summaryrefslogtreecommitdiffstats
path: root/apps/user_ldap
diff options
context:
space:
mode:
Diffstat (limited to 'apps/user_ldap')
-rw-r--r--apps/user_ldap/appinfo/info.xml1
-rw-r--r--apps/user_ldap/composer/composer/ClassLoader.php2
-rw-r--r--apps/user_ldap/composer/composer/autoload_classmap.php1
-rw-r--r--apps/user_ldap/composer/composer/autoload_static.php1
-rw-r--r--apps/user_ldap/composer/composer/installed.php4
-rw-r--r--apps/user_ldap/lib/Access.php2
-rw-r--r--apps/user_ldap/lib/Command/UpdateUUID.php374
-rw-r--r--apps/user_ldap/lib/Jobs/CleanUp.php40
-rw-r--r--apps/user_ldap/lib/Mapping/AbstractMapping.php57
-rw-r--r--apps/user_ldap/lib/Migration/Version1130Date20211102154716.php103
-rw-r--r--apps/user_ldap/tests/Mapping/AbstractMappingTest.php2
11 files changed, 531 insertions, 56 deletions
diff --git a/apps/user_ldap/appinfo/info.xml b/apps/user_ldap/appinfo/info.xml
index 57b5fe478b6..2dae4845241 100644
--- a/apps/user_ldap/appinfo/info.xml
+++ b/apps/user_ldap/appinfo/info.xml
@@ -56,6 +56,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
<command>OCA\User_LDAP\Command\ShowConfig</command>
<command>OCA\User_LDAP\Command\ShowRemnants</command>
<command>OCA\User_LDAP\Command\TestConfig</command>
+ <command>OCA\User_LDAP\Command\UpdateUUID</command>
</commands>
<settings>
diff --git a/apps/user_ldap/composer/composer/ClassLoader.php b/apps/user_ldap/composer/composer/ClassLoader.php
index 0cd6055d1b7..afef3fa2ad8 100644
--- a/apps/user_ldap/composer/composer/ClassLoader.php
+++ b/apps/user_ldap/composer/composer/ClassLoader.php
@@ -149,7 +149,7 @@ class ClassLoader
/**
* @return string[] Array of classname => path
- * @psalm-var array<string, string>
+ * @psalm-return array<string, string>
*/
public function getClassMap()
{
diff --git a/apps/user_ldap/composer/composer/autoload_classmap.php b/apps/user_ldap/composer/composer/autoload_classmap.php
index ed8d535a6c5..cffb2aaa9fe 100644
--- a/apps/user_ldap/composer/composer/autoload_classmap.php
+++ b/apps/user_ldap/composer/composer/autoload_classmap.php
@@ -20,6 +20,7 @@ return array(
'OCA\\User_LDAP\\Command\\ShowConfig' => $baseDir . '/../lib/Command/ShowConfig.php',
'OCA\\User_LDAP\\Command\\ShowRemnants' => $baseDir . '/../lib/Command/ShowRemnants.php',
'OCA\\User_LDAP\\Command\\TestConfig' => $baseDir . '/../lib/Command/TestConfig.php',
+ 'OCA\\User_LDAP\\Command\\UpdateUUID' => $baseDir . '/../lib/Command/UpdateUUID.php',
'OCA\\User_LDAP\\Configuration' => $baseDir . '/../lib/Configuration.php',
'OCA\\User_LDAP\\Connection' => $baseDir . '/../lib/Connection.php',
'OCA\\User_LDAP\\ConnectionFactory' => $baseDir . '/../lib/ConnectionFactory.php',
diff --git a/apps/user_ldap/composer/composer/autoload_static.php b/apps/user_ldap/composer/composer/autoload_static.php
index 9ce20914307..5928ff78ef0 100644
--- a/apps/user_ldap/composer/composer/autoload_static.php
+++ b/apps/user_ldap/composer/composer/autoload_static.php
@@ -35,6 +35,7 @@ class ComposerStaticInitUser_LDAP
'OCA\\User_LDAP\\Command\\ShowConfig' => __DIR__ . '/..' . '/../lib/Command/ShowConfig.php',
'OCA\\User_LDAP\\Command\\ShowRemnants' => __DIR__ . '/..' . '/../lib/Command/ShowRemnants.php',
'OCA\\User_LDAP\\Command\\TestConfig' => __DIR__ . '/..' . '/../lib/Command/TestConfig.php',
+ 'OCA\\User_LDAP\\Command\\UpdateUUID' => __DIR__ . '/..' . '/../lib/Command/UpdateUUID.php',
'OCA\\User_LDAP\\Configuration' => __DIR__ . '/..' . '/../lib/Configuration.php',
'OCA\\User_LDAP\\Connection' => __DIR__ . '/..' . '/../lib/Connection.php',
'OCA\\User_LDAP\\ConnectionFactory' => __DIR__ . '/..' . '/../lib/ConnectionFactory.php',
diff --git a/apps/user_ldap/composer/composer/installed.php b/apps/user_ldap/composer/composer/installed.php
index f84b9c452e8..5e942064485 100644
--- a/apps/user_ldap/composer/composer/installed.php
+++ b/apps/user_ldap/composer/composer/installed.php
@@ -5,7 +5,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => '6b960de47cabaa7a231e72479012ba4dcbc2e882',
+ 'reference' => '9915dc6785d1660068a51604f9379e8b1dc1418c',
'name' => '__root__',
'dev' => false,
),
@@ -16,7 +16,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => '6b960de47cabaa7a231e72479012ba4dcbc2e882',
+ 'reference' => '9915dc6785d1660068a51604f9379e8b1dc1418c',
'dev_requirement' => false,
),
),
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 093449ee0ea..65087040cc4 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1792,7 +1792,7 @@ class Access extends LDAPUtility {
* @param string $dn
* @param bool $isUser
* @param null $ldapRecord
- * @return bool|string
+ * @return false|string
* @throws ServerNotAvailableException
*/
public function getUUID($dn, $isUser = true, $ldapRecord = null) {
diff --git a/apps/user_ldap/lib/Command/UpdateUUID.php b/apps/user_ldap/lib/Command/UpdateUUID.php
new file mode 100644
index 00000000000..716bc2d0563
--- /dev/null
+++ b/apps/user_ldap/lib/Command/UpdateUUID.php
@@ -0,0 +1,374 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
+ * @author Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\Command;
+
+use OCA\User_LDAP\Access;
+use OCA\User_LDAP\Group_Proxy;
+use OCA\User_LDAP\Mapping\AbstractMapping;
+use OCA\User_LDAP\Mapping\GroupMapping;
+use OCA\User_LDAP\Mapping\UserMapping;
+use OCA\User_LDAP\User_Proxy;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\ProgressBar;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use function sprintf;
+
+class UuidUpdateReport {
+ const UNCHANGED = 0;
+ const UNKNOWN = 1;
+ const UNREADABLE = 2;
+ const UPDATED = 3;
+ const UNWRITABLE = 4;
+ const UNMAPPED = 5;
+
+ public $id = '';
+ public $dn = '';
+ public $isUser = true;
+ public $state = self::UNCHANGED;
+ public $oldUuid = '';
+ public $newUuid = '';
+
+ public function __construct(string $id, string $dn, bool $isUser, int $state, string $oldUuid = '', string $newUuid = '') {
+ $this->id = $id;
+ $this->dn = $dn;
+ $this->isUser = $isUser;
+ $this->state = $state;
+ $this->oldUuid = $oldUuid;
+ $this->newUuid = $newUuid;
+ }
+}
+
+class UpdateUUID extends Command {
+ /** @var UserMapping */
+ private $userMapping;
+ /** @var GroupMapping */
+ private $groupMapping;
+ /** @var User_Proxy */
+ private $userProxy;
+ /** @var Group_Proxy */
+ private $groupProxy;
+ /** @var array<UuidUpdateReport[]> */
+ protected $reports = [];
+ /** @var LoggerInterface */
+ private $logger;
+ /** @var bool */
+ private $dryRun = false;
+
+ public function __construct(UserMapping $userMapping, GroupMapping $groupMapping, User_Proxy $userProxy, Group_Proxy $groupProxy, LoggerInterface $logger) {
+ $this->userMapping = $userMapping;
+ $this->groupMapping = $groupMapping;
+ $this->userProxy = $userProxy;
+ $this->groupProxy = $groupProxy;
+ $this->logger = $logger;
+ $this->reports = [
+ UuidUpdateReport::UPDATED => [],
+ UuidUpdateReport::UNKNOWN => [],
+ UuidUpdateReport::UNREADABLE => [],
+ UuidUpdateReport::UNWRITABLE => [],
+ UuidUpdateReport::UNMAPPED => [],
+ ];
+ parent::__construct();
+ }
+
+ protected function configure(): void {
+ $this
+ ->setName('ldap:update-uuid')
+ ->setDescription('Attempts to update UUIDs of user and group entries. By default, the command attempts to update UUIDs that have been invalidated by a migration step.')
+ ->addOption(
+ 'all',
+ null,
+ InputOption::VALUE_NONE,
+ 'updates every user and group. All other options are ignored.'
+ )
+ ->addOption(
+ 'userId',
+ null,
+ InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
+ 'a user ID to update'
+ )
+ ->addOption(
+ 'groupId',
+ null,
+ InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
+ 'a group ID to update'
+ )
+ ->addOption(
+ 'dn',
+ null,
+ InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
+ 'a DN to update'
+ )
+ ->addOption(
+ 'dry-run',
+ null,
+ InputOption::VALUE_NONE,
+ 'UUIDs will not be updated in the database'
+ )
+ ;
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output): int {
+ $this->dryRun = $input->getOption('dry-run');
+ $entriesToUpdate = $this->estimateNumberOfUpdates($input);
+ $progress = new ProgressBar($output);
+ $progress->start($entriesToUpdate);
+ foreach($this->handleUpdates($input) as $_) {
+ $progress->advance();
+ }
+ $progress->finish();
+ $output->writeln('');
+ $this->printReport($output);
+ return count($this->reports[UuidUpdateReport::UNMAPPED]) === 0
+ && count($this->reports[UuidUpdateReport::UNREADABLE]) === 0
+ && count($this->reports[UuidUpdateReport::UNWRITABLE]) === 0
+ ? 0
+ : 1;
+ }
+
+ protected function printReport(OutputInterface $output): void {
+ if ($output->isQuiet()) {
+ return;
+ }
+
+ if (count($this->reports[UuidUpdateReport::UPDATED]) === 0) {
+ $output->writeln('<info>No record was updated.</info>');
+ } else {
+ $output->writeln(sprintf('<info>%d record(s) were updated.</info>', count($this->reports[UuidUpdateReport::UPDATED])));
+ if ($output->isVerbose()) {
+ /** @var UuidUpdateReport $report */
+ foreach ($this->reports[UuidUpdateReport::UPDATED] as $report) {
+ $output->writeln(sprintf(' %s had their old UUID %s updated to %s', $report->id, $report->oldUuid, $report->newUuid));
+ }
+ $output->writeln('');
+ }
+ }
+
+ if (count($this->reports[UuidUpdateReport::UNMAPPED]) > 0) {
+ $output->writeln(sprintf('<error>%d provided IDs were not mapped. These were:</error>', count($this->reports[UuidUpdateReport::UNMAPPED])));
+ /** @var UuidUpdateReport $report */
+ foreach ($this->reports[UuidUpdateReport::UNMAPPED] as $report) {
+ if (!empty($report->id)) {
+ $output->writeln(sprintf(' %s: %s',
+ $report->isUser ? 'User' : 'Group', $report->id));
+ } else if (!empty($report->dn)) {
+ $output->writeln(sprintf(' DN: %s', $report->dn));
+ }
+ }
+ $output->writeln('');
+ }
+
+ if (count($this->reports[UuidUpdateReport::UNKNOWN]) > 0) {
+ $output->writeln(sprintf('<info>%d provided IDs were unknown on LDAP.</info>', count($this->reports[UuidUpdateReport::UNKNOWN])));
+ if ($output->isVerbose()) {
+ /** @var UuidUpdateReport $report */
+ foreach ($this->reports[UuidUpdateReport::UNKNOWN] as $report) {
+ $output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id));
+ }
+ $output->writeln(PHP_EOL . 'Old users can be removed along with their data per occ user:delete.' . PHP_EOL);
+ }
+ }
+
+ if (count($this->reports[UuidUpdateReport::UNREADABLE]) > 0) {
+ $output->writeln(sprintf('<error>For %d records, the UUID could not be read. Double-check your configuration.</error>', count($this->reports[UuidUpdateReport::UNREADABLE])));
+ if ($output->isVerbose()) {
+ /** @var UuidUpdateReport $report */
+ foreach ($this->reports[UuidUpdateReport::UNREADABLE] as $report) {
+ $output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id));
+ }
+ }
+ }
+
+ if (count($this->reports[UuidUpdateReport::UNWRITABLE]) > 0) {
+ $output->writeln(sprintf('<error>For %d records, the UUID could not be saved to database. Double-check your configuration.</error>', count($this->reports[UuidUpdateReport::UNWRITABLE])));
+ if ($output->isVerbose()) {
+ /** @var UuidUpdateReport $report */
+ foreach ($this->reports[UuidUpdateReport::UNWRITABLE] as $report) {
+ $output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id));
+ }
+ }
+ }
+ }
+
+ protected function handleUpdates(InputInterface $input): \Generator {
+ if ($input->getOption('all')) {
+ foreach($this->handleMappingBasedUpdates(false) as $_) {
+ yield;
+ }
+ } else if ($input->getOption('userId')
+ || $input->getOption('groupId')
+ || $input->getOption('dn')
+ ) {
+ foreach($this->handleUpdatesByUserId($input->getOption('userId')) as $_) {
+ yield;
+ }
+ foreach($this->handleUpdatesByGroupId($input->getOption('groupId')) as $_) {
+ yield;
+ }
+ foreach($this->handleUpdatesByDN($input->getOption('dn')) as $_) {
+ yield;
+ }
+ } else {
+ foreach($this->handleMappingBasedUpdates(true) as $_) {
+ yield;
+ }
+ }
+ }
+
+ protected function handleUpdatesByUserId(array $userIds): \Generator {
+ foreach($this->handleUpdatesByEntryId($userIds, $this->userMapping) as $_) {
+ yield;
+ }
+ }
+
+ protected function handleUpdatesByGroupId(array $groupIds): \Generator {
+ foreach($this->handleUpdatesByEntryId($groupIds, $this->groupMapping) as $_) {
+ yield;
+ }
+ }
+
+ protected function handleUpdatesByDN(array $dns): \Generator {
+ $userList = $groupList = [];
+ while ($dn = array_pop($dns)) {
+ $uuid = $this->userMapping->getUUIDByDN($dn);
+ if ($uuid) {
+ $id = $this->userMapping->getNameByDN($dn);
+ $userList[] = ['name' => $id, 'uuid' => $uuid];
+ continue;
+ }
+ $uuid = $this->groupMapping->getUUIDByDN($dn);
+ if ($uuid) {
+ $id = $this->groupMapping->getNameByDN($dn);
+ $groupList[] = ['name' => $id, 'uuid' => $uuid];
+ continue;
+ }
+ $this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport('', $dn, true, UuidUpdateReport::UNMAPPED);
+ yield;
+ }
+ foreach($this->handleUpdatesByList($this->userMapping, $userList) as $_) {
+ yield;
+ }
+ foreach($this->handleUpdatesByList($this->groupMapping, $groupList) as $_) {
+ yield;
+ }
+ }
+
+ protected function handleUpdatesByEntryId(array $ids, AbstractMapping $mapping): \Generator {
+ $isUser = $mapping instanceof UserMapping;
+ $list = [];
+ while ($id = array_pop($ids)) {
+ if(!$dn = $mapping->getDNByName($id)) {
+ $this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport($id, '', $isUser, UuidUpdateReport::UNMAPPED);
+ yield;
+ continue;
+ }
+ // Since we know it was mapped the UUID is populated
+ $uuid = $mapping->getUUIDByDN($dn);
+ $list[] = ['name' => $id, 'uuid' => $uuid];
+ }
+ foreach($this->handleUpdatesByList($mapping, $list) as $_) {
+ yield;
+ }
+ }
+
+ protected function handleMappingBasedUpdates(bool $invalidatedOnly): \Generator {
+ $limit = 1000;
+ /** @var AbstractMapping $mapping*/
+ foreach([$this->userMapping, $this->groupMapping] as $mapping) {
+ $offset = 0;
+ do {
+ $list = $mapping->getList($offset, $limit, $invalidatedOnly);
+ $offset += $limit;
+
+ foreach($this->handleUpdatesByList($mapping, $list) as $tick) {
+ yield; // null, for it only advances progress counter
+ }
+ } while (count($list) === $limit);
+ }
+ }
+
+ protected function handleUpdatesByList(AbstractMapping $mapping, array $list): \Generator {
+ if ($mapping instanceof UserMapping) {
+ $isUser = true;
+ $backendProxy = $this->userProxy;
+ } else {
+ $isUser = false;
+ $backendProxy = $this->groupProxy;
+ }
+
+ foreach ($list as $row) {
+ $access = $backendProxy->getLDAPAccess($row['name']);
+ if ($access instanceof Access
+ && $dn = $mapping->getDNByName($row['name']))
+ {
+ if ($uuid = $access->getUUID($dn, $isUser)) {
+ if ($uuid !== $row['uuid']) {
+ if ($this->dryRun || $mapping->setUUIDbyDN($uuid, $dn)) {
+ $this->reports[UuidUpdateReport::UPDATED][]
+ = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UPDATED, $row['uuid'], $uuid);
+ } else {
+ $this->reports[UuidUpdateReport::UNWRITABLE][]
+ = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UNWRITABLE, $row['uuid'], $uuid);
+ }
+ $this->logger->info('UUID of {id} was updated from {from} to {to}',
+ [
+ 'appid' => 'user_ldap',
+ 'id' => $row['name'],
+ 'from' => $row['uuid'],
+ 'to' => $uuid,
+ ]
+ );
+ }
+ } else {
+ $this->reports[UuidUpdateReport::UNREADABLE][] = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UNREADABLE);
+ }
+ } else {
+ $this->reports[UuidUpdateReport::UNKNOWN][] = new UuidUpdateReport($row['name'], '', $isUser, UuidUpdateReport::UNKNOWN);
+ }
+ yield; // null, for it only advances progress counter
+ }
+ }
+
+ protected function estimateNumberOfUpdates(InputInterface $input): int {
+ if ($input->getOption('all')) {
+ return $this->userMapping->count() + $this->groupMapping->count();
+ } else if ($input->getOption('userId')
+ || $input->getOption('groupId')
+ || $input->getOption('dn')
+ ) {
+ return count($input->getOption('userId'))
+ + count($input->getOption('groupId'))
+ + count($input->getOption('dn'));
+ } else {
+ return $this->userMapping->countInvalidated() + $this->groupMapping->countInvalidated();
+ }
+ }
+
+}
diff --git a/apps/user_ldap/lib/Jobs/CleanUp.php b/apps/user_ldap/lib/Jobs/CleanUp.php
index ee6879d452f..1fb423b5faf 100644
--- a/apps/user_ldap/lib/Jobs/CleanUp.php
+++ b/apps/user_ldap/lib/Jobs/CleanUp.php
@@ -40,7 +40,7 @@ use OCA\User_LDAP\User_Proxy;
* @package OCA\User_LDAP\Jobs;
*/
class CleanUp extends TimedJob {
- /** @var int $limit amount of users that should be checked per run */
+ /** @var ?int $limit amount of users that should be checked per run */
protected $limit;
/** @var int $defaultIntervalMin default interval in minutes */
@@ -76,7 +76,7 @@ class CleanUp extends TimedJob {
* assigns the instances passed to run() to the class properties
* @param array $arguments
*/
- public function setArguments($arguments) {
+ public function setArguments($arguments): void {
//Dependency Injection is not possible, because the constructor will
//only get values that are serialized to JSON. I.e. whatever we would
//pass in app.php we do add here, except something else is passed e.g.
@@ -119,19 +119,13 @@ class CleanUp extends TimedJob {
* makes the background job do its work
* @param array $argument
*/
- public function run($argument) {
+ public function run($argument): void {
$this->setArguments($argument);
if (!$this->isCleanUpAllowed()) {
return;
}
$users = $this->mapping->getList($this->getOffset(), $this->getChunkSize());
- if (!is_array($users)) {
- //something wrong? Let's start from the beginning next time and
- //abort
- $this->setOffset(true);
- return;
- }
$resetOffset = $this->isOffsetResetNecessary(count($users));
$this->checkUsers($users);
$this->setOffset($resetOffset);
@@ -139,18 +133,15 @@ class CleanUp extends TimedJob {
/**
* checks whether next run should start at 0 again
- * @param int $resultCount
- * @return bool
*/
- public function isOffsetResetNecessary($resultCount) {
+ public function isOffsetResetNecessary(int $resultCount): bool {
return $resultCount < $this->getChunkSize();
}
/**
* checks whether cleaning up LDAP users is allowed
- * @return bool
*/
- public function isCleanUpAllowed() {
+ public function isCleanUpAllowed(): bool {
try {
if ($this->ldapHelper->haveDisabledConfigurations()) {
return false;
@@ -164,9 +155,8 @@ class CleanUp extends TimedJob {
/**
* checks whether clean up is enabled by configuration
- * @return bool
*/
- private function isCleanUpEnabled() {
+ private function isCleanUpEnabled(): bool {
return (bool)$this->ocConfig->getSystemValue(
'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
}
@@ -175,7 +165,7 @@ class CleanUp extends TimedJob {
* checks users whether they are still existing
* @param array $users result from getMappedUsers()
*/
- private function checkUsers(array $users) {
+ private function checkUsers(array $users): void {
foreach ($users as $user) {
$this->checkUser($user);
}
@@ -185,7 +175,7 @@ class CleanUp extends TimedJob {
* checks whether a user is still existing in LDAP
* @param string[] $user
*/
- private function checkUser(array $user) {
+ private function checkUser(array $user): void {
if ($this->userBackend->userExistsOnLDAP($user['name'])) {
//still available, all good
@@ -197,29 +187,27 @@ class CleanUp extends TimedJob {
/**
* gets the offset to fetch users from the mappings table
- * @return int
*/
- private function getOffset() {
- return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0);
+ private function getOffset(): int {
+ return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', '0');
}
/**
* sets the new offset for the next run
* @param bool $reset whether the offset should be set to 0
*/
- public function setOffset($reset = false) {
+ public function setOffset(bool $reset = false): void {
$newOffset = $reset ? 0 :
$this->getOffset() + $this->getChunkSize();
- $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset);
+ $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', (string)$newOffset);
}
/**
* returns the chunk size (limit in DB speak)
- * @return int
*/
- public function getChunkSize() {
+ public function getChunkSize(): int {
if ($this->limit === null) {
- $this->limit = (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobChunkSize', 50);
+ $this->limit = (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobChunkSize', '50');
}
return $this->limit;
}
diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php
index 1d3e1a221f7..16973f76ff4 100644
--- a/apps/user_ldap/lib/Mapping/AbstractMapping.php
+++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php
@@ -175,7 +175,7 @@ abstract class AbstractMapping {
* @param $fdn
* @return bool
*/
- public function setUUIDbyDN($uuid, $fdn) {
+ public function setUUIDbyDN($uuid, $fdn): bool {
$statement = $this->dbc->prepare('
UPDATE `' . $this->getTableName() . '`
SET `directory_uuid` = ?
@@ -329,26 +329,24 @@ abstract class AbstractMapping {
return $this->getXbyY('directory_uuid', 'ldap_dn_hash', $this->getDNHash($dn));
}
- /**
- * gets a piece of the mapping list
- *
- * @param int $offset
- * @param int $limit
- * @return array
- */
- public function getList($offset = null, $limit = null) {
- $query = $this->dbc->prepare('
- SELECT
- `ldap_dn` AS `dn`,
- `owncloud_name` AS `name`,
- `directory_uuid` AS `uuid`
- FROM `' . $this->getTableName() . '`',
- $limit,
- $offset
- );
-
- $query->execute();
- return $query->fetchAll();
+ public function getList(int $offset = 0, int $limit = null, bool $invalidatedOnly = false): array {
+ $select = $this->dbc->getQueryBuilder();
+ $select->selectAlias('ldap_dn', 'dn')
+ ->selectAlias('owncloud_name', 'name')
+ ->selectAlias('directory_uuid', 'uuid')
+ ->from($this->getTableName())
+ ->setMaxResults($limit)
+ ->setFirstResult($offset);
+
+ if ($invalidatedOnly) {
+ $select->where($select->expr()->like('directory_uuid', $select->createNamedParameter('invalidated_%')));
+ }
+
+ $result = $select->executeQuery();
+ $entries = $result->fetchAll();
+ $result->closeCursor();
+
+ return $entries;
}
/**
@@ -458,13 +456,24 @@ abstract class AbstractMapping {
*
* @return int
*/
- public function count() {
- $qb = $this->dbc->getQueryBuilder();
- $query = $qb->select($qb->func()->count('ldap_dn_hash'))
+ public function count(): int {
+ $query = $this->dbc->getQueryBuilder();
+ $query->select($query->func()->count('ldap_dn_hash'))
->from($this->getTableName());
$res = $query->execute();
$count = $res->fetchOne();
$res->closeCursor();
return (int)$count;
}
+
+ public function countInvalidated(): int {
+ $query = $this->dbc->getQueryBuilder();
+ $query->select($query->func()->count('ldap_dn_hash'))
+ ->from($this->getTableName())
+ ->where($query->expr()->like('directory_uuid', $query->createNamedParameter('invalidated_%')));
+ $res = $query->execute();
+ $count = $res->fetchOne();
+ $res->closeCursor();
+ return (int)$count;
+ }
}
diff --git a/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php
index 8695f90ca65..27f5f5ce504 100644
--- a/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php
+++ b/apps/user_ldap/lib/Migration/Version1130Date20211102154716.php
@@ -27,6 +27,7 @@ declare(strict_types=1);
namespace OCA\User_LDAP\Migration;
use Closure;
+use Generator;
use OCP\DB\Exception;
use OCP\DB\ISchemaWrapper;
use OCP\DB\QueryBuilder\IQueryBuilder;
@@ -52,6 +53,23 @@ class Version1130Date20211102154716 extends SimpleMigrationStep {
return 'Adjust LDAP user and group ldap_dn column lengths and add ldap_dn_hash columns';
}
+ public function preSchemaChange(IOutput $output, \Closure $schemaClosure, array $options) {
+ foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) {
+ $this->processDuplicateUUIDs($tableName);
+ }
+
+ /** @var ISchemaWrapper $schema */
+ $schema = $schemaClosure();
+ if ($schema->hasTable('ldap_group_mapping_backup')) {
+ // Previous upgrades of a broken release might have left an incomplete
+ // ldap_group_mapping_backup table. No need to recreate, but it
+ // should be empty.
+ // TRUNCATE is not available from Query Builder, but faster than DELETE FROM.
+ $sql = $this->dbc->getDatabasePlatform()->getTruncateTableSQL('ldap_group_mapping_backup', false);
+ $this->dbc->executeStatement($sql);
+ }
+ }
+
/**
* @param IOutput $output
* @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
@@ -91,7 +109,7 @@ class Version1130Date20211102154716 extends SimpleMigrationStep {
$table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid');
$changeSchema = true;
}
- } else {
+ } else if (!$schema->hasTable('ldap_group_mapping_backup')) {
// We need to copy the table twice to be able to change primary key, prepare the backup table
$table2 = $schema->createTable('ldap_group_mapping_backup');
$table2->addColumn('ldap_dn', Types::STRING, [
@@ -172,4 +190,87 @@ class Version1130Date20211102154716 extends SimpleMigrationStep {
->where($qb->expr()->eq('owncloud_name', $qb->createParameter('name')));
return $qb;
}
+
+ /**
+ * @throws Exception
+ */
+ protected function processDuplicateUUIDs(string $table): void {
+ $uuids = $this->getDuplicatedUuids($table);
+ $idsWithUuidToInvalidate = [];
+ foreach ($uuids as $uuid) {
+ array_push($idsWithUuidToInvalidate, ...$this->getNextcloudIdsByUuid($table, $uuid));
+ }
+ $this->invalidateUuids($table, $idsWithUuidToInvalidate);
+ }
+
+ /**
+ * @throws Exception
+ */
+ protected function invalidateUuids(string $table, array $idList): void {
+ $update = $this->dbc->getQueryBuilder();
+ $update->update($table)
+ ->set('directory_uuid', $update->createParameter('invalidatedUuid'))
+ ->where($update->expr()->eq('owncloud_name', $update->createParameter('nextcloudId')));
+
+ while ($nextcloudId = array_shift($idList)) {
+ $update->setParameter('nextcloudId', $nextcloudId);
+ $update->setParameter('invalidatedUuid', 'invalidated_' . \bin2hex(\random_bytes(6)));
+ try {
+ $update->executeStatement();
+ $this->logger->warning(
+ 'LDAP user or group with ID {nid} has a duplicated UUID value which therefore was invalidated. You may double-check your LDAP configuration and trigger an update of the UUID.',
+ [
+ 'app' => 'user_ldap',
+ 'nid' => $nextcloudId,
+ ]
+ );
+ } catch (Exception $e) {
+ // Catch possible, but unlikely duplications if new invalidated errors.
+ // There is the theoretical chance of an infinity loop is, when
+ // the constraint violation has a different background. I cannot
+ // think of one at the moment.
+ if ($e->getReason() !== Exception::REASON_CONSTRAINT_VIOLATION) {
+ throw $e;
+ }
+ $idList[] = $nextcloudId;
+ }
+ }
+ }
+
+ /**
+ * @throws \OCP\DB\Exception
+ * @return array<string>
+ */
+ protected function getNextcloudIdsByUuid(string $table, string $uuid): array {
+ $select = $this->dbc->getQueryBuilder();
+ $select->select('owncloud_name')
+ ->from($table)
+ ->where($select->expr()->eq('directory_uuid', $select->createNamedParameter($uuid)));
+
+ $result = $select->executeQuery();
+ $idList = [];
+ while ($id = $result->fetchOne()) {
+ $idList[] = $id;
+ }
+ $result->closeCursor();
+ return $idList;
+ }
+
+ /**
+ * @return Generator<string>
+ * @throws \OCP\DB\Exception
+ */
+ protected function getDuplicatedUuids(string $table): Generator{
+ $select = $this->dbc->getQueryBuilder();
+ $select->select('directory_uuid')
+ ->from($table)
+ ->groupBy('directory_uuid')
+ ->having($select->expr()->gt($select->func()->count('owncloud_name'), $select->createNamedParameter(1)));
+
+ $result = $select->executeQuery();
+ while ($uuid = $result->fetchOne()) {
+ yield $uuid;
+ }
+ $result->closeCursor();
+ }
}
diff --git a/apps/user_ldap/tests/Mapping/AbstractMappingTest.php b/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
index 9c25b1d9af6..0d21172445f 100644
--- a/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
+++ b/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
@@ -276,7 +276,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
$this->assertSame(count($data) - 1, count($results));
// get first 2 entries by limit, but not offset
- $results = $mapper->getList(null, 2);
+ $results = $mapper->getList(0, 2);
$this->assertSame(2, count($results));
// get 2nd entry by specifying both offset and limit