Merge pull request #22203 from nextcloud/backport/21559/stable19

[stable19] shortcut in reading nested group members when IN_CHAIN is available
This commit is contained in:
blizzz 2020-08-12 13:42:08 +00:00 committed by GitHub
commit 33db8a97c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 77 additions and 2 deletions

View File

@ -45,6 +45,10 @@ class Configuration {
public const AVATAR_PREFIX_NONE = 'none'; public const AVATAR_PREFIX_NONE = 'none';
public const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:'; public const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:';
public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown';
public const LDAP_SERVER_FEATURE_AVAILABLE = 'available';
public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable';
protected $configPrefix = null; protected $configPrefix = null;
protected $configRead = false; protected $configRead = false;
/** /**
@ -110,6 +114,7 @@ class Configuration {
'ldapDynamicGroupMemberURL' => null, 'ldapDynamicGroupMemberURL' => null,
'ldapDefaultPPolicyDN' => null, 'ldapDefaultPPolicyDN' => null,
'ldapExtStorageHomeAttribute' => null, 'ldapExtStorageHomeAttribute' => null,
'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN,
]; ];
/** /**
@ -482,6 +487,7 @@ class Configuration {
'ldap_default_ppolicy_dn' => '', 'ldap_default_ppolicy_dn' => '',
'ldap_user_avatar_rule' => 'default', 'ldap_user_avatar_rule' => 'default',
'ldap_ext_storage_home_attribute' => '', 'ldap_ext_storage_home_attribute' => '',
'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN,
]; ];
} }
@ -543,6 +549,7 @@ class Configuration {
'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL', 'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL',
'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN', 'ldap_default_ppolicy_dn' => 'ldapDefaultPPolicyDN',
'ldap_ext_storage_home_attribute' => 'ldapExtStorageHomeAttribute', 'ldap_ext_storage_home_attribute' => 'ldapExtStorageHomeAttribute',
'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState',
'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig 'ldapIgnoreNamingRules' => 'ldapIgnoreNamingRules', // sysconfig
]; ];
return $array; return $array;

View File

@ -67,6 +67,7 @@ use OCP\ILogger;
* @property string[] ldapBaseGroups * @property string[] ldapBaseGroups
* @property string ldapGroupFilter * @property string ldapGroupFilter
* @property string ldapGroupDisplayName * @property string ldapGroupDisplayName
* @property string ldapMatchingRuleInChainState
*/ */
class Connection extends LDAPUtility { class Connection extends LDAPUtility {
private $ldapConnectionRes = null; private $ldapConnectionRes = null;

View File

@ -235,6 +235,37 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
if ($groupMembers !== null) { if ($groupMembers !== null) {
return $groupMembers; return $groupMembers;
} }
if ($this->access->connection->ldapNestedGroups
&& $this->access->connection->useMemberOfToDetectMembership
&& $this->access->connection->hasMemberOfFilterSupport
&& $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE
) {
$attemptedLdapMatchingRuleInChain = true;
// compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others)
$filter = $this->access->combineFilterWithAnd([
$this->access->connection->ldapUserFilter,
$this->access->connection->ldapUserDisplayName . '=*',
'memberof:1.2.840.113556.1.4.1941:=' . $dnGroup
]);
$memberRecords = $this->access->fetchListOfUsers(
$filter,
$this->access->userManager->getAttributes(true)
);
$result = array_reduce($memberRecords, function ($carry, $record) {
$carry[] = $record['dn'][0];
return $carry;
}, []);
if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) {
return $result;
} elseif (!empty($memberRecords)) {
$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
$this->access->connection->saveConfiguration();
return $result;
}
// when feature availability is unknown, and the result is empty, continue and test with original approach
}
$seen[$dnGroup] = 1; $seen[$dnGroup] = 1;
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr); $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
if (is_array($members)) { if (is_array($members)) {
@ -247,6 +278,13 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
$allMembers += $this->getDynamicGroupMembers($dnGroup); $allMembers += $this->getDynamicGroupMembers($dnGroup);
$this->access->connection->writeToCache($cacheKey, $allMembers); $this->access->connection->writeToCache($cacheKey, $allMembers);
if (isset($attemptedLdapMatchingRuleInChain)
&& $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
&& !empty($allMembers)
) {
$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
$this->access->connection->saveConfiguration();
}
return $allMembers; return $allMembers;
} }

View File

@ -71,6 +71,8 @@ class Group_LDAPTest extends TestCase {
->method('getConnection') ->method('getConnection')
->willReturn($connector); ->willReturn($connector);
$access->userManager = $this->createMock(Manager::class);
return $access; return $access;
} }
@ -121,12 +123,19 @@ class Group_LDAPTest extends TestCase {
$access->expects($this->any()) $access->expects($this->any())
->method('isDNPartOfBase') ->method('isDNPartOfBase')
->willReturn(true); ->willReturn(true);
$access->expects($this->any())
->method('combineFilterWithAnd')
->willReturn('pseudo=filter');
// for primary groups // for primary groups
$access->expects($this->once()) $access->expects($this->once())
->method('countUsers') ->method('countUsers')
->willReturn(2); ->willReturn(2);
$access->userManager->expects($this->any())
->method('getAttributes')
->willReturn(['displayName', 'mail']);
$groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend = new GroupLDAP($access, $pluginManager);
$users = $groupBackend->countUsersInGroup('group'); $users = $groupBackend->countUsersInGroup('group');
@ -166,6 +175,13 @@ class Group_LDAPTest extends TestCase {
$access->expects($this->any()) $access->expects($this->any())
->method('isDNPartOfBase') ->method('isDNPartOfBase')
->willReturn(true); ->willReturn(true);
$access->expects($this->any())
->method('combineFilterWithAnd')
->willReturn('pseudo=filter');
$access->userManager->expects($this->any())
->method('getAttributes')
->willReturn(['displayName', 'mail']);
$groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend = new GroupLDAP($access, $pluginManager);
$users = $groupBackend->countUsersInGroup('group', '3'); $users = $groupBackend->countUsersInGroup('group', '3');
@ -541,7 +557,10 @@ class Group_LDAPTest extends TestCase {
$access->expects($this->any()) $access->expects($this->any())
->method('combineFilterWithAnd') ->method('combineFilterWithAnd')
->willReturn('pseudo=filter'); ->willReturn('pseudo=filter');
$access->userManager = $this->createMock(Manager::class);
$access->userManager->expects($this->any())
->method('getAttributes')
->willReturn(['displayName', 'mail']);
$groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend = new GroupLDAP($access, $pluginManager);
$users = $groupBackend->usersInGroup('foobar'); $users = $groupBackend->usersInGroup('foobar');
@ -582,7 +601,10 @@ class Group_LDAPTest extends TestCase {
$access->expects($this->any()) $access->expects($this->any())
->method('combineFilterWithAnd') ->method('combineFilterWithAnd')
->willReturn('pseudo=filter'); ->willReturn('pseudo=filter');
$access->userManager = $this->createMock(Manager::class);
$access->userManager->expects($this->any())
->method('getAttributes')
->willReturn(['displayName', 'mail']);
$groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend = new GroupLDAP($access, $pluginManager);
$users = $groupBackend->usersInGroup('foobar'); $users = $groupBackend->usersInGroup('foobar');
@ -621,6 +643,13 @@ class Group_LDAPTest extends TestCase {
$access->expects($this->any()) $access->expects($this->any())
->method('isDNPartOfBase') ->method('isDNPartOfBase')
->willReturn(true); ->willReturn(true);
$access->expects($this->any())
->method('combineFilterWithAnd')
->willReturn('pseudo=filter');
$access->userManager->expects($this->any())
->method('getAttributes')
->willReturn(['displayName', 'mail']);
$groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend = new GroupLDAP($access, $pluginManager);
$users = $groupBackend->countUsersInGroup('foobar'); $users = $groupBackend->countUsersInGroup('foobar');