From 7236b041333e2275c8a9825852a0ba694bba1129 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 21 Nov 2023 20:20:16 +0100 Subject: [PATCH 1/3] enh(LDAP): implement IIsAdmin interface - add configuration to specify one LDAP group acting as admin group (CLI) - implement `isAdmin()` method, basically relying on inGroup against the configured group Signed-off-by: Arthur Schiwon --- apps/user_ldap/lib/Configuration.php | 3 ++ apps/user_ldap/lib/Connection.php | 1 + apps/user_ldap/lib/Group_LDAP.php | 18 +++++++++++- apps/user_ldap/lib/Group_Proxy.php | 7 ++++- .../openldap-numerical-id.feature | 28 +++++++++++++++++++ 5 files changed, 55 insertions(+), 2 deletions(-) diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php index ef64f75a9ef60..3dda4e3ebbad4 100644 --- a/apps/user_ldap/lib/Configuration.php +++ b/apps/user_ldap/lib/Configuration.php @@ -133,6 +133,7 @@ class Configuration { 'ldapAttributeRole' => null, 'ldapAttributeHeadline' => null, 'ldapAttributeBiography' => null, + 'ldapAdminGroup' => '', ]; public function __construct(string $configPrefix, bool $autoRead = true) { @@ -488,6 +489,7 @@ public function getDefaults(): array { 'ldap_attr_role' => '', 'ldap_attr_headline' => '', 'ldap_attr_biography' => '', + 'ldap_admin_group' => '', ]; } @@ -563,6 +565,7 @@ public function getConfigTranslationArray(): array { 'ldap_attr_role' => 'ldapAttributeRole', 'ldap_attr_headline' => 'ldapAttributeHeadline', 'ldap_attr_biography' => 'ldapAttributeBiography', + 'ldap_admin_group' => 'ldapAdminGroup', ]; return $array; } diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php index f90add9ef9e65..05cd3d10698b5 100644 --- a/apps/user_ldap/lib/Connection.php +++ b/apps/user_ldap/lib/Connection.php @@ -82,6 +82,7 @@ * @property string ldapAttributeRole * @property string ldapAttributeHeadline * @property string ldapAttributeBiography + * @property string ldapAdminGroup */ class Connection extends LDAPUtility { /** diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php index 70dca6a40cab6..999dc403c2fa0 100644 --- a/apps/user_ldap/lib/Group_LDAP.php +++ b/apps/user_ldap/lib/Group_LDAP.php @@ -48,6 +48,7 @@ use OC\ServerNotAvailableException; use OCA\User_LDAP\User\OfflineUser; use OCP\Cache\CappedMemoryCache; +use OCP\Group\Backend\IIsAdminBackend; use OCP\GroupInterface; use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; @@ -57,7 +58,7 @@ use Psr\Log\LoggerInterface; use function json_decode; -class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend { +class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend { protected bool $enabled = false; /** @var CappedMemoryCache $cachedGroupMembers array of users with gid as key */ @@ -1227,6 +1228,7 @@ protected function filterValidGroups(array $listOfGroups): array { public function implementsActions($actions): bool { return (bool)((GroupInterface::COUNT_USERS | GroupInterface::DELETE_GROUP | + GroupInterface::IS_ADMIN | $this->groupPluginManager->getImplementedActions()) & $actions); } @@ -1392,4 +1394,18 @@ public function getDisplayName(string $gid): string { $this->access->connection->writeToCache($cacheKey, $displayName); return $displayName; } + + /** + * @throws ServerNotAvailableException + */ + public function isAdmin(string $uid): bool { + if (!$this->enabled) { + return false; + } + $ldapAdminGroup = $this->access->connection->ldapAdminGroup; + if ($ldapAdminGroup === '') { + return false; + } + return $this->inGroup($uid, $ldapAdminGroup); + } } diff --git a/apps/user_ldap/lib/Group_Proxy.php b/apps/user_ldap/lib/Group_Proxy.php index 70fda715d5e24..a9261f197e065 100644 --- a/apps/user_ldap/lib/Group_Proxy.php +++ b/apps/user_ldap/lib/Group_Proxy.php @@ -30,12 +30,13 @@ use OCP\Group\Backend\IDeleteGroupBackend; use OCP\Group\Backend\IGetDisplayNameBackend; +use OCP\Group\Backend\IIsAdminBackend; use OCP\Group\Backend\INamedBackend; use OCP\GroupInterface; use OCP\IConfig; use OCP\IUserManager; -class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend { +class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IIsAdminBackend { private $backends = []; private ?Group_LDAP $refBackend = null; private Helper $helper; @@ -347,4 +348,8 @@ public function getBackendName(): string { public function searchInGroup(string $gid, string $search = '', int $limit = -1, int $offset = 0): array { return $this->handleRequest($gid, 'searchInGroup', [$gid, $search, $limit, $offset]); } + + public function isAdmin(string $uid): bool { + return $this->handleRequest($uid, 'isAdmin', [$uid]); + } } diff --git a/build/integration/ldap_features/openldap-numerical-id.feature b/build/integration/ldap_features/openldap-numerical-id.feature index 4ea63823295fc..75eb68271927a 100644 --- a/build/integration/ldap_features/openldap-numerical-id.feature +++ b/build/integration/ldap_features/openldap-numerical-id.feature @@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte | 50194 | 1 | | 59376 | 1 | | 59463 | 1 | + +Scenario: Test LDAP admin group mapping, empowered user + Given modify LDAP configuration + | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci | + | ldapGroupFilter | (objectclass=groupOfNames) | + | ldapGroupMemberAssocAttr | member | + | ldapAdminGroup | 3001 | + | useMemberOfToDetectMembership | 1 | + And cookies are reset + # alice, part of the promoted group + And Logging in using web as "92379" + And sending "GET" to "/cloud/groups" + And sending "GET" to "/cloud/groups/2000/users" + And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken + Then the HTTP status code should be "200" + +Scenario: Test LDAP admin group mapping, regular user (no access) + Given modify LDAP configuration + | ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci | + | ldapGroupFilter | (objectclass=groupOfNames) | + | ldapGroupMemberAssocAttr | member | + | ldapAdminGroup | 3001 | + | useMemberOfToDetectMembership | 1 | + And cookies are reset + # gustaf, not part of the promoted group + And Logging in using web as "59376" + And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken + Then the HTTP status code should be "403" From 16ed15a0497c29a996df09750c4acbcf835d57af Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 21 Nov 2023 21:32:55 +0100 Subject: [PATCH 2/3] enh(LDAP): add occ command to promote an LDAP group to admin Signed-off-by: Arthur Schiwon --- apps/user_ldap/appinfo/info.xml | 1 + .../composer/composer/autoload_classmap.php | 1 + .../composer/composer/autoload_static.php | 1 + apps/user_ldap/lib/Command/PromoteGroup.php | 113 ++++++++++++++++++ 4 files changed, 116 insertions(+) create mode 100644 apps/user_ldap/lib/Command/PromoteGroup.php diff --git a/apps/user_ldap/appinfo/info.xml b/apps/user_ldap/appinfo/info.xml index a1b5cf28758c8..ba7090fa26e0a 100644 --- a/apps/user_ldap/appinfo/info.xml +++ b/apps/user_ldap/appinfo/info.xml @@ -50,6 +50,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc OCA\User_LDAP\Command\CheckUser OCA\User_LDAP\Command\CreateEmptyConfig OCA\User_LDAP\Command\DeleteConfig + OCA\User_LDAP\Command\PromoteGroup OCA\User_LDAP\Command\ResetGroup OCA\User_LDAP\Command\ResetUser OCA\User_LDAP\Command\Search diff --git a/apps/user_ldap/composer/composer/autoload_classmap.php b/apps/user_ldap/composer/composer/autoload_classmap.php index c9001d3d59ad6..408c26bf4e5bf 100644 --- a/apps/user_ldap/composer/composer/autoload_classmap.php +++ b/apps/user_ldap/composer/composer/autoload_classmap.php @@ -14,6 +14,7 @@ 'OCA\\User_LDAP\\Command\\CheckUser' => $baseDir . '/../lib/Command/CheckUser.php', 'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => $baseDir . '/../lib/Command/CreateEmptyConfig.php', 'OCA\\User_LDAP\\Command\\DeleteConfig' => $baseDir . '/../lib/Command/DeleteConfig.php', + 'OCA\\User_LDAP\\Command\\PromoteGroup' => $baseDir . '/../lib/Command/PromoteGroup.php', 'OCA\\User_LDAP\\Command\\ResetGroup' => $baseDir . '/../lib/Command/ResetGroup.php', 'OCA\\User_LDAP\\Command\\ResetUser' => $baseDir . '/../lib/Command/ResetUser.php', 'OCA\\User_LDAP\\Command\\Search' => $baseDir . '/../lib/Command/Search.php', diff --git a/apps/user_ldap/composer/composer/autoload_static.php b/apps/user_ldap/composer/composer/autoload_static.php index 53d7bcb648140..b34829f8a7e0e 100644 --- a/apps/user_ldap/composer/composer/autoload_static.php +++ b/apps/user_ldap/composer/composer/autoload_static.php @@ -29,6 +29,7 @@ class ComposerStaticInitUser_LDAP 'OCA\\User_LDAP\\Command\\CheckUser' => __DIR__ . '/..' . '/../lib/Command/CheckUser.php', 'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => __DIR__ . '/..' . '/../lib/Command/CreateEmptyConfig.php', 'OCA\\User_LDAP\\Command\\DeleteConfig' => __DIR__ . '/..' . '/../lib/Command/DeleteConfig.php', + 'OCA\\User_LDAP\\Command\\PromoteGroup' => __DIR__ . '/..' . '/../lib/Command/PromoteGroup.php', 'OCA\\User_LDAP\\Command\\ResetGroup' => __DIR__ . '/..' . '/../lib/Command/ResetGroup.php', 'OCA\\User_LDAP\\Command\\ResetUser' => __DIR__ . '/..' . '/../lib/Command/ResetUser.php', 'OCA\\User_LDAP\\Command\\Search' => __DIR__ . '/..' . '/../lib/Command/Search.php', diff --git a/apps/user_ldap/lib/Command/PromoteGroup.php b/apps/user_ldap/lib/Command/PromoteGroup.php new file mode 100644 index 0000000000000..5fc3905414f5c --- /dev/null +++ b/apps/user_ldap/lib/Command/PromoteGroup.php @@ -0,0 +1,113 @@ + + * + * @author Arthur Schiwon + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace OCA\User_LDAP\Command; + +use OCA\User_LDAP\Group_Proxy; +use OCP\IGroup; +use OCP\IGroupManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class PromoteGroup extends Command { + + public function __construct( + private IGroupManager $groupManager, + private Group_Proxy $backend + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('ldap:promote-group') + ->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)') + ->addArgument( + 'group', + InputArgument::REQUIRED, + 'the group ID in Nextcloud or a group name' + ) + ->addOption( + 'yes', + 'y', + InputOption::VALUE_NONE, + 'do not ask for confirmation' + ); + } + + protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void { + if ($input->getOption('yes') === false) { + /** @var QuestionHelper $helper */ + $helper = $this->getHelper('question'); + + $idLabel = ''; + if ($group->getGID() !== $group->getDisplayName()) { + $idLabel = sprintf(' (Group ID: %s)', $group->getGID()); + } + + $q = new Question(sprintf('Promote %s%s to the admin group (y|N)? ', $group->getDisplayName(), $idLabel)); + $input->setOption('yes', $helper->ask($input, $output, $q) === 'y'); + } + if ($input->getOption('yes') === true) { + $access = $this->backend->getLDAPAccess($group->getGID()); + $access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]); + $access->connection->saveConfiguration(); + $output->writeln(sprintf('Group %s was promoted', $group->getDisplayName())); + } else { + $output->writeln('Group promotion cancelled'); + } + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $groupInput = (string)$input->getArgument('group'); + $group = $this->groupManager->get($groupInput); + + if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) { + $this->promoteGroup($group, $input, $output); + return 0; + } + + $groupCandidates = $this->backend->getGroups($groupInput, 20); + foreach ($groupCandidates as $gidCandidate) { + $group = $this->groupManager->get($gidCandidate); + if ($group !== null + && $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group + && ($group->getGID() === $groupInput + || $group->getDisplayName() === $groupInput) + ) { + $this->promoteGroup($group, $input, $output); + return 0; + } + } + + $output->writeln('No matching group found'); + return 1; + } + +} From cfe9a7e7653df3b210c78b7a80d8ba7e2b0ea635 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 28 Nov 2023 22:07:29 +0100 Subject: [PATCH 3/3] feat(LDAP): warn about demoting a group while promoting another Signed-off-by: Arthur Schiwon --- apps/user_ldap/lib/Command/PromoteGroup.php | 31 +++++++++++++++------ 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/apps/user_ldap/lib/Command/PromoteGroup.php b/apps/user_ldap/lib/Command/PromoteGroup.php index 5fc3905414f5c..7ec1806433269 100644 --- a/apps/user_ldap/lib/Command/PromoteGroup.php +++ b/apps/user_ldap/lib/Command/PromoteGroup.php @@ -61,21 +61,36 @@ protected function configure(): void { ); } + protected function formatGroupName(IGroup $group): string { + $idLabel = ''; + if ($group->getGID() !== $group->getDisplayName()) { + $idLabel = sprintf(' (Group ID: %s)', $group->getGID()); + } + return sprintf('%s%s', $group->getDisplayName(), $idLabel); + } + protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void { - if ($input->getOption('yes') === false) { - /** @var QuestionHelper $helper */ - $helper = $this->getHelper('question'); + $access = $this->backend->getLDAPAccess($group->getGID()); + $currentlyPromotedGroupId = $access->connection->ldapAdminGroup; + if ($currentlyPromotedGroupId === $group->getGID()) { + $output->writeln('The specified group is already promoted'); + return; + } - $idLabel = ''; - if ($group->getGID() !== $group->getDisplayName()) { - $idLabel = sprintf(' (Group ID: %s)', $group->getGID()); + if ($input->getOption('yes') === false) { + $currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId); + $demoteLabel = ''; + if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) { + $groupNameLabel = $this->formatGroupName($currentlyPromotedGroup); + $demoteLabel = sprintf('and demote %s ', $groupNameLabel); } - $q = new Question(sprintf('Promote %s%s to the admin group (y|N)? ', $group->getDisplayName(), $idLabel)); + /** @var QuestionHelper $helper */ + $helper = $this->getHelper('question'); + $q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel)); $input->setOption('yes', $helper->ask($input, $output, $q) === 'y'); } if ($input->getOption('yes') === true) { - $access = $this->backend->getLDAPAccess($group->getGID()); $access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]); $access->connection->saveConfiguration(); $output->writeln(sprintf('Group %s was promoted', $group->getDisplayName()));