diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index 654a63cdc7..851ff03cbb 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -55,6 +55,7 @@ class Configuration { 'ldapIgnoreNamingRules' => null, 'ldapUserDisplayName' => null, 'ldapUserDisplayName2' => null, + 'ldapGidNumber' => null, 'ldapUserFilterObjectclass' => null, 'ldapUserFilterGroups' => null, 'ldapUserFilter' => null, @@ -431,6 +432,7 @@ class Configuration { 'ldap_group_filter_mode' => 0, 'ldap_groupfilter_objectclass' => '', 'ldap_groupfilter_groups' => '', + 'ldap_gid_number' => 'gidNumber', 'ldap_display_name' => 'displayName', 'ldap_user_display_name_2' => '', 'ldap_group_display_name' => 'cn', @@ -491,6 +493,7 @@ class Configuration { 'ldap_group_filter_mode' => 'ldapGroupFilterMode', 'ldap_groupfilter_objectclass' => 'ldapGroupFilterObjectclass', 'ldap_groupfilter_groups' => 'ldapGroupFilterGroups', + 'ldap_gid_number' => 'ldapGidNumber', 'ldap_display_name' => 'ldapUserDisplayName', 'ldap_user_display_name_2' => 'ldapUserDisplayName2', 'ldap_group_display_name' => 'ldapGroupDisplayName', diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php index 04f8c7401e..10fbea7174 100644 --- a/apps/user_ldap/lib/Connection.php +++ b/apps/user_ldap/lib/Connection.php @@ -12,6 +12,7 @@ * @author Robin Appelman * @author Robin McCorkell * @author Roger Szabo + * @author Xuanwo * * @license AGPL-3.0 * @@ -64,6 +65,11 @@ class Connection extends LDAPUtility { */ public $hasPrimaryGroups = true; + /** + * @var bool runtime flag that indicates whether supported POSIX gidNumber are available + */ + public $hasGidNumber = true; + //cache handler protected $cache; diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index b6013e7776..60ce664684 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php 
@@ -18,6 +18,7 @@ * @author Roeland Jago Douma * @author Thomas Müller * @author Vincent Petry + * @author Xuanwo * * @license AGPL-3.0 * @@ -229,9 +230,9 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { } } } - + $allMembers = array_merge($allMembers, $this->getDynamicGroupMembers($dnGroup)); - + $this->access->connection->writeToCache($cacheKey, $allMembers); return $allMembers; } 
@@ -263,7 +264,167 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { $allGroups = array_merge($allGroups, $subGroups); } } - return $allGroups; + return $allGroups; + } + + /** + * translates a gidNumber into an ownCloud internal name + * @param string $gid as given by gidNumber on POSIX LDAP + * @param string $dn a DN that belongs to the same domain as the group + * @return string|bool + */ + public function gidNumber2Name($gid, $dn) { + $cacheKey = 'gidNumberToName' . $gid; + $groupName = $this->access->connection->getFromCache($cacheKey); + if(!is_null($groupName) && isset($groupName)) { + return $groupName; + } + + //we need to get the DN from LDAP + $filter = $this->access->combineFilterWithAnd([ + $this->access->connection->ldapGroupFilter, + 'objectClass=posixGroup', + $this->access->connection->ldapGidNumber . '=' . $gid + ]); + $result = $this->access->searchGroups($filter, array('dn'), 1); + if(empty($result)) { + return false; + } + $dn = $result[0]['dn'][0]; + + //and now the group name + //NOTE once we have separate ownCloud group IDs and group names we can + //directly read the display name attribute instead of the DN + $name = $this->access->dn2groupname($dn); + + $this->access->connection->writeToCache($cacheKey, $name); + + return $name; + } + + /** + * returns the entry's gidNumber + * @param string $dn + * @param string $attribute + * @return string|bool + */ + private function getEntryGidNumber($dn, $attribute) { + $value = $this->access->readAttribute($dn, $attribute); + if(is_array($value) && !empty($value)) { + return $value[0]; + } + return false; + } + + /** + * returns the group's primary ID + * @param string $dn + * @return string|bool + */ + public function getGroupGidNumber($dn) { + return $this->getEntryGidNumber($dn, 'gidNumber'); + } + + /** + * returns the user's gidNumber + * @param string $dn + * @return string|bool + */ + public function getUserGidNumber($dn) { + $gidNumber = false; + 
if($this->access->connection->hasGidNumber) { + $gidNumber = $this->getEntryGidNumber($dn, 'gidNumber'); + if($gidNumber === false) { + $this->access->connection->hasGidNumber = false; + } + } + return $gidNumber; + } + + /** + * returns a filter for a "users has specific gid" search or count operation + * + * @param string $groupDN + * @param string $search + * @return string + * @throws \Exception + */ + private function prepareFilterForUsersHasGidNumber($groupDN, $search = '') { + $groupID = $this->getGroupGidNumber($groupDN); + if($groupID === false) { + throw new \Exception('Not a valid group'); + } + + $filterParts = []; + $filterParts[] = $this->access->getFilterForUserCount(); + if ($search !== '') { + $filterParts[] = $this->access->getFilterPartForUserSearch($search); + } + $filterParts[] = $this->access->connection->ldapGidNumber .'=' . $groupID; + + $filter = $this->access->combineFilterWithAnd($filterParts); + + return $filter; + } + + /** + * returns a list of users that have the given group as gid number + * + * @param string $groupDN + * @param string $search + * @param int $limit + * @param int $offset + * @return string[] + */ + public function getUsersInGidNumber($groupDN, $search = '', $limit = -1, $offset = 0) { + try { + $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search); + $users = $this->access->fetchListOfUsers( + $filter, + [$this->access->connection->ldapUserDisplayName, 'dn'], + $limit, + $offset + ); + return $this->access->nextcloudUserNames($users); + } catch (\Exception $e) { + return []; + } + } + + /** + * returns the number of users that have the given group as gid number + * + * @param string $groupDN + * @param string $search + * @param int $limit + * @param int $offset + * @return int + */ + public function countUsersInGidNumber($groupDN, $search = '', $limit = -1, $offset = 0) { + try { + $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search); + $users = $this->access->countUsers($filter, 
['dn'], $limit, $offset); + return (int)$users; + } catch (\Exception $e) { + return 0; + } + } + + /** + * gets the gidNumber of a user + * @param string $dn + * @return string + */ + public function getUserGroupByGid($dn) { + $groupID = $this->getUserGidNumber($dn); + if($groupID !== false) { + $groupName = $this->gidNumber2Name($groupID, $dn); + if($groupName !== false) { + return $groupName; + } + } + + return false; } /** @@ -457,6 +618,7 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { $groups = []; $primaryGroup = $this->getUserPrimaryGroup($userDN); + $gidGroupName = $this->getUserGroupByGid($userDN); $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL); @@ -512,10 +674,13 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { } } } - + if($primaryGroup !== false) { $groups[] = $primaryGroup; } + if($gidGroupName !== false) { + $groups[] = $gidGroupName; + } $this->access->connection->writeToCache($cacheKey, $groups); return $groups; } @@ -549,6 +714,9 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { if($primaryGroup !== false) { $groups[] = $primaryGroup; } + if($gidGroupName !== false) { + $groups[] = $gidGroupName; + } $groups = array_unique($groups, SORT_LOCALE_STRING); $this->access->connection->writeToCache($cacheKey, $groups); 
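Review bot: gidNumber2Name() and prepareFilterForUsersHasGidNumber() concatenate a value read from the directory straight into the search filter (`$this->access->connection->ldapGidNumber . '=' . $gid`), so a gidNumber holding filter metacharacters would alter the query that decides group membership; escape or validate it first, e.g. `$this->access->escapeFilterPart($gid)` or reject values that fail `ctype_digit((string)$gid)`. getGroupGidNumber() and getUserGidNumber() read the hard-coded `'gidNumber'` while both filters use the configurable `ldapGidNumber`, so a non-default setting is searched but never read; pass `$this->access->connection->ldapGidNumber` to getEntryGidNumber() instead. getUserGidNumber() also sets the connection-wide `hasGidNumber` to false the first time a single entry lacks the attribute, which looks like it would drop POSIX membership for every later user on that connection in a directory where only some accounts are POSIX accounts. The `$dn` parameter of gidNumber2Name() is overwritten before use, and getUserGroupByGid() is documented as `@return string` but returns false on a miss; `@return string|bool` would match.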
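Review bot: In the `@@ -512,10 +674,13 @@` hunk `$gidGroupName` is appended and the list is cached without de-duplication, while the later path (`@@ -549,6 +714,9 @@`) runs `array_unique($groups, SORT_LOCALE_STRING)` afterwards. A user whose gidNumber group is also found through the membership attribute would be listed in that group twice on the first path; append with `if($gidGroupName !== false && !in_array($gidGroupName, $groups, true))` or run `array_unique` before `writeToCache`. The enclosing function starts and ends outside these hunks, so whether an earlier step already de-duplicates is not visible here.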
@@ -636,11 +804,12 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { } $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset); + $posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset); $members = array_keys($this->_groupMembers($groupDN)); - if(!$members && empty($primaryUsers)) { + if(!$members && empty($posixGroupUsers) && empty($primaryUsers)) { //in case users could not be retrieved, return empty result set - $this->access->connection->writeToCache($cacheKey, array()); - return array(); + $this->access->connection->writeToCache($cacheKey, []); + return []; } $groupUsers = array(); @@ -674,12 +843,11 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface { } } - $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers)); + $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers)); natsort($groupUsers); $this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers); $groupUsers = array_slice($groupUsers, $offset, $limit); - $this->access->connection->writeToCache($cacheKey, $groupUsers); return $groupUsers; diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php index 2c388b1803..73fcd4f1e4 100644 --- a/apps/user_ldap/lib/Wizard.php +++ b/apps/user_ldap/lib/Wizard.php @@ -15,6 +15,7 @@ * @author Robin McCorkell * @author Stefan Weil * @author Victor Dubiniuk + * @author Xuanwo * * @license AGPL-3.0 * 
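Review bot: `$posixGroupUsers` is fetched with `$limit` and `$offset` already applied, then merged, cached under `'usersInGroup-'.$gid.'-'.$search` and sliced again with `array_slice($groupUsers, $offset, $limit)`, so for any page after the first the gidNumber members are offset twice and the list cached under the unpaged-looking key holds only one page of them. Fetching the full set here, `$posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search);`, and letting the final slice do the paging would avoid that; the existing `$primaryUsers` call has the same shape. Because getUsersInGidNumber() returns `[]` on any exception, a failed lookup is also indistinguishable from an empty group and gets cached as such; logging the exception there would make that visible. usersInGroup() begins and ends outside these hunks.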
@@ -775,12 +776,12 @@ class Wizard extends LDAPUtility { /** * tries to detect the group member association attribute which is - * one of 'uniqueMember', 'memberUid', 'member' + * one of 'uniqueMember', 'memberUid', 'member', 'gidNumber' * @return string|false, string with the attribute name, false on error * @throws \Exception */ private function detectGroupMemberAssoc() { - $possibleAttrs = array('uniqueMember', 'memberUid', 'member'); + $possibleAttrs = array('uniqueMember', 'memberUid', 'member', 'gidNumber'); $filter = $this->configuration->ldapGroupFilter; if(empty($filter)) { return false; diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php index 0d4ca804dd..58116b8c0e 100644 --- a/apps/user_ldap/templates/settings.php +++ b/apps/user_ldap/templates/settings.php @@ -97,8 +97,7 @@ style('user_ldap', 'settings');
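Review bot: `'gidNumber'` differs in kind from the other three candidates in `$possibleAttrs`: on a group entry it carries the group's own numeric id, not a list of members, and POSIX groups carry it regardless of how members are recorded. The detection loop is outside this hunk, so how a match is ranked is not visible, but if the wizard can select it as the member association attribute, code that expects member DNs or uids in that attribute would read a number instead. The docblock should say so, e.g. `* 'gidNumber' marks POSIX primary-group membership and holds no member references`, and it is worth confirming that every consumer of the detected attribute handles that value.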

-

-

+

t('(New password is sent as plain text to LDAP)'));?> diff --git a/apps/user_ldap/tests/Group_LDAPTest.php b/apps/user_ldap/tests/Group_LDAPTest.php index 621a427eaa..9b5216742f 100644 --- a/apps/user_ldap/tests/Group_LDAPTest.php +++ b/apps/user_ldap/tests/Group_LDAPTest.php @@ -9,6 +9,7 @@ * @author Morris Jobke * @author Thomas Müller * @author Vincent Petry + * @author Xuanwo * * @license AGPL-3.0 * 
@@ -142,6 +143,107 @@ class Group_LDAPTest extends \Test\TestCase { $this->assertSame(2, $users); } + public function testGidNumber2NameSuccess() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; + + $access->expects($this->once()) + ->method('searchGroups') + ->will($this->returnValue([['dn' => ['cn=foo,dc=barfoo,dc=bar']]])); + + $access->expects($this->once()) + ->method('dn2groupname') + ->with('cn=foo,dc=barfoo,dc=bar') + ->will($this->returnValue('MyGroup')); + + $groupBackend = new GroupLDAP($access); + + $group = $groupBackend->gidNumber2Name('3117', $userDN); + + $this->assertSame('MyGroup', $group); + } + + public function testGidNumberID2NameNoGroup() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; + + $access->expects($this->once()) + ->method('searchGroups') + ->will($this->returnValue(array())); + + $access->expects($this->never()) + ->method('dn2groupname'); + + $groupBackend = new GroupLDAP($access); + + $group = $groupBackend->gidNumber2Name('3117', $userDN); + + $this->assertSame(false, $group); + } + + public function testGidNumberID2NameNoName() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; + + $access->expects($this->once()) + ->method('searchGroups') + ->will($this->returnValue([['dn' => ['cn=foo,dc=barfoo,dc=bar']]])); + + $access->expects($this->once()) + ->method('dn2groupname') + ->will($this->returnValue(false)); + + $groupBackend = new GroupLDAP($access); + + $group = $groupBackend->gidNumber2Name('3117', $userDN); + + $this->assertSame(false, $group); + } + + public function testGetEntryGidNumberValue() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $dn = 'cn=foobar,cn=foo,dc=barfoo,dc=bar'; + $attr = 'gidNumber'; + + $access->expects($this->once()) + ->method('readAttribute') + ->with($dn, $attr) 
+ ->will($this->returnValue(array('3117'))); + + $groupBackend = new GroupLDAP($access); + + $gid = $groupBackend->getGroupGidNumber($dn); + + $this->assertSame('3117', $gid); + } + + public function testGetEntryGidNumberNoValue() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + + $dn = 'cn=foobar,cn=foo,dc=barfoo,dc=bar'; + $attr = 'gidNumber'; + + $access->expects($this->once()) + ->method('readAttribute') + ->with($dn, $attr) + ->will($this->returnValue(false)); + + $groupBackend = new GroupLDAP($access); + + $gid = $groupBackend->getGroupGidNumber($dn); + + $this->assertSame(false, $gid); + } + public function testPrimaryGroupID2NameSuccess() { $access = $this->getAccessMock(); $this->enableGroups($access); 
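Review bot: The three gidNumber2Name tests stub `searchGroups` without a `->with(...)` constraint, so nothing pins the filter that is built from `ldapGidNumber` and the gid, and a regression in the attribute name or in value escaping would go unnoticed. An expectation on the filter parts passed to `combineFilterWithAnd` would cover it, assuming the access mock lets that call be observed. There is also no test for getUserGidNumber() clearing `hasGidNumber` after a miss, and `testGidNumberID2NameNoGroup` / `testGidNumberID2NameNoName` do not follow the `testGidNumber2Name…` naming of the first test.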
@@ -332,6 +434,43 @@ class Group_LDAPTest extends \Test\TestCase { $access = $this->getAccessMock(); $this->enableGroups($access); + $access->connection->expects($this->any()) + ->method('getFromCache') + ->will($this->returnValue(null)); + + $access->expects($this->any()) + ->method('readAttribute') + ->will($this->returnCallback(function($dn, $attr) { + if($attr === 'primaryGroupToken') { + return array(1337); + } else if($attr === 'gidNumber') { + return [4211]; + } + return array(); + })); + + $access->expects($this->any()) + ->method('groupname2dn') + ->will($this->returnValue('cn=foobar,dc=foo,dc=bar')); + + $access->expects($this->exactly(2)) + ->method('nextcloudUserNames') + ->willReturnOnConsecutiveCalls(['lisa', 'bart', 'kira', 'brad'], ['walle', 'dino', 'xenia']); + + $groupBackend = new GroupLDAP($access); + $users = $groupBackend->usersInGroup('foobar'); + + $this->assertSame(7, count($users)); + } + + /** + * tests that a user listing is complete, if all it's members have the group + * as their primary. + */ + public function testUsersInGroupPrimaryAndUnixMembers() { + $access = $this->getAccessMock(); + $this->enableGroups($access); + $access->connection->expects($this->any()) ->method('getFromCache') ->will($this->returnValue(null)); @@ -401,6 +540,7 @@ class Group_LDAPTest extends \Test\TestCase { $dn = 'cn=userX,dc=foobar'; $access->connection->hasPrimaryGroups = false; + $access->connection->hasGidNumber = false; $access->expects($this->any()) ->method('username2dn') @@ -441,6 +581,7 @@ class Group_LDAPTest extends \Test\TestCase { $dn = 'cn=userX,dc=foobar'; $access->connection->hasPrimaryGroups = false; + $access->connection->hasGidNumber = false; $access->expects($this->once()) ->method('username2dn') @@ -477,6 +618,7 @@ class Group_LDAPTest extends \Test\TestCase { $dn = 'cn=userX,dc=foobar'; $access->connection->hasPrimaryGroups = false; + $access->connection->hasGidNumber = false; $access->expects($this->exactly(2)) ->method('username2dn')
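Review bot: As laid out in the `@@ -332,6 +434,43 @@` hunk, the added body (the `gidNumber` branch in the `readAttribute` callback and the seven-user assertion) lands in the preceding test, whose name is outside the hunk, while the new name `testUsersInGroupPrimaryAndUnixMembers` and its docblock sit above what appears to be the pre-existing body. If that reading is right the name and docblock (`if all it's members have the group as their primary`) describe the wrong test and should be swapped or reworded. `$this->assertSame(7, count($users))` also checks only the size; `$this->assertCount(7, $users)` plus a check of the expected names would catch a wrong merge.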