User_LDAP.php 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
  6. * @author Bart Visscher <bartv@thisnet.nl>
  7. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  8. * @author Daniel Kesselberg <mail@danielkesselberg.de>
  9. * @author Dominik Schmidt <dev@dominik-schmidt.de>
  10. * @author felixboehm <felix@webhippie.de>
  11. * @author Joas Schilling <coding@schilljs.com>
  12. * @author Jörn Friedrich Dreyer <jfd@butonic.de>
  13. * @author Lukas Reschke <lukas@statuscode.ch>
  14. * @author Morris Jobke <hey@morrisjobke.de>
  15. * @author Renaud Fortier <Renaud.Fortier@fsaa.ulaval.ca>
  16. * @author Robin Appelman <robin@icewind.nl>
  17. * @author Robin McCorkell <robin@mccorkell.me.uk>
  18. * @author Roger Szabo <roger.szabo@web.de>
  19. * @author root <root@localhost.localdomain>
  20. * @author Thomas Müller <thomas.mueller@tmit.eu>
  21. * @author Tom Needham <tom@owncloud.com>
  22. * @author Victor Dubiniuk <dubiniuk@owncloud.com>
  23. * @author Vinicius Cubas Brand <vinicius@eita.org.br>
  24. *
  25. * @license AGPL-3.0
  26. *
  27. * This code is free software: you can redistribute it and/or modify
  28. * it under the terms of the GNU Affero General Public License, version 3,
  29. * as published by the Free Software Foundation.
  30. *
  31. * This program is distributed in the hope that it will be useful,
  32. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  33. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  34. * GNU Affero General Public License for more details.
  35. *
  36. * You should have received a copy of the GNU Affero General Public License, version 3,
  37. * along with this program. If not, see <http://www.gnu.org/licenses/>
  38. *
  39. */
  40. namespace OCA\User_LDAP;
  41. use OC\ServerNotAvailableException;
  42. use OC\User\Backend;
  43. use OC\User\NoUserException;
  44. use OCA\User_LDAP\Exceptions\NotOnLDAP;
  45. use OCA\User_LDAP\User\OfflineUser;
  46. use OCA\User_LDAP\User\User;
  47. use OCP\IConfig;
  48. use OCP\ILogger;
  49. use OCP\IUserSession;
  50. use OCP\Notification\IManager as INotificationManager;
  51. use OCP\Util;
  52. class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserInterface, IUserLDAP {
  53. /** @var \OCP\IConfig */
  54. protected $ocConfig;
  55. /** @var INotificationManager */
  56. protected $notificationManager;
  57. /** @var UserPluginManager */
  58. protected $userPluginManager;
  59. /**
  60. * @param Access $access
  61. * @param \OCP\IConfig $ocConfig
  62. * @param \OCP\Notification\IManager $notificationManager
  63. * @param IUserSession $userSession
  64. */
  65. public function __construct(Access $access, IConfig $ocConfig, INotificationManager $notificationManager, IUserSession $userSession, UserPluginManager $userPluginManager) {
  66. parent::__construct($access);
  67. $this->ocConfig = $ocConfig;
  68. $this->notificationManager = $notificationManager;
  69. $this->userPluginManager = $userPluginManager;
  70. }
  71. /**
  72. * checks whether the user is allowed to change his avatar in Nextcloud
  73. *
  74. * @param string $uid the Nextcloud user name
  75. * @return boolean either the user can or cannot
  76. * @throws \Exception
  77. */
  78. public function canChangeAvatar($uid) {
  79. if ($this->userPluginManager->implementsActions(Backend::PROVIDE_AVATAR)) {
  80. return $this->userPluginManager->canChangeAvatar($uid);
  81. }
  82. if(!$this->implementsActions(Backend::PROVIDE_AVATAR)) {
  83. return true;
  84. }
  85. $user = $this->access->userManager->get($uid);
  86. if(!$user instanceof User) {
  87. return false;
  88. }
  89. $imageData = $user->getAvatarImage();
  90. if($imageData === false) {
  91. return true;
  92. }
  93. return !$user->updateAvatar(true);
  94. }
  95. /**
  96. * Return the username for the given login name, if available
  97. *
  98. * @param string $loginName
  99. * @return string|false
  100. * @throws \Exception
  101. */
  102. public function loginName2UserName($loginName) {
  103. $cacheKey = 'loginName2UserName-' . $loginName;
  104. $username = $this->access->connection->getFromCache($cacheKey);
  105. if ($username !== null) {
  106. return $username;
  107. }
  108. try {
  109. $ldapRecord = $this->getLDAPUserByLoginName($loginName);
  110. $user = $this->access->userManager->get($ldapRecord['dn'][0]);
  111. if ($user === null || $user instanceof OfflineUser) {
  112. // this path is not really possible, however get() is documented
  113. // to return User, OfflineUser or null so we are very defensive here.
  114. $this->access->connection->writeToCache($cacheKey, false);
  115. return false;
  116. }
  117. $username = $user->getUsername();
  118. $this->access->connection->writeToCache($cacheKey, $username);
  119. return $username;
  120. } catch (NotOnLDAP $e) {
  121. $this->access->connection->writeToCache($cacheKey, false);
  122. return false;
  123. }
  124. }
  125. /**
  126. * returns the username for the given LDAP DN, if available
  127. *
  128. * @param string $dn
  129. * @return string|false with the username
  130. */
  131. public function dn2UserName($dn) {
  132. return $this->access->dn2username($dn);
  133. }
  134. /**
  135. * returns an LDAP record based on a given login name
  136. *
  137. * @param string $loginName
  138. * @return array
  139. * @throws NotOnLDAP
  140. */
  141. public function getLDAPUserByLoginName($loginName) {
  142. //find out dn of the user name
  143. $attrs = $this->access->userManager->getAttributes();
  144. $users = $this->access->fetchUsersByLoginName($loginName, $attrs);
  145. if(count($users) < 1) {
  146. throw new NotOnLDAP('No user available for the given login name on ' .
  147. $this->access->connection->ldapHost . ':' . $this->access->connection->ldapPort);
  148. }
  149. return $users[0];
  150. }
  151. /**
  152. * Check if the password is correct without logging in the user
  153. *
  154. * @param string $uid The username
  155. * @param string $password The password
  156. * @return false|string
  157. */
  158. public function checkPassword($uid, $password) {
  159. try {
  160. $ldapRecord = $this->getLDAPUserByLoginName($uid);
  161. } catch(NotOnLDAP $e) {
  162. \OC::$server->getLogger()->logException($e, ['app' => 'user_ldap', 'level' => ILogger::DEBUG]);
  163. return false;
  164. }
  165. $dn = $ldapRecord['dn'][0];
  166. $user = $this->access->userManager->get($dn);
  167. if(!$user instanceof User) {
  168. Util::writeLog('user_ldap',
  169. 'LDAP Login: Could not get user object for DN ' . $dn .
  170. '. Maybe the LDAP entry has no set display name attribute?',
  171. ILogger::WARN);
  172. return false;
  173. }
  174. if($user->getUsername() !== false) {
  175. //are the credentials OK?
  176. if(!$this->access->areCredentialsValid($dn, $password)) {
  177. return false;
  178. }
  179. $this->access->cacheUserExists($user->getUsername());
  180. $user->processAttributes($ldapRecord);
  181. $user->markLogin();
  182. return $user->getUsername();
  183. }
  184. return false;
  185. }
  186. /**
  187. * Set password
  188. * @param string $uid The username
  189. * @param string $password The new password
  190. * @return bool
  191. */
  192. public function setPassword($uid, $password) {
  193. if ($this->userPluginManager->implementsActions(Backend::SET_PASSWORD)) {
  194. return $this->userPluginManager->setPassword($uid, $password);
  195. }
  196. $user = $this->access->userManager->get($uid);
  197. if(!$user instanceof User) {
  198. throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid .
  199. '. Maybe the LDAP entry has no set display name attribute?');
  200. }
  201. if($user->getUsername() !== false && $this->access->setPassword($user->getDN(), $password)) {
  202. $ldapDefaultPPolicyDN = $this->access->connection->ldapDefaultPPolicyDN;
  203. $turnOnPasswordChange = $this->access->connection->turnOnPasswordChange;
  204. if (!empty($ldapDefaultPPolicyDN) && ((int)$turnOnPasswordChange === 1)) {
  205. //remove last password expiry warning if any
  206. $notification = $this->notificationManager->createNotification();
  207. $notification->setApp('user_ldap')
  208. ->setUser($uid)
  209. ->setObject('pwd_exp_warn', $uid)
  210. ;
  211. $this->notificationManager->markProcessed($notification);
  212. }
  213. return true;
  214. }
  215. return false;
  216. }
  217. /**
  218. * Get a list of all users
  219. *
  220. * @param string $search
  221. * @param integer $limit
  222. * @param integer $offset
  223. * @return string[] an array of all uids
  224. */
  225. public function getUsers($search = '', $limit = 10, $offset = 0) {
  226. $search = $this->access->escapeFilterPart($search, true);
  227. $cachekey = 'getUsers-'.$search.'-'.$limit.'-'.$offset;
  228. //check if users are cached, if so return
  229. $ldap_users = $this->access->connection->getFromCache($cachekey);
  230. if(!is_null($ldap_users)) {
  231. return $ldap_users;
  232. }
  233. // if we'd pass -1 to LDAP search, we'd end up in a Protocol
  234. // error. With a limit of 0, we get 0 results. So we pass null.
  235. if($limit <= 0) {
  236. $limit = null;
  237. }
  238. $filter = $this->access->combineFilterWithAnd([
  239. $this->access->connection->ldapUserFilter,
  240. $this->access->connection->ldapUserDisplayName . '=*',
  241. $this->access->getFilterPartForUserSearch($search)
  242. ]);
  243. Util::writeLog('user_ldap',
  244. 'getUsers: Options: search '.$search.' limit '.$limit.' offset '.$offset.' Filter: '.$filter,
  245. ILogger::DEBUG);
  246. //do the search and translate results to Nextcloud names
  247. $ldap_users = $this->access->fetchListOfUsers(
  248. $filter,
  249. $this->access->userManager->getAttributes(true),
  250. $limit, $offset);
  251. $ldap_users = $this->access->nextcloudUserNames($ldap_users);
  252. Util::writeLog('user_ldap', 'getUsers: '.count($ldap_users). ' Users found', ILogger::DEBUG);
  253. $this->access->connection->writeToCache($cachekey, $ldap_users);
  254. return $ldap_users;
  255. }
  256. /**
  257. * checks whether a user is still available on LDAP
  258. *
  259. * @param string|\OCA\User_LDAP\User\User $user either the Nextcloud user
  260. * name or an instance of that user
  261. * @return bool
  262. * @throws \Exception
  263. * @throws \OC\ServerNotAvailableException
  264. */
  265. public function userExistsOnLDAP($user) {
  266. if(is_string($user)) {
  267. $user = $this->access->userManager->get($user);
  268. }
  269. if(is_null($user)) {
  270. return false;
  271. }
  272. $uid = $user instanceof User ? $user->getUsername() : $user->getOCName();
  273. $cacheKey = 'userExistsOnLDAP' . $uid;
  274. $userExists = $this->access->connection->getFromCache($cacheKey);
  275. if(!is_null($userExists)) {
  276. return (bool)$userExists;
  277. }
  278. $dn = $user->getDN();
  279. //check if user really still exists by reading its entry
  280. if(!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapUserFilter))) {
  281. try {
  282. $uuid = $this->access->getUserMapper()->getUUIDByDN($dn);
  283. if (!$uuid) {
  284. $this->access->connection->writeToCache($cacheKey, false);
  285. return false;
  286. }
  287. $newDn = $this->access->getUserDnByUuid($uuid);
  288. //check if renamed user is still valid by reapplying the ldap filter
  289. if ($newDn === $dn || !is_array($this->access->readAttribute($newDn, '', $this->access->connection->ldapUserFilter))) {
  290. $this->access->connection->writeToCache($cacheKey, false);
  291. return false;
  292. }
  293. $this->access->getUserMapper()->setDNbyUUID($newDn, $uuid);
  294. $this->access->connection->writeToCache($cacheKey, true);
  295. return true;
  296. } catch (ServerNotAvailableException $e) {
  297. throw $e;
  298. } catch (\Exception $e) {
  299. $this->access->connection->writeToCache($cacheKey, false);
  300. return false;
  301. }
  302. }
  303. if($user instanceof OfflineUser) {
  304. $user->unmark();
  305. }
  306. $this->access->connection->writeToCache($cacheKey, true);
  307. return true;
  308. }
  309. /**
  310. * check if a user exists
  311. * @param string $uid the username
  312. * @return boolean
  313. * @throws \Exception when connection could not be established
  314. */
  315. public function userExists($uid) {
  316. $userExists = $this->access->connection->getFromCache('userExists'.$uid);
  317. if(!is_null($userExists)) {
  318. return (bool)$userExists;
  319. }
  320. //getting dn, if false the user does not exist. If dn, he may be mapped only, requires more checking.
  321. $user = $this->access->userManager->get($uid);
  322. if(is_null($user)) {
  323. Util::writeLog('user_ldap', 'No DN found for '.$uid.' on '.
  324. $this->access->connection->ldapHost, ILogger::DEBUG);
  325. $this->access->connection->writeToCache('userExists'.$uid, false);
  326. return false;
  327. }
  328. $this->access->connection->writeToCache('userExists'.$uid, true);
  329. return true;
  330. }
  331. /**
  332. * returns whether a user was deleted in LDAP
  333. *
  334. * @param string $uid The username of the user to delete
  335. * @return bool
  336. */
  337. public function deleteUser($uid) {
  338. if ($this->userPluginManager->canDeleteUser()) {
  339. $status = $this->userPluginManager->deleteUser($uid);
  340. if($status === false) {
  341. return false;
  342. }
  343. }
  344. $marked = $this->ocConfig->getUserValue($uid, 'user_ldap', 'isDeleted', 0);
  345. if((int)$marked === 0) {
  346. \OC::$server->getLogger()->notice(
  347. 'User '.$uid . ' is not marked as deleted, not cleaning up.',
  348. ['app' => 'user_ldap']);
  349. return false;
  350. }
  351. \OC::$server->getLogger()->info('Cleaning up after user ' . $uid,
  352. ['app' => 'user_ldap']);
  353. $this->access->getUserMapper()->unmap($uid); // we don't emit unassign signals here, since it is implicit to delete signals fired from core
  354. $this->access->userManager->invalidate($uid);
  355. return true;
  356. }
  357. /**
  358. * get the user's home directory
  359. *
  360. * @param string $uid the username
  361. * @return bool|string
  362. * @throws NoUserException
  363. * @throws \Exception
  364. */
  365. public function getHome($uid) {
  366. // user Exists check required as it is not done in user proxy!
  367. if(!$this->userExists($uid)) {
  368. return false;
  369. }
  370. if ($this->userPluginManager->implementsActions(Backend::GET_HOME)) {
  371. return $this->userPluginManager->getHome($uid);
  372. }
  373. $cacheKey = 'getHome'.$uid;
  374. $path = $this->access->connection->getFromCache($cacheKey);
  375. if(!is_null($path)) {
  376. return $path;
  377. }
  378. // early return path if it is a deleted user
  379. $user = $this->access->userManager->get($uid);
  380. if($user instanceof User || $user instanceof OfflineUser) {
  381. $path = $user->getHomePath() ?: false;
  382. } else {
  383. throw new NoUserException($uid . ' is not a valid user anymore');
  384. }
  385. $this->access->cacheUserHome($uid, $path);
  386. return $path;
  387. }
  388. /**
  389. * get display name of the user
  390. * @param string $uid user ID of the user
  391. * @return string|false display name
  392. */
  393. public function getDisplayName($uid) {
  394. if ($this->userPluginManager->implementsActions(Backend::GET_DISPLAYNAME)) {
  395. return $this->userPluginManager->getDisplayName($uid);
  396. }
  397. if(!$this->userExists($uid)) {
  398. return false;
  399. }
  400. $cacheKey = 'getDisplayName'.$uid;
  401. if(!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) {
  402. return $displayName;
  403. }
  404. //Check whether the display name is configured to have a 2nd feature
  405. $additionalAttribute = $this->access->connection->ldapUserDisplayName2;
  406. $displayName2 = '';
  407. if ($additionalAttribute !== '') {
  408. $displayName2 = $this->access->readAttribute(
  409. $this->access->username2dn($uid),
  410. $additionalAttribute);
  411. }
  412. $displayName = $this->access->readAttribute(
  413. $this->access->username2dn($uid),
  414. $this->access->connection->ldapUserDisplayName);
  415. if($displayName && (count($displayName) > 0)) {
  416. $displayName = $displayName[0];
  417. if (is_array($displayName2)){
  418. $displayName2 = count($displayName2) > 0 ? $displayName2[0] : '';
  419. }
  420. $user = $this->access->userManager->get($uid);
  421. if ($user instanceof User) {
  422. $displayName = $user->composeAndStoreDisplayName($displayName, $displayName2);
  423. $this->access->connection->writeToCache($cacheKey, $displayName);
  424. }
  425. if ($user instanceof OfflineUser) {
  426. /** @var OfflineUser $user*/
  427. $displayName = $user->getDisplayName();
  428. }
  429. return $displayName;
  430. }
  431. return null;
  432. }
  433. /**
  434. * set display name of the user
  435. * @param string $uid user ID of the user
  436. * @param string $displayName new display name of the user
  437. * @return string|false display name
  438. */
  439. public function setDisplayName($uid, $displayName) {
  440. if ($this->userPluginManager->implementsActions(Backend::SET_DISPLAYNAME)) {
  441. $this->userPluginManager->setDisplayName($uid, $displayName);
  442. $this->access->cacheUserDisplayName($uid, $displayName);
  443. return $displayName;
  444. }
  445. return false;
  446. }
  447. /**
  448. * Get a list of all display names
  449. *
  450. * @param string $search
  451. * @param string|null $limit
  452. * @param string|null $offset
  453. * @return array an array of all displayNames (value) and the corresponding uids (key)
  454. */
  455. public function getDisplayNames($search = '', $limit = null, $offset = null) {
  456. $cacheKey = 'getDisplayNames-'.$search.'-'.$limit.'-'.$offset;
  457. if(!is_null($displayNames = $this->access->connection->getFromCache($cacheKey))) {
  458. return $displayNames;
  459. }
  460. $displayNames = [];
  461. $users = $this->getUsers($search, $limit, $offset);
  462. foreach ($users as $user) {
  463. $displayNames[$user] = $this->getDisplayName($user);
  464. }
  465. $this->access->connection->writeToCache($cacheKey, $displayNames);
  466. return $displayNames;
  467. }
  468. /**
  469. * Check if backend implements actions
  470. * @param int $actions bitwise-or'ed actions
  471. * @return boolean
  472. *
  473. * Returns the supported actions as int to be
  474. * compared with \OC\User\Backend::CREATE_USER etc.
  475. */
  476. public function implementsActions($actions) {
  477. return (bool)((Backend::CHECK_PASSWORD
  478. | Backend::GET_HOME
  479. | Backend::GET_DISPLAYNAME
  480. | (($this->access->connection->ldapUserAvatarRule !== 'none') ? Backend::PROVIDE_AVATAR : 0)
  481. | Backend::COUNT_USERS
  482. | (((int)$this->access->connection->turnOnPasswordChange === 1)? Backend::SET_PASSWORD :0)
  483. | $this->userPluginManager->getImplementedActions())
  484. & $actions);
  485. }
  486. /**
  487. * @return bool
  488. */
  489. public function hasUserListings() {
  490. return true;
  491. }
  492. /**
  493. * counts the users in LDAP
  494. *
  495. * @return int|bool
  496. */
  497. public function countUsers() {
  498. if ($this->userPluginManager->implementsActions(Backend::COUNT_USERS)) {
  499. return $this->userPluginManager->countUsers();
  500. }
  501. $filter = $this->access->getFilterForUserCount();
  502. $cacheKey = 'countUsers-'.$filter;
  503. if(!is_null($entries = $this->access->connection->getFromCache($cacheKey))) {
  504. return $entries;
  505. }
  506. $entries = $this->access->countUsers($filter);
  507. $this->access->connection->writeToCache($cacheKey, $entries);
  508. return $entries;
  509. }
  510. /**
  511. * Backend name to be shown in user management
  512. * @return string the name of the backend to be shown
  513. */
  514. public function getBackendName(){
  515. return 'LDAP';
  516. }
  517. /**
  518. * Return access for LDAP interaction.
  519. * @param string $uid
  520. * @return Access instance of Access for LDAP interaction
  521. */
  522. public function getLDAPAccess($uid) {
  523. return $this->access;
  524. }
  525. /**
  526. * Return LDAP connection resource from a cloned connection.
  527. * The cloned connection needs to be closed manually.
  528. * of the current access.
  529. * @param string $uid
  530. * @return resource of the LDAP connection
  531. */
  532. public function getNewLDAPConnection($uid) {
  533. $connection = clone $this->access->getConnection();
  534. return $connection->getConnectionResource();
  535. }
  536. /**
  537. * create new user
  538. * @param string $username username of the new user
  539. * @param string $password password of the new user
  540. * @throws \UnexpectedValueException
  541. * @return bool
  542. */
  543. public function createUser($username, $password) {
  544. if ($this->userPluginManager->implementsActions(Backend::CREATE_USER)) {
  545. if ($dn = $this->userPluginManager->createUser($username, $password)) {
  546. if (is_string($dn)) {
  547. // the NC user creation work flow requires a know user id up front
  548. $uuid = $this->access->getUUID($dn, true);
  549. if(is_string($uuid)) {
  550. $this->access->mapAndAnnounceIfApplicable(
  551. $this->access->getUserMapper(),
  552. $dn,
  553. $username,
  554. $uuid,
  555. true
  556. );
  557. $this->access->cacheUserExists($username);
  558. } else {
  559. \OC::$server->getLogger()->warning(
  560. 'Failed to map created LDAP user with userid {userid}, because UUID could not be determined',
  561. [
  562. 'app' => 'user_ldap',
  563. 'userid' => $username,
  564. ]
  565. );
  566. }
  567. } else {
  568. throw new \UnexpectedValueException("LDAP Plugin: Method createUser changed to return the user DN instead of boolean.");
  569. }
  570. }
  571. return (bool) $dn;
  572. }
  573. return false;
  574. }
  575. }