Skip to content

Nested ldap groups #30223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
come-nc merged 22 commits into from
Oct 20, 2022
Merged

Nested ldap groups #30223

Changes from 1 commit
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
1e4ac22
Make it possible to return nested records whem walking over groups
blizzz Dec 12, 2021
ad2fdbe
Refactor code to split common loop
blizzz Dec 12, 2021
5647093
Cache intermediates
blizzz Dec 12, 2021
0fd7a51
Add more type hinting
CarlSchwan Dec 10, 2021
49aa352
Unify a bit the types of the fetcher
CarlSchwan Dec 9, 2021
6522f8a
Fix merging list with null
CarlSchwan Dec 10, 2021
d07f43d
Refactor _groupMembers to correctly use cache on intermediate results
come-nc Dec 13, 2021
8b19cfc
Small optimisation of _groupMembers
come-nc Dec 13, 2021
02ccce1
Add tests for nested groups
come-nc Dec 13, 2021
6ed0d0b
Refactor group membership listing for nested groups
come-nc Dec 14, 2021
7437673
Add testing of nested group membership
come-nc Dec 14, 2021
150e6ad
Fix types in docblocks
come-nc Dec 14, 2021
69f9e9f
Removed unused use declaration
come-nc Dec 14, 2021
604b5ac
Add missing copyright author in Group_LDAP
come-nc Dec 14, 2021
33be3f7
Only cache base inGroup search
CarlSchwan Jul 18, 2022
e0fbd39
Add back runtime cache for intermediate ldap read results
CarlSchwan Jul 18, 2022
1b12a08
Fix user_ldap tests
CarlSchwan Jul 21, 2022
be5338e
Revert Carl changes on apps/user_ldap/lib/Group_LDAP.php
CarlSchwan Jul 21, 2022
746a5fb
Fix LDAP recursive nested group support
come-nc Jul 26, 2022
1a6a6c9
Bring back small fixes by Carl
come-nc Aug 30, 2022
60ec5e6
Check if cache is present with isset
CarlSchwan Oct 20, 2022
99a7529
Fix psalm
CarlSchwan Oct 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Refactor _groupMembers to correctly use cache on intermediate results 
Signed-off-by: Côme Chilliet <[email protected]>
  • Loading branch information
@come-nc @CarlSchwan
come-nc authored and CarlSchwan committed Oct 20, 2022
commit d07f43dc12addf21aaa76e6b330560b42d8f3ced
63 changes: 28 additions & 35 deletions apps/user_ldap/lib/Group_LDAP.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,26 +240,15 @@ public function getDynamicGroupMembers(string $dnGroup): array {

/**
* Get group members from dn.
* @psalm-param array<string, int|array|string> $seen List of DN that have already been processed.
* @psalm-param array<string, bool> $seen List of DN that have already been processed.
* @throws ServerNotAvailableException
*/
private function _groupMembers(string $dnGroup, ?array &$seen = null): array {
if ($seen === null) {
$seen = [];
// the root entry has to be marked as processed to avoid infinite loops,
// but not included in the results later on
$excludeFromResult = $dnGroup;
}
// cache only base groups, otherwise groups get additional unwarranted members
$shouldCacheResult = count($seen) === 0;

/** @psalm-var array<string, string[]|bool> $rawMemberReads */
static $rawMemberReads = []; // runtime cache for intermediate ldap read results
$allMembers = [];

if (array_key_exists($dnGroup, $seen)) {
private function _groupMembers(string $dnGroup, array &$seen = []): array {
if (isset($seen[$dnGroup])) {
return [];
}
$seen[$dnGroup] = true;

// used extensively in cron job, caching makes sense for nested groups
$cacheKey = '_groupMembers' . $dnGroup;
$groupMembers = $this->access->connection->getFromCache($cacheKey);
Expand Down Expand Up @@ -288,47 +277,51 @@ private function _groupMembers(string $dnGroup, ?array &$seen = null): array {
return $carry;
}, []);
if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) {
$this->access->connection->writeToCache($cacheKey, $result);
return $result;
} elseif (!empty($memberRecords)) {
$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
$this->access->connection->saveConfiguration();
$this->access->connection->writeToCache($cacheKey, $result);
return $result;
}
// when feature availability is unknown, and the result is empty, continue and test with original approach
}

$seen[$dnGroup] = 1;
$members = $rawMemberReads[$dnGroup] ?? null;
if ($members === null) {
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
$rawMemberReads[$dnGroup] = $members;
}
$allMembers = [];
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
if (is_array($members)) {
$fetcher = function (string $memberDN) use (&$seen) {
return $this->_groupMembers($memberDN, $seen);
};
$allMembers = $this->walkNestedGroupsReturnDNs($dnGroup, $fetcher, $members, $seen);
if ((int)$this->access->connection->ldapNestedGroups === 1) {
while ($recordDn = array_shift($members)) {
$nestedMembers = $this->_groupMembers($recordDn, $seen);
$members = array_merge($members, $nestedMembers);
$allMembers[] = $recordDn;
}
} else {
$allMembers = $members;
}
}

$allMembers += $this->getDynamicGroupMembers($dnGroup);
if (isset($excludeFromResult)) {
$index = array_search($excludeFromResult, $allMembers, true);
if ($index !== false) {
unset($allMembers[$index]);
}
}

if ($shouldCacheResult) {
$this->access->connection->writeToCache($cacheKey, $allMembers);
unset($rawMemberReads[$dnGroup]);
$allMembers = array_unique($allMembers);

// A group cannot be a member of itself
$index = array_search($dnGroup, $allMembers, true);
if ($index !== false) {
unset($allMembers[$index]);
}

$this->access->connection->writeToCache($cacheKey, $allMembers);

if (isset($attemptedLdapMatchingRuleInChain)
&& $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
&& !empty($allMembers)
) {
$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
$this->access->connection->saveConfiguration();
}

return $allMembers;
}

Expand Down