Add a new group template just as it is already there for adding users.

rotdrop · rotdrop · commit 2244b19631c0 · 2020-10-13T21:59:39.000+02:00
Rationale: this allows to support "custom" group LDAP classes, like the
groupOfMembers calls of the rfc2307bis draft. The core user_ldap app
could also be changed to make this more handy, but already allows custom
group filters.
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
@@ -77,6 +77,7 @@ public function registerLDAPPlugins(): void {
 
 		$this->ldapGroupManager = new LDAPGroupManager(
 			$s->getGroupManager(),
+			$s->getUserSession(),
 			$ldapConnect,
 			$s->getLogger(),
 			$provider
diff --git a/lib/LDAPGroupManager.php b/lib/LDAPGroupManager.php
@@ -33,6 +33,7 @@
 use OCA\User_LDAP\LDAPProvider;
 use OCP\AppFramework\QueryException;
 use OCP\IGroupManager;
+use OCP\IUserSession;
 use OCP\ILogger;
 use OCP\LDAP\ILDAPProvider;
 
@@ -41,6 +42,9 @@ class LDAPGroupManager implements ILDAPGroupPlugin {
 	/** @var ILDAPProvider */
 	private $ldapProvider;
 
+	/** @var IUserSession */
+	private $userSession;
+
 	/** @var IGroupManager */
 	private $groupManager;
 
@@ -49,8 +53,9 @@ class LDAPGroupManager implements ILDAPGroupPlugin {
 	/** @var ILogger */
 	private $logger;
 
-	public function __construct(IGroupManager $groupManager, LDAPConnect $ldapConnect, ILogger $logger, ILDAPProvider $ldapProvider) {
+	public function __construct(IGroupManager $groupManager, IUserSession $userSession, LDAPConnect $ldapConnect, ILogger $logger, ILDAPProvider $ldapProvider) {
 		$this->groupManager = $groupManager;
+		$this->userSession = $userSession;
 		$this->ldapConnect = $ldapConnect;
 		$this->logger = $logger;
 		$this->ldapProvider = $ldapProvider;
@@ -84,15 +89,27 @@ public function respondToActions() {
 	 * @return string|null
 	 */
 	public function createGroup($gid) {
+		$adminUser = $this->userSession->getUser();
+		$requireActorFromLDAP = $this->configuration->isLdapActorRequired();
+		if ($requireActorFromLDAP && !$adminUser instanceof IUser) {
+			throw new Exception('Acting user is not from LDAP');
+		}
+		try {
+			$connection = $this->ldapProvider->getLDAPConnection($adminUser->getUID());
+			// TODO: what about multiple bases?
+			$base = $this->ldapProvider->getLDAPBaseGroups($adminUser->getUID());
+		} catch (Exception $e) {
+			if ($requireActorFromLDAP) {
+				if ($this->configuration->isPreventFallback()) {
+					throw new \Exception('Acting admin is not from LDAP', 0, $e);
+				}
+				return false;
+			}
+			$connection = $this->ldapConnect->getLDAPConnection();
+			$base = $this->ldapConnect->getLDAPBaseGroups()[0];
+		}
 
-		/**
-		 * FIXME could not create group using LDAPProvider, because its methods rely
-		 * on passing an already inserted [ug]id, which we do not have at this point.
-		 */
-
-		$newGroupEntry = $this->buildNewEntry($gid);
-		$connection = $this->ldapConnect->getLDAPConnection();
-		$newGroupDN = "cn=$gid," . $this->ldapConnect->getLDAPBaseGroups()[0];
+        list($newGroupDN, $newGroupEntry) = $this->buildNewEntry($gid, $base);
 		$newGroupDN = $this->ldapProvider->sanitizeDN([$newGroupDN])[0];
 
 		if ($ret = ldap_add($connection, $newGroupDN, $newGroupEntry)) {
@@ -223,12 +240,30 @@ public function isLDAPGroup($gid) {
 		}
 	}
 
-	private function buildNewEntry($gid) {
-		return [
-			'objectClass' => ['groupOfNames', 'top'],
-			'cn' => $gid,
-			'member' => ['']
-		];
+	private function buildNewEntry($gid, $base) {
+        $ldif = $this->configuration->getGroupTemplate();
+
+		$ldif = str_replace('{GID}', $gid, $ldif);
+		$ldif = str_replace('{BASE}', $base, $ldif);
+
+		$entry = [];
+		$lines = explode(PHP_EOL, $ldif);
+		foreach ($lines as $line) {
+			$split = explode(':', $line, 2);
+			$key = trim($split[0]);
+			$value = trim($split[1]);
+			if (!isset($entry[$key])) {
+				$entry[$key] = $value;
+			} else if (is_array($entry[$key])) {
+				$entry[$key][] = $value;
+			} else {
+				$entry[$key] = [$entry[$key], $value];
+			}
+		}
+		$dn = $entry['dn'];
+		unset($entry['dn']);
+
+		return [$dn, $entry];
 	}
 
 	public function makeLdapBackendFirst() {
diff --git a/lib/LDAPUserManager.php b/lib/LDAPUserManager.php
@@ -118,6 +118,8 @@ public function respondToActions() {
 	 * @throws ServerNotAvailableException
 	 */
 	public function setDisplayName($uid, $displayName) {
+        trigger_error(__METHOD__);
+        $this->logger->error(__METHOD__, ['app' => 'ldap_write_support']);
 		$userDN = $this->getUserDN($uid);
 
 		$connection = $this->ldapProvider->getLDAPConnection($uid);
@@ -141,6 +143,10 @@ public function setDisplayName($uid, $displayName) {
 			if (ldap_mod_replace($connection, $userDN, [$displayNameField => $displayName])) {
 				return $displayName;
 			}
+            trigger_error(print_r(['conn' => $connection,
+                                   'user' => $userDN,
+                                   'dpyField' => $displayNameField,
+                                   'dpy' => $displayName], true));
 			throw new HintException('Failed to set display name');
 		} catch (ConstraintViolationException $e) {
 			throw new HintException(
diff --git a/lib/Service/Configuration.php b/lib/Service/Configuration.php
@@ -56,6 +56,14 @@ public function getUserTemplate() {
 		);
 	}
 
+	public function getGroupTemplate() {
+		return $this->config->getAppValue(
+			Application::APP_ID,
+			'template.group',
+			$this->getGroupTemplateDefault()
+		);
+	}
+
 	public function getUserTemplateDefault() {
 		return
 			'dn: uid={UID},{BASE}' . PHP_EOL .
@@ -67,6 +75,14 @@ public function getUserTemplateDefault() {
 			'userPassword: {PWD}';
 	}
 
+	public function getGroupTemplateDefault() {
+		return
+			'dn: cn={GID},{BASE}' . PHP_EOL .
+			'objectClass: groupOfNames' . PHP_EOL .
+			'cn: {GID}' . PHP_EOL .
+			'member:';
+	}
+
 	public function isRequireEmail(): bool {
 		// this core settings flag is not exposed anywhere else
 		return $this->config->getAppValue('core', 'newUser.requireEmail', 'no') === 'yes';
diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
@@ -53,7 +53,9 @@ public function getForm() {
 			'templates',
 			[
 				'user' => $this->config->getUserTemplate(),
-				'userDefault' => $this->config->getUserTemplateDefault(),
+				'userDefault' => $this->config->getGroupTemplateDefault(),
+				'group' => $this->config->getGroupTemplate(),
+				'groupDefault' => $this->config->getGroupTemplateDefault(),
 			]
 		);
 		$this->initialStateService->provideInitialState(
diff --git a/src/components/AdminSettings.vue b/src/components/AdminSettings.vue
@@ -53,6 +53,13 @@
 			<li><span class="mono">{BASE}</span> – {{ t('ldap_write_support', 'the LDAP node of the acting (sub)admin or the configured user base') }}</li>
 		</ul>
 		<textarea class="mono" v-on:change="setUserTemplate" v-model="templates.user">{{templates.user}}</textarea>
+		<h3>{{ t('ldap_write_support', 'Group template') }}</h3>
+		<p>{{ t('ldap_write_support', 'LDIF template for creating groups. Following placeholders may be used') }}</p>
+		<ul class="disc">
+			<li><span class="mono">{GID}</span> – {{ t('ldap_write_support', 'the group id provided by the (sub)admin') }}</li>
+			<li><span class="mono">{BASE}</span> – {{ t('ldap_write_support', 'the LDAP node of the acting (sub)admin or the configured group base') }}</li>
+		</ul>
+		<textarea class="mono" v-on:change="setGroupTemplate" v-model="templates.group">{{templates.group}}</textarea>
 	</div>
 </template>
 
@@ -67,6 +74,8 @@
 			templates: {
 				user: Object,
 				userDefault: Object,
+				group: Object,
+				groupDefault: Object,
 			},
 			switches: {
 				createRequireActorFromLdap: Boolean,
@@ -92,6 +101,18 @@
 				}
 				OCP.AppConfig.setValue('ldap_write_support', 'template.user', this.templates.user);
 			},
+			setGroupTemplate() {
+				if(this.templates.group === "") {
+					let self = this;
+					OCP.AppConfig.deleteKey('ldap_write_support', 'template.group', {
+						success: function() {
+							self.templates.group = self.templates.groupDefault;
+						}
+					});
+					return;
+				}
+				OCP.AppConfig.setValue('ldap_write_support', 'template.group', this.templates.group);
+			},
 			toggleSwitch(prefKey, state, appId = 'ldap_write_support') {
 				this.switches[prefKey] = state;
 				let value = (state | 0).toString();

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,9 @@ public function getForm() {`
`53`	`53`	`'templates',`
`54`	`54`	`[`
`55`	`55`	`'user' => $this->config->getUserTemplate(),`
`56`		`- 'userDefault' => $this->config->getUserTemplateDefault(),`
	`56`	`+ 'userDefault' => $this->config->getGroupTemplateDefault(),`
	`57`	`+ 'group' => $this->config->getGroupTemplate(),`
	`58`	`+ 'groupDefault' => $this->config->getGroupTemplateDefault(),`
`57`	`59`	`]`
`58`	`60`	`);`
`59`	`61`	`$this->initialStateService->provideInitialState(`