1<?php 2/** 3 * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de) 4 * 5 * @author Arthur Schiwon <blizzz@arthur-schiwon.de> 6 * @author Christoph Wurst <christoph@winzerhof-wurst.at> 7 * @author Robin Appelman <robin@icewind.nl> 8 * @author Roeland Jago Douma <roeland@famdouma.nl> 9 * @author Roger Szabo <roger.szabo@web.de> 10 * @author root <root@localhost.localdomain> 11 * @author Vinicius Cubas Brand <vinicius@eita.org.br> 12 * 13 * @license GNU AGPL version 3 or any later version 14 * 15 * This program is free software: you can redistribute it and/or modify 16 * it under the terms of the GNU Affero General Public License as 17 * published by the Free Software Foundation, either version 3 of the 18 * License, or (at your option) any later version. 19 * 20 * This program is distributed in the hope that it will be useful, 21 * but WITHOUT ANY WARRANTY; without even the implied warranty of 22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 23 * GNU Affero General Public License for more details. 24 * 25 * You should have received a copy of the GNU Affero General Public License 26 * along with this program. If not, see <http://www.gnu.org/licenses/>. 27 * 28 */ 29namespace OCA\User_LDAP; 30 31use OCA\User_LDAP\User\DeletedUsersIndex; 32use OCP\IServerContainer; 33use OCP\LDAP\IDeletionFlagSupport; 34use OCP\LDAP\ILDAPProvider; 35 36/** 37 * LDAP provider for pulic access to the LDAP backend. 38 */ 39class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport { 40 private $userBackend; 41 private $groupBackend; 42 private $logger; 43 private $helper; 44 private $deletedUsersIndex; 45 46 /** 47 * Create new LDAPProvider 48 * @param \OCP\IServerContainer $serverContainer 49 * @param Helper $helper 50 * @param DeletedUsersIndex $deletedUsersIndex 51 * @throws \Exception if user_ldap app was not enabled 52 */ 53 public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) { 54 $this->logger = $serverContainer->getLogger(); 55 $this->helper = $helper; 56 $this->deletedUsersIndex = $deletedUsersIndex; 57 $userBackendFound = false; 58 $groupBackendFound = false; 59 foreach ($serverContainer->getUserManager()->getBackends() as $backend) { 60 $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']); 61 if ($backend instanceof IUserLDAP) { 62 $this->userBackend = $backend; 63 $userBackendFound = true; 64 break; 65 } 66 } 67 foreach ($serverContainer->getGroupManager()->getBackends() as $backend) { 68 $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']); 69 if ($backend instanceof IGroupLDAP) { 70 $this->groupBackend = $backend; 71 $groupBackendFound = true; 72 break; 73 } 74 } 75 76 if (!$userBackendFound or !$groupBackendFound) { 77 throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled'); 78 } 79 } 80 81 /** 82 * Translate an user id to LDAP DN 83 * @param string $uid user id 84 * @return string with the LDAP DN 85 * @throws \Exception if translation was unsuccessful 86 */ 87 public function getUserDN($uid) { 88 if (!$this->userBackend->userExists($uid)) { 89 throw new \Exception('User id not found in LDAP'); 90 } 91 $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid); 92 if (!$result) { 93 throw new \Exception('Translation to LDAP DN unsuccessful'); 94 } 95 return $result; 96 } 97 98 /** 99 * Translate a group id to LDAP DN. 100 * @param string $gid group id 101 * @return string 102 * @throws \Exception 103 */ 104 public function getGroupDN($gid) { 105 if (!$this->groupBackend->groupExists($gid)) { 106 throw new \Exception('Group id not found in LDAP'); 107 } 108 $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid); 109 if (!$result) { 110 throw new \Exception('Translation to LDAP DN unsuccessful'); 111 } 112 return $result; 113 } 114 115 /** 116 * Translate a LDAP DN to an internal user name. If there is no mapping between 117 * the DN and the user name, a new one will be created. 118 * @param string $dn LDAP DN 119 * @return string with the internal user name 120 * @throws \Exception if translation was unsuccessful 121 */ 122 public function getUserName($dn) { 123 $result = $this->userBackend->dn2UserName($dn); 124 if (!$result) { 125 throw new \Exception('Translation to internal user name unsuccessful'); 126 } 127 return $result; 128 } 129 130 /** 131 * Convert a stored DN so it can be used as base parameter for LDAP queries. 132 * @param string $dn the DN in question 133 * @return string 134 */ 135 public function DNasBaseParameter($dn) { 136 return $this->helper->DNasBaseParameter($dn); 137 } 138 139 /** 140 * Sanitize a DN received from the LDAP server. 141 * @param array $dn the DN in question 142 * @return array the sanitized DN 143 */ 144 public function sanitizeDN($dn) { 145 return $this->helper->sanitizeDN($dn); 146 } 147 148 /** 149 * Return a new LDAP connection resource for the specified user. 150 * The connection must be closed manually. 151 * @param string $uid user id 152 * @return resource of the LDAP connection 153 * @throws \Exception if user id was not found in LDAP 154 */ 155 public function getLDAPConnection($uid) { 156 if (!$this->userBackend->userExists($uid)) { 157 throw new \Exception('User id not found in LDAP'); 158 } 159 return $this->userBackend->getNewLDAPConnection($uid); 160 } 161 162 /** 163 * Return a new LDAP connection resource for the specified user. 164 * The connection must be closed manually. 165 * @param string $gid group id 166 * @return resource of the LDAP connection 167 * @throws \Exception if group id was not found in LDAP 168 */ 169 public function getGroupLDAPConnection($gid) { 170 if (!$this->groupBackend->groupExists($gid)) { 171 throw new \Exception('Group id not found in LDAP'); 172 } 173 return $this->groupBackend->getNewLDAPConnection($gid); 174 } 175 176 /** 177 * Get the LDAP base for users. 178 * @param string $uid user id 179 * @return string the base for users 180 * @throws \Exception if user id was not found in LDAP 181 */ 182 public function getLDAPBaseUsers($uid) { 183 if (!$this->userBackend->userExists($uid)) { 184 throw new \Exception('User id not found in LDAP'); 185 } 186 $access = $this->userBackend->getLDAPAccess($uid); 187 $bases = $access->getConnection()->ldapBaseUsers; 188 $dn = $this->getUserDN($uid); 189 foreach ($bases as $base) { 190 if ($access->isDNPartOfBase($dn, [$base])) { 191 return $base; 192 } 193 } 194 // should not occur, because the user does not qualify to use NC in this case 195 $this->logger->info( 196 'No matching user base found for user {dn}, available: {bases}.', 197 [ 198 'app' => 'user_ldap', 199 'dn' => $dn, 200 'bases' => $bases, 201 ] 202 ); 203 return array_shift($bases); 204 } 205 206 /** 207 * Get the LDAP base for groups. 208 * @param string $uid user id 209 * @return string the base for groups 210 * @throws \Exception if user id was not found in LDAP 211 */ 212 public function getLDAPBaseGroups($uid) { 213 if (!$this->userBackend->userExists($uid)) { 214 throw new \Exception('User id not found in LDAP'); 215 } 216 $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups; 217 return array_shift($bases); 218 } 219 220 /** 221 * Clear the cache if a cache is used, otherwise do nothing. 222 * @param string $uid user id 223 * @throws \Exception if user id was not found in LDAP 224 */ 225 public function clearCache($uid) { 226 if (!$this->userBackend->userExists($uid)) { 227 throw new \Exception('User id not found in LDAP'); 228 } 229 $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache(); 230 } 231 232 /** 233 * Clear the cache if a cache is used, otherwise do nothing. 234 * Acts on the LDAP connection of a group 235 * @param string $gid group id 236 * @throws \Exception if user id was not found in LDAP 237 */ 238 public function clearGroupCache($gid) { 239 if (!$this->groupBackend->groupExists($gid)) { 240 throw new \Exception('Group id not found in LDAP'); 241 } 242 $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache(); 243 } 244 245 /** 246 * Check whether a LDAP DN exists 247 * @param string $dn LDAP DN 248 * @return bool whether the DN exists 249 */ 250 public function dnExists($dn) { 251 $result = $this->userBackend->dn2UserName($dn); 252 return !$result ? false : true; 253 } 254 255 /** 256 * Flag record for deletion. 257 * @param string $uid user id 258 */ 259 public function flagRecord($uid) { 260 $this->deletedUsersIndex->markUser($uid); 261 } 262 263 /** 264 * Unflag record for deletion. 265 * @param string $uid user id 266 */ 267 public function unflagRecord($uid) { 268 //do nothing 269 } 270 271 /** 272 * Get the LDAP attribute name for the user's display name 273 * @param string $uid user id 274 * @return string the display name field 275 * @throws \Exception if user id was not found in LDAP 276 */ 277 public function getLDAPDisplayNameField($uid) { 278 if (!$this->userBackend->userExists($uid)) { 279 throw new \Exception('User id not found in LDAP'); 280 } 281 return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name']; 282 } 283 284 /** 285 * Get the LDAP attribute name for the email 286 * @param string $uid user id 287 * @return string the email field 288 * @throws \Exception if user id was not found in LDAP 289 */ 290 public function getLDAPEmailField($uid) { 291 if (!$this->userBackend->userExists($uid)) { 292 throw new \Exception('User id not found in LDAP'); 293 } 294 return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr']; 295 } 296 297 /** 298 * Get the LDAP type of association between users and groups 299 * @param string $gid group id 300 * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', '' 301 * @throws \Exception if group id was not found in LDAP 302 */ 303 public function getLDAPGroupMemberAssoc($gid) { 304 if (!$this->groupBackend->groupExists($gid)) { 305 throw new \Exception('Group id not found in LDAP'); 306 } 307 return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute']; 308 } 309 310 /** 311 * Get an LDAP attribute for a nextcloud user 312 * 313 * @throws \Exception if user id was not found in LDAP 314 */ 315 public function getUserAttribute(string $uid, string $attribute): ?string { 316 $values = $this->getMultiValueUserAttribute($uid, $attribute); 317 if (count($values) === 0) { 318 return null; 319 } 320 return current($values); 321 } 322 323 /** 324 * Get a multi-value LDAP attribute for a nextcloud user 325 * 326 * @throws \Exception if user id was not found in LDAP 327 */ 328 public function getMultiValueUserAttribute(string $uid, string $attribute): array { 329 if (!$this->userBackend->userExists($uid)) { 330 throw new \Exception('User id not found in LDAP'); 331 } 332 333 $access = $this->userBackend->getLDAPAccess($uid); 334 $connection = $access->getConnection(); 335 $key = $uid . '-' . $attribute; 336 337 $cached = $connection->getFromCache($key); 338 if (is_array($cached)) { 339 return $cached; 340 } 341 342 $values = $access->readAttribute($access->username2dn($uid), $attribute); 343 if ($values === false) { 344 $values = []; 345 } 346 347 $connection->writeToCache($key, $values); 348 return $values; 349 } 350} 351