upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-27 12:13:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 55

Merge pull request #31109 from nextcloud/backport/31107/stable22

Browse source 
[stable22] Fix duplicated UUID migration issue
This commit is contained in:
blizzz 2022-02-10 22:37:30 +01:00 committed by GitHub
commit 6d3dfea43d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 636 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apps/settings/composer/composer/autoload_classmap.php
View file

@ -61,6 +61,7 @@ return array(
'OCA\\Settings\\Settings\\Personal\\Security\\WebAuthn' => $baseDir . '/../lib/Settings/Personal/Security/WebAuthn.php',
'OCA\\Settings\\Settings\\Personal\\ServerDevNotice' => $baseDir . '/../lib/Settings/Personal/ServerDevNotice.php',
'OCA\\Settings\\SetupChecks\\CheckUserCertificates' => $baseDir . '/../lib/SetupChecks/CheckUserCertificates.php',
'OCA\\Settings\\SetupChecks\\LdapInvalidUuids' => $baseDir . '/../lib/SetupChecks/LdapInvalidUuids.php',
'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat' => $baseDir . '/../lib/SetupChecks/LegacySSEKeyFormat.php',
'OCA\\Settings\\SetupChecks\\PhpDefaultCharset' => $baseDir . '/../lib/SetupChecks/PhpDefaultCharset.php',
'OCA\\Settings\\SetupChecks\\PhpOutputBuffering' => $baseDir . '/../lib/SetupChecks/PhpOutputBuffering.php',

1
apps/settings/composer/composer/autoload_static.php
View file

@ -76,6 +76,7 @@ class ComposerStaticInitSettings
'OCA\\Settings\\Settings\\Personal\\Security\\WebAuthn' => __DIR__ . '/..' . '/../lib/Settings/Personal/Security/WebAuthn.php',
'OCA\\Settings\\Settings\\Personal\\ServerDevNotice' => __DIR__ . '/..' . '/../lib/Settings/Personal/ServerDevNotice.php',
'OCA\\Settings\\SetupChecks\\CheckUserCertificates' => __DIR__ . '/..' . '/../lib/SetupChecks/CheckUserCertificates.php',
'OCA\\Settings\\SetupChecks\\LdapInvalidUuids' => __DIR__ . '/..' . '/../lib/SetupChecks/LdapInvalidUuids.php',
'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat' => __DIR__ . '/..' . '/../lib/SetupChecks/LegacySSEKeyFormat.php',
'OCA\\Settings\\SetupChecks\\PhpDefaultCharset' => __DIR__ . '/..' . '/../lib/SetupChecks/PhpDefaultCharset.php',
'OCA\\Settings\\SetupChecks\\PhpOutputBuffering' => __DIR__ . '/..' . '/../lib/SetupChecks/PhpOutputBuffering.php',

4
apps/settings/composer/composer/installed.php
View file

@ -5,7 +5,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
'reference' => 'fb5ee6087bfd1f4cc2f37cda7a7cab7072aaae86',
'reference' => '3c77e489a6bb2541cd5d0c92b5498e71ec1a873f',
'name' => '__root__',
'dev' => false,
),
@ -16,7 +16,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
'reference' => 'fb5ee6087bfd1f4cc2f37cda7a7cab7072aaae86',
'reference' => '3c77e489a6bb2541cd5d0c92b5498e71ec1a873f',
'dev_requirement' => false,
),
),

18
apps/settings/lib/Controller/CheckSetupController.php
View file

@ -48,7 +48,6 @@ use DirectoryIterator;
use Doctrine\DBAL\Exception;
use Doctrine\DBAL\Platforms\SqlitePlatform;
use Doctrine\DBAL\TransactionIsolationLevel;
use OCP\DB\Types;
use GuzzleHttp\Exception\ClientException;
use OC;
use OC\AppFramework\Http;
@ -61,20 +60,24 @@ use OC\IntegrityCheck\Checker;
use OC\Lock\NoopLockingProvider;
use OC\MemoryInfo;
use OCA\Settings\SetupChecks\CheckUserCertificates;
use OCA\Settings\SetupChecks\LdapInvalidUuids;
use OCA\Settings\SetupChecks\LegacySSEKeyFormat;
use OCA\Settings\SetupChecks\PhpDefaultCharset;
use OCA\Settings\SetupChecks\PhpOutputBuffering;
use OCA\Settings\SetupChecks\SupportedDatabase;
use OCP\App\IAppManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\DataDisplayResponse;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\DB\Types;
use OCP\Http\Client\IClientService;
use OCP\IConfig;
use OCP\IDateTimeFormatter;
use OCP\IDBConnection;
use OCP\IL10N;
use OCP\IRequest;
use OCP\IServerContainer;
use OCP\IURLGenerator;
use OCP\Lock\ILockingProvider;
use OCP\Security\ISecureRandom;
@ -111,6 +114,10 @@ class CheckSetupController extends Controller {
private $iniGetWrapper;
/** @var IDBConnection */
private $connection;
/** @var IAppManager */
private $appManager;
/** @var IServerContainer */
private $serverContainer;
public function __construct($AppName,
IRequest $request,
@ -127,7 +134,10 @@ class CheckSetupController extends Controller {
MemoryInfo $memoryInfo,
ISecureRandom $secureRandom,
IniGetWrapper $iniGetWrapper,
IDBConnection $connection) {
IDBConnection $connection,
IAppManager $appManager,
IServerContainer $serverContainer
) {
parent::__construct($AppName, $request);
$this->config = $config;
$this->clientService = $clientService;
@ -143,6 +153,8 @@ class CheckSetupController extends Controller {
$this->secureRandom = $secureRandom;
$this->iniGetWrapper = $iniGetWrapper;
$this->connection = $connection;
$this->appManager = $appManager;
$this->serverContainer = $serverContainer;
}
/**
@ -732,6 +744,7 @@ Raw output
$legacySSEKeyFormat = new LegacySSEKeyFormat($this->l10n, $this->config, $this->urlGenerator);
$checkUserCertificates = new CheckUserCertificates($this->l10n, $this->config, $this->urlGenerator);
$supportedDatabases = new SupportedDatabase($this->l10n, $this->connection);
$ldapInvalidUuids = new LdapInvalidUuids($this->appManager, $this->l10n, $this->serverContainer);
return new DataResponse(
[
@ -779,6 +792,7 @@ Raw output
CheckUserCertificates::class => ['pass' => $checkUserCertificates->run(), 'description' => $checkUserCertificates->description(), 'severity' => $checkUserCertificates->severity(), 'elements' => $checkUserCertificates->elements()],
'isDefaultPhoneRegionSet' => $this->config->getSystemValueString('default_phone_region', '') !== '',
SupportedDatabase::class => ['pass' => $supportedDatabases->run(), 'description' => $supportedDatabases->description(), 'severity' => $supportedDatabases->severity()],
LdapInvalidUuids::class => ['pass' => $ldapInvalidUuids->run(), 'description' => $ldapInvalidUuids->description(), 'severity' => $ldapInvalidUuids->severity()],
]
);
}

69
apps/settings/lib/SetupChecks/LdapInvalidUuids.php Normal file
View file

@ -0,0 +1,69 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2022 Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace OCA\Settings\SetupChecks;
use OCA\User_LDAP\Mapping\GroupMapping;
use OCA\User_LDAP\Mapping\UserMapping;
use OCP\App\IAppManager;
use OCP\IL10N;
use OCP\IServerContainer;
class LdapInvalidUuids {
/** @var IAppManager */
private $appManager;
/** @var IL10N */
private $l10n;
/** @var IServerContainer */
private $server;
public function __construct(IAppManager $appManager, IL10N $l10n, IServerContainer $server) {
$this->appManager = $appManager;
$this->l10n = $l10n;
$this->server = $server;
}
public function description(): string {
return $this->l10n->t('Invalid UUIDs of LDAP users or groups have been found. Please review your "Override UUID detection" settings in the Expert part of the LDAP configuration and use "occ ldap:update-uuid" to update them.');
}
public function severity(): string {
return 'warning';
}
public function run(): bool {
if (!$this->appManager->isEnabledForUser('user_ldap')) {
return true;
}
/** @var UserMapping $userMapping */
$userMapping = $this->server->get(UserMapping::class);
/** @var GroupMapping $groupMapping */
$groupMapping = $this->server->get(GroupMapping::class);
return count($userMapping->getList(0, 1, true)) === 0
&& count($groupMapping->getList(0, 1, true)) === 0;
}
}

21
apps/settings/tests/Controller/CheckSetupControllerTest.php
View file

@ -42,6 +42,7 @@ use OC\IntegrityCheck\Checker;
use OC\MemoryInfo;
use OC\Security\SecureRandom;
use OCA\Settings\Controller\CheckSetupController;
use OCP\App\IAppManager;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataDisplayResponse;
use OCP\AppFramework\Http\DataResponse;
@ -52,6 +53,7 @@ use OCP\IDateTimeFormatter;
use OCP\IDBConnection;
use OCP\IL10N;
use OCP\IRequest;
use OCP\IServerContainer;
use OCP\IURLGenerator;
use OCP\Lock\ILockingProvider;
use PHPUnit\Framework\MockObject\MockObject;
@ -99,6 +101,10 @@ class CheckSetupControllerTest extends TestCase {
private $iniGetWrapper;
/** @var IDBConnection|\PHPUnit\Framework\MockObject\MockObject */
private $connection;
/** @var IAppManager|MockObject */
private $appManager;
/** @var IServerContainer|MockObject */
private $serverContainer;
/**
* Holds a list of directories created during tests.
@ -141,6 +147,8 @@ class CheckSetupControllerTest extends TestCase {
$this->iniGetWrapper = $this->getMockBuilder(IniGetWrapper::class)->getMock();
$this->connection = $this->getMockBuilder(IDBConnection::class)
->disableOriginalConstructor()->getMock();
$this->appManager = $this->createMock(IAppManager::class);
$this->serverContainer = $this->createMock(IServerContainer::class);
$this->checkSetupController = $this->getMockBuilder(CheckSetupController::class)
->setConstructorArgs([
'settings',
@ -159,6 +167,8 @@ class CheckSetupControllerTest extends TestCase {
$this->secureRandom,
$this->iniGetWrapper,
$this->connection,
$this->appManager,
$this->serverContainer,
])
->setMethods([
'isReadOnlyConfig',
@ -617,6 +627,7 @@ class CheckSetupControllerTest extends TestCase {
'imageMagickLacksSVGSupport' => false,
'isDefaultPhoneRegionSet' => false,
'OCA\Settings\SetupChecks\SupportedDatabase' => ['pass' => true, 'description' => '', 'severity' => 'info'],
\OCA\Settings\SetupChecks\LdapInvalidUuids::class => ['pass' => true, 'description' => 'Invalid UUIDs of LDAP users or groups have been found. Please review your "Override UUID detection" settings in the Expert part of the LDAP configuration and use "occ ldap:update-uuid" to update them.', 'severity' => 'warning'],
]
);
$this->assertEquals($expected, $this->checkSetupController->check());
@ -641,6 +652,8 @@ class CheckSetupControllerTest extends TestCase {
$this->secureRandom,
$this->iniGetWrapper,
$this->connection,
$this->appManager,
$this->serverContainer
])
->setMethods(null)->getMock();
@ -1410,7 +1423,9 @@ Array
$this->memoryInfo,
$this->secureRandom,
$this->iniGetWrapper,
$this->connection
$this->connection,
$this->appManager,
$this->serverContainer
);
$this->assertSame($expected, $this->invokePrivate($checkSetupController, 'isMysqlUsedWithoutUTF8MB4'));
@ -1460,7 +1475,9 @@ Array
$this->memoryInfo,
$this->secureRandom,
$this->iniGetWrapper,
$this->connection
$this->connection,
$this->appManager,
$this->serverContainer
);
$this->assertSame($expected, $this->invokePrivate($checkSetupController, 'isEnoughTempSpaceAvailableIfS3PrimaryStorageIsUsed'));

1
apps/user_ldap/appinfo/info.xml
View file

@ -56,6 +56,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
<command>OCA\User_LDAP\Command\ShowConfig</command>
<command>OCA\User_LDAP\Command\ShowRemnants</command>
<command>OCA\User_LDAP\Command\TestConfig</command>
<command>OCA\User_LDAP\Command\UpdateUUID</command>
</commands>
<settings>

1
apps/user_ldap/composer/composer/autoload_classmap.php
View file

@ -20,6 +20,7 @@ return array(
'OCA\\User_LDAP\\Command\\ShowConfig' => $baseDir . '/../lib/Command/ShowConfig.php',
'OCA\\User_LDAP\\Command\\ShowRemnants' => $baseDir . '/../lib/Command/ShowRemnants.php',
'OCA\\User_LDAP\\Command\\TestConfig' => $baseDir . '/../lib/Command/TestConfig.php',
'OCA\\User_LDAP\\Command\\UpdateUUID' => $baseDir . '/../lib/Command/UpdateUUID.php',
'OCA\\User_LDAP\\Configuration' => $baseDir . '/../lib/Configuration.php',
'OCA\\User_LDAP\\Connection' => $baseDir . '/../lib/Connection.php',
'OCA\\User_LDAP\\ConnectionFactory' => $baseDir . '/../lib/ConnectionFactory.php',

1
apps/user_ldap/composer/composer/autoload_static.php
View file

@ -35,6 +35,7 @@ class ComposerStaticInitUser_LDAP
'OCA\\User_LDAP\\Command\\ShowConfig' => __DIR__ . '/..' . '/../lib/Command/ShowConfig.php',
'OCA\\User_LDAP\\Command\\ShowRemnants' => __DIR__ . '/..' . '/../lib/Command/ShowRemnants.php',
'OCA\\User_LDAP\\Command\\TestConfig' => __DIR__ . '/..' . '/../lib/Command/TestConfig.php',
'OCA\\User_LDAP\\Command\\UpdateUUID' => __DIR__ . '/..' . '/../lib/Command/UpdateUUID.php',
'OCA\\User_LDAP\\Configuration' => __DIR__ . '/..' . '/../lib/Configuration.php',
'OCA\\User_LDAP\\Connection' => __DIR__ . '/..' . '/../lib/Connection.php',
'OCA\\User_LDAP\\ConnectionFactory' => __DIR__ . '/..' . '/../lib/ConnectionFactory.php',

2
apps/user_ldap/lib/Access.php
View file

@ -1792,7 +1792,7 @@ class Access extends LDAPUtility {
* @param string $dn
* @param bool $isUser
* @param null $ldapRecord
* @return bool|string
* @return false|string
* @throws ServerNotAvailableException
*/
public function getUUID($dn, $isUser = true, $ldapRecord = null) {

374
apps/user_ldap/lib/Command/UpdateUUID.php Normal file
View file

@ -0,0 +1,374 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
* @author Côme Chilliet <come.chilliet@nextcloud.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace OCA\User_LDAP\Command;
use OCA\User_LDAP\Access;
use OCA\User_LDAP\Group_Proxy;
use OCA\User_LDAP\Mapping\AbstractMapping;
use OCA\User_LDAP\Mapping\GroupMapping;
use OCA\User_LDAP\Mapping\UserMapping;
use OCA\User_LDAP\User_Proxy;
use Psr\Log\LoggerInterface;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\ProgressBar;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use function sprintf;
class UuidUpdateReport {
const UNCHANGED = 0;
const UNKNOWN = 1;
const UNREADABLE = 2;
const UPDATED = 3;
const UNWRITABLE = 4;
const UNMAPPED = 5;
public $id = '';
public $dn = '';
public $isUser = true;
public $state = self::UNCHANGED;
public $oldUuid = '';
public $newUuid = '';
public function __construct(string $id, string $dn, bool $isUser, int $state, string $oldUuid = '', string $newUuid = '') {
$this->id = $id;
$this->dn = $dn;
$this->isUser = $isUser;
$this->state = $state;
$this->oldUuid = $oldUuid;
$this->newUuid = $newUuid;
}
}
class UpdateUUID extends Command {
/** @var UserMapping */
private $userMapping;
/** @var GroupMapping */
private $groupMapping;
/** @var User_Proxy */
private $userProxy;
/** @var Group_Proxy */
private $groupProxy;
/** @var array<UuidUpdateReport[]> */
protected $reports = [];
/** @var LoggerInterface */
private $logger;
/** @var bool */
private $dryRun = false;
public function __construct(UserMapping $userMapping, GroupMapping $groupMapping, User_Proxy $userProxy, Group_Proxy $groupProxy, LoggerInterface $logger) {
$this->userMapping = $userMapping;
$this->groupMapping = $groupMapping;
$this->userProxy = $userProxy;
$this->groupProxy = $groupProxy;
$this->logger = $logger;
$this->reports = [
UuidUpdateReport::UPDATED => [],
UuidUpdateReport::UNKNOWN => [],
UuidUpdateReport::UNREADABLE => [],
UuidUpdateReport::UNWRITABLE => [],
UuidUpdateReport::UNMAPPED => [],
];
parent::__construct();
}
protected function configure(): void {
$this
->setName('ldap:update-uuid')
->setDescription('Attempts to update UUIDs of user and group entries. By default, the command attempts to update UUIDs that have been invalidated by a migration step.')
->addOption(
'all',
null,
InputOption::VALUE_NONE,
'updates every user and group. All other options are ignored.'
)
->addOption(
'userId',
null,
InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
'a user ID to update'
)
->addOption(
'groupId',
null,
InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
'a group ID to update'
)
->addOption(
'dn',
null,
InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
'a DN to update'
)
->addOption(
'dry-run',
null,
InputOption::VALUE_NONE,
'UUIDs will not be updated in the database'
)
;
}
protected function execute(InputInterface $input, OutputInterface $output): int {
$this->dryRun = $input->getOption('dry-run');
$entriesToUpdate = $this->estimateNumberOfUpdates($input);
$progress = new ProgressBar($output);
$progress->start($entriesToUpdate);
foreach($this->handleUpdates($input) as $_) {
$progress->advance();
}
$progress->finish();
$output->writeln('');
$this->printReport($output);
return count($this->reports[UuidUpdateReport::UNMAPPED]) === 0
&& count($this->reports[UuidUpdateReport::UNREADABLE]) === 0
&& count($this->reports[UuidUpdateReport::UNWRITABLE]) === 0
? 0
: 1;
}
protected function printReport(OutputInterface $output): void {
if ($output->isQuiet()) {
return;
}
if (count($this->reports[UuidUpdateReport::UPDATED]) === 0) {
$output->writeln('<info>No record was updated.</info>');
} else {
$output->writeln(sprintf('<info>%d record(s) were updated.</info>', count($this->reports[UuidUpdateReport::UPDATED])));
if ($output->isVerbose()) {
/** @var UuidUpdateReport $report */
foreach ($this->reports[UuidUpdateReport::UPDATED] as $report) {
$output->writeln(sprintf(' %s had their old UUID %s updated to %s', $report->id, $report->oldUuid, $report->newUuid));
}
$output->writeln('');
}
}
if (count($this->reports[UuidUpdateReport::UNMAPPED]) > 0) {
$output->writeln(sprintf('<error>%d provided IDs were not mapped. These were:</error>', count($this->reports[UuidUpdateReport::UNMAPPED])));
/** @var UuidUpdateReport $report */
foreach ($this->reports[UuidUpdateReport::UNMAPPED] as $report) {
if (!empty($report->id)) {
$output->writeln(sprintf(' %s: %s',
$report->isUser ? 'User' : 'Group', $report->id));
} else if (!empty($report->dn)) {
$output->writeln(sprintf(' DN: %s', $report->dn));
}
}
$output->writeln('');
}
if (count($this->reports[UuidUpdateReport::UNKNOWN]) > 0) {
$output->writeln(sprintf('<info>%d provided IDs were unknown on LDAP.</info>', count($this->reports[UuidUpdateReport::UNKNOWN])));
if ($output->isVerbose()) {
/** @var UuidUpdateReport $report */
foreach ($this->reports[UuidUpdateReport::UNKNOWN] as $report) {
$output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id));
}
$output->writeln(PHP_EOL . 'Old users can be removed along with their data per occ user:delete.' . PHP_EOL);
}
}
if (count($this->reports[UuidUpdateReport::UNREADABLE]) > 0) {
$output->writeln(sprintf('<error>For %d records, the UUID could not be read. Double-check your configuration.</error>', count($this->reports[UuidUpdateReport::UNREADABLE])));
if ($output->isVerbose()) {
/** @var UuidUpdateReport $report */
foreach ($this->reports[UuidUpdateReport::UNREADABLE] as $report) {
$output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id));
}
}
}
if (count($this->reports[UuidUpdateReport::UNWRITABLE]) > 0) {
$output->writeln(sprintf('<error>For %d records, the UUID could not be saved to database. Double-check your configuration.</error>', count($this->reports[UuidUpdateReport::UNWRITABLE])));
if ($output->isVerbose()) {
/** @var UuidUpdateReport $report */
foreach ($this->reports[UuidUpdateReport::UNWRITABLE] as $report) {
$output->writeln(sprintf(' %s: %s',$report->isUser ? 'User' : 'Group', $report->id));
}
}
}
}
protected function handleUpdates(InputInterface $input): \Generator {
if ($input->getOption('all')) {
foreach($this->handleMappingBasedUpdates(false) as $_) {
yield;
}
} else if ($input->getOption('userId')
|| $input->getOption('groupId')
|| $input->getOption('dn')
) {
foreach($this->handleUpdatesByUserId($input->getOption('userId')) as $_) {
yield;
}
foreach($this->handleUpdatesByGroupId($input->getOption('groupId')) as $_) {
yield;
}
foreach($this->handleUpdatesByDN($input->getOption('dn')) as $_) {
yield;
}
} else {
foreach($this->handleMappingBasedUpdates(true) as $_) {
yield;
}
}
}
protected function handleUpdatesByUserId(array $userIds): \Generator {
foreach($this->handleUpdatesByEntryId($userIds, $this->userMapping) as $_) {
yield;
}
}
protected function handleUpdatesByGroupId(array $groupIds): \Generator {
foreach($this->handleUpdatesByEntryId($groupIds, $this->groupMapping) as $_) {
yield;
}
}
protected function handleUpdatesByDN(array $dns): \Generator {
$userList = $groupList = [];
while ($dn = array_pop($dns)) {
$uuid = $this->userMapping->getUUIDByDN($dn);
if ($uuid) {
$id = $this->userMapping->getNameByDN($dn);
$userList[] = ['name' => $id, 'uuid' => $uuid];
continue;
}
$uuid = $this->groupMapping->getUUIDByDN($dn);
if ($uuid) {
$id = $this->groupMapping->getNameByDN($dn);
$groupList[] = ['name' => $id, 'uuid' => $uuid];
continue;
}
$this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport('', $dn, true, UuidUpdateReport::UNMAPPED);
yield;
}
foreach($this->handleUpdatesByList($this->userMapping, $userList) as $_) {
yield;
}
foreach($this->handleUpdatesByList($this->groupMapping, $groupList) as $_) {
yield;
}
}
protected function handleUpdatesByEntryId(array $ids, AbstractMapping $mapping): \Generator {
$isUser = $mapping instanceof UserMapping;
$list = [];
while ($id = array_pop($ids)) {
if(!$dn = $mapping->getDNByName($id)) {
$this->reports[UuidUpdateReport::UNMAPPED][] = new UuidUpdateReport($id, '', $isUser, UuidUpdateReport::UNMAPPED);
yield;
continue;
}
// Since we know it was mapped the UUID is populated
$uuid = $mapping->getUUIDByDN($dn);
$list[] = ['name' => $id, 'uuid' => $uuid];
}
foreach($this->handleUpdatesByList($mapping, $list) as $_) {
yield;
}
}
protected function handleMappingBasedUpdates(bool $invalidatedOnly): \Generator {
$limit = 1000;
/** @var AbstractMapping $mapping*/
foreach([$this->userMapping, $this->groupMapping] as $mapping) {
$offset = 0;
do {
$list = $mapping->getList($offset, $limit, $invalidatedOnly);
$offset += $limit;
foreach($this->handleUpdatesByList($mapping, $list) as $tick) {
yield; // null, for it only advances progress counter
}
} while (count($list) === $limit);
}
}
protected function handleUpdatesByList(AbstractMapping $mapping, array $list): \Generator {
if ($mapping instanceof UserMapping) {
$isUser = true;
$backendProxy = $this->userProxy;
} else {
$isUser = false;
$backendProxy = $this->groupProxy;
}
foreach ($list as $row) {
$access = $backendProxy->getLDAPAccess($row['name']);
if ($access instanceof Access
&& $dn = $mapping->getDNByName($row['name']))
{
if ($uuid = $access->getUUID($dn, $isUser)) {
if ($uuid !== $row['uuid']) {
if ($this->dryRun || $mapping->setUUIDbyDN($uuid, $dn)) {
$this->reports[UuidUpdateReport::UPDATED][]
= new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UPDATED, $row['uuid'], $uuid);
} else {
$this->reports[UuidUpdateReport::UNWRITABLE][]
= new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UNWRITABLE, $row['uuid'], $uuid);
}
$this->logger->info('UUID of {id} was updated from {from} to {to}',
[
'appid' => 'user_ldap',
'id' => $row['name'],
'from' => $row['uuid'],
'to' => $uuid,
]
);
}
} else {
$this->reports[UuidUpdateReport::UNREADABLE][] = new UuidUpdateReport($row['name'], $dn, $isUser, UuidUpdateReport::UNREADABLE);
}
} else {
$this->reports[UuidUpdateReport::UNKNOWN][] = new UuidUpdateReport($row['name'], '', $isUser, UuidUpdateReport::UNKNOWN);
}
yield; // null, for it only advances progress counter
}
}
protected function estimateNumberOfUpdates(InputInterface $input): int {
if ($input->getOption('all')) {
return $this->userMapping->count() + $this->groupMapping->count();
} else if ($input->getOption('userId')
|| $input->getOption('groupId')
|| $input->getOption('dn')
) {
return count($input->getOption('userId'))
+ count($input->getOption('groupId'))
+ count($input->getOption('dn'));
} else {
return $this->userMapping->countInvalidated() + $this->groupMapping->countInvalidated();
}
}
}

40
apps/user_ldap/lib/Jobs/CleanUp.php
View file

@ -40,7 +40,7 @@ use OCA\User_LDAP\User_Proxy;
* @package OCA\User_LDAP\Jobs;
*/
class CleanUp extends TimedJob {
/** @var int $limit amount of users that should be checked per run */
/** @var ?int $limit amount of users that should be checked per run */
protected $limit;
/** @var int $defaultIntervalMin default interval in minutes */
@ -76,7 +76,7 @@ class CleanUp extends TimedJob {
* assigns the instances passed to run() to the class properties
* @param array $arguments
*/
public function setArguments($arguments) {
public function setArguments($arguments): void {
//Dependency Injection is not possible, because the constructor will
//only get values that are serialized to JSON. I.e. whatever we would
//pass in app.php we do add here, except something else is passed e.g.
@ -119,19 +119,13 @@ class CleanUp extends TimedJob {
* makes the background job do its work
* @param array $argument
*/
public function run($argument) {
public function run($argument): void {
$this->setArguments($argument);
if (!$this->isCleanUpAllowed()) {
return;
}
$users = $this->mapping->getList($this->getOffset(), $this->getChunkSize());
if (!is_array($users)) {
//something wrong? Let's start from the beginning next time and
//abort
$this->setOffset(true);
return;
}
$resetOffset = $this->isOffsetResetNecessary(count($users));
$this->checkUsers($users);
$this->setOffset($resetOffset);
@ -139,18 +133,15 @@ class CleanUp extends TimedJob {
/**
* checks whether next run should start at 0 again
* @param int $resultCount
* @return bool
*/
public function isOffsetResetNecessary($resultCount) {
public function isOffsetResetNecessary(int $resultCount): bool {
return $resultCount < $this->getChunkSize();
}
/**
* checks whether cleaning up LDAP users is allowed
* @return bool
*/
public function isCleanUpAllowed() {
public function isCleanUpAllowed(): bool {
try {
if ($this->ldapHelper->haveDisabledConfigurations()) {
return false;
@ -164,9 +155,8 @@ class CleanUp extends TimedJob {
/**
* checks whether clean up is enabled by configuration
* @return bool
*/
private function isCleanUpEnabled() {
private function isCleanUpEnabled(): bool {
return (bool)$this->ocConfig->getSystemValue(
'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
}
@ -175,7 +165,7 @@ class CleanUp extends TimedJob {
* checks users whether they are still existing
* @param array $users result from getMappedUsers()
*/
private function checkUsers(array $users) {
private function checkUsers(array $users): void {
foreach ($users as $user) {
$this->checkUser($user);
}
@ -185,7 +175,7 @@ class CleanUp extends TimedJob {
* checks whether a user is still existing in LDAP
* @param string[] $user
*/
private function checkUser(array $user) {
private function checkUser(array $user): void {
if ($this->userBackend->userExistsOnLDAP($user['name'])) {
//still available, all good
@ -197,29 +187,27 @@ class CleanUp extends TimedJob {
/**
* gets the offset to fetch users from the mappings table
* @return int
*/
private function getOffset() {
return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0);
private function getOffset(): int {
return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', '0');
}
/**
* sets the new offset for the next run
* @param bool $reset whether the offset should be set to 0
*/
public function setOffset($reset = false) {
public function setOffset(bool $reset = false): void {
$newOffset = $reset ? 0 :
$this->getOffset() + $this->getChunkSize();
$this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset);
$this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', (string)$newOffset);
}
/**
* returns the chunk size (limit in DB speak)
* @return int
*/
public function getChunkSize() {
public function getChunkSize(): int {
if ($this->limit === null) {
$this->limit = (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobChunkSize', 50);
$this->limit = (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobChunkSize', '50');
}
return $this->limit;
}

55
apps/user_ldap/lib/Mapping/AbstractMapping.php
View file

@ -175,7 +175,7 @@ abstract class AbstractMapping {
* @param $fdn
* @return bool
*/
public function setUUIDbyDN($uuid, $fdn) {
public function setUUIDbyDN($uuid, $fdn): bool {
$statement = $this->dbc->prepare('
UPDATE `' . $this->getTableName() . '`
SET `directory_uuid` = ?
@ -329,26 +329,24 @@ abstract class AbstractMapping {
return $this->getXbyY('directory_uuid', 'ldap_dn_hash', $this->getDNHash($dn));
}
/**
* gets a piece of the mapping list
*
* @param int $offset
* @param int $limit
* @return array
*/
public function getList($offset = null, $limit = null) {
$query = $this->dbc->prepare('
SELECT
`ldap_dn` AS `dn`,
`owncloud_name` AS `name`,
`directory_uuid` AS `uuid`
FROM `' . $this->getTableName() . '`',
$limit,
$offset
);
public function getList(int $offset = 0, int $limit = null, bool $invalidatedOnly = false): array {
$select = $this->dbc->getQueryBuilder();
$select->selectAlias('ldap_dn', 'dn')
->selectAlias('owncloud_name', 'name')
->selectAlias('directory_uuid', 'uuid')
->from($this->getTableName())
->setMaxResults($limit)
->setFirstResult($offset);
$query->execute();
return $query->fetchAll();
if ($invalidatedOnly) {
$select->where($select->expr()->like('directory_uuid', $select->createNamedParameter('invalidated_%')));
}
$result = $select->executeQuery();
$entries = $result->fetchAll();
$result->closeCursor();
return $entries;
}
/**
@ -458,13 +456,24 @@ abstract class AbstractMapping {
*
* @return int
*/
public function count() {
$qb = $this->dbc->getQueryBuilder();
$query = $qb->select($qb->func()->count('ldap_dn_hash'))
public function count(): int {
$query = $this->dbc->getQueryBuilder();
$query->select($query->func()->count('ldap_dn_hash'))
->from($this->getTableName());
$res = $query->execute();
$count = $res->fetchOne();
$res->closeCursor();
return (int)$count;
}
public function countInvalidated(): int {
$query = $this->dbc->getQueryBuilder();
$query->select($query->func()->count('ldap_dn_hash'))
->from($this->getTableName())
->where($query->expr()->like('directory_uuid', $query->createNamedParameter('invalidated_%')));
$res = $query->execute();
$count = $res->fetchOne();
$res->closeCursor();
return (int)$count;
}
}

103
apps/user_ldap/lib/Migration/Version1130Date20211102154716.php
View file

@ -27,6 +27,7 @@ declare(strict_types=1);
namespace OCA\User_LDAP\Migration;
use Closure;
use Generator;
use OCP\DB\Exception;
use OCP\DB\ISchemaWrapper;
use OCP\DB\QueryBuilder\IQueryBuilder;
@ -52,6 +53,23 @@ class Version1130Date20211102154716 extends SimpleMigrationStep {
return 'Adjust LDAP user and group ldap_dn column lengths and add ldap_dn_hash columns';
}
public function preSchemaChange(IOutput $output, \Closure $schemaClosure, array $options) {
foreach (['ldap_user_mapping', 'ldap_group_mapping'] as $tableName) {
$this->processDuplicateUUIDs($tableName);
}
/** @var ISchemaWrapper $schema */
$schema = $schemaClosure();
if ($schema->hasTable('ldap_group_mapping_backup')) {
// Previous upgrades of a broken release might have left an incomplete
// ldap_group_mapping_backup table. No need to recreate, but it
// should be empty.
// TRUNCATE is not available from Query Builder, but faster than DELETE FROM.
$sql = $this->dbc->getDatabasePlatform()->getTruncateTableSQL('ldap_group_mapping_backup', false);
$this->dbc->executeStatement($sql);
}
}
/**
* @param IOutput $output
* @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
@ -91,7 +109,7 @@ class Version1130Date20211102154716 extends SimpleMigrationStep {
$table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid');
$changeSchema = true;
}
} else {
} else if (!$schema->hasTable('ldap_group_mapping_backup')) {
// We need to copy the table twice to be able to change primary key, prepare the backup table
$table2 = $schema->createTable('ldap_group_mapping_backup');
$table2->addColumn('ldap_dn', Types::STRING, [
@ -172,4 +190,87 @@ class Version1130Date20211102154716 extends SimpleMigrationStep {
->where($qb->expr()->eq('owncloud_name', $qb->createParameter('name')));
return $qb;
}
/**
* @throws Exception
*/
protected function processDuplicateUUIDs(string $table): void {
$uuids = $this->getDuplicatedUuids($table);
$idsWithUuidToInvalidate = [];
foreach ($uuids as $uuid) {
array_push($idsWithUuidToInvalidate, ...$this->getNextcloudIdsByUuid($table, $uuid));
}
$this->invalidateUuids($table, $idsWithUuidToInvalidate);
}
/**
* @throws Exception
*/
protected function invalidateUuids(string $table, array $idList): void {
$update = $this->dbc->getQueryBuilder();
$update->update($table)
->set('directory_uuid', $update->createParameter('invalidatedUuid'))
->where($update->expr()->eq('owncloud_name', $update->createParameter('nextcloudId')));
while ($nextcloudId = array_shift($idList)) {
$update->setParameter('nextcloudId', $nextcloudId);
$update->setParameter('invalidatedUuid', 'invalidated_' . \bin2hex(\random_bytes(6)));
try {
$update->executeStatement();
$this->logger->warning(
'LDAP user or group with ID {nid} has a duplicated UUID value which therefore was invalidated. You may double-check your LDAP configuration and trigger an update of the UUID.',
[
'app' => 'user_ldap',
'nid' => $nextcloudId,
]
);
} catch (Exception $e) {
// Catch possible, but unlikely duplications if new invalidated errors.
// There is the theoretical chance of an infinity loop is, when
// the constraint violation has a different background. I cannot
// think of one at the moment.
if ($e->getReason() !== Exception::REASON_CONSTRAINT_VIOLATION) {
throw $e;
}
$idList[] = $nextcloudId;
}
}
}
/**
* @throws \OCP\DB\Exception
* @return array<string>
*/
protected function getNextcloudIdsByUuid(string $table, string $uuid): array {
$select = $this->dbc->getQueryBuilder();
$select->select('owncloud_name')
->from($table)
->where($select->expr()->eq('directory_uuid', $select->createNamedParameter($uuid)));
$result = $select->executeQuery();
$idList = [];
while ($id = $result->fetchOne()) {
$idList[] = $id;
}
$result->closeCursor();
return $idList;
}
/**
* @return Generator<string>
* @throws \OCP\DB\Exception
*/
protected function getDuplicatedUuids(string $table): Generator{
$select = $this->dbc->getQueryBuilder();
$select->select('directory_uuid')
->from($table)
->groupBy('directory_uuid')
->having($select->expr()->gt($select->func()->count('owncloud_name'), $select->createNamedParameter(1)));
$result = $select->executeQuery();
while ($uuid = $result->fetchOne()) {
yield $uuid;
}
$result->closeCursor();
}
}

2
apps/user_ldap/tests/Mapping/AbstractMappingTest.php
View file

@ -276,7 +276,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
$this->assertSame(count($data) - 1, count($results));
// get first 2 entries by limit, but not offset
$results = $mapper->getList(null, 2);
$results = $mapper->getList(0, 2);
$this->assertSame(2, count($results));
// get 2nd entry by specifying both offset and limit

1
core/js/setupchecks.js
View file

@ -501,6 +501,7 @@
OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat', messages)
OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\CheckUserCertificates', messages)
OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\SupportedDatabase', messages)
OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\LdapInvalidUuids', messages)
} else {
messages.push({