0
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2025-03-15 00:43:23 +00:00

enh(LDAP): implement IIsAdmin interface

- add configuration to specify one LDAP group acting as admin group (CLI)
- implement `isAdmin()` method, basically relying on inGroup against the
  configured group

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
This commit is contained in:
Arthur Schiwon 2023-11-21 20:20:16 +01:00
parent 546cf0ed2f
commit d6b356c63b
5 changed files with 55 additions and 2 deletions

View file

@ -134,6 +134,7 @@ class Configuration {
'ldapAttributeRole' => null,
'ldapAttributeHeadline' => null,
'ldapAttributeBiography' => null,
'ldapAdminGroup' => '',
];
public function __construct(string $configPrefix, bool $autoRead = true) {
@ -490,6 +491,7 @@ class Configuration {
'ldap_attr_role' => '',
'ldap_attr_headline' => '',
'ldap_attr_biography' => '',
'ldap_admin_group' => '',
];
}
@ -566,6 +568,7 @@ class Configuration {
'ldap_attr_role' => 'ldapAttributeRole',
'ldap_attr_headline' => 'ldapAttributeHeadline',
'ldap_attr_biography' => 'ldapAttributeBiography',
'ldap_admin_group' => 'ldapAdminGroup',
];
return $array;
}

View file

@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface;
* @property string ldapAttributeRole
* @property string ldapAttributeHeadline
* @property string ldapAttributeBiography
* @property string ldapAdminGroup
*/
class Connection extends LDAPUtility {
/**

View file

@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache;
use OCP\Group\Backend\ABackend;
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;
@ -58,7 +59,7 @@ use OCP\Server;
use Psr\Log\LoggerInterface;
use function json_decode;
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
protected bool $enabled = false;
/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
public function implementsActions($actions): bool {
return (bool)((GroupInterface::COUNT_USERS |
GroupInterface::DELETE_GROUP |
GroupInterface::IS_ADMIN |
$this->groupPluginManager->getImplementedActions()) & $actions);
}
@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
}
/**
* @throws ServerNotAvailableException
*/
public function isAdmin(string $uid): bool {
if (!$this->enabled) {
return false;
}
$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
if ($ldapAdminGroup === '') {
return false;
}
return $this->inGroup($uid, $ldapAdminGroup);
}
}

View file

@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend;
use OCP\Group\Backend\IDeleteGroupBackend;
use OCP\Group\Backend\IGetDisplayNameBackend;
use OCP\Group\Backend\IGroupDetailsBackend;
use OCP\Group\Backend\IIsAdminBackend;
use OCP\Group\Backend\INamedBackend;
use OCP\GroupInterface;
use OCP\IConfig;
use OCP\IUserManager;
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
private $backends = [];
private ?Group_LDAP $refBackend = null;
private Helper $helper;
@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
}
public function isAdmin(string $uid): bool {
return $this->handleRequest($uid, 'isAdmin', [$uid]);
}
}

View file

@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
| 50194 | 1 |
| 59376 | 1 |
| 59463 | 1 |
Scenario: Test LDAP admin group mapping, empowered user
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# alice, part of the promoted group
And Logging in using web as "92379"
And sending "GET" to "/cloud/groups"
And sending "GET" to "/cloud/groups/2000/users"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "200"
Scenario: Test LDAP admin group mapping, regular user (no access)
Given modify LDAP configuration
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
| ldapGroupFilter | (objectclass=groupOfNames) |
| ldapGroupMemberAssocAttr | member |
| ldapAdminGroup | 3001 |
| useMemberOfToDetectMembership | 1 |
And cookies are reset
# gustaf, not part of the promoted group
And Logging in using web as "59376"
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
Then the HTTP status code should be "403"