nextcloud_server/apps/user_ldap/lib/LDAPProvider.php

<?php

/**
 * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OCA\User_LDAP;

use OCA\User_LDAP\User\DeletedUsersIndex;
use OCP\IServerContainer;
use OCP\LDAP\IDeletionFlagSupport;
use OCP\LDAP\ILDAPProvider;
use Psr\Log\LoggerInterface;

/**
 * LDAP provider for public access to the LDAP backend.
 */
class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport {
	private $userBackend;
	private $groupBackend;
	private $logger;

	/**
	 * Create new LDAPProvider
	 * @param IServerContainer $serverContainer
	 * @param Helper $helper
	 * @param DeletedUsersIndex $deletedUsersIndex
	 * @throws \Exception if user_ldap app was not enabled
	 */
	public function __construct(
		IServerContainer $serverContainer,
		private Helper $helper,
		private DeletedUsersIndex $deletedUsersIndex,
	) {
		$this->logger = $serverContainer->get(LoggerInterface::class);
		$userBackendFound = false;
		$groupBackendFound = false;
		foreach ($serverContainer->getUserManager()->getBackends() as $backend) {
			$this->logger->debug('instance ' . get_class($backend) . ' user backend.', ['app' => 'user_ldap']);
			if ($backend instanceof IUserLDAP) {
				$this->userBackend = $backend;
				$userBackendFound = true;
				break;
			}
		}
		foreach ($serverContainer->getGroupManager()->getBackends() as $backend) {
			$this->logger->debug('instance ' . get_class($backend) . ' group backend.', ['app' => 'user_ldap']);
			if ($backend instanceof IGroupLDAP) {
				$this->groupBackend = $backend;
				$groupBackendFound = true;
				break;
			}
		}

		if (!$userBackendFound or !$groupBackendFound) {
			throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled');
		}
	}

	/**
	 * Translate an user id to LDAP DN
	 * @param string $uid user id
	 * @return string with the LDAP DN
	 * @throws \Exception if translation was unsuccessful
	 */
	public function getUserDN($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		$result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid);
		if (!$result) {
			throw new \Exception('Translation to LDAP DN unsuccessful');
		}
		return $result;
	}

	/**
	 * Translate a group id to LDAP DN.
	 * @param string $gid group id
	 * @return string
	 * @throws \Exception
	 */
	public function getGroupDN($gid) {
		if (!$this->groupBackend->groupExists($gid)) {
			throw new \Exception('Group id not found in LDAP');
		}
		$result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid);
		if (!$result) {
			throw new \Exception('Translation to LDAP DN unsuccessful');
		}
		return $result;
	}

	/**
	 * Translate a LDAP DN to an internal user name. If there is no mapping between
	 * the DN and the user name, a new one will be created.
	 * @param string $dn LDAP DN
	 * @return string with the internal user name
	 * @throws \Exception if translation was unsuccessful
	 */
	public function getUserName($dn) {
		$result = $this->userBackend->dn2UserName($dn);
		if (!$result) {
			throw new \Exception('Translation to internal user name unsuccessful');
		}
		return $result;
	}

	/**
	 * Convert a stored DN so it can be used as base parameter for LDAP queries.
	 * @param string $dn the DN in question
	 * @return string
	 */
	public function DNasBaseParameter($dn) {
		return $this->helper->DNasBaseParameter($dn);
	}

	/**
	 * Sanitize a DN received from the LDAP server.
	 * @param array|string $dn the DN in question
	 * @return array|string the sanitized DN
	 */
	public function sanitizeDN($dn) {
		return $this->helper->sanitizeDN($dn);
	}

	/**
	 * Return a new LDAP connection resource for the specified user.
	 * The connection must be closed manually.
	 * @param string $uid user id
	 * @return \LDAP\Connection The LDAP connection
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getLDAPConnection($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		return $this->userBackend->getNewLDAPConnection($uid);
	}

	/**
	 * Return a new LDAP connection resource for the specified user.
	 * The connection must be closed manually.
	 * @param string $gid group id
	 * @return \LDAP\Connection The LDAP connection
	 * @throws \Exception if group id was not found in LDAP
	 */
	public function getGroupLDAPConnection($gid) {
		if (!$this->groupBackend->groupExists($gid)) {
			throw new \Exception('Group id not found in LDAP');
		}
		return $this->groupBackend->getNewLDAPConnection($gid);
	}

	/**
	 * Get the LDAP base for users.
	 * @param string $uid user id
	 * @return string the base for users
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getLDAPBaseUsers($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		$access = $this->userBackend->getLDAPAccess($uid);
		$bases = $access->getConnection()->ldapBaseUsers;
		$dn = $this->getUserDN($uid);
		foreach ($bases as $base) {
			if ($access->isDNPartOfBase($dn, [$base])) {
				return $base;
			}
		}
		// should not occur, because the user does not qualify to use NC in this case
		$this->logger->info(
			'No matching user base found for user {dn}, available: {bases}.',
			[
				'app' => 'user_ldap',
				'dn' => $dn,
				'bases' => $bases,
			]
		);
		return array_shift($bases);
	}

	/**
	 * Get the LDAP base for groups.
	 * @param string $uid user id
	 * @return string the base for groups
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getLDAPBaseGroups($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		$bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups;
		return array_shift($bases);
	}

	/**
	 * Clear the cache if a cache is used, otherwise do nothing.
	 * @param string $uid user id
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function clearCache($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		$this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache();
	}

	/**
	 * Clear the cache if a cache is used, otherwise do nothing.
	 * Acts on the LDAP connection of a group
	 * @param string $gid group id
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function clearGroupCache($gid) {
		if (!$this->groupBackend->groupExists($gid)) {
			throw new \Exception('Group id not found in LDAP');
		}
		$this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache();
	}

	/**
	 * Check whether a LDAP DN exists
	 * @param string $dn LDAP DN
	 * @return bool whether the DN exists
	 */
	public function dnExists($dn) {
		$result = $this->userBackend->dn2UserName($dn);
		return !$result ? false : true;
	}

	/**
	 * Flag record for deletion.
	 * @param string $uid user id
	 */
	public function flagRecord($uid) {
		$this->deletedUsersIndex->markUser($uid);
	}

	/**
	 * Unflag record for deletion.
	 * @param string $uid user id
	 */
	public function unflagRecord($uid) {
		//do nothing
	}

	/**
	 * Get the LDAP attribute name for the user's display name
	 * @param string $uid user id
	 * @return string the display name field
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getLDAPDisplayNameField($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name'];
	}

	/**
	 * Get the LDAP attribute name for the email
	 * @param string $uid user id
	 * @return string the email field
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getLDAPEmailField($uid) {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}
		return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr'];
	}

	/**
	 * Get the LDAP type of association between users and groups
	 * @param string $gid group id
	 * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', ''
	 * @throws \Exception if group id was not found in LDAP
	 */
	public function getLDAPGroupMemberAssoc($gid) {
		if (!$this->groupBackend->groupExists($gid)) {
			throw new \Exception('Group id not found in LDAP');
		}
		return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute'];
	}

	/**
	 * Get an LDAP attribute for a nextcloud user
	 *
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getUserAttribute(string $uid, string $attribute): ?string {
		$values = $this->getMultiValueUserAttribute($uid, $attribute);
		if (count($values) === 0) {
			return null;
		}
		return current($values);
	}

	/**
	 * Get a multi-value LDAP attribute for a nextcloud user
	 *
	 * @throws \Exception if user id was not found in LDAP
	 */
	public function getMultiValueUserAttribute(string $uid, string $attribute): array {
		if (!$this->userBackend->userExists($uid)) {
			throw new \Exception('User id not found in LDAP');
		}

		$access = $this->userBackend->getLDAPAccess($uid);
		$connection = $access->getConnection();
		$key = $uid . '-' . $attribute;

		$cached = $connection->getFromCache($key);
		if (is_array($cached)) {
			return $cached;
		}

		$values = $access->readAttribute($access->username2dn($uid), $attribute);
		if ($values === false) {
			$values = [];
		}

		$connection->writeToCache($key, $values);
		return $values;
	}
}