enh(LDAP): implement IIsAdmin interface

- add configuration to specify one LDAP group acting as admin group (CLI)
- implement `isAdmin()` method, basically relying on inGroup against the
  configured group

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

apps/user_ldap/lib/Configuration.php

@@ -134,6 +134,7 @@ class Configuration {
 		'ldapAttributeRole' => null,
 		'ldapAttributeHeadline' => null,
 		'ldapAttributeBiography' => null,
+		'ldapAdminGroup' => '',
 	];
 
 	public function __construct(string $configPrefix, bool $autoRead = true) {
@@ -490,6 +491,7 @@ class Configuration {
 			'ldap_attr_role' => '',
 			'ldap_attr_headline' => '',
 			'ldap_attr_biography' => '',
+			'ldap_admin_group' => '',
 		];
 	}
 
@@ -566,6 +568,7 @@ class Configuration {
 			'ldap_attr_role' => 'ldapAttributeRole',
 			'ldap_attr_headline' => 'ldapAttributeHeadline',
 			'ldap_attr_biography' => 'ldapAttributeBiography',
+			'ldap_admin_group' => 'ldapAdminGroup',
 		];
 		return $array;
 	}

apps/user_ldap/lib/Connection.php

@@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface;
  * @property string ldapAttributeRole
  * @property string ldapAttributeHeadline
  * @property string ldapAttributeBiography
+ * @property string ldapAdminGroup
  */
 class Connection extends LDAPUtility {
 	/**

apps/user_ldap/lib/Group_LDAP.php

@@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache;
 use OCP\Group\Backend\ABackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
@@ -58,7 +59,7 @@ use OCP\Server;
 use Psr\Log\LoggerInterface;
 use function json_decode;
 
-class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
+class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
 	protected bool $enabled = false;
 
 	/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
@@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
 	public function implementsActions($actions): bool {
 		return (bool)((GroupInterface::COUNT_USERS |
 				GroupInterface::DELETE_GROUP |
+				GroupInterface::IS_ADMIN |
 				$this->groupPluginManager->getImplementedActions()) & $actions);
 	}
 
@@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
 		// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
 		// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
 	}
+
+	/**
+	 * @throws ServerNotAvailableException
+	 */
+	public function isAdmin(string $uid): bool {
+		if (!$this->enabled) {
+			return false;
+		}
+		$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
+		if ($ldapAdminGroup === '') {
+			return false;
+		}
+		return $this->inGroup($uid, $ldapAdminGroup);
+	}
 }

apps/user_ldap/lib/Group_Proxy.php

@@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
 use OCP\Group\Backend\IGroupDetailsBackend;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\Group\Backend\INamedBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
 
-class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
+class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
 	private $backends = [];
 	private ?Group_LDAP $refBackend = null;
 	private Helper $helper;
@@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
 	public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
 		$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
 	}
+
+	public function isAdmin(string $uid): bool {
+		return $this->handleRequest($uid, 'isAdmin', [$uid]);
+	}
 }

build/integration/ldap_features/openldap-numerical-id.feature

@@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
     | 50194 | 1 |
     | 59376 | 1 |
     | 59463 | 1 |
+
+Scenario: Test LDAP admin group mapping, empowered user
+  Given modify LDAP configuration
+    | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+    | ldapGroupFilter               | (objectclass=groupOfNames) |
+    | ldapGroupMemberAssocAttr      | member |
+    | ldapAdminGroup                | 3001   |
+    | useMemberOfToDetectMembership | 1 |
+  And cookies are reset
+  # alice, part of the promoted group
+  And Logging in using web as "92379"
+  And sending "GET" to "/cloud/groups"
+  And sending "GET" to "/cloud/groups/2000/users"
+  And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+  Then the HTTP status code should be "200"
+
+Scenario: Test LDAP admin group mapping, regular user (no access)
+    Given modify LDAP configuration
+      | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+      | ldapGroupFilter               | (objectclass=groupOfNames) |
+      | ldapGroupMemberAssocAttr      | member |
+      | ldapAdminGroup                | 3001   |
+      | useMemberOfToDetectMembership | 1 |
+    And cookies are reset
+    # gustaf, not part of the promoted group
+    And Logging in using web as "59376"
+    And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+    Then the HTTP status code should be "403"