mirror of
https://github.com/nextcloud/server.git
synced 2026-06-14 19:20:35 -04:00
Merge pull request #40443 from nextcloud/fix/noid/store-lpap-user-groups
fix(ldap): store last known user groups
This commit is contained in:
Arthur Schiwon
GitHub
commit
37f21cf94d
5 changed files with 441 additions and 415 deletions
|
|
@ -298,6 +298,10 @@ class Connection extends LDAPUtility {
|
|||
return json_decode(base64_decode($this->cache->get($key) ?? ''), true);
|
||||
}
|
||||
|
||||
public function getConfigPrefix(): string {
|
||||
return $this->configPrefix;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $key
|
||||
* @param mixed $value
|
||||
|
|
|
|||
|
|
@ -46,12 +46,17 @@ namespace OCA\User_LDAP;
|
|||
|
||||
use Exception;
|
||||
use OC\ServerNotAvailableException;
|
||||
use OCA\User_LDAP\User\OfflineUser;
|
||||
use OCP\Cache\CappedMemoryCache;
|
||||
use OCP\GroupInterface;
|
||||
use OCP\Group\Backend\ABackend;
|
||||
use OCP\Group\Backend\IDeleteGroupBackend;
|
||||
use OCP\Group\Backend\IGetDisplayNameBackend;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUserManager;
|
||||
use OCP\Server;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use function json_decode;
|
||||
|
||||
class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
|
||||
protected bool $enabled = false;
|
||||
|
|
@ -70,8 +75,15 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
* @var string $ldapGroupMemberAssocAttr contains the LDAP setting (in lower case) with the same name
|
||||
*/
|
||||
protected string $ldapGroupMemberAssocAttr;
|
||||
private IConfig $config;
|
||||
private IUserManager $ncUserManager;
|
||||
|
||||
public function __construct(Access $access, GroupPluginManager $groupPluginManager) {
|
||||
public function __construct(
|
||||
Access $access,
|
||||
GroupPluginManager $groupPluginManager,
|
||||
IConfig $config,
|
||||
IUserManager $ncUserManager
|
||||
) {
|
||||
$this->access = $access;
|
||||
$filter = $this->access->connection->ldapGroupFilter;
|
||||
$gAssoc = $this->access->connection->ldapGroupMemberAssocAttr;
|
||||
|
|
@ -83,8 +95,10 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
$this->cachedGroupsByMember = new CappedMemoryCache();
|
||||
$this->cachedNestedGroups = new CappedMemoryCache();
|
||||
$this->groupPluginManager = $groupPluginManager;
|
||||
$this->logger = \OCP\Server::get(LoggerInterface::class);
|
||||
$this->logger = Server::get(LoggerInterface::class);
|
||||
$this->ldapGroupMemberAssocAttr = strtolower((string)$gAssoc);
|
||||
$this->config = $config;
|
||||
$this->ncUserManager = $ncUserManager;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -439,6 +453,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
public function getUserGidNumber(string $dn) {
|
||||
$gidNumber = false;
|
||||
if ($this->access->connection->hasGidNumber) {
|
||||
// FIXME: when $dn does not exist on LDAP anymore, this will be set wrongly to false :/
|
||||
$gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
|
||||
if ($gidNumber === false) {
|
||||
$this->access->connection->hasGidNumber = false;
|
||||
|
|
@ -653,6 +668,25 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
return false;
|
||||
}
|
||||
|
||||
private function isUserOnLDAP(string $uid): bool {
|
||||
// forces a user exists check - but does not help if a positive result is cached, while group info is not
|
||||
$ncUser = $this->ncUserManager->get($uid);
|
||||
if ($ncUser === null) {
|
||||
return false;
|
||||
}
|
||||
$backend = $ncUser->getBackend();
|
||||
if ($backend instanceof User_Proxy) {
|
||||
// ignoring cache as safeguard (and we are behind the group cache check anyway)
|
||||
return $backend->userExistsOnLDAP($uid, true);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
protected function getCachedGroupsForUserId(string $uid): array {
|
||||
$groupStr = $this->config->getUserValue($uid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), '[]');
|
||||
return json_decode($groupStr) ?? [];
|
||||
}
|
||||
|
||||
/**
|
||||
* This function fetches all groups a user belongs to. It does not check
|
||||
* if the user exists at all.
|
||||
|
|
@ -664,15 +698,25 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
* @throws Exception
|
||||
* @throws ServerNotAvailableException
|
||||
*/
|
||||
public function getUserGroups($uid) {
|
||||
public function getUserGroups($uid): array {
|
||||
if (!$this->enabled) {
|
||||
return [];
|
||||
}
|
||||
$ncUid = $uid;
|
||||
|
||||
$cacheKey = 'getUserGroups' . $uid;
|
||||
$userGroups = $this->access->connection->getFromCache($cacheKey);
|
||||
if (!is_null($userGroups)) {
|
||||
return $userGroups;
|
||||
}
|
||||
|
||||
$user = $this->access->userManager->get($uid);
|
||||
if ($user instanceof OfflineUser) {
|
||||
// We load known group memberships from configuration for remnants,
|
||||
// because LDAP server does not contain them anymore
|
||||
return $this->getCachedGroupsForUserId($uid);
|
||||
}
|
||||
|
||||
$userDN = $this->access->username2dn($uid);
|
||||
if (!$userDN) {
|
||||
$this->access->connection->writeToCache($cacheKey, []);
|
||||
|
|
@ -784,9 +828,21 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
|
|||
$groups[] = $gidGroupName;
|
||||
}
|
||||
|
||||
if (empty($groups) && !$this->isUserOnLDAP($ncUid)) {
|
||||
// Groups are enabled, but you user has none? Potentially suspicious:
|
||||
// it could be that the user was deleted from LDAP, but we are not
|
||||
// aware of it yet.
|
||||
$groups = $this->getCachedGroupsForUserId($ncUid);
|
||||
$this->access->connection->writeToCache($cacheKey, $groups);
|
||||
return $groups;
|
||||
}
|
||||
|
||||
$groups = array_unique($groups, SORT_LOCALE_STRING);
|
||||
$this->access->connection->writeToCache($cacheKey, $groups);
|
||||
|
||||
$groupStr = \json_encode($groups);
|
||||
$this->config->setUserValue($ncUid, 'user_ldap', 'cached-group-memberships-' . $this->access->connection->getConfigPrefix(), $groupStr);
|
||||
|
||||
return $groups;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -35,6 +35,8 @@ use OCP\Group\Backend\IGetDisplayNameBackend;
|
|||
use OCP\Group\Backend\IGroupDetailsBackend;
|
||||
use OCP\Group\Backend\INamedBackend;
|
||||
use OCP\GroupInterface;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUserManager;
|
||||
|
||||
class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
|
||||
private $backends = [];
|
||||
|
|
@ -42,16 +44,22 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
|
|||
private Helper $helper;
|
||||
private GroupPluginManager $groupPluginManager;
|
||||
private bool $isSetUp = false;
|
||||
private IConfig $config;
|
||||
private IUserManager $ncUserManager;
|
||||
|
||||
public function __construct(
|
||||
Helper $helper,
|
||||
ILDAPWrapper $ldap,
|
||||
AccessFactory $accessFactory,
|
||||
GroupPluginManager $groupPluginManager
|
||||
GroupPluginManager $groupPluginManager,
|
||||
IConfig $config,
|
||||
IUserManager $ncUserManager,
|
||||
) {
|
||||
parent::__construct($ldap, $accessFactory);
|
||||
$this->helper = $helper;
|
||||
$this->groupPluginManager = $groupPluginManager;
|
||||
$this->config = $config;
|
||||
$this->ncUserManager = $ncUserManager;
|
||||
}
|
||||
|
||||
protected function setup(): void {
|
||||
|
|
@ -62,7 +70,7 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
|
|||
$serverConfigPrefixes = $this->helper->getServerConfigurationPrefixes(true);
|
||||
foreach ($serverConfigPrefixes as $configPrefix) {
|
||||
$this->backends[$configPrefix] =
|
||||
new Group_LDAP($this->getAccess($configPrefix), $this->groupPluginManager);
|
||||
new Group_LDAP($this->getAccess($configPrefix), $this->groupPluginManager, $this->config, $this->ncUserManager);
|
||||
if (is_null($this->refBackend)) {
|
||||
$this->refBackend = &$this->backends[$configPrefix];
|
||||
}
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -31,6 +31,7 @@ use OCA\User_LDAP\Tests\Integration\AbstractIntegrationTest;
|
|||
use OCA\User_LDAP\User\DeletedUsersIndex;
|
||||
use OCA\User_LDAP\User_LDAP;
|
||||
use OCA\User_LDAP\UserPluginManager;
|
||||
use OCP\IConfig;
|
||||
use Psr\Log\LoggerInterface;
|
||||
|
||||
require_once __DIR__ . '/../Bootstrap.php';
|
||||
|
|
@ -58,7 +59,7 @@ class IntegrationTestAttributeDetection extends AbstractIntegrationTest {
|
|||
$userManager->clearBackends();
|
||||
$userManager->registerBackend($userBackend);
|
||||
|
||||
$groupBackend = new Group_LDAP($this->access, \OC::$server->query(GroupPluginManager::class));
|
||||
$groupBackend = new Group_LDAP($this->access, \OC::$server->query(GroupPluginManager::class), \OC::$server->get(IConfig::class));
|
||||
$groupManger = \OC::$server->getGroupManager();
|
||||
$groupManger->clearBackends();
|
||||
$groupManger->addBackend($groupBackend);
|
||||
|
|
|
|||
Loading…
Reference in a new issue