diff options
Diffstat (limited to 'apps/user_ldap/lib')
90 files changed, 3765 insertions, 3775 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index 1cc0c62ff1d..9fe0aa64268 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -1,48 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Aaron Wood <aaronjwood@gmail.com> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Benjamin Diele <benjamin@diele.be> - * @author bline <scottbeck@gmail.com> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Mario Kolling <mario.kolling@serpro.gov.br> - * @author Max Kovalenko <mxss1998@yandex.ru> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Peter Kubica <peter@kubica.ch> - * @author Ralph Krimmel <rkrimme1@gwdg.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Roland Tapken <roland@bitarbeiter.net> - * @author root <root@localhost.localdomain> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; @@ -54,9 +15,15 @@ use OCA\User_LDAP\Exceptions\NoMoreResults; use OCA\User_LDAP\Mapping\AbstractMapping; use OCA\User_LDAP\User\Manager; use OCA\User_LDAP\User\OfflineUser; +use OCP\EventDispatcher\IEventDispatcher; use OCP\HintException; +use OCP\IAppConfig; use OCP\IConfig; +use OCP\IGroupManager; use OCP\IUserManager; +use OCP\Server; +use OCP\User\Events\UserIdAssignedEvent; +use OCP\Util; use Psr\Log\LoggerInterface; use function strlen; use function substr; @@ -69,10 +36,6 @@ use function substr; class Access extends LDAPUtility { public const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid']; - /** @var \OCA\User_LDAP\Connection */ - public $connection; - /** @var Manager */ - public $userManager; /** * never ever check this var directly, always use getPagedSearchResultState * @var ?bool @@ -85,35 +48,21 @@ class Access extends LDAPUtility { /** @var ?AbstractMapping */ protected $groupMapper; - /** - * @var \OCA\User_LDAP\Helper - */ - private $helper; - /** @var IConfig */ - private $config; - /** @var IUserManager */ - private $ncUserManager; - /** @var LoggerInterface */ - private $logger; private string $lastCookie = ''; public function __construct( - Connection $connection, ILDAPWrapper $ldap, - Manager $userManager, - Helper $helper, - IConfig $config, - IUserManager $ncUserManager, - LoggerInterface $logger + public Connection $connection, + public Manager $userManager, + private Helper $helper, + private IConfig $config, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IAppConfig $appConfig, + private IEventDispatcher $dispatcher, ) { parent::__construct($ldap); - $this->connection = $connection; - $this->userManager = $userManager; $this->userManager->setLdapAccess($this); - $this->helper = $helper; - $this->config = $config; - $this->ncUserManager = $ncUserManager; - $this->logger = $logger; } /** @@ -169,14 +118,64 @@ class Access extends LDAPUtility { } /** + * Reads several attributes for an LDAP record identified by a DN and a filter + * No support for ranged attributes. + * + * @param string $dn the record in question + * @param array $attrs the attributes that shall be retrieved + * if empty, just check the record's existence + * @param string $filter + * @return array|false an array of values on success or an empty + * array if $attr is empty, false otherwise + * @throws ServerNotAvailableException + */ + public function readAttributes(string $dn, array $attrs, string $filter = 'objectClass=*'): array|false { + if (!$this->checkConnection()) { + $this->logger->warning( + 'No LDAP Connector assigned, access impossible for readAttribute.', + ['app' => 'user_ldap'] + ); + return false; + } + $cr = $this->connection->getConnectionResource(); + $attrs = array_map( + fn (string $attr): string => mb_strtolower($attr, 'UTF-8'), + $attrs, + ); + + $values = []; + $record = $this->executeRead($dn, $attrs, $filter); + if (is_bool($record)) { + // when an exists request was run and it was successful, an empty + // array must be returned + return $record ? [] : false; + } + + $result = []; + foreach ($attrs as $attr) { + $values = $this->extractAttributeValuesFromResult($record, $attr); + if (!empty($values)) { + $result[$attr] = $values; + } + } + + if (!empty($result)) { + return $result; + } + + $this->logger->debug('Requested attributes {attrs} not found for ' . $dn, ['app' => 'user_ldap', 'attrs' => $attrs]); + return false; + } + + /** * reads a given attribute for an LDAP record identified by a DN * * @param string $dn the record in question * @param string $attr the attribute that shall be retrieved - * if empty, just check the record's existence + * if empty, just check the record's existence * @param string $filter * @return array|false an array of values on success or an empty - * array if $attr is empty, false otherwise + * array if $attr is empty, false otherwise * @throws ServerNotAvailableException */ public function readAttribute(string $dn, string $attr, string $filter = 'objectClass=*') { @@ -188,11 +187,6 @@ class Access extends LDAPUtility { return false; } $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - //LDAP not available - $this->logger->debug('LDAP resource not available.', ['app' => 'user_ldap']); - return false; - } $attr = mb_strtolower($attr, 'UTF-8'); // the actual read attribute later may contain parameters on a ranged // request, e.g. member;range=99-199. Depends on server reply. @@ -248,9 +242,9 @@ class Access extends LDAPUtility { * returned data on a successful usual operation * @throws ServerNotAvailableException */ - public function executeRead(string $dn, string $attribute, string $filter) { + public function executeRead(string $dn, string|array $attribute, string $filter) { $dn = $this->helper->DNasBaseParameter($dn); - $rr = @$this->invokeLDAPMethod('read', $dn, $filter, [$attribute]); + $rr = @$this->invokeLDAPMethod('read', $dn, $filter, (is_string($attribute) ? [$attribute] : $attribute)); if (!$this->ldap->isResource($rr)) { if ($attribute !== '') { //do not throw this message on userExists check, irritates @@ -269,7 +263,7 @@ class Access extends LDAPUtility { return false; } //LDAP attributes are not case sensitive - $result = \OCP\Util::mb_array_change_key_case( + $result = Util::mb_array_change_key_case( $this->invokeLDAPMethod('getAttributes', $er), MB_CASE_LOWER, 'UTF-8'); return $result; @@ -279,6 +273,8 @@ class Access extends LDAPUtility { * Normalizes a result grom getAttributes(), i.e. handles DNs and binary * data if present. * + * DN values are escaped as per RFC 2253 + * * @param array $result from ILDAPWrapper::getAttributes() * @param string $attribute the attribute name that was read * @return string[] @@ -310,20 +306,19 @@ class Access extends LDAPUtility { * @return array If a range was detected with keys 'values', 'attributeName', * 'attributeFull' and 'rangeHigh', otherwise empty. */ - public function extractRangeData($result, $attribute) { + public function extractRangeData(array $result, string $attribute): array { $keys = array_keys($result); foreach ($keys as $key) { - if ($key !== $attribute && strpos((string)$key, $attribute) === 0) { + if ($key !== $attribute && str_starts_with((string)$key, $attribute)) { $queryData = explode(';', (string)$key); - if (strpos($queryData[1], 'range=') === 0) { + if (isset($queryData[1]) && str_starts_with($queryData[1], 'range=')) { $high = substr($queryData[1], 1 + strpos($queryData[1], '-')); - $data = [ + return [ 'values' => $result[$key], 'attributeName' => $queryData[0], 'attributeFull' => $key, 'rangeHigh' => $high, ]; - return $data; } } } @@ -344,17 +339,12 @@ class Access extends LDAPUtility { throw new \Exception('LDAP password changes are disabled.'); } $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - //LDAP not available - $this->logger->debug('LDAP resource not available.', ['app' => 'user_ldap']); - return false; - } try { // try PASSWD extended operation first - return @$this->invokeLDAPMethod('exopPasswd', $userDN, '', $password) || - @$this->invokeLDAPMethod('modReplace', $userDN, $password); + return @$this->invokeLDAPMethod('exopPasswd', $userDN, '', $password) + || @$this->invokeLDAPMethod('modReplace', $userDN, $password); } catch (ConstraintViolationException $e) { - throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ') . $e->getMessage(), (int)$e->getCode()); + throw new HintException('Password change rejected.', Util::getL10N('user_ldap')->t('Password change rejected. Hint: %s', $e->getMessage()), (int)$e->getCode()); } } @@ -405,7 +395,7 @@ class Access extends LDAPUtility { $domainParts = []; $dcFound = false; foreach ($allParts as $part) { - if (!$dcFound && strpos($part, 'dc=') === 0) { + if (!$dcFound && str_starts_with($part, 'dc=')) { $dcFound = true; } if ($dcFound) { @@ -448,10 +438,11 @@ class Access extends LDAPUtility { * * @param string $fdn the dn of the group object * @param string $ldapName optional, the display name of the object + * @param bool $autoMapping Should the group be mapped if not yet mapped * @return string|false with the name to use in Nextcloud, false on DN outside of search DN * @throws \Exception */ - public function dn2groupname($fdn, $ldapName = null) { + public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) { //To avoid bypassing the base DN settings under certain circumstances //with the group support, check whether the provided DN matches one of //the given Bases @@ -459,7 +450,7 @@ class Access extends LDAPUtility { return false; } - return $this->dn2ocname($fdn, $ldapName, false); + return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping); } /** @@ -470,7 +461,7 @@ class Access extends LDAPUtility { * @return string|false with with the name to use in Nextcloud * @throws \Exception */ - public function dn2username($fdn, $ldapName = null) { + public function dn2username($fdn) { //To avoid bypassing the base DN settings under certain circumstances //with the group support, check whether the provided DN matches one of //the given Bases @@ -478,7 +469,7 @@ class Access extends LDAPUtility { return false; } - return $this->dn2ocname($fdn, $ldapName, true); + return $this->dn2ocname($fdn, null, true); } /** @@ -489,10 +480,11 @@ class Access extends LDAPUtility { * @param bool $isUser optional, whether it is a user object (otherwise group assumed) * @param bool|null $newlyMapped * @param array|null $record + * @param bool $autoMapping Should the group be mapped if not yet mapped * @return false|string with with the name to use in Nextcloud * @throws \Exception */ - public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) { + public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) { static $intermediates = []; if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) { return false; // is a known intermediate @@ -501,12 +493,8 @@ class Access extends LDAPUtility { $newlyMapped = false; if ($isUser) { $mapper = $this->getUserMapper(); - $nameAttribute = $this->connection->ldapUserDisplayName; - $filter = $this->connection->ldapUserFilter; } else { $mapper = $this->getGroupMapper(); - $nameAttribute = $this->connection->ldapGroupDisplayName; - $filter = $this->connection->ldapGroupFilter; } //let's try to retrieve the Nextcloud name from the mappings table @@ -515,6 +503,41 @@ class Access extends LDAPUtility { return $ncName; } + if (!$autoMapping) { + /* If no auto mapping, stop there */ + return false; + } + + if ($isUser) { + $nameAttribute = strtolower($this->connection->ldapUserDisplayName); + $filter = $this->connection->ldapUserFilter; + $uuidAttr = 'ldapUuidUserAttribute'; + $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; + $usernameAttribute = strtolower($this->connection->ldapExpertUsernameAttr); + $attributesToRead = [$nameAttribute,$usernameAttribute]; + // TODO fetch also display name attributes and cache them if the user is mapped + } else { + $nameAttribute = strtolower($this->connection->ldapGroupDisplayName); + $filter = $this->connection->ldapGroupFilter; + $uuidAttr = 'ldapUuidGroupAttribute'; + $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr; + $attributesToRead = [$nameAttribute]; + } + + if ($this->detectUuidAttribute($fdn, $isUser, false, $record)) { + $attributesToRead[] = $this->connection->$uuidAttr; + } + + if ($record === null) { + /* No record was passed, fetch it */ + $record = $this->readAttributes($fdn, $attributesToRead, $filter); + if ($record === false) { + $this->logger->debug('Cannot read attributes for ' . $fdn . '. Skipping.', ['filter' => $filter]); + $intermediates[($isUser ? 'user-' : 'group-') . $fdn] = true; + return false; + } + } + //second try: get the UUID and check if it is known. Then, update the DN and return the name. $uuid = $this->getUUID($fdn, $isUser, $record); if (is_string($uuid)) { @@ -529,20 +552,9 @@ class Access extends LDAPUtility { return false; } - if (is_null($ldapName)) { - $ldapName = $this->readAttribute($fdn, $nameAttribute, $filter); - if (!isset($ldapName[0]) || empty($ldapName[0])) { - $this->logger->debug('No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ['app' => 'user_ldap']); - $intermediates[($isUser ? 'user-' : 'group-') . $fdn] = true; - return false; - } - $ldapName = $ldapName[0]; - } - if ($isUser) { - $usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr; if ($usernameAttribute !== '') { - $username = $this->readAttribute($fdn, $usernameAttribute); + $username = $record[$usernameAttribute]; if (!isset($username[0]) || empty($username[0])) { $this->logger->debug('No or empty username (' . $usernameAttribute . ') for ' . $fdn . '.', ['app' => 'user_ldap']); return false; @@ -564,6 +576,15 @@ class Access extends LDAPUtility { return false; } } else { + if (is_null($ldapName)) { + $ldapName = $record[$nameAttribute]; + if (!isset($ldapName[0]) || empty($ldapName[0])) { + $this->logger->debug('No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ['app' => 'user_ldap']); + $intermediates['group-' . $fdn] = true; + return false; + } + $ldapName = $ldapName[0]; + } $intName = $this->sanitizeGroupIDCandidate($ldapName); } @@ -575,12 +596,13 @@ class Access extends LDAPUtility { $this->connection->setConfiguration(['ldapCacheTTL' => 0]); if ($intName !== '' && (($isUser && !$this->ncUserManager->userExists($intName)) - || (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName)) + || (!$isUser && !Server::get(IGroupManager::class)->groupExists($intName)) ) ) { $this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]); $newlyMapped = $this->mapAndAnnounceIfApplicable($mapper, $fdn, $intName, $uuid, $isUser); if ($newlyMapped) { + $this->logger->debug('Mapped {fdn} as {name}', ['fdn' => $fdn,'name' => $intName]); return $intName; } } @@ -589,6 +611,14 @@ class Access extends LDAPUtility { $altName = $this->createAltInternalOwnCloudName($intName, $isUser); if (is_string($altName)) { if ($this->mapAndAnnounceIfApplicable($mapper, $fdn, $altName, $uuid, $isUser)) { + $this->logger->warning( + 'Mapped {fdn} as {altName} because of a name collision on {intName}.', + [ + 'fdn' => $fdn, + 'altName' => $altName, + 'intName' => $intName, + ] + ); $newlyMapped = true; return $altName; } @@ -604,13 +634,16 @@ class Access extends LDAPUtility { string $fdn, string $name, string $uuid, - bool $isUser + bool $isUser, ): bool { if ($mapper->map($fdn, $name, $uuid)) { - if ($this->ncUserManager instanceof PublicEmitter && $isUser) { + if ($isUser) { $this->cacheUserExists($name); - $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]); - } elseif (!$isUser) { + $this->dispatcher->dispatchTyped(new UserIdAssignedEvent($name)); + if ($this->ncUserManager instanceof PublicEmitter) { + $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]); + } + } else { $this->cacheGroupExists($name); } return true; @@ -622,7 +655,7 @@ class Access extends LDAPUtility { * gives back the user names as they are used ownClod internally * * @param array $ldapUsers as returned by fetchList() - * @return array an array with the user names to use in Nextcloud + * @return array<int,string> an array with the user names to use in Nextcloud * * gives back the user names as they are used ownClod internally * @throws \Exception @@ -635,7 +668,7 @@ class Access extends LDAPUtility { * gives back the group names as they are used ownClod internally * * @param array $ldapGroups as returned by fetchList() - * @return array an array with the group names to use in Nextcloud + * @return array<int,string> an array with the group names to use in Nextcloud * * gives back the group names as they are used ownClod internally * @throws \Exception @@ -646,6 +679,7 @@ class Access extends LDAPUtility { /** * @param array[] $ldapObjects as returned by fetchList() + * @return array<int,string> * @throws \Exception */ private function ldap2NextcloudNames(array $ldapObjects, bool $isUsers): array { @@ -710,6 +744,7 @@ class Access extends LDAPUtility { */ public function cacheUserExists(string $ocName): void { $this->connection->writeToCache('userExists' . $ocName, true); + $this->connection->writeToCache('userExistsOnLDAP' . $ocName, true); } /** @@ -779,7 +814,7 @@ class Access extends LDAPUtility { * "Developers" */ private function _createAltInternalOwnCloudNameForGroups(string $name) { - $usedNames = $this->getGroupMapper()->getNamesBySearch($name, "", '_%'); + $usedNames = $this->getGroupMapper()->getNamesBySearch($name, '', '_%'); if (count($usedNames) === 0) { $lastNo = 1; //will become name_2 } else { @@ -795,7 +830,7 @@ class Access extends LDAPUtility { // Check to be really sure it is unique // while loop is just a precaution. If a name is not generated within // 20 attempts, something else is very wrong. Avoids infinite loop. - if (!\OC::$server->getGroupManager()->groupExists($altName)) { + if (!Server::get(IGroupManager::class)->groupExists($altName)) { return $altName; } $altName = $name . '_' . ($lastNo + $attempts); @@ -855,12 +890,11 @@ class Access extends LDAPUtility { /** * @throws \Exception */ - public function fetchListOfUsers(string $filter, array $attr, int $limit = null, int $offset = null, bool $forceApplyAttributes = false): array { + public function fetchListOfUsers(string $filter, array $attr, ?int $limit = null, ?int $offset = null, bool $forceApplyAttributes = false): array { $ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset); $recordsToUpdate = $ldapRecords; if (!$forceApplyAttributes) { - $isBackgroundJobModeAjax = $this->config - ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; + $isBackgroundJobModeAjax = $this->appConfig->getValueString('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; $listOfDNs = array_reduce($ldapRecords, function ($listOfDNs, $entry) { $listOfDNs[] = $entry['dn'][0]; return $listOfDNs; @@ -916,7 +950,7 @@ class Access extends LDAPUtility { /** * @return array[] */ - public function fetchListOfGroups(string $filter, array $attr, int $limit = null, int $offset = null): array { + public function fetchListOfGroups(string $filter, array $attr, ?int $limit = null, ?int $offset = null): array { $cacheKey = 'fetchListOfGroups_' . $filter . '_' . implode('-', $attr) . '_' . (string)$limit . '_' . (string)$offset; $listOfGroups = $this->connection->getFromCache($cacheKey); if (!is_null($listOfGroups)) { @@ -924,22 +958,6 @@ class Access extends LDAPUtility { } $groupRecords = $this->searchGroups($filter, $attr, $limit, $offset); - $listOfDNs = array_reduce($groupRecords, function ($listOfDNs, $entry) { - $listOfDNs[] = $entry['dn'][0]; - return $listOfDNs; - }, []); - $idsByDn = $this->getGroupMapper()->getListOfIdsByDn($listOfDNs); - - array_walk($groupRecords, function (array $record) use ($idsByDn) { - $newlyMapped = false; - $gid = $idsByDn[$record['dn'][0]] ?? null; - if ($gid === null) { - $gid = $this->dn2ocname($record['dn'][0], null, false, $newlyMapped, $record); - } - if (!$newlyMapped && is_string($gid)) { - $this->cacheGroupExists($gid); - } - }); $listOfGroups = $this->fetchList($groupRecords, $this->manyAttributes($attr)); $this->connection->writeToCache($cacheKey, $listOfGroups); return $listOfGroups; @@ -961,7 +979,7 @@ class Access extends LDAPUtility { /** * @throws ServerNotAvailableException */ - public function searchUsers(string $filter, array $attr = null, int $limit = null, int $offset = null): array { + public function searchUsers(string $filter, ?array $attr = null, ?int $limit = null, ?int $offset = null): array { $result = []; foreach ($this->connection->ldapBaseUsers as $base) { $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); @@ -974,7 +992,7 @@ class Access extends LDAPUtility { * @return false|int * @throws ServerNotAvailableException */ - public function countUsers(string $filter, array $attr = ['dn'], int $limit = null, int $offset = null) { + public function countUsers(string $filter, array $attr = ['dn'], ?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBaseUsers as $base) { $count = $this->count($filter, [$base], $attr, $limit ?? 0, $offset ?? 0); @@ -991,7 +1009,7 @@ class Access extends LDAPUtility { * Executes an LDAP search * @throws ServerNotAvailableException */ - public function searchGroups(string $filter, array $attr = null, int $limit = null, int $offset = null): array { + public function searchGroups(string $filter, ?array $attr = null, ?int $limit = null, ?int $offset = null): array { $result = []; foreach ($this->connection->ldapBaseGroups as $base) { $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset)); @@ -1005,7 +1023,7 @@ class Access extends LDAPUtility { * @return int|bool * @throws ServerNotAvailableException */ - public function countGroups(string $filter, array $attr = ['dn'], int $limit = null, int $offset = null) { + public function countGroups(string $filter, array $attr = ['dn'], ?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBaseGroups as $base) { $count = $this->count($filter, [$base], $attr, $limit ?? 0, $offset ?? 0); @@ -1020,7 +1038,7 @@ class Access extends LDAPUtility { * @return int|bool * @throws ServerNotAvailableException */ - public function countObjects(int $limit = null, int $offset = null) { + public function countObjects(?int $limit = null, ?int $offset = null) { $result = false; foreach ($this->connection->ldapBase as $base) { $count = $this->count('objectclass=*', [$base], ['dn'], $limit ?? 0, $offset ?? 0); @@ -1086,7 +1104,7 @@ class Access extends LDAPUtility { * @param int|null $limit optional, maximum results to be counted * @param int|null $offset optional, a starting point * @return array|false array with the search result as first value and pagedSearchOK as - * second | false if not successful + * second | false if not successful * @throws ServerNotAvailableException */ private function executeSearch( @@ -1094,16 +1112,10 @@ class Access extends LDAPUtility { string $base, ?array &$attr, ?int $pageSize, - ?int $offset + ?int $offset, ) { // See if we have a resource, in case not cancel with message $cr = $this->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - // Seems like we didn't find any resource. - // Return an empty array just like before. - $this->logger->debug('Could not search, because resource is missing.', ['app' => 'user_ldap']); - return false; - } //check whether paged search should be attempted try { @@ -1126,12 +1138,12 @@ class Access extends LDAPUtility { /** * processes an LDAP paged search operation * - * @param resource|\LDAP\Result|resource[]|\LDAP\Result[] $sr the array containing the LDAP search resources + * @param \LDAP\Result|\LDAP\Result[] $sr the array containing the LDAP search resources * @param int $foundItems number of results in the single search operation * @param int $limit maximum results to be counted * @param bool $pagedSearchOK whether a paged search has been executed * @param bool $skipHandling required for paged search when cookies to - * prior results need to be gained + * prior results need to be gained * @return bool cookie validity, true if we have more pages, false otherwise. * @throws ServerNotAvailableException */ @@ -1140,7 +1152,7 @@ class Access extends LDAPUtility { int $foundItems, int $limit, bool $pagedSearchOK, - bool $skipHandling + bool $skipHandling, ): bool { $cookie = ''; if ($pagedSearchOK) { @@ -1154,7 +1166,7 @@ class Access extends LDAPUtility { return false; } // if count is bigger, then the server does not support - // paged search. Instead, he did a normal search. We set a + // paged search. Instead, they did a normal search. We set a // flag here, so the callee knows how to deal with it. if ($foundItems <= $limit) { $this->pagedSearchedSuccessful = true; @@ -1181,21 +1193,21 @@ class Access extends LDAPUtility { * @param string $filter the LDAP filter for the search * @param array $bases an array containing the LDAP subtree(s) that shall be searched * @param ?string[] $attr optional, array, one or more attributes that shall be - * retrieved. Results will according to the order in the array. + * retrieved. Results will according to the order in the array. * @param int $limit maximum results to be counted, 0 means no limit * @param int $offset a starting point, defaults to 0 * @param bool $skipHandling indicates whether the pages search operation is - * completed + * completed * @return int|false Integer or false if the search could not be initialized * @throws ServerNotAvailableException */ private function count( string $filter, array $bases, - array $attr = null, + ?array $attr = null, int $limit = 0, int $offset = 0, - bool $skipHandling = false + bool $skipHandling = false, ) { $this->logger->debug('Count filter: {filter}', [ 'app' => 'user_ldap', @@ -1239,7 +1251,7 @@ class Access extends LDAPUtility { } /** - * @param resource|\LDAP\Result|resource[]|\LDAP\Result[] $sr + * @param \LDAP\Result|\LDAP\Result[] $sr * @return int * @throws ServerNotAvailableException */ @@ -1250,6 +1262,8 @@ class Access extends LDAPUtility { /** * Executes an LDAP search * + * DN values in the result set are escaped as per RFC 2253 + * * @throws ServerNotAvailableException */ public function search( @@ -1258,7 +1272,7 @@ class Access extends LDAPUtility { ?array $attr = null, ?int $limit = null, ?int $offset = null, - bool $skipHandling = false + bool $skipHandling = false, ): array { $limitPerPage = (int)$this->connection->ldapPagingSize; if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) { @@ -1309,7 +1323,7 @@ class Access extends LDAPUtility { if (!is_array($item)) { continue; } - $item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8'); + $item = Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8'); foreach ($attr as $key) { if (isset($item[$key])) { if (is_array($item[$key]) && isset($item[$key]['count'])) { @@ -1411,9 +1425,7 @@ class Access extends LDAPUtility { $asterisk = '*'; $input = mb_substr($input, 1, null, 'UTF-8'); } - $search = ['*', '\\', '(', ')']; - $replace = ['\\*', '\\\\', '\\(', '\\)']; - return $asterisk . str_replace($search, $replace, $input); + return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER); } /** @@ -1431,7 +1443,7 @@ class Access extends LDAPUtility { * * @param string[] $filters the filters to connect * @return string the combined filter - * Combines Filter arguments with OR + * Combines Filter arguments with OR */ public function combineFilterWithOr($filters) { return $this->combineFilter($filters, '|'); @@ -1486,7 +1498,7 @@ class Access extends LDAPUtility { * * @param string $search the search term * @param string[]|null|'' $searchAttributes needs to have at least two attributes, - * otherwise it does not make sense :) + * otherwise it does not make sense :) * @return string the final filter part to use in LDAP searches * @throws DomainException */ @@ -1514,13 +1526,13 @@ class Access extends LDAPUtility { * @param string $search the search term * @param string[]|null|'' $searchAttributes * @param string $fallbackAttribute a fallback attribute in case the user - * did not define search attributes. Typically the display name attribute. + * did not define search attributes. Typically the display name attribute. * @return string the final filter part to use in LDAP searches */ private function getFilterPartForSearch(string $search, $searchAttributes, string $fallbackAttribute): string { $filter = []; $haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0); - if ($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) { + if ($haveMultiSearchAttributes && str_contains(trim($search), ' ')) { try { return $this->getAdvancedFilterPartForSearch($search, $searchAttributes); } catch (DomainException $e) { @@ -1528,14 +1540,23 @@ class Access extends LDAPUtility { } } + $originalSearch = $search; $search = $this->prepareSearchTerm($search); if (!is_array($searchAttributes) || count($searchAttributes) === 0) { if ($fallbackAttribute === '') { return ''; } + // wildcards don't work with some attributes + if ($originalSearch !== '') { + $filter[] = $fallbackAttribute . '=' . $originalSearch; + } $filter[] = $fallbackAttribute . '=' . $search; } else { foreach ($searchAttributes as $attribute) { + // wildcards don't work with some attributes + if ($originalSearch !== '') { + $filter[] = $attribute . '=' . $originalSearch; + } $filter[] = $attribute . '=' . $search; } } @@ -1551,7 +1572,7 @@ class Access extends LDAPUtility { * a * */ private function prepareSearchTerm(string $term): string { - $config = \OC::$server->getConfig(); + $config = Server::get(IConfig::class); $allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes'); @@ -1576,17 +1597,15 @@ class Access extends LDAPUtility { return $filter; } - /** - * @param string $name - * @param string $password - * @return bool - */ - public function areCredentialsValid($name, $password) { + public function areCredentialsValid(string $name, string $password): bool { + if ($name === '' || $password === '') { + return false; + } $name = $this->helper->DNasBaseParameter($name); $testConnection = clone $this->connection; $credentials = [ 'ldapAgentName' => $name, - 'ldapAgentPassword' => $password + 'ldapAgentPassword' => $password, ]; if (!$testConnection->setConfiguration($credentials)) { return false; @@ -1715,7 +1734,7 @@ class Access extends LDAPUtility { * @return false|string * @throws ServerNotAvailableException */ - public function getUUID(string $dn, bool $isUser = true, array $ldapRecord = null) { + public function getUUID(string $dn, bool $isUser = true, ?array $ldapRecord = null) { if ($isUser) { $uuidAttr = 'ldapUuidUserAttribute'; $uuidOverride = $this->connection->ldapExpertUUIDUserAttr; @@ -1727,7 +1746,7 @@ class Access extends LDAPUtility { $uuid = false; if ($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) { $attr = $this->connection->$uuidAttr; - $uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr); + $uuid = $ldapRecord[$attr] ?? $this->readAttribute($dn, $attr); if (!is_array($uuid) && $uuidOverride !== '' && $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord)) { @@ -1792,8 +1811,8 @@ class Access extends LDAPUtility { * user. Instead we write a log message. */ $this->logger->info( - 'Passed string does not resemble a valid GUID. Known UUID ' . - '({uuid}) probably does not match UUID configuration.', + 'Passed string does not resemble a valid GUID. Known UUID ' + . '({uuid}) probably does not match UUID configuration.', ['app' => 'user_ldap', 'uuid' => $guid] ); return $guid; @@ -1958,7 +1977,7 @@ class Access extends LDAPUtility { string $base, ?array $attr, int $pageSize, - int $offset + int $offset, ): array { $pagedSearchOK = false; if ($pageSize !== 0) { @@ -1978,8 +1997,15 @@ class Access extends LDAPUtility { // no cookie known from a potential previous search. We need // to start from 0 to come to the desired page. cookie value // of '0' is valid, because 389ds - $reOffset = ($offset - $pageSize) < 0 ? 0 : $offset - $pageSize; - $this->search($filter, $base, $attr, $pageSize, $reOffset, true); + $defaultPageSize = (int)$this->connection->ldapPagingSize; + if ($offset < $defaultPageSize) { + /* Make a search with offset as page size and dismiss the result, to init the cookie */ + $this->search($filter, $base, $attr, $offset, 0, true); + } else { + /* Make a search for previous page and dismiss the result, to init the cookie */ + $reOffset = $offset - $defaultPageSize; + $this->search($filter, $base, $attr, $defaultPageSize, $reOffset, true); + } if (!$this->hasMoreResults()) { // when the cookie is reset with != 0 offset, there are no further // results, so stop. diff --git a/apps/user_ldap/lib/AccessFactory.php b/apps/user_ldap/lib/AccessFactory.php index f0820f1444f..da114c467a7 100644 --- a/apps/user_ldap/lib/AccessFactory.php +++ b/apps/user_ldap/lib/AccessFactory.php @@ -1,65 +1,44 @@ <?php + /** - * @copyright Copyright (c) 2018 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; use OCA\User_LDAP\User\Manager; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\IAppConfig; use OCP\IConfig; use OCP\IUserManager; +use OCP\Server; use Psr\Log\LoggerInterface; class AccessFactory { - private ILDAPWrapper $ldap; - private Manager $userManager; - private Helper $helper; - private IConfig $config; - private IUserManager $ncUserManager; - private LoggerInterface $logger; public function __construct( - ILDAPWrapper $ldap, - Manager $userManager, - Helper $helper, - IConfig $config, - IUserManager $ncUserManager, - LoggerInterface $logger) { - $this->ldap = $ldap; - $this->userManager = $userManager; - $this->helper = $helper; - $this->config = $config; - $this->ncUserManager = $ncUserManager; - $this->logger = $logger; + private ILDAPWrapper $ldap, + private Helper $helper, + private IConfig $config, + private IAppConfig $appConfig, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IEventDispatcher $dispatcher, + ) { } public function get(Connection $connection): Access { + /* Each Access instance gets its own Manager instance, see OCA\User_LDAP\AppInfo\Application::register() */ return new Access( - $connection, $this->ldap, - $this->userManager, + $connection, + Server::get(Manager::class), $this->helper, $this->config, $this->ncUserManager, - $this->logger + $this->logger, + $this->appConfig, + $this->dispatcher, ); } } diff --git a/apps/user_ldap/lib/AppInfo/Application.php b/apps/user_ldap/lib/AppInfo/Application.php index 757ac141d3d..70b7920f7ab 100644 --- a/apps/user_ldap/lib/AppInfo/Application.php +++ b/apps/user_ldap/lib/AppInfo/Application.php @@ -1,28 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\AppInfo; @@ -31,14 +11,16 @@ use OCA\Files_External\Service\BackendService; use OCA\User_LDAP\Controller\RenewPasswordController; use OCA\User_LDAP\Events\GroupBackendRegistered; use OCA\User_LDAP\Events\UserBackendRegistered; -use OCA\User_LDAP\FilesystemHelper; use OCA\User_LDAP\Group_Proxy; use OCA\User_LDAP\GroupPluginManager; use OCA\User_LDAP\Handler\ExtStorageConfigHandler; use OCA\User_LDAP\Helper; use OCA\User_LDAP\ILDAPWrapper; use OCA\User_LDAP\LDAP; +use OCA\User_LDAP\LoginListener; use OCA\User_LDAP\Notification\Notifier; +use OCA\User_LDAP\SetupChecks\LdapConnection; +use OCA\User_LDAP\SetupChecks\LdapInvalidUuids; use OCA\User_LDAP\User\Manager; use OCA\User_LDAP\User_Proxy; use OCA\User_LDAP\UserPluginManager; @@ -57,9 +39,10 @@ use OCP\IServerContainer; use OCP\IUserManager; use OCP\Notification\IManager as INotificationManager; use OCP\Share\IManager as IShareManager; +use OCP\User\Events\PostLoginEvent; +use OCP\Util; use Psr\Container\ContainerInterface; use Psr\Log\LoggerInterface; -use Symfony\Component\EventDispatcher\EventDispatcherInterface; class Application extends App implements IBootstrap { public function __construct() { @@ -102,7 +85,6 @@ class Application extends App implements IBootstrap { function (ContainerInterface $c) { return new Manager( $c->get(IConfig::class), - $c->get(FilesystemHelper::class), $c->get(LoggerInterface::class), $c->get(IAvatarManager::class), $c->get(Image::class), @@ -114,29 +96,32 @@ class Application extends App implements IBootstrap { // the instance is specific to a lazy bound Access instance, thus cannot be shared. false ); + $context->registerEventListener(PostLoginEvent::class, LoginListener::class); + $context->registerSetupCheck(LdapInvalidUuids::class); + $context->registerSetupCheck(LdapConnection::class); } public function boot(IBootContext $context): void { $context->injectFn(function ( INotificationManager $notificationManager, IAppContainer $appContainer, - EventDispatcherInterface $legacyDispatcher, IEventDispatcher $dispatcher, + IUserManager $userManager, IGroupManager $groupManager, User_Proxy $userBackend, Group_Proxy $groupBackend, - Helper $helper - ) { + Helper $helper, + ): void { $configPrefixes = $helper->getServerConfigurationPrefixes(true); if (count($configPrefixes) > 0) { $userPluginManager = $appContainer->get(UserPluginManager::class); $groupPluginManager = $appContainer->get(GroupPluginManager::class); - \OC_User::useBackend($userBackend); + $userManager->registerBackend($userBackend); $groupManager->addBackend($groupBackend); $userBackendRegisteredEvent = new UserBackendRegistered($userBackend, $userPluginManager); - $legacyDispatcher->dispatch('OCA\\User_LDAP\\User\\User::postLDAPBackendAdded', $userBackendRegisteredEvent); + $dispatcher->dispatch('OCA\\User_LDAP\\User\\User::postLDAPBackendAdded', $userBackendRegisteredEvent); $dispatcher->dispatchTyped($userBackendRegisteredEvent); $groupBackendRegisteredEvent = new GroupBackendRegistered($groupBackend, $groupPluginManager); $dispatcher->dispatchTyped($groupBackendRegisteredEvent); @@ -145,7 +130,7 @@ class Application extends App implements IBootstrap { $context->injectFn(Closure::fromCallable([$this, 'registerBackendDependents'])); - \OCP\Util::connectHook( + Util::connectHook( '\OCA\Files_Sharing\API\Server2Server', 'preLoginNameUsedAsUserName', '\OCA\User_LDAP\Helper', @@ -153,10 +138,10 @@ class Application extends App implements IBootstrap { ); } - private function registerBackendDependents(IAppContainer $appContainer, EventDispatcherInterface $dispatcher) { + private function registerBackendDependents(IAppContainer $appContainer, IEventDispatcher $dispatcher): void { $dispatcher->addListener( 'OCA\\Files_External::loadAdditionalBackends', - function () use ($appContainer) { + function () use ($appContainer): void { $storagesBackendService = $appContainer->get(BackendService::class); $storagesBackendService->registerConfigHandler('home', function () use ($appContainer) { return $appContainer->get(ExtStorageConfigHandler::class); diff --git a/apps/user_ldap/lib/BackendUtility.php b/apps/user_ldap/lib/BackendUtility.php index 4afcb6799d8..88d7311cde0 100644 --- a/apps/user_ldap/lib/BackendUtility.php +++ b/apps/user_ldap/lib/BackendUtility.php @@ -1,37 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; abstract class BackendUtility { - protected $access; - /** * constructor, make sure the subclasses call this one! * @param Access $access an instance of Access for LDAP interaction */ - public function __construct(Access $access) { - $this->access = $access; + public function __construct( + protected Access $access, + ) { } } diff --git a/apps/user_ldap/lib/Command/CheckGroup.php b/apps/user_ldap/lib/Command/CheckGroup.php new file mode 100644 index 00000000000..9c7ccb9d3b3 --- /dev/null +++ b/apps/user_ldap/lib/Command/CheckGroup.php @@ -0,0 +1,162 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCA\User_LDAP\Helper; +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Service\UpdateGroupsService; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\Group\Events\GroupCreatedEvent; +use OCP\Group\Events\UserAddedEvent; +use OCP\Group\Events\UserRemovedEvent; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class CheckGroup extends Command { + public function __construct( + private UpdateGroupsService $service, + protected Group_Proxy $backend, + protected Helper $helper, + protected GroupMapping $mapping, + protected IEventDispatcher $dispatcher, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:check-group') + ->setDescription('checks whether a group exists on LDAP.') + ->addArgument( + 'ocName', + InputArgument::REQUIRED, + 'the group name as used in Nextcloud, or the LDAP DN' + ) + ->addOption( + 'force', + null, + InputOption::VALUE_NONE, + 'ignores disabled LDAP configuration' + ) + ->addOption( + 'update', + null, + InputOption::VALUE_NONE, + 'syncs values from LDAP' + ) + ; + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $this->dispatcher->addListener(GroupCreatedEvent::class, fn ($event) => $this->onGroupCreatedEvent($event, $output)); + $this->dispatcher->addListener(UserAddedEvent::class, fn ($event) => $this->onUserAddedEvent($event, $output)); + $this->dispatcher->addListener(UserRemovedEvent::class, fn ($event) => $this->onUserRemovedEvent($event, $output)); + try { + $this->assertAllowed($input->getOption('force')); + $gid = $input->getArgument('ocName'); + $wasMapped = $this->groupWasMapped($gid); + if ($this->backend->getLDAPAccess($gid)->stringResemblesDN($gid)) { + $groupname = $this->backend->dn2GroupName($gid); + if ($groupname !== false) { + $gid = $groupname; + } + } + /* Search to trigger mapping for new groups */ + $this->backend->getGroups($gid); + $exists = $this->backend->groupExistsOnLDAP($gid, true); + if ($exists === true) { + $output->writeln('The group is still available on LDAP.'); + if ($input->getOption('update')) { + $this->backend->getLDAPAccess($gid)->connection->clearCache(); + if ($wasMapped) { + $this->service->handleKnownGroups([$gid]); + } else { + $this->service->handleCreatedGroups([$gid]); + } + } + return self::SUCCESS; + } + + if ($wasMapped) { + $output->writeln('The group does not exist on LDAP anymore.'); + if ($input->getOption('update')) { + $this->backend->getLDAPAccess($gid)->connection->clearCache(); + $this->service->handleRemovedGroups([$gid]); + } + return self::SUCCESS; + } + + throw new \Exception('The given group is not a recognized LDAP group.'); + } catch (\Exception $e) { + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; + } + } + + public function onGroupCreatedEvent(GroupCreatedEvent $event, OutputInterface $output): void { + $output->writeln('<info>The group ' . $event->getGroup()->getGID() . ' was added to Nextcloud with ' . $event->getGroup()->count() . ' users</info>'); + } + + public function onUserAddedEvent(UserAddedEvent $event, OutputInterface $output): void { + $user = $event->getUser(); + $group = $event->getGroup(); + $output->writeln('<info>The user ' . $user->getUID() . ' was added to group ' . $group->getGID() . '</info>'); + } + + public function onUserRemovedEvent(UserRemovedEvent $event, OutputInterface $output): void { + $user = $event->getUser(); + $group = $event->getGroup(); + $output->writeln('<info>The user ' . $user->getUID() . ' was removed from group ' . $group->getGID() . '</info>'); + } + + /** + * checks whether a group is actually mapped + * @param string $gid the groupname as passed to the command + */ + protected function groupWasMapped(string $gid): bool { + $dn = $this->mapping->getDNByName($gid); + if ($dn !== false) { + return true; + } + $name = $this->mapping->getNameByDN($gid); + return $name !== false; + } + + /** + * checks whether the setup allows reliable checking of LDAP group existence + * @throws \Exception + */ + protected function assertAllowed(bool $force): void { + if ($this->helper->haveDisabledConfigurations() && !$force) { + throw new \Exception('Cannot check group existence, because ' + . 'disabled LDAP configurations are present.'); + } + + // we don't check ldapUserCleanupInterval from config.php because this + // action is triggered manually, while the setting only controls the + // background job. + } + + private function updateGroup(string $gid, OutputInterface $output, bool $wasMapped): void { + try { + if ($wasMapped) { + $this->service->handleKnownGroups([$gid]); + } else { + $this->service->handleCreatedGroups([$gid]); + } + } catch (\Exception $e) { + $output->writeln('<error>Error while trying to lookup and update attributes from LDAP</error>'); + } + } +} diff --git a/apps/user_ldap/lib/Command/CheckUser.php b/apps/user_ldap/lib/Command/CheckUser.php index 6ccfc9c19ea..8bb26ce3d0e 100644 --- a/apps/user_ldap/lib/Command/CheckUser.php +++ b/apps/user_ldap/lib/Command/CheckUser.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -37,23 +18,12 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class CheckUser extends Command { - /** @var User_Proxy */ - protected $backend; - - /** @var Helper */ - protected $helper; - - /** @var DeletedUsersIndex */ - protected $dui; - - /** @var UserMapping */ - protected $mapping; - - public function __construct(User_Proxy $uBackend, Helper $helper, DeletedUsersIndex $dui, UserMapping $mapping) { - $this->backend = $uBackend; - $this->helper = $helper; - $this->dui = $dui; - $this->mapping = $mapping; + public function __construct( + protected User_Proxy $backend, + protected Helper $helper, + protected DeletedUsersIndex $dui, + protected UserMapping $mapping, + ) { parent::__construct(); } @@ -62,16 +32,16 @@ class CheckUser extends Command { ->setName('ldap:check-user') ->setDescription('checks whether a user exists on LDAP.') ->addArgument( - 'ocName', - InputArgument::REQUIRED, - 'the user name as used in Nextcloud, or the LDAP DN' - ) + 'ocName', + InputArgument::REQUIRED, + 'the user name as used in Nextcloud, or the LDAP DN' + ) ->addOption( - 'force', - null, - InputOption::VALUE_NONE, - 'ignores disabled LDAP configuration' - ) + 'force', + null, + InputOption::VALUE_NONE, + 'ignores disabled LDAP configuration' + ) ->addOption( 'update', null, @@ -98,19 +68,21 @@ class CheckUser extends Command { if ($input->getOption('update')) { $this->updateUser($uid, $output); } - return 0; - } elseif ($wasMapped) { + return self::SUCCESS; + } + + if ($wasMapped) { $this->dui->markUser($uid); $output->writeln('The user does not exists on LDAP anymore.'); $output->writeln('Clean up the user\'s remnants by: ./occ user:delete "' . $uid . '"'); - return 0; - } else { - throw new \Exception('The given user is not a recognized LDAP user.'); + return self::SUCCESS; } + + throw new \Exception('The given user is not a recognized LDAP user.'); } catch (\Exception $e) { - $output->writeln('<error>' . $e->getMessage(). '</error>'); - return 1; + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; } } @@ -144,7 +116,8 @@ class CheckUser extends Command { $attrs = $access->userManager->getAttributes(); $user = $access->userManager->get($uid); $avatarAttributes = $access->getConnection()->resolveRule('avatar'); - $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); + $baseDn = $this->helper->DNasBaseParameter($user->getDN()); + $result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0); foreach ($result[0] as $attribute => $valueSet) { $output->writeln(' ' . $attribute . ': '); foreach ($valueSet as $value) { diff --git a/apps/user_ldap/lib/Command/CreateEmptyConfig.php b/apps/user_ldap/lib/Command/CreateEmptyConfig.php index f7f04e28e60..7c381cf431f 100644 --- a/apps/user_ldap/lib/Command/CreateEmptyConfig.php +++ b/apps/user_ldap/lib/Command/CreateEmptyConfig.php @@ -1,26 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Martin Konrad <konrad@frib.msu.edu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -32,18 +15,13 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class CreateEmptyConfig extends Command { - /** @var \OCA\User_LDAP\Helper */ - protected $helper; - - /** - * @param Helper $helper - */ - public function __construct(Helper $helper) { - $this->helper = $helper; + public function __construct( + protected Helper $helper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:create-empty-config') ->setDescription('creates an empty LDAP configuration') @@ -67,6 +45,6 @@ class CreateEmptyConfig extends Command { $prose = 'Created new configuration with configID '; } $output->writeln($prose . "{$configPrefix}"); - return 0; + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/DeleteConfig.php b/apps/user_ldap/lib/Command/DeleteConfig.php index 707fd455611..7604e229bed 100644 --- a/apps/user_ldap/lib/Command/DeleteConfig.php +++ b/apps/user_ldap/lib/Command/DeleteConfig.php @@ -1,26 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Martin Konrad <info@martin-konrad.net> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -31,41 +14,35 @@ use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class DeleteConfig extends Command { - /** @var \OCA\User_LDAP\Helper */ - protected $helper; - - /** - * @param Helper $helper - */ - public function __construct(Helper $helper) { - $this->helper = $helper; + public function __construct( + protected Helper $helper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:delete-config') ->setDescription('deletes an existing LDAP configuration') ->addArgument( - 'configID', - InputArgument::REQUIRED, - 'the configuration ID' - ) + 'configID', + InputArgument::REQUIRED, + 'the configuration ID' + ) ; } - protected function execute(InputInterface $input, OutputInterface $output): int { $configPrefix = $input->getArgument('configID'); $success = $this->helper->deleteServerConfiguration($configPrefix); - if ($success) { - $output->writeln("Deleted configuration with configID '{$configPrefix}'"); - return 0; - } else { + if (!$success) { $output->writeln("Cannot delete configuration with configID '{$configPrefix}'"); - return 1; + return self::FAILURE; } + + $output->writeln("Deleted configuration with configID '{$configPrefix}'"); + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/PromoteGroup.php b/apps/user_ldap/lib/Command/PromoteGroup.php new file mode 100644 index 00000000000..b203a910b14 --- /dev/null +++ b/apps/user_ldap/lib/Command/PromoteGroup.php @@ -0,0 +1,111 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCP\IGroup; +use OCP\IGroupManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class PromoteGroup extends Command { + + public function __construct( + private IGroupManager $groupManager, + private Group_Proxy $backend, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:promote-group') + ->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)') + ->addArgument( + 'group', + InputArgument::REQUIRED, + 'the group ID in Nextcloud or a group name' + ) + ->addOption( + 'yes', + 'y', + InputOption::VALUE_NONE, + 'do not ask for confirmation' + ); + } + + protected function formatGroupName(IGroup $group): string { + $idLabel = ''; + if ($group->getGID() !== $group->getDisplayName()) { + $idLabel = sprintf(' (Group ID: %s)', $group->getGID()); + } + return sprintf('%s%s', $group->getDisplayName(), $idLabel); + } + + protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void { + $access = $this->backend->getLDAPAccess($group->getGID()); + $currentlyPromotedGroupId = $access->connection->ldapAdminGroup; + if ($currentlyPromotedGroupId === $group->getGID()) { + $output->writeln('<info>The specified group is already promoted</info>'); + return; + } + + if ($input->getOption('yes') === false) { + $currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId); + $demoteLabel = ''; + if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) { + $groupNameLabel = $this->formatGroupName($currentlyPromotedGroup); + $demoteLabel = sprintf('and demote %s ', $groupNameLabel); + } + + /** @var QuestionHelper $helper */ + $helper = $this->getHelper('question'); + $q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel)); + $input->setOption('yes', $helper->ask($input, $output, $q) === 'y'); + } + if ($input->getOption('yes') === true) { + $access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]); + $access->connection->saveConfiguration(); + $output->writeln(sprintf('<info>Group %s was promoted</info>', $group->getDisplayName())); + } else { + $output->writeln('<comment>Group promotion cancelled</comment>'); + } + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $groupInput = (string)$input->getArgument('group'); + $group = $this->groupManager->get($groupInput); + + if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) { + $this->promoteGroup($group, $input, $output); + return 0; + } + + $groupCandidates = $this->backend->getGroups($groupInput, 20); + foreach ($groupCandidates as $gidCandidate) { + $group = $this->groupManager->get($gidCandidate); + if ($group !== null + && $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group + && ($group->getGID() === $groupInput + || $group->getDisplayName() === $groupInput) + ) { + $this->promoteGroup($group, $input, $output); + return 0; + } + } + + $output->writeln('<error>No matching group found</error>'); + return 1; + } + +} diff --git a/apps/user_ldap/lib/Command/ResetGroup.php b/apps/user_ldap/lib/Command/ResetGroup.php index f3c3019f919..5833ca980f2 100644 --- a/apps/user_ldap/lib/Command/ResetGroup.php +++ b/apps/user_ldap/lib/Command/ResetGroup.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Command; @@ -36,18 +19,11 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\Question; class ResetGroup extends Command { - private IGroupManager $groupManager; - private GroupPluginManager $pluginManager; - private Group_Proxy $backend; - public function __construct( - IGroupManager $groupManager, - GroupPluginManager $pluginManager, - Group_Proxy $backend + private IGroupManager $groupManager, + private GroupPluginManager $pluginManager, + private Group_Proxy $backend, ) { - $this->groupManager = $groupManager; - $this->pluginManager = $pluginManager; - $this->backend = $backend; parent::__construct(); } @@ -96,16 +72,16 @@ class ResetGroup extends Command { echo "calling delete $gid\n"; if ($group->delete()) { $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); - return 0; + return self::SUCCESS; } } catch (\Throwable $e) { if (isset($pluginManagerSuppressed)) { $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); } $output->writeln('<error>' . $e->getMessage() . '</error>'); - return 1; + return self::FAILURE; } $output->writeln('<error>Error while resetting group</error>'); - return 2; + return self::INVALID; } } diff --git a/apps/user_ldap/lib/Command/ResetUser.php b/apps/user_ldap/lib/Command/ResetUser.php index 854481fc0d1..1409806e4ac 100644 --- a/apps/user_ldap/lib/Command/ResetUser.php +++ b/apps/user_ldap/lib/Command/ResetUser.php @@ -1,24 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Command; @@ -36,25 +20,15 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\Question; class ResetUser extends Command { - /** @var DeletedUsersIndex */ - protected $dui; - /** @var IUserManager */ - private $userManager; - /** @var UserPluginManager */ - private $pluginManager; - public function __construct( - DeletedUsersIndex $dui, - IUserManager $userManager, - UserPluginManager $pluginManager + protected DeletedUsersIndex $dui, + private IUserManager $userManager, + private UserPluginManager $pluginManager, ) { - $this->dui = $dui; - $this->userManager = $userManager; - $this->pluginManager = $pluginManager; parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:reset-user') ->setDescription('deletes an LDAP user independent of the user state') @@ -96,16 +70,16 @@ class ResetUser extends Command { $pluginManagerSuppressed = $this->pluginManager->setSuppressDeletion(true); if ($user->delete()) { $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); - return 0; + return self::SUCCESS; } } catch (\Throwable $e) { if (isset($pluginManagerSuppressed)) { $this->pluginManager->setSuppressDeletion($pluginManagerSuppressed); } $output->writeln('<error>' . $e->getMessage() . '</error>'); - return 1; + return self::FAILURE; } $output->writeln('<error>Error while resetting user</error>'); - return 2; + return self::INVALID; } } diff --git a/apps/user_ldap/lib/Command/Search.php b/apps/user_ldap/lib/Command/Search.php index 96c4df4b2bf..85906b20e9a 100644 --- a/apps/user_ldap/lib/Command/Search.php +++ b/apps/user_ldap/lib/Command/Search.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -31,6 +12,7 @@ use OCA\User_LDAP\Helper; use OCA\User_LDAP\LDAP; use OCA\User_LDAP\User_Proxy; use OCP\IConfig; +use OCP\Server; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; @@ -39,59 +21,52 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class Search extends Command { - /** @var \OCP\IConfig */ - protected $ocConfig; - /** @var User_Proxy */ - private $userProxy; - /** @var Group_Proxy */ - private $groupProxy; - - public function __construct(IConfig $ocConfig, User_Proxy $userProxy, Group_Proxy $groupProxy) { + public function __construct( + protected IConfig $ocConfig, + private User_Proxy $userProxy, + private Group_Proxy $groupProxy, + ) { parent::__construct(); - $this->ocConfig = $ocConfig; - $this->userProxy = $userProxy; - $this->groupProxy = $groupProxy; } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:search') ->setDescription('executes a user or group search') ->addArgument( - 'search', - InputArgument::REQUIRED, - 'the search string (can be empty)' - ) + 'search', + InputArgument::REQUIRED, + 'the search string (can be empty)' + ) ->addOption( - 'group', - null, - InputOption::VALUE_NONE, - 'searches groups instead of users' - ) + 'group', + null, + InputOption::VALUE_NONE, + 'searches groups instead of users' + ) ->addOption( - 'offset', - null, - InputOption::VALUE_REQUIRED, - 'The offset of the result set. Needs to be a multiple of limit. defaults to 0.', - '0' - ) + 'offset', + null, + InputOption::VALUE_REQUIRED, + 'The offset of the result set. Needs to be a multiple of limit. defaults to 0.', + '0' + ) ->addOption( - 'limit', - null, - InputOption::VALUE_REQUIRED, - 'limit the results. 0 means no limit, defaults to 15', - '15' - ) + 'limit', + null, + InputOption::VALUE_REQUIRED, + 'limit the results. 0 means no limit, defaults to 15', + '15' + ) ; } /** * Tests whether the offset and limit options are valid - * @param int $offset - * @param int $limit + * * @throws \InvalidArgumentException */ - protected function validateOffsetAndLimit($offset, $limit) { + protected function validateOffsetAndLimit(int $offset, int $limit): void { if ($limit < 0) { throw new \InvalidArgumentException('limit must be 0 or greater'); } @@ -107,7 +82,7 @@ class Search extends Command { } protected function execute(InputInterface $input, OutputInterface $output): int { - $helper = new Helper($this->ocConfig, \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $configPrefixes = $helper->getServerConfigurationPrefixes(true); $ldapWrapper = new LDAP(); @@ -132,9 +107,9 @@ class Search extends Command { $result = $proxy->$getMethod($input->getArgument('search'), $limit, $offset); foreach ($result as $id => $name) { - $line = $name . ($printID ? ' ('.$id.')' : ''); + $line = $name . ($printID ? ' (' . $id . ')' : ''); $output->writeln($line); } - return 0; + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/SetConfig.php b/apps/user_ldap/lib/Command/SetConfig.php index 2b487787c8a..7e9efcf34d0 100644 --- a/apps/user_ldap/lib/Command/SetConfig.php +++ b/apps/user_ldap/lib/Command/SetConfig.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -29,41 +11,42 @@ use OCA\User_LDAP\Configuration; use OCA\User_LDAP\ConnectionFactory; use OCA\User_LDAP\Helper; use OCA\User_LDAP\LDAP; +use OCP\Server; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; class SetConfig extends Command { - protected function configure() { + protected function configure(): void { $this ->setName('ldap:set-config') ->setDescription('modifies an LDAP configuration') ->addArgument( - 'configID', - InputArgument::REQUIRED, - 'the configuration ID' - ) + 'configID', + InputArgument::REQUIRED, + 'the configuration ID' + ) ->addArgument( - 'configKey', - InputArgument::REQUIRED, - 'the configuration key' - ) + 'configKey', + InputArgument::REQUIRED, + 'the configuration key' + ) ->addArgument( - 'configValue', - InputArgument::REQUIRED, - 'the new configuration value' - ) + 'configValue', + InputArgument::REQUIRED, + 'the new configuration value' + ) ; } protected function execute(InputInterface $input, OutputInterface $output): int { - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $availableConfigs = $helper->getServerConfigurationPrefixes(); $configID = $input->getArgument('configID'); if (!in_array($configID, $availableConfigs)) { - $output->writeln("Invalid configID"); - return 1; + $output->writeln('Invalid configID'); + return self::FAILURE; } $this->setValue( @@ -71,16 +54,13 @@ class SetConfig extends Command { $input->getArgument('configKey'), $input->getArgument('configValue') ); - return 0; + return self::SUCCESS; } /** * save the configuration value as provided - * @param string $configID - * @param string $configKey - * @param string $configValue */ - protected function setValue($configID, $key, $value) { + protected function setValue(string $configID, string $key, string $value): void { $configHolder = new Configuration($configID); $configHolder->$key = $value; $configHolder->saveConfiguration(); diff --git a/apps/user_ldap/lib/Command/ShowConfig.php b/apps/user_ldap/lib/Command/ShowConfig.php index 4997d9737a5..fa021192ac4 100644 --- a/apps/user_ldap/lib/Command/ShowConfig.php +++ b/apps/user_ldap/lib/Command/ShowConfig.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Johannes Leuker <j.leuker@hosting.de> - * @author Laurens Post <Crote@users.noreply.github.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -36,39 +17,34 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class ShowConfig extends Base { - /** @var \OCA\User_LDAP\Helper */ - protected $helper; - - /** - * @param Helper $helper - */ - public function __construct(Helper $helper) { - $this->helper = $helper; + public function __construct( + protected Helper $helper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:show-config') ->setDescription('shows the LDAP configuration') ->addArgument( - 'configID', - InputArgument::OPTIONAL, - 'will show the configuration of the specified id' - ) + 'configID', + InputArgument::OPTIONAL, + 'will show the configuration of the specified id' + ) ->addOption( - 'show-password', - null, - InputOption::VALUE_NONE, - 'show ldap bind password' - ) + 'show-password', + null, + InputOption::VALUE_NONE, + 'show ldap bind password' + ) ->addOption( - 'output', - null, - InputOption::VALUE_OPTIONAL, - 'Output format (table, plain, json or json_pretty, default is table)', - 'table' - ) + 'output', + null, + InputOption::VALUE_OPTIONAL, + 'Output format (table, plain, json or json_pretty, default is table)', + 'table' + ) ; } @@ -78,24 +54,27 @@ class ShowConfig extends Base { if (!is_null($configID)) { $configIDs[] = $configID; if (!in_array($configIDs[0], $availableConfigs)) { - $output->writeln("Invalid configID"); - return 1; + $output->writeln('Invalid configID'); + return self::FAILURE; } } else { $configIDs = $availableConfigs; } $this->renderConfigs($configIDs, $input, $output); - return 0; + return self::SUCCESS; } /** * prints the LDAP configuration(s) - * @param string[] configID(s) - * @param InputInterface $input - * @param OutputInterface $output + * + * @param string[] $configIDs */ - protected function renderConfigs($configIDs, $input, $output) { + protected function renderConfigs( + array $configIDs, + InputInterface $input, + OutputInterface $output, + ): void { $renderTable = $input->getOption('output') === 'table' or $input->getOption('output') === null; $showPassword = $input->getOption('show-password'); @@ -121,16 +100,17 @@ class ShowConfig extends Base { $table->setHeaders(['Configuration', $id]); $table->setRows($rows); $table->render(); - } else { - foreach ($configuration as $key => $value) { - if ($key === 'ldapAgentPassword' && !$showPassword) { - $rows[$key] = '***'; - } else { - $rows[$key] = $value; - } + continue; + } + + foreach ($configuration as $key => $value) { + if ($key === 'ldapAgentPassword' && !$showPassword) { + $rows[$key] = '***'; + } else { + $rows[$key] = $value; } - $configs[$id] = $rows; } + $configs[$id] = $rows; } if (!$renderTable) { $this->writeArrayInOutputFormat($input, $output, $configs); diff --git a/apps/user_ldap/lib/Command/ShowRemnants.php b/apps/user_ldap/lib/Command/ShowRemnants.php index 55d930dead4..d255aac1368 100644 --- a/apps/user_ldap/lib/Command/ShowRemnants.php +++ b/apps/user_ldap/lib/Command/ShowRemnants.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author scolebrook <scolebrook@mac.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -36,23 +17,14 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class ShowRemnants extends Command { - /** @var \OCA\User_LDAP\User\DeletedUsersIndex */ - protected $dui; - - /** @var \OCP\IDateTimeFormatter */ - protected $dateFormatter; - - /** - * @param DeletedUsersIndex $dui - * @param IDateTimeFormatter $dateFormatter - */ - public function __construct(DeletedUsersIndex $dui, IDateTimeFormatter $dateFormatter) { - $this->dui = $dui; - $this->dateFormatter = $dateFormatter; + public function __construct( + protected DeletedUsersIndex $dui, + protected IDateTimeFormatter $dateFormatter, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('ldap:show-remnants') ->setDescription('shows which users are not available on LDAP anymore, but have remnants in Nextcloud.') @@ -60,7 +32,7 @@ class ShowRemnants extends Command { ->addOption('short-date', null, InputOption::VALUE_NONE, 'show dates in Y-m-d format'); } - protected function formatDate(int $timestamp, string $default, bool $showShortDate) { + protected function formatDate(int $timestamp, string $default, bool $showShortDate): string { if (!($timestamp > 0)) { return $default; } @@ -103,6 +75,6 @@ class ShowRemnants extends Command { $table->setRows($rows); $table->render(); } - return 0; + return self::SUCCESS; } } diff --git a/apps/user_ldap/lib/Command/TestConfig.php b/apps/user_ldap/lib/Command/TestConfig.php index c081b0cb726..77eaac91d85 100644 --- a/apps/user_ldap/lib/Command/TestConfig.php +++ b/apps/user_ldap/lib/Command/TestConfig.php @@ -1,28 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Command; @@ -41,18 +22,11 @@ class TestConfig extends Command { protected const BINDFAILURE = 2; protected const SEARCHFAILURE = 3; - protected AccessFactory $accessFactory; - protected Helper $helper; - protected ILDAPWrapper $ldap; - public function __construct( - AccessFactory $accessFactory, - Helper $helper, - ILDAPWrapper $ldap + protected AccessFactory $accessFactory, + protected Helper $helper, + protected ILDAPWrapper $ldap, ) { - $this->accessFactory = $accessFactory; - $this->helper = $helper; - $this->ldap = $ldap; parent::__construct(); } @@ -73,28 +47,24 @@ class TestConfig extends Command { $configID = $input->getArgument('configID'); if (!in_array($configID, $availableConfigs)) { $output->writeln('Invalid configID'); - return 1; + return self::FAILURE; } $result = $this->testConfig($configID); - switch ($result) { - case static::ESTABLISHED: - $output->writeln('The configuration is valid and the connection could be established!'); - return 0; - case static::CONF_INVALID: - $output->writeln('The configuration is invalid. Please have a look at the logs for further details.'); - break; - case static::BINDFAILURE: - $output->writeln('The configuration is valid, but the bind failed. Please check the server settings and credentials.'); - break; - case static::SEARCHFAILURE: - $output->writeln('The configuration is valid and the bind passed, but a simple search on the base fails. Please check the server base setting.'); - break; - default: - $output->writeln('Your LDAP server was kidnapped by aliens.'); - break; - } - return 1; + + $message = match ($result) { + static::ESTABLISHED => 'The configuration is valid and the connection could be established!', + static::CONF_INVALID => 'The configuration is invalid. Please have a look at the logs for further details.', + static::BINDFAILURE => 'The configuration is valid, but the bind failed. Please check the server settings and credentials.', + static::SEARCHFAILURE => 'The configuration is valid and the bind passed, but a simple search on the base fails. Please check the server base setting.', + default => 'Your LDAP server was kidnapped by aliens.', + }; + + $output->writeln($message); + + return $result === static::ESTABLISHED + ? self::SUCCESS + : self::FAILURE; } /** diff --git a/apps/user_ldap/lib/Command/TestUserSettings.php b/apps/user_ldap/lib/Command/TestUserSettings.php new file mode 100644 index 00000000000..12690158f98 --- /dev/null +++ b/apps/user_ldap/lib/Command/TestUserSettings.php @@ -0,0 +1,248 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCA\User_LDAP\Helper; +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Mapping\UserMapping; +use OCA\User_LDAP\User\DeletedUsersIndex; +use OCA\User_LDAP\User_Proxy; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class TestUserSettings extends Command { + public function __construct( + protected User_Proxy $backend, + protected Group_Proxy $groupBackend, + protected Helper $helper, + protected DeletedUsersIndex $dui, + protected UserMapping $mapping, + protected GroupMapping $groupMapping, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:test-user-settings') + ->setDescription('Runs tests and show information about user related LDAP settings') + ->addArgument( + 'user', + InputArgument::REQUIRED, + 'the user name as used in Nextcloud, or the LDAP DN' + ) + ->addOption( + 'group', + 'g', + InputOption::VALUE_REQUIRED, + 'A group DN to check if the user is a member or not' + ) + ->addOption( + 'clearcache', + null, + InputOption::VALUE_NONE, + 'Clear the cache of the LDAP connection before the beginning of tests' + ) + ; + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + try { + $uid = $input->getArgument('user'); + $access = $this->backend->getLDAPAccess($uid); + $connection = $access->getConnection(); + if ($input->getOption('clearcache')) { + $connection->clearCache(); + } + $configPrefix = $connection->getConfigPrefix(); + $knownDn = ''; + if ($access->stringResemblesDN($uid)) { + $knownDn = $uid; + $username = $access->dn2username($uid); + if ($username !== false) { + $uid = $username; + } + } + + $dn = $this->mapping->getDNByName($uid); + if ($dn !== false) { + $output->writeln("User <info>$dn</info> is mapped with account name <info>$uid</info>."); + $uuid = $this->mapping->getUUIDByDN($dn); + $output->writeln("Known UUID is <info>$uuid</info>."); + if ($knownDn === '') { + $knownDn = $dn; + } + } else { + $output->writeln("User <info>$uid</info> is not mapped."); + } + + if ($knownDn === '') { + return self::SUCCESS; + } + + if (!$access->isDNPartOfBase($knownDn, $access->getConnection()->ldapBaseUsers)) { + $output->writeln( + "User <info>$knownDn</info> is not in one of the configured user bases: <info>" + . implode(',', $access->getConnection()->ldapBaseUsers) + . '</info>.' + ); + } + + $output->writeln("Configuration prefix is <info>$configPrefix</info>"); + $output->writeln(''); + + $attributeNames = [ + 'ldapBase', + 'ldapBaseUsers', + 'ldapExpertUsernameAttr', + 'ldapUuidUserAttribute', + 'ldapExpertUUIDUserAttr', + 'ldapQuotaAttribute', + 'ldapEmailAttribute', + 'ldapUserDisplayName', + 'ldapUserDisplayName2', + 'ldapExtStorageHomeAttribute', + 'ldapAttributePhone', + 'ldapAttributeWebsite', + 'ldapAttributeAddress', + 'ldapAttributeTwitter', + 'ldapAttributeFediverse', + 'ldapAttributeOrganisation', + 'ldapAttributeRole', + 'ldapAttributeHeadline', + 'ldapAttributeBiography', + 'ldapAttributeBirthDate', + 'ldapAttributePronouns', + 'ldapGidNumber', + 'hasGidNumber', + ]; + $output->writeln('Attributes set in configuration:'); + foreach ($attributeNames as $attributeName) { + if (($connection->$attributeName !== '') && ($connection->$attributeName !== [])) { + if (\is_string($connection->$attributeName)) { + $output->writeln("- $attributeName: <info>" . $connection->$attributeName . '</info>'); + } else { + $output->writeln("- $attributeName: <info>" . \json_encode($connection->$attributeName) . '</info>'); + } + } + } + + $filter = $connection->ldapUserFilter; + $attrs = $access->userManager->getAttributes(true); + $attrs[] = strtolower($connection->ldapExpertUsernameAttr); + if ($connection->ldapUuidUserAttribute !== 'auto') { + $attrs[] = strtolower($connection->ldapUuidUserAttribute); + } + if ($connection->hasGidNumber) { + $attrs[] = strtolower($connection->ldapGidNumber); + } + $attrs[] = 'memberof'; + $attrs = array_values(array_unique($attrs)); + $attributes = $access->readAttributes($knownDn, $attrs, $filter); + + if ($attributes === false) { + $output->writeln( + "LDAP read on <info>$knownDn</info> with filter <info>$filter</info> failed." + ); + return self::FAILURE; + } + + $output->writeln("Attributes fetched from LDAP using filter <info>$filter</info>:"); + foreach ($attributes as $attribute => $value) { + $output->writeln( + "- $attribute: <info>" . json_encode($value) . '</info>' + ); + } + + $uuid = $access->getUUID($knownDn); + if ($connection->ldapUuidUserAttribute === 'auto') { + $output->writeln('<error>Failed to detect UUID attribute</error>'); + } else { + $output->writeln('Detected UUID attribute: <info>' . $connection->ldapUuidUserAttribute . '</info>'); + } + if ($uuid === false) { + $output->writeln("<error>Failed to find UUID for $knownDn</error>"); + } else { + $output->writeln("UUID for <info>$knownDn</info>: <info>$uuid</info>"); + } + + $groupLdapInstance = $this->groupBackend->getBackend($configPrefix); + + $output->writeln(''); + $output->writeln('Group information:'); + + $attributeNames = [ + 'ldapBaseGroups', + 'ldapDynamicGroupMemberURL', + 'ldapGroupFilter', + 'ldapGroupMemberAssocAttr', + ]; + $output->writeln('Configuration:'); + foreach ($attributeNames as $attributeName) { + if ($connection->$attributeName !== '') { + $output->writeln("- $attributeName: <info>" . $connection->$attributeName . '</info>'); + } + } + + $primaryGroup = $groupLdapInstance->getUserPrimaryGroup($knownDn); + $output->writeln('Primary group: <info>' . ($primaryGroup !== false? $primaryGroup:'') . '</info>'); + + $groupByGid = $groupLdapInstance->getUserGroupByGid($knownDn); + $output->writeln('Group from gidNumber: <info>' . ($groupByGid !== false? $groupByGid:'') . '</info>'); + + $groups = $groupLdapInstance->getUserGroups($uid); + $output->writeln('All known groups: <info>' . json_encode($groups) . '</info>'); + + $memberOfUsed = ((int)$access->connection->hasMemberOfFilterSupport === 1 + && (int)$access->connection->useMemberOfToDetectMembership === 1); + + $output->writeln('MemberOf usage: <info>' . ($memberOfUsed ? 'on' : 'off') . '</info> (' . $access->connection->hasMemberOfFilterSupport . ',' . $access->connection->useMemberOfToDetectMembership . ')'); + + $gid = (string)$input->getOption('group'); + if ($gid === '') { + return self::SUCCESS; + } + + $output->writeln(''); + $output->writeln("Group $gid:"); + $knownGroupDn = ''; + if ($access->stringResemblesDN($gid)) { + $knownGroupDn = $gid; + $groupname = $access->dn2groupname($gid); + if ($groupname !== false) { + $gid = $groupname; + } + } + + $groupDn = $this->groupMapping->getDNByName($gid); + if ($groupDn !== false) { + $output->writeln("Group <info>$groupDn</info> is mapped with name <info>$gid</info>."); + $groupUuid = $this->groupMapping->getUUIDByDN($groupDn); + $output->writeln("Known UUID is <info>$groupUuid</info>."); + if ($knownGroupDn === '') { + $knownGroupDn = $groupDn; + } + } else { + $output->writeln("Group <info>$gid</info> is not mapped."); + } + + $members = $groupLdapInstance->usersInGroup($gid); + $output->writeln('Members: <info>' . json_encode($members) . '</info>'); + + return self::SUCCESS; + + } catch (\Exception $e) { + $output->writeln('<error>' . $e->getMessage() . '</error>'); + return self::FAILURE; + } + } +} diff --git a/apps/user_ldap/lib/Command/UpdateUUID.php b/apps/user_ldap/lib/Command/UpdateUUID.php index 716bc2d0563..93dcc37bada 100644 --- a/apps/user_ldap/lib/Command/UpdateUUID.php +++ b/apps/user_ldap/lib/Command/UpdateUUID.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <https://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Command; @@ -42,52 +24,36 @@ use Symfony\Component\Console\Output\OutputInterface; use function sprintf; class UuidUpdateReport { - const UNCHANGED = 0; - const UNKNOWN = 1; - const UNREADABLE = 2; - const UPDATED = 3; - const UNWRITABLE = 4; - const UNMAPPED = 5; + public const UNCHANGED = 0; + public const UNKNOWN = 1; + public const UNREADABLE = 2; + public const UPDATED = 3; + public const UNWRITABLE = 4; + public const UNMAPPED = 5; - public $id = ''; - public $dn = ''; - public $isUser = true; - public $state = self::UNCHANGED; - public $oldUuid = ''; - public $newUuid = ''; - - public function __construct(string $id, string $dn, bool $isUser, int $state, string $oldUuid = '', string $newUuid = '') { - $this->id = $id; - $this->dn = $dn; - $this->isUser = $isUser; - $this->state = $state; - $this->oldUuid = $oldUuid; - $this->newUuid = $newUuid; + public function __construct( + public string $id, + public string $dn, + public bool $isUser, + public int $state, + public string $oldUuid = '', + public string $newUuid = '', + ) { } } class UpdateUUID extends Command { - /** @var UserMapping */ - private $userMapping; - /** @var GroupMapping */ - private $groupMapping; - /** @var User_Proxy */ - private $userProxy; - /** @var Group_Proxy */ - private $groupProxy; /** @var array<UuidUpdateReport[]> */ - protected $reports = []; - /** @var LoggerInterface */ - private $logger; - /** @var bool */ - private $dryRun = false; + protected array $reports = []; + private bool $dryRun = false; - public function __construct(UserMapping $userMapping, GroupMapping $groupMapping, User_Proxy $userProxy, Group_Proxy $groupProxy, LoggerInterface $logger) { - $this->userMapping = $userMapping; - $this->groupMapping = $groupMapping; - $this->userProxy = $userProxy; - $this->groupProxy = $groupProxy; - $this->logger = $logger; + public function __construct( + private UserMapping $userMapping, + private GroupMapping $groupMapping, + private User_Proxy $userProxy, + private Group_Proxy $groupProxy, + private LoggerInterface $logger, + ) { $this->reports = [ UuidUpdateReport::UPDATED => [], UuidUpdateReport::UNKNOWN => [], @@ -140,7 +106,7 @@ class UpdateUUID extends Command { $entriesToUpdate = $this->estimateNumberOfUpdates($input); $progress = new ProgressBar($output); $progress->start($entriesToUpdate); - foreach($this->handleUpdates($input) as $_) { + foreach ($this->handleUpdates($input) as $_) { $progress->advance(); } $progress->finish(); @@ -149,8 +115,8 @@ class UpdateUUID extends Command { return count($this->reports[UuidUpdateReport::UNMAPPED]) === 0 && count($this->reports[UuidUpdateReport::UNREADABLE]) === 0 && count($this->reports[UuidUpdateReport::UNWRITABLE]) === 0 - ? 0 - : 1; + ? self::SUCCESS + : self::FAILURE; } protected function printReport(OutputInterface $output): void { @@ -178,7 +144,7 @@ class UpdateUUID extends Command { if (!empty($report->id)) { $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); - } else if (!empty($report->dn)) { + } elseif (!empty($report->dn)) { $output->writeln(sprintf(' DN: %s', $report->dn)); } } @@ -190,7 +156,7 @@ class UpdateUUID extends Command { if ($output->isVerbose()) { /** @var UuidUpdateReport $report */ foreach ($this->reports[UuidUpdateReport::UNKNOWN] as $report) { - $output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id)); + $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); } $output->writeln(PHP_EOL . 'Old users can be removed along with their data per occ user:delete.' . PHP_EOL); } @@ -201,7 +167,7 @@ class UpdateUUID extends Command { if ($output->isVerbose()) { /** @var UuidUpdateReport $report */ foreach ($this->reports[UuidUpdateReport::UNREADABLE] as $report) { - $output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id)); + $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); } } } @@ -211,7 +177,7 @@ class UpdateUUID extends Command { if ($output->isVerbose()) { /** @var UuidUpdateReport $report */ foreach ($this->reports[UuidUpdateReport::UNWRITABLE] as $report) { - $output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id)); + $output->writeln(sprintf(' %s: %s', $report->isUser ? 'User' : 'Group', $report->id)); } } } @@ -219,37 +185,37 @@ class UpdateUUID extends Command { protected function handleUpdates(InputInterface $input): \Generator { if ($input->getOption('all')) { - foreach($this->handleMappingBasedUpdates(false) as $_) { + foreach ($this->handleMappingBasedUpdates(false) as $_) { yield; } - } else if ($input->getOption('userId') + } elseif ($input->getOption('userId') || $input->getOption('groupId') || $input->getOption('dn') ) { - foreach($this->handleUpdatesByUserId($input->getOption('userId')) as $_) { + foreach ($this->handleUpdatesByUserId($input->getOption('userId')) as $_) { yield; } - foreach($this->handleUpdatesByGroupId($input->getOption('groupId')) as $_) { + foreach ($this->handleUpdatesByGroupId($input->getOption('groupId')) as $_) { yield; } - foreach($this->handleUpdatesByDN($input->getOption('dn')) as $_) { + foreach ($this->handleUpdatesByDN($input->getOption('dn')) as $_) { yield; } } else { - foreach($this->handleMappingBasedUpdates(true) as $_) { + foreach ($this->handleMappingBasedUpdates(true) as $_) { yield; } } } protected function handleUpdatesByUserId(array $userIds): \Generator { - foreach($this->handleUpdatesByEntryId($userIds, $this->userMapping) as $_) { + foreach ($this->handleUpdatesByEntryId($userIds, $this->userMapping) as $_) { yield; } } protected function handleUpdatesByGroupId(array $groupIds): \Generator { - foreach($this->handleUpdatesByEntryId($groupIds, $this->groupMapping) as $_) { + foreach ($this->handleUpdatesByEntryId($groupIds, $this->groupMapping) as $_) { yield; } } @@ -272,10 +238,10 @@ class UpdateUUID extends Command { $this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport('', $dn, true, UuidUpdateReport::UNMAPPED); yield; } - foreach($this->handleUpdatesByList($this->userMapping, $userList) as $_) { + foreach ($this->handleUpdatesByList($this->userMapping, $userList) as $_) { yield; } - foreach($this->handleUpdatesByList($this->groupMapping, $groupList) as $_) { + foreach ($this->handleUpdatesByList($this->groupMapping, $groupList) as $_) { yield; } } @@ -284,7 +250,7 @@ class UpdateUUID extends Command { $isUser = $mapping instanceof UserMapping; $list = []; while ($id = array_pop($ids)) { - if(!$dn = $mapping->getDNByName($id)) { + if (!$dn = $mapping->getDNByName($id)) { $this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport($id, '', $isUser, UuidUpdateReport::UNMAPPED); yield; continue; @@ -293,21 +259,21 @@ class UpdateUUID extends Command { $uuid = $mapping->getUUIDByDN($dn); $list[] = ['name' => $id, 'uuid' => $uuid]; } - foreach($this->handleUpdatesByList($mapping, $list) as $_) { + foreach ($this->handleUpdatesByList($mapping, $list) as $_) { yield; } } protected function handleMappingBasedUpdates(bool $invalidatedOnly): \Generator { $limit = 1000; - /** @var AbstractMapping $mapping*/ - foreach([$this->userMapping, $this->groupMapping] as $mapping) { + /** @var AbstractMapping $mapping */ + foreach ([$this->userMapping, $this->groupMapping] as $mapping) { $offset = 0; do { $list = $mapping->getList($offset, $limit, $invalidatedOnly); $offset += $limit; - foreach($this->handleUpdatesByList($mapping, $list) as $tick) { + foreach ($this->handleUpdatesByList($mapping, $list) as $tick) { yield; // null, for it only advances progress counter } } while (count($list) === $limit); @@ -326,8 +292,7 @@ class UpdateUUID extends Command { foreach ($list as $row) { $access = $backendProxy->getLDAPAccess($row['name']); if ($access instanceof Access - && $dn = $mapping->getDNByName($row['name'])) - { + && $dn = $mapping->getDNByName($row['name'])) { if ($uuid = $access->getUUID($dn, $isUser)) { if ($uuid !== $row['uuid']) { if ($this->dryRun || $mapping->setUUIDbyDN($uuid, $dn)) { @@ -359,7 +324,7 @@ class UpdateUUID extends Command { protected function estimateNumberOfUpdates(InputInterface $input): int { if ($input->getOption('all')) { return $this->userMapping->count() + $this->groupMapping->count(); - } else if ($input->getOption('userId') + } elseif ($input->getOption('userId') || $input->getOption('groupId') || $input->getOption('dn') ) { @@ -370,5 +335,4 @@ class UpdateUUID extends Command { return $this->userMapping->countInvalidated() + $this->groupMapping->countInvalidated(); } } - } diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index 59fac50b90b..b4a5b847204 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -1,42 +1,89 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Alex Weirig <alex.weirig@technolink.lu> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lennart Rosam <hello@takuto.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Xuanwo <xuanwo@yunify.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; +use OCP\IConfig; +use OCP\Server; +use Psr\Log\LoggerInterface; + /** - * @property int ldapPagingSize holds an integer - * @property string ldapUserAvatarRule + * @property string $ldapHost + * @property string $ldapPort + * @property string $ldapBackupHost + * @property string $ldapBackupPort + * @property string $ldapBackgroundHost + * @property string $ldapBackgroundPort + * @property array|'' $ldapBase + * @property array|'' $ldapBaseUsers + * @property array|'' $ldapBaseGroups + * @property string $ldapAgentName + * @property string $ldapAgentPassword + * @property string $ldapTLS + * @property string $turnOffCertCheck + * @property string $ldapIgnoreNamingRules + * @property string $ldapUserDisplayName + * @property string $ldapUserDisplayName2 + * @property string $ldapUserAvatarRule + * @property string $ldapGidNumber + * @property array|'' $ldapUserFilterObjectclass + * @property array|'' $ldapUserFilterGroups + * @property string $ldapUserFilter + * @property string $ldapUserFilterMode + * @property string $ldapGroupFilter + * @property string $ldapGroupFilterMode + * @property array|'' $ldapGroupFilterObjectclass + * @property array|'' $ldapGroupFilterGroups + * @property string $ldapGroupDisplayName + * @property string $ldapGroupMemberAssocAttr + * @property string $ldapLoginFilter + * @property string $ldapLoginFilterMode + * @property string $ldapLoginFilterEmail + * @property string $ldapLoginFilterUsername + * @property array|'' $ldapLoginFilterAttributes + * @property string $ldapQuotaAttribute + * @property string $ldapQuotaDefault + * @property string $ldapEmailAttribute + * @property string $ldapCacheTTL + * @property string $ldapUuidUserAttribute + * @property string $ldapUuidGroupAttribute + * @property string $ldapOverrideMainServer + * @property string $ldapConfigurationActive + * @property array|'' $ldapAttributesForUserSearch + * @property array|'' $ldapAttributesForGroupSearch + * @property string $ldapExperiencedAdmin + * @property string $homeFolderNamingRule + * @property string $hasMemberOfFilterSupport + * @property string $useMemberOfToDetectMembership + * @property string $ldapExpertUsernameAttr + * @property string $ldapExpertUUIDUserAttr + * @property string $ldapExpertUUIDGroupAttr + * @property string $markRemnantsAsDisabled + * @property string $lastJpegPhotoLookup + * @property string $ldapNestedGroups + * @property string $ldapPagingSize + * @property string $turnOnPasswordChange + * @property string $ldapDynamicGroupMemberURL + * @property string $ldapDefaultPPolicyDN + * @property string $ldapExtStorageHomeAttribute + * @property string $ldapMatchingRuleInChainState + * @property string $ldapConnectionTimeout + * @property string $ldapAttributePhone + * @property string $ldapAttributeWebsite + * @property string $ldapAttributeAddress + * @property string $ldapAttributeTwitter + * @property string $ldapAttributeFediverse + * @property string $ldapAttributeOrganisation + * @property string $ldapAttributeRole + * @property string $ldapAttributeHeadline + * @property string $ldapAttributeBiography + * @property string $ldapAdminGroup + * @property string $ldapAttributeBirthDate + * @property string $ldapAttributePronouns */ class Configuration { public const AVATAR_PREFIX_DEFAULT = 'default'; @@ -46,11 +93,6 @@ class Configuration { public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown'; public const LDAP_SERVER_FEATURE_AVAILABLE = 'available'; public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable'; - - /** - * @var string - */ - protected $configPrefix; /** * @var bool */ @@ -114,6 +156,7 @@ class Configuration { 'ldapExpertUsernameAttr' => null, 'ldapExpertUUIDUserAttr' => null, 'ldapExpertUUIDGroupAttr' => null, + 'markRemnantsAsDisabled' => false, 'lastJpegPhotoLookup' => null, 'ldapNestedGroups' => false, 'ldapPagingSize' => null, @@ -123,10 +166,25 @@ class Configuration { 'ldapExtStorageHomeAttribute' => null, 'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN, 'ldapConnectionTimeout' => 15, + 'ldapAttributePhone' => null, + 'ldapAttributeWebsite' => null, + 'ldapAttributeAddress' => null, + 'ldapAttributeTwitter' => null, + 'ldapAttributeFediverse' => null, + 'ldapAttributeOrganisation' => null, + 'ldapAttributeRole' => null, + 'ldapAttributeHeadline' => null, + 'ldapAttributeBiography' => null, + 'ldapAdminGroup' => '', + 'ldapAttributeBirthDate' => null, + 'ldapAttributeAnniversaryDate' => null, + 'ldapAttributePronouns' => null, ]; - public function __construct(string $configPrefix, bool $autoRead = true) { - $this->configPrefix = $configPrefix; + public function __construct( + protected string $configPrefix, + bool $autoRead = true, + ) { if ($autoRead) { $this->readConfiguration(); } @@ -160,13 +218,13 @@ class Configuration { * from configuration. It does not save the configuration! To do so, you * must call saveConfiguration afterwards. * @param array $config array that holds the config parameters in an associated - * array + * array * @param array &$applied optional; array where the set fields will be given to */ - public function setConfiguration(array $config, array &$applied = null): void { + public function setConfiguration(array $config, ?array &$applied = null): void { $cta = $this->getConfigTranslationArray(); foreach ($config as $inputKey => $val) { - if (strpos($inputKey, '_') !== false && array_key_exists($inputKey, $cta)) { + if (str_contains($inputKey, '_') && array_key_exists($inputKey, $cta)) { $key = $cta[$inputKey]; } elseif (array_key_exists($inputKey, $this->config)) { $key = $inputKey; @@ -181,8 +239,8 @@ class Configuration { break; case 'homeFolderNamingRule': $trimmedVal = trim($val); - if ($trimmedVal !== '' && strpos($val, 'attr:') === false) { - $val = 'attr:'.$trimmedVal; + if ($trimmedVal !== '' && !str_contains($val, 'attr:')) { + $val = 'attr:' . $trimmedVal; } break; case 'ldapBase': @@ -238,6 +296,28 @@ class Configuration { break; case 'ldapUserDisplayName2': case 'ldapGroupDisplayName': + case 'ldapGidNumber': + case 'ldapGroupMemberAssocAttr': + case 'ldapQuotaAttribute': + case 'ldapEmailAttribute': + case 'ldapUuidUserAttribute': + case 'ldapUuidGroupAttribute': + case 'ldapExpertUsernameAttr': + case 'ldapExpertUUIDUserAttr': + case 'ldapExpertUUIDGroupAttr': + case 'ldapExtStorageHomeAttribute': + case 'ldapAttributePhone': + case 'ldapAttributeWebsite': + case 'ldapAttributeAddress': + case 'ldapAttributeTwitter': + case 'ldapAttributeFediverse': + case 'ldapAttributeOrganisation': + case 'ldapAttributeRole': + case 'ldapAttributeHeadline': + case 'ldapAttributeBiography': + case 'ldapAttributeBirthDate': + case 'ldapAttributeAnniversaryDate': + case 'ldapAttributePronouns': $readMethod = 'getLcValue'; break; case 'ldapUserDisplayName': @@ -360,7 +440,7 @@ class Configuration { protected function getSystemValue(string $varName): string { //FIXME: if another system value is added, softcode the default value - return \OC::$server->getConfig()->getSystemValue($varName, false); + return Server::get(IConfig::class)->getSystemValue($varName, false); } protected function getValue(string $varName): string { @@ -368,8 +448,8 @@ class Configuration { if (is_null($defaults)) { $defaults = $this->getDefaults(); } - return \OC::$server->getConfig()->getAppValue('user_ldap', - $this->configPrefix.$varName, + return Server::get(IConfig::class)->getAppValue('user_ldap', + $this->configPrefix . $varName, $defaults[$varName]); } @@ -397,9 +477,9 @@ class Configuration { } protected function saveValue(string $varName, string $value): bool { - \OC::$server->getConfig()->setAppValue( + Server::get(IConfig::class)->setAppValue( 'user_ldap', - $this->configPrefix.$varName, + $this->configPrefix . $varName, $value ); return true; @@ -407,7 +487,7 @@ class Configuration { /** * @return array an associative array with the default values. Keys are correspond - * to config-value entries in the database table + * to config-value entries in the database table */ public function getDefaults(): array { return [ @@ -458,6 +538,7 @@ class Configuration { 'ldap_expert_uuid_group_attr' => '', 'has_memberof_filter_support' => 0, 'use_memberof_to_detect_membership' => 1, + 'ldap_mark_remnants_as_disabled' => 0, 'last_jpegPhoto_lookup' => 0, 'ldap_nested_groups' => 0, 'ldap_paging_size' => 500, @@ -469,6 +550,19 @@ class Configuration { 'ldap_ext_storage_home_attribute' => '', 'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN, 'ldap_connection_timeout' => 15, + 'ldap_attr_phone' => '', + 'ldap_attr_website' => '', + 'ldap_attr_address' => '', + 'ldap_attr_twitter' => '', + 'ldap_attr_fediverse' => '', + 'ldap_attr_organisation' => '', + 'ldap_attr_role' => '', + 'ldap_attr_headline' => '', + 'ldap_attr_biography' => '', + 'ldap_admin_group' => '', + 'ldap_attr_birthdate' => '', + 'ldap_attr_anniversarydate' => '', + 'ldap_attr_pronouns' => '', ]; } @@ -524,6 +618,7 @@ class Configuration { 'ldap_expert_uuid_group_attr' => 'ldapExpertUUIDGroupAttr', 'has_memberof_filter_support' => 'hasMemberOfFilterSupport', 'use_memberof_to_detect_membership' => 'useMemberOfToDetectMembership', + 'ldap_mark_remnants_as_disabled' => 'markRemnantsAsDisabled', 'last_jpegPhoto_lookup' => 'lastJpegPhotoLookup', 'ldap_nested_groups' => 'ldapNestedGroups', 'ldap_paging_size' => 'ldapPagingSize', @@ -535,6 +630,19 @@ class Configuration { 'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState', 'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig 'ldap_connection_timeout' => 'ldapConnectionTimeout', + 'ldap_attr_phone' => 'ldapAttributePhone', + 'ldap_attr_website' => 'ldapAttributeWebsite', + 'ldap_attr_address' => 'ldapAttributeAddress', + 'ldap_attr_twitter' => 'ldapAttributeTwitter', + 'ldap_attr_fediverse' => 'ldapAttributeFediverse', + 'ldap_attr_organisation' => 'ldapAttributeOrganisation', + 'ldap_attr_role' => 'ldapAttributeRole', + 'ldap_attr_headline' => 'ldapAttributeHeadline', + 'ldap_attr_biography' => 'ldapAttributeBiography', + 'ldap_admin_group' => 'ldapAdminGroup', + 'ldap_attr_birthdate' => 'ldapAttributeBirthDate', + 'ldap_attr_anniversarydate' => 'ldapAttributeAnniversaryDate', + 'ldap_attr_pronouns' => 'ldapAttributePronouns', ]; return $array; } @@ -556,7 +664,7 @@ class Configuration { if ($value === self::AVATAR_PREFIX_NONE) { return []; } - if (strpos($value, self::AVATAR_PREFIX_DATA_ATTRIBUTE) === 0) { + if (str_starts_with($value, self::AVATAR_PREFIX_DATA_ATTRIBUTE)) { $attribute = trim(substr($value, strlen(self::AVATAR_PREFIX_DATA_ATTRIBUTE))); if ($attribute === '') { return $defaultAttributes; @@ -564,7 +672,7 @@ class Configuration { return [strtolower($attribute)]; } if ($value !== self::AVATAR_PREFIX_DEFAULT) { - \OC::$server->getLogger()->warning('Invalid config value to ldapUserAvatarRule; falling back to default.'); + Server::get(LoggerInterface::class)->warning('Invalid config value to ldapUserAvatarRule; falling back to default.'); } return $defaultAttributes; } @@ -573,6 +681,7 @@ class Configuration { * Returns TRUE if the ldapHost variable starts with 'ldapi://' */ public function usesLdapi(): bool { - return (substr($this->config['ldapHost'], 0, strlen('ldapi://')) === 'ldapi://'); + $host = $this->config['ldapHost']; + return is_string($host) && (substr($host, 0, strlen('ldapi://')) === 'ldapi://'); } } diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php index 6700890c8c7..336179ac341 100644 --- a/apps/user_ldap/lib/Connection.php +++ b/apps/user_ldap/lib/Connection.php @@ -1,104 +1,106 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Jarkko Lehtoranta <devel@jlranta.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Xuanwo <xuanwo@yunify.com> - * @author Vincent Van Houtte <vvh@aplusv.be> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; use OC\ServerNotAvailableException; +use OCA\User_LDAP\Exceptions\ConfigurationIssueException; +use OCP\ICache; +use OCP\ICacheFactory; +use OCP\IL10N; +use OCP\Server; +use OCP\Util; use Psr\Log\LoggerInterface; /** - * magic properties (incomplete) + * magic properties * responsible for LDAP connections in context with the provided configuration * - * @property string ldapHost - * @property string ldapPort holds the port number - * @property string ldapUserFilter - * @property string ldapUserDisplayName - * @property string ldapUserDisplayName2 - * @property string ldapUserAvatarRule - * @property boolean turnOnPasswordChange - * @property string[] ldapBaseUsers - * @property int|null ldapPagingSize holds an integer - * @property bool|mixed|void ldapGroupMemberAssocAttr - * @property string ldapUuidUserAttribute - * @property string ldapUuidGroupAttribute - * @property string ldapExpertUUIDUserAttr - * @property string ldapExpertUUIDGroupAttr - * @property string ldapQuotaAttribute - * @property string ldapQuotaDefault - * @property string ldapEmailAttribute - * @property string ldapExtStorageHomeAttribute - * @property string homeFolderNamingRule - * @property bool|string ldapNestedGroups - * @property string[] ldapBaseGroups - * @property string ldapGroupFilter - * @property string ldapGroupDisplayName - * @property string ldapLoginFilter - * @property string ldapDynamicGroupMemberURL - * @property string ldapGidNumber - * @property int hasMemberOfFilterSupport - * @property int useMemberOfToDetectMembership - * @property string ldapMatchingRuleInChainState + * @property string $ldapHost + * @property string $ldapPort + * @property string $ldapBackupHost + * @property string $ldapBackupPort + * @property string $ldapBackgroundHost + * @property string $ldapBackgroundPort + * @property array|'' $ldapBase + * @property array|'' $ldapBaseUsers + * @property array|'' $ldapBaseGroups + * @property string $ldapAgentName + * @property string $ldapAgentPassword + * @property string $ldapTLS + * @property string $turnOffCertCheck + * @property string $ldapIgnoreNamingRules + * @property string $ldapUserDisplayName + * @property string $ldapUserDisplayName2 + * @property string $ldapUserAvatarRule + * @property string $ldapGidNumber + * @property array|'' $ldapUserFilterObjectclass + * @property array|'' $ldapUserFilterGroups + * @property string $ldapUserFilter + * @property string $ldapUserFilterMode + * @property string $ldapGroupFilter + * @property string $ldapGroupFilterMode + * @property array|'' $ldapGroupFilterObjectclass + * @property array|'' $ldapGroupFilterGroups + * @property string $ldapGroupDisplayName + * @property string $ldapGroupMemberAssocAttr + * @property string $ldapLoginFilter + * @property string $ldapLoginFilterMode + * @property string $ldapLoginFilterEmail + * @property string $ldapLoginFilterUsername + * @property array|'' $ldapLoginFilterAttributes + * @property string $ldapQuotaAttribute + * @property string $ldapQuotaDefault + * @property string $ldapEmailAttribute + * @property string $ldapCacheTTL + * @property string $ldapUuidUserAttribute + * @property string $ldapUuidGroupAttribute + * @property string $ldapOverrideMainServer + * @property string $ldapConfigurationActive + * @property array|'' $ldapAttributesForUserSearch + * @property array|'' $ldapAttributesForGroupSearch + * @property string $ldapExperiencedAdmin + * @property string $homeFolderNamingRule + * @property string $hasMemberOfFilterSupport + * @property string $useMemberOfToDetectMembership + * @property string $ldapExpertUsernameAttr + * @property string $ldapExpertUUIDUserAttr + * @property string $ldapExpertUUIDGroupAttr + * @property string $markRemnantsAsDisabled + * @property string $lastJpegPhotoLookup + * @property string $ldapNestedGroups + * @property string $ldapPagingSize + * @property string $turnOnPasswordChange + * @property string $ldapDynamicGroupMemberURL + * @property string $ldapDefaultPPolicyDN + * @property string $ldapExtStorageHomeAttribute + * @property string $ldapMatchingRuleInChainState + * @property string $ldapConnectionTimeout + * @property string $ldapAttributePhone + * @property string $ldapAttributeWebsite + * @property string $ldapAttributeAddress + * @property string $ldapAttributeTwitter + * @property string $ldapAttributeFediverse + * @property string $ldapAttributeOrganisation + * @property string $ldapAttributeRole + * @property string $ldapAttributeHeadline + * @property string $ldapAttributeBiography + * @property string $ldapAdminGroup + * @property string $ldapAttributeBirthDate + * @property string $ldapAttributePronouns */ class Connection extends LDAPUtility { - /** - * @var resource|\LDAP\Connection|null - */ - private $ldapConnectionRes = null; - - /** - * @var string - */ - private $configPrefix; - - /** - * @var ?string - */ - private $configID; - - /** - * @var bool - */ - private $configured = false; + private ?\LDAP\Connection $ldapConnectionRes = null; + private bool $configured = false; /** * @var bool whether connection should be kept on __destruct */ - private $dontDestruct = false; + private bool $dontDestruct = false; /** * @var bool runtime flag that indicates whether supported primary groups are available @@ -111,11 +113,11 @@ class Connection extends LDAPUtility { public $hasGidNumber = true; /** - * @var \OCP\ICache|null + * @var ICache|null */ protected $cache = null; - /** @var Configuration settings handler **/ + /** @var Configuration settings handler * */ protected $configuration; /** @@ -133,27 +135,30 @@ class Connection extends LDAPUtility { */ protected $bindResult = []; - /** @var LoggerInterface */ - protected $logger; + protected LoggerInterface $logger; + private IL10N $l10n; /** * Constructor * @param string $configPrefix a string with the prefix for the configkey column (appconfig table) * @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections */ - public function __construct(ILDAPWrapper $ldap, string $configPrefix = '', ?string $configID = 'user_ldap') { + public function __construct( + ILDAPWrapper $ldap, + private string $configPrefix = '', + private ?string $configID = 'user_ldap', + ) { parent::__construct($ldap); - $this->configPrefix = $configPrefix; - $this->configID = $configID; - $this->configuration = new Configuration($configPrefix, !is_null($configID)); - $memcache = \OC::$server->getMemCacheFactory(); + $this->configuration = new Configuration($this->configPrefix, !is_null($this->configID)); + $memcache = Server::get(ICacheFactory::class); if ($memcache->isAvailable()) { $this->cache = $memcache->createDistributed(); } - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $this->doNotValidate = !in_array($this->configPrefix, $helper->getServerConfigurationPrefixes()); - $this->logger = \OC::$server->get(LoggerInterface::class); + $this->logger = Server::get(LoggerInterface::class); + $this->l10n = Util::getL10N('user_ldap'); } public function __destruct() { @@ -230,14 +235,11 @@ class Connection extends LDAPUtility { } /** - * @return resource|\LDAP\Connection The LDAP resource + * @return \LDAP\Connection The LDAP resource */ - public function getConnectionResource() { + public function getConnectionResource(): \LDAP\Connection { if (!$this->ldapConnectionRes) { $this->init(); - } elseif (!$this->ldap->isResource($this->ldapConnectionRes)) { - $this->ldapConnectionRes = null; - $this->establishConnection(); } if (is_null($this->ldapConnectionRes)) { $this->logger->error( @@ -252,7 +254,7 @@ class Connection extends LDAPUtility { /** * resets the connection resource */ - public function resetConnectionResource() { + public function resetConnectionResource(): void { if (!is_null($this->ldapConnectionRes)) { @$this->ldap->unbind($this->ldapConnectionRes); $this->ldapConnectionRes = null; @@ -262,14 +264,13 @@ class Connection extends LDAPUtility { /** * @param string|null $key - * @return string */ - private function getCacheKey($key) { - $prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-'; + private function getCacheKey($key): string { + $prefix = 'LDAP-' . $this->configID . '-' . $this->configPrefix . '-'; if (is_null($key)) { return $prefix; } - return $prefix.hash('sha256', $key); + return $prefix . hash('sha256', $key); } /** @@ -288,11 +289,15 @@ class Connection extends LDAPUtility { return json_decode(base64_decode($this->cache->get($key) ?? ''), true); } + public function getConfigPrefix(): string { + return $this->configPrefix; + } + /** * @param string $key * @param mixed $value */ - public function writeToCache($key, $value, int $ttlOverride = null): void { + public function writeToCache($key, $value, ?int $ttlOverride = null): void { if (!$this->configured) { $this->readConfiguration(); } @@ -316,10 +321,9 @@ class Connection extends LDAPUtility { /** * Caches the general LDAP configuration. * @param bool $force optional. true, if the re-read should be forced. defaults - * to false. - * @return null + * to false. */ - private function readConfiguration($force = false) { + private function readConfiguration(bool $force = false): void { if ((!$this->configured || $force) && !is_null($this->configID)) { $this->configuration->readConfiguration(); $this->configured = $this->validateConfiguration(); @@ -330,16 +334,17 @@ class Connection extends LDAPUtility { * set LDAP configuration with values delivered by an array, not read from configuration * @param array $config array that holds the config parameters in an associated array * @param array &$setParameters optional; array where the set fields will be given to + * @param bool $throw if true, throw ConfigurationIssueException with details instead of returning false * @return bool true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters */ - public function setConfiguration($config, &$setParameters = null): bool { + public function setConfiguration(array $config, ?array &$setParameters = null, bool $throw = false): bool { if (is_null($setParameters)) { $setParameters = []; } $this->doNotValidate = false; $this->configuration->setConfiguration($config, $setParameters); if (count($setParameters) > 0) { - $this->configured = $this->validateConfiguration(); + $this->configured = $this->validateConfiguration($throw); } @@ -368,7 +373,7 @@ class Connection extends LDAPUtility { foreach ($cta as $dbkey => $configkey) { switch ($configkey) { case 'homeFolderNamingRule': - if (strpos($config[$configkey], 'attr:') === 0) { + if (str_starts_with($config[$configkey], 'attr:')) { $result[$dbkey] = substr($config[$configkey], 5); } else { $result[$dbkey] = ''; @@ -391,7 +396,7 @@ class Connection extends LDAPUtility { return $result; } - private function doSoftValidation() { + private function doSoftValidation(): void { //if User or Group Base are not set, take over Base DN setting foreach (['ldapBaseUsers', 'ldapBaseGroups'] as $keyBase) { $val = $this->configuration->$keyBase; @@ -401,8 +406,7 @@ class Connection extends LDAPUtility { } foreach (['ldapExpertUUIDUserAttr' => 'ldapUuidUserAttribute', - 'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute'] - as $expertSetting => $effectiveSetting) { + 'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute'] as $expertSetting => $effectiveSetting) { $uuidOverride = $this->configuration->$expertSetting; if (!empty($uuidOverride)) { $this->configuration->$effectiveSetting = $uuidOverride; @@ -414,7 +418,7 @@ class Connection extends LDAPUtility { $this->configuration->$effectiveSetting = 'auto'; $this->configuration->saveConfiguration(); $this->logger->info( - 'Illegal value for the '.$effectiveSetting.', reset to autodetect.', + 'Illegal value for the ' . $effectiveSetting . ', reset to autodetect.', ['app' => 'user_ldap'] ); } @@ -423,7 +427,7 @@ class Connection extends LDAPUtility { $backupPort = (int)$this->configuration->ldapBackupPort; if ($backupPort <= 0) { - $this->configuration->backupPort = $this->configuration->ldapPort; + $this->configuration->ldapBackupPort = $this->configuration->ldapPort; } //make sure empty search attributes are saved as simple, empty array @@ -438,7 +442,7 @@ class Connection extends LDAPUtility { if ((stripos((string)$this->configuration->ldapHost, 'ldaps://') === 0) && $this->configuration->ldapTLS) { - $this->configuration->ldapTLS = false; + $this->configuration->ldapTLS = (string)false; $this->logger->info( 'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.', ['app' => 'user_ldap'] @@ -447,13 +451,9 @@ class Connection extends LDAPUtility { } /** - * @return bool + * @throws ConfigurationIssueException */ - private function doCriticalValidation() { - $configurationOK = true; - $errorStr = 'Configuration Error (prefix '. - (string)$this->configPrefix .'): '; - + private function doCriticalValidation(): void { //options that shall not be empty $options = ['ldapHost', 'ldapUserDisplayName', 'ldapGroupDisplayName', 'ldapLoginFilter']; @@ -486,10 +486,9 @@ class Connection extends LDAPUtility { $subj = $key; break; } - $configurationOK = false; - $this->logger->warning( - $errorStr.'No '.$subj.' given!', - ['app' => 'user_ldap'] + throw new ConfigurationIssueException( + 'No ' . $subj . ' given!', + $this->l10n->t('Mandatory field "%s" left empty', $subj), ); } } @@ -497,47 +496,76 @@ class Connection extends LDAPUtility { //combinations $agent = $this->configuration->ldapAgentName; $pwd = $this->configuration->ldapAgentPassword; - if ( - ($agent === '' && $pwd !== '') - || ($agent !== '' && $pwd === '') - ) { - $this->logger->warning( - $errorStr.'either no password is given for the user ' . - 'agent or a password is given, but not an LDAP agent.', - ['app' => 'user_ldap'] + if ($agent === '' && $pwd !== '') { + throw new ConfigurationIssueException( + 'A password is given, but not an LDAP agent', + $this->l10n->t('A password is given, but not an LDAP agent'), + ); + } + if ($agent !== '' && $pwd === '') { + throw new ConfigurationIssueException( + 'No password is given for the user agent', + $this->l10n->t('No password is given for the user agent'), ); - $configurationOK = false; } $base = $this->configuration->ldapBase; $baseUsers = $this->configuration->ldapBaseUsers; $baseGroups = $this->configuration->ldapBaseGroups; - if (empty($base) && empty($baseUsers) && empty($baseGroups)) { - $this->logger->warning( - $errorStr.'Not a single Base DN given.', - ['app' => 'user_ldap'] + if (empty($base)) { + throw new ConfigurationIssueException( + 'Not a single Base DN given', + $this->l10n->t('No LDAP base DN was given'), ); - $configurationOK = false; } - if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') - === false) { - $this->logger->warning( - $errorStr.'login filter does not contain %uid place holder.', - ['app' => 'user_ldap'] + if (!empty($baseUsers) && !$this->checkBasesAreValid($baseUsers, $base)) { + throw new ConfigurationIssueException( + 'User base is not in root base', + $this->l10n->t('User base DN is not a subnode of global base DN'), + ); + } + + if (!empty($baseGroups) && !$this->checkBasesAreValid($baseGroups, $base)) { + throw new ConfigurationIssueException( + 'Group base is not in root base', + $this->l10n->t('Group base DN is not a subnode of global base DN'), ); - $configurationOK = false; } - return $configurationOK; + if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) { + throw new ConfigurationIssueException( + 'Login filter does not contain %uid placeholder.', + $this->l10n->t('Login filter does not contain %s placeholder.', ['%uid']), + ); + } + } + + /** + * Checks that all bases are subnodes of one of the root bases + */ + private function checkBasesAreValid(array $bases, array $rootBases): bool { + foreach ($bases as $base) { + $ok = false; + foreach ($rootBases as $rootBase) { + if (str_ends_with($base, $rootBase)) { + $ok = true; + break; + } + } + if (!$ok) { + return false; + } + } + return true; } /** * Validates the user specified configuration * @return bool true if configuration seems OK, false otherwise */ - private function validateConfiguration() { + private function validateConfiguration(bool $throw = false): bool { if ($this->doNotValidate) { //don't do a validation if it is a new configuration with pure //default values. Will be allowed on changes via __set or @@ -551,7 +579,19 @@ class Connection extends LDAPUtility { //second step: critical checks. If left empty or filled wrong, mark as //not configured and give a warning. - return $this->doCriticalValidation(); + try { + $this->doCriticalValidation(); + return true; + } catch (ConfigurationIssueException $e) { + if ($throw) { + throw $e; + } + $this->logger->warning( + 'Configuration Error (prefix ' . $this->configPrefix . '): ' . $e->getMessage(), + ['exception' => $e] + ); + return false; + } } @@ -560,7 +600,7 @@ class Connection extends LDAPUtility { * * @throws ServerNotAvailableException */ - private function establishConnection() { + private function establishConnection(): ?bool { if (!$this->configuration->ldapConfigurationActive) { return null; } @@ -585,19 +625,6 @@ class Connection extends LDAPUtility { return false; } - if ($this->configuration->turnOffCertCheck) { - if (putenv('LDAPTLS_REQCERT=never')) { - $this->logger->debug( - 'Turned off SSL certificate validation successfully.', - ['app' => 'user_ldap'] - ); - } else { - $this->logger->warning( - 'Could not turn off SSL certificate validation.', - ['app' => 'user_ldap'] - ); - } - } $hasBackupHost = (trim($this->configuration->ldapBackupHost ?? '') !== ''); $hasBackgroundHost = (trim($this->configuration->ldapBackgroundHost ?? '') !== ''); @@ -621,9 +648,11 @@ class Connection extends LDAPUtility { } } $this->logger->warning( - 'Main LDAP not reachable, connecting to backup', + 'Main LDAP not reachable, connecting to backup: {msg}', [ - 'app' => 'user_ldap' + 'app' => 'user_ldap', + 'msg' => $e->getMessage(), + 'exception' => $e, ] ); } @@ -632,8 +661,8 @@ class Connection extends LDAPUtility { $this->doConnect($this->configuration->ldapBackupHost ?? '', $this->configuration->ldapBackupPort ?? ''); $this->bindResult = []; $bindStatus = $this->bind(); - $error = $this->ldap->isResource($this->ldapConnectionRes) ? - $this->ldap->errno($this->ldapConnectionRes) : -1; + $error = $this->ldap->isResource($this->ldapConnectionRes) + ? $this->ldap->errno($this->ldapConnectionRes) : -1; if ($bindStatus && $error === 0 && !$forceBackupHost) { //when bind to backup server succeeded and failed to main server, //skip contacting it for 15min @@ -648,15 +677,18 @@ class Connection extends LDAPUtility { /** * @param string $host * @param string $port - * @return bool * @throws \OC\ServerNotAvailableException */ - private function doConnect($host, $port) { + private function doConnect($host, $port): bool { if ($host === '') { return false; } - $this->ldapConnectionRes = $this->ldap->connect($host, $port); + $this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null; + + if ($this->ldapConnectionRes === null) { + throw new ServerNotAvailableException('Connection failed'); + } if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) { throw new ServerNotAvailableException('Could not set required LDAP Protocol version.'); @@ -671,6 +703,20 @@ class Connection extends LDAPUtility { } if ($this->configuration->ldapTLS) { + if ($this->configuration->turnOffCertCheck) { + if ($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) { + $this->logger->debug( + 'Turned off SSL certificate validation successfully.', + ['app' => 'user_ldap'] + ); + } else { + $this->logger->warning( + 'Could not turn off SSL certificate validation.', + ['app' => 'user_ldap'] + ); + } + } + if (!$this->ldap->startTls($this->ldapConnectionRes)) { throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.'); } diff --git a/apps/user_ldap/lib/ConnectionFactory.php b/apps/user_ldap/lib/ConnectionFactory.php index cf2bacebc85..dd0ad31920a 100644 --- a/apps/user_ldap/lib/ConnectionFactory.php +++ b/apps/user_ldap/lib/ConnectionFactory.php @@ -1,33 +1,15 @@ <?php + /** - * @copyright Copyright (c) 2018 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; class ConnectionFactory { - /** @var ILDAPWrapper */ - private $ldap; - - public function __construct(ILDAPWrapper $ldap) { - $this->ldap = $ldap; + public function __construct( + private ILDAPWrapper $ldap, + ) { } public function get($prefix) { diff --git a/apps/user_ldap/lib/Controller/ConfigAPIController.php b/apps/user_ldap/lib/Controller/ConfigAPIController.php index e408d03fcd5..d98e6d41b52 100644 --- a/apps/user_ldap/lib/Controller/ConfigAPIController.php +++ b/apps/user_ldap/lib/Controller/ConfigAPIController.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Controller; @@ -29,36 +12,31 @@ use OC\Security\IdentityProof\Manager; use OCA\User_LDAP\Configuration; use OCA\User_LDAP\ConnectionFactory; use OCA\User_LDAP\Helper; +use OCA\User_LDAP\Settings\Admin; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSBadRequestException; use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\OCS\OCSNotFoundException; -use OCP\ILogger; use OCP\IRequest; use OCP\IUserManager; use OCP\IUserSession; +use OCP\ServerVersion; +use Psr\Log\LoggerInterface; class ConfigAPIController extends OCSController { - - /** @var Helper */ - private $ldapHelper; - - /** @var ILogger */ - private $logger; - - /** @var ConnectionFactory */ - private $connectionFactory; - public function __construct( - $appName, + string $appName, IRequest $request, CapabilitiesManager $capabilitiesManager, IUserSession $userSession, IUserManager $userManager, Manager $keyManager, - Helper $ldapHelper, - ILogger $logger, - ConnectionFactory $connectionFactory + ServerVersion $serverVersion, + private Helper $ldapHelper, + private LoggerInterface $logger, + private ConnectionFactory $connectionFactory, ) { parent::__construct( $appName, @@ -66,54 +44,20 @@ class ConfigAPIController extends OCSController { $capabilitiesManager, $userSession, $userManager, - $keyManager + $keyManager, + $serverVersion, ); - - - $this->ldapHelper = $ldapHelper; - $this->logger = $logger; - $this->connectionFactory = $connectionFactory; } /** - * Creates a new (empty) configuration and returns the resulting prefix - * - * Example: curl -X POST -H "OCS-APIREQUEST: true" -u $admin:$password \ - * https://nextcloud.server/ocs/v2.php/apps/user_ldap/api/v1/config - * - * results in: - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>ok</status> - * <statuscode>200</statuscode> - * <message>OK</message> - * </meta> - * <data> - * <configID>s40</configID> - * </data> - * </ocs> - * - * Failing example: if an exception is thrown (e.g. Database connection lost) - * the detailed error will be logged. The output will then look like: - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>failure</status> - * <statuscode>999</statuscode> - * <message>An issue occurred when creating the new config.</message> - * </meta> - * <data/> - * </ocs> - * - * For JSON output provide the format=json parameter + * Create a new (empty) configuration and return the resulting prefix * - * @AuthorizedAdminSetting(settings=OCA\User_LDAP\Settings\Admin) - * @return DataResponse + * @return DataResponse<Http::STATUS_OK, array{configID: string}, array{}> * @throws OCSException + * + * 200: Config created successfully */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function create() { try { $configPrefix = $this->ldapHelper->getNextServerConfigurationPrefix(); @@ -121,35 +65,23 @@ class ConfigAPIController extends OCSController { $configHolder->ldapConfigurationActive = false; $configHolder->saveConfiguration(); } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when creating the new config.'); } return new DataResponse(['configID' => $configPrefix]); } /** - * Deletes a LDAP configuration, if present. - * - * Example: - * curl -X DELETE -H "OCS-APIREQUEST: true" -u $admin:$password \ - * https://nextcloud.server/ocs/v2.php/apps/user_ldap/api/v1/config/s60 - * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>ok</status> - * <statuscode>200</statuscode> - * <message>OK</message> - * </meta> - * <data/> - * </ocs> + * Delete a LDAP configuration * - * @AuthorizedAdminSetting(settings=OCA\User_LDAP\Settings\Admin) - * @param string $configID - * @return DataResponse - * @throws OCSBadRequestException + * @param string $configID ID of the config + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * @throws OCSNotFoundException Config not found + * + * 200: Config deleted successfully */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function delete($configID) { try { $this->ensureConfigIDExists($configID); @@ -159,7 +91,7 @@ class ConfigAPIController extends OCSController { } catch (OCSException $e) { throw $e; } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when deleting the config.'); } @@ -167,29 +99,18 @@ class ConfigAPIController extends OCSController { } /** - * Modifies a configuration - * - * Example: - * curl -X PUT -d "configData[ldapHost]=ldaps://my.ldap.server&configData[ldapPort]=636" \ - * -H "OCS-APIREQUEST: true" -u $admin:$password \ - * https://nextcloud.server/ocs/v2.php/apps/user_ldap/api/v1/config/s60 + * Modify a configuration * - * <?xml version="1.0"?> - * <ocs> - * <meta> - * <status>ok</status> - * <statuscode>200</statuscode> - * <message>OK</message> - * </meta> - * <data/> - * </ocs> - * - * @AuthorizedAdminSetting(settings=OCA\User_LDAP\Settings\Admin) - * @param string $configID - * @param array $configData - * @return DataResponse + * @param string $configID ID of the config + * @param array<string, mixed> $configData New config + * @return DataResponse<Http::STATUS_OK, list<empty>, array{}> * @throws OCSException + * @throws OCSBadRequestException Modifying config is not possible + * @throws OCSNotFoundException Config not found + * + * 200: Config returned */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function modify($configID, $configData) { try { $this->ensureConfigIDExists($configID); @@ -212,7 +133,7 @@ class ConfigAPIController extends OCSController { } catch (OCSException $e) { throw $e; } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when modifying the config.'); } @@ -220,8 +141,9 @@ class ConfigAPIController extends OCSController { } /** - * Retrieves a configuration + * Get a configuration * + * Output can look like this: * <?xml version="1.0"?> * <ocs> * <meta> @@ -284,19 +206,22 @@ class ConfigAPIController extends OCSController { * </data> * </ocs> * - * @AuthorizedAdminSetting(settings=OCA\User_LDAP\Settings\Admin) - * @param string $configID - * @param bool|string $showPassword - * @return DataResponse + * @param string $configID ID of the config + * @param bool $showPassword Whether to show the password + * @return DataResponse<Http::STATUS_OK, array<string, mixed>, array{}> * @throws OCSException + * @throws OCSNotFoundException Config not found + * + * 200: Config returned */ + #[AuthorizedAdminSetting(settings: Admin::class)] public function show($configID, $showPassword = false) { try { $this->ensureConfigIDExists($configID); $config = new Configuration($configID); $data = $config->getConfiguration(); - if (!(int)$showPassword) { + if (!$showPassword) { $data['ldapAgentPassword'] = '***'; } foreach ($data as $key => $value) { @@ -308,7 +233,7 @@ class ConfigAPIController extends OCSController { } catch (OCSException $e) { throw $e; } catch (\Exception $e) { - $this->logger->logException($e); + $this->logger->error($e->getMessage(), ['exception' => $e]); throw new OCSException('An issue occurred when modifying the config.'); } @@ -318,11 +243,11 @@ class ConfigAPIController extends OCSController { /** * If the given config ID is not available, an exception is thrown * - * @AuthorizedAdminSetting(settings=OCA\User_LDAP\Settings\Admin) * @param string $configID * @throws OCSNotFoundException */ - private function ensureConfigIDExists($configID) { + #[AuthorizedAdminSetting(settings: Admin::class)] + private function ensureConfigIDExists($configID): void { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(); if (!in_array($configID, $prefixes, true)) { throw new OCSNotFoundException('Config ID not found'); diff --git a/apps/user_ldap/lib/Controller/RenewPasswordController.php b/apps/user_ldap/lib/Controller/RenewPasswordController.php index 66371cb3b49..8389a362b8f 100644 --- a/apps/user_ldap/lib/Controller/RenewPasswordController.php +++ b/apps/user_ldap/lib/Controller/RenewPasswordController.php @@ -1,29 +1,16 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Controller; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoCSRFRequired; +use OCP\AppFramework\Http\Attribute\OpenAPI; +use OCP\AppFramework\Http\Attribute\PublicPage; +use OCP\AppFramework\Http\Attribute\UseSession; use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\TemplateResponse; use OCP\HintException; @@ -35,18 +22,8 @@ use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; +#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] class RenewPasswordController extends Controller { - /** @var IUserManager */ - private $userManager; - /** @var IConfig */ - private $config; - /** @var IL10N */ - protected $l10n; - /** @var ISession */ - private $session; - /** @var IURLGenerator */ - private $urlGenerator; - /** * @param string $appName * @param IRequest $request @@ -54,35 +31,35 @@ class RenewPasswordController extends Controller { * @param IConfig $config * @param IURLGenerator $urlGenerator */ - public function __construct($appName, IRequest $request, IUserManager $userManager, - IConfig $config, IL10N $l10n, ISession $session, IURLGenerator $urlGenerator) { + public function __construct( + $appName, + IRequest $request, + private IUserManager $userManager, + private IConfig $config, + protected IL10N $l10n, + private ISession $session, + private IURLGenerator $urlGenerator, + ) { parent::__construct($appName, $request); - $this->userManager = $userManager; - $this->config = $config; - $this->l10n = $l10n; - $this->session = $session; - $this->urlGenerator = $urlGenerator; } /** - * @PublicPage - * @NoCSRFRequired - * * @return RedirectResponse */ + #[PublicPage] + #[NoCSRFRequired] public function cancel() { return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); } /** - * @PublicPage - * @NoCSRFRequired - * @UseSession - * * @param string $user * * @return TemplateResponse|RedirectResponse */ + #[PublicPage] + #[NoCSRFRequired] + #[UseSession] public function showRenewPasswordForm($user) { if ($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') { return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); @@ -118,15 +95,14 @@ class RenewPasswordController extends Controller { } /** - * @PublicPage - * @UseSession - * * @param string $user * @param string $oldPassword * @param string $newPassword * * @return RedirectResponse */ + #[PublicPage] + #[UseSession] public function tryRenewPassword($user, $oldPassword, $newPassword) { if ($this->config->getUserValue($user, 'user_ldap', 'needsPasswordReset') !== 'true') { return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); @@ -143,7 +119,7 @@ class RenewPasswordController extends Controller { try { if (!is_null($newPassword) && \OC_User::setPassword($user, $newPassword)) { $this->session->set('loginMessages', [ - [], [$this->l10n->t("Please login with the new password")] + [], [$this->l10n->t('Please login with the new password')] ]); $this->config->setUserValue($user, 'user_ldap', 'needsPasswordReset', 'false'); return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); @@ -162,12 +138,11 @@ class RenewPasswordController extends Controller { } /** - * @PublicPage - * @NoCSRFRequired - * @UseSession - * * @return RedirectResponse */ + #[PublicPage] + #[NoCSRFRequired] + #[UseSession] public function showLoginFormInvalidPassword($user) { $args = !is_null($user) ? ['user' => $user] : []; $this->session->set('loginMessages', [ diff --git a/apps/user_ldap/lib/DataCollector/LdapDataCollector.php b/apps/user_ldap/lib/DataCollector/LdapDataCollector.php index 833b314b199..2f74a628a32 100644 --- a/apps/user_ldap/lib/DataCollector/LdapDataCollector.php +++ b/apps/user_ldap/lib/DataCollector/LdapDataCollector.php @@ -1,24 +1,9 @@ -<?php declare(strict_types = 1); +<?php + +declare(strict_types = 1); /** - * @copyright 2022 Carl Schwan <carl@carlschwan.eu> - * - * @author Carl Schwan <carl@carlschwan.eu> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\DataCollector; @@ -46,6 +31,6 @@ class LdapDataCollector extends AbstractDataCollector { return 'ldap'; } - public function collect(Request $request, Response $response, \Throwable $exception = null): void { + public function collect(Request $request, Response $response, ?\Throwable $exception = null): void { } } diff --git a/apps/user_ldap/lib/Db/GroupMembership.php b/apps/user_ldap/lib/Db/GroupMembership.php new file mode 100644 index 00000000000..6141f1b18c9 --- /dev/null +++ b/apps/user_ldap/lib/Db/GroupMembership.php @@ -0,0 +1,31 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Db; + +use OCP\AppFramework\Db\Entity; + +/** + * @method void setUserid(string $userid) + * @method string getUserid() + * @method void setGroupid(string $groupid) + * @method string getGroupid() + */ +class GroupMembership extends Entity { + /** @var string */ + protected $groupid; + + /** @var string */ + protected $userid; + + public function __construct() { + $this->addType('groupid', 'string'); + $this->addType('userid', 'string'); + } +} diff --git a/apps/user_ldap/lib/Db/GroupMembershipMapper.php b/apps/user_ldap/lib/Db/GroupMembershipMapper.php new file mode 100644 index 00000000000..b3d6c31dda6 --- /dev/null +++ b/apps/user_ldap/lib/Db/GroupMembershipMapper.php @@ -0,0 +1,72 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Db; + +use OCP\AppFramework\Db\QBMapper; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; + +/** + * @template-extends QBMapper<GroupMembership> + */ +class GroupMembershipMapper extends QBMapper { + public function __construct(IDBConnection $db) { + parent::__construct($db, 'ldap_group_membership', GroupMembership::class); + } + + /** + * @return string[] + */ + public function getKnownGroups(): array { + $query = $this->db->getQueryBuilder(); + $result = $query->selectDistinct('groupid') + ->from($this->getTableName()) + ->executeQuery(); + + $groups = array_column($result->fetchAll(), 'groupid'); + $result->closeCursor(); + return $groups; + } + + /** + * @return GroupMembership[] + */ + public function findGroupMemberships(string $groupid): array { + $qb = $this->db->getQueryBuilder(); + $select = $qb->select('*') + ->from($this->getTableName()) + ->where($qb->expr()->eq('groupid', $qb->createNamedParameter($groupid))); + + return $this->findEntities($select); + } + + /** + * @return GroupMembership[] + */ + public function findGroupMembershipsForUser(string $userid): array { + $qb = $this->db->getQueryBuilder(); + $select = $qb->select('*') + ->from($this->getTableName()) + ->where($qb->expr()->eq('userid', $qb->createNamedParameter($userid))); + + return $this->findEntities($select); + } + + public function deleteGroups(array $removedGroups): void { + $query = $this->db->getQueryBuilder(); + $query->delete($this->getTableName()) + ->where($query->expr()->in('groupid', $query->createParameter('groupids'))); + + foreach (array_chunk($removedGroups, 1000) as $removedGroupsChunk) { + $query->setParameter('groupids', $removedGroupsChunk, IQueryBuilder::PARAM_STR_ARRAY); + $query->executeStatement(); + } + } +} diff --git a/apps/user_ldap/lib/Events/GroupBackendRegistered.php b/apps/user_ldap/lib/Events/GroupBackendRegistered.php index e0302b87b1f..a94c239c1b3 100644 --- a/apps/user_ldap/lib/Events/GroupBackendRegistered.php +++ b/apps/user_ldap/lib/Events/GroupBackendRegistered.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Events; @@ -37,14 +19,10 @@ use OCP\EventDispatcher\Event; */ class GroupBackendRegistered extends Event { - /** @var GroupPluginManager */ - private $pluginManager; - /** @var IGroupLDAP */ - private $backend; - - public function __construct(IGroupLDAP $backend, GroupPluginManager $pluginManager) { - $this->pluginManager = $pluginManager; - $this->backend = $backend; + public function __construct( + private IGroupLDAP $backend, + private GroupPluginManager $pluginManager, + ) { } public function getBackend(): IGroupLDAP { diff --git a/apps/user_ldap/lib/Events/UserBackendRegistered.php b/apps/user_ldap/lib/Events/UserBackendRegistered.php index 91743089ccf..a26e23f8f83 100644 --- a/apps/user_ldap/lib/Events/UserBackendRegistered.php +++ b/apps/user_ldap/lib/Events/UserBackendRegistered.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Events; @@ -37,14 +19,10 @@ use OCP\EventDispatcher\Event; */ class UserBackendRegistered extends Event { - /** @var IUserLDAP */ - private $backend; - /** @var UserPluginManager */ - private $pluginManager; - - public function __construct(IUserLDAP $backend, UserPluginManager $pluginManager) { - $this->backend = $backend; - $this->pluginManager = $pluginManager; + public function __construct( + private IUserLDAP $backend, + private UserPluginManager $pluginManager, + ) { } public function getBackend(): IUserLDAP { diff --git a/apps/user_ldap/lib/Exceptions/AttributeNotSet.php b/apps/user_ldap/lib/Exceptions/AttributeNotSet.php index 63e255b85d6..4d6053eda66 100644 --- a/apps/user_ldap/lib/Exceptions/AttributeNotSet.php +++ b/apps/user_ldap/lib/Exceptions/AttributeNotSet.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2019 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Exceptions; diff --git a/apps/user_ldap/lib/Exceptions/ConfigurationIssueException.php b/apps/user_ldap/lib/Exceptions/ConfigurationIssueException.php new file mode 100644 index 00000000000..efeb426b13d --- /dev/null +++ b/apps/user_ldap/lib/Exceptions/ConfigurationIssueException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Exceptions; + +use OCP\HintException; + +class ConfigurationIssueException extends HintException { +} diff --git a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php index 912d6039a60..d0d384c31de 100644 --- a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php +++ b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Exceptions; diff --git a/apps/user_ldap/lib/Exceptions/NoMoreResults.php b/apps/user_ldap/lib/Exceptions/NoMoreResults.php index 26dc4a58992..b5621d86eb6 100644 --- a/apps/user_ldap/lib/Exceptions/NoMoreResults.php +++ b/apps/user_ldap/lib/Exceptions/NoMoreResults.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Exceptions; diff --git a/apps/user_ldap/lib/Exceptions/NotOnLDAP.php b/apps/user_ldap/lib/Exceptions/NotOnLDAP.php index 30a82106655..cd74e918829 100644 --- a/apps/user_ldap/lib/Exceptions/NotOnLDAP.php +++ b/apps/user_ldap/lib/Exceptions/NotOnLDAP.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Exceptions; diff --git a/apps/user_ldap/lib/FilesystemHelper.php b/apps/user_ldap/lib/FilesystemHelper.php deleted file mode 100644 index 0596b109deb..00000000000 --- a/apps/user_ldap/lib/FilesystemHelper.php +++ /dev/null @@ -1,46 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OCA\User_LDAP; - -/** - * @brief wraps around static Nextcloud core methods - */ -class FilesystemHelper { - - /** - * @brief states whether the filesystem was loaded - * @return bool - */ - public function isLoaded() { - return \OC\Files\Filesystem::$loaded; - } - - /** - * @brief initializes the filesystem for the given user - * @param string $uid the Nextcloud username of the user - */ - public function setup($uid) { - \OC_Util::setupFS($uid); - } -} diff --git a/apps/user_ldap/lib/GroupPluginManager.php b/apps/user_ldap/lib/GroupPluginManager.php index 5999409cdba..9e8ae6805a4 100644 --- a/apps/user_ldap/lib/GroupPluginManager.php +++ b/apps/user_ldap/lib/GroupPluginManager.php @@ -1,29 +1,14 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; use OCP\GroupInterface; +use OCP\Server; +use Psr\Log\LoggerInterface; class GroupPluginManager { private int $respondToActions = 0; @@ -58,7 +43,7 @@ class GroupPluginManager { foreach ($this->which as $action => $v) { if ((bool)($respondToActions & $action)) { $this->which[$action] = $plugin; - \OC::$server->getLogger()->debug("Registered action ".$action." to plugin ".get_class($plugin), ['app' => 'user_ldap']); + Server::get(LoggerInterface::class)->debug('Registered action ' . $action . ' to plugin ' . get_class($plugin), ['app' => 'user_ldap']); } } } @@ -164,7 +149,7 @@ class GroupPluginManager { $plugin = $this->which[GroupInterface::COUNT_USERS]; if ($plugin) { - return $plugin->countUsersInGroup($gid,$search); + return $plugin->countUsersInGroup($gid, $search); } throw new \Exception('No plugin implements countUsersInGroup in this LDAP Backend.'); } diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index b32e031175f..271cc96afbd 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -1,67 +1,36 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Alex Weirig <alex.weirig@technolink.lu> - * @author alexweirig <alex.weirig@technolink.lu> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Andreas Pflug <dev@admin4.org> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Clement Wong <git@clement.hk> - * @author Frédéric Fortier <frederic.fortier@oronospolytechnique.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roland Tapken <roland@bitarbeiter.net> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Tobias Perschon <tobias@perschon.at> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * @author Xuanwo <xuanwo@yunify.com> - * @author Carl Schwan <carl@carlschwan.eu> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; use Exception; +use OC\ServerNotAvailableException; +use OCA\User_LDAP\User\OfflineUser; use OCP\Cache\CappedMemoryCache; -use OCP\GroupInterface; +use OCP\Group\Backend\ABackend; use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; -use OC\ServerNotAvailableException; +use OCP\Group\Backend\IIsAdminBackend; +use OCP\GroupInterface; +use OCP\IConfig; +use OCP\IUserManager; +use OCP\Server; use Psr\Log\LoggerInterface; +use function json_decode; -class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend { +class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend { protected bool $enabled = false; - /** @var CappedMemoryCache<string[]> $cachedGroupMembers array of users with gid as key */ + /** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */ protected CappedMemoryCache $cachedGroupMembers; - /** @var CappedMemoryCache<array[]> $cachedGroupsByMember array of groups with uid as key */ + /** @var CappedMemoryCache<array[]> $cachedGroupsByMember array of groups with user DN as key */ protected CappedMemoryCache $cachedGroupsByMember; /** @var CappedMemoryCache<string[]> $cachedNestedGroups array of groups with gid (DN) as key */ protected CappedMemoryCache $cachedNestedGroups; - protected GroupPluginManager $groupPluginManager; protected LoggerInterface $logger; /** @@ -69,8 +38,12 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I */ protected string $ldapGroupMemberAssocAttr; - public function __construct(Access $access, GroupPluginManager $groupPluginManager) { - parent::__construct($access); + public function __construct( + protected Access $access, + protected GroupPluginManager $groupPluginManager, + private IConfig $config, + private IUserManager $ncUserManager, + ) { $filter = $this->access->connection->ldapGroupFilter; $gAssoc = $this->access->connection->ldapGroupMemberAssocAttr; if (!empty($filter) && !empty($gAssoc)) { @@ -80,8 +53,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $this->cachedGroupMembers = new CappedMemoryCache(); $this->cachedGroupsByMember = new CappedMemoryCache(); $this->cachedNestedGroups = new CappedMemoryCache(); - $this->groupPluginManager = $groupPluginManager; - $this->logger = \OCP\Server::get(LoggerInterface::class); + $this->logger = Server::get(LoggerInterface::class); $this->ldapGroupMemberAssocAttr = strtolower((string)$gAssoc); } @@ -437,6 +409,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I public function getUserGidNumber(string $dn) { $gidNumber = false; if ($this->access->connection->hasGidNumber) { + // FIXME: when $dn does not exist on LDAP anymore, this will be set wrongly to false :/ $gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber); if ($gidNumber === false) { $this->access->connection->hasGidNumber = false; @@ -466,20 +439,20 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I } /** - * @return array A list of users that have the given group as gid number + * @return array<int,string> A list of users that have the given group as gid number * @throws ServerNotAvailableException */ public function getUsersInGidNumber( string $groupDN, string $search = '', ?int $limit = -1, - ?int $offset = 0 + ?int $offset = 0, ): array { try { $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search); $users = $this->access->fetchListOfUsers( $filter, - [$this->access->connection->ldapUserDisplayName, 'dn'], + $this->access->userManager->getAttributes(true), $limit, $offset ); @@ -591,18 +564,19 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I /** * @throws ServerNotAvailableException + * @return array<int,string> */ public function getUsersInPrimaryGroup( string $groupDN, string $search = '', ?int $limit = -1, - ?int $offset = 0 + ?int $offset = 0, ): array { try { $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); $users = $this->access->fetchListOfUsers( $filter, - [$this->access->connection->ldapUserDisplayName, 'dn'], + $this->access->userManager->getAttributes(true), $limit, $offset ); @@ -621,7 +595,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I string $groupDN, string $search = '', int $limit = -1, - int $offset = 0 + int $offset = 0, ): int { try { $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); @@ -650,6 +624,29 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I return false; } + private function isUserOnLDAP(string $uid): bool { + // forces a user exists check - but does not help if a positive result is cached, while group info is not + $ncUser = $this->ncUserManager->get($uid); + if ($ncUser === null) { + return false; + } + $backend = $ncUser->getBackend(); + if ($backend instanceof User_Proxy) { + // ignoring cache as safeguard (and we are behind the group cache check anyway) + return $backend->userExistsOnLDAP($uid, true); + } + return false; + } + + /** + * @param string $uid + * @return list<string> + */ + protected function getCachedGroupsForUserId(string $uid): array { + $groupStr = $this->config->getUserValue($uid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), '[]'); + return json_decode($groupStr, true) ?? []; + } + /** * This function fetches all groups a user belongs to. It does not check * if the user exists at all. @@ -657,19 +654,29 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * This function includes groups based on dynamic group membership. * * @param string $uid Name of the user - * @return string[] Group names + * @return list<string> Group names * @throws Exception * @throws ServerNotAvailableException */ - public function getUserGroups($uid) { + public function getUserGroups($uid): array { if (!$this->enabled) { return []; } + $ncUid = $uid; + $cacheKey = 'getUserGroups' . $uid; $userGroups = $this->access->connection->getFromCache($cacheKey); if (!is_null($userGroups)) { return $userGroups; } + + $user = $this->access->userManager->get($uid); + if ($user instanceof OfflineUser) { + // We load known group memberships from configuration for remnants, + // because LDAP server does not contain them anymore + return $this->getCachedGroupsForUserId($uid); + } + $userDN = $this->access->username2dn($uid); if (!$userDN) { $this->access->connection->writeToCache($cacheKey, []); @@ -781,9 +788,21 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $groups[] = $gidGroupName; } - $groups = array_unique($groups, SORT_LOCALE_STRING); + if (empty($groups) && !$this->isUserOnLDAP($ncUid)) { + // Groups are enabled, but you user has none? Potentially suspicious: + // it could be that the user was deleted from LDAP, but we are not + // aware of it yet. + $groups = $this->getCachedGroupsForUserId($ncUid); + $this->access->connection->writeToCache($cacheKey, $groups); + return $groups; + } + + $groups = array_values(array_unique($groups, SORT_LOCALE_STRING)); $this->access->connection->writeToCache($cacheKey, $groups); + $groupStr = \json_encode($groups); + $this->config->setUserValue($ncUid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), $groupStr); + return $groups; } @@ -840,7 +859,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * @param string $search * @param int $limit * @param int $offset - * @return array with user ids + * @return array<int,string> user ids * @throws Exception * @throws ServerNotAvailableException */ @@ -909,7 +928,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I if (empty($ldap_users)) { break; } - $groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]); + $uid = $this->access->dn2username($ldap_users[0]['dn'][0]); + if (!$uid) { + break; + } + $groupUsers[] = $uid; break; default: //we got DNs, check if we need to filter by search or we can give back all of them @@ -996,9 +1019,9 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I return $groupUsers; } $search = $this->access->escapeFilterPart($search, true); - $isMemberUid = - ($this->ldapGroupMemberAssocAttr === 'memberuid' || - $this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress'); + $isMemberUid + = ($this->ldapGroupMemberAssocAttr === 'memberuid' + || $this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress'); //we need to apply the search filter //alternatives that need to be checked: @@ -1100,31 +1123,43 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * @throws ServerNotAvailableException */ public function groupExists($gid) { - $groupExists = $this->access->connection->getFromCache('groupExists' . $gid); - if (!is_null($groupExists)) { - return (bool)$groupExists; + return $this->groupExistsOnLDAP($gid, false); + } + + /** + * Check if a group exists + * + * @throws ServerNotAvailableException + */ + public function groupExistsOnLDAP(string $gid, bool $ignoreCache = false): bool { + $cacheKey = 'groupExists' . $gid; + if (!$ignoreCache) { + $groupExists = $this->access->connection->getFromCache($cacheKey); + if (!is_null($groupExists)) { + return (bool)$groupExists; + } } //getting dn, if false the group does not exist. If dn, it may be mapped //only, requires more checking. $dn = $this->access->groupname2dn($gid); if (!$dn) { - $this->access->connection->writeToCache('groupExists' . $gid, false); + $this->access->connection->writeToCache($cacheKey, false); return false; } if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) { - $this->access->connection->writeToCache('groupExists' . $gid, false); + $this->access->connection->writeToCache($cacheKey, false); return false; } //if group really still exists, we will be able to read its objectClass if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) { - $this->access->connection->writeToCache('groupExists' . $gid, false); + $this->access->connection->writeToCache($cacheKey, false); return false; } - $this->access->connection->writeToCache('groupExists' . $gid, true); + $this->access->connection->writeToCache($cacheKey, true); return true; } @@ -1143,7 +1178,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I continue; } $name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null; - $gid = $this->access->dn2groupname($dn, $name); + $gid = $this->access->dn2groupname($dn, $name, false); if (!$gid) { continue; } @@ -1163,10 +1198,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * Returns the supported actions as int to be * compared with GroupInterface::CREATE_GROUP etc. */ - public function implementsActions($actions) { - return (bool)((GroupInterface::COUNT_USERS | - GroupInterface::DELETE_GROUP | - $this->groupPluginManager->getImplementedActions()) & $actions); + public function implementsActions($actions): bool { + return (bool)((GroupInterface::COUNT_USERS + | GroupInterface::DELETE_GROUP + | GroupInterface::IS_ADMIN + | $this->groupPluginManager->getImplementedActions()) & $actions); } /** @@ -1218,7 +1254,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I if ($ret = $this->groupPluginManager->deleteGroup($gid)) { // Delete group in nextcloud internal db $this->access->getGroupMapper()->unmap($gid); - $this->access->connection->writeToCache("groupExists" . $gid, false); + $this->access->connection->writeToCache('groupExists' . $gid, false); } return $ret; } @@ -1226,17 +1262,17 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I // Getting dn, if false the group is not mapped $dn = $this->access->groupname2dn($gid); if (!$dn) { - throw new Exception('Could not delete unknown group '.$gid.' in LDAP backend.'); + throw new Exception('Could not delete unknown group ' . $gid . ' in LDAP backend.'); } if (!$this->groupExists($gid)) { // The group does not exist in the LDAP, remove the mapping $this->access->getGroupMapper()->unmap($gid); - $this->access->connection->writeToCache("groupExists" . $gid, false); + $this->access->connection->writeToCache('groupExists' . $gid, false); return true; } - throw new Exception('Could not delete existing group '.$gid.' in LDAP backend.'); + throw new Exception('Could not delete existing group ' . $gid . ' in LDAP backend.'); } /** @@ -1297,10 +1333,10 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I * of the current access. * * @param string $gid - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws ServerNotAvailableException */ - public function getNewLDAPConnection($gid) { + public function getNewLDAPConnection($gid): \LDAP\Connection { $connection = clone $this->access->getConnection(); return $connection->getConnectionResource(); } @@ -1331,4 +1367,56 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I $this->access->connection->writeToCache($cacheKey, $displayName); return $displayName; } + + /** + * returns the groupname for the given LDAP DN, if available + */ + public function dn2GroupName(string $dn): string|false { + return $this->access->dn2groupname($dn); + } + + public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void { + $dnGroup = $this->access->groupname2dn($gid); + $dnUser ??= $this->access->username2dn($uid); + if ($dnUser === false || $dnGroup === false) { + return; + } + if (isset($this->cachedGroupMembers[$gid])) { + $this->cachedGroupMembers[$gid] = array_merge($this->cachedGroupMembers[$gid], [$dnUser]); + } + unset($this->cachedGroupsByMember[$dnUser]); + unset($this->cachedNestedGroups[$gid]); + $cacheKey = 'inGroup' . $uid . ':' . $gid; + $this->access->connection->writeToCache($cacheKey, true); + $cacheKeyMembers = 'inGroup-members:' . $gid; + if (!is_null($data = $this->access->connection->getFromCache($cacheKeyMembers))) { + $this->access->connection->writeToCache($cacheKeyMembers, array_merge($data, [$dnUser])); + } + $cacheKey = '_groupMembers' . $dnGroup; + if (!is_null($data = $this->access->connection->getFromCache($cacheKey))) { + $this->access->connection->writeToCache($cacheKey, array_merge($data, [$dnUser])); + } + $cacheKey = 'getUserGroups' . $uid; + if (!is_null($data = $this->access->connection->getFromCache($cacheKey))) { + $this->access->connection->writeToCache($cacheKey, array_merge($data, [$gid])); + } + // These cache keys cannot be easily updated: + // $cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset; + // $cacheKey = 'usersInGroup-' . $gid . '-' . $search; + // $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search; + } + + /** + * @throws ServerNotAvailableException + */ + public function isAdmin(string $uid): bool { + if (!$this->enabled) { + return false; + } + $ldapAdminGroup = $this->access->connection->ldapAdminGroup; + if ($ldapAdminGroup === '') { + return false; + } + return $this->inGroup($uid, $ldapAdminGroup); + } } diff --git a/apps/user_ldap/lib/Group_Proxy.php b/apps/user_ldap/lib/Group_Proxy.php index c8c986318ec..f0cdc7a465d 100644 --- a/apps/user_ldap/lib/Group_Proxy.php +++ b/apps/user_ldap/lib/Group_Proxy.php @@ -1,70 +1,41 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christopher Schäpers <kondou@ts.unde.re> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Johannes Leuker <j.leuker@hosting.de> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; +use OC\ServerNotAvailableException; +use OCP\Group\Backend\IBatchMethodsBackend; use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\IGroupDetailsBackend; +use OCP\Group\Backend\IIsAdminBackend; use OCP\Group\Backend\INamedBackend; +use OCP\GroupInterface; +use OCP\IConfig; +use OCP\IUserManager; -class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend { - private $backends = []; - private ?Group_LDAP $refBackend = null; - private Helper $helper; - private GroupPluginManager $groupPluginManager; - private bool $isSetUp = false; - +/** + * @template-extends Proxy<Group_LDAP> + */ +class Group_Proxy extends Proxy implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend { public function __construct( - Helper $helper, + private Helper $helper, ILDAPWrapper $ldap, AccessFactory $accessFactory, - GroupPluginManager $groupPluginManager + private GroupPluginManager $groupPluginManager, + private IConfig $config, + private IUserManager $ncUserManager, ) { - parent::__construct($ldap, $accessFactory); - $this->helper = $helper; - $this->groupPluginManager = $groupPluginManager; + parent::__construct($helper, $ldap, $accessFactory); } - protected function setup(): void { - if ($this->isSetUp) { - return; - } - - $serverConfigPrefixes = $this->helper->getServerConfigurationPrefixes(true); - foreach ($serverConfigPrefixes as $configPrefix) { - $this->backends[$configPrefix] = - new Group_LDAP($this->getAccess($configPrefix), $this->groupPluginManager); - if (is_null($this->refBackend)) { - $this->refBackend = &$this->backends[$configPrefix]; - } - } - $this->isSetUp = true; + protected function newInstance(string $configPrefix): Group_LDAP { + return new Group_LDAP($this->getAccess($configPrefix), $this->groupPluginManager, $this->config, $this->ncUserManager); } /** @@ -149,7 +120,7 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * Get all groups a user belongs to * * @param string $uid Name of the user - * @return string[] with group names + * @return list<string> with group names * * This function fetches all groups a user belongs to. It does not check * if the user exists at all. @@ -160,18 +131,16 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet $groups = []; foreach ($this->backends as $backend) { $backendGroups = $backend->getUserGroups($uid); - if (is_array($backendGroups)) { - $groups = array_merge($groups, $backendGroups); - } + $groups = array_merge($groups, $backendGroups); } - return $groups; + return array_values(array_unique($groups)); } /** * get a list of all users in a group * - * @return string[] with user ids + * @return array<int,string> user ids */ public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) { $this->setup(); @@ -256,6 +225,21 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet } /** + * {@inheritdoc} + */ + public function getGroupsDetails(array $gids): array { + if (!($this instanceof IGroupDetailsBackend || $this->implementsActions(GroupInterface::GROUP_DETAILS))) { + throw new \Exception('Should not have been called'); + } + + $groupData = []; + foreach ($gids as $gid) { + $groupData[$gid] = $this->handleRequest($gid, 'getGroupDetails', [$gid]); + } + return $groupData; + } + + /** * get a list of all groups * * @return string[] with group names @@ -287,6 +271,33 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet } /** + * Check if a group exists + * + * @throws ServerNotAvailableException + */ + public function groupExistsOnLDAP(string $gid, bool $ignoreCache = false): bool { + return $this->handleRequest($gid, 'groupExistsOnLDAP', [$gid, $ignoreCache]); + } + + /** + * returns the groupname for the given LDAP DN, if available + */ + public function dn2GroupName(string $dn): string|false { + $id = 'DN,' . $dn; + return $this->handleRequest($id, 'dn2GroupName', [$dn]); + } + + /** + * {@inheritdoc} + */ + public function groupsExists(array $gids): array { + return array_values(array_filter( + $gids, + fn (string $gid): bool => $this->handleRequest($gid, 'groupExists', [$gid]), + )); + } + + /** * Check if backend implements actions * * @param int $actions bitwise-or'ed actions @@ -316,9 +327,9 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet * The connection needs to be closed manually. * * @param string $gid - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection */ - public function getNewLDAPConnection($gid) { + public function getNewLDAPConnection($gid): \LDAP\Connection { return $this->handleRequest($gid, 'getNewLDAPConnection', [$gid]); } @@ -334,4 +345,16 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet public function getBackendName(): string { return 'LDAP'; } + + public function searchInGroup(string $gid, string $search = '', int $limit = -1, int $offset = 0): array { + return $this->handleRequest($gid, 'searchInGroup', [$gid, $search, $limit, $offset]); + } + + public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void { + $this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]); + } + + public function isAdmin(string $uid): bool { + return $this->handleRequest($uid, 'isAdmin', [$uid]); + } } diff --git a/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php b/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php index 0d3c5b8f3f3..8b63d54aa66 100644 --- a/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php +++ b/apps/user_ldap/lib/Handler/ExtStorageConfigHandler.php @@ -1,26 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2019 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Julius Härtl <jus@bitgrid.net> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Handler; @@ -62,7 +44,7 @@ class ExtStorageConfigHandler extends UserContext implements IConfigHandler { } $ldapUser = $access->userManager->get($user->getUID()); - $extHome = $ldapUser->getExtStorageHome(); + $extHome = $ldapUser !== null ? $ldapUser->getExtStorageHome() : ''; return $this->processInput($optionValue, $extHome); } diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php index 6668338d195..d3abf04fd1e 100644 --- a/apps/user_ldap/lib/Helper.php +++ b/apps/user_ldap/lib/Helper.php @@ -1,49 +1,26 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author root <root@localhost.localdomain> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; use OCP\Cache\CappedMemoryCache; use OCP\DB\QueryBuilder\IQueryBuilder; -use OCP\IConfig; +use OCP\IAppConfig; use OCP\IDBConnection; +use OCP\Server; class Helper { - private IConfig $config; - private IDBConnection $connection; /** @var CappedMemoryCache<string> */ protected CappedMemoryCache $sanitizeDnCache; - public function __construct(IConfig $config, - IDBConnection $connection) { - $this->config = $config; - $this->connection = $connection; + public function __construct( + private IAppConfig $appConfig, + private IDBConnection $connection, + ) { $this->sanitizeDnCache = new CappedMemoryCache(10000); } @@ -51,7 +28,7 @@ class Helper { * returns prefixes for each saved LDAP/AD server configuration. * * @param bool $activeConfigurations optional, whether only active configuration shall be - * retrieved, defaults to false + * retrieved, defaults to false * @return array with a list of the available prefixes * * Configuration prefixes are used to set up configurations for n LDAP or @@ -68,21 +45,37 @@ class Helper { * except the default (first) server shall be connected to. * */ - public function getServerConfigurationPrefixes($activeConfigurations = false): array { + public function getServerConfigurationPrefixes(bool $activeConfigurations = false): array { + $all = $this->getAllServerConfigurationPrefixes(); + if (!$activeConfigurations) { + return $all; + } + return array_values(array_filter( + $all, + fn (string $prefix): bool => ($this->appConfig->getValueString('user_ldap', $prefix . 'ldap_configuration_active') === '1') + )); + } + + protected function getAllServerConfigurationPrefixes(): array { + $unfilled = ['UNFILLED']; + $prefixes = $this->appConfig->getValueArray('user_ldap', 'configuration_prefixes', $unfilled); + if ($prefixes !== $unfilled) { + return $prefixes; + } + + /* Fallback to browsing key for migration from Nextcloud<32 */ $referenceConfigkey = 'ldap_configuration_active'; $keys = $this->getServersConfig($referenceConfigkey); $prefixes = []; foreach ($keys as $key) { - if ($activeConfigurations && $this->config->getAppValue('user_ldap', $key, '0') !== '1') { - continue; - } - $len = strlen($key) - strlen($referenceConfigkey); $prefixes[] = substr($key, 0, $len); } - asort($prefixes); + sort($prefixes); + + $this->appConfig->setValueArray('user_ldap', 'configuration_prefixes', $prefixes); return $prefixes; } @@ -91,46 +84,45 @@ class Helper { * * determines the host for every configured connection * - * @return array an array with configprefix as keys + * @return array<string,string> an array with configprefix as keys * */ - public function getServerConfigurationHosts() { - $referenceConfigkey = 'ldap_host'; - - $keys = $this->getServersConfig($referenceConfigkey); + public function getServerConfigurationHosts(): array { + $prefixes = $this->getServerConfigurationPrefixes(); + $referenceConfigkey = 'ldap_host'; $result = []; - foreach ($keys as $key) { - $len = strlen($key) - strlen($referenceConfigkey); - $prefix = substr($key, 0, $len); - $result[$prefix] = $this->config->getAppValue('user_ldap', $key); + foreach ($prefixes as $prefix) { + $result[$prefix] = $this->appConfig->getValueString('user_ldap', $prefix . $referenceConfigkey); } return $result; } /** - * return the next available configuration prefix - * - * @return string + * return the next available configuration prefix and register it as used */ - public function getNextServerConfigurationPrefix() { - $serverConnections = $this->getServerConfigurationPrefixes(); - - if (count($serverConnections) === 0) { - return 's01'; + public function getNextServerConfigurationPrefix(): string { + $prefixes = $this->getServerConfigurationPrefixes(); + + if (count($prefixes) === 0) { + $prefix = 's01'; + } else { + sort($prefixes); + $lastKey = array_pop($prefixes); + $lastNumber = (int)str_replace('s', '', $lastKey); + $prefix = 's' . str_pad((string)($lastNumber + 1), 2, '0', STR_PAD_LEFT); } - sort($serverConnections); - $lastKey = array_pop($serverConnections); - $lastNumber = (int)str_replace('s', '', $lastKey); - return 's' . str_pad((string)($lastNumber + 1), 2, '0', STR_PAD_LEFT); + $prefixes[] = $prefix; + $this->appConfig->setValueArray('user_ldap', 'configuration_prefixes', $prefixes); + return $prefix; } private function getServersConfig(string $value): array { $regex = '/' . $value . '$/S'; - $keys = $this->config->getAppKeys('user_ldap'); + $keys = $this->appConfig->getKeys('user_ldap'); $result = []; foreach ($keys as $key) { if (preg_match($regex, $key) === 1) { @@ -148,7 +140,9 @@ class Helper { * @return bool true on success, false otherwise */ public function deleteServerConfiguration($prefix) { - if (!in_array($prefix, self::getServerConfigurationPrefixes())) { + $prefixes = $this->getServerConfigurationPrefixes(); + $index = array_search($prefix, $prefixes); + if ($index === false) { return false; } @@ -167,7 +161,11 @@ class Helper { $query->andWhere($query->expr()->notLike('configkey', $query->createNamedParameter('s%'))); } - $deletedRows = $query->execute(); + $deletedRows = $query->executeStatement(); + + unset($prefixes[$index]); + $this->appConfig->setValueArray('user_ldap', 'configuration_prefixes', array_values($prefixes)); + return $deletedRows !== 0; } @@ -175,10 +173,13 @@ class Helper { * checks whether there is one or more disabled LDAP configurations */ public function haveDisabledConfigurations(): bool { - $all = $this->getServerConfigurationPrefixes(false); - $active = $this->getServerConfigurationPrefixes(true); - - return count($all) !== count($active) || count($all) === 0; + $all = $this->getServerConfigurationPrefixes(); + foreach ($all as $prefix) { + if ($this->appConfig->getValueString('user_ldap', $prefix . 'ldap_configuration_active') !== '1') { + return true; + } + } + return false; } /** @@ -206,6 +207,21 @@ class Helper { /** * sanitizes a DN received from the LDAP server * + * This is used and done to have a stable format of DNs that can be compared + * and identified again. The input DN value is modified as following: + * + * 1) whitespaces after commas are removed + * 2) the DN is turned to lower-case + * 3) the DN is escaped according to RFC 2253 + * + * When a future DN is supposed to be used as a base parameter, it has to be + * run through DNasBaseParameter() first, to recode \5c into a backslash + * again, otherwise the search or read operation will fail with LDAP error + * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash + * being escaped, however. + * + * Internally, DNs are stored in their sanitized form. + * * @param array|string $dn the DN in question * @return array|string the sanitized DN */ @@ -278,7 +294,7 @@ class Helper { throw new \Exception('key uid is expected to be set in $param'); } - $userBackend = \OC::$server->get(User_Proxy::class); + $userBackend = Server::get(User_Proxy::class); $uid = $userBackend->loginName2UserName($param['uid']); if ($uid !== false) { $param['uid'] = $uid; diff --git a/apps/user_ldap/lib/IGroupLDAP.php b/apps/user_ldap/lib/IGroupLDAP.php index 2face1aa907..667eb421004 100644 --- a/apps/user_ldap/lib/IGroupLDAP.php +++ b/apps/user_ldap/lib/IGroupLDAP.php @@ -1,24 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017, EITA Cooperative (eita.org.br) - * - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; @@ -36,7 +20,7 @@ interface IGroupLDAP { /** * Return a new LDAP connection for the specified group. * @param string $gid - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection */ public function getNewLDAPConnection($gid); } diff --git a/apps/user_ldap/lib/ILDAPGroupPlugin.php b/apps/user_ldap/lib/ILDAPGroupPlugin.php index 20cff50e801..261b9383dc1 100644 --- a/apps/user_ldap/lib/ILDAPGroupPlugin.php +++ b/apps/user_ldap/lib/ILDAPGroupPlugin.php @@ -1,24 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; diff --git a/apps/user_ldap/lib/ILDAPUserPlugin.php b/apps/user_ldap/lib/ILDAPUserPlugin.php index 06b86c50385..80437bef452 100644 --- a/apps/user_ldap/lib/ILDAPUserPlugin.php +++ b/apps/user_ldap/lib/ILDAPUserPlugin.php @@ -1,25 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; @@ -76,7 +59,7 @@ interface ILDAPUserPlugin { public function setDisplayName($uid, $displayName); /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot */ diff --git a/apps/user_ldap/lib/ILDAPWrapper.php b/apps/user_ldap/lib/ILDAPWrapper.php index 6ec88effa5f..de2b9c50241 100644 --- a/apps/user_ldap/lib/ILDAPWrapper.php +++ b/apps/user_ldap/lib/ILDAPWrapper.php @@ -1,31 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roger Szabo <roger.szabo@web.de> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; @@ -34,7 +12,7 @@ interface ILDAPWrapper { /** * Bind to LDAP directory - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $dn an RDN to log in with * @param string $password the password * @return bool true on success, false otherwise @@ -47,14 +25,14 @@ interface ILDAPWrapper { * connect to an LDAP server * @param string $host The host to connect to * @param string $port The port to connect to - * @return resource|\LDAP\Connection|false a link resource on success, otherwise false + * @return \LDAP\Connection|false a link resource on success, otherwise false */ public function connect($host, $port); /** * Retrieve the LDAP pagination cookie - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\Result $result LDAP result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource * @param string &$cookie structure sent by LDAP server * @return bool true on success, false otherwise * @@ -64,22 +42,22 @@ interface ILDAPWrapper { /** * Count the number of entries in a search - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\Result $result LDAP result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource * @return int|false number of results on success, false otherwise */ public function countEntries($link, $result); /** * Return the LDAP error number of the last LDAP command - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return int error code */ public function errno($link); /** * Return the LDAP error message of the last LDAP command - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return string error message */ public function error($link); @@ -95,69 +73,69 @@ interface ILDAPWrapper { /** * Return first result id - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\Result $result LDAP result resource - * @return resource|\LDAP\ResultEntry an LDAP entry resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource + * @return \LDAP\ResultEntry an LDAP entry resource * */ public function firstEntry($link, $result); /** * Get attributes from a search result entry - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\ResultEntry $result LDAP result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\ResultEntry $result LDAP result resource * @return array|false containing the results, false on error * */ public function getAttributes($link, $result); /** * Get the DN of a result entry - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\ResultEntry $result LDAP result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\ResultEntry $result LDAP result resource * @return string|false containing the DN, false on error */ public function getDN($link, $result); /** * Get all result entries - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\Result $result LDAP result resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\Result $result LDAP result resource * @return array|false containing the results, false on error */ public function getEntries($link, $result); /** * Return next result id - * @param resource|\LDAP\Connection $link LDAP link resource - * @param resource|\LDAP\ResultEntry $result LDAP result resource - * @return resource|\LDAP\ResultEntry an LDAP entry resource + * @param \LDAP\Connection $link LDAP link resource + * @param \LDAP\ResultEntry $result LDAP result resource + * @return \LDAP\ResultEntry an LDAP entry resource * */ public function nextEntry($link, $result); /** * Read an entry - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $baseDN The DN of the entry to read from * @param string $filter An LDAP filter * @param array $attr array of the attributes to read - * @return resource|\LDAP\Result an LDAP search result resource + * @return \LDAP\Result an LDAP search result resource */ public function read($link, $baseDN, $filter, $attr); /** * Search LDAP tree - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $baseDN The DN of the entry to read from * @param string $filter An LDAP filter * @param array $attr array of the attributes to read * @param int $attrsOnly optional, 1 if only attribute types shall be returned * @param int $limit optional, limits the result entries - * @return resource|\LDAP\Result|false an LDAP search result resource, false on error + * @return \LDAP\Result|false an LDAP search result resource, false on error */ public function search($link, string $baseDN, string $filter, array $attr, int $attrsOnly = 0, int $limit = 0, int $pageSize = 0, string $cookie = ''); /** * Replace the value of a userPassword by $password - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param string $userDN the DN of the user whose password is to be replaced * @param string $password the new value for the userPassword * @return bool true on success, false otherwise @@ -166,14 +144,14 @@ interface ILDAPWrapper { /** * Performs a PASSWD extended operation. - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return bool|string The generated password if new_password is empty or omitted. Otherwise true on success and false on failure. */ public function exopPasswd($link, string $userDN, string $oldPassword, string $password); /** * Sets the value of the specified option to be $value - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @param int $option a defined LDAP Server option * @param mixed $value the new value for the option * @return bool true on success, false otherwise @@ -182,14 +160,14 @@ interface ILDAPWrapper { /** * establish Start TLS - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return bool true on success, false otherwise */ public function startTls($link); /** * Unbind from LDAP directory - * @param resource|\LDAP\Connection $link LDAP link resource + * @param \LDAP\Connection $link LDAP link resource * @return bool true on success, false otherwise */ public function unbind($link); @@ -205,6 +183,7 @@ interface ILDAPWrapper { /** * Checks whether the submitted parameter is a resource * @param mixed $resource the resource variable to check + * @psalm-assert-if-true object $resource * @return bool true if it is a resource or LDAP object, false otherwise */ public function isResource($resource); diff --git a/apps/user_ldap/lib/IUserLDAP.php b/apps/user_ldap/lib/IUserLDAP.php index dfba11c5d34..5e8e29c3adf 100644 --- a/apps/user_ldap/lib/IUserLDAP.php +++ b/apps/user_ldap/lib/IUserLDAP.php @@ -1,43 +1,26 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; interface IUserLDAP { //Functions used by LDAPProvider - + /** * Return access for LDAP interaction. * @param string $uid * @return Access instance of Access for LDAP interaction */ public function getLDAPAccess($uid); - + /** * Return a new LDAP connection for the specified user. * @param string $uid - * @return resource|\LDAP\Connection of the LDAP connection + * @return \LDAP\Connection of the LDAP connection */ public function getNewLDAPConnection($uid); diff --git a/apps/user_ldap/lib/Jobs/CleanUp.php b/apps/user_ldap/lib/Jobs/CleanUp.php index be7c09bd961..76277b43c0b 100644 --- a/apps/user_ldap/lib/Jobs/CleanUp.php +++ b/apps/user_ldap/lib/Jobs/CleanUp.php @@ -1,37 +1,21 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Jobs; -use OCP\AppFramework\Utility\ITimeFactory; -use OCP\BackgroundJob\TimedJob; use OCA\User_LDAP\Helper; use OCA\User_LDAP\Mapping\UserMapping; use OCA\User_LDAP\User\DeletedUsersIndex; -use OCA\User_LDAP\User_LDAP; use OCA\User_LDAP\User_Proxy; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\BackgroundJob\TimedJob; +use OCP\IConfig; +use OCP\IDBConnection; +use OCP\Server; /** * Class CleanUp @@ -45,15 +29,12 @@ class CleanUp extends TimedJob { protected $limit; /** @var int $defaultIntervalMin default interval in minutes */ - protected $defaultIntervalMin = 51; - - /** @var User_LDAP|User_Proxy $userBackend */ - protected $userBackend; + protected $defaultIntervalMin = 60; - /** @var \OCP\IConfig $ocConfig */ + /** @var IConfig $ocConfig */ protected $ocConfig; - /** @var \OCP\IDBConnection $db */ + /** @var IDBConnection $db */ protected $db; /** @var Helper $ldapHelper */ @@ -62,20 +43,15 @@ class CleanUp extends TimedJob { /** @var UserMapping */ protected $mapping; - /** @var DeletedUsersIndex */ - protected $dui; - public function __construct( ITimeFactory $timeFactory, - User_Proxy $userBackend, - DeletedUsersIndex $dui + protected User_Proxy $userBackend, + protected DeletedUsersIndex $dui, ) { parent::__construct($timeFactory); - $minutes = \OC::$server->getConfig()->getSystemValue( + $minutes = Server::get(IConfig::class)->getSystemValue( 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin); $this->setInterval((int)$minutes * 60); - $this->userBackend = $userBackend; - $this->dui = $dui; } /** @@ -91,13 +67,13 @@ class CleanUp extends TimedJob { if (isset($arguments['helper'])) { $this->ldapHelper = $arguments['helper']; } else { - $this->ldapHelper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $this->ldapHelper = Server::get(Helper::class); } if (isset($arguments['ocConfig'])) { $this->ocConfig = $arguments['ocConfig']; } else { - $this->ocConfig = \OC::$server->getConfig(); + $this->ocConfig = Server::get(IConfig::class); } if (isset($arguments['userBackend'])) { @@ -107,13 +83,13 @@ class CleanUp extends TimedJob { if (isset($arguments['db'])) { $this->db = $arguments['db']; } else { - $this->db = \OC::$server->getDatabaseConnection(); + $this->db = Server::get(IDBConnection::class); } if (isset($arguments['mapping'])) { $this->mapping = $arguments['mapping']; } else { - $this->mapping = \OCP\Server::get(UserMapping::class); + $this->mapping = Server::get(UserMapping::class); } if (isset($arguments['deletedUsersIndex'])) { @@ -203,8 +179,8 @@ class CleanUp extends TimedJob { * @param bool $reset whether the offset should be set to 0 */ public function setOffset(bool $reset = false): void { - $newOffset = $reset ? 0 : - $this->getOffset() + $this->getChunkSize(); + $newOffset = $reset ? 0 + : $this->getOffset() + $this->getChunkSize(); $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', (string)$newOffset); } diff --git a/apps/user_ldap/lib/Jobs/Sync.php b/apps/user_ldap/lib/Jobs/Sync.php index b231089b79b..26888ae96ae 100644 --- a/apps/user_ldap/lib/Jobs/Sync.php +++ b/apps/user_ldap/lib/Jobs/Sync.php @@ -1,27 +1,10 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ + namespace OCA\User_LDAP\Jobs; use OC\ServerNotAvailableException; @@ -31,9 +14,9 @@ use OCA\User_LDAP\ConnectionFactory; use OCA\User_LDAP\Helper; use OCA\User_LDAP\LDAP; use OCA\User_LDAP\Mapping\UserMapping; -use OCA\User_LDAP\User\Manager; use OCP\AppFramework\Utility\ITimeFactory; use OCP\BackgroundJob\TimedJob; +use OCP\EventDispatcher\IEventDispatcher; use OCP\IAvatarManager; use OCP\IConfig; use OCP\IDBConnection; @@ -44,47 +27,38 @@ use Psr\Log\LoggerInterface; class Sync extends TimedJob { public const MAX_INTERVAL = 12 * 60 * 60; // 12h public const MIN_INTERVAL = 30 * 60; // 30min - /** @var Helper */ - protected $ldapHelper; - /** @var LDAP */ - protected $ldap; - /** @var Manager */ - protected $userManager; - /** @var UserMapping */ - protected $mapper; - /** @var IConfig */ - protected $config; - /** @var IAvatarManager */ - protected $avatarManager; - /** @var IDBConnection */ - protected $dbc; - /** @var IUserManager */ - protected $ncUserManager; - /** @var LoggerInterface */ - protected $logger; - /** @var IManager */ - protected $notificationManager; - /** @var ConnectionFactory */ - protected $connectionFactory; - /** @var AccessFactory */ - protected $accessFactory; - public function __construct(Manager $userManager, ITimeFactory $time) { - parent::__construct($time); - $this->userManager = $userManager; + protected LDAP $ldap; + + public function __construct( + ITimeFactory $timeFactory, + private IEventDispatcher $dispatcher, + private IConfig $config, + private IDBConnection $dbc, + private IAvatarManager $avatarManager, + private IUserManager $ncUserManager, + private LoggerInterface $logger, + private IManager $notificationManager, + private UserMapping $mapper, + private Helper $ldapHelper, + private ConnectionFactory $connectionFactory, + private AccessFactory $accessFactory, + ) { + parent::__construct($timeFactory); $this->setInterval( - \OC::$server->getConfig()->getAppValue( + (int)$this->config->getAppValue( 'user_ldap', 'background_sync_interval', - self::MIN_INTERVAL + (string)self::MIN_INTERVAL ) ); + $this->ldap = new LDAP($this->config->getSystemValueString('ldap_log_file')); } /** - * updates the interval + * Updates the interval * - * the idea is to adjust the interval depending on the amount of known users + * The idea is to adjust the interval depending on the amount of known users * and the attempt to update each user one day. At most it would run every * 30 minutes, and at least every 12 hours. */ @@ -97,17 +71,16 @@ class Sync extends TimedJob { $interval = floor(24 * 60 * 60 / $runsPerDay); $interval = min(max($interval, self::MIN_INTERVAL), self::MAX_INTERVAL); - $this->config->setAppValue('user_ldap', 'background_sync_interval', $interval); + $this->config->setAppValue('user_ldap', 'background_sync_interval', (string)$interval); } /** * returns the smallest configured paging size - * @return int */ - protected function getMinPagingSize() { + protected function getMinPagingSize(): int { $configKeys = $this->config->getAppKeys('user_ldap'); $configKeys = array_filter($configKeys, function ($key) { - return strpos($key, 'ldap_paging_size') !== false; + return str_contains($key, 'ldap_paging_size'); }); $minPagingSize = null; foreach ($configKeys as $configKey) { @@ -121,10 +94,8 @@ class Sync extends TimedJob { * @param array $argument */ public function run($argument) { - $this->setArgument($argument); - $isBackgroundJobModeAjax = $this->config - ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; + ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax'; if ($isBackgroundJobModeAjax) { return; } @@ -157,10 +128,10 @@ class Sync extends TimedJob { } /** - * @param array $cycleData + * @param array{offset: int, prefix: string} $cycleData * @return bool whether more results are expected from the same configuration */ - public function runCycle($cycleData) { + public function runCycle(array $cycleData): bool { $connection = $this->connectionFactory->get($cycleData['prefix']); $access = $this->accessFactory->get($connection); $access->setUserMapper($this->mapper); @@ -173,7 +144,7 @@ class Sync extends TimedJob { $results = $access->fetchListOfUsers( $filter, $access->userManager->getAttributes(), - $connection->ldapPagingSize, + (int)$connection->ldapPagingSize, $cycleData['offset'], true ); @@ -185,24 +156,22 @@ class Sync extends TimedJob { } /** - * returns the info about the current cycle that should be run, if any, + * Returns the info about the current cycle that should be run, if any, * otherwise null - * - * @return array|null */ - public function getCycle() { + public function getCycle(): ?array { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(true); if (count($prefixes) === 0) { return null; } $cycleData = [ - 'prefix' => $this->config->getAppValue('user_ldap', 'background_sync_prefix', null), - 'offset' => (int)$this->config->getAppValue('user_ldap', 'background_sync_offset', 0), + 'prefix' => $this->config->getAppValue('user_ldap', 'background_sync_prefix', 'none'), + 'offset' => (int)$this->config->getAppValue('user_ldap', 'background_sync_offset', '0'), ]; if ( - $cycleData['prefix'] !== null + $cycleData['prefix'] !== 'none' && in_array($cycleData['prefix'], $prefixes) ) { return $cycleData; @@ -214,21 +183,21 @@ class Sync extends TimedJob { /** * Save the provided cycle information in the DB * - * @param array $cycleData + * @param array{prefix: ?string, offset: int} $cycleData */ - public function setCycle(array $cycleData) { + public function setCycle(array $cycleData): void { $this->config->setAppValue('user_ldap', 'background_sync_prefix', $cycleData['prefix']); - $this->config->setAppValue('user_ldap', 'background_sync_offset', $cycleData['offset']); + $this->config->setAppValue('user_ldap', 'background_sync_offset', (string)$cycleData['offset']); } /** * returns data about the next cycle that should run, if any, otherwise * null. It also always goes for the next LDAP configuration! * - * @param array|null $cycleData the old cycle - * @return array|null + * @param ?array{prefix: string, offset: int} $cycleData the old cycle + * @return ?array{prefix: string, offset: int} */ - public function determineNextCycle(array $cycleData = null) { + public function determineNextCycle(?array $cycleData = null): ?array { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(true); if (count($prefixes) === 0) { return null; @@ -248,14 +217,13 @@ class Sync extends TimedJob { } /** - * Checks whether the provided cycle should be run. Currently only the + * Checks whether the provided cycle should be run. Currently, only the * last configuration change goes into account (at least one hour). * - * @param $cycleData - * @return bool + * @param array{prefix: string} $cycleData */ - public function qualifiesToRun($cycleData) { - $lastChange = $this->config->getAppValue('user_ldap', $cycleData['prefix'] . '_lastChange', 0); + public function qualifiesToRun(array $cycleData): bool { + $lastChange = (int)$this->config->getAppValue('user_ldap', $cycleData['prefix'] . '_lastChange', '0'); if ((time() - $lastChange) > 60 * 30) { return true; } @@ -263,23 +231,20 @@ class Sync extends TimedJob { } /** - * increases the offset of the current cycle for the next run + * Increases the offset of the current cycle for the next run * - * @param $cycleData + * @param array{prefix: string, offset: int} $cycleData */ - protected function increaseOffset($cycleData) { + protected function increaseOffset(array $cycleData): void { $ldapConfig = new Configuration($cycleData['prefix']); $cycleData['offset'] += (int)$ldapConfig->ldapPagingSize; $this->setCycle($cycleData); } /** - * determines the next configuration prefix based on the last one (if any) - * - * @param string|null $lastPrefix - * @return string|null + * Determines the next configuration prefix based on the last one (if any) */ - protected function getNextPrefix($lastPrefix) { + protected function getNextPrefix(?string $lastPrefix): ?string { $prefixes = $this->ldapHelper->getServerConfigurationPrefixes(true); $noOfPrefixes = count($prefixes); if ($noOfPrefixes === 0) { @@ -299,84 +264,9 @@ class Sync extends TimedJob { } /** - * "fixes" DI + * Only used in tests */ - public function setArgument($argument) { - if (isset($argument['config'])) { - $this->config = $argument['config']; - } else { - $this->config = \OC::$server->getConfig(); - } - - if (isset($argument['helper'])) { - $this->ldapHelper = $argument['helper']; - } else { - $this->ldapHelper = new Helper($this->config, \OC::$server->getDatabaseConnection()); - } - - if (isset($argument['ldapWrapper'])) { - $this->ldap = $argument['ldapWrapper']; - } else { - $this->ldap = new LDAP($this->config->getSystemValueString('ldap_log_file')); - } - - if (isset($argument['avatarManager'])) { - $this->avatarManager = $argument['avatarManager']; - } else { - $this->avatarManager = \OC::$server->getAvatarManager(); - } - - if (isset($argument['dbc'])) { - $this->dbc = $argument['dbc']; - } else { - $this->dbc = \OC::$server->getDatabaseConnection(); - } - - if (isset($argument['ncUserManager'])) { - $this->ncUserManager = $argument['ncUserManager']; - } else { - $this->ncUserManager = \OC::$server->getUserManager(); - } - - if (isset($argument['logger'])) { - $this->logger = $argument['logger']; - } else { - $this->logger = \OC::$server->get(LoggerInterface::class); - } - - if (isset($argument['notificationManager'])) { - $this->notificationManager = $argument['notificationManager']; - } else { - $this->notificationManager = \OC::$server->getNotificationManager(); - } - - if (isset($argument['userManager'])) { - $this->userManager = $argument['userManager']; - } - - if (isset($argument['mapper'])) { - $this->mapper = $argument['mapper']; - } else { - $this->mapper = \OCP\Server::get(UserMapping::class); - } - - if (isset($argument['connectionFactory'])) { - $this->connectionFactory = $argument['connectionFactory']; - } else { - $this->connectionFactory = new ConnectionFactory($this->ldap); - } - - if (isset($argument['accessFactory'])) { - $this->accessFactory = $argument['accessFactory']; - } else { - $this->accessFactory = new AccessFactory( - $this->ldap, - $this->userManager, - $this->ldapHelper, - $this->config, - $this->ncUserManager, - $this->logger - ); - } + public function overwritePropertiesForTest(LDAP $ldapWrapper): void { + $this->ldap = $ldapWrapper; } } diff --git a/apps/user_ldap/lib/Jobs/UpdateGroups.php b/apps/user_ldap/lib/Jobs/UpdateGroups.php index 86b4b2b59f4..9e72bcd8432 100644 --- a/apps/user_ldap/lib/Jobs/UpdateGroups.php +++ b/apps/user_ldap/lib/Jobs/UpdateGroups.php @@ -1,76 +1,30 @@ <?php + +declare(strict_types=1); + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Jobs; +use OCA\User_LDAP\Service\UpdateGroupsService; use OCP\AppFramework\Utility\ITimeFactory; use OCP\BackgroundJob\TimedJob; -use OCA\User_LDAP\Group_Proxy; use OCP\DB\Exception; -use OCP\DB\QueryBuilder\IQueryBuilder; -use OCP\EventDispatcher\IEventDispatcher; -use OCP\Group\Events\UserAddedEvent; -use OCP\Group\Events\UserRemovedEvent; use OCP\IConfig; -use OCP\IDBConnection; -use OCP\IGroupManager; -use OCP\IUser; -use OCP\IUserManager; use Psr\Log\LoggerInterface; class UpdateGroups extends TimedJob { - /** @var ?array<string, array{owncloudusers: string, owncloudname: string}> */ - private ?array $groupsFromDB = null; - private Group_Proxy $groupBackend; - private IEventDispatcher $dispatcher; - private IGroupManager $groupManager; - private IUserManager $userManager; - private LoggerInterface $logger; - private IDBConnection $dbc; - public function __construct( - Group_Proxy $groupBackend, - IEventDispatcher $dispatcher, - IGroupManager $groupManager, - IUserManager $userManager, - LoggerInterface $logger, - IDBConnection $dbc, + private UpdateGroupsService $service, + private LoggerInterface $logger, IConfig $config, - ITimeFactory $timeFactory + ITimeFactory $timeFactory, ) { parent::__construct($timeFactory); $this->interval = (int)$config->getAppValue('user_ldap', 'bgjRefreshInterval', '3600'); - $this->groupBackend = $groupBackend; - $this->dispatcher = $dispatcher; - $this->groupManager = $groupManager; - $this->userManager = $userManager; - $this->logger = $logger; - $this->dbc = $dbc; } /** @@ -78,190 +32,7 @@ class UpdateGroups extends TimedJob { * @throws Exception */ public function run($argument): void { - $this->updateGroups(); - } - - /** - * @throws Exception - */ - public function updateGroups(): void { - $this->logger->debug( - 'Run background job "updateGroups"', - ['app' => 'user_ldap'] - ); - - /** @var string[] $knownGroups */ - $knownGroups = array_keys($this->getKnownGroups()); - $actualGroups = $this->groupBackend->getGroups(); - - if (empty($actualGroups) && empty($knownGroups)) { - $this->logger->info( - 'bgJ "updateGroups" – groups do not seem to be configured properly, aborting.', - ['app' => 'user_ldap'] - ); - return; - } - - $this->handleKnownGroups(array_intersect($actualGroups, $knownGroups)); - $this->handleCreatedGroups(array_diff($actualGroups, $knownGroups)); - $this->handleRemovedGroups(array_diff($knownGroups, $actualGroups)); - - $this->logger->debug( - 'bgJ "updateGroups" – Finished.', - ['app' => 'user_ldap'] - ); - } - - /** - * @return array<string, array{owncloudusers: string, owncloudname: string}> - * @throws Exception - */ - private function getKnownGroups(): array { - if (is_array($this->groupsFromDB)) { - return $this->groupsFromDB; - } - $qb = $this->dbc->getQueryBuilder(); - $qb->select(['owncloudname', 'owncloudusers']) - ->from('ldap_group_members'); - - $qResult = $qb->executeQuery(); - $result = $qResult->fetchAll(); - $qResult->closeCursor(); - - $this->groupsFromDB = []; - foreach ($result as $dataset) { - $this->groupsFromDB[$dataset['owncloudname']] = $dataset; - } - - return $this->groupsFromDB; - } - - /** - * @param string[] $groups - * @throws Exception - */ - private function handleKnownGroups(array $groups): void { - $this->logger->debug( - 'bgJ "updateGroups" – Dealing with known Groups.', - ['app' => 'user_ldap'] - ); - $qb = $this->dbc->getQueryBuilder(); - $qb->update('ldap_group_members') - ->set('owncloudusers', $qb->createParameter('members')) - ->where($qb->expr()->eq('owncloudname', $qb->createParameter('groupId'))); - - $groupsFromDB = $this->getKnownGroups(); - foreach ($groups as $group) { - $knownUsers = unserialize($groupsFromDB[$group]['owncloudusers']); - $actualUsers = $this->groupBackend->usersInGroup($group); - $hasChanged = false; - - $groupObject = $this->groupManager->get($group); - foreach (array_diff($knownUsers, $actualUsers) as $removedUser) { - $userObject = $this->userManager->get($removedUser); - if ($userObject instanceof IUser) { - $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); - } - $this->logger->info( - 'bgJ "updateGroups" – {user} removed from {group}', - [ - 'app' => 'user_ldap', - 'user' => $removedUser, - 'group' => $group - ] - ); - $hasChanged = true; - } - foreach (array_diff($actualUsers, $knownUsers) as $addedUser) { - $userObject = $this->userManager->get($addedUser); - if ($userObject instanceof IUser) { - $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); - } - $this->logger->info( - 'bgJ "updateGroups" – {user} added to {group}', - [ - 'app' => 'user_ldap', - 'user' => $addedUser, - 'group' => $group - ] - ); - $hasChanged = true; - } - if ($hasChanged) { - $qb->setParameters([ - 'members' => serialize($actualUsers), - 'groupId' => $group - ]); - $qb->executeStatement(); - } - } - $this->logger->debug( - 'bgJ "updateGroups" – FINISHED dealing with known Groups.', - ['app' => 'user_ldap'] - ); - } - - /** - * @param string[] $createdGroups - * @throws Exception - */ - private function handleCreatedGroups(array $createdGroups): void { - $this->logger->debug( - 'bgJ "updateGroups" – dealing with created Groups.', - ['app' => 'user_ldap'] - ); - - $query = $this->dbc->getQueryBuilder(); - $query->insert('ldap_group_members') - ->setValue('owncloudname', $query->createParameter('owncloudname')) - ->setValue('owncloudusers', $query->createParameter('owncloudusers')); - - foreach ($createdGroups as $createdGroup) { - $this->logger->info( - 'bgJ "updateGroups" – new group "' . $createdGroup . '" found.', - ['app' => 'user_ldap'] - ); - $users = serialize($this->groupBackend->usersInGroup($createdGroup)); - - $query->setParameter('owncloudname', $createdGroup) - ->setParameter('owncloudusers', $users); - $query->executeStatement(); - } - $this->logger->debug( - 'bgJ "updateGroups" – FINISHED dealing with created Groups.', - ['app' => 'user_ldap'] - ); - } - - /** - * @param string[] $removedGroups - * @throws Exception - */ - private function handleRemovedGroups(array $removedGroups): void { - $this->logger->debug( - 'bgJ "updateGroups" – dealing with removed groups.', - ['app' => 'user_ldap'] - ); - - $query = $this->dbc->getQueryBuilder(); - $query->delete('ldap_group_members') - ->where($query->expr()->in('owncloudname', $query->createParameter('owncloudnames'))); - - foreach (array_chunk($removedGroups, 1000) as $removedGroupsChunk) { - $this->logger->info( - 'bgJ "updateGroups" – groups {removedGroups} were removed.', - [ - 'app' => 'user_ldap', - 'removedGroups' => $removedGroupsChunk - ] - ); - $query->setParameter('owncloudnames', $removedGroupsChunk, IQueryBuilder::PARAM_STR_ARRAY); - $query->executeStatement(); - } - - $this->logger->debug( - 'bgJ "updateGroups" – FINISHED dealing with removed groups.', - ['app' => 'user_ldap'] - ); + $this->logger->debug('Run background job "updateGroups"'); + $this->service->updateGroups(); } } diff --git a/apps/user_ldap/lib/LDAP.php b/apps/user_ldap/lib/LDAP.php index 5730907b653..1cf20c4b939 100644 --- a/apps/user_ldap/lib/LDAP.php +++ b/apps/user_ldap/lib/LDAP.php @@ -1,62 +1,40 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Peter Kubica <peter@kubica.ch> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Carl Schwan <carl@carlschwan.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; -use OCP\Profiler\IProfiler; use OC\ServerNotAvailableException; use OCA\User_LDAP\DataCollector\LdapDataCollector; use OCA\User_LDAP\Exceptions\ConstraintViolationException; +use OCP\IConfig; +use OCP\ILogger; +use OCP\Profiler\IProfiler; +use OCP\Server; use Psr\Log\LoggerInterface; class LDAP implements ILDAPWrapper { - protected string $logFile = ''; protected array $curArgs = []; protected LoggerInterface $logger; + protected IConfig $config; private ?LdapDataCollector $dataCollector = null; - public function __construct(string $logFile = '') { - $this->logFile = $logFile; - + public function __construct( + protected string $logFile = '', + ) { /** @var IProfiler $profiler */ - $profiler = \OC::$server->get(IProfiler::class); + $profiler = Server::get(IProfiler::class); if ($profiler->isEnabled()) { $this->dataCollector = new LdapDataCollector(); $profiler->add($this->dataCollector); } - $this->logger = \OCP\Server::get(LoggerInterface::class); + $this->logger = Server::get(LoggerInterface::class); + $this->config = Server::get(IConfig::class); } /** @@ -190,17 +168,22 @@ class LDAP implements ILDAPWrapper { * {@inheritDoc} */ public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit = 0, int $pageSize = 0, string $cookie = '') { - $serverControls = [[ - 'oid' => LDAP_CONTROL_PAGEDRESULTS, - 'value' => [ - 'size' => $pageSize, - 'cookie' => $cookie, - ], - 'iscritical' => false, - ]]; + if ($pageSize > 0 || $cookie !== '') { + $serverControls = [[ + 'oid' => LDAP_CONTROL_PAGEDRESULTS, + 'value' => [ + 'size' => $pageSize, + 'cookie' => $cookie, + ], + 'iscritical' => false, + ]]; + } else { + $serverControls = []; + } + /** @psalm-suppress UndefinedVariable $oldHandler is defined when the closure is called but psalm fails to get that */ $oldHandler = set_error_handler(function ($no, $message, $file, $line) use (&$oldHandler) { - if (strpos($message, 'Partial search results returned: Sizelimit exceeded') !== false) { + if (str_contains($message, 'Partial search results returned: Sizelimit exceeded')) { return true; } $oldHandler($no, $message, $file, $line); @@ -311,34 +294,49 @@ class LDAP implements ILDAPWrapper { return null; } + /** + * Turn resources into string, and removes potentially problematic cookie string to avoid breaking logfiles + */ + private function sanitizeFunctionParameters(array $args): array { + return array_map(function ($item) { + if ($this->isResource($item)) { + return '(resource)'; + } + if (isset($item[0]['value']['cookie']) && $item[0]['value']['cookie'] !== '') { + $item[0]['value']['cookie'] = '*opaque cookie*'; + } + return $item; + }, $args); + } + private function preFunctionCall(string $functionName, array $args): void { $this->curArgs = $args; - $this->logger->debug('Calling LDAP function {func} with parameters {args}', [ - 'app' => 'user_ldap', - 'func' => $functionName, - 'args' => json_encode($args), - ]); + if (strcasecmp($functionName, 'ldap_bind') === 0 || strcasecmp($functionName, 'ldap_exop_passwd') === 0) { + // The arguments are not key value pairs + // \OCA\User_LDAP\LDAP::bind passes 3 arguments, the 3rd being the pw + // Remove it via direct array access for now, although a better solution could be found mebbe? + // @link https://github.com/nextcloud/server/issues/38461 + $args[2] = IConfig::SENSITIVE_VALUE; + } - if ($this->dataCollector !== null) { - $args = array_map(function ($item) { - if ($this->isResource($item)) { - return '(resource)'; - } - if (isset($item[0]['value']['cookie']) && $item[0]['value']['cookie'] !== "") { - $item[0]['value']['cookie'] = "*opaque cookie*"; - } - return $item; - }, $this->curArgs); + if ($this->config->getSystemValue('loglevel') === ILogger::DEBUG) { + /* Only running this if debug loglevel is on, to avoid processing parameters on production */ + $this->logger->debug('Calling LDAP function {func} with parameters {args}', [ + 'app' => 'user_ldap', + 'func' => $functionName, + 'args' => $this->sanitizeFunctionParameters($args), + ]); + } + if ($this->dataCollector !== null) { $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); - $this->dataCollector->startLdapRequest($functionName, $args, $backtrace); + $this->dataCollector->startLdapRequest($functionName, $this->sanitizeFunctionParameters($args), $backtrace); } if ($this->logFile !== '' && is_writable(dirname($this->logFile)) && (!file_exists($this->logFile) || is_writable($this->logFile))) { - $args = array_map(fn ($item) => (!$this->isResource($item) ? $item : '(resource)'), $this->curArgs); file_put_contents( $this->logFile, - $functionName . '::' . json_encode($args) . "\n", + $functionName . '::' . json_encode($this->sanitizeFunctionParameters($args)) . "\n", FILE_APPEND ); } @@ -347,7 +345,7 @@ class LDAP implements ILDAPWrapper { /** * Analyzes the returned LDAP error and acts accordingly if not 0 * - * @param resource|\LDAP\Connection $resource the LDAP Connection resource + * @param \LDAP\Connection $resource the LDAP Connection resource * @throws ConstraintViolationException * @throws ServerNotAvailableException * @throws \Exception @@ -381,13 +379,13 @@ class LDAP implements ILDAPWrapper { /** * Called after an ldap method is run to act on LDAP error if necessary - * @throw \Exception + * @throws \Exception */ private function postFunctionCall(string $functionName): void { if ($this->isResource($this->curArgs[0])) { $resource = $this->curArgs[0]; } elseif ( - $functionName === 'ldap_search' + $functionName === 'ldap_search' && is_array($this->curArgs[0]) && $this->isResource($this->curArgs[0][0]) ) { diff --git a/apps/user_ldap/lib/LDAPProvider.php b/apps/user_ldap/lib/LDAPProvider.php index 751ebf68768..d9750ae3fcf 100644 --- a/apps/user_ldap/lib/LDAPProvider.php +++ b/apps/user_ldap/lib/LDAPProvider.php @@ -1,30 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; @@ -32,32 +11,33 @@ use OCA\User_LDAP\User\DeletedUsersIndex; use OCP\IServerContainer; use OCP\LDAP\IDeletionFlagSupport; use OCP\LDAP\ILDAPProvider; +use Psr\Log\LoggerInterface; /** - * LDAP provider for pulic access to the LDAP backend. + * LDAP provider for public access to the LDAP backend. */ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { private $userBackend; private $groupBackend; private $logger; - private $helper; - private $deletedUsersIndex; /** * Create new LDAPProvider - * @param \OCP\IServerContainer $serverContainer + * @param IServerContainer $serverContainer * @param Helper $helper * @param DeletedUsersIndex $deletedUsersIndex * @throws \Exception if user_ldap app was not enabled */ - public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) { - $this->logger = $serverContainer->getLogger(); - $this->helper = $helper; - $this->deletedUsersIndex = $deletedUsersIndex; + public function __construct( + IServerContainer $serverContainer, + private Helper $helper, + private DeletedUsersIndex $deletedUsersIndex, + ) { + $this->logger = $serverContainer->get(LoggerInterface::class); $userBackendFound = false; $groupBackendFound = false; foreach ($serverContainer->getUserManager()->getBackends() as $backend) { - $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']); + $this->logger->debug('instance ' . get_class($backend) . ' user backend.', ['app' => 'user_ldap']); if ($backend instanceof IUserLDAP) { $this->userBackend = $backend; $userBackendFound = true; @@ -65,7 +45,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { } } foreach ($serverContainer->getGroupManager()->getBackends() as $backend) { - $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']); + $this->logger->debug('instance ' . get_class($backend) . ' group backend.', ['app' => 'user_ldap']); if ($backend instanceof IGroupLDAP) { $this->groupBackend = $backend; $groupBackendFound = true; @@ -138,8 +118,8 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { /** * Sanitize a DN received from the LDAP server. - * @param array $dn the DN in question - * @return array the sanitized DN + * @param array|string $dn the DN in question + * @return array|string the sanitized DN */ public function sanitizeDN($dn) { return $this->helper->sanitizeDN($dn); @@ -149,7 +129,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * Return a new LDAP connection resource for the specified user. * The connection must be closed manually. * @param string $uid user id - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws \Exception if user id was not found in LDAP */ public function getLDAPConnection($uid) { @@ -163,7 +143,7 @@ class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { * Return a new LDAP connection resource for the specified user. * The connection must be closed manually. * @param string $gid group id - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection * @throws \Exception if group id was not found in LDAP */ public function getGroupLDAPConnection($gid) { diff --git a/apps/user_ldap/lib/LDAPProviderFactory.php b/apps/user_ldap/lib/LDAPProviderFactory.php index 13887921603..8fad9d52206 100644 --- a/apps/user_ldap/lib/LDAPProviderFactory.php +++ b/apps/user_ldap/lib/LDAPProviderFactory.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author root <root@localhost.localdomain> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; @@ -30,11 +12,10 @@ use OCP\LDAP\ILDAPProvider; use OCP\LDAP\ILDAPProviderFactory; class LDAPProviderFactory implements ILDAPProviderFactory { - /** * @var IServerContainer */ - private $serverContainer; - - public function __construct(IServerContainer $serverContainer) { - $this->serverContainer = $serverContainer; + public function __construct( + /** * @var IServerContainer */ + private IServerContainer $serverContainer, + ) { } public function getLDAPProvider(): ILDAPProvider { diff --git a/apps/user_ldap/lib/LDAPUtility.php b/apps/user_ldap/lib/LDAPUtility.php index a8e4c16fac7..39b517528e2 100644 --- a/apps/user_ldap/lib/LDAPUtility.php +++ b/apps/user_ldap/lib/LDAPUtility.php @@ -1,37 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; abstract class LDAPUtility { - protected ILDAPWrapper $ldap; - /** * constructor, make sure the subclasses call this one! - * @param ILDAPWrapper $ldapWrapper an instance of an ILDAPWrapper + * @param ILDAPWrapper $ldap an instance of an ILDAPWrapper */ - public function __construct(ILDAPWrapper $ldapWrapper) { - $this->ldap = $ldapWrapper; + public function __construct( + protected ILDAPWrapper $ldap, + ) { } } diff --git a/apps/user_ldap/lib/LoginListener.php b/apps/user_ldap/lib/LoginListener.php new file mode 100644 index 00000000000..f397f4694d2 --- /dev/null +++ b/apps/user_ldap/lib/LoginListener.php @@ -0,0 +1,147 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\User_LDAP; + +use OCA\User_LDAP\Db\GroupMembership; +use OCA\User_LDAP\Db\GroupMembershipMapper; +use OCP\DB\Exception; +use OCP\EventDispatcher\Event; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\EventDispatcher\IEventListener; +use OCP\Group\Events\UserAddedEvent; +use OCP\Group\Events\UserRemovedEvent; +use OCP\IGroupManager; +use OCP\IUser; +use OCP\User\Events\PostLoginEvent; +use Psr\Log\LoggerInterface; + +/** + * @template-implements IEventListener<PostLoginEvent> + */ +class LoginListener implements IEventListener { + public function __construct( + private IEventDispatcher $dispatcher, + private Group_Proxy $groupBackend, + private IGroupManager $groupManager, + private LoggerInterface $logger, + private GroupMembershipMapper $groupMembershipMapper, + ) { + } + + public function handle(Event $event): void { + if ($event instanceof PostLoginEvent) { + $this->onPostLogin($event->getUser()); + } + } + + public function onPostLogin(IUser $user): void { + $this->logger->info( + self::class . ' - {user} postLogin', + [ + 'app' => 'user_ldap', + 'user' => $user->getUID(), + ] + ); + $this->updateGroups($user); + } + + private function updateGroups(IUser $userObject): void { + $userId = $userObject->getUID(); + $groupMemberships = $this->groupMembershipMapper->findGroupMembershipsForUser($userId); + $knownGroups = array_map( + static fn (GroupMembership $groupMembership): string => $groupMembership->getGroupid(), + $groupMemberships + ); + $groupMemberships = array_combine($knownGroups, $groupMemberships); + $actualGroups = $this->groupBackend->getUserGroups($userId); + + $newGroups = array_diff($actualGroups, $knownGroups); + $oldGroups = array_diff($knownGroups, $actualGroups); + foreach ($newGroups as $groupId) { + $groupObject = $this->groupManager->get($groupId); + if ($groupObject === null) { + $this->logger->error( + self::class . ' - group {group} could not be found (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId + ] + ); + continue; + } + try { + $this->groupMembershipMapper->insert(GroupMembership::fromParams(['groupid' => $groupId,'userid' => $userId])); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + $this->logger->error( + self::class . ' - group {group} membership failed to be added (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId, + 'exception' => $e, + ] + ); + } + /* We failed to insert the groupmembership so we do not want to advertise it */ + continue; + } + $this->groupBackend->addRelationshipToCaches($userId, null, $groupId); + $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); + $this->logger->info( + self::class . ' - {user} added to {group}', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId + ] + ); + } + foreach ($oldGroups as $groupId) { + try { + $this->groupMembershipMapper->delete($groupMemberships[$groupId]); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_DATABASE_OBJECT_NOT_FOUND) { + $this->logger->error( + self::class . ' - group {group} membership failed to be removed (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId, + 'exception' => $e, + ] + ); + } + /* We failed to delete the groupmembership so we do not want to advertise it */ + continue; + } + $groupObject = $this->groupManager->get($groupId); + if ($groupObject === null) { + $this->logger->error( + self::class . ' - group {group} could not be found (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $userId, + 'group' => $groupId + ] + ); + continue; + } + $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); + $this->logger->info( + 'service "updateGroups" - {user} removed from {group}', + [ + 'user' => $userId, + 'group' => $groupId + ] + ); + } + } +} diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php index 3f05091a537..fa10312a915 100644 --- a/apps/user_ldap/lib/Mapping/AbstractMapping.php +++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php @@ -1,35 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Aaron Wood <aaronjwood@gmail.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author blizzz <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Mapping; use Doctrine\DBAL\Exception; -use Doctrine\DBAL\Platforms\SqlitePlatform; use OCP\DB\IPreparedStatement; use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IDBConnection; +use OCP\Server; +use Psr\Log\LoggerInterface; /** * Class AbstractMapping @@ -38,11 +21,6 @@ use OCP\DB\QueryBuilder\IQueryBuilder; */ abstract class AbstractMapping { /** - * @var \OCP\IDBConnection $dbc - */ - protected $dbc; - - /** * returns the DB table name which holds the mappings * * @return string @@ -50,10 +28,11 @@ abstract class AbstractMapping { abstract protected function getTableName(bool $includePrefix = true); /** - * @param \OCP\IDBConnection $dbc + * @param IDBConnection $dbc */ - public function __construct(\OCP\IDBConnection $dbc) { - $this->dbc = $dbc; + public function __construct( + protected IDBConnection $dbc, + ) { } /** @var array caches Names (value) by DN (key) */ @@ -234,7 +213,7 @@ abstract class AbstractMapping { public function getListOfIdsByDn(array $fdns): array { $totalDBParamLimit = 65000; $sliceSize = 1000; - $maxSlices = $this->dbc->getDatabasePlatform() instanceof SqlitePlatform ? 9 : $totalDBParamLimit / $sliceSize; + $maxSlices = $this->dbc->getDatabaseProvider() === IDBConnection::PLATFORM_SQLITE ? 9 : $totalDBParamLimit / $sliceSize; $results = []; $slice = 1; @@ -277,7 +256,7 @@ abstract class AbstractMapping { * * @return string[] */ - public function getNamesBySearch(string $search, string $prefixMatch = "", string $postfixMatch = ""): array { + public function getNamesBySearch(string $search, string $prefixMatch = '', string $postfixMatch = ''): array { $statement = $this->dbc->prepare(' SELECT `owncloud_name` FROM `' . $this->getTableName() . '` @@ -321,7 +300,7 @@ abstract class AbstractMapping { return $this->getXbyY('directory_uuid', 'ldap_dn_hash', $this->getDNHash($dn)); } - public function getList(int $offset = 0, int $limit = null, bool $invalidatedOnly = false): array { + public function getList(int $offset = 0, ?int $limit = null, bool $invalidatedOnly = false): array { $select = $this->dbc->getQueryBuilder(); $select->selectAlias('ldap_dn', 'dn') ->selectAlias('owncloud_name', 'name') @@ -351,7 +330,7 @@ abstract class AbstractMapping { */ public function map($fdn, $name, $uuid) { if (mb_strlen($fdn) > 4000) { - \OC::$server->getLogger()->error( + Server::get(LoggerInterface::class)->error( 'Cannot map, because the DN exceeds 4000 characters: {dn}', [ 'app' => 'user_ldap', @@ -424,7 +403,7 @@ abstract class AbstractMapping { * @param callable $preCallback * @param callable $postCallback * @return bool true on success, false when at least one row was not - * deleted + * deleted */ public function clearCb(callable $preCallback, callable $postCallback): bool { $picker = $this->dbc->getQueryBuilder(); @@ -452,7 +431,7 @@ abstract class AbstractMapping { $query = $this->dbc->getQueryBuilder(); $query->select($query->func()->count('ldap_dn_hash')) ->from($this->getTableName()); - $res = $query->execute(); + $res = $query->executeQuery(); $count = $res->fetchOne(); $res->closeCursor(); return (int)$count; @@ -463,7 +442,7 @@ abstract class AbstractMapping { $query->select($query->func()->count('ldap_dn_hash')) ->from($this->getTableName()) ->where($query->expr()->like('directory_uuid', $query->createNamedParameter('invalidated_%'))); - $res = $query->execute(); + $res = $query->executeQuery(); $count = $res->fetchOne(); $res->closeCursor(); return (int)$count; diff --git a/apps/user_ldap/lib/Mapping/GroupMapping.php b/apps/user_ldap/lib/Mapping/GroupMapping.php index e8518e5e9fc..d9ae5e749fc 100644 --- a/apps/user_ldap/lib/Mapping/GroupMapping.php +++ b/apps/user_ldap/lib/Mapping/GroupMapping.php @@ -1,24 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Mapping; diff --git a/apps/user_ldap/lib/Mapping/UserMapping.php b/apps/user_ldap/lib/Mapping/UserMapping.php index ade9c67213a..a030cd0ab52 100644 --- a/apps/user_ldap/lib/Mapping/UserMapping.php +++ b/apps/user_ldap/lib/Mapping/UserMapping.php @@ -1,24 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\Mapping; @@ -35,11 +20,12 @@ use OCP\Support\Subscription\IAssertion; */ class UserMapping extends AbstractMapping { - private IAssertion $assertion; protected const PROV_API_REGEX = '/\/ocs\/v[1-9].php\/cloud\/(groups|users)/'; - public function __construct(IDBConnection $dbc, IAssertion $assertion) { - $this->assertion = $assertion; + public function __construct( + IDBConnection $dbc, + private IAssertion $assertion, + ) { parent::__construct($dbc); } diff --git a/apps/user_ldap/lib/Migration/GroupMappingMigration.php b/apps/user_ldap/lib/Migration/GroupMappingMigration.php index f89bebe57d6..7dfb8705770 100644 --- a/apps/user_ldap/lib/Migration/GroupMappingMigration.php +++ b/apps/user_ldap/lib/Migration/GroupMappingMigration.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -31,11 +14,9 @@ use OCP\Migration\SimpleMigrationStep; abstract class GroupMappingMigration extends SimpleMigrationStep { - /** @var IDBConnection */ - private $dbc; - - public function __construct(IDBConnection $dbc) { - $this->dbc = $dbc; + public function __construct( + private IDBConnection $dbc, + ) { } protected function copyGroupMappingData(string $sourceTable, string $destinationTable): void { @@ -60,7 +41,7 @@ abstract class GroupMappingMigration extends SimpleMigrationStep { ->setParameter('owncloud_name', $row['owncloud_name']) ->setParameter('directory_uuid', $row['directory_uuid']) ->setParameter('ldap_dn_hash', $row['ldap_dn_hash']) - ; + ; $insert->executeStatement(); } diff --git a/apps/user_ldap/lib/Migration/RemoveRefreshTime.php b/apps/user_ldap/lib/Migration/RemoveRefreshTime.php index 501076ed0e8..88ac56ccb84 100644 --- a/apps/user_ldap/lib/Migration/RemoveRefreshTime.php +++ b/apps/user_ldap/lib/Migration/RemoveRefreshTime.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -39,14 +22,10 @@ use OCP\Migration\IRepairStep; */ class RemoveRefreshTime implements IRepairStep { - /** @var IDBConnection */ - private $dbc; - /** @var IConfig */ - private $config; - - public function __construct(IDBConnection $dbc, IConfig $config) { - $this->dbc = $dbc; - $this->config = $config; + public function __construct( + private IDBConnection $dbc, + private IConfig $config, + ) { } public function getName() { @@ -60,6 +39,6 @@ class RemoveRefreshTime implements IRepairStep { $qb->delete('preferences') ->where($qb->expr()->eq('appid', $qb->createNamedParameter('user_ldap'))) ->andWhere($qb->expr()->eq('configkey', $qb->createNamedParameter('lastFeatureRefresh'))) - ->execute(); + ->executeStatement(); } } diff --git a/apps/user_ldap/lib/Migration/SetDefaultProvider.php b/apps/user_ldap/lib/Migration/SetDefaultProvider.php index 15dba57e5f3..0bb04438a1d 100644 --- a/apps/user_ldap/lib/Migration/SetDefaultProvider.php +++ b/apps/user_ldap/lib/Migration/SetDefaultProvider.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright 2020 Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -33,16 +16,10 @@ use OCP\Migration\IRepairStep; class SetDefaultProvider implements IRepairStep { - /** @var IConfig */ - private $config; - - /** @var Helper */ - private $helper; - - public function __construct(IConfig $config, - Helper $helper) { - $this->config = $config; - $this->helper = $helper; + public function __construct( + private IConfig $config, + private Helper $helper, + ) { } public function getName(): string { diff --git a/apps/user_ldap/lib/Migration/UUIDFix.php b/apps/user_ldap/lib/Migration/UUIDFix.php index 74ab65d347c..e853f3bba66 100644 --- a/apps/user_ldap/lib/Migration/UUIDFix.php +++ b/apps/user_ldap/lib/Migration/UUIDFix.php @@ -1,39 +1,19 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; -use OC\BackgroundJob\QueuedJob; use OCA\User_LDAP\Mapping\AbstractMapping; use OCA\User_LDAP\Proxy; use OCA\User_LDAP\User_Proxy; +use OCP\BackgroundJob\QueuedJob; abstract class UUIDFix extends QueuedJob { - /** @var AbstractMapping */ - protected $mapper; - - /** @var Proxy */ - protected $proxy; + protected AbstractMapping $mapper; + protected Proxy $proxy; public function run($argument) { $isUser = $this->proxy instanceof User_Proxy; diff --git a/apps/user_ldap/lib/Migration/UUIDFixGroup.php b/apps/user_ldap/lib/Migration/UUIDFixGroup.php index a90dcb5a938..3924c91e7ba 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixGroup.php +++ b/apps/user_ldap/lib/Migration/UUIDFixGroup.php @@ -1,32 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; use OCA\User_LDAP\Group_Proxy; use OCA\User_LDAP\Mapping\GroupMapping; +use OCP\AppFramework\Utility\ITimeFactory; class UUIDFixGroup extends UUIDFix { - public function __construct(GroupMapping $mapper, Group_Proxy $proxy) { + public function __construct(ITimeFactory $time, GroupMapping $mapper, Group_Proxy $proxy) { + parent::__construct($time); $this->mapper = $mapper; $this->proxy = $proxy; } diff --git a/apps/user_ldap/lib/Migration/UUIDFixInsert.php b/apps/user_ldap/lib/Migration/UUIDFixInsert.php index a8e9d2829d7..bb92314d93a 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixInsert.php +++ b/apps/user_ldap/lib/Migration/UUIDFixInsert.php @@ -1,26 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -33,23 +15,12 @@ use OCP\Migration\IRepairStep; class UUIDFixInsert implements IRepairStep { - /** @var IConfig */ - protected $config; - - /** @var UserMapping */ - protected $userMapper; - - /** @var GroupMapping */ - protected $groupMapper; - - /** @var IJobList */ - protected $jobList; - - public function __construct(IConfig $config, UserMapping $userMapper, GroupMapping $groupMapper, IJobList $jobList) { - $this->config = $config; - $this->userMapper = $userMapper; - $this->groupMapper = $groupMapper; - $this->jobList = $jobList; + public function __construct( + protected IConfig $config, + protected UserMapping $userMapper, + protected GroupMapping $groupMapper, + protected IJobList $jobList, + ) { } /** @@ -90,7 +61,7 @@ class UUIDFixInsert implements IRepairStep { $this->jobList->add($jobClass, ['records' => $records]); $offset += $batchSize; } catch (\InvalidArgumentException $e) { - if (strpos($e->getMessage(), 'Background job arguments can\'t exceed 4000') !== false) { + if (str_contains($e->getMessage(), 'Background job arguments can\'t exceed 4000')) { $batchSize = (int)floor(count($records) * 0.8); $retry = true; } diff --git a/apps/user_ldap/lib/Migration/UUIDFixUser.php b/apps/user_ldap/lib/Migration/UUIDFixUser.php index 2cb7ac8bdfb..71c3f638095 100644 --- a/apps/user_ldap/lib/Migration/UUIDFixUser.php +++ b/apps/user_ldap/lib/Migration/UUIDFixUser.php @@ -1,32 +1,18 @@ <?php + /** - * @copyright Copyright (c) 2017 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; -use OCA\User_LDAP\User_Proxy; use OCA\User_LDAP\Mapping\UserMapping; +use OCA\User_LDAP\User_Proxy; +use OCP\AppFramework\Utility\ITimeFactory; class UUIDFixUser extends UUIDFix { - public function __construct(UserMapping $mapper, User_Proxy $proxy) { + public function __construct(ITimeFactory $time, UserMapping $mapper, User_Proxy $proxy) { + parent::__construct($time); $this->mapper = $mapper; $this->proxy = $proxy; } diff --git a/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php b/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php index a696b815856..025415cf712 100644 --- a/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php +++ b/apps/user_ldap/lib/Migration/UnsetDefaultProvider.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright 2021 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -32,11 +15,9 @@ use OCP\Migration\IRepairStep; class UnsetDefaultProvider implements IRepairStep { - /** @var IConfig */ - private $config; - - public function __construct(IConfig $config) { - $this->config = $config; + public function __construct( + private IConfig $config, + ) { } public function getName(): string { diff --git a/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php b/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php index 5c7dc7db95c..1464e50e359 100644 --- a/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php +++ b/apps/user_ldap/lib/Migration/Version1010Date20200630192842.php @@ -3,32 +3,14 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; use Closure; -use OCP\DB\Types; use OCP\DB\ISchemaWrapper; +use OCP\DB\Types; use OCP\Migration\IOutput; use OCP\Migration\SimpleMigrationStep; diff --git a/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php b/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php index b7a9b81d6a0..dc3823bf771 100644 --- a/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php +++ b/apps/user_ldap/lib/Migration/Version1120Date20210917155206.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -31,7 +14,6 @@ use OC\Hooks\PublicEmitter; use OCP\DB\Exception; use OCP\DB\ISchemaWrapper; use OCP\DB\QueryBuilder\IQueryBuilder; -use OCP\DB\Types; use OCP\IDBConnection; use OCP\IUserManager; use OCP\Migration\IOutput; @@ -40,17 +22,11 @@ use Psr\Log\LoggerInterface; class Version1120Date20210917155206 extends SimpleMigrationStep { - /** @var IDBConnection */ - private $dbc; - /** @var IUserManager */ - private $userManager; - /** @var LoggerInterface */ - private $logger; - - public function __construct(IDBConnection $dbc, IUserManager $userManager, LoggerInterface $logger) { - $this->dbc = $dbc; - $this->userManager = $userManager; - $this->logger = $logger; + public function __construct( + private IDBConnection $dbc, + private IUserManager $userManager, + private LoggerInterface $logger, + ) { } public function getName() { diff --git a/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php index 5c5ed44c899..2457acd840d 100644 --- a/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php +++ b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -39,16 +22,13 @@ use Psr\Log\LoggerInterface; class Version1130Date20211102154716 extends SimpleMigrationStep { - /** @var IDBConnection */ - private $dbc; - /** @var LoggerInterface */ - private $logger; /** @var string[] */ private $hashColumnAddedToTables = []; - public function __construct(IDBConnection $dbc, LoggerInterface $logger) { - $this->dbc = $dbc; - $this->logger = $logger; + public function __construct( + private IDBConnection $dbc, + private LoggerInterface $logger, + ) { } public function getName() { diff --git a/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php b/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php index 2ffda4198c1..80960373edf 100644 --- a/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php +++ b/apps/user_ldap/lib/Migration/Version1130Date20220110154717.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; diff --git a/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php b/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php index 74dd2d873bc..f67b791daad 100644 --- a/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php +++ b/apps/user_ldap/lib/Migration/Version1130Date20220110154718.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; diff --git a/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php b/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php index 9e9ed38cb70..c34ee5357f5 100644 --- a/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php +++ b/apps/user_ldap/lib/Migration/Version1130Date20220110154719.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com> - * - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; diff --git a/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php b/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php index 10043371aae..ecedbf1de20 100644 --- a/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php +++ b/apps/user_ldap/lib/Migration/Version1141Date20220323143801.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2022 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Migration; @@ -35,10 +18,9 @@ use OCP\Migration\SimpleMigrationStep; class Version1141Date20220323143801 extends SimpleMigrationStep { - private IDBConnection $dbc; - - public function __construct(IDBConnection $dbc) { - $this->dbc = $dbc; + public function __construct( + private IDBConnection $dbc, + ) { } /** diff --git a/apps/user_ldap/lib/Migration/Version1190Date20230706134108.php b/apps/user_ldap/lib/Migration/Version1190Date20230706134108.php new file mode 100644 index 00000000000..85b046ab7c9 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1190Date20230706134108.php @@ -0,0 +1,108 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\DB\Types; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version1190Date20230706134108 extends SimpleMigrationStep { + public function __construct( + private IDBConnection $dbc, + ) { + } + + public function preSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + } + + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_membership')) { + $table = $schema->createTable('ldap_group_membership'); + $table->addColumn('id', Types::BIGINT, [ + 'autoincrement' => true, + 'notnull' => true, + ]); + $table->addColumn('groupid', Types::STRING, [ + 'notnull' => true, + 'length' => 255, + 'default' => '', + ]); + $table->addColumn('userid', Types::STRING, [ + 'notnull' => true, + 'length' => 64, + 'default' => '', + ]); + $table->setPrimaryKey(['id']); + $table->addUniqueIndex(['groupid', 'userid'], 'user_ldap_membership_unique'); + return $schema; + } else { + return null; + } + } + + public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if (!$schema->hasTable('ldap_group_members')) { + // Old table does not exist + return; + } + + $output->startProgress(); + $this->copyGroupMembershipData(); + $output->finishProgress(); + } + + protected function copyGroupMembershipData(): void { + $insert = $this->dbc->getQueryBuilder(); + $insert->insert('ldap_group_membership') + ->values([ + 'userid' => $insert->createParameter('userid'), + 'groupid' => $insert->createParameter('groupid'), + ]); + + $query = $this->dbc->getQueryBuilder(); + $query->select('*') + ->from('ldap_group_members'); + + $result = $query->executeQuery(); + while ($row = $result->fetch()) { + $knownUsers = unserialize($row['owncloudusers']); + if (!is_array($knownUsers)) { + /* Unserialize failed or data was incorrect in database, ignore */ + continue; + } + $knownUsers = array_unique($knownUsers); + foreach ($knownUsers as $knownUser) { + try { + $insert + ->setParameter('groupid', $row['owncloudname']) + ->setParameter('userid', $knownUser) + ; + + $insert->executeStatement(); + } catch (\OCP\DB\Exception $e) { + /* + * If it fails on unique constaint violation it may just be left over value from previous half-migration + * If it fails on something else, ignore as well, data will be filled by background job later anyway + */ + } + } + } + $result->closeCursor(); + } +} diff --git a/apps/user_ldap/lib/Migration/Version1190Date20230706134109.php b/apps/user_ldap/lib/Migration/Version1190Date20230706134109.php new file mode 100644 index 00000000000..2d3c26f0d49 --- /dev/null +++ b/apps/user_ldap/lib/Migration/Version1190Date20230706134109.php @@ -0,0 +1,29 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version1190Date20230706134109 extends SimpleMigrationStep { + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if ($schema->hasTable('ldap_group_members')) { + $schema->dropTable('ldap_group_members'); + return $schema; + } + + return null; + } +} diff --git a/apps/user_ldap/lib/Notification/Notifier.php b/apps/user_ldap/lib/Notification/Notifier.php index 04c03febb0e..0195cb9e65b 100644 --- a/apps/user_ldap/lib/Notification/Notifier.php +++ b/apps/user_ldap/lib/Notification/Notifier.php @@ -1,44 +1,24 @@ <?php + /** - * @copyright Copyright (c) 2017 Roger Szabo <roger.szabo@web.de> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Notification; use OCP\L10N\IFactory; use OCP\Notification\INotification; use OCP\Notification\INotifier; +use OCP\Notification\UnknownNotificationException; class Notifier implements INotifier { - /** @var IFactory */ - protected $l10nFactory; - /** * @param IFactory $l10nFactory */ - public function __construct(\OCP\L10N\IFactory $l10nFactory) { - $this->l10nFactory = $l10nFactory; + public function __construct( + protected IFactory $l10nFactory, + ) { } /** @@ -65,12 +45,12 @@ class Notifier implements INotifier { * @param INotification $notification * @param string $languageCode The code of the language that should be used to prepare the notification * @return INotification - * @throws \InvalidArgumentException When the notification was not prepared by a notifier + * @throws UnknownNotificationException When the notification was not prepared by a notifier */ public function prepare(INotification $notification, string $languageCode): INotification { if ($notification->getApp() !== 'user_ldap') { // Not my app => throw - throw new \InvalidArgumentException(); + throw new UnknownNotificationException(); } // Read the language from the notification @@ -80,7 +60,7 @@ class Notifier implements INotifier { // Deal with known subjects case 'pwd_exp_warn_days': $params = $notification->getSubjectParameters(); - $days = (int) $params[0]; + $days = (int)$params[0]; if ($days === 2) { $notification->setParsedSubject($l->t('Your password will expire tomorrow.')); } elseif ($days === 1) { @@ -96,7 +76,7 @@ class Notifier implements INotifier { default: // Unknown subject => Unknown notification => throw - throw new \InvalidArgumentException(); + throw new UnknownNotificationException(); } } } diff --git a/apps/user_ldap/lib/PagedResults/TLinkId.php b/apps/user_ldap/lib/PagedResults/TLinkId.php index 02c36da97f9..46d392995e0 100644 --- a/apps/user_ldap/lib/PagedResults/TLinkId.php +++ b/apps/user_ldap/lib/PagedResults/TLinkId.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2020 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\PagedResults; diff --git a/apps/user_ldap/lib/Proxy.php b/apps/user_ldap/lib/Proxy.php index 8cdb1b1da6a..22b2c6617af 100644 --- a/apps/user_ldap/lib/Proxy.php +++ b/apps/user_ldap/lib/Proxy.php @@ -1,62 +1,75 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christopher Schäpers <kondou@ts.unde.re> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; use OCA\User_LDAP\Mapping\GroupMapping; use OCA\User_LDAP\Mapping\UserMapping; use OCP\ICache; +use OCP\ICacheFactory; use OCP\Server; +/** + * @template T + */ abstract class Proxy { /** @var array<string,Access> */ private static array $accesses = []; - private ILDAPWrapper $ldap; private ?bool $isSingleBackend = null; private ?ICache $cache = null; - private AccessFactory $accessFactory; + + /** @var T[] */ + protected array $backends = []; + /** @var ?T */ + protected $refBackend = null; + + protected bool $isSetUp = false; public function __construct( - ILDAPWrapper $ldap, - AccessFactory $accessFactory + private Helper $helper, + private ILDAPWrapper $ldap, + private AccessFactory $accessFactory, ) { - $this->ldap = $ldap; - $this->accessFactory = $accessFactory; - $memcache = \OC::$server->getMemCacheFactory(); + $memcache = Server::get(ICacheFactory::class); if ($memcache->isAvailable()) { $this->cache = $memcache->createDistributed(); } } + protected function setup(): void { + if ($this->isSetUp) { + return; + } + + $serverConfigPrefixes = $this->helper->getServerConfigurationPrefixes(true); + foreach ($serverConfigPrefixes as $configPrefix) { + $this->backends[$configPrefix] = $this->newInstance($configPrefix); + + if (is_null($this->refBackend)) { + $this->refBackend = $this->backends[$configPrefix]; + } + } + + $this->isSetUp = true; + } + + /** + * @return T + */ + abstract protected function newInstance(string $configPrefix): object; + + /** + * @return T + */ + public function getBackend(string $configPrefix): object { + $this->setup(); + return $this->backends[$configPrefix]; + } + private function addAccess(string $configPrefix): void { $userMap = Server::get(UserMapping::class); $groupMap = Server::get(GroupMapping::class); @@ -130,7 +143,7 @@ abstract class Proxy { * @param string $method string, the method of the user backend that shall be called * @param array $parameters an array of parameters to be passed * @param bool $passOnWhen - * @return mixed, the result of the specified method + * @return mixed the result of the specified method */ protected function handleRequest($id, $method, $parameters, $passOnWhen = false) { if (!$this->isSingleBackend()) { diff --git a/apps/user_ldap/lib/Service/BirthdateParserService.php b/apps/user_ldap/lib/Service/BirthdateParserService.php new file mode 100644 index 00000000000..8234161b3d8 --- /dev/null +++ b/apps/user_ldap/lib/Service/BirthdateParserService.php @@ -0,0 +1,44 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\Service; + +use DateTimeImmutable; +use Exception; +use InvalidArgumentException; + +class BirthdateParserService { + /** + * Try to parse the birthdate from LDAP. + * Supports LDAP's generalized time syntax, YYYYMMDD and YYYY-MM-DD. + * + * @throws InvalidArgumentException If the format of then given date is unknown + */ + public function parseBirthdate(string $value): DateTimeImmutable { + // Minimum LDAP generalized date is "1994121610Z" with 11 chars + // While maximum other format is "1994-12-16" with 10 chars + if (strlen($value) > strlen('YYYY-MM-DD')) { + // Probably LDAP generalized time syntax + $value = substr($value, 0, 8); + } + + // Should be either YYYYMMDD or YYYY-MM-DD + if (!preg_match('/^(\d{8}|\d{4}-\d{2}-\d{2})$/', $value)) { + throw new InvalidArgumentException("Unknown date format: $value"); + } + + try { + return new DateTimeImmutable($value); + } catch (Exception $e) { + throw new InvalidArgumentException( + "Unknown date format: $value", + 0, + $e, + ); + } + } +} diff --git a/apps/user_ldap/lib/Service/UpdateGroupsService.php b/apps/user_ldap/lib/Service/UpdateGroupsService.php new file mode 100644 index 00000000000..94f2a7fd4a1 --- /dev/null +++ b/apps/user_ldap/lib/Service/UpdateGroupsService.php @@ -0,0 +1,221 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ + +namespace OCA\User_LDAP\Service; + +use OCA\User_LDAP\Db\GroupMembership; +use OCA\User_LDAP\Db\GroupMembershipMapper; +use OCA\User_LDAP\Group_Proxy; +use OCP\DB\Exception; +use OCP\EventDispatcher\IEventDispatcher; +use OCP\Group\Events\UserAddedEvent; +use OCP\Group\Events\UserRemovedEvent; +use OCP\IGroup; +use OCP\IGroupManager; +use OCP\IUser; +use OCP\IUserManager; +use Psr\Log\LoggerInterface; + +class UpdateGroupsService { + public function __construct( + private Group_Proxy $groupBackend, + private IEventDispatcher $dispatcher, + private IGroupManager $groupManager, + private IUserManager $userManager, + private LoggerInterface $logger, + private GroupMembershipMapper $groupMembershipMapper, + ) { + } + + /** + * @throws Exception + */ + public function updateGroups(): void { + $knownGroups = $this->groupMembershipMapper->getKnownGroups(); + $actualGroups = $this->groupBackend->getGroups(); + + if (empty($actualGroups) && empty($knownGroups)) { + $this->logger->info( + 'service "updateGroups" - groups do not seem to be configured properly, aborting.', + ); + return; + } + + $this->handleKnownGroups(array_intersect($actualGroups, $knownGroups)); + $this->handleCreatedGroups(array_diff($actualGroups, $knownGroups)); + $this->handleRemovedGroups(array_diff($knownGroups, $actualGroups)); + + $this->logger->debug('service "updateGroups" - Finished.'); + } + + /** + * @param string[] $groups + * @throws Exception + */ + public function handleKnownGroups(array $groups): void { + $this->logger->debug('service "updateGroups" - Dealing with known Groups.'); + + foreach ($groups as $group) { + $this->logger->debug('service "updateGroups" - Dealing with {group}.', ['group' => $group]); + $groupMemberships = $this->groupMembershipMapper->findGroupMemberships($group); + $knownUsers = array_map( + static fn (GroupMembership $groupMembership): string => $groupMembership->getUserid(), + $groupMemberships + ); + $groupMemberships = array_combine($knownUsers, $groupMemberships); + $actualUsers = $this->groupBackend->usersInGroup($group); + + $groupObject = $this->groupManager->get($group); + if ($groupObject === null) { + /* We are not expecting the group to not be found since it was returned by $this->groupBackend->getGroups() */ + $this->logger->error( + 'service "updateGroups" - Failed to get group {group} for update', + [ + 'group' => $group + ] + ); + continue; + } + foreach (array_diff($knownUsers, $actualUsers) as $removedUser) { + try { + $this->groupMembershipMapper->delete($groupMemberships[$removedUser]); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_DATABASE_OBJECT_NOT_FOUND) { + /* If reason is not found something else removed the membership, that’s fine */ + $this->logger->error( + self::class . ' - group {group} membership failed to be removed (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $removedUser, + 'group' => $group, + 'exception' => $e, + ] + ); + } + /* We failed to delete the groupmembership so we do not want to advertise it */ + continue; + } + $userObject = $this->userManager->get($removedUser); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); + } + $this->logger->info( + 'service "updateGroups" - {user} removed from {group}', + [ + 'user' => $removedUser, + 'group' => $group + ] + ); + } + foreach (array_diff($actualUsers, $knownUsers) as $addedUser) { + try { + $this->groupMembershipMapper->insert(GroupMembership::fromParams(['groupid' => $group,'userid' => $addedUser])); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + /* If reason is unique constraint something else added the membership, that’s fine */ + $this->logger->error( + self::class . ' - group {group} membership failed to be added (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $addedUser, + 'group' => $group, + 'exception' => $e, + ] + ); + } + /* We failed to insert the groupmembership so we do not want to advertise it */ + continue; + } + $userObject = $this->userManager->get($addedUser); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); + } + $this->logger->info( + 'service "updateGroups" - {user} added to {group}', + [ + 'user' => $addedUser, + 'group' => $group + ] + ); + } + } + $this->logger->debug('service "updateGroups" - FINISHED dealing with known Groups.'); + } + + /** + * @param string[] $createdGroups + * @throws Exception + */ + public function handleCreatedGroups(array $createdGroups): void { + $this->logger->debug('service "updateGroups" - dealing with created Groups.'); + + foreach ($createdGroups as $createdGroup) { + $this->logger->info('service "updateGroups" - new group "' . $createdGroup . '" found.'); + + $users = $this->groupBackend->usersInGroup($createdGroup); + $groupObject = $this->groupManager->get($createdGroup); + foreach ($users as $user) { + try { + $this->groupMembershipMapper->insert(GroupMembership::fromParams(['groupid' => $createdGroup,'userid' => $user])); + } catch (Exception $e) { + if ($e->getReason() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + $this->logger->error( + self::class . ' - group {group} membership failed to be added (user {user})', + [ + 'app' => 'user_ldap', + 'user' => $user, + 'group' => $createdGroup, + 'exception' => $e, + ] + ); + } + /* We failed to insert the groupmembership so we do not want to advertise it */ + continue; + } + if ($groupObject instanceof IGroup) { + $userObject = $this->userManager->get($user); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserAddedEvent($groupObject, $userObject)); + } + } + } + } + $this->logger->debug('service "updateGroups" - FINISHED dealing with created Groups.'); + } + + /** + * @param string[] $removedGroups + * @throws Exception + */ + public function handleRemovedGroups(array $removedGroups): void { + $this->logger->debug('service "updateGroups" - dealing with removed groups.'); + + $this->groupMembershipMapper->deleteGroups($removedGroups); + foreach ($removedGroups as $group) { + $groupObject = $this->groupManager->get($group); + if ($groupObject instanceof IGroup) { + $groupMemberships = $this->groupMembershipMapper->findGroupMemberships($group); + foreach ($groupMemberships as $groupMembership) { + $userObject = $this->userManager->get($groupMembership->getUserid()); + if ($userObject instanceof IUser) { + $this->dispatcher->dispatchTyped(new UserRemovedEvent($groupObject, $userObject)); + } + } + } + } + + $this->logger->info( + 'service "updateGroups" - groups {removedGroups} were removed.', + [ + 'removedGroups' => $removedGroups + ] + ); + } +} diff --git a/apps/user_ldap/lib/Settings/Admin.php b/apps/user_ldap/lib/Settings/Admin.php index 21805b6f7b5..89fb063265b 100644 --- a/apps/user_ldap/lib/Settings/Admin.php +++ b/apps/user_ldap/lib/Settings/Admin.php @@ -1,27 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Settings; @@ -29,25 +10,22 @@ use OCA\User_LDAP\Configuration; use OCA\User_LDAP\Helper; use OCP\AppFramework\Http\TemplateResponse; use OCP\IL10N; +use OCP\Server; use OCP\Settings\IDelegatedSettings; -use OCP\Template; +use OCP\Template\ITemplateManager; class Admin implements IDelegatedSettings { - /** @var IL10N */ - private $l; - - /** - * @param IL10N $l - */ - public function __construct(IL10N $l) { - $this->l = $l; + public function __construct( + private IL10N $l, + private ITemplateManager $templateManager, + ) { } /** * @return TemplateResponse */ public function getForm() { - $helper = new Helper(\OC::$server->getConfig(), \OC::$server->getDatabaseConnection()); + $helper = Server::get(Helper::class); $prefixes = $helper->getServerConfigurationPrefixes(); if (count($prefixes) === 0) { $newPrefix = $helper->getNextServerConfigurationPrefix(); @@ -59,11 +37,12 @@ class Admin implements IDelegatedSettings { $hosts = $helper->getServerConfigurationHosts(); - $wControls = new Template('user_ldap', 'part.wizardcontrols'); + $wControls = $this->templateManager->getTemplate('user_ldap', 'part.wizardcontrols'); $wControls = $wControls->fetchPage(); - $sControls = new Template('user_ldap', 'part.settingcontrols'); + $sControls = $this->templateManager->getTemplate('user_ldap', 'part.settingcontrols'); $sControls = $sControls->fetchPage(); + $parameters = []; $parameters['serverConfigurationPrefixes'] = $prefixes; $parameters['serverConfigurationHosts'] = $hosts; $parameters['settingControls'] = $sControls; @@ -75,7 +54,7 @@ class Admin implements IDelegatedSettings { } $defaults = $config->getDefaults(); foreach ($defaults as $key => $default) { - $parameters[$key.'_default'] = $default; + $parameters[$key . '_default'] = $default; } return new TemplateResponse('user_ldap', 'settings', $parameters); @@ -90,8 +69,8 @@ class Admin implements IDelegatedSettings { /** * @return int whether the form should be rather on the top or bottom of - * the admin section. The forms are arranged in ascending order of the - * priority values. It is required to return a value between 0 and 100. + * the admin section. The forms are arranged in ascending order of the + * priority values. It is required to return a value between 0 and 100. * * E.g.: 70 */ diff --git a/apps/user_ldap/lib/Settings/Section.php b/apps/user_ldap/lib/Settings/Section.php index 7c4bc5bf44d..3b95e25513d 100644 --- a/apps/user_ldap/lib/Settings/Section.php +++ b/apps/user_ldap/lib/Settings/Section.php @@ -1,27 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2016 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Valdnet <47037905+Valdnet@users.noreply.github.com> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP\Settings; @@ -30,18 +11,14 @@ use OCP\IURLGenerator; use OCP\Settings\IIconSection; class Section implements IIconSection { - /** @var IL10N */ - private $l; - /** @var IURLGenerator */ - private $url; - /** * @param IURLGenerator $url * @param IL10N $l */ - public function __construct(IURLGenerator $url, IL10N $l) { - $this->url = $url; - $this->l = $l; + public function __construct( + private IURLGenerator $url, + private IL10N $l, + ) { } /** @@ -66,8 +43,8 @@ class Section implements IIconSection { /** * @return int whether the form should be rather on the top or bottom of - * the settings navigation. The sections are arranged in ascending order of - * the priority values. It is required to return a value between 0 and 99. + * the settings navigation. The sections are arranged in ascending order of + * the priority values. It is required to return a value between 0 and 99. * * E.g.: 70 */ diff --git a/apps/user_ldap/lib/SetupChecks/LdapConnection.php b/apps/user_ldap/lib/SetupChecks/LdapConnection.php new file mode 100644 index 00000000000..ee8c4ddd595 --- /dev/null +++ b/apps/user_ldap/lib/SetupChecks/LdapConnection.php @@ -0,0 +1,94 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\SetupChecks; + +use OCA\User_LDAP\AccessFactory; +use OCA\User_LDAP\ConnectionFactory; +use OCA\User_LDAP\Helper; +use OCP\IL10N; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class LdapConnection implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private Helper $helper, + private ConnectionFactory $connectionFactory, + private AccessFactory $accessFactory, + ) { + } + + public function getCategory(): string { + return 'ldap'; + } + + public function getName(): string { + return $this->l10n->t('LDAP Connection'); + } + + public function run(): SetupResult { + $availableConfigs = $this->helper->getServerConfigurationPrefixes(); + $inactiveConfigurations = []; + $bindFailedConfigurations = []; + $searchFailedConfigurations = []; + foreach ($availableConfigs as $configID) { + $connection = $this->connectionFactory->get($configID); + if (!$connection->ldapConfigurationActive) { + $inactiveConfigurations[] = $configID; + continue; + } + if (!$connection->bind()) { + $bindFailedConfigurations[] = $configID; + continue; + } + $access = $this->accessFactory->get($connection); + $result = $access->countObjects(1); + if (!is_int($result) || ($result <= 0)) { + $searchFailedConfigurations[] = $configID; + } + } + $output = ''; + if (!empty($bindFailedConfigurations)) { + $output .= $this->l10n->n( + 'Binding failed for this LDAP configuration: %s', + 'Binding failed for %n LDAP configurations: %s', + count($bindFailedConfigurations), + [implode(',', $bindFailedConfigurations)] + ) . "\n"; + } + if (!empty($searchFailedConfigurations)) { + $output .= $this->l10n->n( + 'Searching failed for this LDAP configuration: %s', + 'Searching failed for %n LDAP configurations: %s', + count($searchFailedConfigurations), + [implode(',', $searchFailedConfigurations)] + ) . "\n"; + } + if (!empty($inactiveConfigurations)) { + $output .= $this->l10n->n( + 'There is an inactive LDAP configuration: %s', + 'There are %n inactive LDAP configurations: %s', + count($inactiveConfigurations), + [implode(',', $inactiveConfigurations)] + ) . "\n"; + } + if (!empty($bindFailedConfigurations) || !empty($searchFailedConfigurations)) { + return SetupResult::error($output); + } elseif (!empty($inactiveConfigurations)) { + return SetupResult::warning($output); + } + return SetupResult::success($this->l10n->n( + 'Binding and searching works on the configured LDAP connection (%s)', + 'Binding and searching works on all of the %n configured LDAP connections (%s)', + count($availableConfigs), + [implode(',', $availableConfigs)] + )); + } +} diff --git a/apps/user_ldap/lib/SetupChecks/LdapInvalidUuids.php b/apps/user_ldap/lib/SetupChecks/LdapInvalidUuids.php new file mode 100644 index 00000000000..ac502b6b59e --- /dev/null +++ b/apps/user_ldap/lib/SetupChecks/LdapInvalidUuids.php @@ -0,0 +1,42 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\User_LDAP\SetupChecks; + +use OCA\User_LDAP\Mapping\GroupMapping; +use OCA\User_LDAP\Mapping\UserMapping; +use OCP\IL10N; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class LdapInvalidUuids implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private UserMapping $userMapping, + private GroupMapping $groupMapping, + ) { + } + + public function getCategory(): string { + return 'ldap'; + } + + public function getName(): string { + return $this->l10n->t('Invalid LDAP UUIDs'); + } + + public function run(): SetupResult { + if (count($this->userMapping->getList(0, 1, true)) === 0 + && count($this->groupMapping->getList(0, 1, true)) === 0) { + return SetupResult::success($this->l10n->t('None found')); + } else { + return SetupResult::warning($this->l10n->t('Invalid UUIDs of LDAP accounts or groups have been found. Please review your "Override UUID detection" settings in the Expert part of the LDAP configuration and use "occ ldap:update-uuid" to update them.')); + } + } +} diff --git a/apps/user_ldap/lib/User/DeletedUsersIndex.php b/apps/user_ldap/lib/User/DeletedUsersIndex.php index 1e057987eef..f57f71a9d47 100644 --- a/apps/user_ldap/lib/User/DeletedUsersIndex.php +++ b/apps/user_ldap/lib/User/DeletedUsersIndex.php @@ -1,29 +1,14 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\User; use OCA\User_LDAP\Mapping\UserMapping; +use OCP\IConfig; +use OCP\PreConditionNotMetException; use OCP\Share\IManager; /** @@ -31,40 +16,30 @@ use OCP\Share\IManager; * @package OCA\User_LDAP */ class DeletedUsersIndex { - /** - * @var \OCP\IConfig $config - */ - protected $config; - - /** - * @var \OCA\User_LDAP\Mapping\UserMapping $mapping - */ - protected $mapping; + protected ?array $deletedUsers = null; - /** - * @var array $deletedUsers - */ - protected $deletedUsers; - /** @var IManager */ - private $shareManager; - - public function __construct(\OCP\IConfig $config, UserMapping $mapping, IManager $shareManager) { - $this->config = $config; - $this->mapping = $mapping; - $this->shareManager = $shareManager; + public function __construct( + protected IConfig $config, + protected UserMapping $mapping, + private IManager $shareManager, + ) { } /** * reads LDAP users marked as deleted from the database - * @return \OCA\User_LDAP\User\OfflineUser[] + * @return OfflineUser[] */ - private function fetchDeletedUsers() { - $deletedUsers = $this->config->getUsersForUserValue( - 'user_ldap', 'isDeleted', '1'); + private function fetchDeletedUsers(): array { + $deletedUsers = $this->config->getUsersForUserValue('user_ldap', 'isDeleted', '1'); $userObjects = []; foreach ($deletedUsers as $user) { - $userObjects[] = new OfflineUser($user, $this->config, $this->mapping, $this->shareManager); + $userObject = new OfflineUser($user, $this->config, $this->mapping, $this->shareManager); + if ($userObject->getLastLogin() > $userObject->getDetectedOn()) { + $userObject->unmark(); + } else { + $userObjects[] = $userObject; + } } $this->deletedUsers = $userObjects; @@ -73,9 +48,9 @@ class DeletedUsersIndex { /** * returns all LDAP users that are marked as deleted - * @return \OCA\User_LDAP\User\OfflineUser[] + * @return OfflineUser[] */ - public function getUsers() { + public function getUsers(): array { if (is_array($this->deletedUsers)) { return $this->deletedUsers; } @@ -84,9 +59,8 @@ class DeletedUsersIndex { /** * whether at least one user was detected as deleted - * @return bool */ - public function hasUsers() { + public function hasUsers(): bool { if (!is_array($this->deletedUsers)) { $this->fetchDeletedUsers(); } @@ -96,12 +70,10 @@ class DeletedUsersIndex { /** * marks a user as deleted * - * @param string $ocName - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException */ - public function markUser($ocName) { - $curValue = $this->config->getUserValue($ocName, 'user_ldap', 'isDeleted', '0'); - if ($curValue === '1') { + public function markUser(string $ocName): void { + if ($this->isUserMarked($ocName)) { // the user is already marked, do not write to DB again return; } @@ -109,4 +81,8 @@ class DeletedUsersIndex { $this->config->setUserValue($ocName, 'user_ldap', 'foundDeleted', (string)time()); $this->deletedUsers = null; } + + public function isUserMarked(string $ocName): bool { + return ($this->config->getUserValue($ocName, 'user_ldap', 'isDeleted', '0') === '1'); + } } diff --git a/apps/user_ldap/lib/User/Manager.php b/apps/user_ldap/lib/User/Manager.php index b1915ab57b5..88a001dd965 100644 --- a/apps/user_ldap/lib/User/Manager.php +++ b/apps/user_ldap/lib/User/Manager.php @@ -1,36 +1,14 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Roger Szabo <roger.szabo@web.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\User; -use OCP\Cache\CappedMemoryCache; use OCA\User_LDAP\Access; -use OCA\User_LDAP\FilesystemHelper; +use OCP\Cache\CappedMemoryCache; use OCP\IAvatarManager; use OCP\IConfig; use OCP\IDBConnection; @@ -48,40 +26,23 @@ use Psr\Log\LoggerInterface; */ class Manager { protected ?Access $access = null; - protected IConfig $ocConfig; protected IDBConnection $db; - protected IUserManager $userManager; - protected INotificationManager $notificationManager; - protected FilesystemHelper $ocFilesystem; - protected LoggerInterface $logger; - protected Image $image; - protected IAvatarManager $avatarManager; /** @var CappedMemoryCache<User> $usersByDN */ protected CappedMemoryCache $usersByDN; /** @var CappedMemoryCache<User> $usersByUid */ protected CappedMemoryCache $usersByUid; - private IManager $shareManager; public function __construct( - IConfig $ocConfig, - FilesystemHelper $ocFilesystem, - LoggerInterface $logger, - IAvatarManager $avatarManager, - Image $image, - IUserManager $userManager, - INotificationManager $notificationManager, - IManager $shareManager + protected IConfig $ocConfig, + protected LoggerInterface $logger, + protected IAvatarManager $avatarManager, + protected Image $image, + protected IUserManager $userManager, + protected INotificationManager $notificationManager, + private IManager $shareManager, ) { - $this->ocConfig = $ocConfig; - $this->ocFilesystem = $ocFilesystem; - $this->logger = $logger; - $this->avatarManager = $avatarManager; - $this->image = $image; - $this->userManager = $userManager; - $this->notificationManager = $notificationManager; $this->usersByDN = new CappedMemoryCache(); $this->usersByUid = new CappedMemoryCache(); - $this->shareManager = $shareManager; } /** @@ -98,12 +59,12 @@ class Manager { * property array * @param string $dn the DN of the user * @param string $uid the internal (owncloud) username - * @return \OCA\User_LDAP\User\User + * @return User */ private function createAndCache($dn, $uid) { $this->checkAccess(); $user = new User($uid, $dn, $this->access, $this->ocConfig, - $this->ocFilesystem, clone $this->image, $this->logger, + clone $this->image, $this->logger, $this->avatarManager, $this->userManager, $this->notificationManager); $this->usersByDN[$dn] = $user; @@ -127,6 +88,7 @@ class Manager { /** * @brief checks whether the Access instance has been set * @throws \Exception if Access has not been set + * @psalm-assert !null $this->access * @return null */ private function checkAccess() { @@ -140,22 +102,34 @@ class Manager { * email, displayname, or others. * * @param bool $minimal - optional, set to true to skip attributes with big - * payload + * payload * @return string[] */ public function getAttributes($minimal = false) { $baseAttributes = array_merge(Access::UUID_ATTRIBUTES, ['dn', 'uid', 'samaccountname', 'memberof']); $attributes = [ $this->access->getConnection()->ldapExpertUUIDUserAttr, + $this->access->getConnection()->ldapExpertUsernameAttr, $this->access->getConnection()->ldapQuotaAttribute, $this->access->getConnection()->ldapEmailAttribute, $this->access->getConnection()->ldapUserDisplayName, $this->access->getConnection()->ldapUserDisplayName2, $this->access->getConnection()->ldapExtStorageHomeAttribute, + $this->access->getConnection()->ldapAttributePhone, + $this->access->getConnection()->ldapAttributeWebsite, + $this->access->getConnection()->ldapAttributeAddress, + $this->access->getConnection()->ldapAttributeTwitter, + $this->access->getConnection()->ldapAttributeFediverse, + $this->access->getConnection()->ldapAttributeOrganisation, + $this->access->getConnection()->ldapAttributeRole, + $this->access->getConnection()->ldapAttributeHeadline, + $this->access->getConnection()->ldapAttributeBiography, + $this->access->getConnection()->ldapAttributeBirthDate, + $this->access->getConnection()->ldapAttributePronouns, ]; $homeRule = (string)$this->access->getConnection()->homeFolderNamingRule; - if (strpos($homeRule, 'attr:') === 0) { + if (str_starts_with($homeRule, 'attr:')) { $attributes[] = substr($homeRule, strlen('attr:')); } @@ -197,7 +171,7 @@ class Manager { /** * creates and returns an instance of OfflineUser for the specified user * @param string $id - * @return \OCA\User_LDAP\User\OfflineUser + * @return OfflineUser */ public function getDeletedUser($id) { return new OfflineUser( @@ -211,7 +185,7 @@ class Manager { /** * @brief returns a User object by its Nextcloud username * @param string $id the DN or username of the user - * @return \OCA\User_LDAP\User\User|\OCA\User_LDAP\User\OfflineUser|null + * @return User|OfflineUser|null */ protected function createInstancyByUserName($id) { //most likely a uid. Check whether it is a deleted user @@ -228,7 +202,7 @@ class Manager { /** * @brief returns a User object by its DN or Nextcloud username * @param string $id the DN or username of the user - * @return \OCA\User_LDAP\User\User|\OCA\User_LDAP\User\OfflineUser|null + * @return User|OfflineUser|null * @throws \Exception when connection could not be established */ public function get($id) { @@ -248,4 +222,37 @@ class Manager { return $this->createInstancyByUserName($id); } + + /** + * @brief Checks whether a User object by its DN or Nextcloud username exists + * @param string $id the DN or username of the user + * @throws \Exception when connection could not be established + */ + public function exists($id): bool { + $this->checkAccess(); + $this->logger->debug('Checking if {id} exists', ['id' => $id]); + if (isset($this->usersByDN[$id])) { + return true; + } elseif (isset($this->usersByUid[$id])) { + return true; + } + + if ($this->access->stringResemblesDN($id)) { + $this->logger->debug('{id} looks like a dn', ['id' => $id]); + $uid = $this->access->dn2username($id); + if ($uid !== false) { + return true; + } + } + + // Most likely a uid. Check whether it is a deleted user + if ($this->isDeletedUser($id)) { + return true; + } + $dn = $this->access->username2dn($id); + if ($dn !== false) { + return true; + } + return false; + } } diff --git a/apps/user_ldap/lib/User/OfflineUser.php b/apps/user_ldap/lib/User/OfflineUser.php index 4adf5302bfe..ecaab7188ba 100644 --- a/apps/user_ldap/lib/User/OfflineUser.php +++ b/apps/user_ldap/lib/User/OfflineUser.php @@ -1,27 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\User; @@ -33,10 +15,6 @@ use OCP\Share\IShare; class OfflineUser { /** - * @var string $ocName - */ - protected $ocName; - /** * @var string $dn */ protected $dn; @@ -60,6 +38,7 @@ class OfflineUser { * @var string $foundDeleted the timestamp when the user was detected as unavailable */ protected $foundDeleted; + protected ?string $extStorageHome = null; /** * @var string $email */ @@ -69,30 +48,19 @@ class OfflineUser { */ protected $hasActiveShares; /** - * @var IConfig $config - */ - protected $config; - /** * @var IDBConnection $db */ protected $db; + /** - * @var \OCA\User_LDAP\Mapping\UserMapping + * @param string $ocName */ - protected $mapping; - /** @var IManager */ - private $shareManager; - public function __construct( - $ocName, - IConfig $config, - UserMapping $mapping, - IManager $shareManager + protected $ocName, + protected IConfig $config, + protected UserMapping $mapping, + private IManager $shareManager, ) { - $this->ocName = $ocName; - $this->config = $config; - $this->mapping = $mapping; - $this->shareManager = $shareManager; } /** @@ -207,6 +175,13 @@ class OfflineUser { return (int)$this->foundDeleted; } + public function getExtStorageHome(): string { + if ($this->extStorageHome === null) { + $this->fetchDetails(); + } + return (string)$this->extStorageHome; + } + /** * getter for having active shares * @return bool @@ -227,6 +202,7 @@ class OfflineUser { 'uid' => 'user_ldap', 'homePath' => 'user_ldap', 'foundDeleted' => 'user_ldap', + 'extStorageHome' => 'user_ldap', 'email' => 'settings', 'lastLogin' => 'login', ]; @@ -244,7 +220,7 @@ class OfflineUser { $shareConstants = $shareInterface->getConstants(); foreach ($shareConstants as $constantName => $constantValue) { - if (strpos($constantName, 'TYPE_') !== 0 + if (!str_starts_with($constantName, 'TYPE_') || $constantValue === IShare::TYPE_USERGROUP ) { continue; diff --git a/apps/user_ldap/lib/User/User.php b/apps/user_ldap/lib/User/User.php index 15894ce04b7..8f97ec1701f 100644 --- a/apps/user_ldap/lib/User/User.php +++ b/apps/user_ldap/lib/User/User.php @@ -1,47 +1,30 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Philipp Staiger <philipp@staiger.it> - * @author Roger Szabo <roger.szabo@web.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Vincent Petry <vincent@nextcloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP\User; +use InvalidArgumentException; +use OC\Accounts\AccountManager; use OCA\User_LDAP\Access; use OCA\User_LDAP\Connection; use OCA\User_LDAP\Exceptions\AttributeNotSet; -use OCA\User_LDAP\FilesystemHelper; +use OCA\User_LDAP\Service\BirthdateParserService; +use OCP\Accounts\IAccountManager; +use OCP\Accounts\PropertyDoesNotExistException; use OCP\IAvatarManager; use OCP\IConfig; -use OCP\ILogger; use OCP\Image; +use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; use OCP\Notification\IManager as INotificationManager; +use OCP\PreConditionNotMetException; +use OCP\Server; +use OCP\Util; use Psr\Log\LoggerInterface; /** @@ -50,102 +33,51 @@ use Psr\Log\LoggerInterface; * represents an LDAP user, gets and holds user-specific information from LDAP */ class User { + protected Connection $connection; /** - * @var Access - */ - protected $access; - /** - * @var Connection - */ - protected $connection; - /** - * @var IConfig - */ - protected $config; - /** - * @var FilesystemHelper - */ - protected $fs; - /** - * @var Image - */ - protected $image; - /** - * @var LoggerInterface - */ - protected $logger; - /** - * @var IAvatarManager - */ - protected $avatarManager; - /** - * @var IUserManager + * @var array<string,1> */ - protected $userManager; - /** - * @var INotificationManager - */ - protected $notificationManager; - /** - * @var string - */ - protected $dn; - /** - * @var string - */ - protected $uid; - /** - * @var string[] - */ - protected $refreshedFeatures = []; - /** - * @var string - */ - protected $avatarImage; + protected array $refreshedFeatures = []; + protected string|false|null $avatarImage = null; + + protected BirthdateParserService $birthdateParser; /** * DB config keys for user preferences + * @var string */ public const USER_PREFKEY_FIRSTLOGIN = 'firstLoginAccomplished'; /** * @brief constructor, make sure the subclasses call this one! - * @param string $username the internal username - * @param string $dn the LDAP DN */ - public function __construct($username, $dn, Access $access, - IConfig $config, FilesystemHelper $fs, Image $image, - LoggerInterface $logger, IAvatarManager $avatarManager, IUserManager $userManager, - INotificationManager $notificationManager) { - if ($username === null) { - $logger->error("uid for '$dn' must not be null!", ['app' => 'user_ldap']); - throw new \InvalidArgumentException('uid must not be null!'); - } elseif ($username === '') { + public function __construct( + protected string $uid, + protected string $dn, + protected Access $access, + protected IConfig $config, + protected Image $image, + protected LoggerInterface $logger, + protected IAvatarManager $avatarManager, + protected IUserManager $userManager, + protected INotificationManager $notificationManager, + ) { + if ($uid === '') { $logger->error("uid for '$dn' must not be an empty string", ['app' => 'user_ldap']); throw new \InvalidArgumentException('uid must not be an empty string!'); } + $this->connection = $this->access->getConnection(); + $this->birthdateParser = new BirthdateParserService(); - $this->access = $access; - $this->connection = $access->getConnection(); - $this->config = $config; - $this->fs = $fs; - $this->dn = $dn; - $this->uid = $username; - $this->image = $image; - $this->logger = $logger; - $this->avatarManager = $avatarManager; - $this->userManager = $userManager; - $this->notificationManager = $notificationManager; - - \OCP\Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry'); + Util::connectHook('OC_User', 'post_login', $this, 'handlePasswordExpiry'); } /** * marks a user as deleted * - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException */ - public function markUser() { + public function markUser(): void { $curValue = $this->config->getUserValue($this->getUsername(), 'user_ldap', 'isDeleted', '0'); if ($curValue === '1') { // the user is already marked, do not write to DB again @@ -159,7 +91,7 @@ class User { * processes results from LDAP for attributes as returned by getAttributesToRead() * @param array $ldapEntry the user entry as retrieved from LDAP */ - public function processAttributes($ldapEntry) { + public function processAttributes(array $ldapEntry): void { //Quota $attr = strtolower($this->connection->ldapQuotaAttribute); if (isset($ldapEntry[$attr])) { @@ -196,7 +128,14 @@ class User { //change event that will trigger fetching the display name again $attr = strtolower($this->connection->ldapEmailAttribute); if (isset($ldapEntry[$attr])) { - $this->updateEmail($ldapEntry[$attr][0]); + $mailValue = 0; + for ($x = 0; $x < count($ldapEntry[$attr]); $x++) { + if (filter_var($ldapEntry[$attr][$x], FILTER_VALIDATE_EMAIL)) { + $mailValue = $x; + break; + } + } + $this->updateEmail($ldapEntry[$attr][$mailValue]); } unset($attr); @@ -208,7 +147,7 @@ class User { } //homePath - if (strpos($this->connection->homeFolderNamingRule, 'attr:') === 0) { + if (str_starts_with($this->connection->homeFolderNamingRule, 'attr:')) { $attr = strtolower(substr($this->connection->homeFolderNamingRule, strlen('attr:'))); if (isset($ldapEntry[$attr])) { $this->access->cacheUserHome( @@ -217,7 +156,7 @@ class User { } //memberOf groups - $cacheKey = 'getMemberOf'.$this->getUsername(); + $cacheKey = 'getMemberOf' . $this->getUsername(); $groups = false; if (isset($ldapEntry['memberof'])) { $groups = $ldapEntry['memberof']; @@ -231,6 +170,134 @@ class User { } unset($attr); + // check for cached profile data + $username = $this->getUsername(); // buffer variable, to save resource + $cacheKey = 'getUserProfile-' . $username; + $profileCached = $this->connection->getFromCache($cacheKey); + // honoring profile disabled in config.php and check if user profile was refreshed + if ($this->config->getSystemValueBool('profile.enabled', true) + && ($profileCached === null) // no cache or TTL not expired + && !$this->wasRefreshed('profile')) { + // check current data + $profileValues = []; + //User Profile Field - Phone number + $attr = strtolower($this->connection->ldapAttributePhone); + if (!empty($attr)) { // attribute configured + $profileValues[IAccountManager::PROPERTY_PHONE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - website + $attr = strtolower($this->connection->ldapAttributeWebsite); + if (isset($ldapEntry[$attr])) { + $cutPosition = strpos($ldapEntry[$attr][0], ' '); + if ($cutPosition) { + // drop appended label + $profileValues[IAccountManager::PROPERTY_WEBSITE] + = substr($ldapEntry[$attr][0], 0, $cutPosition); + } else { + $profileValues[IAccountManager::PROPERTY_WEBSITE] + = $ldapEntry[$attr][0]; + } + } elseif (!empty($attr)) { // configured, but not defined + $profileValues[IAccountManager::PROPERTY_WEBSITE] = ''; + } + //User Profile Field - Address + $attr = strtolower($this->connection->ldapAttributeAddress); + if (isset($ldapEntry[$attr])) { + if (str_contains($ldapEntry[$attr][0], '$')) { + // basic format conversion from postalAddress syntax to commata delimited + $profileValues[IAccountManager::PROPERTY_ADDRESS] + = str_replace('$', ', ', $ldapEntry[$attr][0]); + } else { + $profileValues[IAccountManager::PROPERTY_ADDRESS] + = $ldapEntry[$attr][0]; + } + } elseif (!empty($attr)) { // configured, but not defined + $profileValues[IAccountManager::PROPERTY_ADDRESS] = ''; + } + //User Profile Field - Twitter + $attr = strtolower($this->connection->ldapAttributeTwitter); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_TWITTER] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - fediverse + $attr = strtolower($this->connection->ldapAttributeFediverse); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_FEDIVERSE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - organisation + $attr = strtolower($this->connection->ldapAttributeOrganisation); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_ORGANISATION] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - role + $attr = strtolower($this->connection->ldapAttributeRole); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_ROLE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - headline + $attr = strtolower($this->connection->ldapAttributeHeadline); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_HEADLINE] + = $ldapEntry[$attr][0] ?? ''; + } + //User Profile Field - biography + $attr = strtolower($this->connection->ldapAttributeBiography); + if (isset($ldapEntry[$attr])) { + if (str_contains($ldapEntry[$attr][0], '\r')) { + // convert line endings + $profileValues[IAccountManager::PROPERTY_BIOGRAPHY] + = str_replace(["\r\n","\r"], "\n", $ldapEntry[$attr][0]); + } else { + $profileValues[IAccountManager::PROPERTY_BIOGRAPHY] + = $ldapEntry[$attr][0]; + } + } elseif (!empty($attr)) { // configured, but not defined + $profileValues[IAccountManager::PROPERTY_BIOGRAPHY] = ''; + } + //User Profile Field - birthday + $attr = strtolower($this->connection->ldapAttributeBirthDate); + if (!empty($attr) && !empty($ldapEntry[$attr][0])) { + $value = $ldapEntry[$attr][0]; + try { + $birthdate = $this->birthdateParser->parseBirthdate($value); + $profileValues[IAccountManager::PROPERTY_BIRTHDATE] + = $birthdate->format('Y-m-d'); + } catch (InvalidArgumentException $e) { + // Invalid date -> just skip the property + $this->logger->info("Failed to parse user's birthdate from LDAP: $value", [ + 'exception' => $e, + 'userId' => $username, + ]); + } + } + //User Profile Field - pronouns + $attr = strtolower($this->connection->ldapAttributePronouns); + if (!empty($attr)) { + $profileValues[IAccountManager::PROPERTY_PRONOUNS] + = $ldapEntry[$attr][0] ?? ''; + } + // check for changed data and cache just for TTL checking + $checksum = hash('sha256', json_encode($profileValues)); + $this->connection->writeToCache($cacheKey, $checksum // write array to cache. is waste of cache space + , null); // use ldapCacheTTL from configuration + // Update user profile + if ($this->config->getUserValue($username, 'user_ldap', 'lastProfileChecksum', null) !== $checksum) { + $this->config->setUserValue($username, 'user_ldap', 'lastProfileChecksum', $checksum); + $this->updateProfile($profileValues); + $this->logger->info("updated profile uid=$username", ['app' => 'user_ldap']); + } else { + $this->logger->debug('profile data from LDAP unchanged', ['app' => 'user_ldap', 'uid' => $username]); + } + unset($attr); + } elseif ($profileCached !== null) { // message delayed, to declutter log + $this->logger->debug('skipping profile check, while cached data exist', ['app' => 'user_ldap', 'uid' => $username]); + } + //Avatar /** @var Connection $connection */ $connection = $this->access->getConnection(); @@ -238,11 +305,7 @@ class User { foreach ($attributes as $attribute) { if (isset($ldapEntry[$attribute])) { $this->avatarImage = $ldapEntry[$attribute][0]; - // the call to the method that saves the avatar in the file - // system must be postponed after the login. It is to ensure - // external mounts are mounted properly (e.g. with login - // credentials from the session). - \OCP\Util::connectHook('OC_User', 'post_login', $this, 'updateAvatarPostLogin'); + $this->updateAvatar(); break; } } @@ -266,20 +329,22 @@ class User { /** * returns the home directory of the user if specified by LDAP settings - * @param ?string $valueFromLDAP - * @return false|string * @throws \Exception */ - public function getHomePath($valueFromLDAP = null) { + public function getHomePath(?string $valueFromLDAP = null): string|false { $path = (string)$valueFromLDAP; $attr = null; if (is_null($valueFromLDAP) - && strpos($this->access->connection->homeFolderNamingRule, 'attr:') === 0 + && str_starts_with($this->access->connection->homeFolderNamingRule, 'attr:') && $this->access->connection->homeFolderNamingRule !== 'attr:') { $attr = substr($this->access->connection->homeFolderNamingRule, strlen('attr:')); - $homedir = $this->access->readAttribute($this->access->username2dn($this->getUsername()), $attr); - if ($homedir && isset($homedir[0])) { + $dn = $this->access->username2dn($this->getUsername()); + if ($dn === false) { + return false; + } + $homedir = $this->access->readAttribute($dn, $attr); + if ($homedir !== false && isset($homedir[0])) { $path = $homedir[0]; } } @@ -287,12 +352,12 @@ class User { if ($path !== '') { //if attribute's value is an absolute path take this, otherwise append it to data dir //check for / at the beginning or pattern c:\ resp. c:/ - if ('/' !== $path[0] - && !(3 < strlen($path) && ctype_alpha($path[0]) - && $path[1] === ':' && ('\\' === $path[2] || '/' === $path[2])) + if ($path[0] !== '/' + && !(strlen($path) > 3 && ctype_alpha($path[0]) + && $path[1] === ':' && ($path[2] === '\\' || $path[2] === '/')) ) { $path = $this->config->getSystemValue('datadirectory', - \OC::$SERVERROOT.'/data') . '/' . $path; + \OC::$SERVERROOT . '/data') . '/' . $path; } //we need it to store it in the DB as well in case a user gets //deleted so we can clean up afterwards @@ -303,7 +368,7 @@ class User { } if (!is_null($attr) - && $this->config->getAppValue('user_ldap', 'enforce_home_folder_naming_rule', true) + && $this->config->getAppValue('user_ldap', 'enforce_home_folder_naming_rule', 'true') ) { // a naming rule attribute is defined, but it doesn't exist for that LDAP user throw new \Exception('Home dir attribute can\'t be read from LDAP for uid: ' . $this->getUsername()); @@ -314,8 +379,8 @@ class User { return false; } - public function getMemberOfGroups() { - $cacheKey = 'getMemberOf'.$this->getUsername(); + public function getMemberOfGroups(): array|false { + $cacheKey = 'getMemberOf' . $this->getUsername(); $memberOfGroups = $this->connection->getFromCache($cacheKey); if (!is_null($memberOfGroups)) { return $memberOfGroups; @@ -327,9 +392,9 @@ class User { /** * @brief reads the image from LDAP that shall be used as Avatar - * @return string data (provided by LDAP) | false + * @return string|false data (provided by LDAP) */ - public function getAvatarImage() { + public function getAvatarImage(): string|false { if (!is_null($this->avatarImage)) { return $this->avatarImage; } @@ -340,7 +405,7 @@ class User { $attributes = $connection->resolveRule('avatar'); foreach ($attributes as $attribute) { $result = $this->access->readAttribute($this->dn, $attribute); - if ($result !== false && is_array($result) && isset($result[0])) { + if ($result !== false && isset($result[0])) { $this->avatarImage = $result[0]; break; } @@ -351,20 +416,16 @@ class User { /** * @brief marks the user as having logged in at least once - * @return null */ - public function markLogin() { + public function markLogin(): void { $this->config->setUserValue( - $this->uid, 'user_ldap', self::USER_PREFKEY_FIRSTLOGIN, 1); + $this->uid, 'user_ldap', self::USER_PREFKEY_FIRSTLOGIN, '1'); } /** * Stores a key-value pair in relation to this user - * - * @param string $key - * @param string $value */ - private function store($key, $value) { + private function store(string $key, string $value): void { $this->config->setUserValue($this->uid, 'user_ldap', $key, $value); } @@ -372,12 +433,9 @@ class User { * Composes the display name and stores it in the database. The final * display name is returned. * - * @param string $displayName - * @param string $displayName2 * @return string the effective display name */ - public function composeAndStoreDisplayName($displayName, $displayName2 = '') { - $displayName2 = (string)$displayName2; + public function composeAndStoreDisplayName(string $displayName, string $displayName2 = ''): string { if ($displayName2 !== '') { $displayName .= ' (' . $displayName2 . ')'; } @@ -396,9 +454,8 @@ class User { /** * Stores the LDAP Username in the Database - * @param string $userName */ - public function storeLDAPUserName($userName) { + public function storeLDAPUserName(string $userName): void { $this->store('uid', $userName); } @@ -406,10 +463,9 @@ class User { * @brief checks whether an update method specified by feature was run * already. If not, it will marked like this, because it is expected that * the method will be run, when false is returned. - * @param string $feature email | quota | avatar (can be extended) - * @return bool + * @param string $feature email | quota | avatar | profile (can be extended) */ - private function wasRefreshed($feature) { + private function wasRefreshed(string $feature): bool { if (isset($this->refreshedFeatures[$feature])) { return true; } @@ -419,10 +475,9 @@ class User { /** * fetches the email from LDAP and stores it as Nextcloud user value - * @param string $valueFromLDAP if known, to save an LDAP read request - * @return null + * @param ?string $valueFromLDAP if known, to save an LDAP read request */ - public function updateEmail($valueFromLDAP = null) { + public function updateEmail(?string $valueFromLDAP = null): void { if ($this->wasRefreshed('email')) { return; } @@ -441,7 +496,7 @@ class User { if (!is_null($user)) { $currentEmail = (string)$user->getSystemEMailAddress(); if ($currentEmail !== $email) { - $user->setEMailAddress($email); + $user->setSystemEMailAddress($email); } } } @@ -460,14 +515,13 @@ class User { * fetch all the user's attributes in one call and use the fetched values in this function. * The expected value for that parameter is a string describing the quota for the user. Valid * values are 'none' (unlimited), 'default' (the Nextcloud's default quota), '1234' (quota in - * bytes), '1234 MB' (quota in MB - check the \OC_Helper::computerFileSize method for more info) + * bytes), '1234 MB' (quota in MB - check the \OCP\Util::computerFileSize method for more info) * * fetches the quota from LDAP and stores it as Nextcloud user value * @param ?string $valueFromLDAP the quota attribute's value can be passed, - * to save the readAttribute request - * @return void + * to save the readAttribute request */ - public function updateQuota($valueFromLDAP = null) { + public function updateQuota(?string $valueFromLDAP = null): void { if ($this->wasRefreshed('quota')) { return; } @@ -481,7 +535,7 @@ class User { $quota = false; if (is_null($valueFromLDAP) && $quotaAttribute !== '') { $aQuota = $this->access->readAttribute($this->dn, $quotaAttribute); - if ($aQuota && (count($aQuota) > 0) && $this->verifyQuotaValue($aQuota[0])) { + if ($aQuota !== false && isset($aQuota[0]) && $this->verifyQuotaValue($aQuota[0])) { $quota = $aQuota[0]; } elseif (is_array($aQuota) && isset($aQuota[0])) { $this->logger->debug('no suitable LDAP quota found for user ' . $this->uid . ': [' . $aQuota[0] . ']', ['app' => 'user_ldap']); @@ -489,7 +543,7 @@ class User { } elseif (!is_null($valueFromLDAP) && $this->verifyQuotaValue($valueFromLDAP)) { $quota = $valueFromLDAP; } else { - $this->logger->debug('no suitable LDAP quota found for user ' . $this->uid . ': [' . $valueFromLDAP . ']', ['app' => 'user_ldap']); + $this->logger->debug('no suitable LDAP quota found for user ' . $this->uid . ': [' . ($valueFromLDAP ?? '') . ']', ['app' => 'user_ldap']); } if ($quota === false && $this->verifyQuotaValue($defaultQuota)) { @@ -508,26 +562,65 @@ class User { } } - private function verifyQuotaValue(string $quotaValue) { - return $quotaValue === 'none' || $quotaValue === 'default' || \OC_Helper::computerFileSize($quotaValue) !== false; + private function verifyQuotaValue(string $quotaValue): bool { + return $quotaValue === 'none' || $quotaValue === 'default' || Util::computerFileSize($quotaValue) !== false; } /** - * called by a post_login hook to save the avatar picture + * takes values from LDAP and stores it as Nextcloud user profile value * - * @param array $params + * @param array $profileValues associative array of property keys and values from LDAP */ - public function updateAvatarPostLogin($params) { - if (isset($params['uid']) && $params['uid'] === $this->getUsername()) { - $this->updateAvatar(); + private function updateProfile(array $profileValues): void { + // check if given array is empty + if (empty($profileValues)) { + return; // okay, nothing to do + } + // fetch/prepare user + $user = $this->userManager->get($this->uid); + if (is_null($user)) { + $this->logger->error('could not get user for uid=' . $this->uid . '', ['app' => 'user_ldap']); + return; + } + // prepare AccountManager and Account + $accountManager = Server::get(IAccountManager::class); + $account = $accountManager->getAccount($user); // get Account + $defaultScopes = array_merge(AccountManager::DEFAULT_SCOPES, + $this->config->getSystemValue('account_manager.default_property_scope', [])); + // loop through the properties and handle them + foreach ($profileValues as $property => $valueFromLDAP) { + // check and update profile properties + $value = (is_array($valueFromLDAP) ? $valueFromLDAP[0] : $valueFromLDAP); // take ONLY the first value, if multiple values specified + try { + $accountProperty = $account->getProperty($property); + $currentValue = $accountProperty->getValue(); + $scope = ($accountProperty->getScope() ?: $defaultScopes[$property]); + } catch (PropertyDoesNotExistException $e) { // thrown at getProperty + $this->logger->error('property does not exist: ' . $property + . ' for uid=' . $this->uid . '', ['app' => 'user_ldap', 'exception' => $e]); + $currentValue = ''; + $scope = $defaultScopes[$property]; + } + $verified = IAccountManager::VERIFIED; // trust the LDAP admin knew what they put there + if ($currentValue !== $value) { + $account->setProperty($property, $value, $scope, $verified); + $this->logger->debug('update user profile: ' . $property . '=' . $value + . ' for uid=' . $this->uid . '', ['app' => 'user_ldap']); + } + } + try { + $accountManager->updateAccount($account); // may throw InvalidArgumentException + } catch (\InvalidArgumentException $e) { + $this->logger->error('invalid data from LDAP: for uid=' . $this->uid . '', ['app' => 'user_ldap', 'func' => 'updateProfile' + , 'exception' => $e]); } } /** * @brief attempts to get an image from LDAP and sets it as Nextcloud avatar - * @return bool + * @return bool true when the avatar was set successfully or is up to date */ - public function updateAvatar($force = false) { + public function updateAvatar(bool $force = false): bool { if (!$force && $this->wasRefreshed('avatar')) { return false; } @@ -544,11 +637,11 @@ class User { // use the checksum before modifications $checksum = md5($this->image->data()); - if ($checksum === $this->config->getUserValue($this->uid, 'user_ldap', 'lastAvatarChecksum', '')) { + if ($checksum === $this->config->getUserValue($this->uid, 'user_ldap', 'lastAvatarChecksum', '') && $this->avatarExists()) { return true; } - $isSet = $this->setOwnCloudAvatar(); + $isSet = $this->setNextcloudAvatar(); if ($isSet) { // save checksum only after successful setting @@ -558,38 +651,38 @@ class User { return $isSet; } + private function avatarExists(): bool { + try { + $currentAvatar = $this->avatarManager->getAvatar($this->uid); + return $currentAvatar->exists() && $currentAvatar->isCustomAvatar(); + } catch (\Exception $e) { + return false; + } + } + /** * @brief sets an image as Nextcloud avatar - * @return bool */ - private function setOwnCloudAvatar() { + private function setNextcloudAvatar(): bool { if (!$this->image->valid()) { - $this->logger->error('avatar image data from LDAP invalid for '.$this->dn, ['app' => 'user_ldap']); + $this->logger->error('avatar image data from LDAP invalid for ' . $this->dn, ['app' => 'user_ldap']); return false; } - //make sure it is a square and not bigger than 128x128 - $size = min([$this->image->width(), $this->image->height(), 128]); + //make sure it is a square and not bigger than 512x512 + $size = min([$this->image->width(), $this->image->height(), 512]); if (!$this->image->centerCrop($size)) { - $this->logger->error('croping image for avatar failed for '.$this->dn, ['app' => 'user_ldap']); + $this->logger->error('croping image for avatar failed for ' . $this->dn, ['app' => 'user_ldap']); return false; } - if (!$this->fs->isLoaded()) { - $this->fs->setup($this->uid); - } - try { $avatar = $this->avatarManager->getAvatar($this->uid); $avatar->set($this->image); return true; } catch (\Exception $e) { - \OC::$server->getLogger()->logException($e, [ - 'message' => 'Could not set avatar for ' . $this->dn, - 'level' => ILogger::INFO, - 'app' => 'user_ldap', - ]); + $this->logger->info('Could not set avatar for ' . $this->dn, ['exception' => $e]); } return false; } @@ -597,7 +690,7 @@ class User { /** * @throws AttributeNotSet * @throws \OC\ServerNotAvailableException - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException */ public function getExtStorageHome():string { $value = $this->config->getUserValue($this->getUsername(), 'user_ldap', 'extStorageHome', ''); @@ -616,16 +709,16 @@ class User { } /** - * @throws \OCP\PreConditionNotMetException + * @throws PreConditionNotMetException * @throws \OC\ServerNotAvailableException */ - public function updateExtStorageHome(string $valueFromLDAP = null):string { + public function updateExtStorageHome(?string $valueFromLDAP = null):string { if ($valueFromLDAP === null) { $extHomeValues = $this->access->readAttribute($this->getDN(), $this->connection->ldapExtStorageHomeAttribute); } else { $extHomeValues = [$valueFromLDAP]; } - if ($extHomeValues && isset($extHomeValues[0])) { + if ($extHomeValues !== false && isset($extHomeValues[0])) { $extHome = $extHomeValues[0]; $this->config->setUserValue($this->getUsername(), 'user_ldap', 'extStorageHome', $extHome); return $extHome; @@ -637,29 +730,30 @@ class User { /** * called by a post_login hook to handle password expiry - * - * @param array $params */ - public function handlePasswordExpiry($params) { + public function handlePasswordExpiry(array $params): void { $ppolicyDN = $this->connection->ldapDefaultPPolicyDN; if (empty($ppolicyDN) || ((int)$this->connection->turnOnPasswordChange !== 1)) { - return;//password expiry handling disabled + //password expiry handling disabled + return; } $uid = $params['uid']; if (isset($uid) && $uid === $this->getUsername()) { //retrieve relevant user attributes $result = $this->access->search('objectclass=*', $this->dn, ['pwdpolicysubentry', 'pwdgraceusetime', 'pwdreset', 'pwdchangedtime']); - if (array_key_exists('pwdpolicysubentry', $result[0])) { - $pwdPolicySubentry = $result[0]['pwdpolicysubentry']; - if ($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)) { - $ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN + if (!empty($result)) { + if (array_key_exists('pwdpolicysubentry', $result[0])) { + $pwdPolicySubentry = $result[0]['pwdpolicysubentry']; + if ($pwdPolicySubentry && (count($pwdPolicySubentry) > 0)) { + $ppolicyDN = $pwdPolicySubentry[0];//custom ppolicy DN + } } - } - $pwdGraceUseTime = array_key_exists('pwdgraceusetime', $result[0]) ? $result[0]['pwdgraceusetime'] : []; - $pwdReset = array_key_exists('pwdreset', $result[0]) ? $result[0]['pwdreset'] : []; - $pwdChangedTime = array_key_exists('pwdchangedtime', $result[0]) ? $result[0]['pwdchangedtime'] : []; + $pwdGraceUseTime = array_key_exists('pwdgraceusetime', $result[0]) ? $result[0]['pwdgraceusetime'] : []; + $pwdReset = array_key_exists('pwdreset', $result[0]) ? $result[0]['pwdreset'] : []; + $pwdChangedTime = array_key_exists('pwdchangedtime', $result[0]) ? $result[0]['pwdchangedtime'] : []; + } //retrieve relevant password policy attributes $cacheKey = 'ppolicyAttributes' . $ppolicyDN; @@ -678,19 +772,19 @@ class User { if (!empty($pwdGraceAuthNLimit) && count($pwdGraceUseTime) < (int)$pwdGraceAuthNLimit[0]) { //at least one more grace login available? $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true'); - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( - 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute( + 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); } else { //no more grace login available - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( - 'user_ldap.renewPassword.showLoginFormInvalidPassword', ['user' => $uid])); + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute( + 'user_ldap.renewPassword.showLoginFormInvalidPassword', ['user' => $uid])); } exit(); } //handle pwdReset attribute - if (!empty($pwdReset) && $pwdReset[0] === 'TRUE') { //user must change his password + if (!empty($pwdReset) && $pwdReset[0] === 'TRUE') { //user must change their password $this->config->setUserValue($uid, 'user_ldap', 'needsPasswordReset', 'true'); - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute( - 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute( + 'user_ldap.renewPassword.showRenewPasswordForm', ['user' => $uid])); exit(); } //handle password expiry warning @@ -701,7 +795,7 @@ class User { $pwdExpireWarningInt = (int)$pwdExpireWarning[0]; if ($pwdMaxAgeInt > 0 && $pwdExpireWarningInt > 0) { $pwdChangedTimeDt = \DateTime::createFromFormat('YmdHisZ', $pwdChangedTime[0]); - $pwdChangedTimeDt->add(new \DateInterval('PT'.$pwdMaxAgeInt.'S')); + $pwdChangedTimeDt->add(new \DateInterval('PT' . $pwdMaxAgeInt . 'S')); $currentDateTime = new \DateTime(); $secondsToExpiry = $pwdChangedTimeDt->getTimestamp() - $currentDateTime->getTimestamp(); if ($secondsToExpiry <= $pwdExpireWarningInt) { @@ -718,7 +812,7 @@ class User { ->setUser($uid) ->setDateTime($currentDateTime) ->setObject('pwd_exp_warn', $uid) - ->setSubject('pwd_exp_warn_days', [(int) ceil($secondsToExpiry / 60 / 60 / 24)]) + ->setSubject('pwd_exp_warn_days', [(int)ceil($secondsToExpiry / 60 / 60 / 24)]) ; $this->notificationManager->notify($notification); } diff --git a/apps/user_ldap/lib/UserPluginManager.php b/apps/user_ldap/lib/UserPluginManager.php index 516338f006b..ed87fea6fde 100644 --- a/apps/user_ldap/lib/UserPluginManager.php +++ b/apps/user_ldap/lib/UserPluginManager.php @@ -1,31 +1,14 @@ <?php + /** - * @copyright Copyright (c) 2017 EITA Cooperative (eita.org.br) - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Filis Futsarov <filisko@users.noreply.github.com> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\User_LDAP; use OC\User\Backend; +use OCP\Server; +use Psr\Log\LoggerInterface; class UserPluginManager { private int $respondToActions = 0; @@ -62,12 +45,12 @@ class UserPluginManager { foreach ($this->which as $action => $v) { if (is_int($action) && (bool)($respondToActions & $action)) { $this->which[$action] = $plugin; - \OC::$server->getLogger()->debug("Registered action ".$action." to plugin ".get_class($plugin), ['app' => 'user_ldap']); + Server::get(LoggerInterface::class)->debug('Registered action ' . $action . ' to plugin ' . get_class($plugin), ['app' => 'user_ldap']); } } if (method_exists($plugin, 'deleteUser')) { $this->which['deleteUser'] = $plugin; - \OC::$server->getLogger()->debug("Registered action deleteUser to plugin ".get_class($plugin), ['app' => 'user_ldap']); + Server::get(LoggerInterface::class)->debug('Registered action deleteUser to plugin ' . get_class($plugin), ['app' => 'user_ldap']); } } @@ -114,7 +97,7 @@ class UserPluginManager { } /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot * @throws \Exception diff --git a/apps/user_ldap/lib/User_LDAP.php b/apps/user_ldap/lib/User_LDAP.php index f855dcb1fd6..c3f56f5ff9b 100644 --- a/apps/user_ldap/lib/User_LDAP.php +++ b/apps/user_ldap/lib/User_LDAP.php @@ -1,40 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Dominik Schmidt <dev@dominik-schmidt.de> - * @author felixboehm <felix@webhippie.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Tom Needham <tom@owncloud.com> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; @@ -42,46 +11,30 @@ use OC\ServerNotAvailableException; use OC\User\Backend; use OC\User\NoUserException; use OCA\User_LDAP\Exceptions\NotOnLDAP; +use OCA\User_LDAP\User\DeletedUsersIndex; use OCA\User_LDAP\User\OfflineUser; use OCA\User_LDAP\User\User; -use OCP\IConfig; use OCP\IUserBackend; -use OCP\IUserSession; use OCP\Notification\IManager as INotificationManager; use OCP\User\Backend\ICountMappedUsersBackend; -use OCP\User\Backend\ICountUsersBackend; +use OCP\User\Backend\ILimitAwareCountUsersBackend; +use OCP\User\Backend\IProvideEnabledStateBackend; use OCP\UserInterface; use Psr\Log\LoggerInterface; -class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, IUserLDAP, ICountUsersBackend, ICountMappedUsersBackend { - /** @var \OCP\IConfig */ - protected $ocConfig; - - /** @var INotificationManager */ - protected $notificationManager; - - /** @var UserPluginManager */ - protected $userPluginManager; - - /** @var LoggerInterface */ - protected $logger; - - /** - * @param Access $access - * @param \OCP\IConfig $ocConfig - * @param \OCP\Notification\IManager $notificationManager - * @param IUserSession $userSession - */ - public function __construct(Access $access, IConfig $ocConfig, INotificationManager $notificationManager, IUserSession $userSession, UserPluginManager $userPluginManager) { +class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend { + public function __construct( + Access $access, + protected INotificationManager $notificationManager, + protected UserPluginManager $userPluginManager, + protected LoggerInterface $logger, + protected DeletedUsersIndex $deletedUsersIndex, + ) { parent::__construct($access); - $this->ocConfig = $ocConfig; - $this->notificationManager = $notificationManager; - $this->userPluginManager = $userPluginManager; - $this->logger = \OC::$server->get(LoggerInterface::class); } /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot @@ -114,11 +67,12 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I * @return string|false * @throws \Exception */ - public function loginName2UserName($loginName) { + public function loginName2UserName($loginName, bool $forceLdapRefetch = false) { $cacheKey = 'loginName2UserName-' . $loginName; $username = $this->access->connection->getFromCache($cacheKey); - if ($username !== null) { + $ignoreCache = ($username === false && $forceLdapRefetch); + if ($username !== null && !$ignoreCache) { return $username; } @@ -133,6 +87,9 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I } $username = $user->getUsername(); $this->access->connection->writeToCache($cacheKey, $username); + if ($forceLdapRefetch) { + $user->processAttributes($ldapRecord); + } return $username; } catch (NotOnLDAP $e) { $this->access->connection->writeToCache($cacheKey, false); @@ -162,8 +119,8 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I $attrs = $this->access->userManager->getAttributes(); $users = $this->access->fetchUsersByLoginName($loginName, $attrs); if (count($users) < 1) { - throw new NotOnLDAP('No user available for the given login name on ' . - $this->access->connection->ldapHost . ':' . $this->access->connection->ldapPort); + throw new NotOnLDAP('No user available for the given login name on ' + . $this->access->connection->ldapHost . ':' . $this->access->connection->ldapPort); } return $users[0]; } @@ -176,22 +133,17 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I * @return false|string */ public function checkPassword($uid, $password) { - try { - $ldapRecord = $this->getLDAPUserByLoginName($uid); - } catch (NotOnLDAP $e) { - $this->logger->debug( - $e->getMessage(), - ['app' => 'user_ldap', 'exception' => $e] - ); + $username = $this->loginName2UserName($uid, true); + if ($username === false) { return false; } - $dn = $ldapRecord['dn'][0]; + $dn = $this->access->username2dn($username); $user = $this->access->userManager->get($dn); if (!$user instanceof User) { $this->logger->warning( - 'LDAP Login: Could not get user object for DN ' . $dn . - '. Maybe the LDAP entry has no set display name attribute?', + 'LDAP Login: Could not get user object for DN ' . $dn + . '. Maybe the LDAP entry has no set display name attribute?', ['app' => 'user_ldap'] ); return false; @@ -203,7 +155,6 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I } $this->access->cacheUserExists($user->getUsername()); - $user->processAttributes($ldapRecord); $user->markLogin(); return $user->getUsername(); @@ -226,8 +177,8 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I $user = $this->access->userManager->get($uid); if (!$user instanceof User) { - throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid . - '. Maybe the LDAP entry has no set display name attribute?'); + throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid + . '. Maybe the LDAP entry has no set display name attribute?'); } if ($user->getUsername() !== false && $this->access->setPassword($user->getDN(), $password)) { $ldapDefaultPPolicyDN = $this->access->connection->ldapDefaultPPolicyDN; @@ -257,7 +208,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I */ public function getUsers($search = '', $limit = 10, $offset = 0) { $search = $this->access->escapeFilterPart($search, true); - $cachekey = 'getUsers-'.$search.'-'.$limit.'-'.$offset; + $cachekey = 'getUsers-' . $search . '-' . $limit . '-' . $offset; //check if users are cached, if so return $ldap_users = $this->access->connection->getFromCache($cachekey); @@ -277,7 +228,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I ]); $this->logger->debug( - 'getUsers: Options: search '.$search.' limit '.$limit.' offset '.$offset.' Filter: '.$filter, + 'getUsers: Options: search ' . $search . ' limit ' . $limit . ' offset ' . $offset . ' Filter: ' . $filter, ['app' => 'user_ldap'] ); //do the search and translate results to Nextcloud names @@ -287,7 +238,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I $limit, $offset); $ldap_users = $this->access->nextcloudUserNames($ldap_users); $this->logger->debug( - 'getUsers: '.count($ldap_users). ' Users found', + 'getUsers: ' . count($ldap_users) . ' Users found', ['app' => 'user_ldap'] ); @@ -298,8 +249,8 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I /** * checks whether a user is still available on LDAP * - * @param string|\OCA\User_LDAP\User\User $user either the Nextcloud user - * name or an instance of that user + * @param string|User $user either the Nextcloud user + * name or an instance of that user * @throws \Exception * @throws \OC\ServerNotAvailableException */ @@ -335,8 +286,6 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I return false; } $this->access->getUserMapper()->setDNbyUUID($newDn, $uuid); - $this->access->connection->writeToCache($cacheKey, true); - return true; } catch (ServerNotAvailableException $e) { throw $e; } catch (\Exception $e) { @@ -360,23 +309,22 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I * @throws \Exception when connection could not be established */ public function userExists($uid) { - $userExists = $this->access->connection->getFromCache('userExists'.$uid); + $userExists = $this->access->connection->getFromCache('userExists' . $uid); if (!is_null($userExists)) { return (bool)$userExists; } - //getting dn, if false the user does not exist. If dn, he may be mapped only, requires more checking. - $user = $this->access->userManager->get($uid); + $userExists = $this->access->userManager->exists($uid); - if (is_null($user)) { + if (!$userExists) { $this->logger->debug( - 'No DN found for '.$uid.' on '.$this->access->connection->ldapHost, + 'No DN found for ' . $uid . ' on ' . $this->access->connection->ldapHost, ['app' => 'user_ldap'] ); - $this->access->connection->writeToCache('userExists'.$uid, false); + $this->access->connection->writeToCache('userExists' . $uid, false); return false; } - $this->access->connection->writeToCache('userExists'.$uid, true); + $this->access->connection->writeToCache('userExists' . $uid, true); return true; } @@ -394,13 +342,13 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I } } - $marked = (int)$this->ocConfig->getUserValue($uid, 'user_ldap', 'isDeleted', 0); - if ($marked === 0) { + $marked = $this->deletedUsersIndex->isUserMarked($uid); + if (!$marked) { try { $user = $this->access->userManager->get($uid); if (($user instanceof User) && !$this->userExistsOnLDAP($uid, true)) { $user->markUser(); - $marked = 1; + $marked = true; } } catch (\Exception $e) { $this->logger->debug( @@ -408,9 +356,9 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I ['app' => 'user_ldap', 'exception' => $e] ); } - if ($marked === 0) { + if (!$marked) { $this->logger->notice( - 'User '.$uid . ' is not marked as deleted, not cleaning up.', + 'User ' . $uid . ' is not marked as deleted, not cleaning up.', ['app' => 'user_ldap'] ); return false; @@ -443,7 +391,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I return $this->userPluginManager->getHome($uid); } - $cacheKey = 'getHome'.$uid; + $cacheKey = 'getHome' . $uid; $path = $this->access->connection->getFromCache($cacheKey); if (!is_null($path)) { return $path; @@ -475,7 +423,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I return false; } - $cacheKey = 'getDisplayName'.$uid; + $cacheKey = 'getDisplayName' . $uid; if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) { return $displayName; } @@ -502,11 +450,10 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I $user = $this->access->userManager->get($uid); if ($user instanceof User) { - $displayName = $user->composeAndStoreDisplayName($displayName, $displayName2); + $displayName = $user->composeAndStoreDisplayName($displayName, (string)$displayName2); $this->access->connection->writeToCache($cacheKey, $displayName); } if ($user instanceof OfflineUser) { - /** @var OfflineUser $user*/ $displayName = $user->getDisplayName(); } return $displayName; @@ -539,7 +486,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I * @return array an array of all displayNames (value) and the corresponding uids (key) */ public function getDisplayNames($search = '', $limit = null, $offset = null) { - $cacheKey = 'getDisplayNames-'.$search.'-'.$limit.'-'.$offset; + $cacheKey = 'getDisplayNames-' . $search . '-' . $limit . '-' . $offset; if (!is_null($displayNames = $this->access->connection->getFromCache($cacheKey))) { return $displayNames; } @@ -581,20 +528,18 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I /** * counts the users in LDAP - * - * @return int|false */ - public function countUsers() { + public function countUsers(int $limit = 0): int|false { if ($this->userPluginManager->implementsActions(Backend::COUNT_USERS)) { return $this->userPluginManager->countUsers(); } $filter = $this->access->getFilterForUserCount(); - $cacheKey = 'countUsers-'.$filter; + $cacheKey = 'countUsers-' . $filter . '-' . $limit; if (!is_null($entries = $this->access->connection->getFromCache($cacheKey))) { return $entries; } - $entries = $this->access->countUsers($filter); + $entries = $this->access->countUsers($filter, limit:$limit); $this->access->connection->writeToCache($cacheKey, $entries); return $entries; } @@ -625,7 +570,7 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I * The cloned connection needs to be closed manually. * of the current access. * @param string $uid - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection */ public function getNewLDAPConnection($uid) { $connection = clone $this->access->getConnection(); @@ -653,7 +598,6 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I $uuid, true ); - $this->access->cacheUserExists($username); } else { $this->logger->warning( 'Failed to map created LDAP user with userid {userid}, because UUID could not be determined', @@ -664,11 +608,28 @@ class User_LDAP extends BackendUtility implements IUserBackend, UserInterface, I ); } } else { - throw new \UnexpectedValueException("LDAP Plugin: Method createUser changed to return the user DN instead of boolean."); + throw new \UnexpectedValueException('LDAP Plugin: Method createUser changed to return the user DN instead of boolean.'); } } - return (bool) $dn; + return (bool)$dn; } return false; } + + public function isUserEnabled(string $uid, callable $queryDatabaseValue): bool { + if ($this->deletedUsersIndex->isUserMarked($uid) && ((int)$this->access->connection->markRemnantsAsDisabled === 1)) { + return false; + } else { + return $queryDatabaseValue(); + } + } + + public function setUserEnabled(string $uid, bool $enabled, callable $queryDatabaseValue, callable $setDatabaseValue): bool { + $setDatabaseValue($enabled); + return $enabled; + } + + public function getDisabledUserList(?int $limit = null, int $offset = 0, string $search = ''): array { + throw new \Exception('This is implemented directly in User_Proxy'); + } } diff --git a/apps/user_ldap/lib/User_Proxy.php b/apps/user_ldap/lib/User_Proxy.php index b07c632eeeb..0d41f495ce9 100644 --- a/apps/user_ldap/lib/User_Proxy.php +++ b/apps/user_ldap/lib/User_Proxy.php @@ -1,91 +1,47 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christopher Schäpers <kondou@ts.unde.re> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roger Szabo <roger.szabo@web.de> - * @author root <root@localhost.localdomain> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Vinicius Cubas Brand <vinicius@eita.org.br> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; +use OCA\User_LDAP\User\DeletedUsersIndex; +use OCA\User_LDAP\User\OfflineUser; use OCA\User_LDAP\User\User; -use OCP\IConfig; use OCP\IUserBackend; -use OCP\IUserSession; use OCP\Notification\IManager as INotificationManager; use OCP\User\Backend\ICountMappedUsersBackend; -use OCP\User\Backend\ICountUsersBackend; +use OCP\User\Backend\ILimitAwareCountUsersBackend; +use OCP\User\Backend\IProvideEnabledStateBackend; use OCP\UserInterface; +use Psr\Log\LoggerInterface; -class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP, ICountUsersBackend, ICountMappedUsersBackend { - /** @var array<string,User_LDAP> */ - private $backends = []; - /** @var ?User_LDAP */ - private $refBackend = null; - - private bool $isSetUp = false; - private Helper $helper; - private IConfig $ocConfig; - private INotificationManager $notificationManager; - private IUserSession $userSession; - private UserPluginManager $userPluginManager; - +/** + * @template-extends Proxy<User_LDAP> + */ +class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP, ILimitAwareCountUsersBackend, ICountMappedUsersBackend, IProvideEnabledStateBackend { public function __construct( - Helper $helper, + private Helper $helper, ILDAPWrapper $ldap, AccessFactory $accessFactory, - IConfig $ocConfig, - INotificationManager $notificationManager, - IUserSession $userSession, - UserPluginManager $userPluginManager + private INotificationManager $notificationManager, + private UserPluginManager $userPluginManager, + private LoggerInterface $logger, + private DeletedUsersIndex $deletedUsersIndex, ) { - parent::__construct($ldap, $accessFactory); - $this->helper = $helper; - $this->ocConfig = $ocConfig; - $this->notificationManager = $notificationManager; - $this->userSession = $userSession; - $this->userPluginManager = $userPluginManager; + parent::__construct($helper, $ldap, $accessFactory); } - protected function setup(): void { - if ($this->isSetUp) { - return; - } - - $serverConfigPrefixes = $this->helper->getServerConfigurationPrefixes(true); - foreach ($serverConfigPrefixes as $configPrefix) { - $this->backends[$configPrefix] = - new User_LDAP($this->getAccess($configPrefix), $this->ocConfig, $this->notificationManager, $this->userSession, $this->userPluginManager); - - if (is_null($this->refBackend)) { - $this->refBackend = &$this->backends[$configPrefix]; - } - } - - $this->isSetUp = true; + protected function newInstance(string $configPrefix): User_LDAP { + return new User_LDAP( + $this->getAccess($configPrefix), + $this->notificationManager, + $this->userPluginManager, + $this->logger, + $this->deletedUsersIndex, + ); } /** @@ -238,8 +194,8 @@ class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP /** * check if a user exists on LDAP * - * @param string|\OCA\User_LDAP\User\User $user either the Nextcloud user - * name or an instance of that user + * @param string|User $user either the Nextcloud user + * name or an instance of that user */ public function userExistsOnLDAP($user, bool $ignoreCache = false): bool { $id = ($user instanceof User) ? $user->getUsername() : $user; @@ -313,7 +269,7 @@ class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP } /** - * checks whether the user is allowed to change his avatar in Nextcloud + * checks whether the user is allowed to change their avatar in Nextcloud * * @param string $uid the Nextcloud user name * @return boolean either the user can or cannot @@ -378,17 +334,21 @@ class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP /** * Count the number of users - * - * @return int|false */ - public function countUsers() { + public function countUsers(int $limit = 0): int|false { $this->setup(); $users = false; foreach ($this->backends as $backend) { - $backendUsers = $backend->countUsers(); + $backendUsers = $backend->countUsers($limit); if ($backendUsers !== false) { $users = (int)$users + $backendUsers; + if ($limit > 0) { + if ($users >= $limit) { + break; + } + $limit -= $users; + } } } return $users; @@ -422,7 +382,7 @@ class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP * The connection needs to be closed manually. * * @param string $uid - * @return resource|\LDAP\Connection The LDAP connection + * @return \LDAP\Connection The LDAP connection */ public function getNewLDAPConnection($uid) { return $this->handleRequest($uid, 'getNewLDAPConnection', [$uid]); @@ -438,4 +398,37 @@ class User_Proxy extends Proxy implements IUserBackend, UserInterface, IUserLDAP public function createUser($username, $password) { return $this->handleRequest($username, 'createUser', [$username, $password]); } + + public function isUserEnabled(string $uid, callable $queryDatabaseValue): bool { + return $this->handleRequest($uid, 'isUserEnabled', [$uid, $queryDatabaseValue]); + } + + public function setUserEnabled(string $uid, bool $enabled, callable $queryDatabaseValue, callable $setDatabaseValue): bool { + return $this->handleRequest($uid, 'setUserEnabled', [$uid, $enabled, $queryDatabaseValue, $setDatabaseValue]); + } + + public function getDisabledUserList(?int $limit = null, int $offset = 0, string $search = ''): array { + if ((int)$this->getAccess(array_key_first($this->backends) ?? '')->connection->markRemnantsAsDisabled !== 1) { + return []; + } + $disabledUsers = $this->deletedUsersIndex->getUsers(); + if ($search !== '') { + $disabledUsers = array_filter( + $disabledUsers, + fn (OfflineUser $user): bool + => mb_stripos($user->getOCName(), $search) !== false + || mb_stripos($user->getUID(), $search) !== false + || mb_stripos($user->getDisplayName(), $search) !== false + || mb_stripos($user->getEmail(), $search) !== false, + ); + } + return array_map( + fn (OfflineUser $user) => $user->getOCName(), + array_slice( + $disabledUsers, + $offset, + $limit + ) + ); + } } diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php index 3014ec8e8a7..15a9f9cb212 100644 --- a/apps/user_ldap/lib/Wizard.php +++ b/apps/user_ldap/lib/Wizard.php @@ -1,41 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Alexander Bergolth <leo@strike.wu.ac.at> - * @author Allan Nordhøy <epost@anotheragency.no> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Jean-Louis Dupond <jean-louis@dupond.be> - * @author Joas Schilling <coding@schilljs.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Nicolas Grekas <nicolas.grekas@gmail.com> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Stefan Weil <sw@weilnetz.de> - * @author Tobias Perschon <tobias@perschon.at> - * @author Victor Dubiniuk <dubiniuk@owncloud.com> - * @author Xuanwo <xuanwo@yunify.com> - * @author Vincent Van Houtte <vvh@aplusv.be> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; @@ -43,14 +11,13 @@ namespace OCA\User_LDAP; use OC\ServerNotAvailableException; use OCP\IL10N; use OCP\L10N\IFactory as IL10NFactory; +use OCP\Server; +use OCP\Util; use Psr\Log\LoggerInterface; class Wizard extends LDAPUtility { protected static ?IL10N $l = null; - protected Access $access; - /** @var resource|\LDAP\Connection|null */ - protected $cr; - protected Configuration $configuration; + protected ?\LDAP\Connection $cr = null; protected WizardResult $result; protected LoggerInterface $logger; @@ -68,18 +35,16 @@ class Wizard extends LDAPUtility { public const LDAP_NW_TIMEOUT = 4; public function __construct( - Configuration $configuration, + protected Configuration $configuration, ILDAPWrapper $ldap, - Access $access + protected Access $access, ) { parent::__construct($ldap); - $this->configuration = $configuration; if (is_null(static::$l)) { - static::$l = \OC::$server->get(IL10NFactory::class)->get('user_ldap'); + static::$l = Server::get(IL10NFactory::class)->get('user_ldap'); } - $this->access = $access; $this->result = new WizardResult(); - $this->logger = \OC::$server->get(LoggerInterface::class); + $this->logger = Server::get(LoggerInterface::class); } public function __destruct() { @@ -193,7 +158,7 @@ class Wizard extends LDAPUtility { * counts users with a specified attribute * @return int|false */ - public function countUsersWithAttribute(string $attr, bool $existsCheck = false) { + public function countUsersWithAttribute(string $attr, bool $existsCheck = false) { $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; if (!$this->configuration->usesLdapi()) { $reqs[] = 'ldapPort'; @@ -295,8 +260,8 @@ class Wizard extends LDAPUtility { $this->applyFind('ldap_email_attr', $winner); if ($writeLog) { $this->logger->info( - 'The mail attribute has automatically been reset, '. - 'because the original value did not return any results.', + 'The mail attribute has automatically been reset, ' + . 'because the original value did not return any results.', ['app' => 'user_ldap'] ); } @@ -361,7 +326,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { return false; } - /** @var resource|\LDAP\Result $rr */ + /** @var \LDAP\Result $rr */ $er = $this->ldap->firstEntry($cr, $rr); $attributes = $this->ldap->getAttributes($cr, $er); if ($attributes === false) { @@ -399,7 +364,7 @@ class Wizard extends LDAPUtility { * @return WizardResult|false the instance's WizardResult instance * @throws \Exception */ - private function determineGroups(string $dbKey, string $confKey, bool $testMemberOf = true) { + private function determineGroups(string $dbKey, string $confKey, bool $testMemberOf = true) { $reqs = ['ldapHost', 'ldapBase']; if (!$this->configuration->usesLdapi()) { $reqs[] = 'ldapPort'; @@ -415,7 +380,7 @@ class Wizard extends LDAPUtility { $this->fetchGroups($dbKey, $confKey); if ($testMemberOf) { - $this->configuration->hasMemberOfFilterSupport = $this->testMemberOf(); + $this->configuration->hasMemberOfFilterSupport = (string)$this->testMemberOf(); $this->result->markChange(); if (!$this->configuration->hasMemberOfFilterSupport) { throw new \Exception('memberOf is not supported by the server'); @@ -435,7 +400,7 @@ class Wizard extends LDAPUtility { $filterParts = []; foreach ($obclasses as $obclass) { - $filterParts[] = 'objectclass='.$obclass; + $filterParts[] = 'objectclass=' . $obclass; } //we filter for everything //- that looks like a group and @@ -636,7 +601,7 @@ class Wizard extends LDAPUtility { * @return WizardResult|false * @throws \Exception */ - public function testLoginName(string $loginName) { + public function testLoginName(string $loginName) { $reqs = ['ldapHost', 'ldapBase', 'ldapUserFilter']; if (!$this->configuration->usesLdapi()) { $reqs[] = 'ldapPort'; @@ -646,10 +611,6 @@ class Wizard extends LDAPUtility { } $cr = $this->access->connection->getConnectionResource(); - if (!$this->ldap->isResource($cr)) { - throw new \Exception('connection error'); - } - /** @var resource|\LDAP\Connection $cr */ if (mb_strpos($this->access->connection->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) { @@ -684,7 +645,7 @@ class Wizard extends LDAPUtility { $p = $setting['port']; $t = $setting['tls']; $this->logger->debug( - 'Wiz: trying port '. $p . ', TLS '. $t, + 'Wiz: trying port ' . $p . ', TLS ' . $t, ['app' => 'user_ldap'] ); //connectAndBind may throw Exception, it needs to be caught by the @@ -705,8 +666,8 @@ class Wizard extends LDAPUtility { if ($settingsFound === true) { $config = [ - 'ldapPort' => $p, - 'ldapTLS' => (int)$t + 'ldapPort' => (string)$p, + 'ldapTLS' => (string)$t, ]; $this->configuration->setConfiguration($config); $this->logger->debug( @@ -749,7 +710,7 @@ class Wizard extends LDAPUtility { //this did not help :( //Let's see whether we can parse the Host URL and convert the domain to //a base DN - $helper = \OC::$server->get(Helper::class); + $helper = Server::get(Helper::class); $domain = $helper->getDomainFromURL($this->configuration->ldapHost); if (!$domain) { return false; @@ -792,7 +753,7 @@ class Wizard extends LDAPUtility { //removes Port from Host if (is_array($hostInfo) && isset($hostInfo['port'])) { $port = $hostInfo['port']; - $host = str_replace(':'.$port, '', $host); + $host = str_replace(':' . $port, '', $host); $this->applyFind('ldap_host', $host); $this->applyFind('ldap_port', (string)$port); } @@ -819,7 +780,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { return false; } - /** @var resource|\LDAP\Result $rr */ + /** @var \LDAP\Result $rr */ $er = $this->ldap->firstEntry($cr, $rr); while ($this->ldap->isResource($er)) { $this->ldap->getDN($cr, $er); @@ -861,12 +822,12 @@ class Wizard extends LDAPUtility { $errorNo = $this->ldap->errno($cr); $errorMsg = $this->ldap->error($cr); $this->logger->info( - 'Wiz: Could not search base '.$base.' Error '.$errorNo.': '.$errorMsg, + 'Wiz: Could not search base ' . $base . ' Error ' . $errorNo . ': ' . $errorMsg, ['app' => 'user_ldap'] ); return false; } - /** @var resource|\LDAP\Result $rr */ + /** @var \LDAP\Result $rr */ $entries = $this->ldap->countEntries($cr, $rr); return ($entries !== false) && ($entries > 0); } @@ -895,8 +856,8 @@ class Wizard extends LDAPUtility { /** * creates an LDAP Filter from given configuration * @param int $filterType int, for which use case the filter shall be created - * can be any of self::LFILTER_USER_LIST, self::LFILTER_LOGIN or - * self::LFILTER_GROUP_LIST + * can be any of self::LFILTER_USER_LIST, self::LFILTER_LOGIN or + * self::LFILTER_GROUP_LIST * @throws \Exception */ private function composeLdapFilter(int $filterType): string { @@ -909,7 +870,7 @@ class Wizard extends LDAPUtility { if (is_array($objcs) && count($objcs) > 0) { $filter .= '(|'; foreach ($objcs as $objc) { - $filter .= '(objectclass=' . $objc . ')'; + $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; $parts++; @@ -925,21 +886,21 @@ class Wizard extends LDAPUtility { } $base = $this->configuration->ldapBase[0]; foreach ($cns as $cn) { - $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']); + $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']); if (!$this->ldap->isResource($rr)) { continue; } - /** @var resource|\LDAP\Result $rr */ + /** @var \LDAP\Result $rr */ $er = $this->ldap->firstEntry($cr, $rr); $attrs = $this->ldap->getAttributes($cr, $er); $dn = $this->ldap->getDN($cr, $er); if ($dn === false || $dn === '') { continue; } - $filterPart = '(memberof=' . $dn . ')'; + $filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')'; if (isset($attrs['primaryGroupToken'])) { $pgt = $attrs['primaryGroupToken'][0]; - $primaryFilterPart = '(primaryGroupID=' . $pgt .')'; + $primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) . ')'; $filterPart = '(|' . $filterPart . $primaryFilterPart . ')'; } $filter .= $filterPart; @@ -963,7 +924,7 @@ class Wizard extends LDAPUtility { if (is_array($objcs) && count($objcs) > 0) { $filter .= '(|'; foreach ($objcs as $objc) { - $filter .= '(objectclass=' . $objc . ')'; + $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; $parts++; @@ -973,7 +934,7 @@ class Wizard extends LDAPUtility { if (is_array($cns) && count($cns) > 0) { $filter .= '(|'; foreach ($cns as $cn) { - $filter .= '(cn=' . $cn . ')'; + $filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; } @@ -1039,12 +1000,12 @@ class Wizard extends LDAPUtility { $filterLogin .= ')'; } - $filter = '(&'.$ulf.$filterLogin.')'; + $filter = '(&' . $ulf . $filterLogin . ')'; break; } $this->logger->debug( - 'Wiz: Final filter '.$filter, + 'Wiz: Final filter ' . $filter, ['app' => 'user_ldap'] ); @@ -1073,7 +1034,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($cr)) { throw new \Exception(self::$l->t('Invalid Host')); } - /** @var resource|\LDAP\Connection $cr */ + /** @var \LDAP\Connection $cr */ //set LDAP options $this->ldap->setOption($cr, LDAP_OPT_PROTOCOL_VERSION, 3); @@ -1106,7 +1067,7 @@ class Wizard extends LDAPUtility { if ($login === true) { $this->logger->debug( - 'Wiz: Bind successful to Port '. $port . ' TLS ' . (int)$tls, + 'Wiz: Bind successful to Port ' . $port . ' TLS ' . (int)$tls, ['app' => 'user_ldap'] ); return true; @@ -1151,9 +1112,9 @@ class Wizard extends LDAPUtility { * @param string[] $filters array, the filters that shall be used in the search * @param string $attr the attribute of which a list of values shall be returned * @param int $dnReadLimit the amount of how many DNs should be analyzed. - * The lower, the faster + * The lower, the faster * @param string $maxF string. if not null, this variable will have the filter that - * yields most result entries + * yields most result entries * @return array|false an array with the values on success, false otherwise */ public function cumulativeSearchOnAttribute(array $filters, string $attr, int $dnReadLimit = 3, ?string &$maxF = null) { @@ -1169,7 +1130,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($cr)) { return false; } - /** @var resource|\LDAP\Connection $cr */ + /** @var \LDAP\Connection $cr */ $lastFilter = null; if (isset($filters[count($filters) - 1])) { $lastFilter = $filters[count($filters) - 1]; @@ -1184,7 +1145,7 @@ class Wizard extends LDAPUtility { if (!$this->ldap->isResource($rr)) { continue; } - /** @var resource|\LDAP\Result $rr */ + /** @var \LDAP\Result $rr */ $entries = $this->ldap->countEntries($cr, $rr); $getEntryFunc = 'firstEntry'; if (($entries !== false) && ($entries > 0)) { @@ -1214,9 +1175,7 @@ class Wizard extends LDAPUtility { $dnReadCount++; $foundItems = array_merge($foundItems, $newItems); $dnRead[] = $dn; - } while (($state === self::LRESULT_PROCESSED_SKIP - || $this->ldap->isResource($entry)) - && ($dnReadLimit === 0 || $dnReadCount < $dnReadLimit)); + } while ($dnReadLimit === 0 || $dnReadCount < $dnReadLimit); } } @@ -1229,9 +1188,9 @@ class Wizard extends LDAPUtility { * @param string $attr the attribute to look for * @param string $dbkey the dbkey of the setting the feature is connected to * @param string $confkey the confkey counterpart for the $dbkey as used in the - * Configuration class + * Configuration class * @param bool $po whether the objectClass with most result entries - * shall be pre-selected via the result + * shall be pre-selected via the result * @return array list of found items. * @throws \Exception */ @@ -1242,7 +1201,7 @@ class Wizard extends LDAPUtility { } $p = 'objectclass='; foreach ($objectclasses as $key => $value) { - $objectclasses[$key] = $p.$value; + $objectclasses[$key] = $p . $value; } $maxEntryObjC = ''; @@ -1250,8 +1209,8 @@ class Wizard extends LDAPUtility { //When looking for objectclasses, testing few entries is sufficient, $dig = 3; - $availableFeatures = - $this->cumulativeSearchOnAttribute($objectclasses, $attr, + $availableFeatures + = $this->cumulativeSearchOnAttribute($objectclasses, $attr, $dig, $maxEntryObjC); if (is_array($availableFeatures) && count($availableFeatures) > 0) { @@ -1283,7 +1242,7 @@ class Wizard extends LDAPUtility { * @param string $attribute the attribute values to look for * @param array &$known new values will be appended here * @return int state on of the class constants LRESULT_PROCESSED_OK, - * LRESULT_PROCESSED_INVALID or LRESULT_PROCESSED_SKIP + * LRESULT_PROCESSED_INVALID or LRESULT_PROCESSED_SKIP */ private function getAttributeValuesFromEntry(array $result, string $attribute, array &$known): int { if (!isset($result['count']) @@ -1292,7 +1251,7 @@ class Wizard extends LDAPUtility { } // strtolower on all keys for proper comparison - $result = \OCP\Util::mb_array_change_key_case($result); + $result = Util::mb_array_change_key_case($result); $attribute = strtolower($attribute); if (isset($result[$attribute])) { foreach ($result[$attribute] as $key => $val) { @@ -1310,9 +1269,9 @@ class Wizard extends LDAPUtility { } /** - * @return resource|\LDAP\Connection|false a link resource on success, otherwise false + * @return \LDAP\Connection|false a link resource on success, otherwise false */ - private function getConnection() { + private function getConnection(): \LDAP\Connection|false { if (!is_null($this->cr)) { return $this->cr; } @@ -1329,7 +1288,7 @@ class Wizard extends LDAPUtility { $this->ldap->setOption($cr, LDAP_OPT_PROTOCOL_VERSION, 3); $this->ldap->setOption($cr, LDAP_OPT_REFERRALS, 0); $this->ldap->setOption($cr, LDAP_OPT_NETWORK_TIMEOUT, self::LDAP_NW_TIMEOUT); - if ($this->configuration->ldapTLS === 1) { + if ($this->configuration->ldapTLS) { $this->ldap->startTls($cr); } @@ -1344,6 +1303,9 @@ class Wizard extends LDAPUtility { return false; } + /** + * @return array<array{port:int,tls:bool}> + */ private function getDefaultLdapPortSettings(): array { static $settings = [ ['port' => 7636, 'tls' => false], @@ -1356,6 +1318,9 @@ class Wizard extends LDAPUtility { return $settings; } + /** + * @return array<array{port:int,tls:bool}> + */ private function getPortSettingsToTry(): array { //389 ← LDAP / Unencrypted or StartTLS //636 ← LDAPS / SSL @@ -1374,7 +1339,7 @@ class Wizard extends LDAPUtility { } $portSettings[] = ['port' => $port, 'tls' => false]; } elseif ($this->configuration->usesLdapi()) { - $portSettings[] = ['port' => '', 'tls' => false]; + $portSettings[] = ['port' => 0, 'tls' => false]; } //default ports diff --git a/apps/user_ldap/lib/WizardResult.php b/apps/user_ldap/lib/WizardResult.php index 0f8d9f46fdd..d6fd67d4204 100644 --- a/apps/user_ldap/lib/WizardResult.php +++ b/apps/user_ldap/lib/WizardResult.php @@ -1,29 +1,9 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\User_LDAP; @@ -40,7 +20,7 @@ class WizardResult { $this->changes[$key] = $value; } - + public function markChange() { $this->markedChange = true; } |