mirror of
https://github.com/nextcloud/server.git
synced 2025-03-15 00:43:23 +00:00
enh(LDAP): implement IIsAdmin interface
- add configuration to specify one LDAP group acting as admin group (CLI) - implement `isAdmin()` method, basically relying on inGroup against the configured group Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
This commit is contained in:
parent
546cf0ed2f
commit
d6b356c63b
5 changed files with 55 additions and 2 deletions
apps/user_ldap/lib
build/integration/ldap_features
|
@ -134,6 +134,7 @@ class Configuration {
|
|||
'ldapAttributeRole' => null,
|
||||
'ldapAttributeHeadline' => null,
|
||||
'ldapAttributeBiography' => null,
|
||||
'ldapAdminGroup' => '',
|
||||
];
|
||||
|
||||
public function __construct(string $configPrefix, bool $autoRead = true) {
|
||||
|
@ -490,6 +491,7 @@ class Configuration {
|
|||
'ldap_attr_role' => '',
|
||||
'ldap_attr_headline' => '',
|
||||
'ldap_attr_biography' => '',
|
||||
'ldap_admin_group' => '',
|
||||
];
|
||||
}
|
||||
|
||||
|
@ -566,6 +568,7 @@ class Configuration {
|
|||
'ldap_attr_role' => 'ldapAttributeRole',
|
||||
'ldap_attr_headline' => 'ldapAttributeHeadline',
|
||||
'ldap_attr_biography' => 'ldapAttributeBiography',
|
||||
'ldap_admin_group' => 'ldapAdminGroup',
|
||||
];
|
||||
return $array;
|
||||
}
|
||||
|
|
|
@ -83,6 +83,7 @@ use Psr\Log\LoggerInterface;
|
|||
* @property string ldapAttributeRole
|
||||
* @property string ldapAttributeHeadline
|
||||
* @property string ldapAttributeBiography
|
||||
* @property string ldapAdminGroup
|
||||
*/
|
||||
class Connection extends LDAPUtility {
|
||||
/**
|
||||
|
|
|
@ -51,6 +51,7 @@ use OCP\Cache\CappedMemoryCache;
|
|||
use OCP\Group\Backend\ABackend;
|
||||
use OCP\Group\Backend\IDeleteGroupBackend;
|
||||
use OCP\Group\Backend\IGetDisplayNameBackend;
|
||||
use OCP\Group\Backend\IIsAdminBackend;
|
||||
use OCP\GroupInterface;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUserManager;
|
||||
|
@ -58,7 +59,7 @@ use OCP\Server;
|
|||
use Psr\Log\LoggerInterface;
|
||||
use function json_decode;
|
||||
|
||||
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
|
||||
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
|
||||
protected bool $enabled = false;
|
||||
|
||||
/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
|
||||
|
@ -1241,6 +1242,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
public function implementsActions($actions): bool {
|
||||
return (bool)((GroupInterface::COUNT_USERS |
|
||||
GroupInterface::DELETE_GROUP |
|
||||
GroupInterface::IS_ADMIN |
|
||||
$this->groupPluginManager->getImplementedActions()) & $actions);
|
||||
}
|
||||
|
||||
|
@ -1444,4 +1446,18 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
|
||||
// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws ServerNotAvailableException
|
||||
*/
|
||||
public function isAdmin(string $uid): bool {
|
||||
if (!$this->enabled) {
|
||||
return false;
|
||||
}
|
||||
$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
|
||||
if ($ldapAdminGroup === '') {
|
||||
return false;
|
||||
}
|
||||
return $this->inGroup($uid, $ldapAdminGroup);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -33,12 +33,13 @@ use OCP\Group\Backend\IBatchMethodsBackend;
|
|||
use OCP\Group\Backend\IDeleteGroupBackend;
|
||||
use OCP\Group\Backend\IGetDisplayNameBackend;
|
||||
use OCP\Group\Backend\IGroupDetailsBackend;
|
||||
use OCP\Group\Backend\IIsAdminBackend;
|
||||
use OCP\Group\Backend\INamedBackend;
|
||||
use OCP\GroupInterface;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUserManager;
|
||||
|
||||
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
|
||||
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
|
||||
private $backends = [];
|
||||
private ?Group_LDAP $refBackend = null;
|
||||
private Helper $helper;
|
||||
|
@ -396,4 +397,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
|
|||
public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
|
||||
$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
|
||||
}
|
||||
|
||||
public function isAdmin(string $uid): bool {
|
||||
return $this->handleRequest($uid, 'isAdmin', [$uid]);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
|
|||
| 50194 | 1 |
|
||||
| 59376 | 1 |
|
||||
| 59463 | 1 |
|
||||
|
||||
Scenario: Test LDAP admin group mapping, empowered user
|
||||
Given modify LDAP configuration
|
||||
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
|
||||
| ldapGroupFilter | (objectclass=groupOfNames) |
|
||||
| ldapGroupMemberAssocAttr | member |
|
||||
| ldapAdminGroup | 3001 |
|
||||
| useMemberOfToDetectMembership | 1 |
|
||||
And cookies are reset
|
||||
# alice, part of the promoted group
|
||||
And Logging in using web as "92379"
|
||||
And sending "GET" to "/cloud/groups"
|
||||
And sending "GET" to "/cloud/groups/2000/users"
|
||||
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
|
||||
Then the HTTP status code should be "200"
|
||||
|
||||
Scenario: Test LDAP admin group mapping, regular user (no access)
|
||||
Given modify LDAP configuration
|
||||
| ldapBaseGroups | ou=NumericGroups,dc=nextcloud,dc=ci |
|
||||
| ldapGroupFilter | (objectclass=groupOfNames) |
|
||||
| ldapGroupMemberAssocAttr | member |
|
||||
| ldapAdminGroup | 3001 |
|
||||
| useMemberOfToDetectMembership | 1 |
|
||||
And cookies are reset
|
||||
# gustaf, not part of the promoted group
|
||||
And Logging in using web as "59376"
|
||||
And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
|
||||
Then the HTTP status code should be "403"
|
||||
|
|
Loading…
Reference in a new issue