diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 0395a4a80e..a7a90c7583 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -378,9 +378,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { && intval($this->access->connection->useMemberOfToDetectMembership) === 1 ) { $groupDNs = $this->access->readAttribute($userDN, 'memberOf'); + if (is_array($groupDNs)) { + $groupDNs = $this->access->groupsMatchFilter($groupDNs); foreach ($groupDNs as $dn) { - $groups[] = $this->access->dn2groupname($dn);; + $groups[] = $this->access->dn2groupname($dn); } } if($primaryGroup !== false) { diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php index f38d11d4be..b201220d72 100644 --- a/apps/user_ldap/lib/access.php +++ b/apps/user_ldap/lib/access.php @@ -346,6 +346,33 @@ class Access extends LDAPUtility implements user\IUserTools { return $this->dn2ocname($fdn, $ldapName, false); } + /** + * accepts an array of group DNs and tests whether they match the user + * filter by doing read operations against the group entries. Returns an + * array of DNs that match the filter. + * + * @param string[] $groupDNs + * @return string[] + */ + public function groupsMatchFilter($groupDNs) { + $validGroupDNs = []; + foreach($groupDNs as $dn) { + $cacheKey = 'groupsMatchFilter-'.$dn; + if($this->connection->isCached($cacheKey)) { + if($this->connection->getFromCache($cacheKey)) { + $validGroupDNs[] = $dn; + } + continue; + } + + $result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter); + if(is_array($result)) { + $validGroupDNs[] = $dn; + } + } + return $validGroupDNs; + } + /** * returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN or failure * @param string $dn the dn of the user object diff --git a/apps/user_ldap/tests/.htaccess b/apps/user_ldap/tests/.htaccess new file mode 100755 index 0000000000..5e068d2866 --- /dev/null +++ b/apps/user_ldap/tests/.htaccess @@ -0,0 +1,14 @@ +# Generated by ownCloud on 2015-06-18 14:16:40 +# line below if for Apache 2.4 + +Require all denied + + +# line below if for Apache 2.2 + +deny from all +Satisfy All + + +# section for Apache 2.2 and 2.4 +IndexIgnore * diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php index aeb306174f..f716618ce4 100644 --- a/apps/user_ldap/tests/group_ldap.php +++ b/apps/user_ldap/tests/group_ldap.php @@ -404,6 +404,10 @@ class Test_Group_Ldap extends \Test\TestCase { ->method('dn2groupname') ->will($this->returnArgument(0)); + $access->expects($this->once()) + ->method('groupsMatchFilter') + ->will($this->returnArgument(0)); + $groupBackend = new GroupLDAP($access); $groups = $groupBackend->getUserGroups('userX'); diff --git a/apps/user_ldap/tests/integration/lib/IntegrationTestAccessGroupsMatchFilter.php b/apps/user_ldap/tests/integration/lib/IntegrationTestAccessGroupsMatchFilter.php new file mode 100644 index 0000000000..6560153bb6 --- /dev/null +++ b/apps/user_ldap/tests/integration/lib/IntegrationTestAccessGroupsMatchFilter.php @@ -0,0 +1,158 @@ +base = $base; + $this->server = [ + 'host' => $host, + 'port' => $port, + 'dn' => $bind, + 'pwd' => $pwd + ]; + } + + /** + * prepares the LDAP environement and sets up a test configuration for + * the LDAP backend. + */ + public function init() { + require('setup-scripts/createExplicitUsers.php'); + require('setup-scripts/createExplicitGroups.php'); + + $this->initLDAPWrapper(); + $this->initConnection(); + $this->initAccess(); + } + + /** + * runs the test cases while outputting progress and result information + * + * If a test failed, the script is exited with return code 1. + */ + public function run() { + $cases = ['case1', 'case2']; + + foreach ($cases as $case) { + print("running $case " . PHP_EOL); + if (!$this->$case()) { + print(PHP_EOL . '>>> !!! Test ' . $case . ' FAILED !!! <<<' . PHP_EOL . PHP_EOL); + exit(1); + } + } + + print('Tests succeeded' . PHP_EOL); + } + + /** + * tests whether the group filter works with one specific group, while the + * input is the same. + * + * @return bool + */ + private function case1() { + $this->connection->setConfiguration(['ldapGroupFilter' => 'cn=RedGroup']); + + $dns = ['cn=RedGroup,ou=Groups,' . $this->base]; + $result = $this->access->groupsMatchFilter($dns); + return ($dns === $result); + } + + /** + * Tests whether a filter for limited groups is effective when more existing + * groups were passed for validation. + * + * @return bool + */ + private function case2() { + $this->connection->setConfiguration(['ldapGroupFilter' => '(|(cn=RedGroup)(cn=PurpleGroup))']); + + $dns = [ + 'cn=RedGroup,ou=Groups,' . $this->base, + 'cn=BlueGroup,ou=Groups,' . $this->base, + 'cn=PurpleGroup,ou=Groups,' . $this->base + ]; + $result = $this->access->groupsMatchFilter($dns); + + $status = + count($result) === 2 + && in_array('cn=RedGroup,ou=Groups,' . $this->base, $result) + && in_array('cn=PurpleGroup,ou=Groups,' . $this->base, $result); + + return $status; + } + + /** + * initializes the Access test instance + */ + private function initAccess() { + $this->access = new \OCA\user_ldap\lib\Access($this->connection, $this->ldap, new FakeManager()); + } + + /** + * initializes the test LDAP wrapper + */ + private function initLDAPWrapper() { + $this->ldap = new LDAP(); + } + + /** + * sets up the LDAP configuration to be used for the test + */ + private function initConnection() { + $this->connection = new \OCA\user_ldap\lib\Connection($this->ldap, '', null); + $this->connection->setConfiguration([ + 'ldapHost' => $this->server['host'], + 'ldapPort' => $this->server['port'], + 'ldapBase' => $this->base, + 'ldapAgentName' => $this->server['dn'], + 'ldapAgentPassword' => $this->server['pwd'], + 'ldapUserFilter' => 'objectclass=inetOrgPerson', + 'ldapUserDisplayName' => 'displayName', + 'ldapGroupDisplayName' => 'cn', + 'ldapLoginFilter' => 'uid=%uid', + 'ldapCacheTTL' => 0, + 'ldapConfigurationActive' => 1, + ]); + } +} + +/** + * Class FakeManager + * + * this is a mock of \OCA\user_ldap\lib\user\Manager which is a dependency of + * Access, that pulls plenty more things in. Because it is not needed in the + * scope of these tests, we replace it with a mock. + */ +class FakeManager extends \OCA\user_ldap\lib\user\Manager { + public function __construct() {} +} + +require_once('setup-scripts/config.php'); +$test = new IntegrationTestAccessGroupsMatchFilter($host, $port, $adn, $apwd, $bdn); +$test->init(); +$test->run(); diff --git a/apps/user_ldap/tests/integration/readme.md b/apps/user_ldap/tests/integration/readme.md new file mode 100644 index 0000000000..e20efef8fd --- /dev/null +++ b/apps/user_ldap/tests/integration/readme.md @@ -0,0 +1,60 @@ +# Requirements # + +Have (as in do copy if not already done) the following files from https://github.com/owncloud/administration/tree/master/ldap-testing copied into the directory "setup-scripts": + + * start.sh + * stop.sh + * config.php + +Configure config.php according to your needs, also have a look into the LDAP and network settings in start.sh and stop.sh. + +# Usage # + +The basic command to run a test is: + +```# ./run-test.sh [phpscript]``` + +Yes, run it as root from within this directory. + +Example: + +``` +$ sudo ./run-test.sh lib/IntegrationTestAccessGroupsMatchFilter.php +71cbe88a4993e67066714d71c1cecc5ef26a54911a208103cb6294f90459e574 +c74dc0155db4efa7a0515d419528a8727bbc7596601cf25b0df05e348bd74895 +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +c74dc0155db4 osixia/phpldapadmin:0.5.1 "/sbin/my_init" 1 seconds ago Up Less than a second 80/tcp, 0.0.0.0:8443->443/tcp docker-phpldapadmin +71cbe88a4993 nickstenning/slapd:latest "/sbin/my_init" 1 seconds ago Up Less than a second 127.0.0.1:7770->389/tcp docker-slapd + +LDAP server now available under 127.0.0.1:7770 (internal IP is 172.17.0.78) +phpldapadmin now available under https://127.0.0.1:8443 + +created user : Alice Ealic +created group : RedGroup +created group : BlueGroup +created group : GreenGroup +created group : PurpleGroup +running case1 +running case2 +Tests succeeded +Stopping and resetting containers +docker-slapd +docker-phpldapadmin +docker-slapd +docker-phpldapadmin +``` + +# How it works # + +1. start.sh is executed which brings up a fresh and clean OpenLDAP in Docker. +2. The provided test script is executed. It also outputs results. +3. stop.sh is executed to shut down OpenLDAP + +# Beware # + +This is quick solution for basically one test case. With expension this mechanism should be improved as well. + +It does not run automatically, unless you do it. No integration with any testing framework. + +exceptionOnLostConnection.php is not part of this mechanism. Read its source and run it isolated. While you're at it, port it :รพ + diff --git a/apps/user_ldap/tests/integration/run-test.sh b/apps/user_ldap/tests/integration/run-test.sh new file mode 100755 index 0000000000..e07e9b4340 --- /dev/null +++ b/apps/user_ldap/tests/integration/run-test.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +if [ $1 ] ; then + TESTSCRIPT=$1 +else + echo "No test file given" exit +fi + +if [ ! -e "$TESTSCRIPT" ] ; then + echo "Test file does not exist" + exit +fi + + +# sleep is necessary, otherwise the LDAP server cannot be connected to, yet. +setup-scripts/start.sh && sleep 2 && php -f "$TESTSCRIPT" +setup-scripts/stop.sh diff --git a/apps/user_ldap/tests/integration/setup-scripts/createExplicitGroups.php b/apps/user_ldap/tests/integration/setup-scripts/createExplicitGroups.php new file mode 100644 index 0000000000..68854de557 --- /dev/null +++ b/apps/user_ldap/tests/integration/setup-scripts/createExplicitGroups.php @@ -0,0 +1,52 @@ +