Group_LDAP.php 44 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OCA\User_LDAP;
  8. use Exception;
  9. use OC\ServerNotAvailableException;
  10. use OCA\User_LDAP\User\OfflineUser;
  11. use OCP\Cache\CappedMemoryCache;
  12. use OCP\Group\Backend\ABackend;
  13. use OCP\Group\Backend\IDeleteGroupBackend;
  14. use OCP\Group\Backend\IGetDisplayNameBackend;
  15. use OCP\Group\Backend\IIsAdminBackend;
  16. use OCP\GroupInterface;
  17. use OCP\IConfig;
  18. use OCP\IUserManager;
  19. use OCP\Server;
  20. use Psr\Log\LoggerInterface;
  21. use function json_decode;
  22. class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
  23. protected bool $enabled = false;
  24. /** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
  25. protected CappedMemoryCache $cachedGroupMembers;
  26. /** @var CappedMemoryCache<array[]> $cachedGroupsByMember array of groups with user DN as key */
  27. protected CappedMemoryCache $cachedGroupsByMember;
  28. /** @var CappedMemoryCache<string[]> $cachedNestedGroups array of groups with gid (DN) as key */
  29. protected CappedMemoryCache $cachedNestedGroups;
  30. protected GroupPluginManager $groupPluginManager;
  31. protected LoggerInterface $logger;
  32. protected Access $access;
  33. /**
  34. * @var string $ldapGroupMemberAssocAttr contains the LDAP setting (in lower case) with the same name
  35. */
  36. protected string $ldapGroupMemberAssocAttr;
  37. private IConfig $config;
  38. private IUserManager $ncUserManager;
  39. public function __construct(
  40. Access $access,
  41. GroupPluginManager $groupPluginManager,
  42. IConfig $config,
  43. IUserManager $ncUserManager
  44. ) {
  45. $this->access = $access;
  46. $filter = $this->access->connection->ldapGroupFilter;
  47. $gAssoc = $this->access->connection->ldapGroupMemberAssocAttr;
  48. if (!empty($filter) && !empty($gAssoc)) {
  49. $this->enabled = true;
  50. }
  51. $this->cachedGroupMembers = new CappedMemoryCache();
  52. $this->cachedGroupsByMember = new CappedMemoryCache();
  53. $this->cachedNestedGroups = new CappedMemoryCache();
  54. $this->groupPluginManager = $groupPluginManager;
  55. $this->logger = Server::get(LoggerInterface::class);
  56. $this->ldapGroupMemberAssocAttr = strtolower((string)$gAssoc);
  57. $this->config = $config;
  58. $this->ncUserManager = $ncUserManager;
  59. }
  60. /**
  61. * Check if user is in group
  62. *
  63. * @param string $uid uid of the user
  64. * @param string $gid gid of the group
  65. * @throws Exception
  66. * @throws ServerNotAvailableException
  67. */
  68. public function inGroup($uid, $gid): bool {
  69. if (!$this->enabled) {
  70. return false;
  71. }
  72. $cacheKey = 'inGroup' . $uid . ':' . $gid;
  73. $inGroup = $this->access->connection->getFromCache($cacheKey);
  74. if (!is_null($inGroup)) {
  75. return (bool)$inGroup;
  76. }
  77. $userDN = $this->access->username2dn($uid);
  78. if (isset($this->cachedGroupMembers[$gid])) {
  79. return in_array($userDN, $this->cachedGroupMembers[$gid]);
  80. }
  81. $cacheKeyMembers = 'inGroup-members:' . $gid;
  82. $members = $this->access->connection->getFromCache($cacheKeyMembers);
  83. if (!is_null($members)) {
  84. $this->cachedGroupMembers[$gid] = $members;
  85. $isInGroup = in_array($userDN, $members, true);
  86. $this->access->connection->writeToCache($cacheKey, $isInGroup);
  87. return $isInGroup;
  88. }
  89. $groupDN = $this->access->groupname2dn($gid);
  90. // just in case
  91. if (!$groupDN || !$userDN) {
  92. $this->access->connection->writeToCache($cacheKey, false);
  93. return false;
  94. }
  95. //check primary group first
  96. if ($gid === $this->getUserPrimaryGroup($userDN)) {
  97. $this->access->connection->writeToCache($cacheKey, true);
  98. return true;
  99. }
  100. //usually, LDAP attributes are said to be case insensitive. But there are exceptions of course.
  101. $members = $this->_groupMembers($groupDN);
  102. //extra work if we don't get back user DNs
  103. switch ($this->ldapGroupMemberAssocAttr) {
  104. case 'memberuid':
  105. case 'zimbramailforwardingaddress':
  106. $requestAttributes = $this->access->userManager->getAttributes(true);
  107. $users = [];
  108. $filterParts = [];
  109. $bytes = 0;
  110. foreach ($members as $mid) {
  111. if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') {
  112. $parts = explode('@', $mid); //making sure we get only the uid
  113. $mid = $parts[0];
  114. }
  115. $filter = str_replace('%uid', $mid, $this->access->connection->ldapLoginFilter);
  116. $filterParts[] = $filter;
  117. $bytes += strlen($filter);
  118. if ($bytes >= 9000000) {
  119. // AD has a default input buffer of 10 MB, we do not want
  120. // to take even the chance to exceed it
  121. // so we fetch results with the filterParts we collected so far
  122. $filter = $this->access->combineFilterWithOr($filterParts);
  123. $search = $this->access->fetchListOfUsers($filter, $requestAttributes, count($filterParts));
  124. $bytes = 0;
  125. $filterParts = [];
  126. $users = array_merge($users, $search);
  127. }
  128. }
  129. if (count($filterParts) > 0) {
  130. // if there are filterParts left we need to add their result
  131. $filter = $this->access->combineFilterWithOr($filterParts);
  132. $search = $this->access->fetchListOfUsers($filter, $requestAttributes, count($filterParts));
  133. $users = array_merge($users, $search);
  134. }
  135. // now we cleanup the users array to get only dns
  136. $dns = [];
  137. foreach ($users as $record) {
  138. $dns[$record['dn'][0]] = 1;
  139. }
  140. $members = array_keys($dns);
  141. break;
  142. }
  143. if (count($members) === 0) {
  144. $this->access->connection->writeToCache($cacheKey, false);
  145. return false;
  146. }
  147. $isInGroup = in_array($userDN, $members);
  148. $this->access->connection->writeToCache($cacheKey, $isInGroup);
  149. $this->access->connection->writeToCache($cacheKeyMembers, $members);
  150. $this->cachedGroupMembers[$gid] = $members;
  151. return $isInGroup;
  152. }
  153. /**
  154. * For a group that has user membership defined by an LDAP search url
  155. * attribute returns the users that match the search url otherwise returns
  156. * an empty array.
  157. *
  158. * @throws ServerNotAvailableException
  159. */
  160. public function getDynamicGroupMembers(string $dnGroup): array {
  161. $dynamicGroupMemberURL = strtolower((string)$this->access->connection->ldapDynamicGroupMemberURL);
  162. if (empty($dynamicGroupMemberURL)) {
  163. return [];
  164. }
  165. $dynamicMembers = [];
  166. $memberURLs = $this->access->readAttribute(
  167. $dnGroup,
  168. $dynamicGroupMemberURL,
  169. $this->access->connection->ldapGroupFilter
  170. );
  171. if ($memberURLs !== false) {
  172. // this group has the 'memberURL' attribute so this is a dynamic group
  173. // example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
  174. // example 2: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(&(o=HeadOffice)(uidNumber>=500))
  175. $pos = strpos($memberURLs[0], '(');
  176. if ($pos !== false) {
  177. $memberUrlFilter = substr($memberURLs[0], $pos);
  178. $foundMembers = $this->access->searchUsers($memberUrlFilter, ['dn']);
  179. $dynamicMembers = [];
  180. foreach ($foundMembers as $value) {
  181. $dynamicMembers[$value['dn'][0]] = 1;
  182. }
  183. } else {
  184. $this->logger->debug('No search filter found on member url of group {dn}',
  185. [
  186. 'app' => 'user_ldap',
  187. 'dn' => $dnGroup,
  188. ]
  189. );
  190. }
  191. }
  192. return $dynamicMembers;
  193. }
  194. /**
  195. * Get group members from dn.
  196. * @psalm-param array<string, bool> $seen List of DN that have already been processed.
  197. * @throws ServerNotAvailableException
  198. */
  199. private function _groupMembers(string $dnGroup, array $seen = [], bool &$recursive = false): array {
  200. if (isset($seen[$dnGroup])) {
  201. $recursive = true;
  202. return [];
  203. }
  204. $seen[$dnGroup] = true;
  205. // used extensively in cron job, caching makes sense for nested groups
  206. $cacheKey = '_groupMembers' . $dnGroup;
  207. $groupMembers = $this->access->connection->getFromCache($cacheKey);
  208. if ($groupMembers !== null) {
  209. return $groupMembers;
  210. }
  211. if ($this->access->connection->ldapNestedGroups
  212. && $this->access->connection->useMemberOfToDetectMembership
  213. && $this->access->connection->hasMemberOfFilterSupport
  214. && $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE
  215. ) {
  216. $attemptedLdapMatchingRuleInChain = true;
  217. // Use matching rule 1.2.840.113556.1.4.1941 if available (LDAP_MATCHING_RULE_IN_CHAIN)
  218. $filter = $this->access->combineFilterWithAnd([
  219. $this->access->connection->ldapUserFilter,
  220. $this->access->connection->ldapUserDisplayName . '=*',
  221. 'memberof:1.2.840.113556.1.4.1941:=' . $dnGroup
  222. ]);
  223. $memberRecords = $this->access->fetchListOfUsers(
  224. $filter,
  225. $this->access->userManager->getAttributes(true)
  226. );
  227. $result = array_reduce($memberRecords, function ($carry, $record) {
  228. $carry[] = $record['dn'][0];
  229. return $carry;
  230. }, []);
  231. if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) {
  232. $this->access->connection->writeToCache($cacheKey, $result);
  233. return $result;
  234. } elseif (!empty($memberRecords)) {
  235. $this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
  236. $this->access->connection->saveConfiguration();
  237. $this->access->connection->writeToCache($cacheKey, $result);
  238. return $result;
  239. }
  240. // when feature availability is unknown, and the result is empty, continue and test with original approach
  241. }
  242. $allMembers = [];
  243. $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
  244. if (is_array($members)) {
  245. if ((int)$this->access->connection->ldapNestedGroups === 1) {
  246. while ($recordDn = array_shift($members)) {
  247. $nestedMembers = $this->_groupMembers($recordDn, $seen, $recursive);
  248. if (!empty($nestedMembers)) {
  249. // Group, queue its members for processing
  250. $members = array_merge($members, $nestedMembers);
  251. } else {
  252. // User (or empty group, or previously seen group), add it to the member list
  253. $allMembers[] = $recordDn;
  254. }
  255. }
  256. } else {
  257. $allMembers = $members;
  258. }
  259. }
  260. $allMembers += $this->getDynamicGroupMembers($dnGroup);
  261. $allMembers = array_unique($allMembers);
  262. // A group cannot be a member of itself
  263. $index = array_search($dnGroup, $allMembers, true);
  264. if ($index !== false) {
  265. unset($allMembers[$index]);
  266. }
  267. if (!$recursive) {
  268. $this->access->connection->writeToCache($cacheKey, $allMembers);
  269. }
  270. if (isset($attemptedLdapMatchingRuleInChain)
  271. && $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
  272. && !empty($allMembers)
  273. ) {
  274. $this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
  275. $this->access->connection->saveConfiguration();
  276. }
  277. return $allMembers;
  278. }
  279. /**
  280. * @return string[]
  281. * @throws ServerNotAvailableException
  282. */
  283. private function _getGroupDNsFromMemberOf(string $dn, array &$seen = []): array {
  284. if (isset($seen[$dn])) {
  285. return [];
  286. }
  287. $seen[$dn] = true;
  288. if (isset($this->cachedNestedGroups[$dn])) {
  289. return $this->cachedNestedGroups[$dn];
  290. }
  291. $allGroups = [];
  292. $groups = $this->access->readAttribute($dn, 'memberOf');
  293. if (is_array($groups)) {
  294. if ((int)$this->access->connection->ldapNestedGroups === 1) {
  295. while ($recordDn = array_shift($groups)) {
  296. $nestedParents = $this->_getGroupDNsFromMemberOf($recordDn, $seen);
  297. $groups = array_merge($groups, $nestedParents);
  298. $allGroups[] = $recordDn;
  299. }
  300. } else {
  301. $allGroups = $groups;
  302. }
  303. }
  304. // We do not perform array_unique here at it is done in getUserGroups later
  305. $this->cachedNestedGroups[$dn] = $allGroups;
  306. return $this->filterValidGroups($allGroups);
  307. }
  308. /**
  309. * Translates a gidNumber into the Nextcloud internal name.
  310. *
  311. * @return string|false The nextcloud internal name.
  312. * @throws Exception
  313. * @throws ServerNotAvailableException
  314. */
  315. public function gidNumber2Name(string $gid, string $dn) {
  316. $cacheKey = 'gidNumberToName' . $gid;
  317. $groupName = $this->access->connection->getFromCache($cacheKey);
  318. if (!is_null($groupName) && isset($groupName)) {
  319. return $groupName;
  320. }
  321. //we need to get the DN from LDAP
  322. $filter = $this->access->combineFilterWithAnd([
  323. $this->access->connection->ldapGroupFilter,
  324. 'objectClass=posixGroup',
  325. $this->access->connection->ldapGidNumber . '=' . $gid
  326. ]);
  327. return $this->getNameOfGroup($filter, $cacheKey) ?? false;
  328. }
  329. /**
  330. * @return string|null|false The name of the group
  331. * @throws ServerNotAvailableException
  332. * @throws Exception
  333. */
  334. private function getNameOfGroup(string $filter, string $cacheKey) {
  335. $result = $this->access->searchGroups($filter, ['dn'], 1);
  336. if (empty($result)) {
  337. $this->access->connection->writeToCache($cacheKey, false);
  338. return null;
  339. }
  340. $dn = $result[0]['dn'][0];
  341. //and now the group name
  342. //NOTE once we have separate Nextcloud group IDs and group names we can
  343. //directly read the display name attribute instead of the DN
  344. $name = $this->access->dn2groupname($dn);
  345. $this->access->connection->writeToCache($cacheKey, $name);
  346. return $name;
  347. }
  348. /**
  349. * @return string|bool The entry's gidNumber
  350. * @throws ServerNotAvailableException
  351. */
  352. private function getEntryGidNumber(string $dn, string $attribute) {
  353. $value = $this->access->readAttribute($dn, $attribute);
  354. if (is_array($value) && !empty($value)) {
  355. return $value[0];
  356. }
  357. return false;
  358. }
  359. /**
  360. * @return string|bool The group's gidNumber
  361. * @throws ServerNotAvailableException
  362. */
  363. public function getGroupGidNumber(string $dn) {
  364. return $this->getEntryGidNumber($dn, 'gidNumber');
  365. }
  366. /**
  367. * @return string|bool The user's gidNumber
  368. * @throws ServerNotAvailableException
  369. */
  370. public function getUserGidNumber(string $dn) {
  371. $gidNumber = false;
  372. if ($this->access->connection->hasGidNumber) {
  373. // FIXME: when $dn does not exist on LDAP anymore, this will be set wrongly to false :/
  374. $gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
  375. if ($gidNumber === false) {
  376. $this->access->connection->hasGidNumber = false;
  377. }
  378. }
  379. return $gidNumber;
  380. }
  381. /**
  382. * @throws ServerNotAvailableException
  383. * @throws Exception
  384. */
  385. private function prepareFilterForUsersHasGidNumber(string $groupDN, string $search = ''): string {
  386. $groupID = $this->getGroupGidNumber($groupDN);
  387. if ($groupID === false) {
  388. throw new Exception('Not a valid group');
  389. }
  390. $filterParts = [];
  391. $filterParts[] = $this->access->getFilterForUserCount();
  392. if ($search !== '') {
  393. $filterParts[] = $this->access->getFilterPartForUserSearch($search);
  394. }
  395. $filterParts[] = $this->access->connection->ldapGidNumber . '=' . $groupID;
  396. return $this->access->combineFilterWithAnd($filterParts);
  397. }
  398. /**
  399. * @return array<int,string> A list of users that have the given group as gid number
  400. * @throws ServerNotAvailableException
  401. */
  402. public function getUsersInGidNumber(
  403. string $groupDN,
  404. string $search = '',
  405. ?int $limit = -1,
  406. ?int $offset = 0
  407. ): array {
  408. try {
  409. $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
  410. $users = $this->access->fetchListOfUsers(
  411. $filter,
  412. $this->access->userManager->getAttributes(true),
  413. $limit,
  414. $offset
  415. );
  416. return $this->access->nextcloudUserNames($users);
  417. } catch (ServerNotAvailableException $e) {
  418. throw $e;
  419. } catch (Exception $e) {
  420. return [];
  421. }
  422. }
  423. /**
  424. * @throws ServerNotAvailableException
  425. * @return false|string
  426. */
  427. public function getUserGroupByGid(string $dn) {
  428. $groupID = $this->getUserGidNumber($dn);
  429. if ($groupID !== false) {
  430. $groupName = $this->gidNumber2Name($groupID, $dn);
  431. if ($groupName !== false) {
  432. return $groupName;
  433. }
  434. }
  435. return false;
  436. }
  437. /**
  438. * Translates a primary group ID into an Nextcloud internal name
  439. *
  440. * @return string|false
  441. * @throws Exception
  442. * @throws ServerNotAvailableException
  443. */
  444. public function primaryGroupID2Name(string $gid, string $dn) {
  445. $cacheKey = 'primaryGroupIDtoName_' . $gid;
  446. $groupName = $this->access->connection->getFromCache($cacheKey);
  447. if (!is_null($groupName)) {
  448. return $groupName;
  449. }
  450. $domainObjectSid = $this->access->getSID($dn);
  451. if ($domainObjectSid === false) {
  452. return false;
  453. }
  454. //we need to get the DN from LDAP
  455. $filter = $this->access->combineFilterWithAnd([
  456. $this->access->connection->ldapGroupFilter,
  457. 'objectsid=' . $domainObjectSid . '-' . $gid
  458. ]);
  459. return $this->getNameOfGroup($filter, $cacheKey) ?? false;
  460. }
  461. /**
  462. * @return string|false The entry's group Id
  463. * @throws ServerNotAvailableException
  464. */
  465. private function getEntryGroupID(string $dn, string $attribute) {
  466. $value = $this->access->readAttribute($dn, $attribute);
  467. if (is_array($value) && !empty($value)) {
  468. return $value[0];
  469. }
  470. return false;
  471. }
  472. /**
  473. * @return string|false The entry's primary group Id
  474. * @throws ServerNotAvailableException
  475. */
  476. public function getGroupPrimaryGroupID(string $dn) {
  477. return $this->getEntryGroupID($dn, 'primaryGroupToken');
  478. }
  479. /**
  480. * @return string|false
  481. * @throws ServerNotAvailableException
  482. */
  483. public function getUserPrimaryGroupIDs(string $dn) {
  484. $primaryGroupID = false;
  485. if ($this->access->connection->hasPrimaryGroups) {
  486. $primaryGroupID = $this->getEntryGroupID($dn, 'primaryGroupID');
  487. if ($primaryGroupID === false) {
  488. $this->access->connection->hasPrimaryGroups = false;
  489. }
  490. }
  491. return $primaryGroupID;
  492. }
  493. /**
  494. * @throws Exception
  495. * @throws ServerNotAvailableException
  496. */
  497. private function prepareFilterForUsersInPrimaryGroup(string $groupDN, string $search = ''): string {
  498. $groupID = $this->getGroupPrimaryGroupID($groupDN);
  499. if ($groupID === false) {
  500. throw new Exception('Not a valid group');
  501. }
  502. $filterParts = [];
  503. $filterParts[] = $this->access->getFilterForUserCount();
  504. if ($search !== '') {
  505. $filterParts[] = $this->access->getFilterPartForUserSearch($search);
  506. }
  507. $filterParts[] = 'primaryGroupID=' . $groupID;
  508. return $this->access->combineFilterWithAnd($filterParts);
  509. }
  510. /**
  511. * @throws ServerNotAvailableException
  512. * @return array<int,string>
  513. */
  514. public function getUsersInPrimaryGroup(
  515. string $groupDN,
  516. string $search = '',
  517. ?int $limit = -1,
  518. ?int $offset = 0
  519. ): array {
  520. try {
  521. $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
  522. $users = $this->access->fetchListOfUsers(
  523. $filter,
  524. $this->access->userManager->getAttributes(true),
  525. $limit,
  526. $offset
  527. );
  528. return $this->access->nextcloudUserNames($users);
  529. } catch (ServerNotAvailableException $e) {
  530. throw $e;
  531. } catch (Exception $e) {
  532. return [];
  533. }
  534. }
  535. /**
  536. * @throws ServerNotAvailableException
  537. */
  538. public function countUsersInPrimaryGroup(
  539. string $groupDN,
  540. string $search = '',
  541. int $limit = -1,
  542. int $offset = 0
  543. ): int {
  544. try {
  545. $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
  546. $users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
  547. return (int)$users;
  548. } catch (ServerNotAvailableException $e) {
  549. throw $e;
  550. } catch (Exception $e) {
  551. return 0;
  552. }
  553. }
  554. /**
  555. * @return string|false
  556. * @throws ServerNotAvailableException
  557. */
  558. public function getUserPrimaryGroup(string $dn) {
  559. $groupID = $this->getUserPrimaryGroupIDs($dn);
  560. if ($groupID !== false) {
  561. $groupName = $this->primaryGroupID2Name($groupID, $dn);
  562. if ($groupName !== false) {
  563. return $groupName;
  564. }
  565. }
  566. return false;
  567. }
  568. private function isUserOnLDAP(string $uid): bool {
  569. // forces a user exists check - but does not help if a positive result is cached, while group info is not
  570. $ncUser = $this->ncUserManager->get($uid);
  571. if ($ncUser === null) {
  572. return false;
  573. }
  574. $backend = $ncUser->getBackend();
  575. if ($backend instanceof User_Proxy) {
  576. // ignoring cache as safeguard (and we are behind the group cache check anyway)
  577. return $backend->userExistsOnLDAP($uid, true);
  578. }
  579. return false;
  580. }
  581. protected function getCachedGroupsForUserId(string $uid): array {
  582. $groupStr = $this->config->getUserValue($uid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), '[]');
  583. return json_decode($groupStr, true) ?? [];
  584. }
  585. /**
  586. * This function fetches all groups a user belongs to. It does not check
  587. * if the user exists at all.
  588. *
  589. * This function includes groups based on dynamic group membership.
  590. *
  591. * @param string $uid Name of the user
  592. * @return string[] Group names
  593. * @throws Exception
  594. * @throws ServerNotAvailableException
  595. */
  596. public function getUserGroups($uid): array {
  597. if (!$this->enabled) {
  598. return [];
  599. }
  600. $ncUid = $uid;
  601. $cacheKey = 'getUserGroups' . $uid;
  602. $userGroups = $this->access->connection->getFromCache($cacheKey);
  603. if (!is_null($userGroups)) {
  604. return $userGroups;
  605. }
  606. $user = $this->access->userManager->get($uid);
  607. if ($user instanceof OfflineUser) {
  608. // We load known group memberships from configuration for remnants,
  609. // because LDAP server does not contain them anymore
  610. return $this->getCachedGroupsForUserId($uid);
  611. }
  612. $userDN = $this->access->username2dn($uid);
  613. if (!$userDN) {
  614. $this->access->connection->writeToCache($cacheKey, []);
  615. return [];
  616. }
  617. $groups = [];
  618. $primaryGroup = $this->getUserPrimaryGroup($userDN);
  619. $gidGroupName = $this->getUserGroupByGid($userDN);
  620. $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
  621. if (!empty($dynamicGroupMemberURL)) {
  622. // look through dynamic groups to add them to the result array if needed
  623. $groupsToMatch = $this->access->fetchListOfGroups(
  624. $this->access->connection->ldapGroupFilter, ['dn', $dynamicGroupMemberURL]);
  625. foreach ($groupsToMatch as $dynamicGroup) {
  626. if (!isset($dynamicGroup[$dynamicGroupMemberURL][0])) {
  627. continue;
  628. }
  629. $pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
  630. if ($pos !== false) {
  631. $memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0], $pos);
  632. // apply filter via ldap search to see if this user is in this
  633. // dynamic group
  634. $userMatch = $this->access->readAttribute(
  635. $userDN,
  636. $this->access->connection->ldapUserDisplayName,
  637. $memberUrlFilter
  638. );
  639. if ($userMatch !== false) {
  640. // match found so this user is in this group
  641. $groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
  642. if (is_string($groupName)) {
  643. // be sure to never return false if the dn could not be
  644. // resolved to a name, for whatever reason.
  645. $groups[] = $groupName;
  646. }
  647. }
  648. } else {
  649. $this->logger->debug('No search filter found on member url of group {dn}',
  650. [
  651. 'app' => 'user_ldap',
  652. 'dn' => $dynamicGroup,
  653. ]
  654. );
  655. }
  656. }
  657. }
  658. // if possible, read out membership via memberOf. It's far faster than
  659. // performing a search, which still is a fallback later.
  660. // memberof doesn't support memberuid, so skip it here.
  661. if ((int)$this->access->connection->hasMemberOfFilterSupport === 1
  662. && (int)$this->access->connection->useMemberOfToDetectMembership === 1
  663. && $this->ldapGroupMemberAssocAttr !== 'memberuid'
  664. && $this->ldapGroupMemberAssocAttr !== 'zimbramailforwardingaddress') {
  665. $groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
  666. foreach ($groupDNs as $dn) {
  667. $groupName = $this->access->dn2groupname($dn);
  668. if (is_string($groupName)) {
  669. // be sure to never return false if the dn could not be
  670. // resolved to a name, for whatever reason.
  671. $groups[] = $groupName;
  672. }
  673. }
  674. } else {
  675. // uniqueMember takes DN, memberuid the uid, so we need to distinguish
  676. switch ($this->ldapGroupMemberAssocAttr) {
  677. case 'uniquemember':
  678. case 'member':
  679. $uid = $userDN;
  680. break;
  681. case 'memberuid':
  682. case 'zimbramailforwardingaddress':
  683. $result = $this->access->readAttribute($userDN, 'uid');
  684. if ($result === false) {
  685. $this->logger->debug('No uid attribute found for DN {dn} on {host}',
  686. [
  687. 'app' => 'user_ldap',
  688. 'dn' => $userDN,
  689. 'host' => $this->access->connection->ldapHost,
  690. ]
  691. );
  692. $uid = false;
  693. } else {
  694. $uid = $result[0];
  695. }
  696. break;
  697. default:
  698. // just in case
  699. $uid = $userDN;
  700. break;
  701. }
  702. if ($uid !== false) {
  703. $groupsByMember = array_values($this->getGroupsByMember($uid));
  704. $groupsByMember = $this->access->nextcloudGroupNames($groupsByMember);
  705. $groups = array_merge($groups, $groupsByMember);
  706. }
  707. }
  708. if ($primaryGroup !== false) {
  709. $groups[] = $primaryGroup;
  710. }
  711. if ($gidGroupName !== false) {
  712. $groups[] = $gidGroupName;
  713. }
  714. if (empty($groups) && !$this->isUserOnLDAP($ncUid)) {
  715. // Groups are enabled, but you user has none? Potentially suspicious:
  716. // it could be that the user was deleted from LDAP, but we are not
  717. // aware of it yet.
  718. $groups = $this->getCachedGroupsForUserId($ncUid);
  719. $this->access->connection->writeToCache($cacheKey, $groups);
  720. return $groups;
  721. }
  722. $groups = array_values(array_unique($groups, SORT_LOCALE_STRING));
  723. $this->access->connection->writeToCache($cacheKey, $groups);
  724. $groupStr = \json_encode($groups);
  725. $this->config->setUserValue($ncUid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), $groupStr);
  726. return $groups;
  727. }
  728. /**
  729. * @return array[]
  730. * @throws ServerNotAvailableException
  731. */
  732. private function getGroupsByMember(string $dn, array &$seen = []): array {
  733. if (isset($seen[$dn])) {
  734. return [];
  735. }
  736. $seen[$dn] = true;
  737. if (isset($this->cachedGroupsByMember[$dn])) {
  738. return $this->cachedGroupsByMember[$dn];
  739. }
  740. $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
  741. if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') {
  742. //in this case the member entries are email addresses
  743. $filter .= '@*';
  744. }
  745. $nesting = (int)$this->access->connection->ldapNestedGroups;
  746. if ($nesting === 0) {
  747. $filter = $this->access->combineFilterWithAnd([$filter, $this->access->connection->ldapGroupFilter]);
  748. }
  749. $allGroups = [];
  750. $groups = $this->access->fetchListOfGroups($filter,
  751. [strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
  752. if ($nesting === 1) {
  753. while ($record = array_shift($groups)) {
  754. // Note: this has no effect when ldapGroupMemberAssocAttr is uid based
  755. $nestedParents = $this->getGroupsByMember($record['dn'][0], $seen);
  756. $groups = array_merge($groups, $nestedParents);
  757. $allGroups[] = $record;
  758. }
  759. } else {
  760. $allGroups = $groups;
  761. }
  762. $visibleGroups = $this->filterValidGroups($allGroups);
  763. $this->cachedGroupsByMember[$dn] = $visibleGroups;
  764. return $visibleGroups;
  765. }
  766. /**
  767. * get a list of all users in a group
  768. *
  769. * @param string $gid
  770. * @param string $search
  771. * @param int $limit
  772. * @param int $offset
  773. * @return array<int,string> user ids
  774. * @throws Exception
  775. * @throws ServerNotAvailableException
  776. */
  777. public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
  778. if (!$this->enabled) {
  779. return [];
  780. }
  781. if (!$this->groupExists($gid)) {
  782. return [];
  783. }
  784. $search = $this->access->escapeFilterPart($search, true);
  785. $cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
  786. // check for cache of the exact query
  787. $groupUsers = $this->access->connection->getFromCache($cacheKey);
  788. if (!is_null($groupUsers)) {
  789. return $groupUsers;
  790. }
  791. if ($limit === -1) {
  792. $limit = null;
  793. }
  794. // check for cache of the query without limit and offset
  795. $groupUsers = $this->access->connection->getFromCache('usersInGroup-' . $gid . '-' . $search);
  796. if (!is_null($groupUsers)) {
  797. $groupUsers = array_slice($groupUsers, $offset, $limit);
  798. $this->access->connection->writeToCache($cacheKey, $groupUsers);
  799. return $groupUsers;
  800. }
  801. $groupDN = $this->access->groupname2dn($gid);
  802. if (!$groupDN) {
  803. // group couldn't be found, return empty result-set
  804. $this->access->connection->writeToCache($cacheKey, []);
  805. return [];
  806. }
  807. $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
  808. $posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
  809. $members = $this->_groupMembers($groupDN);
  810. if (!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
  811. //in case users could not be retrieved, return empty result set
  812. $this->access->connection->writeToCache($cacheKey, []);
  813. return [];
  814. }
  815. $groupUsers = [];
  816. $attrs = $this->access->userManager->getAttributes(true);
  817. foreach ($members as $member) {
  818. switch ($this->ldapGroupMemberAssocAttr) {
  819. /** @noinspection PhpMissingBreakStatementInspection */
  820. case 'zimbramailforwardingaddress':
  821. //we get email addresses and need to convert them to uids
  822. $parts = explode('@', $member);
  823. $member = $parts[0];
  824. //no break needed because we just needed to remove the email part and now we have uids
  825. case 'memberuid':
  826. //we got uids, need to get their DNs to 'translate' them to user names
  827. $filter = $this->access->combineFilterWithAnd([
  828. str_replace('%uid', trim($member), $this->access->connection->ldapLoginFilter),
  829. $this->access->combineFilterWithAnd([
  830. $this->access->getFilterPartForUserSearch($search),
  831. $this->access->connection->ldapUserFilter
  832. ])
  833. ]);
  834. $ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
  835. if (empty($ldap_users)) {
  836. break;
  837. }
  838. $uid = $this->access->dn2username($ldap_users[0]['dn'][0]);
  839. if (!$uid) {
  840. break;
  841. }
  842. $groupUsers[] = $uid;
  843. break;
  844. default:
  845. //we got DNs, check if we need to filter by search or we can give back all of them
  846. $uid = $this->access->dn2username($member);
  847. if (!$uid) {
  848. break;
  849. }
  850. $cacheKey = 'userExistsOnLDAP' . $uid;
  851. $userExists = $this->access->connection->getFromCache($cacheKey);
  852. if ($userExists === false) {
  853. break;
  854. }
  855. if ($userExists === null || $search !== '') {
  856. if (!$this->access->readAttribute($member,
  857. $this->access->connection->ldapUserDisplayName,
  858. $this->access->combineFilterWithAnd([
  859. $this->access->getFilterPartForUserSearch($search),
  860. $this->access->connection->ldapUserFilter
  861. ]))) {
  862. if ($search === '') {
  863. $this->access->connection->writeToCache($cacheKey, false);
  864. }
  865. break;
  866. }
  867. $this->access->connection->writeToCache($cacheKey, true);
  868. }
  869. $groupUsers[] = $uid;
  870. break;
  871. }
  872. }
  873. $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
  874. natsort($groupUsers);
  875. $this->access->connection->writeToCache('usersInGroup-' . $gid . '-' . $search, $groupUsers);
  876. $groupUsers = array_slice($groupUsers, $offset, $limit);
  877. $this->access->connection->writeToCache($cacheKey, $groupUsers);
  878. return $groupUsers;
  879. }
  880. /**
  881. * returns the number of users in a group, who match the search term
  882. *
  883. * @param string $gid the internal group name
  884. * @param string $search optional, a search string
  885. * @return int|bool
  886. * @throws Exception
  887. * @throws ServerNotAvailableException
  888. */
  889. public function countUsersInGroup($gid, $search = '') {
  890. if ($this->groupPluginManager->implementsActions(GroupInterface::COUNT_USERS)) {
  891. return $this->groupPluginManager->countUsersInGroup($gid, $search);
  892. }
  893. $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
  894. if (!$this->enabled || !$this->groupExists($gid)) {
  895. return false;
  896. }
  897. $groupUsers = $this->access->connection->getFromCache($cacheKey);
  898. if (!is_null($groupUsers)) {
  899. return $groupUsers;
  900. }
  901. $groupDN = $this->access->groupname2dn($gid);
  902. if (!$groupDN) {
  903. // group couldn't be found, return empty result set
  904. $this->access->connection->writeToCache($cacheKey, false);
  905. return false;
  906. }
  907. $members = $this->_groupMembers($groupDN);
  908. $primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
  909. if (!$members && $primaryUserCount === 0) {
  910. //in case users could not be retrieved, return empty result set
  911. $this->access->connection->writeToCache($cacheKey, false);
  912. return false;
  913. }
  914. if ($search === '') {
  915. $groupUsers = count($members) + $primaryUserCount;
  916. $this->access->connection->writeToCache($cacheKey, $groupUsers);
  917. return $groupUsers;
  918. }
  919. $search = $this->access->escapeFilterPart($search, true);
  920. $isMemberUid =
  921. ($this->ldapGroupMemberAssocAttr === 'memberuid' ||
  922. $this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress');
  923. //we need to apply the search filter
  924. //alternatives that need to be checked:
  925. //a) get all users by search filter and array_intersect them
  926. //b) a, but only when less than 1k 10k ?k users like it is
  927. //c) put all DNs|uids in a LDAP filter, combine with the search string
  928. // and let it count.
  929. //For now this is not important, because the only use of this method
  930. //does not supply a search string
  931. $groupUsers = [];
  932. foreach ($members as $member) {
  933. if ($isMemberUid) {
  934. if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') {
  935. //we get email addresses and need to convert them to uids
  936. $parts = explode('@', $member);
  937. $member = $parts[0];
  938. }
  939. //we got uids, need to get their DNs to 'translate' them to user names
  940. $filter = $this->access->combineFilterWithAnd([
  941. str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
  942. $this->access->getFilterPartForUserSearch($search)
  943. ]);
  944. $ldap_users = $this->access->fetchListOfUsers($filter, ['dn'], 1);
  945. if (count($ldap_users) < 1) {
  946. continue;
  947. }
  948. $groupUsers[] = $this->access->dn2username($ldap_users[0]);
  949. } else {
  950. //we need to apply the search filter now
  951. if (!$this->access->readAttribute($member,
  952. $this->access->connection->ldapUserDisplayName,
  953. $this->access->getFilterPartForUserSearch($search))) {
  954. continue;
  955. }
  956. // dn2username will also check if the users belong to the allowed base
  957. if ($ncGroupId = $this->access->dn2username($member)) {
  958. $groupUsers[] = $ncGroupId;
  959. }
  960. }
  961. }
  962. //and get users that have the group as primary
  963. $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
  964. return count($groupUsers) + $primaryUsers;
  965. }
  966. /**
  967. * get a list of all groups using a paged search
  968. *
  969. * @param string $search
  970. * @param int $limit
  971. * @param int $offset
  972. * @return array with group names
  973. *
  974. * Returns a list with all groups
  975. * Uses a paged search if available to override a
  976. * server side search limit.
  977. * (active directory has a limit of 1000 by default)
  978. * @throws Exception
  979. */
  980. public function getGroups($search = '', $limit = -1, $offset = 0) {
  981. if (!$this->enabled) {
  982. return [];
  983. }
  984. $search = $this->access->escapeFilterPart($search, true);
  985. $cacheKey = 'getGroups-' . $search . '-' . $limit . '-' . $offset;
  986. //Check cache before driving unnecessary searches
  987. $ldap_groups = $this->access->connection->getFromCache($cacheKey);
  988. if (!is_null($ldap_groups)) {
  989. return $ldap_groups;
  990. }
  991. // if we'd pass -1 to LDAP search, we'd end up in a Protocol
  992. // error. With a limit of 0, we get 0 results. So we pass null.
  993. if ($limit <= 0) {
  994. $limit = null;
  995. }
  996. $filter = $this->access->combineFilterWithAnd([
  997. $this->access->connection->ldapGroupFilter,
  998. $this->access->getFilterPartForGroupSearch($search)
  999. ]);
  1000. $ldap_groups = $this->access->fetchListOfGroups($filter,
  1001. [$this->access->connection->ldapGroupDisplayName, 'dn'],
  1002. $limit,
  1003. $offset);
  1004. $ldap_groups = $this->access->nextcloudGroupNames($ldap_groups);
  1005. $this->access->connection->writeToCache($cacheKey, $ldap_groups);
  1006. return $ldap_groups;
  1007. }
  1008. /**
  1009. * check if a group exists
  1010. *
  1011. * @param string $gid
  1012. * @return bool
  1013. * @throws ServerNotAvailableException
  1014. */
  1015. public function groupExists($gid) {
  1016. return $this->groupExistsOnLDAP($gid, false);
  1017. }
  1018. /**
  1019. * Check if a group exists
  1020. *
  1021. * @throws ServerNotAvailableException
  1022. */
  1023. public function groupExistsOnLDAP(string $gid, bool $ignoreCache = false): bool {
  1024. $cacheKey = 'groupExists' . $gid;
  1025. if (!$ignoreCache) {
  1026. $groupExists = $this->access->connection->getFromCache($cacheKey);
  1027. if (!is_null($groupExists)) {
  1028. return (bool)$groupExists;
  1029. }
  1030. }
  1031. //getting dn, if false the group does not exist. If dn, it may be mapped
  1032. //only, requires more checking.
  1033. $dn = $this->access->groupname2dn($gid);
  1034. if (!$dn) {
  1035. $this->access->connection->writeToCache($cacheKey, false);
  1036. return false;
  1037. }
  1038. if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) {
  1039. $this->access->connection->writeToCache($cacheKey, false);
  1040. return false;
  1041. }
  1042. //if group really still exists, we will be able to read its objectClass
  1043. if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) {
  1044. $this->access->connection->writeToCache($cacheKey, false);
  1045. return false;
  1046. }
  1047. $this->access->connection->writeToCache($cacheKey, true);
  1048. return true;
  1049. }
  1050. /**
  1051. * @template T
  1052. * @param array<array-key, T> $listOfGroups
  1053. * @return array<array-key, T>
  1054. * @throws ServerNotAvailableException
  1055. * @throws Exception
  1056. */
  1057. protected function filterValidGroups(array $listOfGroups): array {
  1058. $validGroupDNs = [];
  1059. foreach ($listOfGroups as $key => $item) {
  1060. $dn = is_string($item) ? $item : $item['dn'][0];
  1061. if (is_array($item) && !isset($item[$this->access->connection->ldapGroupDisplayName][0])) {
  1062. continue;
  1063. }
  1064. $name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;
  1065. $gid = $this->access->dn2groupname($dn, $name);
  1066. if (!$gid) {
  1067. continue;
  1068. }
  1069. if ($this->groupExists($gid)) {
  1070. $validGroupDNs[$key] = $item;
  1071. }
  1072. }
  1073. return $validGroupDNs;
  1074. }
  1075. /**
  1076. * Check if backend implements actions
  1077. *
  1078. * @param int $actions bitwise-or'ed actions
  1079. * @return boolean
  1080. *
  1081. * Returns the supported actions as int to be
  1082. * compared with GroupInterface::CREATE_GROUP etc.
  1083. */
  1084. public function implementsActions($actions): bool {
  1085. return (bool)((GroupInterface::COUNT_USERS |
  1086. GroupInterface::DELETE_GROUP |
  1087. GroupInterface::IS_ADMIN |
  1088. $this->groupPluginManager->getImplementedActions()) & $actions);
  1089. }
  1090. /**
  1091. * Return access for LDAP interaction.
  1092. *
  1093. * @return Access instance of Access for LDAP interaction
  1094. */
  1095. public function getLDAPAccess($gid) {
  1096. return $this->access;
  1097. }
  1098. /**
  1099. * create a group
  1100. *
  1101. * @param string $gid
  1102. * @return bool
  1103. * @throws Exception
  1104. * @throws ServerNotAvailableException
  1105. */
  1106. public function createGroup($gid) {
  1107. if ($this->groupPluginManager->implementsActions(GroupInterface::CREATE_GROUP)) {
  1108. if ($dn = $this->groupPluginManager->createGroup($gid)) {
  1109. //updates group mapping
  1110. $uuid = $this->access->getUUID($dn, false);
  1111. if (is_string($uuid)) {
  1112. $this->access->mapAndAnnounceIfApplicable(
  1113. $this->access->getGroupMapper(),
  1114. $dn,
  1115. $gid,
  1116. $uuid,
  1117. false
  1118. );
  1119. $this->access->cacheGroupExists($gid);
  1120. }
  1121. }
  1122. return $dn != null;
  1123. }
  1124. throw new Exception('Could not create group in LDAP backend.');
  1125. }
  1126. /**
  1127. * delete a group
  1128. *
  1129. * @param string $gid gid of the group to delete
  1130. * @throws Exception
  1131. */
  1132. public function deleteGroup(string $gid): bool {
  1133. if ($this->groupPluginManager->canDeleteGroup()) {
  1134. if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
  1135. // Delete group in nextcloud internal db
  1136. $this->access->getGroupMapper()->unmap($gid);
  1137. $this->access->connection->writeToCache('groupExists' . $gid, false);
  1138. }
  1139. return $ret;
  1140. }
  1141. // Getting dn, if false the group is not mapped
  1142. $dn = $this->access->groupname2dn($gid);
  1143. if (!$dn) {
  1144. throw new Exception('Could not delete unknown group '.$gid.' in LDAP backend.');
  1145. }
  1146. if (!$this->groupExists($gid)) {
  1147. // The group does not exist in the LDAP, remove the mapping
  1148. $this->access->getGroupMapper()->unmap($gid);
  1149. $this->access->connection->writeToCache('groupExists' . $gid, false);
  1150. return true;
  1151. }
  1152. throw new Exception('Could not delete existing group '.$gid.' in LDAP backend.');
  1153. }
  1154. /**
  1155. * Add a user to a group
  1156. *
  1157. * @param string $uid Name of the user to add to group
  1158. * @param string $gid Name of the group in which add the user
  1159. * @return bool
  1160. * @throws Exception
  1161. */
  1162. public function addToGroup($uid, $gid) {
  1163. if ($this->groupPluginManager->implementsActions(GroupInterface::ADD_TO_GROUP)) {
  1164. if ($ret = $this->groupPluginManager->addToGroup($uid, $gid)) {
  1165. $this->access->connection->clearCache();
  1166. unset($this->cachedGroupMembers[$gid]);
  1167. }
  1168. return $ret;
  1169. }
  1170. throw new Exception('Could not add user to group in LDAP backend.');
  1171. }
  1172. /**
  1173. * Removes a user from a group
  1174. *
  1175. * @param string $uid Name of the user to remove from group
  1176. * @param string $gid Name of the group from which remove the user
  1177. * @return bool
  1178. * @throws Exception
  1179. */
  1180. public function removeFromGroup($uid, $gid) {
  1181. if ($this->groupPluginManager->implementsActions(GroupInterface::REMOVE_FROM_GROUP)) {
  1182. if ($ret = $this->groupPluginManager->removeFromGroup($uid, $gid)) {
  1183. $this->access->connection->clearCache();
  1184. unset($this->cachedGroupMembers[$gid]);
  1185. }
  1186. return $ret;
  1187. }
  1188. throw new Exception('Could not remove user from group in LDAP backend.');
  1189. }
  1190. /**
  1191. * Gets group details
  1192. *
  1193. * @param string $gid Name of the group
  1194. * @return array|false
  1195. * @throws Exception
  1196. */
  1197. public function getGroupDetails($gid) {
  1198. if ($this->groupPluginManager->implementsActions(GroupInterface::GROUP_DETAILS)) {
  1199. return $this->groupPluginManager->getGroupDetails($gid);
  1200. }
  1201. throw new Exception('Could not get group details in LDAP backend.');
  1202. }
  1203. /**
  1204. * Return LDAP connection resource from a cloned connection.
  1205. * The cloned connection needs to be closed manually.
  1206. * of the current access.
  1207. *
  1208. * @param string $gid
  1209. * @return \LDAP\Connection The LDAP connection
  1210. * @throws ServerNotAvailableException
  1211. */
  1212. public function getNewLDAPConnection($gid): \LDAP\Connection {
  1213. $connection = clone $this->access->getConnection();
  1214. return $connection->getConnectionResource();
  1215. }
  1216. /**
  1217. * @throws ServerNotAvailableException
  1218. */
  1219. public function getDisplayName(string $gid): string {
  1220. if ($this->groupPluginManager instanceof IGetDisplayNameBackend) {
  1221. return $this->groupPluginManager->getDisplayName($gid);
  1222. }
  1223. $cacheKey = 'group_getDisplayName' . $gid;
  1224. if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) {
  1225. return $displayName;
  1226. }
  1227. $displayName = $this->access->readAttribute(
  1228. $this->access->groupname2dn($gid),
  1229. $this->access->connection->ldapGroupDisplayName);
  1230. if (($displayName !== false) && (count($displayName) > 0)) {
  1231. $displayName = $displayName[0];
  1232. } else {
  1233. $displayName = '';
  1234. }
  1235. $this->access->connection->writeToCache($cacheKey, $displayName);
  1236. return $displayName;
  1237. }
  1238. /**
  1239. * returns the groupname for the given LDAP DN, if available
  1240. */
  1241. public function dn2GroupName(string $dn): string|false {
  1242. return $this->access->dn2groupname($dn);
  1243. }
  1244. public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
  1245. $dnGroup = $this->access->groupname2dn($gid);
  1246. $dnUser ??= $this->access->username2dn($uid);
  1247. if ($dnUser === false || $dnGroup === false) {
  1248. return;
  1249. }
  1250. if (isset($this->cachedGroupMembers[$gid])) {
  1251. $this->cachedGroupMembers[$gid] = array_merge($this->cachedGroupMembers[$gid], [$dnUser]);
  1252. }
  1253. unset($this->cachedGroupsByMember[$dnUser]);
  1254. unset($this->cachedNestedGroups[$gid]);
  1255. $cacheKey = 'inGroup' . $uid . ':' . $gid;
  1256. $this->access->connection->writeToCache($cacheKey, true);
  1257. $cacheKeyMembers = 'inGroup-members:' . $gid;
  1258. if (!is_null($data = $this->access->connection->getFromCache($cacheKeyMembers))) {
  1259. $this->access->connection->writeToCache($cacheKeyMembers, array_merge($data, [$dnUser]));
  1260. }
  1261. $cacheKey = '_groupMembers' . $dnGroup;
  1262. if (!is_null($data = $this->access->connection->getFromCache($cacheKey))) {
  1263. $this->access->connection->writeToCache($cacheKey, array_merge($data, [$dnUser]));
  1264. }
  1265. $cacheKey = 'getUserGroups' . $uid;
  1266. if (!is_null($data = $this->access->connection->getFromCache($cacheKey))) {
  1267. $this->access->connection->writeToCache($cacheKey, array_merge($data, [$gid]));
  1268. }
  1269. // These cache keys cannot be easily updated:
  1270. // $cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
  1271. // $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
  1272. // $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
  1273. }
  1274. /**
  1275. * @throws ServerNotAvailableException
  1276. */
  1277. public function isAdmin(string $uid): bool {
  1278. if (!$this->enabled) {
  1279. return false;
  1280. }
  1281. $ldapAdminGroup = $this->access->connection->ldapAdminGroup;
  1282. if ($ldapAdminGroup === '') {
  1283. return false;
  1284. }
  1285. return $this->inGroup($uid, $ldapAdminGroup);
  1286. }
  1287. }