From f3bd2667877b50c6e08d796a70f4bf4687fab05c Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Mon, 17 Nov 2014 16:30:50 +0100 Subject: Backport of #13740 inlcude AD primary group in user filter, if a group is selected. fixes #12190 fix counting of users in primary group :lipstick: adept to OC 7 and escape the search term Conflicts: apps/user_ldap/lib/connection.php --- apps/user_ldap/group_ldap.php | 91 ++++++++++++++++++++++++++++--------- apps/user_ldap/lib/access.php | 2 +- apps/user_ldap/lib/connection.php | 3 ++ apps/user_ldap/lib/wizard.php | 14 +++++- apps/user_ldap/tests/group_ldap.php | 7 ++- 5 files changed, 91 insertions(+), 26 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index cba19f3791c..94aa53b8506 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php 
@@ -249,32 +249,75 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } /** - * returns a list of users that have the given group as primary group + * returns a filter for a "users in primary group" search or count operation * * @param string $groupDN - * @param $limit - * @param int $offset - * @return string[] + * @param string $search + * @return string + * @throws \Exception */ - public function getUsersInPrimaryGroup($groupDN, $limit = -1, $offset = 0) { + private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') { $groupID = $this->getGroupPrimaryGroupID($groupDN); if($groupID === false) { - return array(); + throw new \Exception('Not a valid group'); } - $filter = $this->access->combineFilterWithAnd(array( - $this->access->connection->ldapUserFilter, - 'primaryGroupID=' . $groupID - )); + $filterParts = []; + // part for counting users (see countUsers in user backend) + // it is consolidated in OC 8. No big changes for OC 7. + $filterParts[] = \OCP\Util::mb_str_replace( + '%uid', '*', $this->access->connection->ldapLoginFilter, 'UTF-8'); + if(!empty($search)) { + $search = $this->access->escapeFilterPart($search, true); + $filterParts[] = $this->access->getFilterPartForUserSearch($search); + } + $filterParts[] = 'primaryGroupID=' . 
$groupID; + + $filter = $this->access->combineFilterWithAnd($filterParts); - $users = $this->access->fetchListOfUsers( - $filter, - array($this->access->connection->ldapUserDisplayName, 'dn'), - $limit, - $offset - ); + return $filter; + } + + /** + * returns a list of users that have the given group as primary group + * + * @param string $groupDN + * @param string $search + * @param int $limit + * @param int $offset + * @return string[] + */ + public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) { + try { + $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); + return $this->access->fetchListOfUsers( + $filter, + array($this->access->connection->ldapUserDisplayName, 'dn'), + $limit, + $offset + ); + } catch (\Exception $e) { + return array(); + } + } - return $users; + /** + * returns the number of users that have the given group as primary group + * + * @param string $groupDN + * @param string $search + * @param int $limit + * @param int $offset + * @return int + */ + public function countUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) { + try { + $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); + $users = $this->access->countUsers($filter, array('dn'), $limit, $offset); + return (int)$users; + } catch (\Exception $e) { + return 0; + } } /** @@ -405,6 +448,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { if(!$this->groupExists($gid)) { return array(); } + $search = $this->access->escapeFilterPart($search, true); $cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset; // check for cache of the exact query $groupUsers = $this->access->connection->getFromCache($cacheKey); 
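Review bot: `getUsersInPrimaryGroup` and `countUsersInPrimaryGroup` catch every `\Exception`, not only the 'Not a valid group' one thrown by `prepareFilterForUsersInPrimaryGroup`, so an error raised inside `fetchListOfUsers` or `countUsers` would come back as an empty list or `0` with no trace. Callers later in this patch add these results to membership lists and counts and write them to the cache, so a failed lookup can end up stored as "no primary members". I would throw a dedicated exception type for the invalid-group case and catch only that, or at least log before returning, e.g. `\OCP\Util::writeLog('user_ldap', $e->getMessage(), \OCP\Util::DEBUG);`. Separately, `$filterParts = [];` is the only short-array literal in the hunk while the rest uses `array()`; it is worth confirming that the minimum PHP version of the OC 7 branch accepts it.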
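Review bot: The search term is escaped twice on the primary-group path: `usersInGroup` overwrites `$search` with `escapeFilterPart($search, true)` in this hunk and passes it to `getUsersInPrimaryGroup` (hunk at -473), where `prepareFilterForUsersInPrimaryGroup` runs `escapeFilterPart` on it again; `countUsersInGroup` does the same through `countUsersInPrimaryGroup` (hunks at -512 and -557). The body of `escapeFilterPart` is not shown, but if it escapes its own escape character, as a complete filter escaper has to, a term containing `(`, `)`, `*` or `\` matches different literal text on this path than on the regular member search. One layer is enough: because the public `getUsersInPrimaryGroup` and `countUsersInPrimaryGroup` accept a caller-supplied term, I would keep the escape in the helper and hand it the unescaped value, e.g. keep `$rawSearch = $search;` before this line and pass `$rawSearch` in those two calls. `usersInGroup` starts and ends outside this hunk.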
@@ -473,7 +517,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { $groupUsers = array_slice($groupUsers, $offset, $limit); //and get users that have the group as primary - $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $limit, $offset); + $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset); $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); $this->access->connection->writeToCache($cacheKey, $groupUsers); @@ -512,10 +556,13 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } if(empty($search)) { - $groupUsers = count($members); + $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, ''); + $groupUsers = count($members) + $primaryUsers; + $this->access->connection->writeToCache($cacheKey, $groupUsers); return $groupUsers; } + $search = $this->access->escapeFilterPart($search, true); $isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid'); @@ -557,10 +604,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } //and get users that have the group as primary - $primaryUsers = $this->getUsersInPrimaryGroup($groupDN); - $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); + $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search); - return count($groupUsers); + return count($groupUsers) + $primaryUsers; } /** @@ -623,6 +669,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { if(!$this->enabled) { return array(); } + $search = $this->access->escapeFilterPart($search, true); $pagingSize = $this->access->connection->ldapPagingSize; if ((! $this->access->connection->hasPagedResultSupport) || empty($pagingSize)) { diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php index a38f6be00e0..9ed8a0e7b69 100644 --- a/apps/user_ldap/lib/access.php +++ b/apps/user_ldap/lib/access.php 
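Review bot: In the hunk at -557, `count($groupUsers) + $primaryUsers` replaces the earlier `array_unique(array_merge(...))`, so the de-duplication between explicit members and primary-group members is gone. A user returned by both the member lookup and the `primaryGroupID` filter would now be counted twice; the same applies to `count($members) + $primaryUsers` in the hunk at -512. If the directory guarantees the two sets are disjoint, a short comment saying so would help, e.g. `// primary-group users are not listed in the member attribute, so the sets do not overlap`; otherwise the count needs the DNs rather than a number. `countUsersInGroup` starts and ends outside these hunks.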
@@ -1069,7 +1069,7 @@ class Access extends LDAPUtility implements user\IUserTools { /** * escapes (user provided) parts for LDAP filter * @param string $input, the provided value - * @param bool $allowAsterisk wether in * at the beginning should be preserved + * @param bool $allowAsterisk whether in * at the beginning should be preserved * @return string the escaped string */ public function escapeFilterPart($input, $allowAsterisk = false) { diff --git a/apps/user_ldap/lib/connection.php b/apps/user_ldap/lib/connection.php index 34a1cb39f9c..e560c22040d 100644 --- a/apps/user_ldap/lib/connection.php +++ b/apps/user_ldap/lib/connection.php @@ -30,7 +30,10 @@ namespace OCA\user_ldap\lib; * @property string ldapUserFilter * @property string ldapUserDisplayName * @property boolean hasPagedResultSupport + * @property string[] ldapBaseUsers * @property int|string ldapPagingSize holds an integer + * @property string ldapLoginFilter + * @property string ldapGroupMemberAssocAttr */ class Connection extends LDAPUtility { private $ldapConnectionRes = null; diff --git a/apps/user_ldap/lib/wizard.php b/apps/user_ldap/lib/wizard.php index 0480e5b6b64..a2b86843ea5 100644 --- a/apps/user_ldap/lib/wizard.php +++ b/apps/user_ldap/lib/wizard.php 
@@ -804,13 +804,23 @@ class Wizard extends LDAPUtility { } $base = $this->configuration->ldapBase[0]; foreach($cns as $cn) { - $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn')); + $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, array('dn', 'primaryGroupToken')); if(!$this->ldap->isResource($rr)) { continue; } $er = $this->ldap->firstEntry($cr, $rr); + $attrs = $this->ldap->getAttributes($cr, $er); $dn = $this->ldap->getDN($cr, $er); - $filter .= '(memberof=' . $dn . ')'; + if(empty($dn)) { + continue; + } + $filterPart = '(memberof=' . $dn . ')'; + if(isset($attrs['primaryGroupToken'])) { + $pgt = $attrs['primaryGroupToken'][0]; + $primaryFilterPart = '(primaryGroupID=' . $pgt .')'; + $filterPart = '(|' . $filterPart . $primaryFilterPart . ')'; + } + $filter .= $filterPart; } $filter .= ')'; } diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php index 8066bce02e3..b29449d286e 100644 --- a/apps/user_ldap/tests/group_ldap.php +++ b/apps/user_ldap/tests/group_ldap.php @@ -77,10 +77,15 @@ class Test_Group_Ldap extends \PHPUnit_Framework_TestCase { ->method('readAttribute') ->will($this->returnValue(array('u11', 'u22', 'u33', 'u34'))); + // for primary groups + $access->expects($this->once()) + ->method('countUsers') + ->will($this->returnValue(2)); + $groupBackend = new GroupLDAP($access); $users = $groupBackend->countUsersInGroup('group'); - $this->assertSame(4, $users); + $this->assertSame(6, $users); } public function testCountWithSearchString() { -- cgit v1.2.3 From 07988cf77cd8d6a52c5b99ffc4ca1b8a40fa6ea4 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 14 Apr 2015 14:40:37 +0200 Subject: Fixes returns of group memberships and counting if all members have the specific groups as primary set. --- apps/user_ldap/group_ldap.php | 16 ++++----- apps/user_ldap/tests/group_ldap.php | 70 +++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 9 deletions(-) 
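Review bot: `$dn`, `$pgt` and `$cn` are concatenated into the LDAP filter as-is (`'(memberof=' . $dn . ')'`, `'(primaryGroupID=' . $pgt .')'`, `'cn=' . $cn`), so a group whose name or DN contains `(`, `)`, `*` or `\` yields a malformed or differently scoped user filter. These values should go through the same filter escaping this patch applies to search terms (`escapeFilterPart` on Access if it is reachable from Wizard, otherwise an equivalent helper), and `$pgt` can be constrained with an `(int)` cast since it is used as a numeric ID. Also, `getAttributes($cr, $er)` is called before the new `empty($dn)` guard, so when the search matches no entry it runs on whatever `firstEntry` returned; fetching `$dn` and checking it first, then reading the attributes, avoids that. The enclosing method starts and ends outside the hunk.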
diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 94aa53b8506..10e8bfd9e61 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -290,12 +290,13 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) { try { $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search); - return $this->access->fetchListOfUsers( + $users = $this->access->fetchListOfUsers( $filter, array($this->access->connection->ldapUserDisplayName, 'dn'), $limit, $offset ); + return $this->access->ownCloudUserNames($users); } catch (\Exception $e) { return array(); } @@ -474,8 +475,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { return array(); } + $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset); $members = array_keys($this->_groupMembers($groupDN)); - if(!$members) { + if(!$members && empty($primaryUsers)) { //in case users could not be retrieved, return empty result set $this->access->connection->writeToCache($cacheKey, array()); return array(); @@ -515,9 +517,6 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { natsort($groupUsers); $this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers); $groupUsers = array_slice($groupUsers, $offset, $limit); - - //and get users that have the group as primary - $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset); $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); $this->access->connection->writeToCache($cacheKey, $groupUsers); 
@@ -549,16 +548,15 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } $members = array_keys($this->_groupMembers($groupDN)); - if(!$members) { + $primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, ''); + if(!$members && $primaryUserCount === 0) { //in case users could not be retrieved, return empty result set $this->access->connection->writeToCache($cacheKey, false); return false; } if(empty($search)) { - $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, ''); - $groupUsers = count($members) + $primaryUsers; - + $groupUsers = count($members) + $primaryUserCount; $this->access->connection->writeToCache($cacheKey, $groupUsers); return $groupUsers; } diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php index b29449d286e..b18ebb50efa 100644 --- a/apps/user_ldap/tests/group_ldap.php +++ b/apps/user_ldap/tests/group_ldap.php 
@@ -313,4 +313,74 @@ class Test_Group_Ldap extends \PHPUnit_Framework_TestCase { $this->assertSame(2, count($groups)); } + /** + * tests that a user listing is complete, if all it's members have the group + * as their primary. + */ + public function testUsersInGroupPrimaryMembersOnly() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $access->connection->expects($this->any()) + ->method('getFromCache') + ->will($this->returnValue(null)); + + $access->expects($this->any()) + ->method('readAttribute') + ->will($this->returnCallback(function($dn, $attr) { + if($attr === 'primaryGroupToken') { + return array(1337); + } + return array(); + })); + + $access->expects($this->any()) + ->method('groupname2dn') + ->will($this->returnValue('cn=foobar,dc=foo,dc=bar')); + + $access->expects($this->once()) + ->method('ownCloudUserNames') + ->will($this->returnValue(array('lisa', 'bart', 'kira', 'brad'))); + + $groupBackend = new GroupLDAP($access); + $users = $groupBackend->usersInGroup('foobar'); + + $this->assertSame(4, count($users)); + } + + /** + * tests that a user counting is complete, if all it's members have the group + * as their primary. + */ + public function testCountUsersInGroupPrimaryMembersOnly() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $access->connection->expects($this->any()) + ->method('getFromCache') + ->will($this->returnValue(null)); + + $access->expects($this->any()) + ->method('readAttribute') + ->will($this->returnCallback(function($dn, $attr) { + if($attr === 'primaryGroupToken') { + return array(1337); + } + return array(); + })); + + $access->expects($this->any()) + ->method('groupname2dn') + ->will($this->returnValue('cn=foobar,dc=foo,dc=bar')); + + $access->expects($this->once()) + ->method('countUsers') + ->will($this->returnValue(4)); + + $groupBackend = new GroupLDAP($access); + $users = $groupBackend->countUsersInGroup('foobar'); + + $this->assertSame(4, $users); + } + } -- cgit v1.2.3 
From ae850d76ea9bebf77f55ce54fc5015db725dec4f Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Thu, 14 May 2015 01:07:16 +0200 Subject: add primary group users to resultset before caching --- apps/user_ldap/group_ldap.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 10e8bfd9e61..0d39b74bbe8 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -514,10 +514,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } } + $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); natsort($groupUsers); $this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers); $groupUsers = array_slice($groupUsers, $offset, $limit); - $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); + $this->access->connection->writeToCache($cacheKey, $groupUsers); -- cgit v1.2.3
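Review bot: `$primaryUsers` is still fetched with the request's `$limit` and `$offset` (the `getUsersInPrimaryGroup($groupDN, $search, $limit, $offset)` call moved up in the previous commit), so merging it before `natsort` puts only one page of primary-group users into the list cached under the page-independent key `'usersInGroup-'.$gid.'-'.$search`, and `array_slice($groupUsers, $offset, $limit)` then applies the offset to those users a second time. If that cache entry is reused for other pages, as its key suggests, later pages would miss primary-group members, which matters wherever group membership feeds sharing or access decisions. Fetching the primary members unpaginated for the merge, `$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search);`, keeps the cached list complete and leaves the paging to the slice. That call site is outside this hunk, and `usersInGroup` starts and ends outside it as well.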