From 8a3941114792eb3d7264abd10c8b275563b266e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@nextcloud.com>
Date: Thu, 30 Jan 2025 11:55:43 +0100
Subject: [PATCH] feat(user_ldap): Add command test-user-settings to test LDAP
 user settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
---
 apps/user_ldap/appinfo/info.xml               |   1 +
 .../composer/composer/autoload_classmap.php   |   1 +
 .../composer/composer/autoload_static.php     |   1 +
 .../lib/Command/TestUserSettings.php          | 227 ++++++++++++++++++
 4 files changed, 230 insertions(+)
 create mode 100644 apps/user_ldap/lib/Command/TestUserSettings.php

diff --git a/apps/user_ldap/appinfo/info.xml b/apps/user_ldap/appinfo/info.xml
index 3b94c0bc444..0cc0bbb34a5 100644
--- a/apps/user_ldap/appinfo/info.xml
+++ b/apps/user_ldap/appinfo/info.xml
@@ -64,6 +64,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
 		<command>OCA\User_LDAP\Command\ShowConfig</command>
 		<command>OCA\User_LDAP\Command\ShowRemnants</command>
 		<command>OCA\User_LDAP\Command\TestConfig</command>
+		<command>OCA\User_LDAP\Command\TestUserSettings</command>
 		<command>OCA\User_LDAP\Command\UpdateUUID</command>
 	</commands>
 
diff --git a/apps/user_ldap/composer/composer/autoload_classmap.php b/apps/user_ldap/composer/composer/autoload_classmap.php
index 48fe59a9a51..2be727a240c 100644
--- a/apps/user_ldap/composer/composer/autoload_classmap.php
+++ b/apps/user_ldap/composer/composer/autoload_classmap.php
@@ -23,6 +23,7 @@ return array(
     'OCA\\User_LDAP\\Command\\ShowConfig' => $baseDir . '/../lib/Command/ShowConfig.php',
     'OCA\\User_LDAP\\Command\\ShowRemnants' => $baseDir . '/../lib/Command/ShowRemnants.php',
     'OCA\\User_LDAP\\Command\\TestConfig' => $baseDir . '/../lib/Command/TestConfig.php',
+    'OCA\\User_LDAP\\Command\\TestUserSettings' => $baseDir . '/../lib/Command/TestUserSettings.php',
     'OCA\\User_LDAP\\Command\\UpdateUUID' => $baseDir . '/../lib/Command/UpdateUUID.php',
     'OCA\\User_LDAP\\Configuration' => $baseDir . '/../lib/Configuration.php',
     'OCA\\User_LDAP\\Connection' => $baseDir . '/../lib/Connection.php',
diff --git a/apps/user_ldap/composer/composer/autoload_static.php b/apps/user_ldap/composer/composer/autoload_static.php
index dd5ad0322af..a03e0e8eb97 100644
--- a/apps/user_ldap/composer/composer/autoload_static.php
+++ b/apps/user_ldap/composer/composer/autoload_static.php
@@ -38,6 +38,7 @@ class ComposerStaticInitUser_LDAP
         'OCA\\User_LDAP\\Command\\ShowConfig' => __DIR__ . '/..' . '/../lib/Command/ShowConfig.php',
         'OCA\\User_LDAP\\Command\\ShowRemnants' => __DIR__ . '/..' . '/../lib/Command/ShowRemnants.php',
         'OCA\\User_LDAP\\Command\\TestConfig' => __DIR__ . '/..' . '/../lib/Command/TestConfig.php',
+        'OCA\\User_LDAP\\Command\\TestUserSettings' => __DIR__ . '/..' . '/../lib/Command/TestUserSettings.php',
         'OCA\\User_LDAP\\Command\\UpdateUUID' => __DIR__ . '/..' . '/../lib/Command/UpdateUUID.php',
         'OCA\\User_LDAP\\Configuration' => __DIR__ . '/..' . '/../lib/Configuration.php',
         'OCA\\User_LDAP\\Connection' => __DIR__ . '/..' . '/../lib/Connection.php',
diff --git a/apps/user_ldap/lib/Command/TestUserSettings.php b/apps/user_ldap/lib/Command/TestUserSettings.php
new file mode 100644
index 00000000000..78188332a42
--- /dev/null
+++ b/apps/user_ldap/lib/Command/TestUserSettings.php
@@ -0,0 +1,227 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OCA\User_LDAP\Command;
+
+use OCA\User_LDAP\Group_Proxy;
+use OCA\User_LDAP\Helper;
+use OCA\User_LDAP\Mapping\GroupMapping;
+use OCA\User_LDAP\Mapping\UserMapping;
+use OCA\User_LDAP\User\DeletedUsersIndex;
+use OCA\User_LDAP\User_Proxy;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class TestUserSettings extends Command {
+	public function __construct(
+		protected User_Proxy $backend,
+		protected Group_Proxy $groupBackend,
+		protected Helper $helper,
+		protected DeletedUsersIndex $dui,
+		protected UserMapping $mapping,
+		protected GroupMapping $groupMapping,
+	) {
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		$this
+			->setName('ldap:test-user-settings')
+			->setDescription('Runs tests and show information about user related LDAP settings')
+			->addArgument(
+				'user',
+				InputArgument::REQUIRED,
+				'the user name as used in Nextcloud, or the LDAP DN'
+			)
+			->addOption(
+				'group',
+				'g',
+				InputOption::VALUE_REQUIRED,
+				'A group DN to check if the user is a member or not'
+			)
+		;
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		try {
+			$uid = $input->getArgument('user');
+			$access = $this->backend->getLDAPAccess($uid);
+			$connection = $access->getConnection();
+			$configPrefix = $connection->getConfigPrefix();
+			$knownDn = '';
+			if ($access->stringResemblesDN($uid)) {
+				$knownDn = $uid;
+				$username = $access->dn2username($uid);
+				if ($username !== false) {
+					$uid = $username;
+				}
+			}
+
+			$dn = $this->mapping->getDNByName($uid);
+			if ($dn !== false) {
+				$output->writeln("User <info>$dn</info> is mapped with account name <info>$uid</info>.");
+				$uuid = $this->mapping->getUUIDByDN($dn);
+				$output->writeln("Known UUID is <info>$uuid</info>.");
+				if ($knownDn === '') {
+					$knownDn = $dn;
+				}
+			} else {
+				$output->writeln("User <info>$uid</info> is not mapped.");
+			}
+
+			if ($knownDn === '') {
+				return self::SUCCESS;
+			}
+
+			if (!$access->isDNPartOfBase($knownDn, $access->getConnection()->ldapBaseUsers)) {
+				$output->writeln(
+					"User <info>$knownDn</info> is not in one of the configured user bases: <info>" .
+					implode(',', $access->getConnection()->ldapBaseUsers) .
+					'</info>.'
+				);
+			}
+
+			$output->writeln("Configuration prefix is <info>$configPrefix</info>");
+			$output->writeln('');
+
+			$attributeNames = [
+				'ldapExpertUsernameAttr',
+				'ldapUuidUserAttribute',
+				'ldapExpertUUIDUserAttr',
+				'ldapQuotaAttribute',
+				'ldapEmailAttribute',
+				'ldapUserDisplayName',
+				'ldapUserDisplayName2',
+				'ldapExtStorageHomeAttribute',
+				'ldapAttributePhone',
+				'ldapAttributeWebsite',
+				'ldapAttributeAddress',
+				'ldapAttributeTwitter',
+				'ldapAttributeFediverse',
+				'ldapAttributeOrganisation',
+				'ldapAttributeRole',
+				'ldapAttributeHeadline',
+				'ldapAttributeBiography',
+				'ldapAttributeBirthDate',
+				'ldapAttributePronouns',
+			];
+			$output->writeln('Attributes set in configuration:');
+			foreach ($attributeNames as $attributeName) {
+				if ($connection->$attributeName !== '') {
+					$output->writeln("- $attributeName: <info>" . $connection->$attributeName . '</info>');
+				}
+			}
+
+			$filter = $connection->ldapUserFilter;
+			$attrs = $access->userManager->getAttributes(true);
+			$attrs[] = strtolower($connection->ldapExpertUsernameAttr);
+			if ($connection->ldapUuidUserAttribute !== 'auto') {
+				$attrs[] = strtolower($connection->ldapUuidUserAttribute);
+			}
+			$attrs[] = 'memberof';
+			$attrs = array_values(array_unique($attrs));
+			$attributes = $access->readAttributes($knownDn, $attrs, $filter);
+
+			if ($attributes === false) {
+				$output->writeln(
+					"LDAP read on <info>$knownDn</info> with filter <info>$filter</info> failed."
+				);
+				return self::FAILURE;
+			}
+
+			$output->writeln("Attributes fetched from LDAP using filter <info>$filter</info>:");
+			foreach ($attributes as $attribute => $value) {
+				$output->writeln(
+					"- $attribute: <info>" . json_encode($value) . '</info>'
+				);
+			}
+
+			$uuid = $access->getUUID($knownDn);
+			if ($connection->ldapUuidUserAttribute === 'auto') {
+				$output->writeln('<error>Failed to detect UUID attribute</error>');
+			} else {
+				$output->writeln('Detected UUID attribute: <info>' . $connection->ldapUuidUserAttribute . '</info>');
+			}
+			if ($uuid === false) {
+				$output->writeln("<error>Failed to find UUID for $knownDn</error>");
+			} else {
+				$output->writeln("UUID for <info>$knownDn</info>: <info>$uuid</info>");
+			}
+
+			$groupLdapInstance = $this->groupBackend->getBackend($configPrefix);
+
+			$output->writeln('');
+			$output->writeln('Group information:');
+
+			$attributeNames = [
+				'ldapDynamicGroupMemberURL',
+				'ldapGroupFilter',
+				'ldapGroupMemberAssocAttr',
+			];
+			$output->writeln('Configuration:');
+			foreach ($attributeNames as $attributeName) {
+				if ($connection->$attributeName !== '') {
+					$output->writeln("- $attributeName: <info>" . $connection->$attributeName . '</info>');
+				}
+			}
+
+			$primaryGroup = $groupLdapInstance->getUserPrimaryGroup($knownDn);
+			$output->writeln('Primary group: <info>' . ($primaryGroup !== false? $primaryGroup:'') . '</info>');
+
+			$groupByGid = $groupLdapInstance->getUserGroupByGid($knownDn);
+			$output->writeln('Group from gidNumber: <info>' . ($groupByGid !== false? $groupByGid:'') . '</info>');
+
+			$groups = $groupLdapInstance->getUserGroups($uid);
+			$output->writeln('All known groups: <info>' . json_encode($groups) . '</info>');
+
+			$memberOfUsed = ((int)$access->connection->hasMemberOfFilterSupport === 1
+				&& (int)$access->connection->useMemberOfToDetectMembership === 1);
+
+			$output->writeln('MemberOf usage: <info>' . ($memberOfUsed ? 'on' : 'off') . '</info> (' . $access->connection->hasMemberOfFilterSupport . ',' . $access->connection->useMemberOfToDetectMembership . ')');
+
+			$gid = (string)$input->getOption('group');
+			if ($gid === '') {
+				return self::SUCCESS;
+			}
+
+			$output->writeln('');
+			$output->writeln("Group $gid:");
+			$knownGroupDn = '';
+			if ($access->stringResemblesDN($gid)) {
+				$knownGroupDn = $gid;
+				$groupname = $access->dn2groupname($gid);
+				if ($groupname !== false) {
+					$gid = $groupname;
+				}
+			}
+
+			$groupDn = $this->groupMapping->getDNByName($gid);
+			if ($groupDn !== false) {
+				$output->writeln("Group <info>$groupDn</info> is mapped with name <info>$gid</info>.");
+				$groupUuid = $this->groupMapping->getUUIDByDN($groupDn);
+				$output->writeln("Known UUID is <info>$groupUuid</info>.");
+				if ($knownGroupDn === '') {
+					$knownGroupDn = $groupDn;
+				}
+			} else {
+				$output->writeln("Group <info>$gid</info> is not mapped.");
+			}
+
+			$members = $groupLdapInstance->usersInGroup($gid);
+			$output->writeln('Members: <info>' . json_encode($members) . '</info>');
+
+			return self::SUCCESS;
+
+		} catch (\Exception $e) {
+			$output->writeln('<error>' . $e->getMessage() . '</error>');
+			return self::FAILURE;
+		}
+	}
+}