getConfigPrefix(); + $knownDn = ''; + if ($access->stringResemblesDN($uid)) { + $knownDn = $uid; + $username = $access->dn2username($uid); + if ($username !== false) { + $uid = $username; + } + } + + $dn = $this->mapping->getDNByName($uid); + if ($dn !== false) { + $output->writeln("User <info>$dn</info> is mapped with account name <info>$uid</info>."); + $uuid = $this->mapping->getUUIDByDN($dn); + $output->writeln("Known UUID is <info>$uuid</info>."); + if ($knownDn === '') { + $knownDn = $dn; + } + } else { + $output->writeln("User <info>$uid</info> is not mapped."); + } + + if ($knownDn === '') { + return self::SUCCESS; + } + + if (!$access->isDNPartOfBase($knownDn, $access->getConnection()->ldapBaseUsers)) { + $output->writeln( + "User <info>$knownDn</info> is not in one of the configured user bases: <info>" + . implode(',', $access->getConnection()->ldapBaseUsers) + . '</info>.' + ); + } + + $output->writeln("Configuration prefix is <info>$configPrefix</info>"); + $output->writeln(''); + + $attributeNames = [ + 'ldapBase', + 'ldapBaseUsers', + 'ldapExpertUsernameAttr', + 'ldapUuidUserAttribute', + 'ldapExpertUUIDUserAttr', + 'ldapQuotaAttribute', + 'ldapEmailAttribute', + 'ldapUserDisplayName', + 'ldapUserDisplayName2', + 'ldapExtStorageHomeAttribute', + 'ldapAttributePhone', + 'ldapAttributeWebsite', + 'ldapAttributeAddress', + 'ldapAttributeTwitter', + 'ldapAttributeFediverse', + 'ldapAttributeOrganisation', + 'ldapAttributeRole', + 'ldapAttributeHeadline', + 'ldapAttributeBiography', + 'ldapAttributeBirthDate', + 'ldapAttributePronouns', + 'ldapGidNumber', + 'hasGidNumber', + ]; + $output->writeln('Attributes set in configuration:'); + foreach ($attributeNames as $attributeName) { + if (($connection->$attributeName !== '') && ($connection->$attributeName !== [])) { + if (\is_string($connection->$attributeName)) { + $output->writeln("- $attributeName: <info>" . $connection->$attributeName . '</info>'); + } else { + $output->writeln("- $attributeName: <info>" . \json_encode($connection->$attributeName) . '</info>'); + } + } + } + + $filter = $connection->ldapUserFilter; + $attrs = $access->userManager->getAttributes(true); + $attrs[] = strtolower($connection->ldapExpertUsernameAttr); + if ($connection->ldapUuidUserAttribute !== 'auto') { + $attrs[] = strtolower($connection->ldapUuidUserAttribute); + } + if ($connection->hasGidNumber) { + $attrs[] = strtolower($connection->ldapGidNumber); + } + $attrs[] = 'memberof'; + $attrs = array_values(array_unique($attrs)); + $attributes = $access->readAttributes($knownDn, $attrs, $filter); + + if ($attributes === false) { + $output->writeln( + "LDAP read on <info>$knownDn</info> with filter <info>$filter</info> failed." + ); + return self::FAILURE; + } + + $output->writeln("Attributes fetched from LDAP using filter <info>$filter</info>:"); + foreach ($attributes as $attribute => $value) { + $output->writeln( + "- $attribute: <info>" . json_encode($value) . '</info>' + ); + } + + $uuid = $access->getUUID($knownDn); + if ($connection->ldapUuidUserAttribute === 'auto') { + $output->writeln('<error>Failed to detect UUID attribute</error>'); + } else { + $output->writeln('Detected UUID attribute: <info>' . $connection->ldapUuidUserAttribute . '</info>'); + } + if ($uuid === false) { + $output->writeln("<error>Failed to find UUID for $knownDn</error>"); + } else { + $output->writeln("UUID for <info>$knownDn</info>: <info>$uuid</info>"); + } + + $groupLdapInstance = $this->groupBackend->getBackend($configPrefix); + + $output->writeln(''); + $output->writeln('Group information:'); + + $attributeNames = [ + 'ldapBaseGroups', + 'ldapDynamicGroupMemberURL', + 'ldapGroupFilter', + 'ldapGroupMemberAssocAttr', + ]; + $output->writeln('Configuration:'); + foreach ($attributeNames as $attributeName) { + if ($connection->$attributeName !== '') { + $output->writeln("- $attributeName: <info>" . $connection->$attributeName . '</info>'); + } + } + + $primaryGroup = $groupLdapInstance->getUserPrimaryGroup($knownDn); + $output->writeln('Primary group: <info>' . ($primaryGroup !== false? $primaryGroup:'') . '</info>'); + + $groupByGid = $groupLdapInstance->getUserGroupByGid($knownDn); + $output->writeln('Group from gidNumber: <info>' . ($groupByGid !== false? $groupByGid:'') . '</info>'); + + $groups = $groupLdapInstance->getUserGroups($uid); + $output->writeln('All known groups: <info>' . json_encode($groups) . '</info>'); + + $memberOfUsed = ((int)$access->connection->hasMemberOfFilterSupport === 1 + && (int)$access->connection->useMemberOfToDetectMembership === 1); + + $output->writeln('MemberOf usage: <info>' . ($memberOfUsed ? 'on' : 'off') . '</info> (' . $access->connection->hasMemberOfFilterSupport . ',' . $access->connection->useMemberOfToDetectMembership . ')'); + + $gid = (string)$input->getOption('group'); + if ($gid === '') { + return self::SUCCESS; + } + + $output->writeln(''); + $output->writeln("Group $gid:"); + $knownGroupDn = ''; + if ($access->stringResemblesDN($gid)) { + $knownGroupDn = $gid; + $groupname = $access->dn2groupname($gid); + if ($groupname !== false) { + $gid = $groupname; + } + } + + $groupDn = $this->groupMapping->getDNByName($gid); + if ($groupDn !== false) { + $output->writeln("Group <info>$groupDn</info> is mapped with name <info>$gid</info>."); + $groupUuid = $this->groupMapping->getUUIDByDN($groupDn); + $output->writeln("Known UUID is <info>$groupUuid</info>."); + if ($knownGroupDn === '') { + $knownGroupDn = $groupDn; + } + } else { + $output->writeln("Group <info>$gid</info> is not mapped."); + } + + $members = $groupLdapInstance->usersInGroup($gid); + $output->writeln('Members: <info>' . json_encode($members) . '</info>'); + + return self::SUCCESS; + + } catch (\Exception $e) { + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; + } + } +} diff --git a/apps/user_ldap/lib/Command/UpdateUUID.php b/apps/user_ldap/lib/Command/UpdateUUID.php new file mode 100644 index 00000000000..93dcc37bada --- /dev/null +++ b/apps/user_ldap/lib/Command/UpdateUUID.php @@ -0,0 +1,338 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Access; +use OCA\User_LDAP\Group_Proxy; +use OCA\User_LDAP\Mapping\AbstractMapping; +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Mapping\UserMapping; +use OCA\User_LDAP\User_Proxy; +use Psr\Log\LoggerInterface; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\ProgressBar; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; +use function sprintf; + +class UuidUpdateReport { + public const UNCHANGED = 0; + public const UNKNOWN = 1; + public const UNREADABLE = 2; + public const UPDATED = 3; + public const UNWRITABLE = 4; + public const UNMAPPED = 5; + + public function __construct( + public string $id, + public string $dn, + public bool $isUser, + public int $state, + public string $oldUuid = '', + public string $newUuid = '', + ) { + } +} + +class UpdateUUID extends Command { + /** @var array<UuidUpdateReport[]> */ + protected array $reports = []; + private bool $dryRun = false; + + public function __construct( + private UserMapping $userMapping, + private GroupMapping $groupMapping, + private User_Proxy $userProxy, + private Group_Proxy $groupProxy, + private LoggerInterface $logger, + ) { + $this->reports = [ + UuidUpdateReport::UPDATED => [], + UuidUpdateReport::UNKNOWN => [], + UuidUpdateReport::UNREADABLE => [], + UuidUpdateReport::UNWRITABLE => [], + UuidUpdateReport::UNMAPPED => [], + ]; + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:update-uuid') + ->setDescription('Attempts to update UUIDs of user and group entries. By default, the command attempts to update UUIDs that have been invalidated by a migration step.') + ->addOption( + 'all', + null, + InputOption::VALUE_NONE, + 'updates every user and group. All other options are ignored.' + ) + ->addOption( + 'userId', + null, + InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, + 'a user ID to update' + ) + ->addOption( + 'groupId', + null, + InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, + 'a group ID to update' + ) + ->addOption( + 'dn', + null, + InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, + 'a DN to update' + ) + ->addOption( + 'dry-run', + null, + InputOption::VALUE_NONE, + 'UUIDs will not be updated in the database' + ) + ; + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $this->dryRun = $input->getOption('dry-run'); + $entriesToUpdate = $this->estimateNumberOfUpdates($input); + $progress = new ProgressBar($output); + $progress->start($entriesToUpdate); + foreach ($this->handleUpdates($input) as $_) { + $progress->advance(); + } + $progress->finish(); + $output->writeln(''); + $this->printReport($output); + return count($this->reports[UuidUpdateReport::UNMAPPED]) === 0 + && count($this->reports[UuidUpdateReport::UNREADABLE]) === 0 + && count($this->reports[UuidUpdateReport::UNWRITABLE]) === 0 + ? self::SUCCESS + : self::FAILURE; + } + + protected function printReport(OutputInterface $output): void { + if ($output->isQuiet()) { + return; + } + + if (count($this->reports[UuidUpdateReport::UPDATED]) === 0) { + $output->writeln('<info>No record was updated.</info>'); + } else { + $output->writeln(sprintf('<info>%d record(s) were updated.</info>', count($this->reports[UuidUpdateReport::UPDATED]))); + if ($output->isVerbose()) { + /** @var UuidUpdateReport $report */ + foreach ($this->reports[UuidUpdateReport::UPDATED] as $report) { + $output->writeln(sprintf(' %s had their old UUID %s updated to %s', $report->id, $report->oldUuid, $report->newUuid)); + } + $output->writeln(''); + } + } + + if (count($this->reports[UuidUpdateReport::UNMAPPED]) > 0) { + $output->writeln(sprintf('<error>%d provided IDs were not mapped. These were:</error>', count($this->reports[UuidUpdateReport::UNMAPPED]))); + /** @var UuidUpdateReport $report */ + foreach ($this->reports[UuidUpdateReport::UNMAPPED] as $report) { + if (!empty($report->id)) { + $output->writeln(sprintf(' %s: %s', + $report->isUser ? 'User' : 'Group', $report->id)); + } elseif (!empty($report->dn)) { + $output->writeln(sprintf(' DN: %s', $report->dn)); + } + } + $output->writeln(''); + } + + if (count($this->reports[UuidUpdateReport::UNKNOWN]) > 0) { + $output->writeln(sprintf('<info>%d provided IDs were unknown on LDAP.</info>', count($this->reports[UuidUpdateReport::UNKNOWN]))); + if ($output->isVerbose()) { + /** @var UuidUpdateReport $report */ + foreach ($this->reports[UuidUpdateReport::UNKNOWN] as $report) { + $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); + } + $output->writeln(PHP_EOL . 'Old users can be removed along with their data per occ user:delete.' . PHP_EOL); + } + } + + if (count($this->reports[UuidUpdateReport::UNREADABLE]) > 0) { + $output->writeln(sprintf('<error>For %d records, the UUID could not be read. Double-check your configuration.</error>', count($this->reports[UuidUpdateReport::UNREADABLE]))); + if ($output->isVerbose()) { + /** @var UuidUpdateReport $report */ + foreach ($this->reports[UuidUpdateReport::UNREADABLE] as $report) { + $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); + } + } + } + + if (count($this->reports[UuidUpdateReport::UNWRITABLE]) > 0) { + $output->writeln(sprintf('<error>For %d records, the UUID could not be saved to database. Double-check your configuration.</error>', count($this->reports[UuidUpdateReport::UNWRITABLE]))); + if ($output->isVerbose()) { + /** @var UuidUpdateReport $report */ + foreach ($this->reports[UuidUpdateReport::UNWRITABLE] as $report) { + $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); + } + } + } + } + + protected function handleUpdates(InputInterface $input): \Generator { + if ($input->getOption('all')) { + foreach ($this->handleMappingBasedUpdates(false) as $_) { + yield; + } + } elseif ($input->getOption('userId') + || $input->getOption('groupId') + || $input->getOption('dn') + ) { + foreach ($this->handleUpdatesByUserId($input->getOption('userId')) as $_) { + yield; + } + foreach ($this->handleUpdatesByGroupId($input->getOption('groupId')) as $_) { + yield; + } + foreach ($this->handleUpdatesByDN($input->getOption('dn')) as $_) { + yield; + } + } else { + foreach ($this->handleMappingBasedUpdates(true) as $_) { + yield; + } + } + } + + protected function handleUpdatesByUserId(array $userIds): \Generator { + foreach ($this->handleUpdatesByEntryId($userIds, $this->userMapping) as $_) { + yield; + } + } + + protected function handleUpdatesByGroupId(array $groupIds): \Generator { + foreach ($this->handleUpdatesByEntryId($groupIds, $this->groupMapping) as $_) { + yield; + } + } + + protected function handleUpdatesByDN(array $dns): \Generator { + $userList = $groupList = []; + while ($dn = array_pop($dns)) { + $uuid = $this->userMapping->getUUIDByDN($dn); + if ($uuid) { + $id = $this->userMapping->getNameByDN($dn); + $userList[] = ['name' => $id, 'uuid' => $uuid]; + continue; + } + $uuid = $this->groupMapping->getUUIDByDN($dn); + if ($uuid) { + $id = $this->groupMapping->getNameByDN($dn); + $groupList[] = ['name' => $id, 'uuid' => $uuid]; + continue; + } + $this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport('', $dn, true, UuidUpdateReport::UNMAPPED); + yield; + } + foreach ($this->handleUpdatesByList($this->userMapping, $userList) as $_) { + yield; + } + foreach ($this->handleUpdatesByList($this->groupMapping, $groupList) as $_) { + yield; + } + } + + protected function handleUpdatesByEntryId(array $ids, AbstractMapping $mapping): \Generator { + $isUser = $mapping instanceof UserMapping; + $list = []; + while ($id = array_pop($ids)) { + if (!$dn = $mapping->getDNByName($id)) { + $this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport($id, '', $isUser, UuidUpdateReport::UNMAPPED); + yield; + continue; + } + // Since we know it was mapped the UUID is populated + $uuid = $mapping->getUUIDByDN($dn); + $list[] = ['name' => $id, 'uuid' => $uuid]; + } + foreach ($this->handleUpdatesByList($mapping, $list) as $_) { + yield; + } + } + + protected function handleMappingBasedUpdates(bool $invalidatedOnly): \Generator { + $limit = 1000; + /** @var AbstractMapping $mapping */ + foreach ([$this->userMapping, $this->groupMapping] as $mapping) { + $offset = 0; + do { + $list = $mapping->getList($offset, $limit, $invalidatedOnly); + $offset += $limit; + + foreach ($this->handleUpdatesByList($mapping, $list) as $tick) { + yield; // null, for it only advances progress counter + } + } while (count($list) === $limit); + } + } + + protected function handleUpdatesByList(AbstractMapping $mapping, array $list): \Generator { + if ($mapping instanceof UserMapping) { + $isUser = true; + $backendProxy = $this->userProxy; + } else { + $isUser = false; + $backendProxy = $this->groupProxy; + } + + foreach ($list as $row) { + $access = $backendProxy->getLDAPAccess($row['name']); + if ($access instanceof Access + && $dn = $mapping->getDNByName($row['name'])) { + if ($uuid = $access->getUUID($dn, $isUser)) { + if ($uuid !== $row['uuid']) { + if ($this->dryRun || $mapping->setUUIDbyDN($uuid, $dn)) { + $this->reports[UuidUpdateReport::UPDATED][] + = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UPDATED, $row['uuid'], $uuid); + } else { + $this->reports[UuidUpdateReport::UNWRITABLE][] + = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UNWRITABLE, $row['uuid'], $uuid); + } + $this->logger->info('UUID of {id} was updated from {from} to {to}', + [ + 'appid' => 'user_ldap', + 'id' => $row['name'], + 'from' => $row['uuid'], + 'to' => $uuid, + ] + ); + } + } else { + $this->reports[UuidUpdateReport::UNREADABLE][] = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UNREADABLE); + } + } else { + $this->reports[UuidUpdateReport::UNKNOWN][] = new UuidUpdateReport($row['name'], '', $isUser, UuidUpdateReport::UNKNOWN); + } + yield; // null, for it only advances progress counter + } + } + + protected function estimateNumberOfUpdates(InputInterface $input): int { + if ($input->getOption('all')) { + return $this->userMapping->count() + $this->groupMapping->count(); + } elseif ($input->getOption('userId') + || $input->getOption('groupId') + || $input->getOption('dn') + ) { + return count($input->getOption('userId')) + + count($input->getOption('groupId')) + + count($input->getOption('dn')); + } else { + return $this->userMapping->countInvalidated() + $this->groupMapping->countInvalidated(); + } + } +} diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index 134f8551f7d..b4a5b847204 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -1,43 +1,89 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Alex Weirig <alex.weirig@technolink.lu> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lennart Rosam <hello@takuto.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Xuanwo <xuanwo@yunify.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; +use OCP\IConfig; +use OCP\Server; +use Psr\Log\LoggerInterface; + /** - * @property int ldapPagingSize holds an integer - * @property string ldapUserAvatarRule + * @property string $ldapHost + * @property string $ldapPort + * @property string $ldapBackupHost + * @property string $ldapBackupPort + * @property string $ldapBackgroundHost + * @property string $ldapBackgroundPort + * @property array|'' $ldapBase + * @property array|'' $ldapBaseUsers + * @property array|'' $ldapBaseGroups + * @property string $ldapAgentName + * @property string $ldapAgentPassword + * @property string $ldapTLS + * @property string $turnOffCertCheck + * @property string $ldapIgnoreNamingRules + * @property string $ldapUserDisplayName + * @property string $ldapUserDisplayName2 + * @property string $ldapUserAvatarRule + * @property string $ldapGidNumber + * @property array|'' $ldapUserFilterObjectclass + * @property array|'' $ldapUserFilterGroups + * @property string $ldapUserFilter + * @property string $ldapUserFilterMode + * @property string $ldapGroupFilter + * @property string $ldapGroupFilterMode + * @property array|'' $ldapGroupFilterObjectclass + * @property array|'' $ldapGroupFilterGroups + * @property string $ldapGroupDisplayName + * @property string $ldapGroupMemberAssocAttr + * @property string $ldapLoginFilter + * @property string $ldapLoginFilterMode + * @property string $ldapLoginFilterEmail + * @property string $ldapLoginFilterUsername + * @property array|'' $ldapLoginFilterAttributes + * @property string $ldapQuotaAttribute + * @property string $ldapQuotaDefault + * @property string $ldapEmailAttribute + * @property string $ldapCacheTTL + * @property string $ldapUuidUserAttribute + * @property string $ldapUuidGroupAttribute + * @property string $ldapOverrideMainServer + * @property string $ldapConfigurationActive + * @property array|'' $ldapAttributesForUserSearch + * @property array|'' $ldapAttributesForGroupSearch + * @property string $ldapExperiencedAdmin + * @property string $homeFolderNamingRule + * @property string $hasMemberOfFilterSupport + * @property string $useMemberOfToDetectMembership + * @property string $ldapExpertUsernameAttr + * @property string $ldapExpertUUIDUserAttr + * @property string $ldapExpertUUIDGroupAttr + * @property string $markRemnantsAsDisabled + * @property string $lastJpegPhotoLookup + * @property string $ldapNestedGroups + * @property string $ldapPagingSize + * @property string $turnOnPasswordChange + * @property string $ldapDynamicGroupMemberURL + * @property string $ldapDefaultPPolicyDN + * @property string $ldapExtStorageHomeAttribute + * @property string $ldapMatchingRuleInChainState + * @property string $ldapConnectionTimeout + * @property string $ldapAttributePhone + * @property string $ldapAttributeWebsite + * @property string $ldapAttributeAddress + * @property string $ldapAttributeTwitter + * @property string $ldapAttributeFediverse + * @property string $ldapAttributeOrganisation + * @property string $ldapAttributeRole + * @property string $ldapAttributeHeadline + * @property string $ldapAttributeBiography + * @property string $ldapAdminGroup + * @property string $ldapAttributeBirthDate + * @property string $ldapAttributePronouns */ class Configuration { public const AVATAR_PREFIX_DEFAULT = 'default'; @@ -47,21 +93,25 @@ class Configuration { public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown'; public const LDAP_SERVER_FEATURE_AVAILABLE = 'available'; public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable'; - - protected $configPrefix = null; + /** + * @var bool + */ protected $configRead = false; /** - * @var string[] pre-filled with one reference key so that at least one entry is written on save request and - * the config ID is registered + * @var string[] */ - protected $unsavedChanges = ['ldapConfigurationActive' => 'ldapConfigurationActive']; + protected array $unsavedChanges = []; - //settings + /** + * @var array<string, mixed> settings + */ protected $config = [ 'ldapHost' => null, 'ldapPort' => null, 'ldapBackupHost' => null, 'ldapBackupPort' => null, + 'ldapBackgroundHost' => null, + 'ldapBackgroundPort' => null, 'ldapBase' => null, 'ldapBaseUsers' => null, 'ldapBaseGroups' => null, @@ -106,6 +156,7 @@ class Configuration { 'ldapExpertUsernameAttr' => null, 'ldapExpertUUIDUserAttr' => null, 'ldapExpertUUIDGroupAttr' => null, + 'markRemnantsAsDisabled' => false, 'lastJpegPhotoLookup' => null, 'ldapNestedGroups' => false, 'ldapPagingSize' => null, @@ -114,14 +165,26 @@ class Configuration { 'ldapDefaultPPolicyDN' => null, 'ldapExtStorageHomeAttribute' => null, 'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN, + 'ldapConnectionTimeout' => 15, + 'ldapAttributePhone' => null, + 'ldapAttributeWebsite' => null, + 'ldapAttributeAddress' => null, + 'ldapAttributeTwitter' => null, + 'ldapAttributeFediverse' => null, + 'ldapAttributeOrganisation' => null, + 'ldapAttributeRole' => null, + 'ldapAttributeHeadline' => null, + 'ldapAttributeBiography' => null, + 'ldapAdminGroup' => '', + 'ldapAttributeBirthDate' => null, + 'ldapAttributeAnniversaryDate' => null, + 'ldapAttributePronouns' => null, ]; - /** - * @param string $configPrefix - * @param bool $autoRead - */ - public function __construct($configPrefix, $autoRead = true) { - $this->configPrefix = $configPrefix; + public function __construct( + protected string $configPrefix, + bool $autoRead = true, + ) { if ($autoRead) { $this->readConfiguration(); } @@ -146,10 +209,7 @@ class Configuration { $this->setConfiguration([$name => $value]); } - /** - * @return array - */ - public function getConfiguration() { + public function getConfiguration(): array { return $this->config; } @@ -158,18 +218,13 @@ class Configuration { * from configuration. It does not save the configuration! To do so, you * must call saveConfiguration afterwards. * @param array $config array that holds the config parameters in an associated - * array + * array * @param array &$applied optional; array where the set fields will be given to - * @return false|null */ - public function setConfiguration($config, &$applied = null) { - if (!is_array($config)) { - return false; - } - + public function setConfiguration(array $config, ?array &$applied = null): void { $cta = $this->getConfigTranslationArray(); foreach ($config as $inputKey => $val) { - if (strpos($inputKey, '_') !== false && array_key_exists($inputKey, $cta)) { + if (str_contains($inputKey, '_') && array_key_exists($inputKey, $cta)) { $key = $cta[$inputKey]; } elseif (array_key_exists($inputKey, $this->config)) { $key = $inputKey; @@ -184,8 +239,8 @@ class Configuration { break; case 'homeFolderNamingRule': $trimmedVal = trim($val); - if ($trimmedVal !== '' && strpos($val, 'attr:') === false) { - $val = 'attr:'.$trimmedVal; + if ($trimmedVal !== '' && !str_contains($val, 'attr:')) { + $val = 'attr:' . $trimmedVal; } break; case 'ldapBase': @@ -208,11 +263,10 @@ class Configuration { } $this->unsavedChanges[$key] = $key; } - return null; } - public function readConfiguration() { - if (!$this->configRead && !is_null($this->configPrefix)) { + public function readConfiguration(): void { + if (!$this->configRead) { $cta = array_flip($this->getConfigTranslationArray()); foreach ($this->config as $key => $val) { if (!isset($cta[$key])) { @@ -242,6 +296,28 @@ class Configuration { break; case 'ldapUserDisplayName2': case 'ldapGroupDisplayName': + case 'ldapGidNumber': + case 'ldapGroupMemberAssocAttr': + case 'ldapQuotaAttribute': + case 'ldapEmailAttribute': + case 'ldapUuidUserAttribute': + case 'ldapUuidGroupAttribute': + case 'ldapExpertUsernameAttr': + case 'ldapExpertUUIDUserAttr': + case 'ldapExpertUUIDGroupAttr': + case 'ldapExtStorageHomeAttribute': + case 'ldapAttributePhone': + case 'ldapAttributeWebsite': + case 'ldapAttributeAddress': + case 'ldapAttributeTwitter': + case 'ldapAttributeFediverse': + case 'ldapAttributeOrganisation': + case 'ldapAttributeRole': + case 'ldapAttributeHeadline': + case 'ldapAttributeBiography': + case 'ldapAttributeBirthDate': + case 'ldapAttributeAnniversaryDate': + case 'ldapAttributePronouns': $readMethod = 'getLcValue'; break; case 'ldapUserDisplayName': @@ -261,8 +337,9 @@ class Configuration { /** * saves the current config changes in the database */ - public function saveConfiguration() { + public function saveConfiguration(): void { $cta = array_flip($this->getConfigTranslationArray()); + $changed = false; foreach ($this->unsavedChanges as $key) { $value = $this->config[$key]; switch ($key) { @@ -283,7 +360,7 @@ class Configuration { $value = implode("\n", $value); } break; - //following options are not stored but detected, skip them + //following options are not stored but detected, skip them case 'ldapIgnoreNamingRules': case 'ldapUuidUserAttribute': case 'ldapUuidGroupAttribute': @@ -292,9 +369,12 @@ class Configuration { if (is_null($value)) { $value = ''; } + $changed = true; $this->saveValue($cta[$key], $value); } - $this->saveValue('_lastChange', time()); + if ($changed) { + $this->saveValue('_lastChange', (string)time()); + } $this->unsavedChanges = []; } @@ -319,7 +399,7 @@ class Configuration { * @param string $varName name of config-key * @param array|string $value to set */ - protected function setMultiLine($varName, $value) { + protected function setMultiLine(string $varName, $value): void { if (empty($value)) { $value = ''; } elseif (!is_array($value)) { @@ -350,43 +430,27 @@ class Configuration { $this->setRawValue($varName, $finalValue); } - /** - * @param string $varName - * @return string - */ - protected function getPwd($varName) { + protected function getPwd(string $varName): string { return base64_decode($this->getValue($varName)); } - /** - * @param string $varName - * @return string - */ - protected function getLcValue($varName) { + protected function getLcValue(string $varName): string { return mb_strtolower($this->getValue($varName), 'UTF-8'); } - /** - * @param string $varName - * @return string - */ - protected function getSystemValue($varName) { + protected function getSystemValue(string $varName): string { //FIXME: if another system value is added, softcode the default value - return \OC::$server->getConfig()->getSystemValue($varName, false); + return Server::get(IConfig::class)->getSystemValue($varName, false); } - /** - * @param string $varName - * @return string - */ - protected function getValue($varName) { + protected function getValue(string $varName): string { static $defaults; if (is_null($defaults)) { $defaults = $this->getDefaults(); } - return \OC::$server->getConfig()->getAppValue('user_ldap', - $this->configPrefix.$varName, - $defaults[$varName]); + return Server::get(IConfig::class)->getAppValue('user_ldap', + $this->configPrefix . $varName, + $defaults[$varName]); } /** @@ -395,7 +459,7 @@ class Configuration { * @param string $varName name of config key * @param mixed $value to set */ - protected function setValue($varName, $value) { + protected function setValue(string $varName, $value): void { if (is_string($value)) { $value = trim($value); } @@ -408,19 +472,14 @@ class Configuration { * @param string $varName name of config key * @param mixed $value to set */ - protected function setRawValue($varName, $value) { + protected function setRawValue(string $varName, $value): void { $this->config[$varName] = $value; } - /** - * @param string $varName - * @param string $value - * @return bool - */ - protected function saveValue($varName, $value) { - \OC::$server->getConfig()->setAppValue( + protected function saveValue(string $varName, string $value): bool { + Server::get(IConfig::class)->setAppValue( 'user_ldap', - $this->configPrefix.$varName, + $this->configPrefix . $varName, $value ); return true; @@ -428,14 +487,16 @@ class Configuration { /** * @return array an associative array with the default values. Keys are correspond - * to config-value entries in the database table + * to config-value entries in the database table */ - public function getDefaults() { + public function getDefaults(): array { return [ 'ldap_host' => '', 'ldap_port' => '', 'ldap_backup_host' => '', 'ldap_backup_port' => '', + 'ldap_background_host' => '', + 'ldap_background_port' => '', 'ldap_override_main_server' => '', 'ldap_dn' => '', 'ldap_agent_password' => '', @@ -477,6 +538,7 @@ class Configuration { 'ldap_expert_uuid_group_attr' => '', 'has_memberof_filter_support' => 0, 'use_memberof_to_detect_membership' => 1, + 'ldap_mark_remnants_as_disabled' => 0, 'last_jpegPhoto_lookup' => 0, 'ldap_nested_groups' => 0, 'ldap_paging_size' => 500, @@ -487,19 +549,35 @@ class Configuration { 'ldap_user_avatar_rule' => 'default', 'ldap_ext_storage_home_attribute' => '', 'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN, + 'ldap_connection_timeout' => 15, + 'ldap_attr_phone' => '', + 'ldap_attr_website' => '', + 'ldap_attr_address' => '', + 'ldap_attr_twitter' => '', + 'ldap_attr_fediverse' => '', + 'ldap_attr_organisation' => '', + 'ldap_attr_role' => '', + 'ldap_attr_headline' => '', + 'ldap_attr_biography' => '', + 'ldap_admin_group' => '', + 'ldap_attr_birthdate' => '', + 'ldap_attr_anniversarydate' => '', + 'ldap_attr_pronouns' => '', ]; } /** * @return array that maps internal variable names to database fields */ - public function getConfigTranslationArray() { + public function getConfigTranslationArray(): array { //TODO: merge them into one representation static $array = [ 'ldap_host' => 'ldapHost', 'ldap_port' => 'ldapPort', 'ldap_backup_host' => 'ldapBackupHost', 'ldap_backup_port' => 'ldapBackupPort', + 'ldap_background_host' => 'ldapBackgroundHost', + 'ldap_background_port' => 'ldapBackgroundPort', 'ldap_override_main_server' => 'ldapOverrideMainServer', 'ldap_dn' => 'ldapAgentName', 'ldap_agent_password' => 'ldapAgentPassword', @@ -540,6 +618,7 @@ class Configuration { 'ldap_expert_uuid_group_attr' => 'ldapExpertUUIDGroupAttr', 'has_memberof_filter_support' => 'hasMemberOfFilterSupport', 'use_memberof_to_detect_membership' => 'useMemberOfToDetectMembership', + 'ldap_mark_remnants_as_disabled' => 'markRemnantsAsDisabled', 'last_jpegPhoto_lookup' => 'lastJpegPhotoLookup', 'ldap_nested_groups' => 'ldapNestedGroups', 'ldap_paging_size' => 'ldapPagingSize', @@ -550,30 +629,42 @@ class Configuration { 'ldap_ext_storage_home_attribute' => 'ldapExtStorageHomeAttribute', 'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState', 'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig + 'ldap_connection_timeout' => 'ldapConnectionTimeout', + 'ldap_attr_phone' => 'ldapAttributePhone', + 'ldap_attr_website' => 'ldapAttributeWebsite', + 'ldap_attr_address' => 'ldapAttributeAddress', + 'ldap_attr_twitter' => 'ldapAttributeTwitter', + 'ldap_attr_fediverse' => 'ldapAttributeFediverse', + 'ldap_attr_organisation' => 'ldapAttributeOrganisation', + 'ldap_attr_role' => 'ldapAttributeRole', + 'ldap_attr_headline' => 'ldapAttributeHeadline', + 'ldap_attr_biography' => 'ldapAttributeBiography', + 'ldap_admin_group' => 'ldapAdminGroup', + 'ldap_attr_birthdate' => 'ldapAttributeBirthDate', + 'ldap_attr_anniversarydate' => 'ldapAttributeAnniversaryDate', + 'ldap_attr_pronouns' => 'ldapAttributePronouns', ]; return $array; } /** - * @param string $rule - * @return array * @throws \RuntimeException */ - public function resolveRule($rule) { + public function resolveRule(string $rule): array { if ($rule === 'avatar') { return $this->getAvatarAttributes(); } throw new \RuntimeException('Invalid rule'); } - public function getAvatarAttributes() { + public function getAvatarAttributes(): array { $value = $this->ldapUserAvatarRule ?: self::AVATAR_PREFIX_DEFAULT; $defaultAttributes = ['jpegphoto', 'thumbnailphoto']; if ($value === self::AVATAR_PREFIX_NONE) { return []; } - if (strpos($value, self::AVATAR_PREFIX_DATA_ATTRIBUTE) === 0) { + if (str_starts_with($value, self::AVATAR_PREFIX_DATA_ATTRIBUTE)) { $attribute = trim(substr($value, strlen(self::AVATAR_PREFIX_DATA_ATTRIBUTE))); if ($attribute === '') { return $defaultAttributes; @@ -581,8 +672,16 @@ class Configuration { return [strtolower($attribute)]; } if ($value !== self::AVATAR_PREFIX_DEFAULT) { - \OC::$server->getLogger()->warning('Invalid config value to ldapUserAvatarRule; falling back to default.'); + Server::get(LoggerInterface::class)->warning('Invalid config value to ldapUserAvatarRule; falling back to default.'); } return $defaultAttributes; } + + /** + * Returns TRUE if the ldapHost variable starts with 'ldapi://' + */ + public function usesLdapi(): bool { + $host = $this->config['ldapHost']; + return is_string($host) && (substr($host, 0, strlen('ldapi://')) === 'ldapi://'); + } } diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php index 9a99b94689f..336179ac341 100644 --- a/apps/user_ldap/lib/Connection.php +++ b/apps/user_ldap/lib/Connection.php @@ -1,86 +1,106 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Jarkko Lehtoranta <devel@jlranta.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Xuanwo <xuanwo@yunify.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; use OC\ServerNotAvailableException; -use OCP\ILogger; +use OCA\User_LDAP\Exceptions\ConfigurationIssueException; +use OCP\ICache; +use OCP\ICacheFactory; +use OCP\IL10N; +use OCP\Server; +use OCP\Util; +use Psr\Log\LoggerInterface; /** - * magic properties (incomplete) + * magic properties * responsible for LDAP connections in context with the provided configuration * - * @property string ldapHost - * @property string ldapPort holds the port number - * @property string ldapUserFilter - * @property string ldapUserDisplayName - * @property string ldapUserDisplayName2 - * @property string ldapUserAvatarRule - * @property boolean turnOnPasswordChange - * @property string[] ldapBaseUsers - * @property int|null ldapPagingSize holds an integer - * @property bool|mixed|void ldapGroupMemberAssocAttr - * @property string ldapUuidUserAttribute - * @property string ldapUuidGroupAttribute - * @property string ldapExpertUUIDUserAttr - * @property string ldapExpertUUIDGroupAttr - * @property string ldapQuotaAttribute - * @property string ldapQuotaDefault - * @property string ldapEmailAttribute - * @property string ldapExtStorageHomeAttribute - * @property string homeFolderNamingRule - * @property bool|string ldapNestedGroups - * @property string[] ldapBaseGroups - * @property string ldapGroupFilter - * @property string ldapGroupDisplayName - * @property string ldapLoginFilter - * @property string ldapDynamicGroupMemberURL - * @property string ldapGidNumber - * @property int hasMemberOfFilterSupport - * @property int useMemberOfToDetectMembership - * @property string ldapMatchingRuleInChainState + * @property string $ldapHost + * @property string $ldapPort + * @property string $ldapBackupHost + * @property string $ldapBackupPort + * @property string $ldapBackgroundHost + * @property string $ldapBackgroundPort + * @property array|'' $ldapBase + * @property array|'' $ldapBaseUsers + * @property array|'' $ldapBaseGroups + * @property string $ldapAgentName + * @property string $ldapAgentPassword + * @property string $ldapTLS + * @property string $turnOffCertCheck + * @property string $ldapIgnoreNamingRules + * @property string $ldapUserDisplayName + * @property string $ldapUserDisplayName2 + * @property string $ldapUserAvatarRule + * @property string $ldapGidNumber + * @property array|'' $ldapUserFilterObjectclass + * @property array|'' $ldapUserFilterGroups + * @property string $ldapUserFilter + * @property string $ldapUserFilterMode + * @property string $ldapGroupFilter + * @property string $ldapGroupFilterMode + * @property array|'' $ldapGroupFilterObjectclass + * @property array|'' $ldapGroupFilterGroups + * @property string $ldapGroupDisplayName + * @property string $ldapGroupMemberAssocAttr + * @property string $ldapLoginFilter + * @property string $ldapLoginFilterMode + * @property string $ldapLoginFilterEmail + * @property string $ldapLoginFilterUsername + * @property array|'' $ldapLoginFilterAttributes + * @property string $ldapQuotaAttribute + * @property string $ldapQuotaDefault + * @property string $ldapEmailAttribute + * @property string $ldapCacheTTL + * @property string $ldapUuidUserAttribute + * @property string $ldapUuidGroupAttribute + * @property string $ldapOverrideMainServer + * @property string $ldapConfigurationActive + * @property array|'' $ldapAttributesForUserSearch + * @property array|'' $ldapAttributesForGroupSearch + * @property string $ldapExperiencedAdmin + * @property string $homeFolderNamingRule + * @property string $hasMemberOfFilterSupport + * @property string $useMemberOfToDetectMembership + * @property string $ldapExpertUsernameAttr + * @property string $ldapExpertUUIDUserAttr + * @property string $ldapExpertUUIDGroupAttr + * @property string $markRemnantsAsDisabled + * @property string $lastJpegPhotoLookup + * @property string $ldapNestedGroups + * @property string $ldapPagingSize + * @property string $turnOnPasswordChange + * @property string $ldapDynamicGroupMemberURL + * @property string $ldapDefaultPPolicyDN + * @property string $ldapExtStorageHomeAttribute + * @property string $ldapMatchingRuleInChainState + * @property string $ldapConnectionTimeout + * @property string $ldapAttributePhone + * @property string $ldapAttributeWebsite + * @property string $ldapAttributeAddress + * @property string $ldapAttributeTwitter + * @property string $ldapAttributeFediverse + * @property string $ldapAttributeOrganisation + * @property string $ldapAttributeRole + * @property string $ldapAttributeHeadline + * @property string $ldapAttributeBiography + * @property string $ldapAdminGroup + * @property string $ldapAttributeBirthDate + * @property string $ldapAttributePronouns */ class Connection extends LDAPUtility { - private $ldapConnectionRes = null; - private $configPrefix; - private $configID; - private $configured = false; - //whether connection should be kept on __destruct - private $dontDestruct = false; + private ?\LDAP\Connection $ldapConnectionRes = null; + private bool $configured = false; + + /** + * @var bool whether connection should be kept on __destruct + */ + private bool $dontDestruct = false; /** * @var bool runtime flag that indicates whether supported primary groups are available @@ -92,37 +112,53 @@ class Connection extends LDAPUtility { */ public $hasGidNumber = true; - //cache handler - protected $cache; + /** + * @var ICache|null + */ + protected $cache = null; - /** @var Configuration settings handler **/ + /** @var Configuration settings handler * */ protected $configuration; + /** + * @var bool + */ protected $doNotValidate = false; + /** + * @var bool + */ protected $ignoreValidation = false; + /** + * @var array{sum?: string, result?: bool} + */ protected $bindResult = []; + protected LoggerInterface $logger; + private IL10N $l10n; + /** * Constructor - * @param ILDAPWrapper $ldap * @param string $configPrefix a string with the prefix for the configkey column (appconfig table) * @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections */ - public function __construct(ILDAPWrapper $ldap, $configPrefix = '', $configID = 'user_ldap') { + public function __construct( + ILDAPWrapper $ldap, + private string $configPrefix = '', + private ?string $configID = 'user_ldap', + ) { parent::__construct($ldap); - $this->configPrefix = $configPrefix; - $this->configID = $configID; - $this->configuration = new Configuration($configPrefix, - !is_null($configID)); - $memcache = \OC::$server->getMemCacheFactory(); + $this->configuration = new Configuration($this->configPrefix, !is_null($this->configID)); + $memcache = Server::get(ICacheFactory::class); if ($memcache->isAvailable()) { $this->cache = $memcache->createDistributed(); } - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $this->doNotValidate = !in_array($this->configPrefix, $helper->getServerConfigurationPrefixes()); + $this->logger = Server::get(LoggerInterface::class); + $this->l10n = Util::getL10N('user_ldap'); } public function __destruct() { @@ -137,7 +173,7 @@ class Connection extends LDAPUtility { */ public function __clone() { $this->configuration = new Configuration($this->configPrefix, - !is_null($this->configID)); + !is_null($this->configID)); if (count($this->bindResult) !== 0 && $this->bindResult['result'] === true) { $this->bindResult = []; } @@ -199,17 +235,17 @@ class Connection extends LDAPUtility { } /** - * Returns the LDAP handler + * @return \LDAP\Connection The LDAP resource */ - public function getConnectionResource() { + public function getConnectionResource(): \LDAP\Connection { if (!$this->ldapConnectionRes) { $this->init(); - } elseif (!$this->ldap->isResource($this->ldapConnectionRes)) { - $this->ldapConnectionRes = null; - $this->establishConnection(); } if (is_null($this->ldapConnectionRes)) { - \OCP\Util::writeLog('user_ldap', 'No LDAP Connection to server ' . $this->configuration->ldapHost, ILogger::ERROR); + $this->logger->error( + 'No LDAP Connection to server ' . $this->configuration->ldapHost, + ['app' => 'user_ldap'] + ); throw new ServerNotAvailableException('Connection to LDAP server could not be established'); } return $this->ldapConnectionRes; @@ -218,7 +254,7 @@ class Connection extends LDAPUtility { /** * resets the connection resource */ - public function resetConnectionResource() { + public function resetConnectionResource(): void { if (!is_null($this->ldapConnectionRes)) { @$this->ldap->unbind($this->ldapConnectionRes); $this->ldapConnectionRes = null; @@ -228,14 +264,13 @@ class Connection extends LDAPUtility { /** * @param string|null $key - * @return string */ - private function getCacheKey($key) { - $prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-'; + private function getCacheKey($key): string { + $prefix = 'LDAP-' . $this->configID . '-' . $this->configPrefix . '-'; if (is_null($key)) { return $prefix; } - return $prefix.hash('sha256', $key); + return $prefix . hash('sha256', $key); } /** @@ -251,27 +286,30 @@ class Connection extends LDAPUtility { } $key = $this->getCacheKey($key); - return json_decode(base64_decode($this->cache->get($key)), true); + return json_decode(base64_decode($this->cache->get($key) ?? ''), true); + } + + public function getConfigPrefix(): string { + return $this->configPrefix; } /** * @param string $key * @param mixed $value - * - * @return string */ - public function writeToCache($key, $value) { + public function writeToCache($key, $value, ?int $ttlOverride = null): void { if (!$this->configured) { $this->readConfiguration(); } if (is_null($this->cache) || !$this->configuration->ldapCacheTTL || !$this->configuration->ldapConfigurationActive) { - return null; + return; } $key = $this->getCacheKey($key); $value = base64_encode(json_encode($value)); - $this->cache->set($key, $value, $this->configuration->ldapCacheTTL); + $ttl = $ttlOverride ?? $this->configuration->ldapCacheTTL; + $this->cache->set($key, $value, $ttl); } public function clearCache() { @@ -283,10 +321,9 @@ class Connection extends LDAPUtility { /** * Caches the general LDAP configuration. * @param bool $force optional. true, if the re-read should be forced. defaults - * to false. - * @return null + * to false. */ - private function readConfiguration($force = false) { + private function readConfiguration(bool $force = false): void { if ((!$this->configured || $force) && !is_null($this->configID)) { $this->configuration->readConfiguration(); $this->configured = $this->validateConfiguration(); @@ -297,16 +334,17 @@ class Connection extends LDAPUtility { * set LDAP configuration with values delivered by an array, not read from configuration * @param array $config array that holds the config parameters in an associated array * @param array &$setParameters optional; array where the set fields will be given to - * @return boolean true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters + * @param bool $throw if true, throw ConfigurationIssueException with details instead of returning false + * @return bool true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters */ - public function setConfiguration($config, &$setParameters = null) { + public function setConfiguration(array $config, ?array &$setParameters = null, bool $throw = false): bool { if (is_null($setParameters)) { $setParameters = []; } $this->doNotValidate = false; $this->configuration->setConfiguration($config, $setParameters); if (count($setParameters) > 0) { - $this->configured = $this->validateConfiguration(); + $this->configured = $this->validateConfiguration($throw); } @@ -335,7 +373,7 @@ class Connection extends LDAPUtility { foreach ($cta as $dbkey => $configkey) { switch ($configkey) { case 'homeFolderNamingRule': - if (strpos($config[$configkey], 'attr:') === 0) { + if (str_starts_with($config[$configkey], 'attr:')) { $result[$dbkey] = substr($config[$configkey], 5); } else { $result[$dbkey] = ''; @@ -358,7 +396,7 @@ class Connection extends LDAPUtility { return $result; } - private function doSoftValidation() { + private function doSoftValidation(): void { //if User or Group Base are not set, take over Base DN setting foreach (['ldapBaseUsers', 'ldapBaseGroups'] as $keyBase) { $val = $this->configuration->$keyBase; @@ -368,30 +406,28 @@ class Connection extends LDAPUtility { } foreach (['ldapExpertUUIDUserAttr' => 'ldapUuidUserAttribute', - 'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute'] - as $expertSetting => $effectiveSetting) { + 'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute'] as $expertSetting => $effectiveSetting) { $uuidOverride = $this->configuration->$expertSetting; if (!empty($uuidOverride)) { $this->configuration->$effectiveSetting = $uuidOverride; } else { $uuidAttributes = Access::UUID_ATTRIBUTES; array_unshift($uuidAttributes, 'auto'); - if (!in_array($this->configuration->$effectiveSetting, - $uuidAttributes) - && (!is_null($this->configID))) { + if (!in_array($this->configuration->$effectiveSetting, $uuidAttributes) + && !is_null($this->configID)) { $this->configuration->$effectiveSetting = 'auto'; $this->configuration->saveConfiguration(); - \OCP\Util::writeLog('user_ldap', - 'Illegal value for the '. - $effectiveSetting.', '.'reset to '. - 'autodetect.', ILogger::INFO); + $this->logger->info( + 'Illegal value for the ' . $effectiveSetting . ', reset to autodetect.', + ['app' => 'user_ldap'] + ); } } } $backupPort = (int)$this->configuration->ldapBackupPort; if ($backupPort <= 0) { - $this->configuration->backupPort = $this->configuration->ldapPort; + $this->configuration->ldapBackupPort = $this->configuration->ldapPort; } //make sure empty search attributes are saved as simple, empty array @@ -404,28 +440,29 @@ class Connection extends LDAPUtility { } } - if ((stripos($this->configuration->ldapHost, 'ldaps://') === 0) + if ((stripos((string)$this->configuration->ldapHost, 'ldaps://') === 0) && $this->configuration->ldapTLS) { - $this->configuration->ldapTLS = false; - \OCP\Util::writeLog( - 'user_ldap', + $this->configuration->ldapTLS = (string)false; + $this->logger->info( 'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.', - ILogger::INFO + ['app' => 'user_ldap'] ); } } /** - * @return bool + * @throws ConfigurationIssueException */ - private function doCriticalValidation() { - $configurationOK = true; - $errorStr = 'Configuration Error (prefix '. - (string)$this->configPrefix .'): '; - + private function doCriticalValidation(): void { //options that shall not be empty - $options = ['ldapHost', 'ldapPort', 'ldapUserDisplayName', + $options = ['ldapHost', 'ldapUserDisplayName', 'ldapGroupDisplayName', 'ldapLoginFilter']; + + //ldapPort should not be empty either unless ldapHost is pointing to a socket + if (!$this->configuration->usesLdapi()) { + $options[] = 'ldapPort'; + } + foreach ($options as $key) { $val = $this->configuration->$key; if (empty($val)) { @@ -449,11 +486,9 @@ class Connection extends LDAPUtility { $subj = $key; break; } - $configurationOK = false; - \OCP\Util::writeLog( - 'user_ldap', - $errorStr.'No '.$subj.' given!', - ILogger::WARN + throw new ConfigurationIssueException( + 'No ' . $subj . ' given!', + $this->l10n->t('Mandatory field "%s" left empty', $subj), ); } } @@ -461,49 +496,76 @@ class Connection extends LDAPUtility { //combinations $agent = $this->configuration->ldapAgentName; $pwd = $this->configuration->ldapAgentPassword; - if ( - ($agent === '' && $pwd !== '') - || ($agent !== '' && $pwd === '') - ) { - \OCP\Util::writeLog( - 'user_ldap', - $errorStr.'either no password is given for the user ' . - 'agent or a password is given, but not an LDAP agent.', - ILogger::WARN); - $configurationOK = false; + if ($agent === '' && $pwd !== '') { + throw new ConfigurationIssueException( + 'A password is given, but not an LDAP agent', + $this->l10n->t('A password is given, but not an LDAP agent'), + ); + } + if ($agent !== '' && $pwd === '') { + throw new ConfigurationIssueException( + 'No password is given for the user agent', + $this->l10n->t('No password is given for the user agent'), + ); } $base = $this->configuration->ldapBase; $baseUsers = $this->configuration->ldapBaseUsers; $baseGroups = $this->configuration->ldapBaseGroups; - if (empty($base) && empty($baseUsers) && empty($baseGroups)) { - \OCP\Util::writeLog( - 'user_ldap', - $errorStr.'Not a single Base DN given.', - ILogger::WARN + if (empty($base)) { + throw new ConfigurationIssueException( + 'Not a single Base DN given', + $this->l10n->t('No LDAP base DN was given'), ); - $configurationOK = false; } - if (mb_strpos($this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') - === false) { - \OCP\Util::writeLog( - 'user_ldap', - $errorStr.'login filter does not contain %uid place holder.', - ILogger::WARN + if (!empty($baseUsers) && !$this->checkBasesAreValid($baseUsers, $base)) { + throw new ConfigurationIssueException( + 'User base is not in root base', + $this->l10n->t('User base DN is not a subnode of global base DN'), ); - $configurationOK = false; } - return $configurationOK; + if (!empty($baseGroups) && !$this->checkBasesAreValid($baseGroups, $base)) { + throw new ConfigurationIssueException( + 'Group base is not in root base', + $this->l10n->t('Group base DN is not a subnode of global base DN'), + ); + } + + if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) { + throw new ConfigurationIssueException( + 'Login filter does not contain %uid placeholder.', + $this->l10n->t('Login filter does not contain %s placeholder.', ['%uid']), + ); + } + } + + /** + * Checks that all bases are subnodes of one of the root bases + */ + private function checkBasesAreValid(array $bases, array $rootBases): bool { + foreach ($bases as $base) { + $ok = false; + foreach ($rootBases as $rootBase) { + if (str_ends_with($base, $rootBase)) { + $ok = true; + break; + } + } + if (!$ok) { + return false; + } + } + return true; } /** * Validates the user specified configuration * @return bool true if configuration seems OK, false otherwise */ - private function validateConfiguration() { + private function validateConfiguration(bool $throw = false): bool { if ($this->doNotValidate) { //don't do a validation if it is a new configuration with pure //default values. Will be allowed on changes via __set or @@ -517,7 +579,19 @@ class Connection extends LDAPUtility { //second step: critical checks. If left empty or filled wrong, mark as //not configured and give a warning. - return $this->doCriticalValidation(); + try { + $this->doCriticalValidation(); + return true; + } catch (ConfigurationIssueException $e) { + if ($throw) { + throw $e; + } + $this->logger->warning( + 'Configuration Error (prefix ' . $this->configPrefix . '): ' . $e->getMessage(), + ['exception' => $e] + ); + return false; + } } @@ -526,7 +600,7 @@ class Connection extends LDAPUtility { * * @throws ServerNotAvailableException */ - private function establishConnection() { + private function establishConnection(): ?bool { if (!$this->configuration->ldapConfigurationActive) { return null; } @@ -535,67 +609,64 @@ class Connection extends LDAPUtility { return false; } if (!$this->ignoreValidation && !$this->configured) { - \OCP\Util::writeLog( - 'user_ldap', + $this->logger->warning( 'Configuration is invalid, cannot connect', - ILogger::WARN + ['app' => 'user_ldap'] ); return false; } if (!$this->ldapConnectionRes) { if (!$this->ldap->areLDAPFunctionsAvailable()) { $phpLDAPinstalled = false; - \OCP\Util::writeLog( - 'user_ldap', + $this->logger->error( 'function ldap_connect is not available. Make sure that the PHP ldap module is installed.', - ILogger::ERROR + ['app' => 'user_ldap'] ); return false; } - if ($this->configuration->turnOffCertCheck) { - if (putenv('LDAPTLS_REQCERT=never')) { - \OCP\Util::writeLog('user_ldap', - 'Turned off SSL certificate validation successfully.', - ILogger::DEBUG); - } else { - \OCP\Util::writeLog( - 'user_ldap', - 'Could not turn off SSL certificate validation.', - ILogger::WARN - ); - } - } - $isOverrideMainServer = ($this->configuration->ldapOverrideMainServer - || $this->getFromCache('overrideMainServer')); - $isBackupHost = (trim($this->configuration->ldapBackupHost) !== ""); + $hasBackupHost = (trim($this->configuration->ldapBackupHost ?? '') !== ''); + $hasBackgroundHost = (trim($this->configuration->ldapBackgroundHost ?? '') !== ''); + $useBackgroundHost = (\OC::$CLI && $hasBackgroundHost); + $overrideCacheKey = ($useBackgroundHost ? 'overrideBackgroundServer' : 'overrideMainServer'); + $forceBackupHost = ($this->configuration->ldapOverrideMainServer || $this->getFromCache($overrideCacheKey)); $bindStatus = false; - try { - if (!$isOverrideMainServer) { - $this->doConnect($this->configuration->ldapHost, - $this->configuration->ldapPort); + if (!$forceBackupHost) { + try { + $host = $this->configuration->ldapHost ?? ''; + $port = $this->configuration->ldapPort ?? ''; + if ($useBackgroundHost) { + $host = $this->configuration->ldapBackgroundHost ?? ''; + $port = $this->configuration->ldapBackgroundPort ?? ''; + } + $this->doConnect($host, $port); return $this->bind(); + } catch (ServerNotAvailableException $e) { + if (!$hasBackupHost) { + throw $e; + } } - } catch (ServerNotAvailableException $e) { - if (!$isBackupHost) { - throw $e; - } + $this->logger->warning( + 'Main LDAP not reachable, connecting to backup: {msg}', + [ + 'app' => 'user_ldap', + 'msg' => $e->getMessage(), + 'exception' => $e, + ] + ); } - //if LDAP server is not reachable, try the Backup (Replica!) Server - if ($isBackupHost || $isOverrideMainServer) { - $this->doConnect($this->configuration->ldapBackupHost, - $this->configuration->ldapBackupPort); - $this->bindResult = []; - $bindStatus = $this->bind(); - $error = $this->ldap->isResource($this->ldapConnectionRes) ? - $this->ldap->errno($this->ldapConnectionRes) : -1; - if ($bindStatus && $error === 0 && !$this->getFromCache('overrideMainServer')) { - //when bind to backup server succeeded and failed to main server, - //skip contacting him until next cache refresh - $this->writeToCache('overrideMainServer', true); - } + // if LDAP server is not reachable, try the Backup (Replica!) Server + $this->doConnect($this->configuration->ldapBackupHost ?? '', $this->configuration->ldapBackupPort ?? ''); + $this->bindResult = []; + $bindStatus = $this->bind(); + $error = $this->ldap->isResource($this->ldapConnectionRes) + ? $this->ldap->errno($this->ldapConnectionRes) : -1; + if ($bindStatus && $error === 0 && !$forceBackupHost) { + //when bind to backup server succeeded and failed to main server, + //skip contacting it for 15min + $this->writeToCache($overrideCacheKey, true, 60 * 15); } return $bindStatus; @@ -606,15 +677,18 @@ class Connection extends LDAPUtility { /** * @param string $host * @param string $port - * @return bool * @throws \OC\ServerNotAvailableException */ - private function doConnect($host, $port) { + private function doConnect($host, $port): bool { if ($host === '') { return false; } - $this->ldapConnectionRes = $this->ldap->connect($host, $port); + $this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null; + + if ($this->ldapConnectionRes === null) { + throw new ServerNotAvailableException('Connection failed'); + } if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) { throw new ServerNotAvailableException('Could not set required LDAP Protocol version.'); @@ -624,7 +698,25 @@ class Connection extends LDAPUtility { throw new ServerNotAvailableException('Could not disable LDAP referrals.'); } + if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_NETWORK_TIMEOUT, $this->configuration->ldapConnectionTimeout)) { + throw new ServerNotAvailableException('Could not set network timeout'); + } + if ($this->configuration->ldapTLS) { + if ($this->configuration->turnOffCertCheck) { + if ($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) { + $this->logger->debug( + 'Turned off SSL certificate validation successfully.', + ['app' => 'user_ldap'] + ); + } else { + $this->logger->warning( + 'Could not turn off SSL certificate validation.', + ['app' => 'user_ldap'] + ); + } + } + if (!$this->ldap->startTls($this->ldapConnectionRes)) { throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.'); } @@ -647,11 +739,7 @@ class Connection extends LDAPUtility { if ( count($this->bindResult) !== 0 - && $this->bindResult['dn'] === $this->configuration->ldapAgentName - && \OC::$server->getHasher()->verify( - $this->configPrefix . $this->configuration->ldapAgentPassword, - $this->bindResult['hash'] - ) + && $this->bindResult['sum'] === md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword) ) { // don't attempt to bind again with the same data as before // bind might have been invoked via getConnectionResource(), @@ -660,25 +748,28 @@ class Connection extends LDAPUtility { } $ldapLogin = @$this->ldap->bind($cr, - $this->configuration->ldapAgentName, - $this->configuration->ldapAgentPassword); + $this->configuration->ldapAgentName, + $this->configuration->ldapAgentPassword); $this->bindResult = [ - 'dn' => $this->configuration->ldapAgentName, - 'hash' => \OC::$server->getHasher()->hash($this->configPrefix . $this->configuration->ldapAgentPassword), + 'sum' => md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword), 'result' => $ldapLogin, ]; if (!$ldapLogin) { $errno = $this->ldap->errno($cr); - \OCP\Util::writeLog('user_ldap', + $this->logger->warning( 'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr), - ILogger::WARN); + ['app' => 'user_ldap'] + ); - // Set to failure mode, if LDAP error code is not LDAP_SUCCESS or LDAP_INVALID_CREDENTIALS - // or (needed for Apple Open Directory:) LDAP_INSUFFICIENT_ACCESS - if ($errno !== 0 && $errno !== 49 && $errno !== 50) { + // Set to failure mode, if LDAP error code is not one of + // - LDAP_SUCCESS (0) + // - LDAP_INVALID_CREDENTIALS (49) + // - LDAP_INSUFFICIENT_ACCESS (50, spotted Apple Open Directory) + // - LDAP_UNWILLING_TO_PERFORM (53, spotted eDirectory) + if (!in_array($errno, [0, 49, 50, 53], true)) { $this->ldapConnectionRes = null; } diff --git a/apps/user_ldap/lib/ConnectionFactory.php b/apps/user_ldap/lib/ConnectionFactory.php index 48275ff8c3c..dd0ad31920a 100644 --- a/apps/user_ldap/lib/ConnectionFactory.php +++ b/apps/user_ldap/lib/ConnectionFactory.php @@ -1,34 +1,15 @@ <?php + /** - * @copyright Copyright (c) 2018 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; class ConnectionFactory { - /** @var ILDAPWrapper */ - private $ldap; - - public function __construct(ILDAPWrapper $ldap) { - $this->ldap = $ldap; + public function __construct( + private ILDAPWrapper $ldap, + ) { } public function get($prefix) { diff --git a/apps/user_ldap/lib/Controller/ConfigAPIController.php b/apps/user_ldap/lib/Controller/ConfigAPIController.php index b96aee291d5..d98e6d41b52 100644 --- a/apps/user_ldap/lib/Controller/ConfigAPIController.php +++ b/apps/user_ldap/lib/Controller/ConfigAPIController.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Controller; use OC\CapabilitiesManager; @@ -30,36 +12,31 @@ use OC\Security\IdentityProof\Manager; use OCA\User_LDAP\Configuration; use OCA\User_LDAP\ConnectionFactory; use OCA\User_LDAP\Helper; +use OCA\User_LDAP\Settings\Admin; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSBadRequestException; use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\OCS\OCSNotFoundException; -use OCP\ILogger; use OCP\IRequest; use OCP\IUserManager; use OCP\IUserSession; +use OCP\ServerVersion; +use Psr\Log\LoggerInterface; class ConfigAPIController extends OCSController { - - /** @var Helper */ - private $ldapHelper; - - /** @var ILogger */ - private $logger; - - /** @var ConnectionFactory */ - private $connectionFactory; - public function __construct( - $appName, + string $appName, IRequest $request, CapabilitiesManager $capabilitiesManager, IUserSession $userSession, IUserManager $userManager, Manager $keyManager, - Helper $ldapHelper, - ILogger $logger, - ConnectionFactory $connectionFactory + ServerVersion $serverVersion, + private Helper $ldapHelper, + private LoggerInterface $logger, + private ConnectionFactory $connectionFactory, ) { parent::__construct( $appName, @@ -67,87 +44,44 @@ class ConfigAPIController extends OCSController { $capabilitiesManager, $userSession, $userManager, - $keyManager + $keyManager, + $serverVersion, ); - - - $this->ldapHelper = $ldapHelper; - $this->logger = $logger; - $this->connectionFactory = $connectionFactory; } /** - * creates a new (empty) configuration and returns the resulting prefix - * - * Example: curl -X POST -H "OCS-APIREQUEST: true" -u $admin:$password \ - * https://nextcloud.server/ocs/v2.php/apps/user_ldap/api/v1/config - * - * results in: - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>ok</status> - * <statuscode>200</statuscode> - * <message>OK</message> - * </meta> - * <data> - * <configID>s40</configID> - * </data> - * </ocs> - * - * Failing example: if an exception is thrown (e.g. Database connection lost) - * the detailed error will be logged. The output will then look like: - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>failure</status> - * <statuscode>999</statuscode> - * <message>An issue occurred when creating the new config.</message> - * </meta> - * <data/> - * </ocs> + * Create a new (empty) configuration and return the resulting prefix * - * For JSON output provide the format=json parameter - * - * @return DataResponse + * @return DataResponse<Http::STATUS_OK, array{configID: string}, array{}> * @throws OCSException + * + * 200: Config created successfully */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function create() { try { $configPrefix = $this->ldapHelper->getNextServerConfigurationPrefix(); $configHolder = new Configuration($configPrefix); + $configHolder->ldapConfigurationActive = false; $configHolder->saveConfiguration(); } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when creating the new config.'); } return new DataResponse(['configID' => $configPrefix]); } /** - * Deletes a LDAP configuration, if present. - * - * Example: - * curl -X DELETE -H "OCS-APIREQUEST: true" -u $admin:$password \ - * https://nextcloud.server/ocs/v2.php/apps/user_ldap/api/v1/config/s60 - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>ok</status> - * <statuscode>200</statuscode> - * <message>OK</message> - * </meta> - * <data/> - * </ocs> + * Delete a LDAP configuration * - * @param string $configID - * @return DataResponse - * @throws OCSBadRequestException + * @param string $configID ID of the config + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * @throws OCSNotFoundException Config not found + * + * 200: Config deleted successfully */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function delete($configID) { try { $this->ensureConfigIDExists($configID); @@ -157,7 +91,7 @@ class ConfigAPIController extends OCSController { } catch (OCSException $e) { throw $e; } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when deleting the config.'); } @@ -165,28 +99,18 @@ class ConfigAPIController extends OCSController { } /** - * modifies a configuration + * Modify a configuration * - * Example: - * curl -X PUT -d "configData[ldapHost]=ldaps://my.ldap.server&configData[ldapPort]=636" \ - * -H "OCS-APIREQUEST: true" -u $admin:$password \ - * https://nextcloud.server/ocs/v2.php/apps/user_ldap/api/v1/config/s60 - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>ok</status> - * <statuscode>200</statuscode> - * <message>OK</message> - * </meta> - * <data/> - * </ocs> - * - * @param string $configID - * @param array $configData - * @return DataResponse + * @param string $configID ID of the config + * @param array<string, mixed> $configData New config + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * @throws OCSBadRequestException Modifying config is not possible + * @throws OCSNotFoundException Config not found + * + * 200: Config returned */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function modify($configID, $configData) { try { $this->ensureConfigIDExists($configID); @@ -209,7 +133,7 @@ class ConfigAPIController extends OCSController { } catch (OCSException $e) { throw $e; } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when modifying the config.'); } @@ -217,8 +141,9 @@ class ConfigAPIController extends OCSController { } /** - * retrieves a configuration + * Get a configuration * + * Output can look like this: * <?xml version="1.0"?> * <ocs> * <meta> @@ -281,18 +206,22 @@ class ConfigAPIController extends OCSController { * </data> * </ocs> * - * @param string $configID - * @param bool|string $showPassword - * @return DataResponse + * @param string $configID ID of the config + * @param bool $showPassword Whether to show the password + * @return DataResponse<Http::STATUS_OK, array<string, mixed>, array{}> * @throws OCSException + * @throws OCSNotFoundException Config not found + * + * 200: Config returned */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function show($configID, $showPassword = false) { try { $this->ensureConfigIDExists($configID); $config = new Configuration($configID); $data = $config->getConfiguration(); - if (!(int)$showPassword) { + if (!$showPassword) { $data['ldapAgentPassword'] = '***'; } foreach ($data as $key => $value) { @@ -304,7 +233,7 @@ class ConfigAPIController extends OCSController { } catch (OCSException $e) { throw $e; } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when modifying the config.'); } @@ -312,12 +241,13 @@ class ConfigAPIController extends OCSController { } /** - * if the given config ID is not available, an exception is thrown + * If the given config ID is not available, an exception is thrown * * @param string $configID * @throws OCSNotFoundException */ - private function ensureConfigIDExists($configID) { + #[AuthorizedAdminSetting(settings: Admin::class)] + private function ensureConfigIDExists($configID): void { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(); if (!in_array($configID, $prefixes, true)) { throw new OCSNotFoundException('Config ID not found'); diff --git a/apps/user_ldap/lib/Controller/RenewPasswordController.php b/apps/user_ldap/lib/Controller/RenewPasswordController.php index 715ca1a170c..8389a362b8f 100644 --- a/apps/user_ldap/lib/Controller/RenewPasswordController.php +++ b/apps/user_ldap/lib/Controller/RenewPasswordController.php @@ -1,33 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Controller; -use OC\HintException; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoCSRFRequired; +use OCP\AppFramework\Http\Attribute\OpenAPI; +use OCP\AppFramework\Http\Attribute\PublicPage; +use OCP\AppFramework\Http\Attribute\UseSession; use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\TemplateResponse; +use OCP\HintException; use OCP\IConfig; use OCP\IL10N; use OCP\IRequest; @@ -36,18 +22,8 @@ use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; +#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] class RenewPasswordController extends Controller { - /** @var IUserManager */ - private $userManager; - /** @var IConfig */ - private $config; - /** @var IL10N */ - protected $l10n; - /** @var ISession */ - private $session; - /** @var IURLGenerator */ - private $urlGenerator; - /** * @param string $appName * @param IRequest $request @@ -55,35 +31,35 @@ class RenewPasswordController extends Controller { * @param IConfig $config * @param IURLGenerator $urlGenerator */ - public function __construct($appName, IRequest $request, IUserManager $userManager, - IConfig $config, IL10N $l10n, ISession $session, IURLGenerator $urlGenerator) { + public function __construct( + $appName, + IRequest $request, + private IUserManager $userManager, + private IConfig $config, + protected IL10N $l10n, + private ISession $session, + private IURLGenerator $urlGenerator, + ) { parent::__construct($appName, $request); - $this->userManager = $userManager; - $this->config = $config; - $this->l10n = $l10n; - $this->session = $session; - $this->urlGenerator = $urlGenerator; } /** - * @PublicPage - * @NoCSRFRequired - * * @return RedirectResponse */ + #[PublicPage] + #[NoCSRFRequired] public function cancel() { return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); } /** - * @PublicPage - * @NoCSRFRequired - * @UseSession - * * @param string $user * * @return TemplateResponse|RedirectResponse */ + #[PublicPage] + #[NoCSRFRequired] + #[UseSession] public function showRenewPasswordForm($user) { if ($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') { return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); @@ -93,7 +69,7 @@ class RenewPasswordController extends Controller { $errors = []; $messages = []; if (is_array($renewPasswordMessages)) { - list($errors, $messages) = $renewPasswordMessages; + [$errors, $messages] = $renewPasswordMessages; } $this->session->remove('renewPasswordMessages'); foreach ($errors as $value) { @@ -119,15 +95,14 @@ class RenewPasswordController extends Controller { } /** - * @PublicPage - * @UseSession - * * @param string $user * @param string $oldPassword * @param string $newPassword * * @return RedirectResponse */ + #[PublicPage] + #[UseSession] public function tryRenewPassword($user, $oldPassword, $newPassword) { if ($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') { return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); @@ -140,11 +115,11 @@ class RenewPasswordController extends Controller { ]); return new RedirectResponse($this->urlGenerator->linkToRoute('user_ldap.renewPassword.showRenewPasswordForm', $args)); } - + try { if (!is_null($newPassword) && \OC_User::setPassword($user, $newPassword)) { $this->session->set('loginMessages', [ - [], [$this->l10n->t("Please login with the new password")] + [], [$this->l10n->t('Please login with the new password')] ]); $this->config->setUserValue($user, 'user_ldap', 'needsPasswordReset', 'false'); return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); @@ -163,12 +138,11 @@ class RenewPasswordController extends Controller { } /** - * @PublicPage - * @NoCSRFRequired - * @UseSession - * * @return RedirectResponse */ + #[PublicPage] + #[NoCSRFRequired] + #[UseSession] public function showLoginFormInvalidPassword($user) { $args = !is_null($user) ? ['user' => $user] : []; $this->session->set('loginMessages', [ diff --git a/apps/user_ldap/lib/DataCollector/LdapDataCollector.php b/apps/user_ldap/lib/DataCollector/LdapDataCollector.php new file mode 100644 index 00000000000..2f74a628a32 --- /dev/null +++ b/apps/user_ldap/lib/DataCollector/LdapDataCollector.php @@ -0,0 +1,36 @@ +<?php + +declare(strict_types = 1); +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\DataCollector; + +use OC\AppFramework\Http\Request; +use OCP\AppFramework\Http\Response; +use OCP\DataCollector\AbstractDataCollector; + +class LdapDataCollector extends AbstractDataCollector { + public function startLdapRequest(string $query, array $args, array $backtrace): void { + $this->data[] = [ + 'start' => microtime(true), + 'query' => $query, + 'args' => $args, + 'end' => microtime(true), + 'backtrace' => $backtrace, + ]; + } + + public function stopLastLdapRequest(): void { + $this->data[count($this->data) - 1]['end'] = microtime(true); + } + + public function getName(): string { + return 'ldap'; + } + + public function collect(Request $request, Response $response, ?\Throwable $exception = null): void { + } +} diff --git a/apps/user_ldap/lib/Db/GroupMembership.php b/apps/user_ldap/lib/Db/GroupMembership.php new file mode 100644 index 00000000000..6141f1b18c9 --- /dev/null +++ b/apps/user_ldap/lib/Db/GroupMembership.php @@ -0,0 +1,31 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Db; + +use OCP\AppFramework\Db\Entity; + +/** + * @method void setUserid(string $userid) + * @method string getUserid() + * @method void setGroupid(string $groupid) + * @method string getGroupid() + */ +class GroupMembership extends Entity { + /** @var string */ + protected $groupid; + + /** @var string */ + protected $userid; + + public function __construct() { + $this->addType('groupid', 'string'); + $this->addType('userid', 'string'); + } +} diff --git a/apps/user_ldap/lib/Db/GroupMembershipMapper.php b/apps/user_ldap/lib/Db/GroupMembershipMapper.php new file mode 100644 index 00000000000..b3d6c31dda6 --- /dev/null +++ b/apps/user_ldap/lib/Db/GroupMembershipMapper.php @@ -0,0 +1,72 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Db; + +use OCP\AppFramework\Db\QBMapper; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; + +/** + * @template-extends QBMapper<GroupMembership> + */ +class GroupMembershipMapper extends QBMapper { + public function __construct(IDBConnection $db) { + parent::__construct($db, 'ldap_group_membership', GroupMembership::class); + } + + /** + * @return string[] + */ + public function getKnownGroups(): array { + $query = $this->db->getQueryBuilder(); + $result = $query->selectDistinct('groupid') + ->from($this->getTableName()) + ->executeQuery(); + + $groups = array_column($result->fetchAll(), 'groupid'); + $result->closeCursor(); + return $groups; + } + + /** + * @return GroupMembership[] + */ + public function findGroupMemberships(string $groupid): array { + $qb = $this->db->getQueryBuilder(); + $select = $qb->select('*') + ->from($this->getTableName()) + ->where($qb->expr()->eq('groupid', $qb->createNamedParameter($groupid))); + + return $this->findEntities($select); + } + + /** + * @return GroupMembership[] + */ + public function findGroupMembershipsForUser(string $userid): array { + $qb = $this->db->getQueryBuilder(); + $select = $qb->select('*') + ->from($this->getTableName()) + ->where($qb->expr()->eq('userid', $qb->createNamedParameter($userid))); + + return $this->findEntities($select); + } + + public function deleteGroups(array $removedGroups): void { + $query = $this->db->getQueryBuilder(); + $query->delete($this->getTableName()) + ->where($query->expr()->in('groupid', $query->createParameter('groupids'))); + + foreach (array_chunk($removedGroups, 1000) as $removedGroupsChunk) { + $query->setParameter('groupids', $removedGroupsChunk, IQueryBuilder::PARAM_STR_ARRAY); + $query->executeStatement(); + } + } +} diff --git a/apps/user_ldap/lib/Events/GroupBackendRegistered.php b/apps/user_ldap/lib/Events/GroupBackendRegistered.php index 6f620cb4e57..a94c239c1b3 100644 --- a/apps/user_ldap/lib/Events/GroupBackendRegistered.php +++ b/apps/user_ldap/lib/Events/GroupBackendRegistered.php @@ -3,28 +3,9 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Events; use OCA\User_LDAP\GroupPluginManager; @@ -38,14 +19,10 @@ use OCP\EventDispatcher\Event; */ class GroupBackendRegistered extends Event { - /** @var GroupPluginManager */ - private $pluginManager; - /** @var IGroupLDAP */ - private $backend; - - public function __construct(IGroupLDAP $backend, GroupPluginManager $pluginManager) { - $this->pluginManager = $pluginManager; - $this->backend = $backend; + public function __construct( + private IGroupLDAP $backend, + private GroupPluginManager $pluginManager, + ) { } public function getBackend(): IGroupLDAP { diff --git a/apps/user_ldap/lib/Events/UserBackendRegistered.php b/apps/user_ldap/lib/Events/UserBackendRegistered.php index 07b6060cb2b..a26e23f8f83 100644 --- a/apps/user_ldap/lib/Events/UserBackendRegistered.php +++ b/apps/user_ldap/lib/Events/UserBackendRegistered.php @@ -3,28 +3,9 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Events; use OCA\User_LDAP\IUserLDAP; @@ -38,14 +19,10 @@ use OCP\EventDispatcher\Event; */ class UserBackendRegistered extends Event { - /** @var IUserLDAP */ - private $backend; - /** @var UserPluginManager */ - private $pluginManager; - - public function __construct(IUserLDAP $backend, UserPluginManager $pluginManager) { - $this->backend = $backend; - $this->pluginManager = $pluginManager; + public function __construct( + private IUserLDAP $backend, + private UserPluginManager $pluginManager, + ) { } public function getBackend(): IUserLDAP { diff --git a/apps/user_ldap/lib/Exceptions/AttributeNotSet.php b/apps/user_ldap/lib/Exceptions/AttributeNotSet.php index faa617efd13..4d6053eda66 100644 --- a/apps/user_ldap/lib/Exceptions/AttributeNotSet.php +++ b/apps/user_ldap/lib/Exceptions/AttributeNotSet.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2019 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Exceptions; class AttributeNotSet extends \RuntimeException { diff --git a/apps/user_ldap/lib/Exceptions/ConfigurationIssueException.php b/apps/user_ldap/lib/Exceptions/ConfigurationIssueException.php new file mode 100644 index 00000000000..efeb426b13d --- /dev/null +++ b/apps/user_ldap/lib/Exceptions/ConfigurationIssueException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Exceptions; + +use OCP\HintException; + +class ConfigurationIssueException extends HintException { +} diff --git a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php index 46cae91e2c7..d0d384c31de 100644 --- a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php +++ b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Exceptions; class ConstraintViolationException extends \Exception { diff --git a/apps/user_ldap/lib/Exceptions/NoMoreResults.php b/apps/user_ldap/lib/Exceptions/NoMoreResults.php new file mode 100644 index 00000000000..b5621d86eb6 --- /dev/null +++ b/apps/user_ldap/lib/Exceptions/NoMoreResults.php @@ -0,0 +1,12 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP\Exceptions; + +class NoMoreResults extends \Exception { +} diff --git a/apps/user_ldap/lib/Exceptions/NotOnLDAP.php b/apps/user_ldap/lib/Exceptions/NotOnLDAP.php index bd59d4956c2..cd74e918829 100644 --- a/apps/user_ldap/lib/Exceptions/NotOnLDAP.php +++ b/apps/user_ldap/lib/Exceptions/NotOnLDAP.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Exceptions; class NotOnLDAP extends \Exception { diff --git a/apps/user_ldap/lib/FilesystemHelper.php b/apps/user_ldap/lib/FilesystemHelper.php deleted file mode 100644 index 6a52afcdec1..00000000000 --- a/apps/user_ldap/lib/FilesystemHelper.php +++ /dev/null @@ -1,47 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\User_LDAP; - -/** - * @brief wraps around static Nextcloud core methods - */ -class FilesystemHelper { - - /** - * @brief states whether the filesystem was loaded - * @return bool - */ - public function isLoaded() { - return \OC\Files\Filesystem::$loaded; - } - - /** - * @brief initializes the filesystem for the given user - * @param string $uid the Nextcloud username of the user - */ - public function setup($uid) { - \OC_Util::setupFS($uid); - } -} diff --git a/apps/user_ldap/lib/GroupPluginManager.php b/apps/user_ldap/lib/GroupPluginManager.php index 56c4aab9f3b..9e8ae6805a4 100644 --- a/apps/user_ldap/lib/GroupPluginManager.php +++ b/apps/user_ldap/lib/GroupPluginManager.php @@ -1,35 +1,20 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; use OCP\GroupInterface; +use OCP\Server; +use Psr\Log\LoggerInterface; class GroupPluginManager { - private $respondToActions = 0; + private int $respondToActions = 0; - private $which = [ + /** @var array<int, ?ILDAPGroupPlugin> */ + private array $which = [ GroupInterface::CREATE_GROUP => null, GroupInterface::DELETE_GROUP => null, GroupInterface::ADD_TO_GROUP => null, @@ -38,6 +23,8 @@ class GroupPluginManager { GroupInterface::GROUP_DETAILS => null ]; + private bool $suppressDeletion = false; + /** * @return int All implemented actions */ @@ -56,7 +43,7 @@ class GroupPluginManager { foreach ($this->which as $action => $v) { if ((bool)($respondToActions & $action)) { $this->which[$action] = $plugin; - \OC::$server->getLogger()->debug("Registered action ".$action." to plugin ".get_class($plugin), ['app' => 'user_ldap']); + Server::get(LoggerInterface::class)->debug('Registered action ' . $action . ' to plugin ' . get_class($plugin), ['app' => 'user_ldap']); } } } @@ -85,16 +72,31 @@ class GroupPluginManager { throw new \Exception('No plugin implements createGroup in this LDAP Backend.'); } + public function canDeleteGroup(): bool { + return !$this->suppressDeletion && $this->implementsActions(GroupInterface::DELETE_GROUP); + } + + /** + * @return bool – the value before the change + */ + public function setSuppressDeletion(bool $value): bool { + $old = $this->suppressDeletion; + $this->suppressDeletion = $value; + return $old; + } + /** * Delete a group - * @param string $gid Group Id of the group to delete - * @return bool + * * @throws \Exception */ - public function deleteGroup($gid) { + public function deleteGroup(string $gid): bool { $plugin = $this->which[GroupInterface::DELETE_GROUP]; if ($plugin) { + if ($this->suppressDeletion) { + return false; + } return $plugin->deleteGroup($gid); } throw new \Exception('No plugin implements deleteGroup in this LDAP Backend.'); @@ -147,7 +149,7 @@ class GroupPluginManager { $plugin = $this->which[GroupInterface::COUNT_USERS]; if ($plugin) { - return $plugin->countUsersInGroup($gid,$search); + return $plugin->countUsersInGroup($gid, $search); } throw new \Exception('No plugin implements countUsersInGroup in this LDAP Backend.'); } diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index c84f22bdd30..271cc96afbd 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -1,78 +1,49 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Alex Weirig <alex.weirig@technolink.lu> - * @author alexweirig <alex.weirig@technolink.lu> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Andreas Pflug <dev@admin4.org> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clement Wong <git@clement.hk> - * @author Frédéric Fortier <frederic.fortier@oronospolytechnique.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roland Tapken <roland@bitarbeiter.net> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Tobias Perschon <tobias@perschon.at> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * @author Xuanwo <xuanwo@yunify.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; -use Closure; use Exception; -use OC; -use OC\Cache\CappedMemoryCache; use OC\ServerNotAvailableException; +use OCA\User_LDAP\User\OfflineUser; +use OCP\Cache\CappedMemoryCache; +use OCP\Group\Backend\ABackend; +use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\IIsAdminBackend; use OCP\GroupInterface; -use OCP\ILogger; - -class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend { - protected $enabled = false; - - /** @var string[][] $cachedGroupMembers array of users with gid as key */ - protected $cachedGroupMembers; - /** @var string[] $cachedGroupsByMember array of groups with uid as key */ - protected $cachedGroupsByMember; - /** @var string[] $cachedNestedGroups array of groups with gid (DN) as key */ - protected $cachedNestedGroups; - /** @var GroupPluginManager */ - protected $groupPluginManager; - /** @var ILogger */ - protected $logger; +use OCP\IConfig; +use OCP\IUserManager; +use OCP\Server; +use Psr\Log\LoggerInterface; +use function json_decode; + +class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend { + protected bool $enabled = false; + + /** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */ + protected CappedMemoryCache $cachedGroupMembers; + /** @var CappedMemoryCache<array[]> $cachedGroupsByMember array of groups with user DN as key */ + protected CappedMemoryCache $cachedGroupsByMember; + /** @var CappedMemoryCache<string[]> $cachedNestedGroups array of groups with gid (DN) as key */ + protected CappedMemoryCache $cachedNestedGroups; + protected LoggerInterface $logger; /** * @var string $ldapGroupMemberAssocAttr contains the LDAP setting (in lower case) with the same name */ - protected $ldapGroupMemberAssocAttr; - - public function __construct(Access $access, GroupPluginManager $groupPluginManager) { - parent::__construct($access); + protected string $ldapGroupMemberAssocAttr; + + public function __construct( + protected Access $access, + protected GroupPluginManager $groupPluginManager, + private IConfig $config, + private IUserManager $ncUserManager, + ) { $filter = $this->access->connection->ldapGroupFilter; $gAssoc = $this->access->connection->ldapGroupMemberAssocAttr; if (!empty($filter) && !empty($gAssoc)) { @@ -82,21 +53,19 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $this->cachedGroupMembers = new CappedMemoryCache(); $this->cachedGroupsByMember = new CappedMemoryCache(); $this->cachedNestedGroups = new CappedMemoryCache(); - $this->groupPluginManager = $groupPluginManager; - $this->logger = OC::$server->getLogger(); - $this->ldapGroupMemberAssocAttr = strtolower($gAssoc); + $this->logger = Server::get(LoggerInterface::class); + $this->ldapGroupMemberAssocAttr = strtolower((string)$gAssoc); } /** - * is user in group? + * Check if user is in group * * @param string $uid uid of the user * @param string $gid gid of the group - * @return bool * @throws Exception * @throws ServerNotAvailableException */ - public function inGroup($uid, $gid) { + public function inGroup($uid, $gid): bool { if (!$this->enabled) { return false; } @@ -203,7 +172,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * @throws ServerNotAvailableException */ public function getDynamicGroupMembers(string $dnGroup): array { - $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL); + $dynamicGroupMemberURL = strtolower((string)$this->access->connection->ldapDynamicGroupMemberURL); if (empty($dynamicGroupMemberURL)) { return []; @@ -240,16 +209,17 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** + * Get group members from dn. + * @psalm-param array<string, bool> $seen List of DN that have already been processed. * @throws ServerNotAvailableException */ - private function _groupMembers(string $dnGroup, ?array &$seen = null): array { - if ($seen === null) { - $seen = []; - } - $allMembers = []; - if (array_key_exists($dnGroup, $seen)) { + private function _groupMembers(string $dnGroup, array $seen = [], bool &$recursive = false): array { + if (isset($seen[$dnGroup])) { + $recursive = true; return []; } + $seen[$dnGroup] = true; + // used extensively in cron job, caching makes sense for nested groups $cacheKey = '_groupMembers' . $dnGroup; $groupMembers = $this->access->connection->getFromCache($cacheKey); @@ -263,7 +233,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I && $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE ) { $attemptedLdapMatchingRuleInChain = true; - // compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others) + // Use matching rule 1.2.840.113556.1.4.1941 if available (LDAP_MATCHING_RULE_IN_CHAIN) $filter = $this->access->combineFilterWithAnd([ $this->access->connection->ldapUserFilter, $this->access->connection->ldapUserDisplayName . '=*', @@ -278,27 +248,50 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I return $carry; }, []); if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) { + $this->access->connection->writeToCache($cacheKey, $result); return $result; } elseif (!empty($memberRecords)) { $this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE; $this->access->connection->saveConfiguration(); + $this->access->connection->writeToCache($cacheKey, $result); return $result; } // when feature availability is unknown, and the result is empty, continue and test with original approach } - $seen[$dnGroup] = 1; + $allMembers = []; $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr); if (is_array($members)) { - $fetcher = function ($memberDN, &$seen) { - return $this->_groupMembers($memberDN, $seen); - }; - $allMembers = $this->walkNestedGroups($dnGroup, $fetcher, $members); + if ((int)$this->access->connection->ldapNestedGroups === 1) { + while ($recordDn = array_shift($members)) { + $nestedMembers = $this->_groupMembers($recordDn, $seen, $recursive); + if (!empty($nestedMembers)) { + // Group, queue its members for processing + $members = array_merge($members, $nestedMembers); + } else { + // User (or empty group, or previously seen group), add it to the member list + $allMembers[] = $recordDn; + } + } + } else { + $allMembers = $members; + } } $allMembers += $this->getDynamicGroupMembers($dnGroup); - $this->access->connection->writeToCache($cacheKey, $allMembers); + $allMembers = array_unique($allMembers); + + // A group cannot be a member of itself + $index = array_search($dnGroup, $allMembers, true); + if ($index !== false) { + unset($allMembers[$index]); + } + + if (!$recursive) { + $this->access->connection->writeToCache($cacheKey, $allMembers); + } + if (isset($attemptedLdapMatchingRuleInChain) && $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN && !empty($allMembers) @@ -306,73 +299,47 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE; $this->access->connection->saveConfiguration(); } + return $allMembers; } /** + * @return string[] * @throws ServerNotAvailableException */ - private function _getGroupDNsFromMemberOf(string $dn): array { - $groups = $this->access->readAttribute($dn, 'memberOf'); - if (!is_array($groups)) { + private function _getGroupDNsFromMemberOf(string $dn, array &$seen = []): array { + if (isset($seen[$dn])) { return []; } + $seen[$dn] = true; - $fetcher = function ($groupDN) { - if (isset($this->cachedNestedGroups[$groupDN])) { - $nestedGroups = $this->cachedNestedGroups[$groupDN]; - } else { - $nestedGroups = $this->access->readAttribute($groupDN, 'memberOf'); - if (!is_array($nestedGroups)) { - $nestedGroups = []; - } - $this->cachedNestedGroups[$groupDN] = $nestedGroups; - } - return $nestedGroups; - }; - - $groups = $this->walkNestedGroups($dn, $fetcher, $groups); - return $this->filterValidGroups($groups); - } - - private function walkNestedGroups(string $dn, Closure $fetcher, array $list): array { - $nesting = (int)$this->access->connection->ldapNestedGroups; - // depending on the input, we either have a list of DNs or a list of LDAP records - // also, the output expects either DNs or records. Testing the first element should suffice. - $recordMode = is_array($list) && isset($list[0]) && is_array($list[0]) && isset($list[0]['dn'][0]); - - if ($nesting !== 1) { - if ($recordMode) { - // the keys are numeric, but should hold the DN - return array_reduce($list, function ($transformed, $record) use ($dn) { - if ($record['dn'][0] != $dn) { - $transformed[$record['dn'][0]] = $record; - } - return $transformed; - }, []); - } - return $list; + if (isset($this->cachedNestedGroups[$dn])) { + return $this->cachedNestedGroups[$dn]; } - $seen = []; - while ($record = array_shift($list)) { - $recordDN = $recordMode ? $record['dn'][0] : $record; - if ($recordDN === $dn || array_key_exists($recordDN, $seen)) { - // Prevent loops - continue; + $allGroups = []; + $groups = $this->access->readAttribute($dn, 'memberOf'); + if (is_array($groups)) { + if ((int)$this->access->connection->ldapNestedGroups === 1) { + while ($recordDn = array_shift($groups)) { + $nestedParents = $this->_getGroupDNsFromMemberOf($recordDn, $seen); + $groups = array_merge($groups, $nestedParents); + $allGroups[] = $recordDn; + } + } else { + $allGroups = $groups; } - $fetched = $fetcher($record, $seen); - $list = array_merge($list, $fetched); - $seen[$recordDN] = $record; } - return $recordMode ? $seen : array_keys($seen); + // We do not perform array_unique here at it is done in getUserGroups later + $this->cachedNestedGroups[$dn] = $allGroups; + return $this->filterValidGroups($allGroups); } /** - * translates a gidNumber into an ownCloud internal name + * Translates a gidNumber into the Nextcloud internal name. * - * @return string|bool + * @return string|false The nextcloud internal name. * @throws Exception * @throws ServerNotAvailableException */ @@ -393,12 +360,14 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** + * @return string|null|false The name of the group * @throws ServerNotAvailableException * @throws Exception */ private function getNameOfGroup(string $filter, string $cacheKey) { $result = $this->access->searchGroups($filter, ['dn'], 1); if (empty($result)) { + $this->access->connection->writeToCache($cacheKey, false); return null; } $dn = $result[0]['dn'][0]; @@ -414,9 +383,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * returns the entry's gidNumber - * - * @return string|bool + * @return string|bool The entry's gidNumber * @throws ServerNotAvailableException */ private function getEntryGidNumber(string $dn, string $attribute) { @@ -428,7 +395,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * @return string|bool + * @return string|bool The group's gidNumber * @throws ServerNotAvailableException */ public function getGroupGidNumber(string $dn) { @@ -436,14 +403,13 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * returns the user's gidNumber - * - * @return string|bool + * @return string|bool The user's gidNumber * @throws ServerNotAvailableException */ public function getUserGidNumber(string $dn) { $gidNumber = false; if ($this->access->connection->hasGidNumber) { + // FIXME: when $dn does not exist on LDAP anymore, this will be set wrongly to false :/ $gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber); if ($gidNumber === false) { $this->access->connection->hasGidNumber = false; @@ -473,21 +439,20 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * returns a list of users that have the given group as gid number - * + * @return array<int,string> A list of users that have the given group as gid number * @throws ServerNotAvailableException */ public function getUsersInGidNumber( string $groupDN, string $search = '', ?int $limit = -1, - ?int $offset = 0 + ?int $offset = 0, ): array { try { $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search); $users = $this->access->fetchListOfUsers( $filter, - [$this->access->connection->ldapUserDisplayName, 'dn'], + $this->access->userManager->getAttributes(true), $limit, $offset ); @@ -501,7 +466,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I /** * @throws ServerNotAvailableException - * @return bool + * @return false|string */ public function getUserGroupByGid(string $dn) { $groupID = $this->getUserGidNumber($dn); @@ -516,17 +481,17 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * translates a primary group ID into an Nextcloud internal name + * Translates a primary group ID into an Nextcloud internal name * - * @return string|bool + * @return string|false * @throws Exception * @throws ServerNotAvailableException */ public function primaryGroupID2Name(string $gid, string $dn) { - $cacheKey = 'primaryGroupIDtoName'; - $groupNames = $this->access->connection->getFromCache($cacheKey); - if (!is_null($groupNames) && isset($groupNames[$gid])) { - return $groupNames[$gid]; + $cacheKey = 'primaryGroupIDtoName_' . $gid; + $groupName = $this->access->connection->getFromCache($cacheKey); + if (!is_null($groupName)) { + return $groupName; } $domainObjectSid = $this->access->getSID($dn); @@ -543,9 +508,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * returns the entry's primary group ID - * - * @return string|bool + * @return string|false The entry's group Id * @throws ServerNotAvailableException */ private function getEntryGroupID(string $dn, string $attribute) { @@ -557,7 +520,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * @return string|bool + * @return string|false The entry's primary group Id * @throws ServerNotAvailableException */ public function getGroupPrimaryGroupID(string $dn) { @@ -565,7 +528,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * @return string|bool + * @return string|false * @throws ServerNotAvailableException */ public function getUserPrimaryGroupIDs(string $dn) { @@ -601,18 +564,19 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I /** * @throws ServerNotAvailableException + * @return array<int,string> */ public function getUsersInPrimaryGroup( string $groupDN, string $search = '', ?int $limit = -1, - ?int $offset = 0 + ?int $offset = 0, ): array { try { $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); $users = $this->access->fetchListOfUsers( $filter, - [$this->access->connection->ldapUserDisplayName, 'dn'], + $this->access->userManager->getAttributes(true), $limit, $offset ); @@ -631,7 +595,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I string $groupDN, string $search = '', int $limit = -1, - int $offset = 0 + int $offset = 0, ): int { try { $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); @@ -645,7 +609,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * @return string|bool + * @return string|false * @throws ServerNotAvailableException */ public function getUserPrimaryGroup(string $dn) { @@ -660,6 +624,29 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I return false; } + private function isUserOnLDAP(string $uid): bool { + // forces a user exists check - but does not help if a positive result is cached, while group info is not + $ncUser = $this->ncUserManager->get($uid); + if ($ncUser === null) { + return false; + } + $backend = $ncUser->getBackend(); + if ($backend instanceof User_Proxy) { + // ignoring cache as safeguard (and we are behind the group cache check anyway) + return $backend->userExistsOnLDAP($uid, true); + } + return false; + } + + /** + * @param string $uid + * @return list<string> + */ + protected function getCachedGroupsForUserId(string $uid): array { + $groupStr = $this->config->getUserValue($uid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), '[]'); + return json_decode($groupStr, true) ?? []; + } + /** * This function fetches all groups a user belongs to. It does not check * if the user exists at all. @@ -667,19 +654,29 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * This function includes groups based on dynamic group membership. * * @param string $uid Name of the user - * @return array with group names + * @return list<string> Group names * @throws Exception * @throws ServerNotAvailableException */ - public function getUserGroups($uid) { + public function getUserGroups($uid): array { if (!$this->enabled) { return []; } + $ncUid = $uid; + $cacheKey = 'getUserGroups' . $uid; $userGroups = $this->access->connection->getFromCache($cacheKey); if (!is_null($userGroups)) { return $userGroups; } + + $user = $this->access->userManager->get($uid); + if ($user instanceof OfflineUser) { + // We load known group memberships from configuration for remnants, + // because LDAP server does not contain them anymore + return $this->getCachedGroupsForUserId($uid); + } + $userDN = $this->access->username2dn($uid); if (!$userDN) { $this->access->connection->writeToCache($cacheKey, []); @@ -697,7 +694,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $groupsToMatch = $this->access->fetchListOfGroups( $this->access->connection->ldapGroupFilter, ['dn', $dynamicGroupMemberURL]); foreach ($groupsToMatch as $dynamicGroup) { - if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) { + if (!isset($dynamicGroup[$dynamicGroupMemberURL][0])) { continue; } $pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '('); @@ -738,64 +735,48 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I && $this->ldapGroupMemberAssocAttr !== 'memberuid' && $this->ldapGroupMemberAssocAttr !== 'zimbramailforwardingaddress') { $groupDNs = $this->_getGroupDNsFromMemberOf($userDN); - if (is_array($groupDNs)) { - foreach ($groupDNs as $dn) { - $groupName = $this->access->dn2groupname($dn); - if (is_string($groupName)) { - // be sure to never return false if the dn could not be - // resolved to a name, for whatever reason. - $groups[] = $groupName; - } + foreach ($groupDNs as $dn) { + $groupName = $this->access->dn2groupname($dn); + if (is_string($groupName)) { + // be sure to never return false if the dn could not be + // resolved to a name, for whatever reason. + $groups[] = $groupName; } } + } else { + // uniqueMember takes DN, memberuid the uid, so we need to distinguish + switch ($this->ldapGroupMemberAssocAttr) { + case 'uniquemember': + case 'member': + $uid = $userDN; + break; - if ($primaryGroup !== false) { - $groups[] = $primaryGroup; - } - if ($gidGroupName !== false) { - $groups[] = $gidGroupName; - } - $this->access->connection->writeToCache($cacheKey, $groups); - return $groups; - } - - //uniqueMember takes DN, memberuid the uid, so we need to distinguish - switch ($this->ldapGroupMemberAssocAttr) { - case 'uniquemember': - case 'member': - $uid = $userDN; - break; - - case 'memberuid': - case 'zimbramailforwardingaddress': - $result = $this->access->readAttribute($userDN, 'uid'); - if ($result === false) { - $this->logger->debug('No uid attribute found for DN {dn} on {host}', - [ - 'app' => 'user_ldap', - 'dn' => $userDN, - 'host' => $this->access->connection->ldapHost, - ] - ); - $uid = false; - } else { - $uid = $result[0]; - } - break; + case 'memberuid': + case 'zimbramailforwardingaddress': + $result = $this->access->readAttribute($userDN, 'uid'); + if ($result === false) { + $this->logger->debug('No uid attribute found for DN {dn} on {host}', + [ + 'app' => 'user_ldap', + 'dn' => $userDN, + 'host' => $this->access->connection->ldapHost, + ] + ); + $uid = false; + } else { + $uid = $result[0]; + } + break; - default: - // just in case - $uid = $userDN; - break; - } + default: + // just in case + $uid = $userDN; + break; + } - if ($uid !== false) { - if (isset($this->cachedGroupsByMember[$uid])) { - $groups = array_merge($groups, $this->cachedGroupsByMember[$uid]); - } else { + if ($uid !== false) { $groupsByMember = array_values($this->getGroupsByMember($uid)); $groupsByMember = $this->access->nextcloudGroupNames($groupsByMember); - $this->cachedGroupsByMember[$uid] = $groupsByMember; $groups = array_merge($groups, $groupsByMember); } } @@ -807,25 +788,38 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $groups[] = $gidGroupName; } - $groups = array_unique($groups, SORT_LOCALE_STRING); + if (empty($groups) && !$this->isUserOnLDAP($ncUid)) { + // Groups are enabled, but you user has none? Potentially suspicious: + // it could be that the user was deleted from LDAP, but we are not + // aware of it yet. + $groups = $this->getCachedGroupsForUserId($ncUid); + $this->access->connection->writeToCache($cacheKey, $groups); + return $groups; + } + + $groups = array_values(array_unique($groups, SORT_LOCALE_STRING)); $this->access->connection->writeToCache($cacheKey, $groups); + $groupStr = \json_encode($groups); + $this->config->setUserValue($ncUid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), $groupStr); + return $groups; } /** + * @return array[] * @throws ServerNotAvailableException */ - private function getGroupsByMember(string $dn, array &$seen = null): array { - if ($seen === null) { - $seen = []; - } - if (array_key_exists($dn, $seen)) { - // avoid loops + private function getGroupsByMember(string $dn, array &$seen = []): array { + if (isset($seen[$dn])) { return []; } - $allGroups = []; $seen[$dn] = true; + + if (isset($this->cachedGroupsByMember[$dn])) { + return $this->cachedGroupsByMember[$dn]; + } + $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn; if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') { @@ -838,24 +832,24 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $filter = $this->access->combineFilterWithAnd([$filter, $this->access->connection->ldapGroupFilter]); } + $allGroups = []; $groups = $this->access->fetchListOfGroups($filter, [strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']); - if (is_array($groups)) { - $fetcher = function ($dn, &$seen) { - if (is_array($dn) && isset($dn['dn'][0])) { - $dn = $dn['dn'][0]; - } - return $this->getGroupsByMember($dn, $seen); - }; - if (empty($dn)) { - $dn = ""; + if ($nesting === 1) { + while ($record = array_shift($groups)) { + // Note: this has no effect when ldapGroupMemberAssocAttr is uid based + $nestedParents = $this->getGroupsByMember($record['dn'][0], $seen); + $groups = array_merge($groups, $nestedParents); + $allGroups[] = $record; } - - $allGroups = $this->walkNestedGroups($dn, $fetcher, $groups); + } else { + $allGroups = $groups; } + $visibleGroups = $this->filterValidGroups($allGroups); - return array_intersect_key($allGroups, $visibleGroups); + $this->cachedGroupsByMember[$dn] = $visibleGroups; + return $visibleGroups; } /** @@ -865,7 +859,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * @param string $search * @param int $limit * @param int $offset - * @return array with user ids + * @return array<int,string> user ids * @throws Exception * @throws ServerNotAvailableException */ @@ -897,7 +891,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $groupDN = $this->access->groupname2dn($gid); if (!$groupDN) { - // group couldn't be found, return empty resultset + // group couldn't be found, return empty result-set $this->access->connection->writeToCache($cacheKey, []); return []; } @@ -934,7 +928,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I if (empty($ldap_users)) { break; } - $groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]); + $uid = $this->access->dn2username($ldap_users[0]['dn'][0]); + if (!$uid) { + break; + } + $groupUsers[] = $uid; break; default: //we got DNs, check if we need to filter by search or we can give back all of them @@ -1021,9 +1019,9 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I return $groupUsers; } $search = $this->access->escapeFilterPart($search, true); - $isMemberUid = - ($this->ldapGroupMemberAssocAttr === 'memberuid' || - $this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress'); + $isMemberUid + = ($this->ldapGroupMemberAssocAttr === 'memberuid' + || $this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress'); //we need to apply the search filter //alternatives that need to be checked: @@ -1125,35 +1123,50 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * @throws ServerNotAvailableException */ public function groupExists($gid) { - $groupExists = $this->access->connection->getFromCache('groupExists' . $gid); - if (!is_null($groupExists)) { - return (bool)$groupExists; + return $this->groupExistsOnLDAP($gid, false); + } + + /** + * Check if a group exists + * + * @throws ServerNotAvailableException + */ + public function groupExistsOnLDAP(string $gid, bool $ignoreCache = false): bool { + $cacheKey = 'groupExists' . $gid; + if (!$ignoreCache) { + $groupExists = $this->access->connection->getFromCache($cacheKey); + if (!is_null($groupExists)) { + return (bool)$groupExists; + } } //getting dn, if false the group does not exist. If dn, it may be mapped //only, requires more checking. $dn = $this->access->groupname2dn($gid); if (!$dn) { - $this->access->connection->writeToCache('groupExists' . $gid, false); + $this->access->connection->writeToCache($cacheKey, false); return false; } if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) { - $this->access->connection->writeToCache('groupExists' . $gid, false); + $this->access->connection->writeToCache($cacheKey, false); return false; } //if group really still exists, we will be able to read its objectClass if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) { - $this->access->connection->writeToCache('groupExists' . $gid, false); + $this->access->connection->writeToCache($cacheKey, false); return false; } - $this->access->connection->writeToCache('groupExists' . $gid, true); + $this->access->connection->writeToCache($cacheKey, true); return true; } /** + * @template T + * @param array<array-key, T> $listOfGroups + * @return array<array-key, T> * @throws ServerNotAvailableException * @throws Exception */ @@ -1161,7 +1174,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $validGroupDNs = []; foreach ($listOfGroups as $key => $item) { $dn = is_string($item) ? $item : $item['dn'][0]; - $gid = $this->access->dn2groupname($dn); + if (is_array($item) && !isset($item[$this->access->connection->ldapGroupDisplayName][0])) { + continue; + } + $name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null; + $gid = $this->access->dn2groupname($dn, $name, false); if (!$gid) { continue; } @@ -1181,9 +1198,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * Returns the supported actions as int to be * compared with GroupInterface::CREATE_GROUP etc. */ - public function implementsActions($actions) { - return (bool)((GroupInterface::COUNT_USERS | - $this->groupPluginManager->getImplementedActions()) & $actions); + public function implementsActions($actions): bool { + return (bool)((GroupInterface::COUNT_USERS + | GroupInterface::DELETE_GROUP + | GroupInterface::IS_ADMIN + | $this->groupPluginManager->getImplementedActions()) & $actions); } /** @@ -1228,19 +1247,32 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * delete a group * * @param string $gid gid of the group to delete - * @return bool * @throws Exception */ - public function deleteGroup($gid) { - if ($this->groupPluginManager->implementsActions(GroupInterface::DELETE_GROUP)) { + public function deleteGroup(string $gid): bool { + if ($this->groupPluginManager->canDeleteGroup()) { if ($ret = $this->groupPluginManager->deleteGroup($gid)) { - #delete group in nextcloud internal db + // Delete group in nextcloud internal db $this->access->getGroupMapper()->unmap($gid); - $this->access->connection->writeToCache("groupExists" . $gid, false); + $this->access->connection->writeToCache('groupExists' . $gid, false); } return $ret; } - throw new Exception('Could not delete group in LDAP backend.'); + + // Getting dn, if false the group is not mapped + $dn = $this->access->groupname2dn($gid); + if (!$dn) { + throw new Exception('Could not delete unknown group ' . $gid . ' in LDAP backend.'); + } + + if (!$this->groupExists($gid)) { + // The group does not exist in the LDAP, remove the mapping + $this->access->getGroupMapper()->unmap($gid); + $this->access->connection->writeToCache('groupExists' . $gid, false); + return true; + } + + throw new Exception('Could not delete existing group ' . $gid . ' in LDAP backend.'); } /** @@ -1301,10 +1333,10 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * of the current access. * * @param string $gid - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws ServerNotAvailableException */ - public function getNewLDAPConnection($gid) { + public function getNewLDAPConnection($gid): \LDAP\Connection { $connection = clone $this->access->getConnection(); return $connection->getConnectionResource(); } @@ -1326,12 +1358,65 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $this->access->groupname2dn($gid), $this->access->connection->ldapGroupDisplayName); - if ($displayName && (count($displayName) > 0)) { + if (($displayName !== false) && (count($displayName) > 0)) { $displayName = $displayName[0]; - $this->access->connection->writeToCache($cacheKey, $displayName); - return $displayName; + } else { + $displayName = ''; + } + + $this->access->connection->writeToCache($cacheKey, $displayName); + return $displayName; + } + + /** + * returns the groupname for the given LDAP DN, if available + */ + public function dn2GroupName(string $dn): string|false { + return $this->access->dn2groupname($dn); + } + + public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void { + $dnGroup = $this->access->groupname2dn($gid); + $dnUser ??= $this->access->username2dn($uid); + if ($dnUser === false || $dnGroup === false) { + return; + } + if (isset($this->cachedGroupMembers[$gid])) { + $this->cachedGroupMembers[$gid] = array_merge($this->cachedGroupMembers[$gid], [$dnUser]); + } + unset($this->cachedGroupsByMember[$dnUser]); + unset($this->cachedNestedGroups[$gid]); + $cacheKey = 'inGroup' . $uid . ':' . $gid; + $this->access->connection->writeToCache($cacheKey, true); + $cacheKeyMembers = 'inGroup-members:' . $gid; + if (!is_null($data = $this->access->connection->getFromCache($cacheKeyMembers))) { + $this->access->connection->writeToCache($cacheKeyMembers, array_merge($data, [$dnUser])); + } + $cacheKey = '_groupMembers' . $dnGroup; + if (!is_null($data = $this->access->connection->getFromCache($cacheKey))) { + $this->access->connection->writeToCache($cacheKey, array_merge($data, [$dnUser])); + } + $cacheKey = 'getUserGroups' . $uid; + if (!is_null($data = $this->access->connection->getFromCache($cacheKey))) { + $this->access->connection->writeToCache($cacheKey, array_merge($data, [$gid])); } + // These cache keys cannot be easily updated: + // $cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset; + // $cacheKey = 'usersInGroup-' . $gid . '-' . $search; + // $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search; + } - return ''; + /** + * @throws ServerNotAvailableException + */ + public function isAdmin(string $uid): bool { + if (!$this->enabled) { + return false; + } + $ldapAdminGroup = $this->access->connection->ldapAdminGroup; + if ($ldapAdminGroup === '') { + return false; + } + return $this->inGroup($uid, $ldapAdminGroup); } } diff --git a/apps/user_ldap/lib/Group_Proxy.php b/apps/user_ldap/lib/Group_Proxy.php index 490eab44462..f0cdc7a465d 100644 --- a/apps/user_ldap/lib/Group_Proxy.php +++ b/apps/user_ldap/lib/Group_Proxy.php @@ -1,49 +1,41 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christopher Schäpers <kondou@ts.unde.re> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; +use OC\ServerNotAvailableException; +use OCP\Group\Backend\IBatchMethodsBackend; +use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\IGroupDetailsBackend; +use OCP\Group\Backend\IIsAdminBackend; +use OCP\Group\Backend\INamedBackend; +use OCP\GroupInterface; +use OCP\IConfig; +use OCP\IUserManager; -class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend { - private $backends = []; - private $refBackend = null; - - public function __construct(Helper $helper, ILDAPWrapper $ldap, GroupPluginManager $groupPluginManager) { - parent::__construct($ldap); - $serverConfigPrefixes = $helper->getServerConfigurationPrefixes(true); - foreach ($serverConfigPrefixes as $configPrefix) { - $this->backends[$configPrefix] = - new \OCA\User_LDAP\Group_LDAP($this->getAccess($configPrefix), $groupPluginManager); - if (is_null($this->refBackend)) { - $this->refBackend = &$this->backends[$configPrefix]; - } - } +/** + * @template-extends Proxy<Group_LDAP> + */ +class Group_Proxy extends Proxy implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend { + public function __construct( + private Helper $helper, + ILDAPWrapper $ldap, + AccessFactory $accessFactory, + private GroupPluginManager $groupPluginManager, + private IConfig $config, + private IUserManager $ncUserManager, + ) { + parent::__construct($helper, $ldap, $accessFactory); + } + + + protected function newInstance(string $configPrefix): Group_LDAP { + return new Group_LDAP($this->getAccess($configPrefix), $this->groupPluginManager, $this->config, $this->ncUserManager); } /** @@ -55,6 +47,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * @return mixed the result of the method or false */ protected function walkBackends($id, $method, $parameters) { + $this->setup(); + $gid = $id; $cacheKey = $this->getGroupCacheKey($gid); foreach ($this->backends as $configPrefix => $backend) { @@ -78,6 +72,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * @return mixed the result of the method or false */ protected function callOnLastSeenOn($id, $method, $parameters, $passOnWhen) { + $this->setup(); + $gid = $id; $cacheKey = $this->getGroupCacheKey($gid); $prefix = $this->getFromCache($cacheKey); @@ -103,6 +99,7 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet } protected function activeBackends(): int { + $this->setup(); return count($this->backends); } @@ -123,32 +120,32 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * Get all groups a user belongs to * * @param string $uid Name of the user - * @return string[] with group names + * @return list<string> with group names * * This function fetches all groups a user belongs to. It does not check * if the user exists at all. */ public function getUserGroups($uid) { - $groups = []; + $this->setup(); + $groups = []; foreach ($this->backends as $backend) { $backendGroups = $backend->getUserGroups($uid); - if (is_array($backendGroups)) { - $groups = array_merge($groups, $backendGroups); - } + $groups = array_merge($groups, $backendGroups); } - return $groups; + return array_values(array_unique($groups)); } /** * get a list of all users in a group * - * @return string[] with user ids + * @return array<int,string> user ids */ public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) { - $users = []; + $this->setup(); + $users = []; foreach ($this->backends as $backend) { $backendUsers = $backend->usersInGroup($gid, $search, $limit, $offset); if (is_array($backendUsers)) { @@ -170,11 +167,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet /** * delete a group - * - * @param string $gid gid of the group to delete - * @return bool */ - public function deleteGroup($gid) { + public function deleteGroup(string $gid): bool { return $this->handleRequest( $gid, 'deleteGroup', [$gid]); } @@ -231,6 +225,21 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet } /** + * {@inheritdoc} + */ + public function getGroupsDetails(array $gids): array { + if (!($this instanceof IGroupDetailsBackend || $this->implementsActions(GroupInterface::GROUP_DETAILS))) { + throw new \Exception('Should not have been called'); + } + + $groupData = []; + foreach ($gids as $gid) { + $groupData[$gid] = $this->handleRequest($gid, 'getGroupDetails', [$gid]); + } + return $groupData; + } + + /** * get a list of all groups * * @return string[] with group names @@ -238,8 +247,9 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * Returns a list with all groups */ public function getGroups($search = '', $limit = -1, $offset = 0) { - $groups = []; + $this->setup(); + $groups = []; foreach ($this->backends as $backend) { $backendGroups = $backend->getGroups($search, $limit, $offset); if (is_array($backendGroups)) { @@ -261,6 +271,33 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet } /** + * Check if a group exists + * + * @throws ServerNotAvailableException + */ + public function groupExistsOnLDAP(string $gid, bool $ignoreCache = false): bool { + return $this->handleRequest($gid, 'groupExistsOnLDAP', [$gid, $ignoreCache]); + } + + /** + * returns the groupname for the given LDAP DN, if available + */ + public function dn2GroupName(string $dn): string|false { + $id = 'DN,' . $dn; + return $this->handleRequest($id, 'dn2GroupName', [$dn]); + } + + /** + * {@inheritdoc} + */ + public function groupsExists(array $gids): array { + return array_values(array_filter( + $gids, + fn (string $gid): bool => $this->handleRequest($gid, 'groupExists', [$gid]), + )); + } + + /** * Check if backend implements actions * * @param int $actions bitwise-or'ed actions @@ -270,6 +307,7 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * compared with \OCP\GroupInterface::CREATE_GROUP etc. */ public function implementsActions($actions) { + $this->setup(); //it's the same across all our user backends obviously return $this->refBackend->implementsActions($actions); } @@ -289,13 +327,34 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * The connection needs to be closed manually. * * @param string $gid - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection */ - public function getNewLDAPConnection($gid) { + public function getNewLDAPConnection($gid): \LDAP\Connection { return $this->handleRequest($gid, 'getNewLDAPConnection', [$gid]); } public function getDisplayName(string $gid): string { return $this->handleRequest($gid, 'getDisplayName', [$gid]); } + + /** + * Backend name to be shown in group management + * @return string the name of the backend to be shown + * @since 22.0.0 + */ + public function getBackendName(): string { + return 'LDAP'; + } + + public function searchInGroup(string $gid, string $search = '', int $limit = -1, int $offset = 0): array { + return $this->handleRequest($gid, 'searchInGroup', [$gid, $search, $limit, $offset]); + } + + public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void { + $this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]); + } + + public function isAdmin(string $uid): bool { + return $this->handleRequest($uid, 'isAdmin', [$uid]); + } } diff --git a/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php b/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php index 483dade8566..8b63d54aa66 100644 --- a/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php +++ b/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2019 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Julius Härtl <jus@bitgrid.net> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Handler; use OCA\Files_External\Config\IConfigHandler; @@ -63,7 +44,7 @@ class ExtStorageConfigHandler extends UserContext implements IConfigHandler { } $ldapUser = $access->userManager->get($user->getUID()); - $extHome = $ldapUser->getExtStorageHome(); + $extHome = $ldapUser !== null ? $ldapUser->getExtStorageHome() : ''; return $this->processInput($optionValue, $extHome); } diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php index f079345d23e..d3abf04fd1e 100644 --- a/apps/user_ldap/lib/Helper.php +++ b/apps/user_ldap/lib/Helper.php @@ -1,55 +1,26 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author root <root@localhost.localdomain> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; -use OC\Cache\CappedMemoryCache; +use OCP\Cache\CappedMemoryCache; use OCP\DB\QueryBuilder\IQueryBuilder; -use OCP\IConfig; +use OCP\IAppConfig; use OCP\IDBConnection; +use OCP\Server; class Helper { + /** @var CappedMemoryCache<string> */ + protected CappedMemoryCache $sanitizeDnCache; - /** @var IConfig */ - private $config; - - /** @var IDBConnection */ - private $connection; - - /** @var CappedMemoryCache */ - protected $sanitizeDnCache; - - public function __construct(IConfig $config, - IDBConnection $connection) { - $this->config = $config; - $this->connection = $connection; + public function __construct( + private IAppConfig $appConfig, + private IDBConnection $connection, + ) { $this->sanitizeDnCache = new CappedMemoryCache(10000); } @@ -57,7 +28,7 @@ class Helper { * returns prefixes for each saved LDAP/AD server configuration. * * @param bool $activeConfigurations optional, whether only active configuration shall be - * retrieved, defaults to false + * retrieved, defaults to false * @return array with a list of the available prefixes * * Configuration prefixes are used to set up configurations for n LDAP or @@ -74,21 +45,37 @@ class Helper { * except the default (first) server shall be connected to. * */ - public function getServerConfigurationPrefixes($activeConfigurations = false): array { + public function getServerConfigurationPrefixes(bool $activeConfigurations = false): array { + $all = $this->getAllServerConfigurationPrefixes(); + if (!$activeConfigurations) { + return $all; + } + return array_values(array_filter( + $all, + fn (string $prefix): bool => ($this->appConfig->getValueString('user_ldap', $prefix . 'ldap_configuration_active') === '1') + )); + } + + protected function getAllServerConfigurationPrefixes(): array { + $unfilled = ['UNFILLED']; + $prefixes = $this->appConfig->getValueArray('user_ldap', 'configuration_prefixes', $unfilled); + if ($prefixes !== $unfilled) { + return $prefixes; + } + + /* Fallback to browsing key for migration from Nextcloud<32 */ $referenceConfigkey = 'ldap_configuration_active'; $keys = $this->getServersConfig($referenceConfigkey); $prefixes = []; foreach ($keys as $key) { - if ($activeConfigurations && $this->config->getAppValue('user_ldap', $key, '0') !== '1') { - continue; - } - $len = strlen($key) - strlen($referenceConfigkey); $prefixes[] = substr($key, 0, $len); } - asort($prefixes); + sort($prefixes); + + $this->appConfig->setValueArray('user_ldap', 'configuration_prefixes', $prefixes); return $prefixes; } @@ -97,46 +84,45 @@ class Helper { * * determines the host for every configured connection * - * @return array an array with configprefix as keys + * @return array<string,string> an array with configprefix as keys * */ - public function getServerConfigurationHosts() { - $referenceConfigkey = 'ldap_host'; - - $keys = $this->getServersConfig($referenceConfigkey); + public function getServerConfigurationHosts(): array { + $prefixes = $this->getServerConfigurationPrefixes(); + $referenceConfigkey = 'ldap_host'; $result = []; - foreach ($keys as $key) { - $len = strlen($key) - strlen($referenceConfigkey); - $prefix = substr($key, 0, $len); - $result[$prefix] = $this->config->getAppValue('user_ldap', $key); + foreach ($prefixes as $prefix) { + $result[$prefix] = $this->appConfig->getValueString('user_ldap', $prefix . $referenceConfigkey); } return $result; } /** - * return the next available configuration prefix - * - * @return string + * return the next available configuration prefix and register it as used */ - public function getNextServerConfigurationPrefix() { - $serverConnections = $this->getServerConfigurationPrefixes(); - - if (count($serverConnections) === 0) { - return 's01'; + public function getNextServerConfigurationPrefix(): string { + $prefixes = $this->getServerConfigurationPrefixes(); + + if (count($prefixes) === 0) { + $prefix = 's01'; + } else { + sort($prefixes); + $lastKey = array_pop($prefixes); + $lastNumber = (int)str_replace('s', '', $lastKey); + $prefix = 's' . str_pad((string)($lastNumber + 1), 2, '0', STR_PAD_LEFT); } - sort($serverConnections); - $lastKey = array_pop($serverConnections); - $lastNumber = (int)str_replace('s', '', $lastKey); - return 's' . str_pad($lastNumber + 1, 2, '0', STR_PAD_LEFT); + $prefixes[] = $prefix; + $this->appConfig->setValueArray('user_ldap', 'configuration_prefixes', $prefixes); + return $prefix; } - private function getServersConfig($value) { + private function getServersConfig(string $value): array { $regex = '/' . $value . '$/S'; - $keys = $this->config->getAppKeys('user_ldap'); + $keys = $this->appConfig->getKeys('user_ldap'); $result = []; foreach ($keys as $key) { if (preg_match($regex, $key) === 1) { @@ -154,7 +140,9 @@ class Helper { * @return bool true on success, false otherwise */ public function deleteServerConfiguration($prefix) { - if (!in_array($prefix, self::getServerConfigurationPrefixes())) { + $prefixes = $this->getServerConfigurationPrefixes(); + $index = array_search($prefix, $prefixes); + if ($index === false) { return false; } @@ -173,7 +161,11 @@ class Helper { $query->andWhere($query->expr()->notLike('configkey', $query->createNamedParameter('s%'))); } - $deletedRows = $query->execute(); + $deletedRows = $query->executeStatement(); + + unset($prefixes[$index]); + $this->appConfig->setValueArray('user_ldap', 'configuration_prefixes', array_values($prefixes)); + return $deletedRows !== 0; } @@ -181,10 +173,13 @@ class Helper { * checks whether there is one or more disabled LDAP configurations */ public function haveDisabledConfigurations(): bool { - $all = $this->getServerConfigurationPrefixes(false); - $active = $this->getServerConfigurationPrefixes(true); - - return count($all) !== count($active) || count($all) === 0; + $all = $this->getServerConfigurationPrefixes(); + foreach ($all as $prefix) { + if ($this->appConfig->getValueString('user_ldap', $prefix . 'ldap_configuration_active') !== '1') { + return true; + } + } + return false; } /** @@ -212,7 +207,22 @@ class Helper { /** * sanitizes a DN received from the LDAP server * - * @param array $dn the DN in question + * This is used and done to have a stable format of DNs that can be compared + * and identified again. The input DN value is modified as following: + * + * 1) whitespaces after commas are removed + * 2) the DN is turned to lower-case + * 3) the DN is escaped according to RFC 2253 + * + * When a future DN is supposed to be used as a base parameter, it has to be + * run through DNasBaseParameter() first, to recode \5c into a backslash + * again, otherwise the search or read operation will fail with LDAP error + * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash + * being escaped, however. + * + * Internally, DNs are stored in their sanitized form. + * + * @param array|string $dn the DN in question * @return array|string the sanitized DN */ public function sanitizeDN($dn) { @@ -276,15 +286,15 @@ class Helper { * listens to a hook thrown by server2server sharing and replaces the given * login name by a username, if it matches an LDAP user. * - * @param array $param + * @param array $param contains a reference to a $uid var under 'uid' key * @throws \Exception */ - public static function loginName2UserName($param) { + public static function loginName2UserName($param): void { if (!isset($param['uid'])) { throw new \Exception('key uid is expected to be set in $param'); } - $userBackend = \OC::$server->get(User_Proxy::class); + $userBackend = Server::get(User_Proxy::class); $uid = $userBackend->loginName2UserName($param['uid']); if ($uid !== false) { $param['uid'] = $uid; diff --git a/apps/user_ldap/lib/IGroupLDAP.php b/apps/user_ldap/lib/IGroupLDAP.php index c84b899f5c0..667eb421004 100644 --- a/apps/user_ldap/lib/IGroupLDAP.php +++ b/apps/user_ldap/lib/IGroupLDAP.php @@ -1,26 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2017, EITA Cooperative (eita.org.br) - * - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; interface IGroupLDAP { @@ -37,7 +20,7 @@ interface IGroupLDAP { /** * Return a new LDAP connection for the specified group. * @param string $gid - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection */ public function getNewLDAPConnection($gid); } diff --git a/apps/user_ldap/lib/ILDAPGroupPlugin.php b/apps/user_ldap/lib/ILDAPGroupPlugin.php index 3c9baeab65c..261b9383dc1 100644 --- a/apps/user_ldap/lib/ILDAPGroupPlugin.php +++ b/apps/user_ldap/lib/ILDAPGroupPlugin.php @@ -1,26 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; interface ILDAPGroupPlugin { diff --git a/apps/user_ldap/lib/ILDAPUserPlugin.php b/apps/user_ldap/lib/ILDAPUserPlugin.php index e4858d0688f..80437bef452 100644 --- a/apps/user_ldap/lib/ILDAPUserPlugin.php +++ b/apps/user_ldap/lib/ILDAPUserPlugin.php @@ -1,31 +1,12 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; interface ILDAPUserPlugin { - /** * Check if plugin implements actions * @return int @@ -78,7 +59,7 @@ interface ILDAPUserPlugin { public function setDisplayName($uid, $displayName); /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot */ @@ -86,7 +67,7 @@ interface ILDAPUserPlugin { /** * Count the number of users - * @return int|bool + * @return int|false */ public function countUsers(); } diff --git a/apps/user_ldap/lib/ILDAPWrapper.php b/apps/user_ldap/lib/ILDAPWrapper.php index fd63193116a..de2b9c50241 100644 --- a/apps/user_ldap/lib/ILDAPWrapper.php +++ b/apps/user_ldap/lib/ILDAPWrapper.php @@ -1,42 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roger Szabo <roger.szabo@web.de> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; interface ILDAPWrapper { - //LDAP functions in use /** * Bind to LDAP directory - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $dn an RDN to log in with * @param string $password the password * @return bool true on success, false otherwise @@ -49,25 +25,15 @@ interface ILDAPWrapper { * connect to an LDAP server * @param string $host The host to connect to * @param string $port The port to connect to - * @return mixed a link resource on success, otherwise false + * @return \LDAP\Connection|false a link resource on success, otherwise false */ public function connect($host, $port); /** - * Send LDAP pagination control - * @param resource $link LDAP link resource - * @param int $pageSize number of results per page - * @param bool $isCritical Indicates whether the pagination is critical of not. - * @param string $cookie structure sent by LDAP server - * @return bool true on success, false otherwise - */ - public function controlPagedResult($link, $pageSize, $isCritical); - - /** * Retrieve the LDAP pagination cookie - * @param resource $link LDAP link resource - * @param resource $result LDAP result resource - * @param string $cookie structure sent by LDAP server + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource + * @param string &$cookie structure sent by LDAP server * @return bool true on success, false otherwise * * Corresponds to ldap_control_paged_result_response @@ -76,22 +42,22 @@ interface ILDAPWrapper { /** * Count the number of entries in a search - * @param resource $link LDAP link resource - * @param resource $result LDAP result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource * @return int|false number of results on success, false otherwise */ public function countEntries($link, $result); /** * Return the LDAP error number of the last LDAP command - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return int error code */ public function errno($link); /** * Return the LDAP error message of the last LDAP command - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return string error message */ public function error($link); @@ -107,69 +73,69 @@ interface ILDAPWrapper { /** * Return first result id - * @param resource $link LDAP link resource - * @param resource $result LDAP result resource - * @return Resource an LDAP search result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource + * @return \LDAP\ResultEntry an LDAP entry resource * */ public function firstEntry($link, $result); /** * Get attributes from a search result entry - * @param resource $link LDAP link resource - * @param resource $result LDAP result resource - * @return array containing the results, false on error + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\ResultEntry $result LDAP result resource + * @return array|false containing the results, false on error * */ public function getAttributes($link, $result); /** * Get the DN of a result entry - * @param resource $link LDAP link resource - * @param resource $result LDAP result resource - * @return string containing the DN, false on error + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\ResultEntry $result LDAP result resource + * @return string|false containing the DN, false on error */ public function getDN($link, $result); /** * Get all result entries - * @param resource $link LDAP link resource - * @param resource $result LDAP result resource - * @return array containing the results, false on error + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource + * @return array|false containing the results, false on error */ public function getEntries($link, $result); /** * Return next result id - * @param resource $link LDAP link resource - * @param resource $result LDAP entry result resource - * @return resource an LDAP search result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\ResultEntry $result LDAP result resource + * @return \LDAP\ResultEntry an LDAP entry resource * */ public function nextEntry($link, $result); /** * Read an entry - * @param resource $link LDAP link resource - * @param array $baseDN The DN of the entry to read from + * @param \LDAP\Connection $link LDAP link resource + * @param string $baseDN The DN of the entry to read from * @param string $filter An LDAP filter * @param array $attr array of the attributes to read - * @return resource an LDAP search result resource + * @return \LDAP\Result an LDAP search result resource */ public function read($link, $baseDN, $filter, $attr); /** * Search LDAP tree - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $baseDN The DN of the entry to read from * @param string $filter An LDAP filter * @param array $attr array of the attributes to read * @param int $attrsOnly optional, 1 if only attribute types shall be returned * @param int $limit optional, limits the result entries - * @return resource|false an LDAP search result resource, false on error + * @return \LDAP\Result|false an LDAP search result resource, false on error */ - public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit = 0); + public function search($link, string $baseDN, string $filter, array $attr, int $attrsOnly = 0, int $limit = 0, int $pageSize = 0, string $cookie = ''); /** * Replace the value of a userPassword by $password - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $userDN the DN of the user whose password is to be replaced * @param string $password the new value for the userPassword * @return bool true on success, false otherwise @@ -177,24 +143,31 @@ interface ILDAPWrapper { public function modReplace($link, $userDN, $password); /** + * Performs a PASSWD extended operation. + * @param \LDAP\Connection $link LDAP link resource + * @return bool|string The generated password if new_password is empty or omitted. Otherwise true on success and false on failure. + */ + public function exopPasswd($link, string $userDN, string $oldPassword, string $password); + + /** * Sets the value of the specified option to be $value - * @param resource $link LDAP link resource - * @param string $option a defined LDAP Server option - * @param int $value the new value for the option + * @param \LDAP\Connection $link LDAP link resource + * @param int $option a defined LDAP Server option + * @param mixed $value the new value for the option * @return bool true on success, false otherwise */ public function setOption($link, $option, $value); /** * establish Start TLS - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return bool true on success, false otherwise */ public function startTls($link); /** * Unbind from LDAP directory - * @param resource $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return bool true on success, false otherwise */ public function unbind($link); @@ -209,8 +182,9 @@ interface ILDAPWrapper { /** * Checks whether the submitted parameter is a resource - * @param resource $resource the resource variable to check - * @return bool true if it is a resource, false otherwise + * @param mixed $resource the resource variable to check + * @psalm-assert-if-true object $resource + * @return bool true if it is a resource or LDAP object, false otherwise */ public function isResource($resource); } diff --git a/apps/user_ldap/lib/IUserLDAP.php b/apps/user_ldap/lib/IUserLDAP.php index 73ab720cf98..5e8e29c3adf 100644 --- a/apps/user_ldap/lib/IUserLDAP.php +++ b/apps/user_ldap/lib/IUserLDAP.php @@ -1,44 +1,26 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; interface IUserLDAP { //Functions used by LDAPProvider - + /** * Return access for LDAP interaction. * @param string $uid * @return Access instance of Access for LDAP interaction */ public function getLDAPAccess($uid); - + /** * Return a new LDAP connection for the specified user. * @param string $uid - * @return resource of the LDAP connection + * @return \LDAP\Connection of the LDAP connection */ public function getNewLDAPConnection($uid); diff --git a/apps/user_ldap/lib/Jobs/CleanUp.php b/apps/user_ldap/lib/Jobs/CleanUp.php index 19973119eaf..76277b43c0b 100644 --- a/apps/user_ldap/lib/Jobs/CleanUp.php +++ b/apps/user_ldap/lib/Jobs/CleanUp.php @@ -1,37 +1,21 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Jobs; -use OC\BackgroundJob\TimedJob; use OCA\User_LDAP\Helper; use OCA\User_LDAP\Mapping\UserMapping; use OCA\User_LDAP\User\DeletedUsersIndex; -use OCA\User_LDAP\User_LDAP; use OCA\User_LDAP\User_Proxy; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\BackgroundJob\TimedJob; +use OCP\IConfig; +use OCP\IDBConnection; +use OCP\Server; /** * Class CleanUp @@ -41,19 +25,16 @@ use OCA\User_LDAP\User_Proxy; * @package OCA\User_LDAP\Jobs; */ class CleanUp extends TimedJob { - /** @var int $limit amount of users that should be checked per run */ + /** @var ?int $limit amount of users that should be checked per run */ protected $limit; /** @var int $defaultIntervalMin default interval in minutes */ - protected $defaultIntervalMin = 51; - - /** @var User_LDAP|User_Proxy $userBackend */ - protected $userBackend; + protected $defaultIntervalMin = 60; - /** @var \OCP\IConfig $ocConfig */ + /** @var IConfig $ocConfig */ protected $ocConfig; - /** @var \OCP\IDBConnection $db */ + /** @var IDBConnection $db */ protected $db; /** @var Helper $ldapHelper */ @@ -62,22 +43,22 @@ class CleanUp extends TimedJob { /** @var UserMapping */ protected $mapping; - /** @var DeletedUsersIndex */ - protected $dui; - - public function __construct(User_Proxy $userBackend, DeletedUsersIndex $dui) { - $minutes = \OC::$server->getConfig()->getSystemValue( + public function __construct( + ITimeFactory $timeFactory, + protected User_Proxy $userBackend, + protected DeletedUsersIndex $dui, + ) { + parent::__construct($timeFactory); + $minutes = Server::get(IConfig::class)->getSystemValue( 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin); $this->setInterval((int)$minutes * 60); - $this->userBackend = $userBackend; - $this->dui = $dui; } /** * assigns the instances passed to run() to the class properties * @param array $arguments */ - public function setArguments($arguments) { + public function setArguments($arguments): void { //Dependency Injection is not possible, because the constructor will //only get values that are serialized to JSON. I.e. whatever we would //pass in app.php we do add here, except something else is passed e.g. @@ -86,13 +67,13 @@ class CleanUp extends TimedJob { if (isset($arguments['helper'])) { $this->ldapHelper = $arguments['helper']; } else { - $this->ldapHelper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $this->ldapHelper = Server::get(Helper::class); } if (isset($arguments['ocConfig'])) { $this->ocConfig = $arguments['ocConfig']; } else { - $this->ocConfig = \OC::$server->getConfig(); + $this->ocConfig = Server::get(IConfig::class); } if (isset($arguments['userBackend'])) { @@ -102,13 +83,13 @@ class CleanUp extends TimedJob { if (isset($arguments['db'])) { $this->db = $arguments['db']; } else { - $this->db = \OC::$server->getDatabaseConnection(); + $this->db = Server::get(IDBConnection::class); } if (isset($arguments['mapping'])) { $this->mapping = $arguments['mapping']; } else { - $this->mapping = new UserMapping($this->db); + $this->mapping = Server::get(UserMapping::class); } if (isset($arguments['deletedUsersIndex'])) { @@ -120,19 +101,13 @@ class CleanUp extends TimedJob { * makes the background job do its work * @param array $argument */ - public function run($argument) { + public function run($argument): void { $this->setArguments($argument); if (!$this->isCleanUpAllowed()) { return; } $users = $this->mapping->getList($this->getOffset(), $this->getChunkSize()); - if (!is_array($users)) { - //something wrong? Let's start from the beginning next time and - //abort - $this->setOffset(true); - return; - } $resetOffset = $this->isOffsetResetNecessary(count($users)); $this->checkUsers($users); $this->setOffset($resetOffset); @@ -140,18 +115,15 @@ class CleanUp extends TimedJob { /** * checks whether next run should start at 0 again - * @param int $resultCount - * @return bool */ - public function isOffsetResetNecessary($resultCount) { + public function isOffsetResetNecessary(int $resultCount): bool { return $resultCount < $this->getChunkSize(); } /** * checks whether cleaning up LDAP users is allowed - * @return bool */ - public function isCleanUpAllowed() { + public function isCleanUpAllowed(): bool { try { if ($this->ldapHelper->haveDisabledConfigurations()) { return false; @@ -165,9 +137,8 @@ class CleanUp extends TimedJob { /** * checks whether clean up is enabled by configuration - * @return bool */ - private function isCleanUpEnabled() { + private function isCleanUpEnabled(): bool { return (bool)$this->ocConfig->getSystemValue( 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin); } @@ -176,7 +147,7 @@ class CleanUp extends TimedJob { * checks users whether they are still existing * @param array $users result from getMappedUsers() */ - private function checkUsers(array $users) { + private function checkUsers(array $users): void { foreach ($users as $user) { $this->checkUser($user); } @@ -186,7 +157,7 @@ class CleanUp extends TimedJob { * checks whether a user is still existing in LDAP * @param string[] $user */ - private function checkUser(array $user) { + private function checkUser(array $user): void { if ($this->userBackend->userExistsOnLDAP($user['name'])) { //still available, all good @@ -198,29 +169,27 @@ class CleanUp extends TimedJob { /** * gets the offset to fetch users from the mappings table - * @return int */ - private function getOffset() { - return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0); + private function getOffset(): int { + return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', '0'); } /** * sets the new offset for the next run * @param bool $reset whether the offset should be set to 0 */ - public function setOffset($reset = false) { - $newOffset = $reset ? 0 : - $this->getOffset() + $this->getChunkSize(); - $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset); + public function setOffset(bool $reset = false): void { + $newOffset = $reset ? 0 + : $this->getOffset() + $this->getChunkSize(); + $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', (string)$newOffset); } /** * returns the chunk size (limit in DB speak) - * @return int */ - public function getChunkSize() { + public function getChunkSize(): int { if ($this->limit === null) { - $this->limit = (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobChunkSize', 50); + $this->limit = (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobChunkSize', '50'); } return $this->limit; } diff --git a/apps/user_ldap/lib/Jobs/Sync.php b/apps/user_ldap/lib/Jobs/Sync.php index fed8910b2e5..26888ae96ae 100644 --- a/apps/user_ldap/lib/Jobs/Sync.php +++ b/apps/user_ldap/lib/Jobs/Sync.php @@ -1,31 +1,12 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Jobs; -use OC\BackgroundJob\TimedJob; use OC\ServerNotAvailableException; use OCA\User_LDAP\AccessFactory; use OCA\User_LDAP\Configuration; @@ -33,54 +14,51 @@ use OCA\User_LDAP\ConnectionFactory; use OCA\User_LDAP\Helper; use OCA\User_LDAP\LDAP; use OCA\User_LDAP\Mapping\UserMapping; -use OCA\User_LDAP\User\Manager; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\BackgroundJob\TimedJob; +use OCP\EventDispatcher\IEventDispatcher; use OCP\IAvatarManager; use OCP\IConfig; use OCP\IDBConnection; use OCP\IUserManager; use OCP\Notification\IManager; +use Psr\Log\LoggerInterface; class Sync extends TimedJob { public const MAX_INTERVAL = 12 * 60 * 60; // 12h public const MIN_INTERVAL = 30 * 60; // 30min - /** @var Helper */ - protected $ldapHelper; - /** @var LDAP */ - protected $ldap; - /** @var Manager */ - protected $userManager; - /** @var UserMapping */ - protected $mapper; - /** @var IConfig */ - protected $config; - /** @var IAvatarManager */ - protected $avatarManager; - /** @var IDBConnection */ - protected $dbc; - /** @var IUserManager */ - protected $ncUserManager; - /** @var IManager */ - protected $notificationManager; - /** @var ConnectionFactory */ - protected $connectionFactory; - /** @var AccessFactory */ - protected $accessFactory; - public function __construct(Manager $userManager) { - $this->userManager = $userManager; + protected LDAP $ldap; + + public function __construct( + ITimeFactory $timeFactory, + private IEventDispatcher $dispatcher, + private IConfig $config, + private IDBConnection $dbc, + private IAvatarManager $avatarManager, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IManager $notificationManager, + private UserMapping $mapper, + private Helper $ldapHelper, + private ConnectionFactory $connectionFactory, + private AccessFactory $accessFactory, + ) { + parent::__construct($timeFactory); $this->setInterval( - \OC::$server->getConfig()->getAppValue( + (int)$this->config->getAppValue( 'user_ldap', 'background_sync_interval', - self::MIN_INTERVAL + (string)self::MIN_INTERVAL ) ); + $this->ldap = new LDAP($this->config->getSystemValueString('ldap_log_file')); } /** - * updates the interval + * Updates the interval * - * the idea is to adjust the interval depending on the amount of known users + * The idea is to adjust the interval depending on the amount of known users * and the attempt to update each user one day. At most it would run every * 30 minutes, and at least every 12 hours. */ @@ -93,17 +71,16 @@ class Sync extends TimedJob { $interval = floor(24 * 60 * 60 / $runsPerDay); $interval = min(max($interval, self::MIN_INTERVAL), self::MAX_INTERVAL); - $this->config->setAppValue('user_ldap', 'background_sync_interval', $interval); + $this->config->setAppValue('user_ldap', 'background_sync_interval', (string)$interval); } /** * returns the smallest configured paging size - * @return int */ - protected function getMinPagingSize() { + protected function getMinPagingSize(): int { $configKeys = $this->config->getAppKeys('user_ldap'); $configKeys = array_filter($configKeys, function ($key) { - return strpos($key, 'ldap_paging_size') !== false; + return str_contains($key, 'ldap_paging_size'); }); $minPagingSize = null; foreach ($configKeys as $configKey) { @@ -117,10 +94,8 @@ class Sync extends TimedJob { * @param array $argument */ public function run($argument) { - $this->setArgument($argument); - $isBackgroundJobModeAjax = $this->config - ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; + ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; if ($isBackgroundJobModeAjax) { return; } @@ -153,10 +128,10 @@ class Sync extends TimedJob { } /** - * @param array $cycleData + * @param array{offset: int, prefix: string} $cycleData * @return bool whether more results are expected from the same configuration */ - public function runCycle($cycleData) { + public function runCycle(array $cycleData): bool { $connection = $this->connectionFactory->get($cycleData['prefix']); $access = $this->accessFactory->get($connection); $access->setUserMapper($this->mapper); @@ -169,7 +144,7 @@ class Sync extends TimedJob { $results = $access->fetchListOfUsers( $filter, $access->userManager->getAttributes(), - $connection->ldapPagingSize, + (int)$connection->ldapPagingSize, $cycleData['offset'], true ); @@ -181,24 +156,22 @@ class Sync extends TimedJob { } /** - * returns the info about the current cycle that should be run, if any, + * Returns the info about the current cycle that should be run, if any, * otherwise null - * - * @return array|null */ - public function getCycle() { + public function getCycle(): ?array { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(true); if (count($prefixes) === 0) { return null; } $cycleData = [ - 'prefix' => $this->config->getAppValue('user_ldap', 'background_sync_prefix', null), - 'offset' => (int)$this->config->getAppValue('user_ldap', 'background_sync_offset', 0), + 'prefix' => $this->config->getAppValue('user_ldap', 'background_sync_prefix', 'none'), + 'offset' => (int)$this->config->getAppValue('user_ldap', 'background_sync_offset', '0'), ]; if ( - $cycleData['prefix'] !== null + $cycleData['prefix'] !== 'none' && in_array($cycleData['prefix'], $prefixes) ) { return $cycleData; @@ -210,21 +183,21 @@ class Sync extends TimedJob { /** * Save the provided cycle information in the DB * - * @param array $cycleData + * @param array{prefix: ?string, offset: int} $cycleData */ - public function setCycle(array $cycleData) { + public function setCycle(array $cycleData): void { $this->config->setAppValue('user_ldap', 'background_sync_prefix', $cycleData['prefix']); - $this->config->setAppValue('user_ldap', 'background_sync_offset', $cycleData['offset']); + $this->config->setAppValue('user_ldap', 'background_sync_offset', (string)$cycleData['offset']); } /** * returns data about the next cycle that should run, if any, otherwise * null. It also always goes for the next LDAP configuration! * - * @param array|null $cycleData the old cycle - * @return array|null + * @param ?array{prefix: string, offset: int} $cycleData the old cycle + * @return ?array{prefix: string, offset: int} */ - public function determineNextCycle(array $cycleData = null) { + public function determineNextCycle(?array $cycleData = null): ?array { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(true); if (count($prefixes) === 0) { return null; @@ -244,14 +217,13 @@ class Sync extends TimedJob { } /** - * Checks whether the provided cycle should be run. Currently only the + * Checks whether the provided cycle should be run. Currently, only the * last configuration change goes into account (at least one hour). * - * @param $cycleData - * @return bool + * @param array{prefix: string} $cycleData */ - public function qualifiesToRun($cycleData) { - $lastChange = $this->config->getAppValue('user_ldap', $cycleData['prefix'] . '_lastChange', 0); + public function qualifiesToRun(array $cycleData): bool { + $lastChange = (int)$this->config->getAppValue('user_ldap', $cycleData['prefix'] . '_lastChange', '0'); if ((time() - $lastChange) > 60 * 30) { return true; } @@ -259,23 +231,20 @@ class Sync extends TimedJob { } /** - * increases the offset of the current cycle for the next run + * Increases the offset of the current cycle for the next run * - * @param $cycleData + * @param array{prefix: string, offset: int} $cycleData */ - protected function increaseOffset($cycleData) { + protected function increaseOffset(array $cycleData): void { $ldapConfig = new Configuration($cycleData['prefix']); $cycleData['offset'] += (int)$ldapConfig->ldapPagingSize; $this->setCycle($cycleData); } /** - * determines the next configuration prefix based on the last one (if any) - * - * @param string|null $lastPrefix - * @return string|null + * Determines the next configuration prefix based on the last one (if any) */ - protected function getNextPrefix($lastPrefix) { + protected function getNextPrefix(?string $lastPrefix): ?string { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(true); $noOfPrefixes = count($prefixes); if ($noOfPrefixes === 0) { @@ -295,79 +264,9 @@ class Sync extends TimedJob { } /** - * "fixes" DI - * - * @param array $argument + * Only used in tests */ - public function setArgument($argument) { - if (isset($argument['config'])) { - $this->config = $argument['config']; - } else { - $this->config = \OC::$server->getConfig(); - } - - if (isset($argument['helper'])) { - $this->ldapHelper = $argument['helper']; - } else { - $this->ldapHelper = new Helper($this->config, \OC::$server->getDatabaseConnection()); - } - - if (isset($argument['ldapWrapper'])) { - $this->ldap = $argument['ldapWrapper']; - } else { - $this->ldap = new LDAP(); - } - - if (isset($argument['avatarManager'])) { - $this->avatarManager = $argument['avatarManager']; - } else { - $this->avatarManager = \OC::$server->getAvatarManager(); - } - - if (isset($argument['dbc'])) { - $this->dbc = $argument['dbc']; - } else { - $this->dbc = \OC::$server->getDatabaseConnection(); - } - - if (isset($argument['ncUserManager'])) { - $this->ncUserManager = $argument['ncUserManager']; - } else { - $this->ncUserManager = \OC::$server->getUserManager(); - } - - if (isset($argument['notificationManager'])) { - $this->notificationManager = $argument['notificationManager']; - } else { - $this->notificationManager = \OC::$server->getNotificationManager(); - } - - if (isset($argument['userManager'])) { - $this->userManager = $argument['userManager']; - } - - if (isset($argument['mapper'])) { - $this->mapper = $argument['mapper']; - } else { - $this->mapper = new UserMapping($this->dbc); - } - - if (isset($argument['connectionFactory'])) { - $this->connectionFactory = $argument['connectionFactory']; - } else { - $this->connectionFactory = new ConnectionFactory($this->ldap); - } - - if (isset($argument['accessFactory'])) { - $this->accessFactory = $argument['accessFactory']; - } else { - $this->accessFactory = new AccessFactory( - $this->ldap, - $this->userManager, - $this->ldapHelper, - $this->config, - $this->ncUserManager - ); - } + public function overwritePropertiesForTest(LDAP $ldapWrapper): void { + $this->ldap = $ldapWrapper; } } diff --git a/apps/user_ldap/lib/Jobs/UpdateGroups.php b/apps/user_ldap/lib/Jobs/UpdateGroups.php index 6a57540e7b7..9e72bcd8432 100644 --- a/apps/user_ldap/lib/Jobs/UpdateGroups.php +++ b/apps/user_ldap/lib/Jobs/UpdateGroups.php @@ -1,244 +1,38 @@ <?php + +declare(strict_types=1); + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Jobs; -use OC\BackgroundJob\TimedJob; -use OCA\User_LDAP\Group_Proxy; -use OCP\EventDispatcher\IEventDispatcher; -use OCP\Group\Events\UserAddedEvent; -use OCP\Group\Events\UserRemovedEvent; -use OCP\IDBConnection; -use OCP\IGroupManager; -use OCP\ILogger; -use OCP\IUser; -use OCP\IUserManager; +use OCA\User_LDAP\Service\UpdateGroupsService; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\BackgroundJob\TimedJob; +use OCP\DB\Exception; +use OCP\IConfig; use Psr\Log\LoggerInterface; class UpdateGroups extends TimedJob { - private $groupsFromDB; - - /** @var Group_Proxy */ - private $groupBackend; - /** @var IEventDispatcher */ - private $dispatcher; - /** @var IGroupManager */ - private $groupManager; - /** @var IUserManager */ - private $userManager; - /** @var LoggerInterface */ - private $logger; - /** @var IDBConnection */ - private $dbc; - public function __construct( - Group_Proxy $groupBackend, - IEventDispatcher $dispatcher, - IGroupManager $groupManager, - IUserManager $userManager, - LoggerInterface $logger, - IDBConnection $dbc + private UpdateGroupsService $service, + private LoggerInterface $logger, + IConfig $config, + ITimeFactory $timeFactory, ) { - $this->interval = $this->getRefreshInterval(); - $this->groupBackend = $groupBackend; - $this->dispatcher = $dispatcher; - $this->groupManager = $groupManager; - $this->userManager = $userManager; - $this->logger = $logger; - $this->dbc = $dbc; - } - - /** - * @return int - */ - private function getRefreshInterval() { - //defaults to every hour - return \OC::$server->getConfig()->getAppValue('user_ldap', 'bgjRefreshInterval', 3600); + parent::__construct($timeFactory); + $this->interval = (int)$config->getAppValue('user_ldap', 'bgjRefreshInterval', '3600'); } /** * @param mixed $argument + * @throws Exception */ - public function run($argument) { - $this->updateGroups(); - } - - public function updateGroups() { - \OCP\Util::writeLog('user_ldap', 'Run background job "updateGroups"', ILogger::DEBUG); - - $knownGroups = array_keys($this->getKnownGroups()); - $actualGroups = $this->groupBackend->getGroups(); - - if (empty($actualGroups) && empty($knownGroups)) { - \OCP\Util::writeLog('user_ldap', - 'bgJ "updateGroups" – groups do not seem to be configured properly, aborting.', - ILogger::INFO); - return; - } - - $this->handleKnownGroups(array_intersect($actualGroups, $knownGroups)); - $this->handleCreatedGroups(array_diff($actualGroups, $knownGroups)); - $this->handleRemovedGroups(array_diff($knownGroups, $actualGroups)); - - \OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" – Finished.', ILogger::DEBUG); - } - - /** - * @return array - */ - private function getKnownGroups() { - if (is_array($this->groupsFromDB)) { - $this->groupsFromDB; - } - $qb = $this->dbc->getQueryBuilder(); - $qb->select(['owncloudname', 'owncloudusers']) - ->from('ldap_group_members'); - - $qResult = $qb->execute(); - $result = $qResult->fetchAll(); - $qResult->closeCursor(); - - $this->groupsFromDB = []; - foreach ($result as $dataset) { - $this->groupsFromDB[$dataset['owncloudname']] = $dataset; - } - - return $this->groupsFromDB; - } - - private function handleKnownGroups(array $groups) { - $this->logger->debug( - 'bgJ "updateGroups" – Dealing with known Groups.', - ['app' => 'user_ldap'] - ); - $qb = $this->dbc->getQueryBuilder(); - $qb->update('ldap_group_members') - ->set('owncloudusers', $qb->createParameter('members')) - ->where($qb->expr()->eq('owncloudname', $qb->createParameter('groupId'))); - - if (!is_array($this->groupsFromDB)) { - $this->getKnownGroups(); - } - foreach ($groups as $group) { - $knownUsers = unserialize($this->groupsFromDB[$group]['owncloudusers']); - $actualUsers = $this->groupBackend->usersInGroup($group); - $hasChanged = false; - - $groupObject = $this->groupManager->get($group); - foreach (array_diff($knownUsers, $actualUsers) as $removedUser) { - $userObject = $this->userManager->get($removedUser); - if ($userObject instanceof IUser) { - $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); - } - $this->logger->info( - 'bgJ "updateGroups" – {user} removed from {group}', - [ - 'app' => 'user_ldap', - 'user' => $removedUser, - 'group' => $group - ] - ); - $hasChanged = true; - } - foreach (array_diff($actualUsers, $knownUsers) as $addedUser) { - $userObject = $this->userManager->get($addedUser); - if ($userObject instanceof IUser) { - $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); - } - $this->logger->info( - 'bgJ "updateGroups" – {user} added to {group}', - [ - 'app' => 'user_ldap', - 'user' => $addedUser, - 'group' => $group - ] - ); - $hasChanged = true; - } - if ($hasChanged) { - $qb->setParameters([ - 'members' => serialize($actualUsers), - 'groupId' => $group - ]); - $qb->execute(); - } - } - $this->logger->debug( - 'bgJ "updateGroups" – FINISHED dealing with known Groups.', - ['app' => 'user_ldap'] - ); - } - - /** - * @param string[] $createdGroups - */ - private function handleCreatedGroups($createdGroups) { - \OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" – dealing with created Groups.', ILogger::DEBUG); - - $query = $this->dbc->getQueryBuilder(); - $query->insert('ldap_group_members') - ->setValue('owncloudname', $query->createParameter('owncloudname')) - ->setValue('owncloudusers', $query->createParameter('owncloudusers')); - foreach ($createdGroups as $createdGroup) { - \OCP\Util::writeLog('user_ldap', - 'bgJ "updateGroups" – new group "' . $createdGroup . '" found.', - ILogger::INFO); - $users = serialize($this->groupBackend->usersInGroup($createdGroup)); - - $query->setParameter('owncloudname', $createdGroup) - ->setParameter('owncloudusers', $users); - $query->execute(); - } - \OCP\Util::writeLog('user_ldap', - 'bgJ "updateGroups" – FINISHED dealing with created Groups.', - ILogger::DEBUG); - } - - /** - * @param string[] $removedGroups - */ - private function handleRemovedGroups($removedGroups) { - \OCP\Util::writeLog('user_ldap', 'bgJ "updateGroups" – dealing with removed groups.', ILogger::DEBUG); - - $query = $this->dbc->getQueryBuilder(); - $query->delete('ldap_group_members') - ->where($query->expr()->eq('owncloudname', $query->createParameter('owncloudname'))); - - foreach ($removedGroups as $removedGroup) { - \OCP\Util::writeLog('user_ldap', - 'bgJ "updateGroups" – group "' . $removedGroup . '" was removed.', - ILogger::INFO); - $query->setParameter('owncloudname', $removedGroup); - $query->execute(); - } - \OCP\Util::writeLog('user_ldap', - 'bgJ "updateGroups" – FINISHED dealing with removed groups.', - ILogger::DEBUG); + public function run($argument): void { + $this->logger->debug('Run background job "updateGroups"'); + $this->service->updateGroups(); } } diff --git a/apps/user_ldap/lib/LDAP.php b/apps/user_ldap/lib/LDAP.php index bd1b7b01e4f..1cf20c4b939 100644 --- a/apps/user_ldap/lib/LDAP.php +++ b/apps/user_ldap/lib/LDAP.php @@ -1,144 +1,111 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Peter Kubica <peter@kubica.ch> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; use OC\ServerNotAvailableException; +use OCA\User_LDAP\DataCollector\LdapDataCollector; use OCA\User_LDAP\Exceptions\ConstraintViolationException; -use OCA\User_LDAP\PagedResults\IAdapter; -use OCA\User_LDAP\PagedResults\Php54; -use OCA\User_LDAP\PagedResults\Php73; +use OCP\IConfig; +use OCP\ILogger; +use OCP\Profiler\IProfiler; +use OCP\Server; +use Psr\Log\LoggerInterface; class LDAP implements ILDAPWrapper { - protected $curFunc = ''; - protected $curArgs = []; - - /** @var IAdapter */ - protected $pagedResultsAdapter; - - public function __construct() { - if (version_compare(PHP_VERSION, '7.3', '<') === true) { - $this->pagedResultsAdapter = new Php54(); - } else { - $this->pagedResultsAdapter = new Php73(); + protected array $curArgs = []; + protected LoggerInterface $logger; + protected IConfig $config; + + private ?LdapDataCollector $dataCollector = null; + + public function __construct( + protected string $logFile = '', + ) { + /** @var IProfiler $profiler */ + $profiler = Server::get(IProfiler::class); + if ($profiler->isEnabled()) { + $this->dataCollector = new LdapDataCollector(); + $profiler->add($this->dataCollector); } + + $this->logger = Server::get(LoggerInterface::class); + $this->config = Server::get(IConfig::class); } /** - * @param resource $link - * @param string $dn - * @param string $password - * @return bool|mixed + * {@inheritDoc} */ public function bind($link, $dn, $password) { return $this->invokeLDAPMethod('bind', $link, $dn, $password); } /** - * @param string $host - * @param string $port - * @return mixed + * {@inheritDoc} */ public function connect($host, $port) { - if (strpos($host, '://') === false) { + $pos = strpos($host, '://'); + if ($pos === false) { $host = 'ldap://' . $host; + $pos = 4; } - if (strpos($host, ':', strpos($host, '://') + 1) === false) { + if (strpos($host, ':', $pos + 1) === false && !empty($port)) { //ldap_connect ignores port parameter when URLs are passed $host .= ':' . $port; } return $this->invokeLDAPMethod('connect', $host); } - public function controlPagedResultResponse($link, $result, &$cookie): bool { - $this->preFunctionCall( - $this->pagedResultsAdapter->getResponseCallFunc(), - $this->pagedResultsAdapter->getResponseCallArgs([$link, $result, &$cookie]) - ); - - $result = $this->pagedResultsAdapter->responseCall($link); - $cookie = $this->pagedResultsAdapter->getCookie($link); - - if ($this->isResultFalse($result)) { - $this->postFunctionCall(); - } - - return $result; - } - /** - * @param LDAP $link - * @param int $pageSize - * @param bool $isCritical - * @return mixed|true + * {@inheritDoc} */ - public function controlPagedResult($link, $pageSize, $isCritical) { - $fn = $this->pagedResultsAdapter->getRequestCallFunc(); - $this->pagedResultsAdapter->setRequestParameters($link, $pageSize, $isCritical); - if ($fn === null) { - return true; + public function controlPagedResultResponse($link, $result, &$cookie): bool { + $errorCode = 0; + $errorMsg = ''; + $controls = []; + $matchedDn = null; + $referrals = []; + + /** Cannot use invokeLDAPMethod because arguments are passed by reference */ + $this->preFunctionCall('ldap_parse_result', [$link, $result]); + $success = ldap_parse_result($link, $result, + $errorCode, + $matchedDn, + $errorMsg, + $referrals, + $controls); + if ($errorCode !== 0) { + $this->processLDAPError($link, 'ldap_parse_result', $errorCode, $errorMsg); } - - $this->preFunctionCall($fn, $this->pagedResultsAdapter->getRequestCallArgs($link)); - $result = $this->pagedResultsAdapter->requestCall($link); - - if ($this->isResultFalse($result)) { - $this->postFunctionCall(); + if ($this->dataCollector !== null) { + $this->dataCollector->stopLastLdapRequest(); } - return $result; + $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? ''; + + return $success; } /** - * @param LDAP $link - * @param LDAP $result - * @return mixed + * {@inheritDoc} */ public function countEntries($link, $result) { return $this->invokeLDAPMethod('count_entries', $link, $result); } /** - * @param LDAP $link - * @return integer + * {@inheritDoc} */ public function errno($link) { return $this->invokeLDAPMethod('errno', $link); } /** - * @param LDAP $link - * @return string + * {@inheritDoc} */ public function error($link) { return $this->invokeLDAPMethod('error', $link); @@ -147,7 +114,7 @@ class LDAP implements ILDAPWrapper { /** * Splits DN into its component parts * @param string $dn - * @param int @withAttrib + * @param int $withAttrib * @return array|false * @link https://www.php.net/manual/en/function.ldap-explode-dn.php */ @@ -156,83 +123,74 @@ class LDAP implements ILDAPWrapper { } /** - * @param LDAP $link - * @param LDAP $result - * @return mixed + * {@inheritDoc} */ public function firstEntry($link, $result) { return $this->invokeLDAPMethod('first_entry', $link, $result); } /** - * @param LDAP $link - * @param LDAP $result - * @return array|mixed + * {@inheritDoc} */ public function getAttributes($link, $result) { return $this->invokeLDAPMethod('get_attributes', $link, $result); } /** - * @param LDAP $link - * @param LDAP $result - * @return mixed|string + * {@inheritDoc} */ public function getDN($link, $result) { return $this->invokeLDAPMethod('get_dn', $link, $result); } /** - * @param LDAP $link - * @param LDAP $result - * @return array|mixed + * {@inheritDoc} */ public function getEntries($link, $result) { return $this->invokeLDAPMethod('get_entries', $link, $result); } /** - * @param LDAP $link - * @param resource $result - * @return mixed + * {@inheritDoc} */ public function nextEntry($link, $result) { return $this->invokeLDAPMethod('next_entry', $link, $result); } /** - * @param LDAP $link - * @param string $baseDN - * @param string $filter - * @param array $attr - * @return mixed + * {@inheritDoc} */ public function read($link, $baseDN, $filter, $attr) { - $this->pagedResultsAdapter->setReadArgs($link, $baseDN, $filter, $attr); - return $this->invokeLDAPMethod('read', ...$this->pagedResultsAdapter->getReadArgs($link)); + return $this->invokeLDAPMethod('read', $link, $baseDN, $filter, $attr, 0, -1); } /** - * @param LDAP $link - * @param string[] $baseDN - * @param string $filter - * @param array $attr - * @param int $attrsOnly - * @param int $limit - * @return mixed - * @throws \Exception + * {@inheritDoc} */ - public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit = 0) { + public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit = 0, int $pageSize = 0, string $cookie = '') { + if ($pageSize > 0 || $cookie !== '') { + $serverControls = [[ + 'oid' => LDAP_CONTROL_PAGEDRESULTS, + 'value' => [ + 'size' => $pageSize, + 'cookie' => $cookie, + ], + 'iscritical' => false, + ]]; + } else { + $serverControls = []; + } + + /** @psalm-suppress UndefinedVariable $oldHandler is defined when the closure is called but psalm fails to get that */ $oldHandler = set_error_handler(function ($no, $message, $file, $line) use (&$oldHandler) { - if (strpos($message, 'Partial search results returned: Sizelimit exceeded') !== false) { + if (str_contains($message, 'Partial search results returned: Sizelimit exceeded')) { return true; } $oldHandler($no, $message, $file, $line); return true; }); try { - $this->pagedResultsAdapter->setSearchArgs($link, $baseDN, $filter, $attr, $attrsOnly, $limit); - $result = $this->invokeLDAPMethod('search', ...$this->pagedResultsAdapter->getSearchArgs($link)); + $result = $this->invokeLDAPMethod('search', $link, $baseDN, $filter, $attr, $attrsOnly, $limit, -1, LDAP_DEREF_NEVER, $serverControls); restore_error_handler(); return $result; @@ -243,47 +201,35 @@ class LDAP implements ILDAPWrapper { } /** - * @param LDAP $link - * @param string $userDN - * @param string $password - * @return bool + * {@inheritDoc} */ public function modReplace($link, $userDN, $password) { return $this->invokeLDAPMethod('mod_replace', $link, $userDN, ['userPassword' => $password]); } /** - * @param LDAP $link - * @param string $userDN - * @param string $oldPassword - * @param string $password - * @return bool + * {@inheritDoc} */ - public function exopPasswd($link, $userDN, $oldPassword, $password) { + public function exopPasswd($link, string $userDN, string $oldPassword, string $password) { return $this->invokeLDAPMethod('exop_passwd', $link, $userDN, $oldPassword, $password); } /** - * @param LDAP $link - * @param string $option - * @param int $value - * @return bool|mixed + * {@inheritDoc} */ public function setOption($link, $option, $value) { return $this->invokeLDAPMethod('set_option', $link, $option, $value); } /** - * @param LDAP $link - * @return mixed|true + * {@inheritDoc} */ public function startTls($link) { return $this->invokeLDAPMethod('start_tls', $link); } /** - * @param resource $link - * @return bool|mixed + * {@inheritDoc} */ public function unbind($link) { return $this->invokeLDAPMethod('unbind', $link); @@ -298,12 +244,10 @@ class LDAP implements ILDAPWrapper { } /** - * Checks whether the submitted parameter is a resource - * @param Resource $resource the resource variable to check - * @return bool true if it is a resource, false otherwise + * {@inheritDoc} */ public function isResource($resource) { - return is_resource($resource); + return is_resource($resource) || is_object($resource); } /** @@ -312,15 +256,14 @@ class LDAP implements ILDAPWrapper { * When using ldap_search we provide an array, in case multiple bases are * configured. Thus, we need to check the array elements. * - * @param $result - * @return bool + * @param mixed $result */ - protected function isResultFalse($result) { + protected function isResultFalse(string $functionName, $result): bool { if ($result === false) { return true; } - if ($this->curFunc === 'ldap_search' && is_array($result)) { + if ($functionName === 'ldap_search' && is_array($result)) { foreach ($result as $singleResult) { if ($singleResult === false) { return true; @@ -332,16 +275,19 @@ class LDAP implements ILDAPWrapper { } /** + * @param array $arguments * @return mixed */ - protected function invokeLDAPMethod() { - $arguments = func_get_args(); - $func = 'ldap_' . array_shift($arguments); + protected function invokeLDAPMethod(string $func, ...$arguments) { + $func = 'ldap_' . $func; if (function_exists($func)) { $this->preFunctionCall($func, $arguments); $result = call_user_func_array($func, $arguments); - if ($this->isResultFalse($result)) { - $this->postFunctionCall(); + if ($this->isResultFalse($func, $result)) { + $this->postFunctionCall($func); + } + if ($this->dataCollector !== null) { + $this->dataCollector->stopLastLdapRequest(); } return $result; } @@ -349,30 +295,69 @@ class LDAP implements ILDAPWrapper { } /** - * @param string $functionName - * @param array $args + * Turn resources into string, and removes potentially problematic cookie string to avoid breaking logfiles */ - private function preFunctionCall($functionName, $args) { - $this->curFunc = $functionName; + private function sanitizeFunctionParameters(array $args): array { + return array_map(function ($item) { + if ($this->isResource($item)) { + return '(resource)'; + } + if (isset($item[0]['value']['cookie']) && $item[0]['value']['cookie'] !== '') { + $item[0]['value']['cookie'] = '*opaque cookie*'; + } + return $item; + }, $args); + } + + private function preFunctionCall(string $functionName, array $args): void { $this->curArgs = $args; + if (strcasecmp($functionName, 'ldap_bind') === 0 || strcasecmp($functionName, 'ldap_exop_passwd') === 0) { + // The arguments are not key value pairs + // \OCA\User_LDAP\LDAP::bind passes 3 arguments, the 3rd being the pw + // Remove it via direct array access for now, although a better solution could be found mebbe? + // @link https://github.com/nextcloud/server/issues/38461 + $args[2] = IConfig::SENSITIVE_VALUE; + } + + if ($this->config->getSystemValue('loglevel') === ILogger::DEBUG) { + /* Only running this if debug loglevel is on, to avoid processing parameters on production */ + $this->logger->debug('Calling LDAP function {func} with parameters {args}', [ + 'app' => 'user_ldap', + 'func' => $functionName, + 'args' => $this->sanitizeFunctionParameters($args), + ]); + } + + if ($this->dataCollector !== null) { + $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); + $this->dataCollector->startLdapRequest($functionName, $this->sanitizeFunctionParameters($args), $backtrace); + } + + if ($this->logFile !== '' && is_writable(dirname($this->logFile)) && (!file_exists($this->logFile) || is_writable($this->logFile))) { + file_put_contents( + $this->logFile, + $functionName . '::' . json_encode($this->sanitizeFunctionParameters($args)) . "\n", + FILE_APPEND + ); + } } /** * Analyzes the returned LDAP error and acts accordingly if not 0 * - * @param resource $resource the LDAP Connection resource + * @param \LDAP\Connection $resource the LDAP Connection resource * @throws ConstraintViolationException * @throws ServerNotAvailableException * @throws \Exception */ - private function processLDAPError($resource) { - $errorCode = ldap_errno($resource); - if ($errorCode === 0) { - return; - } - $errorMsg = ldap_error($resource); - - if ($this->curFunc === 'ldap_get_entries' + private function processLDAPError($resource, string $functionName, int $errorCode, string $errorMsg): void { + $this->logger->debug('LDAP error {message} ({code}) after calling {func}', [ + 'app' => 'user_ldap', + 'message' => $errorMsg, + 'code' => $errorCode, + 'func' => $functionName, + ]); + if ($functionName === 'ldap_get_entries' && $errorCode === -4) { } elseif ($errorCode === 32) { //for now @@ -387,27 +372,20 @@ class LDAP implements ILDAPWrapper { } elseif ($errorCode === 1) { throw new \Exception('LDAP Operations error', $errorCode); } elseif ($errorCode === 19) { - ldap_get_option($this->curArgs[0], LDAP_OPT_ERROR_STRING, $extended_error); - throw new ConstraintViolationException(!empty($extended_error)?$extended_error:$errorMsg, $errorCode); - } else { - \OC::$server->getLogger()->debug('LDAP error {message} ({code}) after calling {func}', [ - 'app' => 'user_ldap', - 'message' => $errorMsg, - 'code' => $errorCode, - 'func' => $this->curFunc, - ]); + ldap_get_option($resource, LDAP_OPT_ERROR_STRING, $extended_error); + throw new ConstraintViolationException(!empty($extended_error) ? $extended_error : $errorMsg, $errorCode); } } /** * Called after an ldap method is run to act on LDAP error if necessary - * @throw \Exception + * @throws \Exception */ - private function postFunctionCall() { + private function postFunctionCall(string $functionName): void { if ($this->isResource($this->curArgs[0])) { $resource = $this->curArgs[0]; } elseif ( - $this->curFunc === 'ldap_search' + $functionName === 'ldap_search' && is_array($this->curArgs[0]) && $this->isResource($this->curArgs[0][0]) ) { @@ -418,9 +396,14 @@ class LDAP implements ILDAPWrapper { return; } - $this->processLDAPError($resource); + $errorCode = ldap_errno($resource); + if ($errorCode === 0) { + return; + } + $errorMsg = ldap_error($resource); + + $this->processLDAPError($resource, $functionName, $errorCode, $errorMsg); - $this->curFunc = ''; $this->curArgs = []; } } diff --git a/apps/user_ldap/lib/LDAPProvider.php b/apps/user_ldap/lib/LDAPProvider.php index c63bca9724a..d9750ae3fcf 100644 --- a/apps/user_ldap/lib/LDAPProvider.php +++ b/apps/user_ldap/lib/LDAPProvider.php @@ -1,63 +1,43 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; use OCA\User_LDAP\User\DeletedUsersIndex; use OCP\IServerContainer; use OCP\LDAP\IDeletionFlagSupport; use OCP\LDAP\ILDAPProvider; +use Psr\Log\LoggerInterface; /** - * LDAP provider for pulic access to the LDAP backend. + * LDAP provider for public access to the LDAP backend. */ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { private $userBackend; private $groupBackend; private $logger; - private $helper; - private $deletedUsersIndex; /** * Create new LDAPProvider - * @param \OCP\IServerContainer $serverContainer + * @param IServerContainer $serverContainer * @param Helper $helper * @param DeletedUsersIndex $deletedUsersIndex * @throws \Exception if user_ldap app was not enabled */ - public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) { - $this->logger = $serverContainer->getLogger(); - $this->helper = $helper; - $this->deletedUsersIndex = $deletedUsersIndex; + public function __construct( + IServerContainer $serverContainer, + private Helper $helper, + private DeletedUsersIndex $deletedUsersIndex, + ) { + $this->logger = $serverContainer->get(LoggerInterface::class); $userBackendFound = false; $groupBackendFound = false; foreach ($serverContainer->getUserManager()->getBackends() as $backend) { - $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']); + $this->logger->debug('instance ' . get_class($backend) . ' user backend.', ['app' => 'user_ldap']); if ($backend instanceof IUserLDAP) { $this->userBackend = $backend; $userBackendFound = true; @@ -65,7 +45,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { } } foreach ($serverContainer->getGroupManager()->getBackends() as $backend) { - $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']); + $this->logger->debug('instance ' . get_class($backend) . ' group backend.', ['app' => 'user_ldap']); if ($backend instanceof IGroupLDAP) { $this->groupBackend = $backend; $groupBackendFound = true; @@ -138,8 +118,8 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { /** * Sanitize a DN received from the LDAP server. - * @param array $dn the DN in question - * @return array the sanitized DN + * @param array|string $dn the DN in question + * @return array|string the sanitized DN */ public function sanitizeDN($dn) { return $this->helper->sanitizeDN($dn); @@ -149,7 +129,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * Return a new LDAP connection resource for the specified user. * The connection must be closed manually. * @param string $uid user id - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws \Exception if user id was not found in LDAP */ public function getLDAPConnection($uid) { @@ -163,7 +143,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * Return a new LDAP connection resource for the specified user. * The connection must be closed manually. * @param string $gid group id - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws \Exception if group id was not found in LDAP */ public function getGroupLDAPConnection($gid) { @@ -309,32 +289,42 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { /** * Get an LDAP attribute for a nextcloud user - * @param string $uid the nextcloud user id to get the attribute for - * @param string $attribute the name of the attribute to read - * @return string|null + * * @throws \Exception if user id was not found in LDAP */ public function getUserAttribute(string $uid, string $attribute): ?string { + $values = $this->getMultiValueUserAttribute($uid, $attribute); + if (count($values) === 0) { + return null; + } + return current($values); + } + + /** + * Get a multi-value LDAP attribute for a nextcloud user + * + * @throws \Exception if user id was not found in LDAP + */ + public function getMultiValueUserAttribute(string $uid, string $attribute): array { if (!$this->userBackend->userExists($uid)) { throw new \Exception('User id not found in LDAP'); } + $access = $this->userBackend->getLDAPAccess($uid); $connection = $access->getConnection(); - $key = $uid . "::" . $attribute; - $cached = $connection->getFromCache($key); + $key = $uid . '-' . $attribute; - if ($cached !== null) { + $cached = $connection->getFromCache($key); + if (is_array($cached)) { return $cached; } - $value = $access->readAttribute($access->username2dn($uid), $attribute); - if (is_array($value) && count($value) > 0) { - $value = current($value); - } else { - return null; + $values = $access->readAttribute($access->username2dn($uid), $attribute); + if ($values === false) { + $values = []; } - $connection->writeToCache($key, $value); - return $value; + $connection->writeToCache($key, $values); + return $values; } } diff --git a/apps/user_ldap/lib/LDAPProviderFactory.php b/apps/user_ldap/lib/LDAPProviderFactory.php index a64425afad0..8fad9d52206 100644 --- a/apps/user_ldap/lib/LDAPProviderFactory.php +++ b/apps/user_ldap/lib/LDAPProviderFactory.php @@ -1,29 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; use OCP\IServerContainer; @@ -31,14 +12,17 @@ use OCP\LDAP\ILDAPProvider; use OCP\LDAP\ILDAPProviderFactory; class LDAPProviderFactory implements ILDAPProviderFactory { - /** * @var IServerContainer */ - private $serverContainer; - - public function __construct(IServerContainer $serverContainer) { - $this->serverContainer = $serverContainer; + public function __construct( + /** * @var IServerContainer */ + private IServerContainer $serverContainer, + ) { } public function getLDAPProvider(): ILDAPProvider { return $this->serverContainer->get(LDAPProvider::class); } + + public function isAvailable(): bool { + return true; + } } diff --git a/apps/user_ldap/lib/LDAPUtility.php b/apps/user_ldap/lib/LDAPUtility.php index 7fea8320739..39b517528e2 100644 --- a/apps/user_ldap/lib/LDAPUtility.php +++ b/apps/user_ldap/lib/LDAPUtility.php @@ -1,38 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; abstract class LDAPUtility { - protected $ldap; - /** * constructor, make sure the subclasses call this one! - * @param ILDAPWrapper $ldapWrapper an instance of an ILDAPWrapper + * @param ILDAPWrapper $ldap an instance of an ILDAPWrapper */ - public function __construct(ILDAPWrapper $ldapWrapper) { - $this->ldap = $ldapWrapper; + public function __construct( + protected ILDAPWrapper $ldap, + ) { } } diff --git a/apps/user_ldap/lib/LogWrapper.php b/apps/user_ldap/lib/LogWrapper.php deleted file mode 100644 index 6543fc34c7e..00000000000 --- a/apps/user_ldap/lib/LogWrapper.php +++ /dev/null @@ -1,40 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\User_LDAP; - -/** - * @brief wraps around static Nextcloud core methods - */ -class LogWrapper { - protected $app = 'user_ldap'; - - /** - * @brief states whether the filesystem was loaded - * @return bool - */ - public function log($msg, $level) { - \OCP\Util::writeLog($this->app, $msg, $level); - } -} diff --git a/apps/user_ldap/lib/LoginListener.php b/apps/user_ldap/lib/LoginListener.php new file mode 100644 index 00000000000..f397f4694d2 --- /dev/null +++ b/apps/user_ldap/lib/LoginListener.php @@ -0,0 +1,147 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP; + +use OCA\User_LDAP\Db\GroupMembership; +use OCA\User_LDAP\Db\GroupMembershipMapper; +use OCP\DB\Exception; +use OCP\EventDispatcher\Event; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\EventDispatcher\IEventListener; +use OCP\Group\Events\UserAddedEvent; +use OCP\Group\Events\UserRemovedEvent; +use OCP\IGroupManager; +use OCP\IUser; +use OCP\User\Events\PostLoginEvent; +use Psr\Log\LoggerInterface; + +/** + * @template-implements IEventListener<PostLoginEvent> + */ +class LoginListener implements IEventListener { + public function __construct( + private IEventDispatcher $dispatcher, + private Group_Proxy $groupBackend, + private IGroupManager $groupManager, + private LoggerInterface $logger, + private GroupMembershipMapper $groupMembershipMapper, + ) { + } + + public function handle(Event $event): void { + if ($event instanceof PostLoginEvent) { + $this->onPostLogin($event->getUser()); + } + } + + public function onPostLogin(IUser $user): void { + $this->logger->info( + self::class . ' - {user} postLogin', + [ + 'app' => 'user_ldap', + 'user' => $user->getUID(), + ] + ); + $this->updateGroups($user); + } + + private function updateGroups(IUser $userObject): void { + $userId = $userObject->getUID(); + $groupMemberships = $this->groupMembershipMapper->findGroupMembershipsForUser($userId); + $knownGroups = array_map( + static fn (GroupMembership $groupMembership): string => $groupMembership->getGroupid(), + $groupMemberships + ); + $groupMemberships = array_combine($knownGroups, $groupMemberships); + $actualGroups = $this->groupBackend->getUserGroups($userId); + + $newGroups = array_diff($actualGroups, $knownGroups); + $oldGroups = array_diff($knownGroups, $actualGroups); + foreach ($newGroups as $groupId) { + $groupObject = $this->groupManager->get($groupId); + if ($groupObject === null) { + $this->logger->error( + self::class . ' - group {group} could not be found (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId + ] + ); + continue; + } + try { + $this->groupMembershipMapper->insert(GroupMembership::fromParams(['groupid' => $groupId,'userid' => $userId])); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + $this->logger->error( + self::class . ' - group {group} membership failed to be added (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId, + 'exception' => $e, + ] + ); + } + /* We failed to insert the groupmembership so we do not want to advertise it */ + continue; + } + $this->groupBackend->addRelationshipToCaches($userId, null, $groupId); + $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); + $this->logger->info( + self::class . ' - {user} added to {group}', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId + ] + ); + } + foreach ($oldGroups as $groupId) { + try { + $this->groupMembershipMapper->delete($groupMemberships[$groupId]); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_DATABASE_OBJECT_NOT_FOUND) { + $this->logger->error( + self::class . ' - group {group} membership failed to be removed (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId, + 'exception' => $e, + ] + ); + } + /* We failed to delete the groupmembership so we do not want to advertise it */ + continue; + } + $groupObject = $this->groupManager->get($groupId); + if ($groupObject === null) { + $this->logger->error( + self::class . ' - group {group} could not be found (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId + ] + ); + continue; + } + $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); + $this->logger->info( + 'service "updateGroups" - {user} removed from {group}', + [ + 'user' => $userId, + 'group' => $groupId + ] + ); + } + } +} diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php index dcff88de008..fa10312a915 100644 --- a/apps/user_ldap/lib/Mapping/AbstractMapping.php +++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php @@ -1,36 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Aaron Wood <aaronjwood@gmail.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author blizzz <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Mapping; use Doctrine\DBAL\Exception; -use OC\DB\QueryBuilder\QueryBuilder; use OCP\DB\IPreparedStatement; use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; +use OCP\Server; +use Psr\Log\LoggerInterface; /** * Class AbstractMapping @@ -39,11 +21,6 @@ use OCP\DB\QueryBuilder\IQueryBuilder; */ abstract class AbstractMapping { /** - * @var \OCP\IDBConnection $dbc - */ - protected $dbc; - - /** * returns the DB table name which holds the mappings * * @return string @@ -51,10 +28,11 @@ abstract class AbstractMapping { abstract protected function getTableName(bool $includePrefix = true); /** - * @param \OCP\IDBConnection $dbc + * @param IDBConnection $dbc */ - public function __construct(\OCP\IDBConnection $dbc) { - $this->dbc = $dbc; + public function __construct( + protected IDBConnection $dbc, + ) { } /** @var array caches Names (value) by DN (key) */ @@ -69,6 +47,7 @@ abstract class AbstractMapping { public function isColNameValid($col) { switch ($col) { case 'ldap_dn': + case 'ldap_dn_hash': case 'owncloud_name': case 'directory_uuid': return true; @@ -152,11 +131,11 @@ abstract class AbstractMapping { $oldDn = $this->getDnByUUID($uuid); $statement = $this->dbc->prepare(' UPDATE `' . $this->getTableName() . '` - SET `ldap_dn` = ? + SET `ldap_dn_hash` = ?, `ldap_dn` = ? WHERE `directory_uuid` = ? '); - $r = $this->modify($statement, [$fdn, $uuid]); + $r = $this->modify($statement, [$this->getDNHash($fdn), $fdn, $uuid]); if ($r && is_string($oldDn) && isset($this->cache[$oldDn])) { $this->cache[$fdn] = $this->cache[$oldDn]; @@ -175,16 +154,23 @@ abstract class AbstractMapping { * @param $fdn * @return bool */ - public function setUUIDbyDN($uuid, $fdn) { + public function setUUIDbyDN($uuid, $fdn): bool { $statement = $this->dbc->prepare(' UPDATE `' . $this->getTableName() . '` SET `directory_uuid` = ? - WHERE `ldap_dn` = ? + WHERE `ldap_dn_hash` = ? '); unset($this->cache[$fdn]); - return $this->modify($statement, [$uuid, $fdn]); + return $this->modify($statement, [$uuid, $this->getDNHash($fdn)]); + } + + /** + * Get the hash to store in database column ldap_dn_hash for a given dn + */ + protected function getDNHash(string $fdn): string { + return hash('sha256', $fdn, false); } /** @@ -195,21 +181,24 @@ abstract class AbstractMapping { */ public function getNameByDN($fdn) { if (!isset($this->cache[$fdn])) { - $this->cache[$fdn] = $this->getXbyY('owncloud_name', 'ldap_dn', $fdn); + $this->cache[$fdn] = $this->getXbyY('owncloud_name', 'ldap_dn_hash', $this->getDNHash($fdn)); } return $this->cache[$fdn]; } - protected function prepareListOfIdsQuery(array $dnList): IQueryBuilder { + /** + * @param array<string> $hashList + */ + protected function prepareListOfIdsQuery(array $hashList): IQueryBuilder { $qb = $this->dbc->getQueryBuilder(); - $qb->select('owncloud_name', 'ldap_dn') + $qb->select('owncloud_name', 'ldap_dn_hash', 'ldap_dn') ->from($this->getTableName(false)) - ->where($qb->expr()->in('ldap_dn', $qb->createNamedParameter($dnList, QueryBuilder::PARAM_STR_ARRAY))); + ->where($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($hashList, IQueryBuilder::PARAM_STR_ARRAY))); return $qb; } protected function collectResultsFromListOfIdsQuery(IQueryBuilder $qb, array &$results): void { - $stmt = $qb->execute(); + $stmt = $qb->executeQuery(); while ($entry = $stmt->fetch(\Doctrine\DBAL\FetchMode::ASSOCIATIVE)) { $results[$entry['ldap_dn']] = $entry['owncloud_name']; $this->cache[$entry['ldap_dn']] = $entry['owncloud_name']; @@ -217,13 +206,18 @@ abstract class AbstractMapping { $stmt->closeCursor(); } + /** + * @param array<string> $fdns + * @return array<string,string> + */ public function getListOfIdsByDn(array $fdns): array { $totalDBParamLimit = 65000; $sliceSize = 1000; - $maxSlices = $totalDBParamLimit / $sliceSize; + $maxSlices = $this->dbc->getDatabaseProvider() === IDBConnection::PLATFORM_SQLITE ? 9 : $totalDBParamLimit / $sliceSize; $results = []; $slice = 1; + $fdns = array_map([$this, 'getDNHash'], $fdns); $fdnsSlice = count($fdns) > $sliceSize ? array_slice($fdns, 0, $sliceSize) : $fdns; $qb = $this->prepareListOfIdsQuery($fdnsSlice); @@ -241,7 +235,7 @@ abstract class AbstractMapping { } if (!empty($fdnsSlice)) { - $qb->orWhere($qb->expr()->in('ldap_dn', $qb->createNamedParameter($fdnsSlice, QueryBuilder::PARAM_STR_ARRAY))); + $qb->orWhere($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($fdnsSlice, IQueryBuilder::PARAM_STR_ARRAY))); } if ($slice % $maxSlices === 0) { @@ -260,12 +254,9 @@ abstract class AbstractMapping { /** * Searches mapped names by the giving string in the name column * - * @param string $search - * @param string $prefixMatch - * @param string $postfixMatch * @return string[] */ - public function getNamesBySearch($search, $prefixMatch = "", $postfixMatch = "") { + public function getNamesBySearch(string $search, string $prefixMatch = '', string $postfixMatch = ''): array { $statement = $this->dbc->prepare(' SELECT `owncloud_name` FROM `' . $this->getTableName() . '` @@ -306,29 +297,27 @@ abstract class AbstractMapping { * @throws \Exception */ public function getUUIDByDN($dn) { - return $this->getXbyY('directory_uuid', 'ldap_dn', $dn); + return $this->getXbyY('directory_uuid', 'ldap_dn_hash', $this->getDNHash($dn)); } - /** - * gets a piece of the mapping list - * - * @param int $offset - * @param int $limit - * @return array - */ - public function getList($offset = null, $limit = null) { - $query = $this->dbc->prepare(' - SELECT - `ldap_dn` AS `dn`, - `owncloud_name` AS `name`, - `directory_uuid` AS `uuid` - FROM `' . $this->getTableName() . '`', - $limit, - $offset - ); - - $query->execute(); - return $query->fetchAll(); + public function getList(int $offset = 0, ?int $limit = null, bool $invalidatedOnly = false): array { + $select = $this->dbc->getQueryBuilder(); + $select->selectAlias('ldap_dn', 'dn') + ->selectAlias('owncloud_name', 'name') + ->selectAlias('directory_uuid', 'uuid') + ->from($this->getTableName()) + ->setMaxResults($limit) + ->setFirstResult($offset); + + if ($invalidatedOnly) { + $select->where($select->expr()->like('directory_uuid', $select->createNamedParameter('invalidated_%'))); + } + + $result = $select->executeQuery(); + $entries = $result->fetchAll(); + $result->closeCursor(); + + return $entries; } /** @@ -340,9 +329,9 @@ abstract class AbstractMapping { * @return bool */ public function map($fdn, $name, $uuid) { - if (mb_strlen($fdn) > 255) { - \OC::$server->getLogger()->error( - 'Cannot map, because the DN exceeds 255 characters: {dn}', + if (mb_strlen($fdn) > 4000) { + Server::get(LoggerInterface::class)->error( + 'Cannot map, because the DN exceeds 4000 characters: {dn}', [ 'app' => 'user_ldap', 'dn' => $fdn, @@ -352,6 +341,7 @@ abstract class AbstractMapping { } $row = [ + 'ldap_dn_hash' => $this->getDNHash($fdn), 'ldap_dn' => $fdn, 'owncloud_name' => $name, 'directory_uuid' => $uuid @@ -380,6 +370,11 @@ abstract class AbstractMapping { DELETE FROM `' . $this->getTableName() . '` WHERE `owncloud_name` = ?'); + $dn = array_search($name, $this->cache); + if ($dn !== false) { + unset($this->cache[$dn]); + } + return $this->modify($statement, [$name]); } @@ -408,20 +403,20 @@ abstract class AbstractMapping { * @param callable $preCallback * @param callable $postCallback * @return bool true on success, false when at least one row was not - * deleted + * deleted */ public function clearCb(callable $preCallback, callable $postCallback): bool { $picker = $this->dbc->getQueryBuilder(); $picker->select('owncloud_name') ->from($this->getTableName()); - $cursor = $picker->execute(); + $cursor = $picker->executeQuery(); $result = true; - while ($id = $cursor->fetchOne()) { + while (($id = $cursor->fetchOne()) !== false) { $preCallback($id); if ($isUnmapped = $this->unmap($id)) { $postCallback($id); } - $result &= $isUnmapped; + $result = $result && $isUnmapped; } $cursor->closeCursor(); return $result; @@ -432,11 +427,22 @@ abstract class AbstractMapping { * * @return int */ - public function count() { - $qb = $this->dbc->getQueryBuilder(); - $query = $qb->select($qb->func()->count('ldap_dn')) + public function count(): int { + $query = $this->dbc->getQueryBuilder(); + $query->select($query->func()->count('ldap_dn_hash')) ->from($this->getTableName()); - $res = $query->execute(); + $res = $query->executeQuery(); + $count = $res->fetchOne(); + $res->closeCursor(); + return (int)$count; + } + + public function countInvalidated(): int { + $query = $this->dbc->getQueryBuilder(); + $query->select($query->func()->count('ldap_dn_hash')) + ->from($this->getTableName()) + ->where($query->expr()->like('directory_uuid', $query->createNamedParameter('invalidated_%'))); + $res = $query->executeQuery(); $count = $res->fetchOne(); $res->closeCursor(); return (int)$count; diff --git a/apps/user_ldap/lib/Mapping/GroupMapping.php b/apps/user_ldap/lib/Mapping/GroupMapping.php index 8bd872b905e..d9ae5e749fc 100644 --- a/apps/user_ldap/lib/Mapping/GroupMapping.php +++ b/apps/user_ldap/lib/Mapping/GroupMapping.php @@ -1,27 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Mapping; /** diff --git a/apps/user_ldap/lib/Mapping/UserMapping.php b/apps/user_ldap/lib/Mapping/UserMapping.php index 8220215b461..a030cd0ab52 100644 --- a/apps/user_ldap/lib/Mapping/UserMapping.php +++ b/apps/user_ldap/lib/Mapping/UserMapping.php @@ -1,35 +1,58 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\Mapping; +use OCP\HintException; +use OCP\IDBConnection; +use OCP\IRequest; +use OCP\Server; +use OCP\Support\Subscription\IAssertion; + /** * Class UserMapping + * * @package OCA\User_LDAP\Mapping */ class UserMapping extends AbstractMapping { + protected const PROV_API_REGEX = '/\/ocs\/v[1-9].php\/cloud\/(groups|users)/'; + + public function __construct( + IDBConnection $dbc, + private IAssertion $assertion, + ) { + parent::__construct($dbc); + } + + /** + * @throws HintException + */ + public function map($fdn, $name, $uuid): bool { + try { + $this->assertion->createUserIsLegit(); + } catch (HintException $e) { + static $isProvisioningApi = null; + + if ($isProvisioningApi === null) { + $request = Server::get(IRequest::class); + $isProvisioningApi = \preg_match(self::PROV_API_REGEX, $request->getRequestUri()) === 1; + } + if ($isProvisioningApi) { + // only throw when prov API is being used, since functionality + // should not break for end users (e.g. when sharing). + // On direct API usage, e.g. on users page, this is desired. + throw $e; + } + return false; + } + return parent::map($fdn, $name, $uuid); + } + /** * returns the DB table name which holds the mappings * @return string diff --git a/apps/user_ldap/lib/Migration/GroupMappingMigration.php b/apps/user_ldap/lib/Migration/GroupMappingMigration.php new file mode 100644 index 00000000000..7dfb8705770 --- /dev/null +++ b/apps/user_ldap/lib/Migration/GroupMappingMigration.php @@ -0,0 +1,50 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use OCP\IDBConnection; +use OCP\Migration\SimpleMigrationStep; + +abstract class GroupMappingMigration extends SimpleMigrationStep { + + public function __construct( + private IDBConnection $dbc, + ) { + } + + protected function copyGroupMappingData(string $sourceTable, string $destinationTable): void { + $insert = $this->dbc->getQueryBuilder(); + $insert->insert($destinationTable) + ->values([ + 'ldap_dn' => $insert->createParameter('ldap_dn'), + 'owncloud_name' => $insert->createParameter('owncloud_name'), + 'directory_uuid' => $insert->createParameter('directory_uuid'), + 'ldap_dn_hash' => $insert->createParameter('ldap_dn_hash'), + ]); + + $query = $this->dbc->getQueryBuilder(); + $query->select('*') + ->from($sourceTable); + + + $result = $query->executeQuery(); + while ($row = $result->fetch()) { + $insert + ->setParameter('ldap_dn', $row['ldap_dn']) + ->setParameter('owncloud_name', $row['owncloud_name']) + ->setParameter('directory_uuid', $row['directory_uuid']) + ->setParameter('ldap_dn_hash', $row['ldap_dn_hash']) + ; + + $insert->executeStatement(); + } + $result->closeCursor(); + } +} diff --git a/apps/user_ldap/lib/Migration/RemoveRefreshTime.php b/apps/user_ldap/lib/Migration/RemoveRefreshTime.php index 8c8fec2253b..88ac56ccb84 100644 --- a/apps/user_ldap/lib/Migration/RemoveRefreshTime.php +++ b/apps/user_ldap/lib/Migration/RemoveRefreshTime.php @@ -3,27 +3,9 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; use OCP\IConfig; @@ -40,14 +22,10 @@ use OCP\Migration\IRepairStep; */ class RemoveRefreshTime implements IRepairStep { - /** @var IDBConnection */ - private $dbc; - /** @var IConfig */ - private $config; - - public function __construct(IDBConnection $dbc, IConfig $config) { - $this->dbc = $dbc; - $this->config = $config; + public function __construct( + private IDBConnection $dbc, + private IConfig $config, + ) { } public function getName() { @@ -61,6 +39,6 @@ class RemoveRefreshTime implements IRepairStep { $qb->delete('preferences') ->where($qb->expr()->eq('appid', $qb->createNamedParameter('user_ldap'))) ->andWhere($qb->expr()->eq('configkey', $qb->createNamedParameter('lastFeatureRefresh'))) - ->execute(); + ->executeStatement(); } } diff --git a/apps/user_ldap/lib/Migration/SetDefaultProvider.php b/apps/user_ldap/lib/Migration/SetDefaultProvider.php index e07f25a54d3..0bb04438a1d 100644 --- a/apps/user_ldap/lib/Migration/SetDefaultProvider.php +++ b/apps/user_ldap/lib/Migration/SetDefaultProvider.php @@ -3,27 +3,9 @@ declare(strict_types=1); /** - * @copyright 2020 Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; use OCA\User_LDAP\Helper; @@ -34,16 +16,10 @@ use OCP\Migration\IRepairStep; class SetDefaultProvider implements IRepairStep { - /** @var IConfig */ - private $config; - - /** @var Helper */ - private $helper; - - public function __construct(IConfig $config, - Helper $helper) { - $this->config = $config; - $this->helper = $helper; + public function __construct( + private IConfig $config, + private Helper $helper, + ) { } public function getName(): string { diff --git a/apps/user_ldap/lib/Migration/UUIDFix.php b/apps/user_ldap/lib/Migration/UUIDFix.php index ba2264c3c63..e853f3bba66 100644 --- a/apps/user_ldap/lib/Migration/UUIDFix.php +++ b/apps/user_ldap/lib/Migration/UUIDFix.php @@ -1,40 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; -use OC\BackgroundJob\QueuedJob; use OCA\User_LDAP\Mapping\AbstractMapping; use OCA\User_LDAP\Proxy; use OCA\User_LDAP\User_Proxy; +use OCP\BackgroundJob\QueuedJob; abstract class UUIDFix extends QueuedJob { - /** @var AbstractMapping */ - protected $mapper; - - /** @var Proxy */ - protected $proxy; + protected AbstractMapping $mapper; + protected Proxy $proxy; public function run($argument) { $isUser = $this->proxy instanceof User_Proxy; diff --git a/apps/user_ldap/lib/Migration/UUIDFixGroup.php b/apps/user_ldap/lib/Migration/UUIDFixGroup.php index 2e9eeac7ca7..3924c91e7ba 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixGroup.php +++ b/apps/user_ldap/lib/Migration/UUIDFixGroup.php @@ -1,33 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; use OCA\User_LDAP\Group_Proxy; use OCA\User_LDAP\Mapping\GroupMapping; +use OCP\AppFramework\Utility\ITimeFactory; class UUIDFixGroup extends UUIDFix { - public function __construct(GroupMapping $mapper, Group_Proxy $proxy) { + public function __construct(ITimeFactory $time, GroupMapping $mapper, Group_Proxy $proxy) { + parent::__construct($time); $this->mapper = $mapper; $this->proxy = $proxy; } diff --git a/apps/user_ldap/lib/Migration/UUIDFixInsert.php b/apps/user_ldap/lib/Migration/UUIDFixInsert.php index 3a8e78ef6a4..bb92314d93a 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixInsert.php +++ b/apps/user_ldap/lib/Migration/UUIDFixInsert.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; use OCA\User_LDAP\Mapping\GroupMapping; @@ -34,23 +15,12 @@ use OCP\Migration\IRepairStep; class UUIDFixInsert implements IRepairStep { - /** @var IConfig */ - protected $config; - - /** @var UserMapping */ - protected $userMapper; - - /** @var GroupMapping */ - protected $groupMapper; - - /** @var IJobList */ - protected $jobList; - - public function __construct(IConfig $config, UserMapping $userMapper, GroupMapping $groupMapper, IJobList $jobList) { - $this->config = $config; - $this->userMapper = $userMapper; - $this->groupMapper = $groupMapper; - $this->jobList = $jobList; + public function __construct( + protected IConfig $config, + protected UserMapping $userMapper, + protected GroupMapping $groupMapper, + protected IJobList $jobList, + ) { } /** @@ -91,7 +61,7 @@ class UUIDFixInsert implements IRepairStep { $this->jobList->add($jobClass, ['records' => $records]); $offset += $batchSize; } catch (\InvalidArgumentException $e) { - if (strpos($e->getMessage(), 'Background job arguments can\'t exceed 4000') !== false) { + if (str_contains($e->getMessage(), 'Background job arguments can\'t exceed 4000')) { $batchSize = (int)floor(count($records) * 0.8); $retry = true; } diff --git a/apps/user_ldap/lib/Migration/UUIDFixUser.php b/apps/user_ldap/lib/Migration/UUIDFixUser.php index a98f9fbeb6b..71c3f638095 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixUser.php +++ b/apps/user_ldap/lib/Migration/UUIDFixUser.php @@ -1,33 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; -use OCA\User_LDAP\User_Proxy; use OCA\User_LDAP\Mapping\UserMapping; +use OCA\User_LDAP\User_Proxy; +use OCP\AppFramework\Utility\ITimeFactory; class UUIDFixUser extends UUIDFix { - public function __construct(UserMapping $mapper, User_Proxy $proxy) { + public function __construct(ITimeFactory $time, UserMapping $mapper, User_Proxy $proxy) { + parent::__construct($time); $this->mapper = $mapper; $this->proxy = $proxy; } diff --git a/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php b/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php new file mode 100644 index 00000000000..025415cf712 --- /dev/null +++ b/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php @@ -0,0 +1,33 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP\Migration; + +use OCA\User_LDAP\LDAPProviderFactory; +use OCP\IConfig; +use OCP\Migration\IOutput; +use OCP\Migration\IRepairStep; + +class UnsetDefaultProvider implements IRepairStep { + + public function __construct( + private IConfig $config, + ) { + } + + public function getName(): string { + return 'Unset default LDAP provider'; + } + + public function run(IOutput $output): void { + $current = $this->config->getSystemValue('ldapProviderFactory', null); + if ($current === LDAPProviderFactory::class) { + $this->config->deleteSystemValue('ldapProviderFactory'); + } + } +} diff --git a/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php b/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php index 754200405c8..1464e50e359 100644 --- a/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php +++ b/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php @@ -3,32 +3,14 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Joas Schilling <coding@schilljs.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Migration; use Closure; -use OCP\DB\Types; use OCP\DB\ISchemaWrapper; +use OCP\DB\Types; use OCP\Migration\IOutput; use OCP\Migration\SimpleMigrationStep; @@ -47,12 +29,12 @@ class Version1010Date20200630192842 extends SimpleMigrationStep { $table = $schema->createTable('ldap_user_mapping'); $table->addColumn('ldap_dn', Types::STRING, [ 'notnull' => true, - 'length' => 255, + 'length' => 4000, 'default' => '', ]); $table->addColumn('owncloud_name', Types::STRING, [ 'notnull' => true, - 'length' => 255, + 'length' => 64, 'default' => '', ]); $table->addColumn('directory_uuid', Types::STRING, [ @@ -60,20 +42,25 @@ class Version1010Date20200630192842 extends SimpleMigrationStep { 'length' => 255, 'default' => '', ]); + $table->addColumn('ldap_dn_hash', Types::STRING, [ + 'notnull' => false, + 'length' => 64, + ]); $table->setPrimaryKey(['owncloud_name']); - $table->addUniqueIndex(['ldap_dn'], 'ldap_dn_users'); + $table->addUniqueIndex(['ldap_dn_hash'], 'ldap_user_dn_hashes'); + $table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid'); } if (!$schema->hasTable('ldap_group_mapping')) { $table = $schema->createTable('ldap_group_mapping'); $table->addColumn('ldap_dn', Types::STRING, [ 'notnull' => true, - 'length' => 255, + 'length' => 4000, 'default' => '', ]); $table->addColumn('owncloud_name', Types::STRING, [ 'notnull' => true, - 'length' => 255, + 'length' => 64, 'default' => '', ]); $table->addColumn('directory_uuid', Types::STRING, [ @@ -81,8 +68,13 @@ class Version1010Date20200630192842 extends SimpleMigrationStep { 'length' => 255, 'default' => '', ]); - $table->setPrimaryKey(['ldap_dn']); - $table->addUniqueIndex(['owncloud_name'], 'owncloud_name_groups'); + $table->addColumn('ldap_dn_hash', Types::STRING, [ + 'notnull' => false, + 'length' => 64, + ]); + $table->setPrimaryKey(['owncloud_name']); + $table->addUniqueIndex(['ldap_dn_hash'], 'ldap_group_dn_hashes'); + $table->addUniqueIndex(['directory_uuid'], 'ldap_group_directory_uuid'); } if (!$schema->hasTable('ldap_group_members')) { diff --git a/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php b/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php new file mode 100644 index 00000000000..dc3823bf771 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php @@ -0,0 +1,131 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OC\Hooks\PublicEmitter; +use OCP\DB\Exception; +use OCP\DB\ISchemaWrapper; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; +use OCP\IUserManager; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; +use Psr\Log\LoggerInterface; + +class Version1120Date20210917155206 extends SimpleMigrationStep { + + public function __construct( + private IDBConnection $dbc, + private IUserManager $userManager, + private LoggerInterface $logger, + ) { + } + + public function getName() { + return 'Adjust LDAP user and group id column lengths to match server lengths'; + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + */ + public function preSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + // ensure that there is no user or group id longer than 64char in LDAP table + $this->handleIDs('ldap_group_mapping', false); + $this->handleIDs('ldap_user_mapping', true); + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @return null|ISchemaWrapper + */ + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + $changeSchema = false; + foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) { + $table = $schema->getTable($tableName); + $column = $table->getColumn('owncloud_name'); + if ($column->getLength() > 64) { + $column->setLength(64); + $changeSchema = true; + } + } + + return $changeSchema ? $schema : null; + } + + protected function handleIDs(string $table, bool $emitHooks) { + $select = $this->getSelectQuery($table); + $update = $this->getUpdateQuery($table); + + $result = $select->executeQuery(); + while ($row = $result->fetch()) { + $newId = hash('sha256', $row['owncloud_name'], false); + if ($emitHooks) { + $this->emitUnassign($row['owncloud_name'], true); + } + $update->setParameter('uuid', $row['directory_uuid']); + $update->setParameter('newId', $newId); + try { + $update->executeStatement(); + if ($emitHooks) { + $this->emitUnassign($row['owncloud_name'], false); + $this->emitAssign($newId); + } + } catch (Exception $e) { + $this->logger->error('Failed to shorten owncloud_name "{oldId}" to "{newId}" (UUID: "{uuid}" of {table})', + [ + 'app' => 'user_ldap', + 'oldId' => $row['owncloud_name'], + 'newId' => $newId, + 'uuid' => $row['directory_uuid'], + 'table' => $table, + 'exception' => $e, + ] + ); + } + } + $result->closeCursor(); + } + + protected function getSelectQuery(string $table): IQueryBuilder { + $qb = $this->dbc->getQueryBuilder(); + $qb->select('owncloud_name', 'directory_uuid') + ->from($table) + ->where($qb->expr()->gt($qb->func()->octetLength('owncloud_name'), $qb->createNamedParameter('64'), IQueryBuilder::PARAM_INT)); + return $qb; + } + + protected function getUpdateQuery(string $table): IQueryBuilder { + $qb = $this->dbc->getQueryBuilder(); + $qb->update($table) + ->set('owncloud_name', $qb->createParameter('newId')) + ->where($qb->expr()->eq('directory_uuid', $qb->createParameter('uuid'))); + return $qb; + } + + protected function emitUnassign(string $oldId, bool $pre): void { + if ($this->userManager instanceof PublicEmitter) { + $this->userManager->emit('\OC\User', $pre ? 'pre' : 'post' . 'UnassignedUserId', [$oldId]); + } + } + + protected function emitAssign(string $newId): void { + if ($this->userManager instanceof PublicEmitter) { + $this->userManager->emit('\OC\User', 'assignedUserId', [$newId]); + } + } +} diff --git a/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php new file mode 100644 index 00000000000..2457acd840d --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php @@ -0,0 +1,266 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use Generator; +use OCP\DB\Exception; +use OCP\DB\ISchemaWrapper; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\DB\Types; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; +use Psr\Log\LoggerInterface; + +class Version1130Date20211102154716 extends SimpleMigrationStep { + + /** @var string[] */ + private $hashColumnAddedToTables = []; + + public function __construct( + private IDBConnection $dbc, + private LoggerInterface $logger, + ) { + } + + public function getName() { + return 'Adjust LDAP user and group ldap_dn column lengths and add ldap_dn_hash columns'; + } + + public function preSchemaChange(IOutput $output, \Closure $schemaClosure, array $options) { + foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) { + $this->processDuplicateUUIDs($tableName); + } + + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + if ($schema->hasTable('ldap_group_mapping_backup')) { + // Previous upgrades of a broken release might have left an incomplete + // ldap_group_mapping_backup table. No need to recreate, but it + // should be empty. + // TRUNCATE is not available from Query Builder, but faster than DELETE FROM. + $sql = $this->dbc->getDatabasePlatform()->getTruncateTableSQL('`*PREFIX*ldap_group_mapping_backup`', false); + $this->dbc->executeStatement($sql); + } + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @return null|ISchemaWrapper + */ + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + $changeSchema = false; + foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) { + $table = $schema->getTable($tableName); + if (!$table->hasColumn('ldap_dn_hash')) { + $table->addColumn('ldap_dn_hash', Types::STRING, [ + 'notnull' => false, + 'length' => 64, + ]); + $changeSchema = true; + $this->hashColumnAddedToTables[] = $tableName; + } + $column = $table->getColumn('ldap_dn'); + if ($tableName === 'ldap_user_mapping') { + if ($column->getLength() < 4000) { + $column->setLength(4000); + $changeSchema = true; + } + + if ($table->hasIndex('ldap_dn_users')) { + $table->dropIndex('ldap_dn_users'); + $changeSchema = true; + } + if (!$table->hasIndex('ldap_user_dn_hashes')) { + $table->addUniqueIndex(['ldap_dn_hash'], 'ldap_user_dn_hashes'); + $changeSchema = true; + } + if (!$table->hasIndex('ldap_user_directory_uuid')) { + $table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid'); + $changeSchema = true; + } + } elseif (!$schema->hasTable('ldap_group_mapping_backup')) { + // We need to copy the table twice to be able to change primary key, prepare the backup table + $table2 = $schema->createTable('ldap_group_mapping_backup'); + $table2->addColumn('ldap_dn', Types::STRING, [ + 'notnull' => true, + 'length' => 4000, + 'default' => '', + ]); + $table2->addColumn('owncloud_name', Types::STRING, [ + 'notnull' => true, + 'length' => 64, + 'default' => '', + ]); + $table2->addColumn('directory_uuid', Types::STRING, [ + 'notnull' => true, + 'length' => 255, + 'default' => '', + ]); + $table2->addColumn('ldap_dn_hash', Types::STRING, [ + 'notnull' => false, + 'length' => 64, + ]); + $table2->setPrimaryKey(['owncloud_name'], 'lgm_backup_primary'); + $changeSchema = true; + } + } + + return $changeSchema ? $schema : null; + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + */ + public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) { + $this->handleDNHashes('ldap_group_mapping'); + $this->handleDNHashes('ldap_user_mapping'); + } + + protected function handleDNHashes(string $table): void { + $select = $this->getSelectQuery($table); + $update = $this->getUpdateQuery($table); + + $result = $select->executeQuery(); + while ($row = $result->fetch()) { + $dnHash = hash('sha256', $row['ldap_dn'], false); + $update->setParameter('name', $row['owncloud_name']); + $update->setParameter('dn_hash', $dnHash); + try { + $update->executeStatement(); + } catch (Exception $e) { + $this->logger->error('Failed to add hash "{dnHash}" ("{name}" of {table})', + [ + 'app' => 'user_ldap', + 'name' => $row['owncloud_name'], + 'dnHash' => $dnHash, + 'table' => $table, + 'exception' => $e, + ] + ); + } + } + $result->closeCursor(); + } + + protected function getSelectQuery(string $table): IQueryBuilder { + $qb = $this->dbc->getQueryBuilder(); + $qb->select('owncloud_name', 'ldap_dn') + ->from($table); + + // when added we may run into risk that it's read from a DB node + // where the column is not present. Then the where clause is also + // not necessary since all rows qualify. + if (!in_array($table, $this->hashColumnAddedToTables, true)) { + $qb->where($qb->expr()->isNull('ldap_dn_hash')); + } + + return $qb; + } + + protected function getUpdateQuery(string $table): IQueryBuilder { + $qb = $this->dbc->getQueryBuilder(); + $qb->update($table) + ->set('ldap_dn_hash', $qb->createParameter('dn_hash')) + ->where($qb->expr()->eq('owncloud_name', $qb->createParameter('name'))); + return $qb; + } + + /** + * @throws Exception + */ + protected function processDuplicateUUIDs(string $table): void { + $uuids = $this->getDuplicatedUuids($table); + $idsWithUuidToInvalidate = []; + foreach ($uuids as $uuid) { + array_push($idsWithUuidToInvalidate, ...$this->getNextcloudIdsByUuid($table, $uuid)); + } + $this->invalidateUuids($table, $idsWithUuidToInvalidate); + } + + /** + * @throws Exception + */ + protected function invalidateUuids(string $table, array $idList): void { + $update = $this->dbc->getQueryBuilder(); + $update->update($table) + ->set('directory_uuid', $update->createParameter('invalidatedUuid')) + ->where($update->expr()->eq('owncloud_name', $update->createParameter('nextcloudId'))); + + while ($nextcloudId = array_shift($idList)) { + $update->setParameter('nextcloudId', $nextcloudId); + $update->setParameter('invalidatedUuid', 'invalidated_' . \bin2hex(\random_bytes(6))); + try { + $update->executeStatement(); + $this->logger->warning( + 'LDAP user or group with ID {nid} has a duplicated UUID value which therefore was invalidated. You may double-check your LDAP configuration and trigger an update of the UUID.', + [ + 'app' => 'user_ldap', + 'nid' => $nextcloudId, + ] + ); + } catch (Exception $e) { + // Catch possible, but unlikely duplications if new invalidated errors. + // There is the theoretical chance of an infinity loop is, when + // the constraint violation has a different background. I cannot + // think of one at the moment. + if ($e->getReason() !== Exception::REASON_CONSTRAINT_VIOLATION) { + throw $e; + } + $idList[] = $nextcloudId; + } + } + } + + /** + * @throws \OCP\DB\Exception + * @return array<string> + */ + protected function getNextcloudIdsByUuid(string $table, string $uuid): array { + $select = $this->dbc->getQueryBuilder(); + $select->select('owncloud_name') + ->from($table) + ->where($select->expr()->eq('directory_uuid', $select->createNamedParameter($uuid))); + + $result = $select->executeQuery(); + $idList = []; + while (($id = $result->fetchOne()) !== false) { + $idList[] = $id; + } + $result->closeCursor(); + return $idList; + } + + /** + * @return Generator<string> + * @throws \OCP\DB\Exception + */ + protected function getDuplicatedUuids(string $table): Generator { + $select = $this->dbc->getQueryBuilder(); + $select->select('directory_uuid') + ->from($table) + ->groupBy('directory_uuid') + ->having($select->expr()->gt($select->func()->count('owncloud_name'), $select->createNamedParameter(1))); + + $result = $select->executeQuery(); + while (($uuid = $result->fetchOne()) !== false) { + yield $uuid; + } + $result->closeCursor(); + } +} diff --git a/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php b/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php new file mode 100644 index 00000000000..80960373edf --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php @@ -0,0 +1,60 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\Migration\IOutput; + +class Version1130Date20220110154717 extends GroupMappingMigration { + public function getName() { + return 'Copy ldap_group_mapping data to backup table if needed'; + } + + /** + * @param IOutput $output + * @param \Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @since 13.0.0 + */ + public function preSchemaChange(IOutput $output, \Closure $schemaClosure, array $options) { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_mapping_backup')) { + // Backup table does not exist + return; + } + + $output->startProgress(); + $this->copyGroupMappingData('ldap_group_mapping', 'ldap_group_mapping_backup'); + $output->finishProgress(); + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @return null|ISchemaWrapper + */ + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_mapping_backup')) { + // Backup table does not exist + return null; + } + + $schema->dropTable('ldap_group_mapping'); + + return $schema; + } +} diff --git a/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php b/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php new file mode 100644 index 00000000000..f67b791daad --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php @@ -0,0 +1,82 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\DB\Types; +use OCP\Migration\IOutput; + +class Version1130Date20220110154718 extends GroupMappingMigration { + public function getName() { + return 'Copy ldap_group_mapping data from backup table and if needed'; + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @return null|ISchemaWrapper + */ + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_mapping_backup')) { + // Backup table does not exist + return null; + } + + $table = $schema->createTable('ldap_group_mapping'); + $table->addColumn('ldap_dn', Types::STRING, [ + 'notnull' => true, + 'length' => 4000, + 'default' => '', + ]); + $table->addColumn('owncloud_name', Types::STRING, [ + 'notnull' => true, + 'length' => 64, + 'default' => '', + ]); + $table->addColumn('directory_uuid', Types::STRING, [ + 'notnull' => true, + 'length' => 255, + 'default' => '', + ]); + $table->addColumn('ldap_dn_hash', Types::STRING, [ + 'notnull' => false, + 'length' => 64, + ]); + $table->setPrimaryKey(['owncloud_name']); + $table->addUniqueIndex(['ldap_dn_hash'], 'ldap_group_dn_hashes'); + $table->addUniqueIndex(['directory_uuid'], 'ldap_group_directory_uuid'); + + return $schema; + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + */ + public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_mapping_backup')) { + // Backup table does not exist + return; + } + + $output->startProgress(); + $this->copyGroupMappingData('ldap_group_mapping_backup', 'ldap_group_mapping'); + $output->finishProgress(); + } +} diff --git a/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php b/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php new file mode 100644 index 00000000000..c34ee5357f5 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php @@ -0,0 +1,39 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version1130Date20220110154719 extends SimpleMigrationStep { + public function getName() { + return 'Drop ldap_group_mapping_backup'; + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @return null|ISchemaWrapper + */ + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if ($schema->hasTable('ldap_group_mapping_backup')) { + $schema->dropTable('ldap_group_mapping_backup'); + return $schema; + } + + return null; + } +} diff --git a/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php b/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php new file mode 100644 index 00000000000..ecedbf1de20 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php @@ -0,0 +1,95 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version1141Date20220323143801 extends SimpleMigrationStep { + + public function __construct( + private IDBConnection $dbc, + ) { + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + */ + public function preSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) { + $qb = $this->dbc->getQueryBuilder(); + $qb->select('ldap_dn') + ->from($tableName) + ->where($qb->expr()->gt($qb->func()->octetLength('ldap_dn'), $qb->createNamedParameter('4000'), IQueryBuilder::PARAM_INT)); + + $dnsTooLong = []; + $result = $qb->executeQuery(); + while (($dn = $result->fetchOne()) !== false) { + $dnsTooLong[] = $dn; + } + $result->closeCursor(); + $this->shortenDNs($dnsTooLong, $tableName); + } + } + + protected function shortenDNs(array $dns, string $table): void { + $qb = $this->dbc->getQueryBuilder(); + $qb->update($table) + ->set('ldap_dn', $qb->createParameter('shortenedDn')) + ->where($qb->expr()->eq('ldap_dn', $qb->createParameter('originalDn'))); + + $pageSize = 1000; + $page = 0; + do { + $subset = array_slice($dns, $page * $pageSize, $pageSize); + try { + $this->dbc->beginTransaction(); + foreach ($subset as $dn) { + $shortenedDN = mb_substr($dn, 0, 4000); + $qb->setParameter('shortenedDn', $shortenedDN); + $qb->setParameter('originalDn', $dn); + $qb->executeStatement(); + } + $this->dbc->commit(); + } catch (\Throwable $t) { + $this->dbc->rollBack(); + throw $t; + } + $page++; + } while (count($subset) === $pageSize); + } + + /** + * @param IOutput $output + * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper` + * @param array $options + * @return null|ISchemaWrapper + */ + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) { + $table = $schema->getTable($tableName); + $column = $table->getColumn('ldap_dn'); + if ($column->getLength() > 4000) { + $column->setLength(4000); + } + } + + return $schema; + } +} diff --git a/apps/user_ldap/lib/Migration/Version1190Date20230706134108.php b/apps/user_ldap/lib/Migration/Version1190Date20230706134108.php new file mode 100644 index 00000000000..85b046ab7c9 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1190Date20230706134108.php @@ -0,0 +1,108 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\DB\Types; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version1190Date20230706134108 extends SimpleMigrationStep { + public function __construct( + private IDBConnection $dbc, + ) { + } + + public function preSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + } + + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_membership')) { + $table = $schema->createTable('ldap_group_membership'); + $table->addColumn('id', Types::BIGINT, [ + 'autoincrement' => true, + 'notnull' => true, + ]); + $table->addColumn('groupid', Types::STRING, [ + 'notnull' => true, + 'length' => 255, + 'default' => '', + ]); + $table->addColumn('userid', Types::STRING, [ + 'notnull' => true, + 'length' => 64, + 'default' => '', + ]); + $table->setPrimaryKey(['id']); + $table->addUniqueIndex(['groupid', 'userid'], 'user_ldap_membership_unique'); + return $schema; + } else { + return null; + } + } + + public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_members')) { + // Old table does not exist + return; + } + + $output->startProgress(); + $this->copyGroupMembershipData(); + $output->finishProgress(); + } + + protected function copyGroupMembershipData(): void { + $insert = $this->dbc->getQueryBuilder(); + $insert->insert('ldap_group_membership') + ->values([ + 'userid' => $insert->createParameter('userid'), + 'groupid' => $insert->createParameter('groupid'), + ]); + + $query = $this->dbc->getQueryBuilder(); + $query->select('*') + ->from('ldap_group_members'); + + $result = $query->executeQuery(); + while ($row = $result->fetch()) { + $knownUsers = unserialize($row['owncloudusers']); + if (!is_array($knownUsers)) { + /* Unserialize failed or data was incorrect in database, ignore */ + continue; + } + $knownUsers = array_unique($knownUsers); + foreach ($knownUsers as $knownUser) { + try { + $insert + ->setParameter('groupid', $row['owncloudname']) + ->setParameter('userid', $knownUser) + ; + + $insert->executeStatement(); + } catch (\OCP\DB\Exception $e) { + /* + * If it fails on unique constaint violation it may just be left over value from previous half-migration + * If it fails on something else, ignore as well, data will be filled by background job later anyway + */ + } + } + } + $result->closeCursor(); + } +} diff --git a/apps/user_ldap/lib/Migration/Version1190Date20230706134109.php b/apps/user_ldap/lib/Migration/Version1190Date20230706134109.php new file mode 100644 index 00000000000..2d3c26f0d49 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1190Date20230706134109.php @@ -0,0 +1,29 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version1190Date20230706134109 extends SimpleMigrationStep { + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if ($schema->hasTable('ldap_group_members')) { + $schema->dropTable('ldap_group_members'); + return $schema; + } + + return null; + } +} diff --git a/apps/user_ldap/lib/Notification/Notifier.php b/apps/user_ldap/lib/Notification/Notifier.php index e65bba2012d..0195cb9e65b 100644 --- a/apps/user_ldap/lib/Notification/Notifier.php +++ b/apps/user_ldap/lib/Notification/Notifier.php @@ -1,45 +1,24 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Notification; use OCP\L10N\IFactory; use OCP\Notification\INotification; use OCP\Notification\INotifier; +use OCP\Notification\UnknownNotificationException; class Notifier implements INotifier { - /** @var IFactory */ - protected $l10nFactory; - /** * @param IFactory $l10nFactory */ - public function __construct(\OCP\L10N\IFactory $l10nFactory) { - $this->l10nFactory = $l10nFactory; + public function __construct( + protected IFactory $l10nFactory, + ) { } /** @@ -66,12 +45,12 @@ class Notifier implements INotifier { * @param INotification $notification * @param string $languageCode The code of the language that should be used to prepare the notification * @return INotification - * @throws \InvalidArgumentException When the notification was not prepared by a notifier + * @throws UnknownNotificationException When the notification was not prepared by a notifier */ public function prepare(INotification $notification, string $languageCode): INotification { if ($notification->getApp() !== 'user_ldap') { // Not my app => throw - throw new \InvalidArgumentException(); + throw new UnknownNotificationException(); } // Read the language from the notification @@ -81,7 +60,7 @@ class Notifier implements INotifier { // Deal with known subjects case 'pwd_exp_warn_days': $params = $notification->getSubjectParameters(); - $days = (int) $params[0]; + $days = (int)$params[0]; if ($days === 2) { $notification->setParsedSubject($l->t('Your password will expire tomorrow.')); } elseif ($days === 1) { @@ -97,7 +76,7 @@ class Notifier implements INotifier { default: // Unknown subject => Unknown notification => throw - throw new \InvalidArgumentException(); + throw new UnknownNotificationException(); } } } diff --git a/apps/user_ldap/lib/PagedResults/IAdapter.php b/apps/user_ldap/lib/PagedResults/IAdapter.php deleted file mode 100644 index 0136aa0694b..00000000000 --- a/apps/user_ldap/lib/PagedResults/IAdapter.php +++ /dev/null @@ -1,131 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * - */ - -namespace OCA\User_LDAP\PagedResults; - -interface IAdapter { - - /** - * Methods for initiating Paged Results Control - */ - - /** - * The adapter receives paged result parameters from the client. It may - * store the parameters for later use. - */ - public function setRequestParameters($link, int $pageSize, bool $isCritical): void; - - /** - * The adapter is asked for an function that is being explicitly called to - * send the control parameters to LDAP. If not function has to be called, - * null shall be returned. - * - * It will used by the callee for diagnosis and error handling. - */ - public function getRequestCallFunc(): ?string; - - /** - * The adapter is asked to provide the arguments it would pass to the - * function returned by getRequestCallFunc(). If none shall be called, an - * empty array should be returned. - * - * It will used by the callee for diagnosis and error handling. - */ - public function getRequestCallArgs($link): array; - - /** - * The adapter is asked to do the necessary calls to LDAP, if - * getRequestCallFunc returned a function. If none, it will not be called - * so the return value is best set to false. Otherwise it shall respond - * whether setting the controls was successful. - */ - public function requestCall($link): bool; - - /** - * The adapter shall report which PHP function will be called to process - * the paged results call - * - * It will used by the callee for diagnosis and error handling. - */ - public function getResponseCallFunc(): string; - - /** - * The adapter shall report with arguments will be provided to the LDAP - * function it will call - * - * It will used by the callee for diagnosis and error handling. - */ - public function getResponseCallArgs(array $originalArgs): array; - - /** - * the adapter should do it's LDAP function call and return success state - * - * @param resource $link LDAP resource - * @return bool - */ - public function responseCall($link): bool; - - /** - * The adapter receives the parameters that were passed to a search - * operation. Typically it wants to save the them for the call proper later - * on. - */ - public function setSearchArgs( - $link, - string $baseDN, - string $filter, - array $attr, - int $attrsOnly, - int $limit - ): void; - - /** - * The adapter shall report which arguments shall be passed to the - * ldap_search function. - */ - public function getSearchArgs($link): array; - - /** - * The adapter receives the parameters that were passed to a read - * operation. Typically it wants to save the them for the call proper later - * on. - */ - public function setReadArgs($link, string $baseDN, string $filter, array $attr): void; - - /** - * The adapter shall report which arguments shall be passed to the - * ldap_read function. - */ - public function getReadArgs($link): array; - - /** - * Returns the current paged results cookie - * - * @param resource $link LDAP resource - * @return string - */ - public function getCookie($link): string; -} diff --git a/apps/user_ldap/lib/PagedResults/Php54.php b/apps/user_ldap/lib/PagedResults/Php54.php deleted file mode 100644 index 55a5272f599..00000000000 --- a/apps/user_ldap/lib/PagedResults/Php54.php +++ /dev/null @@ -1,129 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * - */ - -namespace OCA\User_LDAP\PagedResults; - -/** - * Class Php54 - * - * implements paged results support with PHP APIs available from PHP 5.4 - * - * @package OCA\User_LDAP\PagedResults - */ -class Php54 implements IAdapter { - use TLinkId; - - /** @var array */ - protected $linkData = []; - - public function getResponseCallFunc(): string { - return 'ldap_control_paged_result_response'; - } - - public function responseCall($link): bool { - $linkId = $this->getLinkId($link); - return ldap_control_paged_result_response(...$this->linkData[$linkId]['responseArgs']); - } - - public function getResponseCallArgs(array $originalArgs): array { - $linkId = $this->getLinkId($originalArgs[0]); - if (!isset($this->linkData[$linkId])) { - throw new \LogicException('There should be a request before the response'); - } - $this->linkData[$linkId]['responseArgs'] = &$originalArgs; - $this->linkData[$linkId]['cookie'] = &$originalArgs[2]; - return $originalArgs; - } - - public function getCookie($link): string { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['cookie']; - } - - public function getRequestCallFunc(): ?string { - return 'ldap_control_paged_result'; - } - - public function setRequestParameters($link, int $pageSize, bool $isCritical): void { - $linkId = $this->getLinkId($link); - - if ($pageSize === 0 || !isset($this->linkData[$linkId]['cookie'])) { - // abandons a previous paged search - $this->linkData[$linkId]['cookie'] = ''; - } - - $this->linkData[$linkId]['requestArgs'] = [ - $link, - $pageSize, - $isCritical, - &$this->linkData[$linkId]['cookie'] - ]; - } - - public function getRequestCallArgs($link): array { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['requestArgs']; - } - - public function requestCall($link): bool { - $linkId = $this->getLinkId($link); - return ldap_control_paged_result(...$this->linkData[$linkId]['requestArgs']); - } - - public function setSearchArgs( - $link, - string $baseDN, - string $filter, - array $attr, - int $attrsOnly, - int $limit - ): void { - $linkId = $this->getLinkId($link); - if (!isset($this->linkData[$linkId])) { - $this->linkData[$linkId] = []; - } - $this->linkData[$linkId]['searchArgs'] = func_get_args(); - } - - public function getSearchArgs($link): array { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['searchArgs']; - } - - public function setReadArgs($link, string $baseDN, string $filter, array $attr): void { - $linkId = $this->getLinkId($link); - if (!isset($this->linkData[$linkId])) { - $this->linkData[$linkId] = []; - } - $this->linkData[$linkId]['readArgs'] = func_get_args(); - } - - public function getReadArgs($link): array { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['readArgs']; - } -} diff --git a/apps/user_ldap/lib/PagedResults/Php73.php b/apps/user_ldap/lib/PagedResults/Php73.php deleted file mode 100644 index 7e182e2eabc..00000000000 --- a/apps/user_ldap/lib/PagedResults/Php73.php +++ /dev/null @@ -1,174 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * - */ - -namespace OCA\User_LDAP\PagedResults; - -/** - * Class Php73 - * - * implements paged results support with PHP APIs available from PHP 7.3 - * - * @package OCA\User_LDAP\PagedResults - */ -class Php73 implements IAdapter { - use TLinkId; - - /** @var array */ - protected $linkData = []; - - public function getResponseCallFunc(): string { - return 'ldap_parse_result'; - } - - public function responseCall($link): bool { - $linkId = $this->getLinkId($link); - return ldap_parse_result(...$this->linkData[$linkId]['responseArgs']); - } - - public function getResponseCallArgs(array $originalArgs): array { - $link = array_shift($originalArgs); - $linkId = $this->getLinkId($link); - - if (!isset($this->linkData[$linkId])) { - $this->linkData[$linkId] = []; - } - - $this->linkData[$linkId]['responseErrorCode'] = 0; - $this->linkData[$linkId]['responseErrorMessage'] = ''; - $this->linkData[$linkId]['serverControls'] = []; - $matchedDn = null; - $referrals = []; - - $this->linkData[$linkId]['responseArgs'] = [ - $link, - array_shift($originalArgs), - &$this->linkData[$linkId]['responseErrorCode'], - $matchedDn, - &$this->linkData[$linkId]['responseErrorMessage'], - $referrals, - &$this->linkData[$linkId]['serverControls'] - ]; - - - return $this->linkData[$linkId]['responseArgs']; - } - - public function getCookie($link): string { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['serverControls'][LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? ''; - } - - private function resetCookie(int $linkId): void { - if (isset($this->linkData[$linkId]['serverControls'][LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])) { - $this->linkData[$linkId]['serverControls'][LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] = ''; - } - } - - public function getRequestCallFunc(): ?string { - return null; - } - - public function setRequestParameters($link, int $pageSize, bool $isCritical): void { - $linkId = $this->getLinkId($link); - if (!isset($this->linkData[$linkId])) { - $this->linkData[$linkId] = []; - } - $this->linkData[$linkId]['requestArgs'] = []; - $this->linkData[$linkId]['requestArgs']['pageSize'] = $pageSize; - $this->linkData[$linkId]['requestArgs']['isCritical'] = $isCritical; - - if ($pageSize === 0) { - $this->resetCookie($linkId); - } - } - - public function getRequestCallArgs($link): array { - // no separate call - return []; - } - - public function requestCall($link): bool { - // no separate call - return false; - } - - public function setSearchArgs( - $link, - string $baseDN, - string $filter, - array $attr, - int $attrsOnly, - int $limit - ): void { - $linkId = $this->getLinkId($link); - if (!isset($this->linkData[$linkId])) { - $this->linkData[$linkId] = []; - } - - $this->linkData[$linkId]['searchArgs'] = func_get_args(); - $this->preparePagesResultsArgs($linkId, 'searchArgs'); - } - - public function getSearchArgs($link): array { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['searchArgs']; - } - - public function setReadArgs($link, string $baseDN, string $filter, array $attr): void { - $linkId = $this->getLinkId($link); - if (!isset($this->linkData[$linkId])) { - $this->linkData[$linkId] = []; - } - - $this->linkData[$linkId]['readArgs'] = func_get_args(); - $this->linkData[$linkId]['readArgs'][] = 0; // $attrsonly default - $this->linkData[$linkId]['readArgs'][] = -1; // $sizelimit default - } - - public function getReadArgs($link): array { - $linkId = $this->getLinkId($link); - return $this->linkData[$linkId]['readArgs']; - } - - protected function preparePagesResultsArgs(int $linkId, string $methodKey): void { - if (!isset($this->linkData[$linkId]['requestArgs'])) { - return; - } - - $serverControls = [[ - 'oid' => LDAP_CONTROL_PAGEDRESULTS, - 'value' => [ - 'size' => $this->linkData[$linkId]['requestArgs']['pageSize'], - 'cookie' => $this->linkData[$linkId]['serverControls'][LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '', - ] - ]]; - - $this->linkData[$linkId][$methodKey][] = -1; // timelimit - $this->linkData[$linkId][$methodKey][] = LDAP_DEREF_NEVER; - $this->linkData[$linkId][$methodKey][] = $serverControls; - } -} diff --git a/apps/user_ldap/lib/PagedResults/TLinkId.php b/apps/user_ldap/lib/PagedResults/TLinkId.php index 551fb0af333..46d392995e0 100644 --- a/apps/user_ldap/lib/PagedResults/TLinkId.php +++ b/apps/user_ldap/lib/PagedResults/TLinkId.php @@ -3,36 +3,23 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\PagedResults; trait TLinkId { public function getLinkId($link) { - if (is_resource($link)) { + if (is_object($link)) { + return spl_object_id($link); + } elseif (is_resource($link)) { return (int)$link; - } elseif (is_array($link) && isset($link[0]) && is_resource($link[0])) { - return (int)$link[0]; + } elseif (is_array($link) && isset($link[0])) { + if (is_object($link[0])) { + return spl_object_id($link[0]); + } elseif (is_resource($link[0])) { + return (int)$link[0]; + } } throw new \RuntimeException('No resource provided'); } diff --git a/apps/user_ldap/lib/Proxy.php b/apps/user_ldap/lib/Proxy.php index e723c4e3abf..22b2c6617af 100644 --- a/apps/user_ldap/lib/Proxy.php +++ b/apps/user_ldap/lib/Proxy.php @@ -1,103 +1,87 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christopher Schäpers <kondou@ts.unde.re> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; use OCA\User_LDAP\Mapping\GroupMapping; use OCA\User_LDAP\Mapping\UserMapping; -use OCA\User_LDAP\User\Manager; -use OCP\Share\IManager; +use OCP\ICache; +use OCP\ICacheFactory; +use OCP\Server; +/** + * @template T + */ abstract class Proxy { - private static $accesses = []; - private $ldap = null; - /** @var bool */ - private $isSingleBackend; - - /** @var \OCP\ICache|null */ - private $cache; - - /** - * @param ILDAPWrapper $ldap - */ - public function __construct(ILDAPWrapper $ldap) { - $this->ldap = $ldap; - $memcache = \OC::$server->getMemCacheFactory(); + /** @var array<string,Access> */ + private static array $accesses = []; + private ?bool $isSingleBackend = null; + private ?ICache $cache = null; + + /** @var T[] */ + protected array $backends = []; + /** @var ?T */ + protected $refBackend = null; + + protected bool $isSetUp = false; + + public function __construct( + private Helper $helper, + private ILDAPWrapper $ldap, + private AccessFactory $accessFactory, + ) { + $memcache = Server::get(ICacheFactory::class); if ($memcache->isAvailable()) { $this->cache = $memcache->createDistributed(); } } + protected function setup(): void { + if ($this->isSetUp) { + return; + } + + $serverConfigPrefixes = $this->helper->getServerConfigurationPrefixes(true); + foreach ($serverConfigPrefixes as $configPrefix) { + $this->backends[$configPrefix] = $this->newInstance($configPrefix); + + if (is_null($this->refBackend)) { + $this->refBackend = $this->backends[$configPrefix]; + } + } + + $this->isSetUp = true; + } + /** - * @param string $configPrefix + * @return T */ - private function addAccess($configPrefix) { - static $ocConfig; - static $fs; - static $log; - static $avatarM; - static $userMap; - static $groupMap; - static $shareManager; - static $coreUserManager; - static $coreNotificationManager; - if ($fs === null) { - $ocConfig = \OC::$server->getConfig(); - $fs = new FilesystemHelper(); - $log = new LogWrapper(); - $avatarM = \OC::$server->getAvatarManager(); - $db = \OC::$server->getDatabaseConnection(); - $userMap = new UserMapping($db); - $groupMap = new GroupMapping($db); - $coreUserManager = \OC::$server->getUserManager(); - $coreNotificationManager = \OC::$server->getNotificationManager(); - $shareManager = \OC::$server->get(IManager::class); - } - $userManager = - new Manager($ocConfig, $fs, $log, $avatarM, new \OCP\Image(), - $coreUserManager, $coreNotificationManager, $shareManager); + abstract protected function newInstance(string $configPrefix): object; + + /** + * @return T + */ + public function getBackend(string $configPrefix): object { + $this->setup(); + return $this->backends[$configPrefix]; + } + + private function addAccess(string $configPrefix): void { + $userMap = Server::get(UserMapping::class); + $groupMap = Server::get(GroupMapping::class); + $connector = new Connection($this->ldap, $configPrefix); - $access = new Access($connector, $this->ldap, $userManager, new Helper($ocConfig, \OC::$server->getDatabaseConnection()), $ocConfig, $coreUserManager); + $access = $this->accessFactory->get($connector); $access->setUserMapper($userMap); $access->setGroupMapper($groupMap); self::$accesses[$configPrefix] = $access; } - /** - * @param string $configPrefix - * @return mixed - */ - protected function getAccess($configPrefix) { + protected function getAccess(string $configPrefix): Access { if (!isset(self::$accesses[$configPrefix])) { $this->addAccess($configPrefix); } @@ -159,7 +143,7 @@ abstract class Proxy { * @param string $method string, the method of the user backend that shall be called * @param array $parameters an array of parameters to be passed * @param bool $passOnWhen - * @return mixed, the result of the specified method + * @return mixed the result of the specified method */ protected function handleRequest($id, $method, $parameters, $passOnWhen = false) { if (!$this->isSingleBackend()) { diff --git a/apps/user_ldap/lib/Service/BirthdateParserService.php b/apps/user_ldap/lib/Service/BirthdateParserService.php new file mode 100644 index 00000000000..8234161b3d8 --- /dev/null +++ b/apps/user_ldap/lib/Service/BirthdateParserService.php @@ -0,0 +1,44 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Service; + +use DateTimeImmutable; +use Exception; +use InvalidArgumentException; + +class BirthdateParserService { + /** + * Try to parse the birthdate from LDAP. + * Supports LDAP's generalized time syntax, YYYYMMDD and YYYY-MM-DD. + * + * @throws InvalidArgumentException If the format of then given date is unknown + */ + public function parseBirthdate(string $value): DateTimeImmutable { + // Minimum LDAP generalized date is "1994121610Z" with 11 chars + // While maximum other format is "1994-12-16" with 10 chars + if (strlen($value) > strlen('YYYY-MM-DD')) { + // Probably LDAP generalized time syntax + $value = substr($value, 0, 8); + } + + // Should be either YYYYMMDD or YYYY-MM-DD + if (!preg_match('/^(\d{8}|\d{4}-\d{2}-\d{2})$/', $value)) { + throw new InvalidArgumentException("Unknown date format: $value"); + } + + try { + return new DateTimeImmutable($value); + } catch (Exception $e) { + throw new InvalidArgumentException( + "Unknown date format: $value", + 0, + $e, + ); + } + } +} diff --git a/apps/user_ldap/lib/Service/UpdateGroupsService.php b/apps/user_ldap/lib/Service/UpdateGroupsService.php new file mode 100644 index 00000000000..94f2a7fd4a1 --- /dev/null +++ b/apps/user_ldap/lib/Service/UpdateGroupsService.php @@ -0,0 +1,221 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ + +namespace OCA\User_LDAP\Service; + +use OCA\User_LDAP\Db\GroupMembership; +use OCA\User_LDAP\Db\GroupMembershipMapper; +use OCA\User_LDAP\Group_Proxy; +use OCP\DB\Exception; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\Group\Events\UserAddedEvent; +use OCP\Group\Events\UserRemovedEvent; +use OCP\IGroup; +use OCP\IGroupManager; +use OCP\IUser; +use OCP\IUserManager; +use Psr\Log\LoggerInterface; + +class UpdateGroupsService { + public function __construct( + private Group_Proxy $groupBackend, + private IEventDispatcher $dispatcher, + private IGroupManager $groupManager, + private IUserManager $userManager, + private LoggerInterface $logger, + private GroupMembershipMapper $groupMembershipMapper, + ) { + } + + /** + * @throws Exception + */ + public function updateGroups(): void { + $knownGroups = $this->groupMembershipMapper->getKnownGroups(); + $actualGroups = $this->groupBackend->getGroups(); + + if (empty($actualGroups) && empty($knownGroups)) { + $this->logger->info( + 'service "updateGroups" - groups do not seem to be configured properly, aborting.', + ); + return; + } + + $this->handleKnownGroups(array_intersect($actualGroups, $knownGroups)); + $this->handleCreatedGroups(array_diff($actualGroups, $knownGroups)); + $this->handleRemovedGroups(array_diff($knownGroups, $actualGroups)); + + $this->logger->debug('service "updateGroups" - Finished.'); + } + + /** + * @param string[] $groups + * @throws Exception + */ + public function handleKnownGroups(array $groups): void { + $this->logger->debug('service "updateGroups" - Dealing with known Groups.'); + + foreach ($groups as $group) { + $this->logger->debug('service "updateGroups" - Dealing with {group}.', ['group' => $group]); + $groupMemberships = $this->groupMembershipMapper->findGroupMemberships($group); + $knownUsers = array_map( + static fn (GroupMembership $groupMembership): string => $groupMembership->getUserid(), + $groupMemberships + ); + $groupMemberships = array_combine($knownUsers, $groupMemberships); + $actualUsers = $this->groupBackend->usersInGroup($group); + + $groupObject = $this->groupManager->get($group); + if ($groupObject === null) { + /* We are not expecting the group to not be found since it was returned by $this->groupBackend->getGroups() */ + $this->logger->error( + 'service "updateGroups" - Failed to get group {group} for update', + [ + 'group' => $group + ] + ); + continue; + } + foreach (array_diff($knownUsers, $actualUsers) as $removedUser) { + try { + $this->groupMembershipMapper->delete($groupMemberships[$removedUser]); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_DATABASE_OBJECT_NOT_FOUND) { + /* If reason is not found something else removed the membership, that’s fine */ + $this->logger->error( + self::class . ' - group {group} membership failed to be removed (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $removedUser, + 'group' => $group, + 'exception' => $e, + ] + ); + } + /* We failed to delete the groupmembership so we do not want to advertise it */ + continue; + } + $userObject = $this->userManager->get($removedUser); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); + } + $this->logger->info( + 'service "updateGroups" - {user} removed from {group}', + [ + 'user' => $removedUser, + 'group' => $group + ] + ); + } + foreach (array_diff($actualUsers, $knownUsers) as $addedUser) { + try { + $this->groupMembershipMapper->insert(GroupMembership::fromParams(['groupid' => $group,'userid' => $addedUser])); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + /* If reason is unique constraint something else added the membership, that’s fine */ + $this->logger->error( + self::class . ' - group {group} membership failed to be added (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $addedUser, + 'group' => $group, + 'exception' => $e, + ] + ); + } + /* We failed to insert the groupmembership so we do not want to advertise it */ + continue; + } + $userObject = $this->userManager->get($addedUser); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); + } + $this->logger->info( + 'service "updateGroups" - {user} added to {group}', + [ + 'user' => $addedUser, + 'group' => $group + ] + ); + } + } + $this->logger->debug('service "updateGroups" - FINISHED dealing with known Groups.'); + } + + /** + * @param string[] $createdGroups + * @throws Exception + */ + public function handleCreatedGroups(array $createdGroups): void { + $this->logger->debug('service "updateGroups" - dealing with created Groups.'); + + foreach ($createdGroups as $createdGroup) { + $this->logger->info('service "updateGroups" - new group "' . $createdGroup . '" found.'); + + $users = $this->groupBackend->usersInGroup($createdGroup); + $groupObject = $this->groupManager->get($createdGroup); + foreach ($users as $user) { + try { + $this->groupMembershipMapper->insert(GroupMembership::fromParams(['groupid' => $createdGroup,'userid' => $user])); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + $this->logger->error( + self::class . ' - group {group} membership failed to be added (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $user, + 'group' => $createdGroup, + 'exception' => $e, + ] + ); + } + /* We failed to insert the groupmembership so we do not want to advertise it */ + continue; + } + if ($groupObject instanceof IGroup) { + $userObject = $this->userManager->get($user); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); + } + } + } + } + $this->logger->debug('service "updateGroups" - FINISHED dealing with created Groups.'); + } + + /** + * @param string[] $removedGroups + * @throws Exception + */ + public function handleRemovedGroups(array $removedGroups): void { + $this->logger->debug('service "updateGroups" - dealing with removed groups.'); + + $this->groupMembershipMapper->deleteGroups($removedGroups); + foreach ($removedGroups as $group) { + $groupObject = $this->groupManager->get($group); + if ($groupObject instanceof IGroup) { + $groupMemberships = $this->groupMembershipMapper->findGroupMemberships($group); + foreach ($groupMemberships as $groupMembership) { + $userObject = $this->userManager->get($groupMembership->getUserid()); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); + } + } + } + } + + $this->logger->info( + 'service "updateGroups" - groups {removedGroups} were removed.', + [ + 'removedGroups' => $removedGroups + ] + ); + } +} diff --git a/apps/user_ldap/lib/Settings/Admin.php b/apps/user_ldap/lib/Settings/Admin.php index 7bcd1758a0a..89fb063265b 100644 --- a/apps/user_ldap/lib/Settings/Admin.php +++ b/apps/user_ldap/lib/Settings/Admin.php @@ -1,54 +1,31 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Settings; use OCA\User_LDAP\Configuration; use OCA\User_LDAP\Helper; use OCP\AppFramework\Http\TemplateResponse; use OCP\IL10N; -use OCP\Settings\ISettings; -use OCP\Template; - -class Admin implements ISettings { - /** @var IL10N */ - private $l; +use OCP\Server; +use OCP\Settings\IDelegatedSettings; +use OCP\Template\ITemplateManager; - /** - * @param IL10N $l - */ - public function __construct(IL10N $l) { - $this->l = $l; +class Admin implements IDelegatedSettings { + public function __construct( + private IL10N $l, + private ITemplateManager $templateManager, + ) { } /** * @return TemplateResponse */ public function getForm() { - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $prefixes = $helper->getServerConfigurationPrefixes(); if (count($prefixes) === 0) { $newPrefix = $helper->getNextServerConfigurationPrefix(); @@ -60,11 +37,12 @@ class Admin implements ISettings { $hosts = $helper->getServerConfigurationHosts(); - $wControls = new Template('user_ldap', 'part.wizardcontrols'); + $wControls = $this->templateManager->getTemplate('user_ldap', 'part.wizardcontrols'); $wControls = $wControls->fetchPage(); - $sControls = new Template('user_ldap', 'part.settingcontrols'); + $sControls = $this->templateManager->getTemplate('user_ldap', 'part.settingcontrols'); $sControls = $sControls->fetchPage(); + $parameters = []; $parameters['serverConfigurationPrefixes'] = $prefixes; $parameters['serverConfigurationHosts'] = $hosts; $parameters['settingControls'] = $sControls; @@ -76,7 +54,7 @@ class Admin implements ISettings { } $defaults = $config->getDefaults(); foreach ($defaults as $key => $default) { - $parameters[$key.'_default'] = $default; + $parameters[$key . '_default'] = $default; } return new TemplateResponse('user_ldap', 'settings', $parameters); @@ -91,12 +69,20 @@ class Admin implements ISettings { /** * @return int whether the form should be rather on the top or bottom of - * the admin section. The forms are arranged in ascending order of the - * priority values. It is required to return a value between 0 and 100. + * the admin section. The forms are arranged in ascending order of the + * priority values. It is required to return a value between 0 and 100. * * E.g.: 70 */ public function getPriority() { return 5; } + + public function getName(): ?string { + return null; // Only one setting in this section + } + + public function getAuthorizedAppConfig(): array { + return []; // Custom controller + } } diff --git a/apps/user_ldap/lib/Settings/Section.php b/apps/user_ldap/lib/Settings/Section.php index 308cf6b86ef..3b95e25513d 100644 --- a/apps/user_ldap/lib/Settings/Section.php +++ b/apps/user_ldap/lib/Settings/Section.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP\Settings; use OCP\IL10N; @@ -30,18 +11,14 @@ use OCP\IURLGenerator; use OCP\Settings\IIconSection; class Section implements IIconSection { - /** @var IL10N */ - private $l; - /** @var IURLGenerator */ - private $url; - /** * @param IURLGenerator $url * @param IL10N $l */ - public function __construct(IURLGenerator $url, IL10N $l) { - $this->url = $url; - $this->l = $l; + public function __construct( + private IURLGenerator $url, + private IL10N $l, + ) { } /** @@ -55,19 +32,19 @@ class Section implements IIconSection { } /** - * returns the translated name as it should be displayed, e.g. 'LDAP / AD + * returns the translated name as it should be displayed, e.g. 'LDAP/AD * integration'. Use the L10N service to translate it. * * @return string */ public function getName() { - return $this->l->t('LDAP / AD integration'); + return $this->l->t('LDAP/AD integration'); } /** * @return int whether the form should be rather on the top or bottom of - * the settings navigation. The sections are arranged in ascending order of - * the priority values. It is required to return a value between 0 and 99. + * the settings navigation. The sections are arranged in ascending order of + * the priority values. It is required to return a value between 0 and 99. * * E.g.: 70 */ diff --git a/apps/user_ldap/lib/SetupChecks/LdapConnection.php b/apps/user_ldap/lib/SetupChecks/LdapConnection.php new file mode 100644 index 00000000000..ee8c4ddd595 --- /dev/null +++ b/apps/user_ldap/lib/SetupChecks/LdapConnection.php @@ -0,0 +1,94 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\SetupChecks; + +use OCA\User_LDAP\AccessFactory; +use OCA\User_LDAP\ConnectionFactory; +use OCA\User_LDAP\Helper; +use OCP\IL10N; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class LdapConnection implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private Helper $helper, + private ConnectionFactory $connectionFactory, + private AccessFactory $accessFactory, + ) { + } + + public function getCategory(): string { + return 'ldap'; + } + + public function getName(): string { + return $this->l10n->t('LDAP Connection'); + } + + public function run(): SetupResult { + $availableConfigs = $this->helper->getServerConfigurationPrefixes(); + $inactiveConfigurations = []; + $bindFailedConfigurations = []; + $searchFailedConfigurations = []; + foreach ($availableConfigs as $configID) { + $connection = $this->connectionFactory->get($configID); + if (!$connection->ldapConfigurationActive) { + $inactiveConfigurations[] = $configID; + continue; + } + if (!$connection->bind()) { + $bindFailedConfigurations[] = $configID; + continue; + } + $access = $this->accessFactory->get($connection); + $result = $access->countObjects(1); + if (!is_int($result) || ($result <= 0)) { + $searchFailedConfigurations[] = $configID; + } + } + $output = ''; + if (!empty($bindFailedConfigurations)) { + $output .= $this->l10n->n( + 'Binding failed for this LDAP configuration: %s', + 'Binding failed for %n LDAP configurations: %s', + count($bindFailedConfigurations), + [implode(',', $bindFailedConfigurations)] + ) . "\n"; + } + if (!empty($searchFailedConfigurations)) { + $output .= $this->l10n->n( + 'Searching failed for this LDAP configuration: %s', + 'Searching failed for %n LDAP configurations: %s', + count($searchFailedConfigurations), + [implode(',', $searchFailedConfigurations)] + ) . "\n"; + } + if (!empty($inactiveConfigurations)) { + $output .= $this->l10n->n( + 'There is an inactive LDAP configuration: %s', + 'There are %n inactive LDAP configurations: %s', + count($inactiveConfigurations), + [implode(',', $inactiveConfigurations)] + ) . "\n"; + } + if (!empty($bindFailedConfigurations) || !empty($searchFailedConfigurations)) { + return SetupResult::error($output); + } elseif (!empty($inactiveConfigurations)) { + return SetupResult::warning($output); + } + return SetupResult::success($this->l10n->n( + 'Binding and searching works on the configured LDAP connection (%s)', + 'Binding and searching works on all of the %n configured LDAP connections (%s)', + count($availableConfigs), + [implode(',', $availableConfigs)] + )); + } +} diff --git a/apps/user_ldap/lib/SetupChecks/LdapInvalidUuids.php b/apps/user_ldap/lib/SetupChecks/LdapInvalidUuids.php new file mode 100644 index 00000000000..ac502b6b59e --- /dev/null +++ b/apps/user_ldap/lib/SetupChecks/LdapInvalidUuids.php @@ -0,0 +1,42 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\SetupChecks; + +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Mapping\UserMapping; +use OCP\IL10N; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class LdapInvalidUuids implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private UserMapping $userMapping, + private GroupMapping $groupMapping, + ) { + } + + public function getCategory(): string { + return 'ldap'; + } + + public function getName(): string { + return $this->l10n->t('Invalid LDAP UUIDs'); + } + + public function run(): SetupResult { + if (count($this->userMapping->getList(0, 1, true)) === 0 + && count($this->groupMapping->getList(0, 1, true)) === 0) { + return SetupResult::success($this->l10n->t('None found')); + } else { + return SetupResult::warning($this->l10n->t('Invalid UUIDs of LDAP accounts or groups have been found. Please review your "Override UUID detection" settings in the Expert part of the LDAP configuration and use "occ ldap:update-uuid" to update them.')); + } + } +} diff --git a/apps/user_ldap/lib/User/DeletedUsersIndex.php b/apps/user_ldap/lib/User/DeletedUsersIndex.php index 2591f371fa1..f57f71a9d47 100644 --- a/apps/user_ldap/lib/User/DeletedUsersIndex.php +++ b/apps/user_ldap/lib/User/DeletedUsersIndex.php @@ -1,31 +1,14 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\User; use OCA\User_LDAP\Mapping\UserMapping; +use OCP\IConfig; +use OCP\PreConditionNotMetException; use OCP\Share\IManager; /** @@ -33,40 +16,30 @@ use OCP\Share\IManager; * @package OCA\User_LDAP */ class DeletedUsersIndex { - /** - * @var \OCP\IConfig $config - */ - protected $config; - - /** - * @var \OCA\User_LDAP\Mapping\UserMapping $mapping - */ - protected $mapping; - - /** - * @var array $deletedUsers - */ - protected $deletedUsers; - /** @var IManager */ - private $shareManager; + protected ?array $deletedUsers = null; - public function __construct(\OCP\IConfig $config, UserMapping $mapping, IManager $shareManager) { - $this->config = $config; - $this->mapping = $mapping; - $this->shareManager = $shareManager; + public function __construct( + protected IConfig $config, + protected UserMapping $mapping, + private IManager $shareManager, + ) { } /** * reads LDAP users marked as deleted from the database - * @return \OCA\User_LDAP\User\OfflineUser[] + * @return OfflineUser[] */ - private function fetchDeletedUsers() { - $deletedUsers = $this->config->getUsersForUserValue( - 'user_ldap', 'isDeleted', '1'); + private function fetchDeletedUsers(): array { + $deletedUsers = $this->config->getUsersForUserValue('user_ldap', 'isDeleted', '1'); $userObjects = []; foreach ($deletedUsers as $user) { - $userObjects[] = new OfflineUser($user, $this->config, $this->mapping, $this->shareManager); + $userObject = new OfflineUser($user, $this->config, $this->mapping, $this->shareManager); + if ($userObject->getLastLogin() > $userObject->getDetectedOn()) { + $userObject->unmark(); + } else { + $userObjects[] = $userObject; + } } $this->deletedUsers = $userObjects; @@ -75,9 +48,9 @@ class DeletedUsersIndex { /** * returns all LDAP users that are marked as deleted - * @return \OCA\User_LDAP\User\OfflineUser[] + * @return OfflineUser[] */ - public function getUsers() { + public function getUsers(): array { if (is_array($this->deletedUsers)) { return $this->deletedUsers; } @@ -86,9 +59,8 @@ class DeletedUsersIndex { /** * whether at least one user was detected as deleted - * @return bool */ - public function hasUsers() { + public function hasUsers(): bool { if (!is_array($this->deletedUsers)) { $this->fetchDeletedUsers(); } @@ -98,12 +70,10 @@ class DeletedUsersIndex { /** * marks a user as deleted * - * @param string $ocName - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException */ - public function markUser($ocName) { - $curValue = $this->config->getUserValue($ocName, 'user_ldap', 'isDeleted', '0'); - if ($curValue === '1') { + public function markUser(string $ocName): void { + if ($this->isUserMarked($ocName)) { // the user is already marked, do not write to DB again return; } @@ -111,4 +81,8 @@ class DeletedUsersIndex { $this->config->setUserValue($ocName, 'user_ldap', 'foundDeleted', (string)time()); $this->deletedUsers = null; } + + public function isUserMarked(string $ocName): bool { + return ($this->config->getUserValue($ocName, 'user_ldap', 'isDeleted', '0') === '1'); + } } diff --git a/apps/user_ldap/lib/User/Manager.php b/apps/user_ldap/lib/User/Manager.php index a18c62364db..88a001dd965 100644 --- a/apps/user_ldap/lib/User/Manager.php +++ b/apps/user_ldap/lib/User/Manager.php @@ -1,38 +1,14 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\User; -use OC\Cache\CappedMemoryCache; use OCA\User_LDAP\Access; -use OCA\User_LDAP\FilesystemHelper; -use OCA\User_LDAP\LogWrapper; +use OCP\Cache\CappedMemoryCache; use OCP\IAvatarManager; use OCP\IConfig; use OCP\IDBConnection; @@ -40,6 +16,7 @@ use OCP\Image; use OCP\IUserManager; use OCP\Notification\IManager as INotificationManager; use OCP\Share\IManager; +use Psr\Log\LoggerInterface; /** * Manager @@ -48,64 +25,24 @@ use OCP\Share\IManager; * cache */ class Manager { - /** @var Access */ - protected $access; - - /** @var IConfig */ - protected $ocConfig; - - /** @var IDBConnection */ - protected $db; - - /** @var IUserManager */ - protected $userManager; - - /** @var INotificationManager */ - protected $notificationManager; - - /** @var FilesystemHelper */ - protected $ocFilesystem; - - /** @var LogWrapper */ - protected $ocLog; - - /** @var Image */ - protected $image; - - /** @param \OCP\IAvatarManager */ - protected $avatarManager; - - /** - * @var CappedMemoryCache $usersByDN - */ - protected $usersByDN; - /** - * @var CappedMemoryCache $usersByUid - */ - protected $usersByUid; - /** @var IManager */ - private $shareManager; + protected ?Access $access = null; + protected IDBConnection $db; + /** @var CappedMemoryCache<User> $usersByDN */ + protected CappedMemoryCache $usersByDN; + /** @var CappedMemoryCache<User> $usersByUid */ + protected CappedMemoryCache $usersByUid; public function __construct( - IConfig $ocConfig, - FilesystemHelper $ocFilesystem, - LogWrapper $ocLog, - IAvatarManager $avatarManager, - Image $image, - IUserManager $userManager, - INotificationManager $notificationManager, - IManager $shareManager + protected IConfig $ocConfig, + protected LoggerInterface $logger, + protected IAvatarManager $avatarManager, + protected Image $image, + protected IUserManager $userManager, + protected INotificationManager $notificationManager, + private IManager $shareManager, ) { - $this->ocConfig = $ocConfig; - $this->ocFilesystem = $ocFilesystem; - $this->ocLog = $ocLog; - $this->avatarManager = $avatarManager; - $this->image = $image; - $this->userManager = $userManager; - $this->notificationManager = $notificationManager; $this->usersByDN = new CappedMemoryCache(); $this->usersByUid = new CappedMemoryCache(); - $this->shareManager = $shareManager; } /** @@ -122,12 +59,12 @@ class Manager { * property array * @param string $dn the DN of the user * @param string $uid the internal (owncloud) username - * @return \OCA\User_LDAP\User\User + * @return User */ private function createAndCache($dn, $uid) { $this->checkAccess(); $user = new User($uid, $dn, $this->access, $this->ocConfig, - $this->ocFilesystem, clone $this->image, $this->ocLog, + clone $this->image, $this->logger, $this->avatarManager, $this->userManager, $this->notificationManager); $this->usersByDN[$dn] = $user; @@ -151,6 +88,7 @@ class Manager { /** * @brief checks whether the Access instance has been set * @throws \Exception if Access has not been set + * @psalm-assert !null $this->access * @return null */ private function checkAccess() { @@ -164,22 +102,34 @@ class Manager { * email, displayname, or others. * * @param bool $minimal - optional, set to true to skip attributes with big - * payload + * payload * @return string[] */ public function getAttributes($minimal = false) { $baseAttributes = array_merge(Access::UUID_ATTRIBUTES, ['dn', 'uid', 'samaccountname', 'memberof']); $attributes = [ $this->access->getConnection()->ldapExpertUUIDUserAttr, + $this->access->getConnection()->ldapExpertUsernameAttr, $this->access->getConnection()->ldapQuotaAttribute, $this->access->getConnection()->ldapEmailAttribute, $this->access->getConnection()->ldapUserDisplayName, $this->access->getConnection()->ldapUserDisplayName2, $this->access->getConnection()->ldapExtStorageHomeAttribute, + $this->access->getConnection()->ldapAttributePhone, + $this->access->getConnection()->ldapAttributeWebsite, + $this->access->getConnection()->ldapAttributeAddress, + $this->access->getConnection()->ldapAttributeTwitter, + $this->access->getConnection()->ldapAttributeFediverse, + $this->access->getConnection()->ldapAttributeOrganisation, + $this->access->getConnection()->ldapAttributeRole, + $this->access->getConnection()->ldapAttributeHeadline, + $this->access->getConnection()->ldapAttributeBiography, + $this->access->getConnection()->ldapAttributeBirthDate, + $this->access->getConnection()->ldapAttributePronouns, ]; - $homeRule = $this->access->getConnection()->homeFolderNamingRule; - if (strpos($homeRule, 'attr:') === 0) { + $homeRule = (string)$this->access->getConnection()->homeFolderNamingRule; + if (str_starts_with($homeRule, 'attr:')) { $attributes[] = substr($homeRule, strlen('attr:')); } @@ -221,7 +171,7 @@ class Manager { /** * creates and returns an instance of OfflineUser for the specified user * @param string $id - * @return \OCA\User_LDAP\User\OfflineUser + * @return OfflineUser */ public function getDeletedUser($id) { return new OfflineUser( @@ -233,9 +183,9 @@ class Manager { } /** - * @brief returns a User object by it's Nextcloud username + * @brief returns a User object by its Nextcloud username * @param string $id the DN or username of the user - * @return \OCA\User_LDAP\User\User|\OCA\User_LDAP\User\OfflineUser|null + * @return User|OfflineUser|null */ protected function createInstancyByUserName($id) { //most likely a uid. Check whether it is a deleted user @@ -250,9 +200,9 @@ class Manager { } /** - * @brief returns a User object by it's DN or Nextcloud username + * @brief returns a User object by its DN or Nextcloud username * @param string $id the DN or username of the user - * @return \OCA\User_LDAP\User\User|\OCA\User_LDAP\User\OfflineUser|null + * @return User|OfflineUser|null * @throws \Exception when connection could not be established */ public function get($id) { @@ -272,4 +222,37 @@ class Manager { return $this->createInstancyByUserName($id); } + + /** + * @brief Checks whether a User object by its DN or Nextcloud username exists + * @param string $id the DN or username of the user + * @throws \Exception when connection could not be established + */ + public function exists($id): bool { + $this->checkAccess(); + $this->logger->debug('Checking if {id} exists', ['id' => $id]); + if (isset($this->usersByDN[$id])) { + return true; + } elseif (isset($this->usersByUid[$id])) { + return true; + } + + if ($this->access->stringResemblesDN($id)) { + $this->logger->debug('{id} looks like a dn', ['id' => $id]); + $uid = $this->access->dn2username($id); + if ($uid !== false) { + return true; + } + } + + // Most likely a uid. Check whether it is a deleted user + if ($this->isDeletedUser($id)) { + return true; + } + $dn = $this->access->username2dn($id); + if ($dn !== false) { + return true; + } + return false; + } } diff --git a/apps/user_ldap/lib/User/OfflineUser.php b/apps/user_ldap/lib/User/OfflineUser.php index 309eeec52c7..ecaab7188ba 100644 --- a/apps/user_ldap/lib/User/OfflineUser.php +++ b/apps/user_ldap/lib/User/OfflineUser.php @@ -1,28 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\User; use OCA\User_LDAP\Mapping\UserMapping; @@ -33,10 +15,6 @@ use OCP\Share\IShare; class OfflineUser { /** - * @var string $ocName - */ - protected $ocName; - /** * @var string $dn */ protected $dn; @@ -60,6 +38,7 @@ class OfflineUser { * @var string $foundDeleted the timestamp when the user was detected as unavailable */ protected $foundDeleted; + protected ?string $extStorageHome = null; /** * @var string $email */ @@ -69,30 +48,19 @@ class OfflineUser { */ protected $hasActiveShares; /** - * @var IConfig $config - */ - protected $config; - /** * @var IDBConnection $db */ protected $db; + /** - * @var \OCA\User_LDAP\Mapping\UserMapping + * @param string $ocName */ - protected $mapping; - /** @var IManager */ - private $shareManager; - public function __construct( - $ocName, - IConfig $config, - UserMapping $mapping, - IManager $shareManager + protected $ocName, + protected IConfig $config, + protected UserMapping $mapping, + private IManager $shareManager, ) { - $this->ocName = $ocName; - $this->config = $config; - $this->mapping = $mapping; - $this->shareManager = $shareManager; } /** @@ -146,7 +114,8 @@ class OfflineUser { */ public function getDN() { if ($this->dn === null) { - $this->fetchDetails(); + $dn = $this->mapping->getDNByName($this->ocName); + $this->dn = ($dn !== false) ? $dn : ''; } return $this->dn; } @@ -206,13 +175,20 @@ class OfflineUser { return (int)$this->foundDeleted; } + public function getExtStorageHome(): string { + if ($this->extStorageHome === null) { + $this->fetchDetails(); + } + return (string)$this->extStorageHome; + } + /** * getter for having active shares * @return bool */ public function getHasActiveShares() { if ($this->hasActiveShares === null) { - $this->fetchDetails(); + $this->determineShares(); } return $this->hasActiveShares; } @@ -226,17 +202,13 @@ class OfflineUser { 'uid' => 'user_ldap', 'homePath' => 'user_ldap', 'foundDeleted' => 'user_ldap', + 'extStorageHome' => 'user_ldap', 'email' => 'settings', 'lastLogin' => 'login', ]; foreach ($properties as $property => $app) { $this->$property = $this->config->getUserValue($this->ocName, $app, $property, ''); } - - $dn = $this->mapping->getDNByName($this->ocName); - $this->dn = ($dn !== false) ? $dn : ''; - - $this->determineShares(); } /** @@ -248,7 +220,7 @@ class OfflineUser { $shareConstants = $shareInterface->getConstants(); foreach ($shareConstants as $constantName => $constantValue) { - if (strpos($constantName, 'TYPE_') !== 0 + if (!str_starts_with($constantName, 'TYPE_') || $constantValue === IShare::TYPE_USERGROUP ) { continue; diff --git a/apps/user_ldap/lib/User/User.php b/apps/user_ldap/lib/User/User.php index 8ddec803370..8f97ec1701f 100644 --- a/apps/user_ldap/lib/User/User.php +++ b/apps/user_ldap/lib/User/User.php @@ -1,49 +1,31 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Philipp Staiger <philipp@staiger.it> - * @author Roger Szabo <roger.szabo@web.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Vincent Petry <vincent@nextcloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP\User; +use InvalidArgumentException; +use OC\Accounts\AccountManager; use OCA\User_LDAP\Access; use OCA\User_LDAP\Connection; use OCA\User_LDAP\Exceptions\AttributeNotSet; -use OCA\User_LDAP\FilesystemHelper; -use OCA\User_LDAP\LogWrapper; +use OCA\User_LDAP\Service\BirthdateParserService; +use OCP\Accounts\IAccountManager; +use OCP\Accounts\PropertyDoesNotExistException; use OCP\IAvatarManager; use OCP\IConfig; -use OCP\ILogger; use OCP\Image; +use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; use OCP\Notification\IManager as INotificationManager; +use OCP\PreConditionNotMetException; +use OCP\Server; +use OCP\Util; +use Psr\Log\LoggerInterface; /** * User @@ -51,110 +33,51 @@ use OCP\Notification\IManager as INotificationManager; * represents an LDAP user, gets and holds user-specific information from LDAP */ class User { + protected Connection $connection; /** - * @var Access - */ - protected $access; - /** - * @var Connection - */ - protected $connection; - /** - * @var IConfig - */ - protected $config; - /** - * @var FilesystemHelper - */ - protected $fs; - /** - * @var Image - */ - protected $image; - /** - * @var LogWrapper - */ - protected $log; - /** - * @var IAvatarManager - */ - protected $avatarManager; - /** - * @var IUserManager + * @var array<string,1> */ - protected $userManager; - /** - * @var INotificationManager - */ - protected $notificationManager; - /** - * @var string - */ - protected $dn; - /** - * @var string - */ - protected $uid; - /** - * @var string[] - */ - protected $refreshedFeatures = []; - /** - * @var string - */ - protected $avatarImage; + protected array $refreshedFeatures = []; + protected string|false|null $avatarImage = null; + + protected BirthdateParserService $birthdateParser; /** * DB config keys for user preferences + * @var string */ public const USER_PREFKEY_FIRSTLOGIN = 'firstLoginAccomplished'; /** * @brief constructor, make sure the subclasses call this one! - * @param string $username the internal username - * @param string $dn the LDAP DN - * @param Access $access - * @param IConfig $config - * @param FilesystemHelper $fs - * @param Image $image any empty instance - * @param LogWrapper $log - * @param IAvatarManager $avatarManager - * @param IUserManager $userManager - * @param INotificationManager $notificationManager */ - public function __construct($username, $dn, Access $access, - IConfig $config, FilesystemHelper $fs, Image $image, - LogWrapper $log, IAvatarManager $avatarManager, IUserManager $userManager, - INotificationManager $notificationManager) { - if ($username === null) { - $log->log("uid for '$dn' must not be null!", ILogger::ERROR); - throw new \InvalidArgumentException('uid must not be null!'); - } elseif ($username === '') { - $log->log("uid for '$dn' must not be an empty string", ILogger::ERROR); + public function __construct( + protected string $uid, + protected string $dn, + protected Access $access, + protected IConfig $config, + protected Image $image, + protected LoggerInterface $logger, + protected IAvatarManager $avatarManager, + protected IUserManager $userManager, + protected INotificationManager $notificationManager, + ) { + if ($uid === '') { + $logger->error("uid for '$dn' must not be an empty string", ['app' => 'user_ldap']); throw new \InvalidArgumentException('uid must not be an empty string!'); } + $this->connection = $this->access->getConnection(); + $this->birthdateParser = new BirthdateParserService(); - $this->access = $access; - $this->connection = $access->getConnection(); - $this->config = $config; - $this->fs = $fs; - $this->dn = $dn; - $this->uid = $username; - $this->image = $image; - $this->log = $log; - $this->avatarManager = $avatarManager; - $this->userManager = $userManager; - $this->notificationManager = $notificationManager; - - \OCP\Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry'); + Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry'); } /** * marks a user as deleted * - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException */ - public function markUser() { + public function markUser(): void { $curValue = $this->config->getUserValue($this->getUsername(), 'user_ldap', 'isDeleted', '0'); if ($curValue === '1') { // the user is already marked, do not write to DB again @@ -168,7 +91,7 @@ class User { * processes results from LDAP for attributes as returned by getAttributesToRead() * @param array $ldapEntry the user entry as retrieved from LDAP */ - public function processAttributes($ldapEntry) { + public function processAttributes(array $ldapEntry): void { //Quota $attr = strtolower($this->connection->ldapQuotaAttribute); if (isset($ldapEntry[$attr])) { @@ -205,7 +128,14 @@ class User { //change event that will trigger fetching the display name again $attr = strtolower($this->connection->ldapEmailAttribute); if (isset($ldapEntry[$attr])) { - $this->updateEmail($ldapEntry[$attr][0]); + $mailValue = 0; + for ($x = 0; $x < count($ldapEntry[$attr]); $x++) { + if (filter_var($ldapEntry[$attr][$x], FILTER_VALIDATE_EMAIL)) { + $mailValue = $x; + break; + } + } + $this->updateEmail($ldapEntry[$attr][$mailValue]); } unset($attr); @@ -217,7 +147,7 @@ class User { } //homePath - if (strpos($this->connection->homeFolderNamingRule, 'attr:') === 0) { + if (str_starts_with($this->connection->homeFolderNamingRule, 'attr:')) { $attr = strtolower(substr($this->connection->homeFolderNamingRule, strlen('attr:'))); if (isset($ldapEntry[$attr])) { $this->access->cacheUserHome( @@ -226,7 +156,7 @@ class User { } //memberOf groups - $cacheKey = 'getMemberOf'.$this->getUsername(); + $cacheKey = 'getMemberOf' . $this->getUsername(); $groups = false; if (isset($ldapEntry['memberof'])) { $groups = $ldapEntry['memberof']; @@ -240,6 +170,134 @@ class User { } unset($attr); + // check for cached profile data + $username = $this->getUsername(); // buffer variable, to save resource + $cacheKey = 'getUserProfile-' . $username; + $profileCached = $this->connection->getFromCache($cacheKey); + // honoring profile disabled in config.php and check if user profile was refreshed + if ($this->config->getSystemValueBool('profile.enabled', true) + && ($profileCached === null) // no cache or TTL not expired + && !$this->wasRefreshed('profile')) { + // check current data + $profileValues = []; + //User Profile Field - Phone number + $attr = strtolower($this->connection->ldapAttributePhone); + if (!empty($attr)) { // attribute configured + $profileValues[IAccountManager::PROPERTY_PHONE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - website + $attr = strtolower($this->connection->ldapAttributeWebsite); + if (isset($ldapEntry[$attr])) { + $cutPosition = strpos($ldapEntry[$attr][0], ' '); + if ($cutPosition) { + // drop appended label + $profileValues[IAccountManager::PROPERTY_WEBSITE] + = substr($ldapEntry[$attr][0], 0, $cutPosition); + } else { + $profileValues[IAccountManager::PROPERTY_WEBSITE] + = $ldapEntry[$attr][0]; + } + } elseif (!empty($attr)) { // configured, but not defined + $profileValues[IAccountManager::PROPERTY_WEBSITE] = ''; + } + //User Profile Field - Address + $attr = strtolower($this->connection->ldapAttributeAddress); + if (isset($ldapEntry[$attr])) { + if (str_contains($ldapEntry[$attr][0], '$')) { + // basic format conversion from postalAddress syntax to commata delimited + $profileValues[IAccountManager::PROPERTY_ADDRESS] + = str_replace('$', ', ', $ldapEntry[$attr][0]); + } else { + $profileValues[IAccountManager::PROPERTY_ADDRESS] + = $ldapEntry[$attr][0]; + } + } elseif (!empty($attr)) { // configured, but not defined + $profileValues[IAccountManager::PROPERTY_ADDRESS] = ''; + } + //User Profile Field - Twitter + $attr = strtolower($this->connection->ldapAttributeTwitter); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_TWITTER] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - fediverse + $attr = strtolower($this->connection->ldapAttributeFediverse); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_FEDIVERSE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - organisation + $attr = strtolower($this->connection->ldapAttributeOrganisation); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_ORGANISATION] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - role + $attr = strtolower($this->connection->ldapAttributeRole); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_ROLE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - headline + $attr = strtolower($this->connection->ldapAttributeHeadline); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_HEADLINE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - biography + $attr = strtolower($this->connection->ldapAttributeBiography); + if (isset($ldapEntry[$attr])) { + if (str_contains($ldapEntry[$attr][0], '\r')) { + // convert line endings + $profileValues[IAccountManager::PROPERTY_BIOGRAPHY] + = str_replace(["\r\n","\r"], "\n", $ldapEntry[$attr][0]); + } else { + $profileValues[IAccountManager::PROPERTY_BIOGRAPHY] + = $ldapEntry[$attr][0]; + } + } elseif (!empty($attr)) { // configured, but not defined + $profileValues[IAccountManager::PROPERTY_BIOGRAPHY] = ''; + } + //User Profile Field - birthday + $attr = strtolower($this->connection->ldapAttributeBirthDate); + if (!empty($attr) && !empty($ldapEntry[$attr][0])) { + $value = $ldapEntry[$attr][0]; + try { + $birthdate = $this->birthdateParser->parseBirthdate($value); + $profileValues[IAccountManager::PROPERTY_BIRTHDATE] + = $birthdate->format('Y-m-d'); + } catch (InvalidArgumentException $e) { + // Invalid date -> just skip the property + $this->logger->info("Failed to parse user's birthdate from LDAP: $value", [ + 'exception' => $e, + 'userId' => $username, + ]); + } + } + //User Profile Field - pronouns + $attr = strtolower($this->connection->ldapAttributePronouns); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_PRONOUNS] + = $ldapEntry[$attr][0] ?? ''; + } + // check for changed data and cache just for TTL checking + $checksum = hash('sha256', json_encode($profileValues)); + $this->connection->writeToCache($cacheKey, $checksum // write array to cache. is waste of cache space + , null); // use ldapCacheTTL from configuration + // Update user profile + if ($this->config->getUserValue($username, 'user_ldap', 'lastProfileChecksum', null) !== $checksum) { + $this->config->setUserValue($username, 'user_ldap', 'lastProfileChecksum', $checksum); + $this->updateProfile($profileValues); + $this->logger->info("updated profile uid=$username", ['app' => 'user_ldap']); + } else { + $this->logger->debug('profile data from LDAP unchanged', ['app' => 'user_ldap', 'uid' => $username]); + } + unset($attr); + } elseif ($profileCached !== null) { // message delayed, to declutter log + $this->logger->debug('skipping profile check, while cached data exist', ['app' => 'user_ldap', 'uid' => $username]); + } + //Avatar /** @var Connection $connection */ $connection = $this->access->getConnection(); @@ -247,11 +305,7 @@ class User { foreach ($attributes as $attribute) { if (isset($ldapEntry[$attribute])) { $this->avatarImage = $ldapEntry[$attribute][0]; - // the call to the method that saves the avatar in the file - // system must be postponed after the login. It is to ensure - // external mounts are mounted properly (e.g. with login - // credentials from the session). - \OCP\Util::connectHook('OC_User', 'post_login', $this, 'updateAvatarPostLogin'); + $this->updateAvatar(); break; } } @@ -275,21 +329,22 @@ class User { /** * returns the home directory of the user if specified by LDAP settings - * @param string $valueFromLDAP - * @return bool|string * @throws \Exception */ - public function getHomePath($valueFromLDAP = null) { + public function getHomePath(?string $valueFromLDAP = null): string|false { $path = (string)$valueFromLDAP; $attr = null; if (is_null($valueFromLDAP) - && strpos($this->access->connection->homeFolderNamingRule, 'attr:') === 0 + && str_starts_with($this->access->connection->homeFolderNamingRule, 'attr:') && $this->access->connection->homeFolderNamingRule !== 'attr:') { $attr = substr($this->access->connection->homeFolderNamingRule, strlen('attr:')); - $homedir = $this->access->readAttribute( - $this->access->username2dn($this->getUsername()), $attr); - if ($homedir && isset($homedir[0])) { + $dn = $this->access->username2dn($this->getUsername()); + if ($dn === false) { + return false; + } + $homedir = $this->access->readAttribute($dn, $attr); + if ($homedir !== false && isset($homedir[0])) { $path = $homedir[0]; } } @@ -297,12 +352,12 @@ class User { if ($path !== '') { //if attribute's value is an absolute path take this, otherwise append it to data dir //check for / at the beginning or pattern c:\ resp. c:/ - if ('/' !== $path[0] - && !(3 < strlen($path) && ctype_alpha($path[0]) - && $path[1] === ':' && ('\\' === $path[2] || '/' === $path[2])) + if ($path[0] !== '/' + && !(strlen($path) > 3 && ctype_alpha($path[0]) + && $path[1] === ':' && ($path[2] === '\\' || $path[2] === '/')) ) { $path = $this->config->getSystemValue('datadirectory', - \OC::$SERVERROOT.'/data') . '/' . $path; + \OC::$SERVERROOT . '/data') . '/' . $path; } //we need it to store it in the DB as well in case a user gets //deleted so we can clean up afterwards @@ -313,7 +368,7 @@ class User { } if (!is_null($attr) - && $this->config->getAppValue('user_ldap', 'enforce_home_folder_naming_rule', true) + && $this->config->getAppValue('user_ldap', 'enforce_home_folder_naming_rule', 'true') ) { // a naming rule attribute is defined, but it doesn't exist for that LDAP user throw new \Exception('Home dir attribute can\'t be read from LDAP for uid: ' . $this->getUsername()); @@ -324,8 +379,8 @@ class User { return false; } - public function getMemberOfGroups() { - $cacheKey = 'getMemberOf'.$this->getUsername(); + public function getMemberOfGroups(): array|false { + $cacheKey = 'getMemberOf' . $this->getUsername(); $memberOfGroups = $this->connection->getFromCache($cacheKey); if (!is_null($memberOfGroups)) { return $memberOfGroups; @@ -337,9 +392,9 @@ class User { /** * @brief reads the image from LDAP that shall be used as Avatar - * @return string data (provided by LDAP) | false + * @return string|false data (provided by LDAP) */ - public function getAvatarImage() { + public function getAvatarImage(): string|false { if (!is_null($this->avatarImage)) { return $this->avatarImage; } @@ -350,7 +405,7 @@ class User { $attributes = $connection->resolveRule('avatar'); foreach ($attributes as $attribute) { $result = $this->access->readAttribute($this->dn, $attribute); - if ($result !== false && is_array($result) && isset($result[0])) { + if ($result !== false && isset($result[0])) { $this->avatarImage = $result[0]; break; } @@ -361,20 +416,16 @@ class User { /** * @brief marks the user as having logged in at least once - * @return null */ - public function markLogin() { + public function markLogin(): void { $this->config->setUserValue( - $this->uid, 'user_ldap', self::USER_PREFKEY_FIRSTLOGIN, 1); + $this->uid, 'user_ldap', self::USER_PREFKEY_FIRSTLOGIN, '1'); } /** * Stores a key-value pair in relation to this user - * - * @param string $key - * @param string $value */ - private function store($key, $value) { + private function store(string $key, string $value): void { $this->config->setUserValue($this->uid, 'user_ldap', $key, $value); } @@ -382,12 +433,9 @@ class User { * Composes the display name and stores it in the database. The final * display name is returned. * - * @param string $displayName - * @param string $displayName2 * @return string the effective display name */ - public function composeAndStoreDisplayName($displayName, $displayName2 = '') { - $displayName2 = (string)$displayName2; + public function composeAndStoreDisplayName(string $displayName, string $displayName2 = ''): string { if ($displayName2 !== '') { $displayName .= ' (' . $displayName2 . ')'; } @@ -406,9 +454,8 @@ class User { /** * Stores the LDAP Username in the Database - * @param string $userName */ - public function storeLDAPUserName($userName) { + public function storeLDAPUserName(string $userName): void { $this->store('uid', $userName); } @@ -416,10 +463,9 @@ class User { * @brief checks whether an update method specified by feature was run * already. If not, it will marked like this, because it is expected that * the method will be run, when false is returned. - * @param string $feature email | quota | avatar (can be extended) - * @return bool + * @param string $feature email | quota | avatar | profile (can be extended) */ - private function wasRefreshed($feature) { + private function wasRefreshed(string $feature): bool { if (isset($this->refreshedFeatures[$feature])) { return true; } @@ -429,10 +475,9 @@ class User { /** * fetches the email from LDAP and stores it as Nextcloud user value - * @param string $valueFromLDAP if known, to save an LDAP read request - * @return null + * @param ?string $valueFromLDAP if known, to save an LDAP read request */ - public function updateEmail($valueFromLDAP = null) { + public function updateEmail(?string $valueFromLDAP = null): void { if ($this->wasRefreshed('email')) { return; } @@ -449,9 +494,9 @@ class User { if ($email !== '') { $user = $this->userManager->get($this->uid); if (!is_null($user)) { - $currentEmail = (string)$user->getEMailAddress(); + $currentEmail = (string)$user->getSystemEMailAddress(); if ($currentEmail !== $email) { - $user->setEMailAddress($email); + $user->setSystemEMailAddress($email); } } } @@ -470,14 +515,13 @@ class User { * fetch all the user's attributes in one call and use the fetched values in this function. * The expected value for that parameter is a string describing the quota for the user. Valid * values are 'none' (unlimited), 'default' (the Nextcloud's default quota), '1234' (quota in - * bytes), '1234 MB' (quota in MB - check the \OC_Helper::computerFileSize method for more info) + * bytes), '1234 MB' (quota in MB - check the \OCP\Util::computerFileSize method for more info) * * fetches the quota from LDAP and stores it as Nextcloud user value - * @param string $valueFromLDAP the quota attribute's value can be passed, - * to save the readAttribute request - * @return null + * @param ?string $valueFromLDAP the quota attribute's value can be passed, + * to save the readAttribute request */ - public function updateQuota($valueFromLDAP = null) { + public function updateQuota(?string $valueFromLDAP = null): void { if ($this->wasRefreshed('quota')) { return; } @@ -491,22 +535,22 @@ class User { $quota = false; if (is_null($valueFromLDAP) && $quotaAttribute !== '') { $aQuota = $this->access->readAttribute($this->dn, $quotaAttribute); - if ($aQuota && (count($aQuota) > 0) && $this->verifyQuotaValue($aQuota[0])) { + if ($aQuota !== false && isset($aQuota[0]) && $this->verifyQuotaValue($aQuota[0])) { $quota = $aQuota[0]; } elseif (is_array($aQuota) && isset($aQuota[0])) { - $this->log->log('no suitable LDAP quota found for user ' . $this->uid . ': [' . $aQuota[0] . ']', ILogger::DEBUG); + $this->logger->debug('no suitable LDAP quota found for user ' . $this->uid . ': [' . $aQuota[0] . ']', ['app' => 'user_ldap']); } - } elseif ($this->verifyQuotaValue($valueFromLDAP)) { + } elseif (!is_null($valueFromLDAP) && $this->verifyQuotaValue($valueFromLDAP)) { $quota = $valueFromLDAP; } else { - $this->log->log('no suitable LDAP quota found for user ' . $this->uid . ': [' . $valueFromLDAP . ']', ILogger::DEBUG); + $this->logger->debug('no suitable LDAP quota found for user ' . $this->uid . ': [' . ($valueFromLDAP ?? '') . ']', ['app' => 'user_ldap']); } if ($quota === false && $this->verifyQuotaValue($defaultQuota)) { // quota not found using the LDAP attribute (or not parseable). Try the default quota $quota = $defaultQuota; } elseif ($quota === false) { - $this->log->log('no suitable default quota found for user ' . $this->uid . ': [' . $defaultQuota . ']', ILogger::DEBUG); + $this->logger->debug('no suitable default quota found for user ' . $this->uid . ': [' . $defaultQuota . ']', ['app' => 'user_ldap']); return; } @@ -514,30 +558,69 @@ class User { if ($targetUser instanceof IUser) { $targetUser->setQuota($quota); } else { - $this->log->log('trying to set a quota for user ' . $this->uid . ' but the user is missing', ILogger::INFO); + $this->logger->info('trying to set a quota for user ' . $this->uid . ' but the user is missing', ['app' => 'user_ldap']); } } - private function verifyQuotaValue($quotaValue) { - return $quotaValue === 'none' || $quotaValue === 'default' || \OC_Helper::computerFileSize($quotaValue) !== false; + private function verifyQuotaValue(string $quotaValue): bool { + return $quotaValue === 'none' || $quotaValue === 'default' || Util::computerFileSize($quotaValue) !== false; } /** - * called by a post_login hook to save the avatar picture + * takes values from LDAP and stores it as Nextcloud user profile value * - * @param array $params + * @param array $profileValues associative array of property keys and values from LDAP */ - public function updateAvatarPostLogin($params) { - if (isset($params['uid']) && $params['uid'] === $this->getUsername()) { - $this->updateAvatar(); + private function updateProfile(array $profileValues): void { + // check if given array is empty + if (empty($profileValues)) { + return; // okay, nothing to do + } + // fetch/prepare user + $user = $this->userManager->get($this->uid); + if (is_null($user)) { + $this->logger->error('could not get user for uid=' . $this->uid . '', ['app' => 'user_ldap']); + return; + } + // prepare AccountManager and Account + $accountManager = Server::get(IAccountManager::class); + $account = $accountManager->getAccount($user); // get Account + $defaultScopes = array_merge(AccountManager::DEFAULT_SCOPES, + $this->config->getSystemValue('account_manager.default_property_scope', [])); + // loop through the properties and handle them + foreach ($profileValues as $property => $valueFromLDAP) { + // check and update profile properties + $value = (is_array($valueFromLDAP) ? $valueFromLDAP[0] : $valueFromLDAP); // take ONLY the first value, if multiple values specified + try { + $accountProperty = $account->getProperty($property); + $currentValue = $accountProperty->getValue(); + $scope = ($accountProperty->getScope() ?: $defaultScopes[$property]); + } catch (PropertyDoesNotExistException $e) { // thrown at getProperty + $this->logger->error('property does not exist: ' . $property + . ' for uid=' . $this->uid . '', ['app' => 'user_ldap', 'exception' => $e]); + $currentValue = ''; + $scope = $defaultScopes[$property]; + } + $verified = IAccountManager::VERIFIED; // trust the LDAP admin knew what they put there + if ($currentValue !== $value) { + $account->setProperty($property, $value, $scope, $verified); + $this->logger->debug('update user profile: ' . $property . '=' . $value + . ' for uid=' . $this->uid . '', ['app' => 'user_ldap']); + } + } + try { + $accountManager->updateAccount($account); // may throw InvalidArgumentException + } catch (\InvalidArgumentException $e) { + $this->logger->error('invalid data from LDAP: for uid=' . $this->uid . '', ['app' => 'user_ldap', 'func' => 'updateProfile' + , 'exception' => $e]); } } /** * @brief attempts to get an image from LDAP and sets it as Nextcloud avatar - * @return bool + * @return bool true when the avatar was set successfully or is up to date */ - public function updateAvatar($force = false) { + public function updateAvatar(bool $force = false): bool { if (!$force && $this->wasRefreshed('avatar')) { return false; } @@ -554,11 +637,11 @@ class User { // use the checksum before modifications $checksum = md5($this->image->data()); - if ($checksum === $this->config->getUserValue($this->uid, 'user_ldap', 'lastAvatarChecksum', '')) { + if ($checksum === $this->config->getUserValue($this->uid, 'user_ldap', 'lastAvatarChecksum', '') && $this->avatarExists()) { return true; } - $isSet = $this->setOwnCloudAvatar(); + $isSet = $this->setNextcloudAvatar(); if ($isSet) { // save checksum only after successful setting @@ -568,38 +651,38 @@ class User { return $isSet; } + private function avatarExists(): bool { + try { + $currentAvatar = $this->avatarManager->getAvatar($this->uid); + return $currentAvatar->exists() && $currentAvatar->isCustomAvatar(); + } catch (\Exception $e) { + return false; + } + } + /** * @brief sets an image as Nextcloud avatar - * @return bool */ - private function setOwnCloudAvatar() { + private function setNextcloudAvatar(): bool { if (!$this->image->valid()) { - $this->log->log('avatar image data from LDAP invalid for '.$this->dn, ILogger::ERROR); + $this->logger->error('avatar image data from LDAP invalid for ' . $this->dn, ['app' => 'user_ldap']); return false; } - //make sure it is a square and not bigger than 128x128 - $size = min([$this->image->width(), $this->image->height(), 128]); + //make sure it is a square and not bigger than 512x512 + $size = min([$this->image->width(), $this->image->height(), 512]); if (!$this->image->centerCrop($size)) { - $this->log->log('croping image for avatar failed for '.$this->dn, ILogger::ERROR); + $this->logger->error('croping image for avatar failed for ' . $this->dn, ['app' => 'user_ldap']); return false; } - if (!$this->fs->isLoaded()) { - $this->fs->setup($this->uid); - } - try { $avatar = $this->avatarManager->getAvatar($this->uid); $avatar->set($this->image); return true; } catch (\Exception $e) { - \OC::$server->getLogger()->logException($e, [ - 'message' => 'Could not set avatar for ' . $this->dn, - 'level' => ILogger::INFO, - 'app' => 'user_ldap', - ]); + $this->logger->info('Could not set avatar for ' . $this->dn, ['exception' => $e]); } return false; } @@ -607,7 +690,7 @@ class User { /** * @throws AttributeNotSet * @throws \OC\ServerNotAvailableException - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException */ public function getExtStorageHome():string { $value = $this->config->getUserValue($this->getUsername(), 'user_ldap', 'extStorageHome', ''); @@ -626,16 +709,16 @@ class User { } /** - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException * @throws \OC\ServerNotAvailableException */ - public function updateExtStorageHome(string $valueFromLDAP = null):string { + public function updateExtStorageHome(?string $valueFromLDAP = null):string { if ($valueFromLDAP === null) { $extHomeValues = $this->access->readAttribute($this->getDN(), $this->connection->ldapExtStorageHomeAttribute); } else { $extHomeValues = [$valueFromLDAP]; } - if ($extHomeValues && isset($extHomeValues[0])) { + if ($extHomeValues !== false && isset($extHomeValues[0])) { $extHome = $extHomeValues[0]; $this->config->setUserValue($this->getUsername(), 'user_ldap', 'extStorageHome', $extHome); return $extHome; @@ -647,29 +730,30 @@ class User { /** * called by a post_login hook to handle password expiry - * - * @param array $params */ - public function handlePasswordExpiry($params) { + public function handlePasswordExpiry(array $params): void { $ppolicyDN = $this->connection->ldapDefaultPPolicyDN; if (empty($ppolicyDN) || ((int)$this->connection->turnOnPasswordChange !== 1)) { - return;//password expiry handling disabled + //password expiry handling disabled + return; } $uid = $params['uid']; if (isset($uid) && $uid === $this->getUsername()) { //retrieve relevant user attributes $result = $this->access->search('objectclass=*', $this->dn, ['pwdpolicysubentry', 'pwdgraceusetime', 'pwdreset', 'pwdchangedtime']); - if (array_key_exists('pwdpolicysubentry', $result[0])) { - $pwdPolicySubentry = $result[0]['pwdpolicysubentry']; - if ($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)) { - $ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN + if (!empty($result)) { + if (array_key_exists('pwdpolicysubentry', $result[0])) { + $pwdPolicySubentry = $result[0]['pwdpolicysubentry']; + if ($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)) { + $ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN + } } - } - $pwdGraceUseTime = array_key_exists('pwdgraceusetime', $result[0]) ? $result[0]['pwdgraceusetime'] : []; - $pwdReset = array_key_exists('pwdreset', $result[0]) ? $result[0]['pwdreset'] : []; - $pwdChangedTime = array_key_exists('pwdchangedtime', $result[0]) ? $result[0]['pwdchangedtime'] : []; + $pwdGraceUseTime = array_key_exists('pwdgraceusetime', $result[0]) ? $result[0]['pwdgraceusetime'] : []; + $pwdReset = array_key_exists('pwdreset', $result[0]) ? $result[0]['pwdreset'] : []; + $pwdChangedTime = array_key_exists('pwdchangedtime', $result[0]) ? $result[0]['pwdchangedtime'] : []; + } //retrieve relevant password policy attributes $cacheKey = 'ppolicyAttributes' . $ppolicyDN; @@ -688,19 +772,19 @@ class User { if (!empty($pwdGraceAuthNLimit) && count($pwdGraceUseTime) < (int)$pwdGraceAuthNLimit[0]) { //at least one more grace login available? $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true'); - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( - 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute( + 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); } else { //no more grace login available - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( - 'user_ldap.renewPassword.showLoginFormInvalidPassword', ['user' => $uid])); + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute( + 'user_ldap.renewPassword.showLoginFormInvalidPassword', ['user' => $uid])); } exit(); } //handle pwdReset attribute - if (!empty($pwdReset) && $pwdReset[0] === 'TRUE') { //user must change his password + if (!empty($pwdReset) && $pwdReset[0] === 'TRUE') { //user must change their password $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true'); - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( - 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute( + 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); exit(); } //handle password expiry warning @@ -711,7 +795,7 @@ class User { $pwdExpireWarningInt = (int)$pwdExpireWarning[0]; if ($pwdMaxAgeInt > 0 && $pwdExpireWarningInt > 0) { $pwdChangedTimeDt = \DateTime::createFromFormat('YmdHisZ', $pwdChangedTime[0]); - $pwdChangedTimeDt->add(new \DateInterval('PT'.$pwdMaxAgeInt.'S')); + $pwdChangedTimeDt->add(new \DateInterval('PT' . $pwdMaxAgeInt . 'S')); $currentDateTime = new \DateTime(); $secondsToExpiry = $pwdChangedTimeDt->getTimestamp() - $currentDateTime->getTimestamp(); if ($secondsToExpiry <= $pwdExpireWarningInt) { @@ -728,7 +812,7 @@ class User { ->setUser($uid) ->setDateTime($currentDateTime) ->setObject('pwd_exp_warn', $uid) - ->setSubject('pwd_exp_warn_days', [(int) ceil($secondsToExpiry / 60 / 60 / 24)]) + ->setSubject('pwd_exp_warn_days', [(int)ceil($secondsToExpiry / 60 / 60 / 24)]) ; $this->notificationManager->notify($notification); } diff --git a/apps/user_ldap/lib/UserPluginManager.php b/apps/user_ldap/lib/UserPluginManager.php index 2d99d887604..ed87fea6fde 100644 --- a/apps/user_ldap/lib/UserPluginManager.php +++ b/apps/user_ldap/lib/UserPluginManager.php @@ -1,38 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Filis Futsarov <filisko@users.noreply.github.com> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - namespace OCA\User_LDAP; use OC\User\Backend; +use OCP\Server; +use Psr\Log\LoggerInterface; class UserPluginManager { - public $test = false; - - private $respondToActions = 0; + private int $respondToActions = 0; - private $which = [ + private array $which = [ Backend::CREATE_USER => null, Backend::SET_PASSWORD => null, Backend::GET_HOME => null, @@ -43,6 +24,8 @@ class UserPluginManager { 'deleteUser' => null ]; + private bool $suppressDeletion = false; + /** * @return int All implemented actions, except for 'deleteUser' */ @@ -62,12 +45,12 @@ class UserPluginManager { foreach ($this->which as $action => $v) { if (is_int($action) && (bool)($respondToActions & $action)) { $this->which[$action] = $plugin; - \OC::$server->getLogger()->debug("Registered action ".$action." to plugin ".get_class($plugin), ['app' => 'user_ldap']); + Server::get(LoggerInterface::class)->debug('Registered action ' . $action . ' to plugin ' . get_class($plugin), ['app' => 'user_ldap']); } } - if (method_exists($plugin,'deleteUser')) { + if (method_exists($plugin, 'deleteUser')) { $this->which['deleteUser'] = $plugin; - \OC::$server->getLogger()->debug("Registered action deleteUser to plugin ".get_class($plugin), ['app' => 'user_ldap']); + Server::get(LoggerInterface::class)->debug('Registered action deleteUser to plugin ' . get_class($plugin), ['app' => 'user_ldap']); } } @@ -92,7 +75,7 @@ class UserPluginManager { $plugin = $this->which[Backend::CREATE_USER]; if ($plugin) { - return $plugin->createUser($username,$password); + return $plugin->createUser($username, $password); } throw new \Exception('No plugin implements createUser in this LDAP Backend.'); } @@ -108,13 +91,13 @@ class UserPluginManager { $plugin = $this->which[Backend::SET_PASSWORD]; if ($plugin) { - return $plugin->setPassword($uid,$password); + return $plugin->setPassword($uid, $password); } throw new \Exception('No plugin implements setPassword in this LDAP Backend.'); } /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot * @throws \Exception @@ -176,7 +159,7 @@ class UserPluginManager { /** * Count the number of users - * @return int|bool + * @return int|false * @throws \Exception */ public function countUsers() { @@ -192,7 +175,7 @@ class UserPluginManager { * @return bool */ public function canDeleteUser() { - return $this->which['deleteUser'] !== null; + return !$this->suppressDeletion && $this->which['deleteUser'] !== null; } /** @@ -203,8 +186,21 @@ class UserPluginManager { public function deleteUser($uid) { $plugin = $this->which['deleteUser']; if ($plugin) { + if ($this->suppressDeletion) { + return false; + } return $plugin->deleteUser($uid); } throw new \Exception('No plugin implements deleteUser in this LDAP Backend.'); } + + /** + * @param bool $value + * @return bool – the value before the change + */ + public function setSuppressDeletion(bool $value): bool { + $old = $this->suppressDeletion; + $this->suppressDeletion = $value; + return $old; + } } diff --git a/apps/user_ldap/lib/User_LDAP.php b/apps/user_ldap/lib/User_LDAP.php index 79f230ae00b..c3f56f5ff9b 100644 --- a/apps/user_ldap/lib/User_LDAP.php +++ b/apps/user_ldap/lib/User_LDAP.php @@ -1,81 +1,40 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Dominik Schmidt <dev@dominik-schmidt.de> - * @author felixboehm <felix@webhippie.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Tom Needham <tom@owncloud.com> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; use OC\ServerNotAvailableException; use OC\User\Backend; use OC\User\NoUserException; use OCA\User_LDAP\Exceptions\NotOnLDAP; +use OCA\User_LDAP\User\DeletedUsersIndex; use OCA\User_LDAP\User\OfflineUser; use OCA\User_LDAP\User\User; -use OCP\IConfig; -use OCP\ILogger; -use OCP\IUserSession; +use OCP\IUserBackend; use OCP\Notification\IManager as INotificationManager; -use OCP\Util; - -class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP { - /** @var \OCP\IConfig */ - protected $ocConfig; - - /** @var INotificationManager */ - protected $notificationManager; - - /** @var UserPluginManager */ - protected $userPluginManager; - - /** - * @param Access $access - * @param \OCP\IConfig $ocConfig - * @param \OCP\Notification\IManager $notificationManager - * @param IUserSession $userSession - */ - public function __construct(Access $access, IConfig $ocConfig, INotificationManager $notificationManager, IUserSession $userSession, UserPluginManager $userPluginManager) { +use OCP\User\Backend\ICountMappedUsersBackend; +use OCP\User\Backend\ILimitAwareCountUsersBackend; +use OCP\User\Backend\IProvideEnabledStateBackend; +use OCP\UserInterface; +use Psr\Log\LoggerInterface; + +class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend { + public function __construct( + Access $access, + protected INotificationManager $notificationManager, + protected UserPluginManager $userPluginManager, + protected LoggerInterface $logger, + protected DeletedUsersIndex $deletedUsersIndex, + ) { parent::__construct($access); - $this->ocConfig = $ocConfig; - $this->notificationManager = $notificationManager; - $this->userPluginManager = $userPluginManager; } /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot @@ -108,11 +67,12 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn * @return string|false * @throws \Exception */ - public function loginName2UserName($loginName) { + public function loginName2UserName($loginName, bool $forceLdapRefetch = false) { $cacheKey = 'loginName2UserName-' . $loginName; $username = $this->access->connection->getFromCache($cacheKey); - if ($username !== null) { + $ignoreCache = ($username === false && $forceLdapRefetch); + if ($username !== null && !$ignoreCache) { return $username; } @@ -127,13 +87,16 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn } $username = $user->getUsername(); $this->access->connection->writeToCache($cacheKey, $username); + if ($forceLdapRefetch) { + $user->processAttributes($ldapRecord); + } return $username; } catch (NotOnLDAP $e) { $this->access->connection->writeToCache($cacheKey, false); return false; } } - + /** * returns the username for the given LDAP DN, if available * @@ -156,8 +119,8 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn $attrs = $this->access->userManager->getAttributes(); $users = $this->access->fetchUsersByLoginName($loginName, $attrs); if (count($users) < 1) { - throw new NotOnLDAP('No user available for the given login name on ' . - $this->access->connection->ldapHost . ':' . $this->access->connection->ldapPort); + throw new NotOnLDAP('No user available for the given login name on ' + . $this->access->connection->ldapHost . ':' . $this->access->connection->ldapPort); } return $users[0]; } @@ -170,20 +133,19 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn * @return false|string */ public function checkPassword($uid, $password) { - try { - $ldapRecord = $this->getLDAPUserByLoginName($uid); - } catch (NotOnLDAP $e) { - \OC::$server->getLogger()->logException($e, ['app' => 'user_ldap', 'level' => ILogger::DEBUG]); + $username = $this->loginName2UserName($uid, true); + if ($username === false) { return false; } - $dn = $ldapRecord['dn'][0]; + $dn = $this->access->username2dn($username); $user = $this->access->userManager->get($dn); if (!$user instanceof User) { - Util::writeLog('user_ldap', - 'LDAP Login: Could not get user object for DN ' . $dn . - '. Maybe the LDAP entry has no set display name attribute?', - ILogger::WARN); + $this->logger->warning( + 'LDAP Login: Could not get user object for DN ' . $dn + . '. Maybe the LDAP entry has no set display name attribute?', + ['app' => 'user_ldap'] + ); return false; } if ($user->getUsername() !== false) { @@ -193,7 +155,6 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn } $this->access->cacheUserExists($user->getUsername()); - $user->processAttributes($ldapRecord); $user->markLogin(); return $user->getUsername(); @@ -216,8 +177,8 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn $user = $this->access->userManager->get($uid); if (!$user instanceof User) { - throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid . - '. Maybe the LDAP entry has no set display name attribute?'); + throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid + . '. Maybe the LDAP entry has no set display name attribute?'); } if ($user->getUsername() !== false && $this->access->setPassword($user->getDN(), $password)) { $ldapDefaultPPolicyDN = $this->access->connection->ldapDefaultPPolicyDN; @@ -247,7 +208,7 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn */ public function getUsers($search = '', $limit = 10, $offset = 0) { $search = $this->access->escapeFilterPart($search, true); - $cachekey = 'getUsers-'.$search.'-'.$limit.'-'.$offset; + $cachekey = 'getUsers-' . $search . '-' . $limit . '-' . $offset; //check if users are cached, if so return $ldap_users = $this->access->connection->getFromCache($cachekey); @@ -266,16 +227,20 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn $this->access->getFilterPartForUserSearch($search) ]); - Util::writeLog('user_ldap', - 'getUsers: Options: search '.$search.' limit '.$limit.' offset '.$offset.' Filter: '.$filter, - ILogger::DEBUG); + $this->logger->debug( + 'getUsers: Options: search ' . $search . ' limit ' . $limit . ' offset ' . $offset . ' Filter: ' . $filter, + ['app' => 'user_ldap'] + ); //do the search and translate results to Nextcloud names $ldap_users = $this->access->fetchListOfUsers( $filter, $this->access->userManager->getAttributes(true), $limit, $offset); $ldap_users = $this->access->nextcloudUserNames($ldap_users); - Util::writeLog('user_ldap', 'getUsers: '.count($ldap_users). ' Users found', ILogger::DEBUG); + $this->logger->debug( + 'getUsers: ' . count($ldap_users) . ' Users found', + ['app' => 'user_ldap'] + ); $this->access->connection->writeToCache($cachekey, $ldap_users); return $ldap_users; @@ -284,13 +249,12 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn /** * checks whether a user is still available on LDAP * - * @param string|\OCA\User_LDAP\User\User $user either the Nextcloud user - * name or an instance of that user - * @return bool + * @param string|User $user either the Nextcloud user + * name or an instance of that user * @throws \Exception * @throws \OC\ServerNotAvailableException */ - public function userExistsOnLDAP($user) { + public function userExistsOnLDAP($user, bool $ignoreCache = false): bool { if (is_string($user)) { $user = $this->access->userManager->get($user); } @@ -299,9 +263,11 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn } $uid = $user instanceof User ? $user->getUsername() : $user->getOCName(); $cacheKey = 'userExistsOnLDAP' . $uid; - $userExists = $this->access->connection->getFromCache($cacheKey); - if (!is_null($userExists)) { - return (bool)$userExists; + if (!$ignoreCache) { + $userExists = $this->access->connection->getFromCache($cacheKey); + if (!is_null($userExists)) { + return (bool)$userExists; + } } $dn = $user->getDN(); @@ -320,8 +286,6 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn return false; } $this->access->getUserMapper()->setDNbyUUID($newDn, $uuid); - $this->access->connection->writeToCache($cacheKey, true); - return true; } catch (ServerNotAvailableException $e) { throw $e; } catch (\Exception $e) { @@ -345,21 +309,22 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn * @throws \Exception when connection could not be established */ public function userExists($uid) { - $userExists = $this->access->connection->getFromCache('userExists'.$uid); + $userExists = $this->access->connection->getFromCache('userExists' . $uid); if (!is_null($userExists)) { return (bool)$userExists; } - //getting dn, if false the user does not exist. If dn, he may be mapped only, requires more checking. - $user = $this->access->userManager->get($uid); + $userExists = $this->access->userManager->exists($uid); - if (is_null($user)) { - Util::writeLog('user_ldap', 'No DN found for '.$uid.' on '. - $this->access->connection->ldapHost, ILogger::DEBUG); - $this->access->connection->writeToCache('userExists'.$uid, false); + if (!$userExists) { + $this->logger->debug( + 'No DN found for ' . $uid . ' on ' . $this->access->connection->ldapHost, + ['app' => 'user_ldap'] + ); + $this->access->connection->writeToCache('userExists' . $uid, false); return false; } - $this->access->connection->writeToCache('userExists'.$uid, true); + $this->access->connection->writeToCache('userExists' . $uid, true); return true; } @@ -377,14 +342,29 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn } } - $marked = $this->ocConfig->getUserValue($uid, 'user_ldap', 'isDeleted', 0); - if ((int)$marked === 0) { - \OC::$server->getLogger()->notice( - 'User '.$uid . ' is not marked as deleted, not cleaning up.', - ['app' => 'user_ldap']); - return false; + $marked = $this->deletedUsersIndex->isUserMarked($uid); + if (!$marked) { + try { + $user = $this->access->userManager->get($uid); + if (($user instanceof User) && !$this->userExistsOnLDAP($uid, true)) { + $user->markUser(); + $marked = true; + } + } catch (\Exception $e) { + $this->logger->debug( + $e->getMessage(), + ['app' => 'user_ldap', 'exception' => $e] + ); + } + if (!$marked) { + $this->logger->notice( + 'User ' . $uid . ' is not marked as deleted, not cleaning up.', + ['app' => 'user_ldap'] + ); + return false; + } } - \OC::$server->getLogger()->info('Cleaning up after user ' . $uid, + $this->logger->info('Cleaning up after user ' . $uid, ['app' => 'user_ldap']); $this->access->getUserMapper()->unmap($uid); // we don't emit unassign signals here, since it is implicit to delete signals fired from core @@ -411,7 +391,7 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn return $this->userPluginManager->getHome($uid); } - $cacheKey = 'getHome'.$uid; + $cacheKey = 'getHome' . $uid; $path = $this->access->connection->getFromCache($cacheKey); if (!is_null($path)) { return $path; @@ -443,7 +423,7 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn return false; } - $cacheKey = 'getDisplayName'.$uid; + $cacheKey = 'getDisplayName' . $uid; if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) { return $displayName; } @@ -470,11 +450,10 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn $user = $this->access->userManager->get($uid); if ($user instanceof User) { - $displayName = $user->composeAndStoreDisplayName($displayName, $displayName2); + $displayName = $user->composeAndStoreDisplayName($displayName, (string)$displayName2); $this->access->connection->writeToCache($cacheKey, $displayName); } if ($user instanceof OfflineUser) { - /** @var OfflineUser $user*/ $displayName = $user->getDisplayName(); } return $displayName; @@ -502,12 +481,12 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn * Get a list of all display names * * @param string $search - * @param string|null $limit - * @param string|null $offset + * @param int|null $limit + * @param int|null $offset * @return array an array of all displayNames (value) and the corresponding uids (key) */ public function getDisplayNames($search = '', $limit = null, $offset = null) { - $cacheKey = 'getDisplayNames-'.$search.'-'.$limit.'-'.$offset; + $cacheKey = 'getDisplayNames-' . $search . '-' . $limit . '-' . $offset; if (!is_null($displayNames = $this->access->connection->getFromCache($cacheKey))) { return $displayNames; } @@ -549,24 +528,26 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn /** * counts the users in LDAP - * - * @return int|bool */ - public function countUsers() { + public function countUsers(int $limit = 0): int|false { if ($this->userPluginManager->implementsActions(Backend::COUNT_USERS)) { return $this->userPluginManager->countUsers(); } $filter = $this->access->getFilterForUserCount(); - $cacheKey = 'countUsers-'.$filter; + $cacheKey = 'countUsers-' . $filter . '-' . $limit; if (!is_null($entries = $this->access->connection->getFromCache($cacheKey))) { return $entries; } - $entries = $this->access->countUsers($filter); + $entries = $this->access->countUsers($filter, limit:$limit); $this->access->connection->writeToCache($cacheKey, $entries); return $entries; } + public function countMappedUsers(): int { + return $this->access->getUserMapper()->count(); + } + /** * Backend name to be shown in user management * @return string the name of the backend to be shown @@ -574,7 +555,7 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn public function getBackendName() { return 'LDAP'; } - + /** * Return access for LDAP interaction. * @param string $uid @@ -583,13 +564,13 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn public function getLDAPAccess($uid) { return $this->access; } - + /** * Return LDAP connection resource from a cloned connection. * The cloned connection needs to be closed manually. * of the current access. * @param string $uid - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection */ public function getNewLDAPConnection($uid) { $connection = clone $this->access->getConnection(); @@ -617,9 +598,8 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn $uuid, true ); - $this->access->cacheUserExists($username); } else { - \OC::$server->getLogger()->warning( + $this->logger->warning( 'Failed to map created LDAP user with userid {userid}, because UUID could not be determined', [ 'app' => 'user_ldap', @@ -628,11 +608,28 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn ); } } else { - throw new \UnexpectedValueException("LDAP Plugin: Method createUser changed to return the user DN instead of boolean."); + throw new \UnexpectedValueException('LDAP Plugin: Method createUser changed to return the user DN instead of boolean.'); } } - return (bool) $dn; + return (bool)$dn; } return false; } + + public function isUserEnabled(string $uid, callable $queryDatabaseValue): bool { + if ($this->deletedUsersIndex->isUserMarked($uid) && ((int)$this->access->connection->markRemnantsAsDisabled === 1)) { + return false; + } else { + return $queryDatabaseValue(); + } + } + + public function setUserEnabled(string $uid, bool $enabled, callable $queryDatabaseValue, callable $setDatabaseValue): bool { + $setDatabaseValue($enabled); + return $enabled; + } + + public function getDisabledUserList(?int $limit = null, int $offset = 0, string $search = ''): array { + throw new \Exception('This is implemented directly in User_Proxy'); + } } diff --git a/apps/user_ldap/lib/User_Proxy.php b/apps/user_ldap/lib/User_Proxy.php index e8d0a6d6948..0d41f495ce9 100644 --- a/apps/user_ldap/lib/User_Proxy.php +++ b/apps/user_ldap/lib/User_Proxy.php @@ -1,65 +1,47 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christopher Schäpers <kondou@ts.unde.re> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; +use OCA\User_LDAP\User\DeletedUsersIndex; +use OCA\User_LDAP\User\OfflineUser; use OCA\User_LDAP\User\User; -use OCP\IConfig; -use OCP\IUserSession; +use OCP\IUserBackend; use OCP\Notification\IManager as INotificationManager; +use OCP\User\Backend\ICountMappedUsersBackend; +use OCP\User\Backend\ILimitAwareCountUsersBackend; +use OCP\User\Backend\IProvideEnabledStateBackend; +use OCP\UserInterface; +use Psr\Log\LoggerInterface; -class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP { - private $backends = []; - /** @var User_LDAP */ - private $refBackend = null; - +/** + * @template-extends Proxy<User_LDAP> + */ +class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend { public function __construct( - Helper $helper, + private Helper $helper, ILDAPWrapper $ldap, - IConfig $ocConfig, - INotificationManager $notificationManager, - IUserSession $userSession, - UserPluginManager $userPluginManager + AccessFactory $accessFactory, + private INotificationManager $notificationManager, + private UserPluginManager $userPluginManager, + private LoggerInterface $logger, + private DeletedUsersIndex $deletedUsersIndex, ) { - parent::__construct($ldap); - $serverConfigPrefixes = $helper->getServerConfigurationPrefixes(true); - foreach ($serverConfigPrefixes as $configPrefix) { - $this->backends[$configPrefix] = - new User_LDAP($this->getAccess($configPrefix), $ocConfig, $notificationManager, $userSession, $userPluginManager); - - if (is_null($this->refBackend)) { - $this->refBackend = &$this->backends[$configPrefix]; - } - } + parent::__construct($helper, $ldap, $accessFactory); + } + + protected function newInstance(string $configPrefix): User_LDAP { + return new User_LDAP( + $this->getAccess($configPrefix), + $this->notificationManager, + $this->userPluginManager, + $this->logger, + $this->deletedUsersIndex, + ); } /** @@ -71,6 +53,8 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * @return mixed the result of the method or false */ protected function walkBackends($id, $method, $parameters) { + $this->setup(); + $uid = $id; $cacheKey = $this->getUserCacheKey($uid); foreach ($this->backends as $configPrefix => $backend) { @@ -99,6 +83,8 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * @return mixed the result of the method or false */ protected function callOnLastSeenOn($id, $method, $parameters, $passOnWhen) { + $this->setup(); + $uid = $id; $cacheKey = $this->getUserCacheKey($uid); $prefix = $this->getFromCache($cacheKey); @@ -129,6 +115,7 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, } protected function activeBackends(): int { + $this->setup(); return count($this->backends); } @@ -142,6 +129,7 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * compared with \OC\User\Backend::CREATE_USER etc. */ public function implementsActions($actions) { + $this->setup(); //it's the same across all our user backends obviously return $this->refBackend->implementsActions($actions); } @@ -152,6 +140,7 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * @return string the name of the backend to be shown */ public function getBackendName() { + $this->setup(); return $this->refBackend->getBackendName(); } @@ -164,6 +153,8 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * @return string[] an array of all uids */ public function getUsers($search = '', $limit = 10, $offset = 0) { + $this->setup(); + //we do it just as the /OC_User implementation: do not play around with limit and offset but ask all backends $users = []; foreach ($this->backends as $backend) { @@ -203,13 +194,12 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, /** * check if a user exists on LDAP * - * @param string|\OCA\User_LDAP\User\User $user either the Nextcloud user - * name or an instance of that user - * @return boolean + * @param string|User $user either the Nextcloud user + * name or an instance of that user */ - public function userExistsOnLDAP($user) { + public function userExistsOnLDAP($user, bool $ignoreCache = false): bool { $id = ($user instanceof User) ? $user->getUsername() : $user; - return $this->handleRequest($id, 'userExistsOnLDAP', [$user]); + return $this->handleRequest($id, 'userExistsOnLDAP', [$user, $ignoreCache]); } /** @@ -279,7 +269,7 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, } /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot @@ -292,11 +282,13 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * Get a list of all display names and user ids. * * @param string $search - * @param string|null $limit - * @param string|null $offset + * @param int|null $limit + * @param int|null $offset * @return array an array of all displayNames (value) and the corresponding uids (key) */ public function getDisplayNames($search = '', $limit = null, $offset = null) { + $this->setup(); + //we do it just as the /OC_User implementation: do not play around with limit and offset but ask all backends $users = []; foreach ($this->backends as $backend) { @@ -336,26 +328,46 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * @return bool */ public function hasUserListings() { + $this->setup(); return $this->refBackend->hasUserListings(); } /** * Count the number of users - * - * @return int|bool */ - public function countUsers() { + public function countUsers(int $limit = 0): int|false { + $this->setup(); + $users = false; foreach ($this->backends as $backend) { - $backendUsers = $backend->countUsers(); + $backendUsers = $backend->countUsers($limit); if ($backendUsers !== false) { - $users += $backendUsers; + $users = (int)$users + $backendUsers; + if ($limit > 0) { + if ($users >= $limit) { + break; + } + $limit -= $users; + } } } return $users; } /** + * Count the number of mapped users + */ + public function countMappedUsers(): int { + $this->setup(); + + $users = 0; + foreach ($this->backends as $backend) { + $users += $backend->countMappedUsers(); + } + return $users; + } + + /** * Return access for LDAP interaction. * * @param string $uid @@ -370,7 +382,7 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, * The connection needs to be closed manually. * * @param string $uid - * @return resource of the LDAP connection + * @return \LDAP\Connection The LDAP connection */ public function getNewLDAPConnection($uid) { return $this->handleRequest($uid, 'getNewLDAPConnection', [$uid]); @@ -386,4 +398,37 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface, public function createUser($username, $password) { return $this->handleRequest($username, 'createUser', [$username, $password]); } + + public function isUserEnabled(string $uid, callable $queryDatabaseValue): bool { + return $this->handleRequest($uid, 'isUserEnabled', [$uid, $queryDatabaseValue]); + } + + public function setUserEnabled(string $uid, bool $enabled, callable $queryDatabaseValue, callable $setDatabaseValue): bool { + return $this->handleRequest($uid, 'setUserEnabled', [$uid, $enabled, $queryDatabaseValue, $setDatabaseValue]); + } + + public function getDisabledUserList(?int $limit = null, int $offset = 0, string $search = ''): array { + if ((int)$this->getAccess(array_key_first($this->backends) ?? '')->connection->markRemnantsAsDisabled !== 1) { + return []; + } + $disabledUsers = $this->deletedUsersIndex->getUsers(); + if ($search !== '') { + $disabledUsers = array_filter( + $disabledUsers, + fn (OfflineUser $user): bool + => mb_stripos($user->getOCName(), $search) !== false + || mb_stripos($user->getUID(), $search) !== false + || mb_stripos($user->getDisplayName(), $search) !== false + || mb_stripos($user->getEmail(), $search) !== false, + ); + } + return array_map( + fn (OfflineUser $user) => $user->getOCName(), + array_slice( + $disabledUsers, + $offset, + $limit + ) + ); + } } diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php index 0dde8199a02..15a9f9cb212 100644 --- a/apps/user_ldap/lib/Wizard.php +++ b/apps/user_ldap/lib/Wizard.php @@ -1,54 +1,25 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Allan Nordhøy <epost@anotheragency.no> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Jean-Louis Dupond <jean-louis@dupond.be> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Stefan Weil <sw@weilnetz.de> - * @author Tobias Perschon <tobias@perschon.at> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Xuanwo <xuanwo@yunify.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; use OC\ServerNotAvailableException; -use OCP\ILogger; +use OCP\IL10N; +use OCP\L10N\IFactory as IL10NFactory; +use OCP\Server; +use OCP\Util; +use Psr\Log\LoggerInterface; class Wizard extends LDAPUtility { - /** @var \OCP\IL10N */ - protected static $l; - protected $access; - protected $cr; - protected $configuration; - protected $result; - protected $resultCache = []; + protected static ?IL10N $l = null; + protected ?\LDAP\Connection $cr = null; + protected WizardResult $result; + protected LoggerInterface $logger; public const LRESULT_PROCESSED_OK = 2; public const LRESULT_PROCESSED_INVALID = 3; @@ -63,20 +34,17 @@ class Wizard extends LDAPUtility { public const LDAP_NW_TIMEOUT = 4; - /** - * Constructor - * @param Configuration $configuration an instance of Configuration - * @param ILDAPWrapper $ldap an instance of ILDAPWrapper - * @param Access $access - */ - public function __construct(Configuration $configuration, ILDAPWrapper $ldap, Access $access) { + public function __construct( + protected Configuration $configuration, + ILDAPWrapper $ldap, + protected Access $access, + ) { parent::__construct($ldap); - $this->configuration = $configuration; - if (is_null(Wizard::$l)) { - Wizard::$l = \OC::$server->getL10N('user_ldap'); + if (is_null(static::$l)) { + static::$l = Server::get(IL10NFactory::class)->get('user_ldap'); } - $this->access = $access; $this->result = new WizardResult(); + $this->logger = Server::get(LoggerInterface::class); } public function __destruct() { @@ -90,11 +58,13 @@ class Wizard extends LDAPUtility { * * @param string $filter the LDAP search filter * @param string $type a string being either 'users' or 'groups'; - * @return int * @throws \Exception */ public function countEntries(string $filter, string $type): int { - $reqs = ['ldapHost', 'ldapPort', 'ldapBase']; + $reqs = ['ldapHost', 'ldapBase']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } if ($type === 'users') { $reqs[] = 'ldapUserFilter'; } @@ -118,24 +88,13 @@ class Wizard extends LDAPUtility { } /** - * formats the return value of a count operation to the string to be - * inserted. - * - * @param int $count - * @return string + * @return WizardResult|false */ - private function formatCountResult(int $count): string { - if ($count > 1000) { - return '> 1000'; - } - return (string)$count; - } - public function countGroups() { $filter = $this->configuration->ldapGroupFilter; if (empty($filter)) { - $output = self::$l->n('%s group found', '%s groups found', 0, [0]); + $output = self::$l->n('%n group found', '%n groups found', 0); $this->result->addChange('ldap_group_count', $output); return $this->result; } @@ -149,30 +108,36 @@ class Wizard extends LDAPUtility { } return false; } - $output = self::$l->n( - '%s group found', - '%s groups found', - $groupsTotal, - [$this->formatCountResult($groupsTotal)] - ); + + if ($groupsTotal > 1000) { + $output = self::$l->t('> 1000 groups found'); + } else { + $output = self::$l->n( + '%n group found', + '%n groups found', + $groupsTotal + ); + } $this->result->addChange('ldap_group_count', $output); return $this->result; } /** - * @return WizardResult * @throws \Exception */ - public function countUsers() { + public function countUsers(): WizardResult { $filter = $this->access->getFilterForUserCount(); $usersTotal = $this->countEntries($filter, 'users'); - $output = self::$l->n( - '%s user found', - '%s users found', - $usersTotal, - [$this->formatCountResult($usersTotal)] - ); + if ($usersTotal > 1000) { + $output = self::$l->t('> 1000 users found'); + } else { + $output = self::$l->n( + '%n user found', + '%n users found', + $usersTotal + ); + } $this->result->addChange('ldap_user_count', $output); return $this->result; } @@ -180,31 +145,25 @@ class Wizard extends LDAPUtility { /** * counts any objects in the currently set base dn * - * @return WizardResult * @throws \Exception */ - public function countInBaseDN() { + public function countInBaseDN(): WizardResult { // we don't need to provide a filter in this case $total = $this->countEntries('', 'objects'); - if ($total === false) { - throw new \Exception('invalid results received'); - } $this->result->addChange('ldap_test_base', $total); return $this->result; } /** * counts users with a specified attribute - * @param string $attr - * @param bool $existsCheck - * @return int|bool + * @return int|false */ - public function countUsersWithAttribute($attr, $existsCheck = false) { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapUserFilter', - ])) { + public function countUsersWithAttribute(string $attr, bool $existsCheck = false) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } @@ -213,7 +172,7 @@ class Wizard extends LDAPUtility { $attr . '=*' ]); - $limit = ($existsCheck === false) ? null : 1; + $limit = $existsCheck ? null : 1; return $this->access->countUsers($filter, ['dn'], $limit); } @@ -221,15 +180,15 @@ class Wizard extends LDAPUtility { /** * detects the display name attribute. If a setting is already present that * returns at least one hit, the detection will be canceled. - * @return WizardResult|bool + * @return WizardResult|false * @throws \Exception */ public function detectUserDisplayNameAttribute() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapUserFilter', - ])) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } @@ -267,11 +226,11 @@ class Wizard extends LDAPUtility { * @return WizardResult|bool */ public function detectEmailAttribute() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapUserFilter', - ])) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } @@ -300,9 +259,11 @@ class Wizard extends LDAPUtility { if ($winner !== '') { $this->applyFind('ldap_email_attr', $winner); if ($writeLog) { - \OCP\Util::writeLog('user_ldap', 'The mail attribute has ' . - 'automatically been reset, because the original value ' . - 'did not return any results.', ILogger::INFO); + $this->logger->info( + 'The mail attribute has automatically been reset, ' + . 'because the original value did not return any results.', + ['app' => 'user_ldap'] + ); } } @@ -310,20 +271,24 @@ class Wizard extends LDAPUtility { } /** - * @return WizardResult + * @return WizardResult|false * @throws \Exception */ public function determineAttributes() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapUserFilter', - ])) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $attributes = $this->getUserAttributes(); + if (!is_array($attributes)) { + throw new \Exception('Failed to determine user attributes'); + } + natcasesort($attributes); $attributes = array_values($attributes); @@ -339,15 +304,15 @@ class Wizard extends LDAPUtility { /** * detects the available LDAP attributes - * @return array|false The instance's WizardResult instance + * @return array|false * @throws \Exception */ private function getUserAttributes() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapUserFilter', - ])) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $cr = $this->getConnection(); @@ -361,8 +326,12 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { return false; } + /** @var \LDAP\Result $rr */ $er = $this->ldap->firstEntry($cr, $rr); $attributes = $this->ldap->getAttributes($cr, $er); + if ($attributes === false) { + return false; + } $pureAttributes = []; for ($i = 0; $i < $attributes['count']; $i++) { $pureAttributes[] = $attributes[$i]; @@ -377,8 +346,8 @@ class Wizard extends LDAPUtility { */ public function determineGroupsForGroups() { return $this->determineGroups('ldap_groupfilter_groups', - 'ldapGroupFilterGroups', - false); + 'ldapGroupFilterGroups', + false); } /** @@ -387,22 +356,20 @@ class Wizard extends LDAPUtility { */ public function determineGroupsForUsers() { return $this->determineGroups('ldap_userfilter_groups', - 'ldapUserFilterGroups'); + 'ldapUserFilterGroups'); } /** * detects the available LDAP groups - * @param string $dbKey - * @param string $confKey - * @param bool $testMemberOf * @return WizardResult|false the instance's WizardResult instance * @throws \Exception */ - private function determineGroups($dbKey, $confKey, $testMemberOf = true) { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - ])) { + private function determineGroups(string $dbKey, string $confKey, bool $testMemberOf = true) { + $reqs = ['ldapHost', 'ldapBase']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $cr = $this->getConnection(); @@ -413,7 +380,7 @@ class Wizard extends LDAPUtility { $this->fetchGroups($dbKey, $confKey); if ($testMemberOf) { - $this->configuration->hasMemberOfFilterSupport = $this->testMemberOf(); + $this->configuration->hasMemberOfFilterSupport = (string)$this->testMemberOf(); $this->result->markChange(); if (!$this->configuration->hasMemberOfFilterSupport) { throw new \Exception('memberOf is not supported by the server'); @@ -426,17 +393,14 @@ class Wizard extends LDAPUtility { /** * fetches all groups from LDAP and adds them to the result object * - * @param string $dbKey - * @param string $confKey - * @return array $groupEntries * @throws \Exception */ - public function fetchGroups($dbKey, $confKey) { + public function fetchGroups(string $dbKey, string $confKey): array { $obclasses = ['posixGroup', 'group', 'zimbraDistributionList', 'groupOfNames', 'groupOfUniqueNames']; $filterParts = []; foreach ($obclasses as $obclass) { - $filterParts[] = 'objectclass='.$obclass; + $filterParts[] = 'objectclass=' . $obclass; } //we filter for everything //- that looks like a group and @@ -453,7 +417,7 @@ class Wizard extends LDAPUtility { // detection will fail later $result = $this->access->searchGroups($filter, ['cn', 'dn'], $limit, $offset); foreach ($result as $item) { - if (!isset($item['cn']) && !is_array($item['cn']) && !isset($item['cn'][0])) { + if (!isset($item['cn']) || !is_array($item['cn']) || !isset($item['cn'][0])) { // just in case - no issue known continue; } @@ -478,11 +442,15 @@ class Wizard extends LDAPUtility { return $groupEntries; } + /** + * @return WizardResult|false + */ public function determineGroupMemberAssoc() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapGroupFilter', - ])) { + $reqs = ['ldapHost', 'ldapGroupFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $attribute = $this->detectGroupMemberAssoc(); @@ -501,10 +469,11 @@ class Wizard extends LDAPUtility { * @throws \Exception */ public function determineGroupObjectClasses() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - ])) { + $reqs = ['ldapHost', 'ldapBase']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $cr = $this->getConnection(); @@ -514,24 +483,25 @@ class Wizard extends LDAPUtility { $obclasses = ['groupOfNames', 'groupOfUniqueNames', 'group', 'posixGroup', '*']; $this->determineFeature($obclasses, - 'objectclass', - 'ldap_groupfilter_objectclass', - 'ldapGroupFilterObjectclass', - false); + 'objectclass', + 'ldap_groupfilter_objectclass', + 'ldapGroupFilterObjectclass', + false); return $this->result; } /** * detects the available object classes - * @return WizardResult + * @return WizardResult|false * @throws \Exception */ public function determineUserObjectClasses() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - ])) { + $reqs = ['ldapHost', 'ldapBase']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $cr = $this->getConnection(); @@ -545,10 +515,10 @@ class Wizard extends LDAPUtility { //if filter is empty, it is probably the first time the wizard is called //then, apply suggestions. $this->determineFeature($obclasses, - 'objectclass', - 'ldap_userfilter_objectclass', - 'ldapUserFilterObjectclass', - empty($filter)); + 'objectclass', + 'ldap_userfilter_objectclass', + 'ldapUserFilterObjectclass', + empty($filter)); return $this->result; } @@ -558,10 +528,11 @@ class Wizard extends LDAPUtility { * @throws \Exception */ public function getGroupFilter() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - ])) { + $reqs = ['ldapHost', 'ldapBase']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } //make sure the use display name is set @@ -569,7 +540,7 @@ class Wizard extends LDAPUtility { if ($displayName === '') { $d = $this->configuration->getDefaults(); $this->applyFind('ldap_group_display_name', - $d['ldap_group_display_name']); + $d['ldap_group_display_name']); } $filter = $this->composeLdapFilter(self::LFILTER_GROUP_LIST); @@ -582,10 +553,11 @@ class Wizard extends LDAPUtility { * @throws \Exception */ public function getUserListFilter() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - ])) { + $reqs = ['ldapHost', 'ldapBase']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } //make sure the use display name is set @@ -604,15 +576,15 @@ class Wizard extends LDAPUtility { } /** - * @return bool|WizardResult + * @return WizardResult|false * @throws \Exception */ public function getUserLoginFilter() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapUserFilter', - ])) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } @@ -626,23 +598,19 @@ class Wizard extends LDAPUtility { } /** - * @return bool|WizardResult - * @param string $loginName + * @return WizardResult|false * @throws \Exception */ - public function testLoginName($loginName) { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - 'ldapBase', - 'ldapLoginFilter', - ])) { + public function testLoginName(string $loginName) { + $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } $cr = $this->access->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - throw new \Exception('connection error'); - } if (mb_strpos($this->access->connection->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) { @@ -672,16 +640,15 @@ class Wizard extends LDAPUtility { $this->checkHost(); $portSettings = $this->getPortSettingsToTry(); - if (!is_array($portSettings)) { - throw new \Exception(print_r($portSettings, true)); - } - //proceed from the best configuration and return on first success foreach ($portSettings as $setting) { $p = $setting['port']; $t = $setting['tls']; - \OCP\Util::writeLog('user_ldap', 'Wiz: trying port '. $p . ', TLS '. $t, ILogger::DEBUG); - //connectAndBind may throw Exception, it needs to be catched by the + $this->logger->debug( + 'Wiz: trying port ' . $p . ', TLS ' . $t, + ['app' => 'user_ldap'] + ); + //connectAndBind may throw Exception, it needs to be caught by the //callee of this method try { @@ -699,11 +666,14 @@ class Wizard extends LDAPUtility { if ($settingsFound === true) { $config = [ - 'ldapPort' => $p, - 'ldapTLS' => (int)$t + 'ldapPort' => (string)$p, + 'ldapTLS' => (string)$t, ]; $this->configuration->setConfiguration($config); - \OCP\Util::writeLog('user_ldap', 'Wiz: detected Port ' . $p, ILogger::DEBUG); + $this->logger->debug( + 'Wiz: detected Port ' . $p, + ['app' => 'user_ldap'] + ); $this->result->addChange('ldap_port', $p); return $this->result; } @@ -718,9 +688,11 @@ class Wizard extends LDAPUtility { * @return WizardResult|false WizardResult on success, false otherwise */ public function guessBaseDN() { - if (!$this->checkRequirements(['ldapHost', - 'ldapPort', - ])) { + $reqs = ['ldapHost']; + if (!$this->configuration->usesLdapi()) { + $reqs[] = 'ldapPort'; + } + if (!$this->checkRequirements($reqs)) { return false; } @@ -738,7 +710,7 @@ class Wizard extends LDAPUtility { //this did not help :( //Let's see whether we can parse the Host URL and convert the domain to //a base DN - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $domain = $helper->getDomainFromURL($this->configuration->ldapHost); if (!$domain) { return false; @@ -764,7 +736,7 @@ class Wizard extends LDAPUtility { * @param string $value the (detected) value * */ - private function applyFind($key, $value) { + private function applyFind(string $key, string $value): void { $this->result->addChange($key, $value); $this->configuration->setConfiguration([$key => $value]); } @@ -774,23 +746,23 @@ class Wizard extends LDAPUtility { * field. In this case the port will be stripped off, but also stored as * setting. */ - private function checkHost() { + private function checkHost(): void { $host = $this->configuration->ldapHost; $hostInfo = parse_url($host); //removes Port from Host if (is_array($hostInfo) && isset($hostInfo['port'])) { $port = $hostInfo['port']; - $host = str_replace(':'.$port, '', $host); + $host = str_replace(':' . $port, '', $host); $this->applyFind('ldap_host', $host); - $this->applyFind('ldap_port', $port); + $this->applyFind('ldap_port', (string)$port); } } /** * tries to detect the group member association attribute which is * one of 'uniqueMember', 'memberUid', 'member', 'gidNumber' - * @return string|false, string with the attribute name, false on error + * @return string|false string with the attribute name, false on error * @throws \Exception */ private function detectGroupMemberAssoc() { @@ -808,8 +780,9 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { return false; } + /** @var \LDAP\Result $rr */ $er = $this->ldap->firstEntry($cr, $rr); - while (is_resource($er)) { + while ($this->ldap->isResource($er)) { $this->ldap->getDN($cr, $er); $attrs = $this->ldap->getAttributes($cr, $er); $result = []; @@ -836,7 +809,7 @@ class Wizard extends LDAPUtility { * @return bool true on success, false otherwise * @throws \Exception */ - private function testBaseDN($base) { + private function testBaseDN(string $base): bool { $cr = $this->getConnection(); if (!$cr) { throw new \Exception('Could not connect to LDAP'); @@ -848,10 +821,13 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { $errorNo = $this->ldap->errno($cr); $errorMsg = $this->ldap->error($cr); - \OCP\Util::writeLog('user_ldap', 'Wiz: Could not search base '.$base. - ' Error '.$errorNo.': '.$errorMsg, ILogger::INFO); + $this->logger->info( + 'Wiz: Could not search base ' . $base . ' Error ' . $errorNo . ': ' . $errorMsg, + ['app' => 'user_ldap'] + ); return false; } + /** @var \LDAP\Result $rr */ $entries = $this->ldap->countEntries($cr, $rr); return ($entries !== false) && ($entries > 0); } @@ -865,7 +841,7 @@ class Wizard extends LDAPUtility { * @return bool true if it does, false otherwise * @throws \Exception */ - private function testMemberOf() { + private function testMemberOf(): bool { $cr = $this->getConnection(); if (!$cr) { throw new \Exception('Could not connect to LDAP'); @@ -879,13 +855,12 @@ class Wizard extends LDAPUtility { /** * creates an LDAP Filter from given configuration - * @param integer $filterType int, for which use case the filter shall be created - * can be any of self::LFILTER_USER_LIST, self::LFILTER_LOGIN or - * self::LFILTER_GROUP_LIST - * @return string|false string with the filter on success, false otherwise + * @param int $filterType int, for which use case the filter shall be created + * can be any of self::LFILTER_USER_LIST, self::LFILTER_LOGIN or + * self::LFILTER_GROUP_LIST * @throws \Exception */ - private function composeLdapFilter($filterType) { + private function composeLdapFilter(int $filterType): string { $filter = ''; $parts = 0; switch ($filterType) { @@ -895,7 +870,7 @@ class Wizard extends LDAPUtility { if (is_array($objcs) && count($objcs) > 0) { $filter .= '(|'; foreach ($objcs as $objc) { - $filter .= '(objectclass=' . $objc . ')'; + $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; $parts++; @@ -911,20 +886,21 @@ class Wizard extends LDAPUtility { } $base = $this->configuration->ldapBase[0]; foreach ($cns as $cn) { - $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']); + $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']); if (!$this->ldap->isResource($rr)) { continue; } + /** @var \LDAP\Result $rr */ $er = $this->ldap->firstEntry($cr, $rr); $attrs = $this->ldap->getAttributes($cr, $er); $dn = $this->ldap->getDN($cr, $er); if ($dn === false || $dn === '') { continue; } - $filterPart = '(memberof=' . $dn . ')'; + $filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')'; if (isset($attrs['primaryGroupToken'])) { $pgt = $attrs['primaryGroupToken'][0]; - $primaryFilterPart = '(primaryGroupID=' . $pgt .')'; + $primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) . ')'; $filterPart = '(|' . $filterPart . $primaryFilterPart . ')'; } $filter .= $filterPart; @@ -948,7 +924,7 @@ class Wizard extends LDAPUtility { if (is_array($objcs) && count($objcs) > 0) { $filter .= '(|'; foreach ($objcs as $objc) { - $filter .= '(objectclass=' . $objc . ')'; + $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; $parts++; @@ -958,7 +934,7 @@ class Wizard extends LDAPUtility { if (is_array($cns) && count($cns) > 0) { $filter .= '(|'; foreach ($cns as $cn) { - $filter .= '(cn=' . $cn . ')'; + $filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; } @@ -974,6 +950,9 @@ class Wizard extends LDAPUtility { $loginpart = '=%uid'; $filterUsername = ''; $userAttributes = $this->getUserAttributes(); + if ($userAttributes === false) { + throw new \Exception('Failed to get user attributes'); + } $userAttributes = array_change_key_case(array_flip($userAttributes)); $parts = 0; @@ -1021,11 +1000,14 @@ class Wizard extends LDAPUtility { $filterLogin .= ')'; } - $filter = '(&'.$ulf.$filterLogin.')'; + $filter = '(&' . $ulf . $filterLogin . ')'; break; } - \OCP\Util::writeLog('user_ldap', 'Wiz: Final filter '.$filter, ILogger::DEBUG); + $this->logger->debug( + 'Wiz: Final filter ' . $filter, + ['app' => 'user_ldap'] + ); return $filter; } @@ -1035,21 +1017,24 @@ class Wizard extends LDAPUtility { * * @param int $port the port to connect with * @param bool $tls whether startTLS is to be used - * @return bool * @throws \Exception */ - private function connectAndBind($port, $tls) { + private function connectAndBind(int $port, bool $tls): bool { //connect, does not really trigger any server communication $host = $this->configuration->ldapHost; - $hostInfo = parse_url($host); - if (!$hostInfo) { + $hostInfo = parse_url((string)$host); + if (!is_string($host) || !$hostInfo) { throw new \Exception(self::$l->t('Invalid Host')); } - \OCP\Util::writeLog('user_ldap', 'Wiz: Attempting to connect ', ILogger::DEBUG); - $cr = $this->ldap->connect($host, $port); - if (!is_resource($cr)) { + $this->logger->debug( + 'Wiz: Attempting to connect', + ['app' => 'user_ldap'] + ); + $cr = $this->ldap->connect($host, (string)$port); + if (!$this->ldap->isResource($cr)) { throw new \Exception(self::$l->t('Invalid Host')); } + /** @var \LDAP\Connection $cr */ //set LDAP options $this->ldap->setOption($cr, LDAP_OPT_PROTOCOL_VERSION, 3); @@ -1064,22 +1049,27 @@ class Wizard extends LDAPUtility { } } - \OCP\Util::writeLog('user_ldap', 'Wiz: Attemping to Bind ', ILogger::DEBUG); + $this->logger->debug( + 'Wiz: Attempting to Bind', + ['app' => 'user_ldap'] + ); //interesting part: do the bind! $login = $this->ldap->bind($cr, $this->configuration->ldapAgentName, $this->configuration->ldapAgentPassword ); $errNo = $this->ldap->errno($cr); - $error = ldap_error($cr); + $error = $this->ldap->error($cr); $this->ldap->unbind($cr); } catch (ServerNotAvailableException $e) { return false; } if ($login === true) { - $this->ldap->unbind($cr); - \OCP\Util::writeLog('user_ldap', 'Wiz: Bind successful to Port '. $port . ' TLS ' . (int)$tls, ILogger::DEBUG); + $this->logger->debug( + 'Wiz: Bind successful to Port ' . $port . ' TLS ' . (int)$tls, + ['app' => 'user_ldap'] + ); return true; } @@ -1093,9 +1083,9 @@ class Wizard extends LDAPUtility { /** * checks whether a valid combination of agent and password has been * provided (either two values or nothing for anonymous connect) - * @return bool, true if everything is fine, false otherwise + * @return bool true if everything is fine, false otherwise */ - private function checkAgentRequirements() { + private function checkAgentRequirements(): bool { $agent = $this->configuration->ldapAgentName; $pwd = $this->configuration->ldapAgentPassword; @@ -1105,11 +1095,7 @@ class Wizard extends LDAPUtility { ; } - /** - * @param array $reqs - * @return bool - */ - private function checkRequirements($reqs) { + private function checkRequirements(array $reqs): bool { $this->checkAgentRequirements(); foreach ($reqs as $option) { $value = $this->configuration->$option; @@ -1126,12 +1112,12 @@ class Wizard extends LDAPUtility { * @param string[] $filters array, the filters that shall be used in the search * @param string $attr the attribute of which a list of values shall be returned * @param int $dnReadLimit the amount of how many DNs should be analyzed. - * The lower, the faster + * The lower, the faster * @param string $maxF string. if not null, this variable will have the filter that - * yields most result entries + * yields most result entries * @return array|false an array with the values on success, false otherwise */ - public function cumulativeSearchOnAttribute($filters, $attr, $dnReadLimit = 3, &$maxF = null) { + public function cumulativeSearchOnAttribute(array $filters, string $attr, int $dnReadLimit = 3, ?string &$maxF = null) { $dnRead = []; $foundItems = []; $maxEntries = 0; @@ -1144,6 +1130,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($cr)) { return false; } + /** @var \LDAP\Connection $cr */ $lastFilter = null; if (isset($filters[count($filters) - 1])) { $lastFilter = $filters[count($filters) - 1]; @@ -1158,6 +1145,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { continue; } + /** @var \LDAP\Result $rr */ $entries = $this->ldap->countEntries($cr, $rr); $getEntryFunc = 'firstEntry'; if (($entries !== false) && ($entries > 0)) { @@ -1175,20 +1163,19 @@ class Wizard extends LDAPUtility { $rr = $entry; //will be expected by nextEntry next round $attributes = $this->ldap->getAttributes($cr, $entry); $dn = $this->ldap->getDN($cr, $entry); - if ($dn === false || in_array($dn, $dnRead)) { + if ($attributes === false || $dn === false || in_array($dn, $dnRead)) { continue; } $newItems = []; - $state = $this->getAttributeValuesFromEntry($attributes, - $attr, - $newItems); + $state = $this->getAttributeValuesFromEntry( + $attributes, + $attr, + $newItems + ); $dnReadCount++; $foundItems = array_merge($foundItems, $newItems); - $this->resultCache[$dn][$attr] = $newItems; $dnRead[] = $dn; - } while (($state === self::LRESULT_PROCESSED_SKIP - || $this->ldap->isResource($entry)) - && ($dnReadLimit === 0 || $dnReadCount < $dnReadLimit)); + } while ($dnReadLimit === 0 || $dnReadCount < $dnReadLimit); } } @@ -1201,20 +1188,20 @@ class Wizard extends LDAPUtility { * @param string $attr the attribute to look for * @param string $dbkey the dbkey of the setting the feature is connected to * @param string $confkey the confkey counterpart for the $dbkey as used in the - * Configuration class + * Configuration class * @param bool $po whether the objectClass with most result entries - * shall be pre-selected via the result - * @return array|false list of found items. + * shall be pre-selected via the result + * @return array list of found items. * @throws \Exception */ - private function determineFeature($objectclasses, $attr, $dbkey, $confkey, $po = false) { + private function determineFeature(array $objectclasses, string $attr, string $dbkey, string $confkey, bool $po = false): array { $cr = $this->getConnection(); if (!$cr) { throw new \Exception('Could not connect to LDAP'); } $p = 'objectclass='; foreach ($objectclasses as $key => $value) { - $objectclasses[$key] = $p.$value; + $objectclasses[$key] = $p . $value; } $maxEntryObjC = ''; @@ -1222,9 +1209,9 @@ class Wizard extends LDAPUtility { //When looking for objectclasses, testing few entries is sufficient, $dig = 3; - $availableFeatures = - $this->cumulativeSearchOnAttribute($objectclasses, $attr, - $dig, $maxEntryObjC); + $availableFeatures + = $this->cumulativeSearchOnAttribute($objectclasses, $attr, + $dig, $maxEntryObjC); if (is_array($availableFeatures) && count($availableFeatures) > 0) { natcasesort($availableFeatures); @@ -1251,21 +1238,20 @@ class Wizard extends LDAPUtility { /** * appends a list of values fr - * @param resource $result the return value from ldap_get_attributes + * @param array $result the return value from ldap_get_attributes * @param string $attribute the attribute values to look for * @param array &$known new values will be appended here - * @return int, state on of the class constants LRESULT_PROCESSED_OK, - * LRESULT_PROCESSED_INVALID or LRESULT_PROCESSED_SKIP + * @return int state on of the class constants LRESULT_PROCESSED_OK, + * LRESULT_PROCESSED_INVALID or LRESULT_PROCESSED_SKIP */ - private function getAttributeValuesFromEntry($result, $attribute, &$known) { - if (!is_array($result) - || !isset($result['count']) + private function getAttributeValuesFromEntry(array $result, string $attribute, array &$known): int { + if (!isset($result['count']) || !$result['count'] > 0) { return self::LRESULT_PROCESSED_INVALID; } // strtolower on all keys for proper comparison - $result = \OCP\Util::mb_array_change_key_case($result); + $result = Util::mb_array_change_key_case($result); $attribute = strtolower($attribute); if (isset($result[$attribute])) { foreach ($result[$attribute] as $key => $val) { @@ -1283,9 +1269,9 @@ class Wizard extends LDAPUtility { } /** - * @return bool|mixed + * @return \LDAP\Connection|false a link resource on success, otherwise false */ - private function getConnection() { + private function getConnection(): \LDAP\Connection|false { if (!is_null($this->cr)) { return $this->cr; } @@ -1295,18 +1281,22 @@ class Wizard extends LDAPUtility { $this->configuration->ldapPort ); + if ($cr === false) { + return false; + } + $this->ldap->setOption($cr, LDAP_OPT_PROTOCOL_VERSION, 3); $this->ldap->setOption($cr, LDAP_OPT_REFERRALS, 0); $this->ldap->setOption($cr, LDAP_OPT_NETWORK_TIMEOUT, self::LDAP_NW_TIMEOUT); - if ($this->configuration->ldapTLS === 1) { + if ($this->configuration->ldapTLS) { $this->ldap->startTls($cr); } $lo = @$this->ldap->bind($cr, - $this->configuration->ldapAgentName, - $this->configuration->ldapAgentPassword); + $this->configuration->ldapAgentName, + $this->configuration->ldapAgentPassword); if ($lo === true) { - $this->$cr = $cr; + $this->cr = $cr; return $cr; } @@ -1314,9 +1304,9 @@ class Wizard extends LDAPUtility { } /** - * @return array + * @return array<array{port:int,tls:bool}> */ - private function getDefaultLdapPortSettings() { + private function getDefaultLdapPortSettings(): array { static $settings = [ ['port' => 7636, 'tls' => false], ['port' => 636, 'tls' => false], @@ -1329,9 +1319,9 @@ class Wizard extends LDAPUtility { } /** - * @return array + * @return array<array{port:int,tls:bool}> */ - private function getPortSettingsToTry() { + private function getPortSettingsToTry(): array { //389 ← LDAP / Unencrypted or StartTLS //636 ← LDAPS / SSL //7xxx ← UCS. need to be checked first, because both ports may be open @@ -1348,11 +1338,13 @@ class Wizard extends LDAPUtility { $portSettings[] = ['port' => $port, 'tls' => true]; } $portSettings[] = ['port' => $port, 'tls' => false]; + } elseif ($this->configuration->usesLdapi()) { + $portSettings[] = ['port' => 0, 'tls' => false]; } //default ports $portSettings = array_merge($portSettings, - $this->getDefaultLdapPortSettings()); + $this->getDefaultLdapPortSettings()); return $portSettings; } diff --git a/apps/user_ldap/lib/WizardResult.php b/apps/user_ldap/lib/WizardResult.php index 3c8f638736e..d6fd67d4204 100644 --- a/apps/user_ldap/lib/WizardResult.php +++ b/apps/user_ldap/lib/WizardResult.php @@ -1,32 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - namespace OCA\User_LDAP; class WizardResult { @@ -42,7 +20,7 @@ class WizardResult { $this->changes[$key] = $value; } - + public function markChange() { $this->markedChange = true; } |