Merge branch 'stable27' into backport/39044/stable27

apps/user_ldap/appinfo/info.xml

@@ -50,6 +50,7 @@ A user logs into Nextcloud with their LDAP or AD credentials, and is granted acc
 		<command>OCA\User_LDAP\Command\CheckUser</command>
 		<command>OCA\User_LDAP\Command\CreateEmptyConfig</command>
 		<command>OCA\User_LDAP\Command\DeleteConfig</command>
+		<command>OCA\User_LDAP\Command\PromoteGroup</command>
 		<command>OCA\User_LDAP\Command\ResetGroup</command>
 		<command>OCA\User_LDAP\Command\ResetUser</command>
 		<command>OCA\User_LDAP\Command\Search</command>

apps/user_ldap/composer/composer/autoload_classmap.php

@@ -14,6 +14,7 @@ return array(
     'OCA\\User_LDAP\\Command\\CheckUser' => $baseDir . '/../lib/Command/CheckUser.php',
     'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => $baseDir . '/../lib/Command/CreateEmptyConfig.php',
     'OCA\\User_LDAP\\Command\\DeleteConfig' => $baseDir . '/../lib/Command/DeleteConfig.php',
+    'OCA\\User_LDAP\\Command\\PromoteGroup' => $baseDir . '/../lib/Command/PromoteGroup.php',
     'OCA\\User_LDAP\\Command\\ResetGroup' => $baseDir . '/../lib/Command/ResetGroup.php',
     'OCA\\User_LDAP\\Command\\ResetUser' => $baseDir . '/../lib/Command/ResetUser.php',
     'OCA\\User_LDAP\\Command\\Search' => $baseDir . '/../lib/Command/Search.php',

apps/user_ldap/composer/composer/autoload_static.php

@@ -29,6 +29,7 @@ class ComposerStaticInitUser_LDAP
         'OCA\\User_LDAP\\Command\\CheckUser' => __DIR__ . '/..' . '/../lib/Command/CheckUser.php',
         'OCA\\User_LDAP\\Command\\CreateEmptyConfig' => __DIR__ . '/..' . '/../lib/Command/CreateEmptyConfig.php',
         'OCA\\User_LDAP\\Command\\DeleteConfig' => __DIR__ . '/..' . '/../lib/Command/DeleteConfig.php',
+        'OCA\\User_LDAP\\Command\\PromoteGroup' => __DIR__ . '/..' . '/../lib/Command/PromoteGroup.php',
         'OCA\\User_LDAP\\Command\\ResetGroup' => __DIR__ . '/..' . '/../lib/Command/ResetGroup.php',
         'OCA\\User_LDAP\\Command\\ResetUser' => __DIR__ . '/..' . '/../lib/Command/ResetUser.php',
         'OCA\\User_LDAP\\Command\\Search' => __DIR__ . '/..' . '/../lib/Command/Search.php',

apps/user_ldap/lib/Command/PromoteGroup.php

@@ -0,0 +1,128 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2023 Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\User_LDAP\Command;
+
+use OCA\User_LDAP\Group_Proxy;
+use OCP\IGroup;
+use OCP\IGroupManager;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\QuestionHelper;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Question\Question;
+
+class PromoteGroup extends Command {
+
+	public function __construct(
+		private IGroupManager $groupManager,
+		private Group_Proxy $backend
+	) {
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		$this
+			->setName('ldap:promote-group')
+			->setDescription('declares the specified group as admin group (only one is possible per LDAP configuration)')
+			->addArgument(
+				'group',
+				InputArgument::REQUIRED,
+				'the group ID in Nextcloud or a group name'
+			)
+			->addOption(
+				'yes',
+				'y',
+				InputOption::VALUE_NONE,
+				'do not ask for confirmation'
+			);
+	}
+
+	protected function formatGroupName(IGroup $group): string {
+		$idLabel = '';
+		if ($group->getGID() !== $group->getDisplayName()) {
+			$idLabel = sprintf(' (Group ID: %s)', $group->getGID());
+		}
+		return sprintf('%s%s', $group->getDisplayName(), $idLabel);
+	}
+
+	protected function promoteGroup(IGroup $group, InputInterface $input, OutputInterface $output): void {
+		$access = $this->backend->getLDAPAccess($group->getGID());
+		$currentlyPromotedGroupId = $access->connection->ldapAdminGroup;
+		if ($currentlyPromotedGroupId === $group->getGID()) {
+			$output->writeln('<info>The specified group is already promoted</info>');
+			return;
+		}
+
+		if ($input->getOption('yes') === false) {
+			$currentlyPromotedGroup = $this->groupManager->get($currentlyPromotedGroupId);
+			$demoteLabel = '';
+			if ($currentlyPromotedGroup instanceof IGroup && $this->backend->groupExists($currentlyPromotedGroup->getGID())) {
+				$groupNameLabel = $this->formatGroupName($currentlyPromotedGroup);
+				$demoteLabel = sprintf('and demote %s ', $groupNameLabel);
+			}
+
+			/** @var QuestionHelper $helper */
+			$helper = $this->getHelper('question');
+			$q = new Question(sprintf('Promote %s to the admin group %s(y|N)? ', $this->formatGroupName($group), $demoteLabel));
+			$input->setOption('yes', $helper->ask($input, $output, $q) === 'y');
+		}
+		if ($input->getOption('yes') === true) {
+			$access->connection->setConfiguration(['ldapAdminGroup' => $group->getGID()]);
+			$access->connection->saveConfiguration();
+			$output->writeln(sprintf('<info>Group %s was promoted</info>', $group->getDisplayName()));
+		} else {
+			$output->writeln('<comment>Group promotion cancelled</comment>');
+		}
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$groupInput = (string)$input->getArgument('group');
+		$group = $this->groupManager->get($groupInput);
+
+		if ($group instanceof IGroup && $this->backend->groupExists($group->getGID())) {
+			$this->promoteGroup($group, $input, $output);
+			return 0;
+		}
+
+		$groupCandidates = $this->backend->getGroups($groupInput, 20);
+		foreach ($groupCandidates as $gidCandidate) {
+			$group = $this->groupManager->get($gidCandidate);
+			if ($group !== null
+				&& $this->backend->groupExists($group->getGID()) // ensure it is an LDAP group
+				&& ($group->getGID() === $groupInput
+					|| $group->getDisplayName() === $groupInput)
+			) {
+				$this->promoteGroup($group, $input, $output);
+				return 0;
+			}
+		}
+
+		$output->writeln('<error>No matching group found</error>');
+		return 1;
+	}
+
+}

apps/user_ldap/lib/Configuration.php

@@ -133,6 +133,7 @@ class Configuration {
 		'ldapAttributeRole' => null,
 		'ldapAttributeHeadline' => null,
 		'ldapAttributeBiography' => null,
+		'ldapAdminGroup' => '',
 	];
 
 	public function __construct(string $configPrefix, bool $autoRead = true) {
@@ -488,6 +489,7 @@ class Configuration {
 			'ldap_attr_role' => '',
 			'ldap_attr_headline' => '',
 			'ldap_attr_biography' => '',
+			'ldap_admin_group' => '',
 		];
 	}
 
@@ -563,6 +565,7 @@ class Configuration {
 			'ldap_attr_role' => 'ldapAttributeRole',
 			'ldap_attr_headline' => 'ldapAttributeHeadline',
 			'ldap_attr_biography' => 'ldapAttributeBiography',
+			'ldap_admin_group' => 'ldapAdminGroup',
 		];
 		return $array;
 	}

apps/user_ldap/lib/Connection.php

@@ -82,6 +82,7 @@ use Psr\Log\LoggerInterface;
  * @property string ldapAttributeRole
  * @property string ldapAttributeHeadline
  * @property string ldapAttributeBiography
+ * @property string ldapAdminGroup
  */
 class Connection extends LDAPUtility {
 	/**

apps/user_ldap/lib/Group_LDAP.php

@@ -48,6 +48,7 @@ use Exception;
 use OC\ServerNotAvailableException;
 use OCA\User_LDAP\User\OfflineUser;
 use OCP\Cache\CappedMemoryCache;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\GroupInterface;
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
@@ -57,7 +58,7 @@ use OCP\Server;
 use Psr\Log\LoggerInterface;
 use function json_decode;
 
-class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
+class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend, IIsAdminBackend {
 	protected bool $enabled = false;
 
 	/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of users with gid as key */
@@ -1227,6 +1228,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	public function implementsActions($actions): bool {
 		return (bool)((GroupInterface::COUNT_USERS |
 				GroupInterface::DELETE_GROUP |
+				GroupInterface::IS_ADMIN |
 				$this->groupPluginManager->getImplementedActions()) & $actions);
 	}
 
@@ -1392,4 +1394,18 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 		$this->access->connection->writeToCache($cacheKey, $displayName);
 		return $displayName;
 	}
+
+	/**
+	 * @throws ServerNotAvailableException
+	 */
+	public function isAdmin(string $uid): bool {
+		if (!$this->enabled) {
+			return false;
+		}
+		$ldapAdminGroup = $this->access->connection->ldapAdminGroup;
+		if ($ldapAdminGroup === '') {
+			return false;
+		}
+		return $this->inGroup($uid, $ldapAdminGroup);
+	}
 }

apps/user_ldap/lib/Group_Proxy.php

@@ -30,12 +30,13 @@ namespace OCA\User_LDAP;
 
 use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\Group\Backend\IGetDisplayNameBackend;
+use OCP\Group\Backend\IIsAdminBackend;
 use OCP\Group\Backend\INamedBackend;
 use OCP\GroupInterface;
 use OCP\IConfig;
 use OCP\IUserManager;
 
-class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend {
+class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGetDisplayNameBackend, INamedBackend, IDeleteGroupBackend, IIsAdminBackend {
 	private $backends = [];
 	private ?Group_LDAP $refBackend = null;
 	private Helper $helper;
@@ -347,4 +348,8 @@ class Group_Proxy extends Proxy implements \OCP\GroupInterface, IGroupLDAP, IGet
 	public function searchInGroup(string $gid, string $search = '', int $limit = -1, int $offset = 0): array {
 		return $this->handleRequest($gid, 'searchInGroup', [$gid, $search, $limit, $offset]);
 	}
+
+	public function isAdmin(string $uid): bool {
+		return $this->handleRequest($uid, 'isAdmin', [$uid]);
+	}
 }

build/integration/ldap_features/openldap-numerical-id.feature

@@ -66,3 +66,31 @@ Scenario: Test LDAP group membership with intermediate groups not matching filte
     | 50194 | 1 |
     | 59376 | 1 |
     | 59463 | 1 |
+
+Scenario: Test LDAP admin group mapping, empowered user
+  Given modify LDAP configuration
+    | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+    | ldapGroupFilter               | (objectclass=groupOfNames) |
+    | ldapGroupMemberAssocAttr      | member |
+    | ldapAdminGroup                | 3001   |
+    | useMemberOfToDetectMembership | 1 |
+  And cookies are reset
+  # alice, part of the promoted group
+  And Logging in using web as "92379"
+  And sending "GET" to "/cloud/groups"
+  And sending "GET" to "/cloud/groups/2000/users"
+  And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+  Then the HTTP status code should be "200"
+
+Scenario: Test LDAP admin group mapping, regular user (no access)
+    Given modify LDAP configuration
+      | ldapBaseGroups                | ou=NumericGroups,dc=nextcloud,dc=ci |
+      | ldapGroupFilter               | (objectclass=groupOfNames) |
+      | ldapGroupMemberAssocAttr      | member |
+      | ldapAdminGroup                | 3001   |
+      | useMemberOfToDetectMembership | 1 |
+    And cookies are reset
+    # gustaf, not part of the promoted group
+    And Logging in using web as "59376"
+    And Sending a "GET" to "/index.php/settings/admin/overview" with requesttoken
+    Then the HTTP status code should be "403"

core/Controller/LoginController.php

@@ -62,6 +62,7 @@ use OCP\Util;
 class LoginController extends Controller {
 	public const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword';
 	public const LOGIN_MSG_USERDISABLED = 'userdisabled';
+	public const LOGIN_MSG_CSRFCHECKFAILED = 'csrfCheckFailed';
 
 	private IUserManager $userManager;
 	private IConfig $config;
@@ -311,7 +312,7 @@ class LoginController extends Controller {
 				$user,
 				$user,
 				$redirect_url,
-				$this->l10n->t('Please try again')
+				self::LOGIN_MSG_CSRFCHECKFAILED
 			);
 		}
 

core/src/components/login/LoginForm.vue

@@ -32,6 +32,11 @@
 				type="warning">
 				{{ t('core', 'Please contact your administrator.') }}
 			</NcNoteCard>
+			<NcNoteCard v-if="csrfCheckFailed"
+				:heading="t('core', 'Temporary error')"
+				type="error">
+				{{ t('core', 'Please try again.') }}
+			</NcNoteCard>
 			<NcNoteCard v-if="messages.length > 0">
 				<div v-for="(message, index) in messages"
 					:key="index">
@@ -186,6 +191,9 @@ export default {
 		apacheAuthFailed() {
 			return this.errors.indexOf('apacheAuthFailed') !== -1
 		},
+		csrfCheckFailed() {
+			return this.errors.indexOf('csrfCheckFailed') !== -1
+		},
 		internalException() {
 			return this.errors.indexOf('internalexception') !== -1
 		},

lib/private/Authentication/Login/LoginResult.php

@@ -25,6 +25,8 @@ declare(strict_types=1);
  */
 namespace OC\Authentication\Login;
 
+use OC\Core\Controller\LoginController;
+
 class LoginResult {
 	/** @var bool */
 	private $success;
@@ -59,6 +61,9 @@ class LoginResult {
 		return $result;
 	}
 
+	/**
+	 * @param LoginController::LOGIN_MSG_*|null $msg
+	 */
 	public static function failure(LoginData $data, string $msg = null): LoginResult {
 		$result = new static(false, $data);
 		if ($msg !== null) {