Merge pull request #22204 from nextcloud/backport/21559/stable18

[stable18] shortcut in reading nested group members when IN_CHAIN is available

4 files changed, 95 insertions, 11 deletions

diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php
index 724f240847a..13cb18be63f 100644
--- a/apps/user_ldap/lib/Configuration.php
+++ b/apps/user_ldap/lib/Configuration.php
@@ -44,6 +44,10 @@ class Configuration {
 	const AVATAR_PREFIX_NONE = 'none';
 	const AVATAR_PREFIX_DATA_ATTRIBUTE = 'data:';
 
+	public const LDAP_SERVER_FEATURE_UNKNOWN = 'unknown';
+	public const LDAP_SERVER_FEATURE_AVAILABLE = 'available';
+	public const LDAP_SERVER_FEATURE_UNAVAILABLE = 'unavailable';
+
 	protected $configPrefix = null;
 	protected $configRead = false;
 	/**
@@ -109,6 +113,7 @@ class Configuration {
 		'ldapDynamicGroupMemberURL' => null,
 		'ldapDefaultPPolicyDN' => null,
 		'ldapExtStorageHomeAttribute' => null,
+		'ldapMatchingRuleInChainState' => self::LDAP_SERVER_FEATURE_UNKNOWN,
 	);
 
 	/**
@@ -481,6 +486,7 @@ class Configuration {
 			'ldap_default_ppolicy_dn'           => '',
 			'ldap_user_avatar_rule'             => 'default',
 			'ldap_ext_storage_home_attribute'   => '',
+			'ldap_matching_rule_in_chain_state' => self::LDAP_SERVER_FEATURE_UNKNOWN,
 		);
 	}
 
@@ -542,6 +548,7 @@ class Configuration {
 			'ldap_dynamic_group_member_url'     => 'ldapDynamicGroupMemberURL',
 			'ldap_default_ppolicy_dn'           => 'ldapDefaultPPolicyDN',
 			'ldap_ext_storage_home_attribute'   => 'ldapExtStorageHomeAttribute',
+			'ldap_matching_rule_in_chain_state' => 'ldapMatchingRuleInChainState',
 			'ldapIgnoreNamingRules'             => 'ldapIgnoreNamingRules',	// sysconfig
 		);
 		return $array;
diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php
index 8d499a4ee1c..47d7a4fdbb7 100644
--- a/apps/user_ldap/lib/Connection.php
+++ b/apps/user_ldap/lib/Connection.php
@@ -66,6 +66,7 @@ use OCP\ILogger;
  * @property string[] ldapBaseGroups
  * @property string ldapGroupFilter
  * @property string ldapGroupDisplayName
+ * @property string ldapMatchingRuleInChainState
  */
 class Connection extends LDAPUtility {
 	private $ldapConnectionRes = null;
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index b369842d847..e9382206f72 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -232,6 +232,37 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 		if($groupMembers !== null) {
 			return $groupMembers;
 		}
+
+		if ($this->access->connection->ldapNestedGroups
+			&& $this->access->connection->useMemberOfToDetectMembership
+			&& $this->access->connection->hasMemberOfFilterSupport
+			&& $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE
+		) {
+			$attemptedLdapMatchingRuleInChain = true;
+			// compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others)
+			$filter = $this->access->combineFilterWithAnd([
+				$this->access->connection->ldapUserFilter,
+				$this->access->connection->ldapUserDisplayName . '=*',
+				'memberof:1.2.840.113556.1.4.1941:=' . $dnGroup
+			]);
+			$memberRecords = $this->access->fetchListOfUsers(
+				$filter,
+				$this->access->userManager->getAttributes(true)
+			);
+			$result = array_reduce($memberRecords, function ($carry, $record) {
+				$carry[] = $record['dn'][0];
+				return $carry;
+			}, []);
+			if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) {
+				return $result;
+			} elseif (!empty($memberRecords)) {
+				$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
+				$this->access->connection->saveConfiguration();
+				return $result;
+			}
+			// when feature availability is unknown, and the result is empty, continue and test with original approach
+		}
+
 		$seen[$dnGroup] = 1;
 		$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
 		if (is_array($members)) {
@@ -244,6 +275,13 @@ class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLD
 		$allMembers += $this->getDynamicGroupMembers($dnGroup);
 
 		$this->access->connection->writeToCache($cacheKey, $allMembers);
+		if (isset($attemptedLdapMatchingRuleInChain)
+			&& $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
+			&& !empty($allMembers)
+		) {
+			$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
+			$this->access->connection->saveConfiguration();
+		}
 		return $allMembers;
 	}
 
diff --git a/apps/user_ldap/tests/Group_LDAPTest.php b/apps/user_ldap/tests/Group_LDAPTest.php
index 7ea4cb463d9..baf51cfe864 100644
--- a/apps/user_ldap/tests/Group_LDAPTest.php
+++ b/apps/user_ldap/tests/Group_LDAPTest.php
@@ -72,13 +72,15 @@ class Group_LDAPTest extends TestCase {
 			->method('getConnection')
 			->will($this->returnValue($connector));
 
+		$access->userManager = $this->createMock(Manager::class);
+
 		return $access;
 	}
 
 	private function getPluginManagerMock() {
 		return $this->getMockBuilder('\OCA\User_LDAP\GroupPluginManager')->getMock();
 	}
-	
+
 	/**
 	 * @param Access|\PHPUnit_Framework_MockObject_MockObject $access
 	 */
@@ -119,12 +121,21 @@ class Group_LDAPTest extends TestCase {
 				}
 				return [];
 			});
-
+		$access->expects($this->any())
+			->method('combineFilterWithAnd')
+			->willReturn('pseudo=filter');
+		$access->expects($this->any())
+			->method('fetchListOfUsers')
+			->will($this->returnValue([])); // return val does not matter here
 		// for primary groups
 		$access->expects($this->once())
 			->method('countUsers')
 			->will($this->returnValue(2));
 
+		$access->userManager->expects($this->any())
+			->method('getAttributes')
+			->willReturn(['displayName', 'mail']);
+
 		$groupBackend = new GroupLDAP($access, $pluginManager);
 		$users = $groupBackend->countUsersInGroup('group');
 
@@ -164,6 +175,13 @@ class Group_LDAPTest extends TestCase {
 			->will($this->returnCallback(function() {
 				return 'foobar' . \OC::$server->getSecureRandom()->generate(7);
 			}));
+		$access->expects($this->any())
+			->method('combineFilterWithAnd')
+			->willReturn('pseudo=filter');
+
+		$access->userManager->expects($this->any())
+			->method('getAttributes')
+			->willReturn(['displayName', 'mail']);
 
 		$groupBackend = new GroupLDAP($access,$pluginManager);
 		$users = $groupBackend->countUsersInGroup('group', '3');
@@ -193,7 +211,7 @@ class Group_LDAPTest extends TestCase {
 		$ldap = new GroupLDAP($access, $pluginManager);
 
 		$this->assertEquals($ldap->countUsersInGroup('gid', 'search'),42);
-	}	
+	}
 
 	public function testGidNumber2NameSuccess() {
 		$access = $this->getAccessMock();
@@ -533,7 +551,13 @@ class Group_LDAPTest extends TestCase {
 		$access->expects($this->exactly(2))
 			->method('nextcloudUserNames')
 			->willReturnOnConsecutiveCalls(['lisa', 'bart', 'kira', 'brad'], ['walle', 'dino', 'xenia']);
-		$access->userManager = $this->createMock(Manager::class);
+		$access->expects($this->any())
+			->method('fetchListOfUsers')
+			->will($this->returnValue([])); // return val does not matter here
+
+		$access->userManager->expects($this->any())
+			->method('getAttributes')
+			->willReturn(['displayName', 'mail']);
 
 		$groupBackend = new GroupLDAP($access, $pluginManager);
 		$users = $groupBackend->usersInGroup('foobar');
@@ -568,7 +592,12 @@ class Group_LDAPTest extends TestCase {
 		$access->expects($this->once())
 			->method('nextcloudUserNames')
 			->will($this->returnValue(array('lisa', 'bart', 'kira', 'brad')));
-		$access->userManager = $this->createMock(Manager::class);
+		$access->expects($this->any())
+			->method('fetchListOfUsers')
+			->will($this->returnValue([])); // return val does not matter here
+		$access->userManager->expects($this->any())
+			->method('getAttributes')
+			->willReturn(['displayName', 'mail']);
 
 		$groupBackend = new GroupLDAP($access, $pluginManager);
 		$users = $groupBackend->usersInGroup('foobar');
@@ -602,10 +631,19 @@ class Group_LDAPTest extends TestCase {
 		$access->expects($this->any())
 			->method('groupname2dn')
 			->will($this->returnValue('cn=foobar,dc=foo,dc=bar'));
-
+		$access->expects($this->any())
+			->method('fetchListOfUsers')
+			->will($this->returnValue([])); // return val does not matter here
 		$access->expects($this->once())
 			->method('countUsers')
 			->will($this->returnValue(4));
+		$access->expects($this->any())
+			->method('combineFilterWithAnd')
+			->willReturn('pseudo=filter');
+
+		$access->userManager->expects($this->any())
+			->method('getAttributes')
+			->willReturn(['displayName', 'mail']);
 
 		$groupBackend = new GroupLDAP($access, $pluginManager);
 		$users = $groupBackend->countUsersInGroup('foobar');
@@ -770,7 +808,7 @@ class Group_LDAPTest extends TestCase {
 		$this->assertEquals($ldap->createGroup('gid'),true);
 	}
 
-	
+
 	public function testCreateGroupFailing() {
 		$this->expectException(\Exception::class);
 
@@ -825,7 +863,7 @@ class Group_LDAPTest extends TestCase {
 		$this->assertEquals($ldap->deleteGroup('gid'),'result');
 	}
 
-	
+
 	public function testDeleteGroupFailing() {
 		$this->expectException(\Exception::class);
 
@@ -871,7 +909,7 @@ class Group_LDAPTest extends TestCase {
 		$this->assertEquals($ldap->addToGroup('uid', 'gid'),'result');
 	}
 
-	
+
 	public function testAddToGroupFailing() {
 		$this->expectException(\Exception::class);
 
@@ -917,7 +955,7 @@ class Group_LDAPTest extends TestCase {
 		$this->assertEquals($ldap->removeFromGroup('uid', 'gid'),'result');
 	}
 
-	
+
 	public function testRemoveFromGroupFailing() {
 		$this->expectException(\Exception::class);
 
@@ -963,7 +1001,7 @@ class Group_LDAPTest extends TestCase {
 		$this->assertEquals($ldap->getGroupDetails('gid'),'result');
 	}
 
-	
+
 	public function testGetGroupDetailsFailing() {
 		$this->expectException(\Exception::class);