Merge pull request #30260 from nextcloud/backport/29523/stable22

[stable22] Support LDAP dns longer than 255 characters

Author: come-nc

apps/user_ldap/appinfo/info.xml

@@ -9,7 +9,7 @@
 A user logs into Nextcloud with their LDAP or AD credentials, and is granted access based on an authentication request handled by the LDAP or AD server. Nextcloud does not store LDAP or AD passwords, rather these credentials are used to authenticate a user and then Nextcloud uses a session for the user ID. More information is available in the LDAP User and Group Backend documentation.
 
 	</description>
-	<version>1.12.1</version>
+	<version>1.12.2</version>
 	<licence>agpl</licence>
 	<author>Dominik Schmidt</author>
 	<author>Arthur Schiwon</author>

apps/user_ldap/composer/composer/autoload_classmap.php

@@ -62,6 +62,7 @@
     'OCA\\User_LDAP\\Migration\\UnsetDefaultProvider' => $baseDir . '/../lib/Migration/UnsetDefaultProvider.php',
     'OCA\\User_LDAP\\Migration\\Version1010Date20200630192842' => $baseDir . '/../lib/Migration/Version1010Date20200630192842.php',
     'OCA\\User_LDAP\\Migration\\Version1120Date20210917155206' => $baseDir . '/../lib/Migration/Version1120Date20210917155206.php',
+    'OCA\\User_LDAP\\Migration\\Version1130Date20211102154716' => $baseDir . '/../lib/Migration/Version1130Date20211102154716.php',
     'OCA\\User_LDAP\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',
     'OCA\\User_LDAP\\PagedResults\\IAdapter' => $baseDir . '/../lib/PagedResults/IAdapter.php',
     'OCA\\User_LDAP\\PagedResults\\Php73' => $baseDir . '/../lib/PagedResults/Php73.php',

apps/user_ldap/composer/composer/autoload_static.php

@@ -77,6 +77,7 @@ class ComposerStaticInitUser_LDAP
         'OCA\\User_LDAP\\Migration\\UnsetDefaultProvider' => __DIR__ . '/..' . '/../lib/Migration/UnsetDefaultProvider.php',
         'OCA\\User_LDAP\\Migration\\Version1010Date20200630192842' => __DIR__ . '/..' . '/../lib/Migration/Version1010Date20200630192842.php',
         'OCA\\User_LDAP\\Migration\\Version1120Date20210917155206' => __DIR__ . '/..' . '/../lib/Migration/Version1120Date20210917155206.php',
+        'OCA\\User_LDAP\\Migration\\Version1130Date20211102154716' => __DIR__ . '/..' . '/../lib/Migration/Version1130Date20211102154716.php',
         'OCA\\User_LDAP\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',
         'OCA\\User_LDAP\\PagedResults\\IAdapter' => __DIR__ . '/..' . '/../lib/PagedResults/IAdapter.php',
         'OCA\\User_LDAP\\PagedResults\\Php73' => __DIR__ . '/..' . '/../lib/PagedResults/Php73.php',

apps/user_ldap/lib/Mapping/AbstractMapping.php

@@ -68,6 +68,7 @@ public function __construct(\OCP\IDBConnection $dbc) {
 	public function isColNameValid($col) {
 		switch ($col) {
 			case 'ldap_dn':
+			case 'ldap_dn_hash':
 			case 'owncloud_name':
 			case 'directory_uuid':
 				return true;
@@ -151,11 +152,11 @@ public function setDNbyUUID($fdn, $uuid) {
 		$oldDn = $this->getDnByUUID($uuid);
 		$statement = $this->dbc->prepare('
 			UPDATE `' . $this->getTableName() . '`
-			SET `ldap_dn` = ?
+			SET `ldap_dn_hash` = ?, `ldap_dn` = ?
 			WHERE `directory_uuid` = ?
 		');
 
-		$r = $this->modify($statement, [$fdn, $uuid]);
+		$r = $this->modify($statement, [$this->getDNHash($fdn), $fdn, $uuid]);
 
 		if ($r && is_string($oldDn) && isset($this->cache[$oldDn])) {
 			$this->cache[$fdn] = $this->cache[$oldDn];
@@ -178,12 +179,24 @@ public function setUUIDbyDN($uuid, $fdn) {
 		$statement = $this->dbc->prepare('
 			UPDATE `' . $this->getTableName() . '`
 			SET `directory_uuid` = ?
-			WHERE `ldap_dn` = ?
+			WHERE `ldap_dn_hash` = ?
 		');
 
 		unset($this->cache[$fdn]);
 
-		return $this->modify($statement, [$uuid, $fdn]);
+		return $this->modify($statement, [$uuid, $this->getDNHash($fdn)]);
+	}
+
+	/**
+	 * Get the hash to store in database column ldap_dn_hash for a given dn
+	 */
+	protected function getDNHash(string $fdn): string {
+		$hash = hash('sha256', $fdn, false);
+		if (is_string($hash)) {
+			return $hash;
+		} else {
+			throw new \RuntimeException('hash function did not return a string');
+		}
 	}
 
 	/**
@@ -194,16 +207,19 @@ public function setUUIDbyDN($uuid, $fdn) {
 	 */
 	public function getNameByDN($fdn) {
 		if (!isset($this->cache[$fdn])) {
-			$this->cache[$fdn] = $this->getXbyY('owncloud_name', 'ldap_dn', $fdn);
+			$this->cache[$fdn] = $this->getXbyY('owncloud_name', 'ldap_dn_hash', $this->getDNHash($fdn));
 		}
 		return $this->cache[$fdn];
 	}
 
-	protected function prepareListOfIdsQuery(array $dnList): IQueryBuilder {
+	/**
+	 * @param array<string> $hashList
+	 */
+	protected function prepareListOfIdsQuery(array $hashList): IQueryBuilder {
 		$qb = $this->dbc->getQueryBuilder();
-		$qb->select('owncloud_name', 'ldap_dn')
+		$qb->select('owncloud_name', 'ldap_dn_hash', 'ldap_dn')
 			->from($this->getTableName(false))
-			->where($qb->expr()->in('ldap_dn', $qb->createNamedParameter($dnList, QueryBuilder::PARAM_STR_ARRAY)));
+			->where($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($hashList, QueryBuilder::PARAM_STR_ARRAY)));
 		return $qb;
 	}
 
@@ -216,13 +232,18 @@ protected function collectResultsFromListOfIdsQuery(IQueryBuilder $qb, array &$r
 		$stmt->closeCursor();
 	}
 
+	/**
+	 * @param array<string> $fdns
+	 * @return array<string,string>
+	 */
 	public function getListOfIdsByDn(array $fdns): array {
 		$totalDBParamLimit = 65000;
 		$sliceSize = 1000;
 		$maxSlices = $totalDBParamLimit / $sliceSize;
 		$results = [];
 
 		$slice = 1;
+		$fdns = array_map([$this, 'getDNHash'], $fdns);
 		$fdnsSlice = count($fdns) > $sliceSize ? array_slice($fdns, 0, $sliceSize) : $fdns;
 		$qb = $this->prepareListOfIdsQuery($fdnsSlice);
 
@@ -240,7 +261,7 @@ public function getListOfIdsByDn(array $fdns): array {
 			}
 
 			if (!empty($fdnsSlice)) {
-				$qb->orWhere($qb->expr()->in('ldap_dn', $qb->createNamedParameter($fdnsSlice, QueryBuilder::PARAM_STR_ARRAY)));
+				$qb->orWhere($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($fdnsSlice, QueryBuilder::PARAM_STR_ARRAY)));
 			}
 
 			if ($slice % $maxSlices === 0) {
@@ -305,7 +326,7 @@ public function getDnByUUID($uuid) {
 	 * @throws \Exception
 	 */
 	public function getUUIDByDN($dn) {
-		return $this->getXbyY('directory_uuid', 'ldap_dn', $dn);
+		return $this->getXbyY('directory_uuid', 'ldap_dn_hash', $this->getDNHash($dn));
 	}
 
 	/**
@@ -339,9 +360,9 @@ public function getList($offset = null, $limit = null) {
 	 * @return bool
 	 */
 	public function map($fdn, $name, $uuid) {
-		if (mb_strlen($fdn) > 255) {
+		if (mb_strlen($fdn) > 4096) {
 			\OC::$server->getLogger()->error(
-				'Cannot map, because the DN exceeds 255 characters: {dn}',
+				'Cannot map, because the DN exceeds 4096 characters: {dn}',
 				[
 					'app' => 'user_ldap',
 					'dn' => $fdn,
@@ -351,6 +372,7 @@ public function map($fdn, $name, $uuid) {
 		}
 
 		$row = [
+			'ldap_dn_hash' => $this->getDNHash($fdn),
 			'ldap_dn' => $fdn,
 			'owncloud_name' => $name,
 			'directory_uuid' => $uuid
@@ -438,7 +460,7 @@ public function clearCb(callable $preCallback, callable $postCallback): bool {
 	 */
 	public function count() {
 		$qb = $this->dbc->getQueryBuilder();
-		$query = $qb->select($qb->func()->count('ldap_dn'))
+		$query = $qb->select($qb->func()->count('ldap_dn_hash'))
 			->from($this->getTableName());
 		$res = $query->execute();
 		$count = $res->fetchOne();

apps/user_ldap/lib/Migration/Version1010Date20200630192842.php

@@ -60,8 +60,13 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 				'length' => 255,
 				'default' => '',
 			]);
+			$table->addColumn('ldap_dn_hash', Types::STRING, [
+				'notnull' => false,
+				'length' => 64,
+			]);
 			$table->setPrimaryKey(['owncloud_name']);
-			$table->addUniqueIndex(['ldap_dn'], 'ldap_dn_users');
+			$table->addUniqueIndex(['ldap_dn_hash'], 'ldap_user_dn_hashes');
+			$table->addUniqueIndex(['directory_uuid'], 'ldap_user_directory_uuid');
 		}
 
 		if (!$schema->hasTable('ldap_group_mapping')) {
@@ -81,8 +86,13 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 				'length' => 255,
 				'default' => '',
 			]);
-			$table->setPrimaryKey(['ldap_dn']);
-			$table->addUniqueIndex(['owncloud_name'], 'owncloud_name_groups');
+			$table->addColumn('ldap_dn_hash', Types::STRING, [
+				'notnull' => false,
+				'length' => 64,
+			]);
+			$table->setPrimaryKey(['owncloud_name']);
+			$table->addUniqueIndex(['ldap_dn_hash'], 'ldap_group_dn_hashes');
+			$table->addUniqueIndex(['directory_uuid'], 'ldap_group_directory_uuid');
 		}
 
 		if (!$schema->hasTable('ldap_group_members')) {

apps/user_ldap/lib/Migration/Version1120Date20210917155206.php

@@ -2,6 +2,28 @@
 
 declare(strict_types=1);
 
+/**
+ * @copyright Copyright (c) 2020 Joas Schilling <coding@schilljs.com>
+ *
+ * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
 namespace OCA\User_LDAP\Migration;
 
 use Closure;
@@ -70,19 +92,19 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 	}
 
 	protected function handleIDs(string $table, bool $emitHooks) {
-		$q = $this->getSelectQuery($table);
-		$u = $this->getUpdateQuery($table);
+		$select = $this->getSelectQuery($table);
+		$update = $this->getUpdateQuery($table);
 
-		$r = $q->executeQuery();
-		while ($row = $r->fetch()) {
+		$result = $select->executeQuery();
+		while ($row = $result->fetch()) {
 			$newId = hash('sha256', $row['owncloud_name'], false);
 			if ($emitHooks) {
 				$this->emitUnassign($row['owncloud_name'], true);
 			}
-			$u->setParameter('uuid', $row['directory_uuid']);
-			$u->setParameter('newId', $newId);
+			$update->setParameter('uuid', $row['directory_uuid']);
+			$update->setParameter('newId', $newId);
 			try {
-				$u->executeStatement();
+				$update->executeStatement();
 				if ($emitHooks) {
 					$this->emitUnassign($row['owncloud_name'], false);
 					$this->emitAssign($newId);
@@ -100,23 +122,23 @@ protected function handleIDs(string $table, bool $emitHooks) {
 				);
 			}
 		}
-		$r->closeCursor();
+		$result->closeCursor();
 	}
 
 	protected function getSelectQuery(string $table): IQueryBuilder {
-		$q = $this->dbc->getQueryBuilder();
-		$q->select('owncloud_name', 'directory_uuid')
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->select('owncloud_name', 'directory_uuid')
 			->from($table)
-			->where($q->expr()->like('owncloud_name', $q->createNamedParameter(str_repeat('_', 65) . '%'), Types::STRING));
-		return $q;
+			->where($qb->expr()->like('owncloud_name', $qb->createNamedParameter(str_repeat('_', 65) . '%'), Types::STRING));
+		return $qb;
 	}
 
 	protected function getUpdateQuery(string $table): IQueryBuilder {
-		$q = $this->dbc->getQueryBuilder();
-		$q->update($table)
-			->set('owncloud_name', $q->createParameter('newId'))
-			->where($q->expr()->eq('directory_uuid', $q->createParameter('uuid')));
-		return $q;
+		$qb = $this->dbc->getQueryBuilder();
+		$qb->update($table)
+			->set('owncloud_name', $qb->createParameter('newId'))
+			->where($qb->expr()->eq('directory_uuid', $qb->createParameter('uuid')));
+		return $qb;
 	}
 
 	protected function emitUnassign(string $oldId, bool $pre): void {