From 846370c55f4906c49ce70ff8d7950eae7ae75968 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon <blizzz@arthur-schiwon.de>
Date: Tue, 21 Nov 2023 20:20:16 +0100
Subject: [PATCH] enh(LDAP): implement IIsAdmin interface

- add configuration to specify one LDAP group acting as admin group (CLI)
- implement `isAdmin()` method, basically relying on inGroup against the
  configured group

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
---
 apps/user_ldap/lib/Configuration.php          |  3 +++
 apps/user_ldap/lib/Connection.php             |  1 +
 apps/user_ldap/lib/Group_LDAP.php             | 18 +++++++++++++-
 apps/user_ldap/lib/Group_Proxy.php            |  7 +++++-
 .../openldap-numerical-id.feature             | 24 +++++++++++++++++++
 5 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php
index 36258f5ad271b..43d7b5cfbf1d4 100644
--- a/apps/user_ldap/lib/Configuration.php
+++ b/apps/user_ldap/lib/Configuration.php
@@ -134,6 +134,7 @@ class Configuration {
 		'ldapAttributeRole' => null,
 		'ldapAttributeHeadline' => null,
 		'ldapAttributeBiography' => null,
+		'ldapAdminGroup' => '',
 	];
 
 	public function __construct(string $configPrefix, bool $autoRead = true) {
@@ -490,6 +491,7 @@ public function getDefaults(): array {
 			'ldap_attr_role' => '',
 			'ldap_attr_headline' => '',
 			'ldap_attr_biography' => '',
+			'ldap_admin_group' => '',
 		];
 	}
 
@@ -566,6 +568,7 @@ public function getConfigTranslationArray(): array {
 			'ldap_attr_role' => 'ldapAttributeRole',
 			'ldap_attr_headline' => 'ldapAttributeHeadline',
 			'ldap_attr_biography' => 'ldapAttributeBiography',
+			'ldap_admin_group' => 'ldapAdminGroup',
 		];
 		return $array;
 	}
diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php
index 14d3111f1d30a..37f7dcaea5ca7 100644
--- a/apps/user_ldap/lib/Connection.php
+++ b/apps/user_ldap/lib/Connection.php
@@ -83,6 +83,7 @@
  * @property string ldapAttributeRole
  * @property string ldapAttributeHeadline
  * @property string ldapAttributeBiography
+ * @property string ldapAdminGroup
  */
 class Connection extends LDAPUtility {
 	/**
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index a388c4acbd569..5c9d956cedff1 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -48,6 +48,7 @@
 use OC\ServerNotAvailableException;
 use OCA\User_LDAP\User\OfflineUser;
 use OCP\Cache\CappedMemoryCache;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\GroupInterface;
 use OCP\Group\Backend\ABackend;
 use OCP\Group\Backend\IDeleteGroupBackend;
@@ -58,7 +59,7 @@
 use Psr\Log\LoggerInterface;
 use function json_decode;
 
-class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
+class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
 	protected bool $enabled = false;
 
 	/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of user DN with gid as key */
@@ -1241,6 +1242,7 @@ protected function filterValidGroups(array $listOfGroups): array {
 	public function implementsActions($actions): bool {
 		return (bool)((GroupInterface::COUNT_USERS |
 				GroupInterface::DELETE_GROUP |
+				GroupInterface::IS_ADMIN |
 				$this->groupPluginManager->getImplementedActions()) & $actions);
 	}
 
@@ -1444,4 +1446,18 @@ public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gi
 		// $cacheKey = 'usersInGroup-' . $gid . '-' . $search;
 		// $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
 	}
+
+	/**
+	 * @throws ServerNotAvailableException
+	 */
+	public function isAdmin(string $uid): bool {
+		if (!$this->enabled) {
+			return false;
+		}
+		$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
+		if ($ldapAdminGroup === '') {
+			return false;
+		}
+		return $this->inGroup($uid, $ldapAdminGroup);
+	}
 }
diff --git a/apps/user_ldap/lib/Group_Proxy.php b/apps/user_ldap/lib/Group_Proxy.php
index a5e5c6c141383..73daf4fdd7780 100644
--- a/apps/user_ldap/lib/Group_Proxy.php
+++ b/apps/user_ldap/lib/Group_Proxy.php
@@ -33,12 +33,13 @@
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
 use OCP\Group\Backend\IGroupDetailsBackend;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\Group\Backend\INamedBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
 
-class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend {
+class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IBatchMethodsBackend, IIsAdminBackend {
 	private $backends = [];
 	private ?Group_LDAP $refBackend = null;
 	private Helper $helper;
@@ -396,4 +397,8 @@ public function searchInGroup(string $gid, string $search = '', int $limit = -1,
 	public function addRelationshipToCaches(string $uid, ?string $dnUser, string $gid): void {
 		$this->handleRequest($gid, 'addRelationshipToCaches', [$uid, $dnUser, $gid]);
 	}
+
+	public function isAdmin(string $uid): bool {
+		return $this->handleRequest($uid, 'isAdmin', [$uid]);
+	}
 }
diff --git a/build/integration/ldap_features/openldap-numerical-id.feature b/build/integration/ldap_features/openldap-numerical-id.feature
index 4ea63823295fc..509b79cd6f29d 100644
--- a/build/integration/ldap_features/openldap-numerical-id.feature
+++ b/build/integration/ldap_features/openldap-numerical-id.feature
@@ -66,3 +66,27 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
     | 50194 | 1 |
     | 59376 | 1 |
     | 59463 | 1 |
+
+Scenario: Test LDAP admin group mapping, empowered user
+  Given modify LDAP configuration
+    | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+    | ldapGroupFilter               | (objectclass=groupOfNames) |
+    | ldapGroupMemberAssocAttr      | member |
+    | ldapAdminGroup                | 3001   |
+    | useMemberOfToDetectMembership | 1 |
+  And cookies are reset
+  And Logging in using web as "alice"
+  And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+  Then the HTTP status code should be "200"
+
+Scenario: Test LDAP admin group mapping, regular user (no access)
+    Given modify LDAP configuration
+      | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+      | ldapGroupFilter               | (objectclass=groupOfNames) |
+      | ldapGroupMemberAssocAttr      | member |
+      | ldapAdminGroup                | 3001   |
+      | useMemberOfToDetectMembership | 1 |
+    And cookies are reset
+    And Logging in using web as "gustaf"
+    And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+    Then the HTTP status code should be "401"