diff --git a/appinfo/info.xml b/appinfo/info.xml index 9df4fb24e..bd765481d 100644 --- a/appinfo/info.xml +++ b/appinfo/info.xml @@ -45,6 +45,7 @@ While theoretically any other authentication provider implementing either one of OCA\User_SAML\Migration\CleanupRemovedConfig + OCA\User_SAML\Migration\TransferGroupMembers @@ -53,6 +54,7 @@ While theoretically any other authentication provider implementing either one of OCA\User_SAML\Command\ConfigGet OCA\User_SAML\Command\ConfigSet OCA\User_SAML\Command\GetMetadata + OCA\User_SAML\Command\GroupMigrationCopyIncomplete OCA\User_SAML\Settings\Admin diff --git a/lib/Command/ConfigDelete.php b/lib/Command/ConfigDelete.php index 0d5e04d30..eba270cc2 100644 --- a/lib/Command/ConfigDelete.php +++ b/lib/Command/ConfigDelete.php @@ -44,7 +44,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int $this->samlSettings->delete($pId); $output->writeln('Provider deleted.'); } catch (Exception $e) { - $output->writeln('Provider with id: ' . $providerId . ' does not exist.'); + $output->writeln('Provider with id: ' . $pId . ' does not exist.'); return 1; } return 0; diff --git a/lib/Command/GroupMigrationCopyIncomplete.php b/lib/Command/GroupMigrationCopyIncomplete.php new file mode 100644 index 000000000..7d746245b --- /dev/null +++ b/lib/Command/GroupMigrationCopyIncomplete.php @@ -0,0 +1,93 @@ +setName('saml:group-migration:copy-incomplete-members'); + $this->setDescription('Transfers remaining group members from old local to current SAML groups'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $groupsToTreat = $this->groupMigration->findGroupsWithLocalMembers(); + if (empty($groupsToTreat)) { + if ($output->isVerbose()) { + $output->writeln('No pending group member transfer'); + } + return 0; + } + + if (!$this->doMemberTransfer($groupsToTreat, $output)) { + if (!$output->isQuiet()) { + $output->writeln('Not all group members could be transferred completely. Rerun this command or check the Nextcloud log.'); + } + return 1; + } + + if (!$output->isQuiet()) { + $output->writeln('All group members could be transferred completely.'); + } + return 0; + } + + /** + * @param string[]|array $groups + * @param OutputInterface $output + * @return bool + */ + protected function doMemberTransfer(array $groups, OutputInterface $output): bool { + $errorOccurred = false; + for ($i = 0; $i < 2; $i++) { + $retry = []; + foreach ($groups as $gid) { + try { + $isComplete = $this->groupMigration->migrateGroupUsers($gid); + if (!$isComplete) { + $retry[] = $gid; + } else { + $this->groupMigration->cleanUpOldGroupUsers($gid); + if ($output->isVerbose()) { + $output->writeln(sprintf('Members transferred successfully for group %s', $gid)); + } + } + } catch (Throwable $e) { + $errorOccurred = true; + if (!$output->isQuiet()) { + $output->writeln(sprintf('Failed to transfer users from group %s: %s', $gid, $e->getMessage())); + } + $this->logger->warning('Error while transferring group members of {gid}', ['gid' => $gid, 'exception' => $e]); + } + } + if (empty($retry)) { + return true; + } + /** @var string[]|array $groups */ + $groups = $retry; + } + if (!empty($groups) && !$output->isQuiet()) { + $output->writeln(sprintf( + 'Members not or incompletely transferred for groups: %s', + implode(', ', $groups) + )); + } + return empty($groups) && !$errorOccurred; + } +} diff --git a/lib/GroupManager.php b/lib/GroupManager.php index 989c1bb46..63948fa14 100644 --- a/lib/GroupManager.php +++ b/lib/GroupManager.php @@ -23,6 +23,7 @@ class GroupManager { public const LOCAL_GROUPS_CHECK_FOR_MIGRATION = 'localGroupsCheckForMigration'; + public const STATE_MIGRATION_PHASE_EXPIRED = 'EXPIRED'; /** * @var IDBConnection $db @@ -68,8 +69,6 @@ public function __construct( */ private function getGroupsToRemove(array $samlGroupNames, array $assignedGroups): array { $groupsToRemove = []; - // FIXME: Seems unused - $this->config->getAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); foreach ($assignedGroups as $group) { // if group is not supplied by SAML and group has SAML backend if (!in_array($group->getGID(), $samlGroupNames) && $this->hasSamlBackend($group)) { @@ -201,7 +200,7 @@ protected function findGroup(string $gid): IGroup { $strictBackendCheck = $migrationAllowListRaw === ''; $migrationAllowList = null; - if ($migrationAllowListRaw !== '') { + if ($migrationAllowListRaw !== '' || $migrationAllowListRaw !== self::STATE_MIGRATION_PHASE_EXPIRED) { /** @var array{dropAfter: int, groups: string[]} $migrationAllowList */ $migrationAllowList = \json_decode($migrationAllowListRaw, true); } @@ -238,13 +237,8 @@ protected function hasSamlBackend(IGroup $group): bool { } protected function evaluateGroupMigrations(array $groups): void { - $candidateInfo = $this->config->getAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); - if ($candidateInfo === '') { - return; - } - $candidateInfo = \json_decode($candidateInfo, true); - if (!isset($candidateInfo['dropAfter']) || $candidateInfo['dropAfter'] < time()) { - $this->config->deleteAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION); + $candidateInfo = $this->getCandidateInfoIfValid(); + if ($candidateInfo === null) { return; } @@ -252,17 +246,29 @@ protected function evaluateGroupMigrations(array $groups): void { } protected function isGroupInTransitionList(string $groupId): bool { - $candidateInfo = $this->config->getAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); - if ($candidateInfo === '') { + $candidateInfo = $this->getCandidateInfoIfValid(); + if (!$candidateInfo) { return false; } + return in_array($groupId, $candidateInfo['groups'], true); + } + + /** + * @return array{dropAfter: int, groups: string[]}|null + */ + public function getCandidateInfoIfValid(): ?array { + $candidateInfo = $this->config->getAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); + if ($candidateInfo === '' || $candidateInfo === self::STATE_MIGRATION_PHASE_EXPIRED) { + return null; + } + /** @var array{dropAfter: int, groups: string[]} $candidateInfo */ $candidateInfo = \json_decode($candidateInfo, true); if (!isset($candidateInfo['dropAfter']) || $candidateInfo['dropAfter'] < time()) { - $this->config->deleteAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION); - return false; + $this->config->setAppValue('user_saml', self::LOCAL_GROUPS_CHECK_FOR_MIGRATION, self::STATE_MIGRATION_PHASE_EXPIRED); + return null; } - return in_array($groupId, $candidateInfo['groups']); + return $candidateInfo; } protected function hasGroupForeignMembers(IGroup $group): bool { diff --git a/lib/Jobs/MigrateGroups.php b/lib/Jobs/MigrateGroups.php index d5e02338f..8a41a65f7 100644 --- a/lib/Jobs/MigrateGroups.php +++ b/lib/Jobs/MigrateGroups.php @@ -10,12 +10,16 @@ use OCA\User_SAML\GroupBackend; use OCA\User_SAML\GroupManager; +use OCA\User_SAML\Service\GroupMigration; +use OCP\AppFramework\Db\TTransactional; use OCP\AppFramework\Utility\ITimeFactory; use OCP\BackgroundJob\QueuedJob; +use OCP\DB\Exception; use OCP\IConfig; use OCP\IDBConnection; use OCP\IGroupManager; use Psr\Log\LoggerInterface; +use Throwable; /** * Class MigrateGroups @@ -24,6 +28,9 @@ * @todo: remove this, when dropping Nextcloud 29 support */ class MigrateGroups extends QueuedJob { + use TTransactional; + + protected const BATCH_SIZE = 1000; /** @var IConfig */ private $config; @@ -37,12 +44,14 @@ class MigrateGroups extends QueuedJob { private $logger; public function __construct( + protected GroupMigration $groupMigration, + protected GroupManager $ownGroupManager, IConfig $config, IGroupManager $groupManager, IDBConnection $dbc, GroupBackend $ownGroupBackend, LoggerInterface $logger, - ITimeFactory $timeFactory + ITimeFactory $timeFactory, ) { parent::__construct($timeFactory); $this->config = $config; @@ -63,16 +72,16 @@ protected function run($argument) { } } - protected function updateCandidatePool($migrateGroups) { + protected function updateCandidatePool(array $migratedGroups): void { $candidateInfo = $this->config->getAppValue('user_saml', GroupManager::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); - if ($candidateInfo === null || $candidateInfo === '') { + if ($candidateInfo === '' || $candidateInfo === GroupManager::STATE_MIGRATION_PHASE_EXPIRED) { return; } $candidateInfo = \json_decode($candidateInfo, true); if (!isset($candidateInfo['dropAfter']) || !isset($candidateInfo['groups'])) { return; } - $candidateInfo['groups'] = array_diff($candidateInfo['groups'], $migrateGroups); + $candidateInfo['groups'] = array_diff($candidateInfo['groups'], $migratedGroups); $this->config->setAppValue( 'user_saml', GroupManager::LOCAL_GROUPS_CHECK_FOR_MIGRATION, @@ -87,7 +96,11 @@ protected function migrateGroups(array $toMigrate): array { } protected function migrateGroup(string $gid): bool { + $isMigrated = false; + $allUsersInserted = false; try { + $allUsersInserted = $this->groupMigration->migrateGroupUsers($gid); + $this->dbc->beginTransaction(); $qb = $this->dbc->getQueryBuilder(); @@ -97,20 +110,30 @@ protected function migrateGroup(string $gid): bool { if ($affected === 0) { throw new \RuntimeException('Could not delete group from local backend'); } - if (!$this->ownGroupBackend->createGroup($gid)) { throw new \RuntimeException('Could not create group in SAML backend'); } $this->dbc->commit(); - - return true; - } catch (\Exception $e) { + $isMigrated = true; + } catch (Throwable $e) { $this->dbc->rollBack(); $this->logger->warning($e->getMessage(), ['app' => 'user_saml', 'exception' => $e]); } - return false; + if ($allUsersInserted && $isMigrated) { + try { + $this->groupMigration->cleanUpOldGroupUsers($gid); + } catch (Exception $e) { + $this->logger->warning('Error while cleaning up group members in (oc_)group_user of group (gid) {gid}', [ + 'app' => 'user_saml', + 'gid' => $gid, + 'exception' => $e, + ]); + } + } + + return $isMigrated; } protected function getGroupsToMigrate(array $samlGroups, array $pool): array { @@ -140,14 +163,9 @@ protected function getGroupsToMigrate(array $samlGroups, array $pool): array { } protected function getMigratableGroups(): array { - $candidateInfo = $this->config->getAppValue('user_saml', GroupManager::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); - if ($candidateInfo === null || $candidateInfo === '') { - throw new \RuntimeException('No migration of groups to SAML backend anymore'); - } - $candidateInfo = \json_decode($candidateInfo, true); - if (!isset($candidateInfo['dropAfter']) || !isset($candidateInfo['groups']) || $candidateInfo['dropAfter'] < time()) { - $this->config->deleteAppValue('user_saml', GroupManager::LOCAL_GROUPS_CHECK_FOR_MIGRATION); - throw new \RuntimeException('Period for migration groups is over'); + $candidateInfo = $this->ownGroupManager->getCandidateInfoIfValid(); + if ($candidateInfo === null) { + throw new \RuntimeException('No migration tasks of groups to SAML backend'); } return $candidateInfo['groups']; diff --git a/lib/Migration/RememberLocalGroupsForPotentialMigrations.php b/lib/Migration/RememberLocalGroupsForPotentialMigrations.php index cafbfd465..09c735624 100644 --- a/lib/Migration/RememberLocalGroupsForPotentialMigrations.php +++ b/lib/Migration/RememberLocalGroupsForPotentialMigrations.php @@ -44,6 +44,11 @@ public function getName(): string { * @since 9.1.0 */ public function run(IOutput $output) { + $candidateInfo = $this->config->getAppValue('user_saml', GroupManager::LOCAL_GROUPS_CHECK_FOR_MIGRATION, ''); + if ($candidateInfo !== '') { + return; + } + try { $backend = $this->findBackend(); $groupIds = $this->findGroupIds($backend); diff --git a/lib/Migration/TransferGroupMembers.php b/lib/Migration/TransferGroupMembers.php new file mode 100644 index 000000000..68e134241 --- /dev/null +++ b/lib/Migration/TransferGroupMembers.php @@ -0,0 +1,52 @@ +groupMigration->findGroupsWithLocalMembers(); + if (empty($groupsToTreat)) { + return; + } + $hasError = false; + $output->startProgress(count($groupsToTreat)); + foreach ($groupsToTreat as $gid) { + try { + if ($this->groupMigration->migrateGroupUsers($gid)) { + $this->groupMigration->cleanUpOldGroupUsers($gid); + } + } catch (Throwable $e) { + $hasError = true; + $this->logger->warning('Error while transferring group members of {gid}', ['gid' => $gid, 'exception' => $e]); + } finally { + $output->advance(); + } + } + $output->finishProgress(); + if ($hasError) { + $output->warning('There were errors while transferring group members to SAML groups. You may try later `occ saml:group-migration:copy-incomplete-members` later and check your nextcloud.log.'); + } + } +} diff --git a/lib/Service/GroupMigration.php b/lib/Service/GroupMigration.php new file mode 100644 index 000000000..ce3b7a268 --- /dev/null +++ b/lib/Service/GroupMigration.php @@ -0,0 +1,101 @@ +dbc->getQueryBuilder(); + $qb->selectDistinct('gid') + ->from('group_user') + ->where($qb->expr()->in('gid', $qb->createParameter('gidList'))); + + $allOwnedGroups = $this->ownGroupBackend->getGroups(); + foreach (array_chunk($allOwnedGroups, self::CHUNK_SIZE) as $groupsChunk) { + $qb->setParameter('gidList', $groupsChunk, IQueryBuilder::PARAM_STR_ARRAY); + $result = $qb->executeQuery(); + while ($gid = $result->fetchOne()) { + $foundGroups[] = $gid; + } + $result->closeCursor(); + } + + return $foundGroups; + } + + /** + * @returns bool true when all users were migrated, when they were only partly migrated + * @throws Exception + * @throws Throwable + */ + public function migrateGroupUsers(string $gid): bool { + $originalGroup = $this->groupManager->get($gid); + $members = $originalGroup?->getUsers(); + + $areAllInserted = true; + foreach (array_chunk($members ?? [], (int)floor(self::CHUNK_SIZE / 2)) as $userBatch) { + $areAllInserted = ($this->atomic(function () use ($userBatch, $gid) { + /** @var IUser $user */ + foreach ($userBatch as $user) { + $this->dbc->insertIgnoreConflict( + GroupBackend::TABLE_MEMBERS, + [ + 'gid' => $gid, + 'uid' => $user->getUID(), + ] + ); + } + return true; + }, $this->dbc) === true) && $areAllInserted; + } + if (!$areAllInserted) { + $this->logger->warning('Partial migration of users from local group {gid} to SAML.', [ + 'app' => 'user_saml', + 'gid' => $gid, + ]); + } + return $areAllInserted; + } + + /** + * @throws Exception + */ + public function cleanUpOldGroupUsers(string $gid): void { + $cleanup = $this->dbc->getQueryBuilder(); + $cleanup->delete('group_user') + ->where($cleanup->expr()->eq('gid', $cleanup->createNamedParameter($gid))); + $cleanup->executeStatement(); + } + +} diff --git a/tests/integration/features/Shibboleth.feature b/tests/integration/features/Shibboleth.feature index 240e82823..5503a5b37 100644 --- a/tests/integration/features/Shibboleth.feature +++ b/tests/integration/features/Shibboleth.feature @@ -165,6 +165,139 @@ Feature: Shibboleth And Then the group backend of "Astrophysics" must not be "Database" And The user value "groups" should be "Astrophysics,SAML_Students" + Scenario: Migrating a local group to SAML backend and taking the assigned users as well + Given The setting "type" is set to "saml" + And The setting "general-uid_mapping" is set to "urn:oid:0.9.2342.19200300.100.1.1" + And The setting "idp-entityId" is set to "https://shibboleth-integration-nextcloud.localdomain/idp/shibboleth" + And The setting "idp-singleSignOnService.url" is set to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And The setting "idp-singleLogoutService.url" is set to "https://localhost:4443/idp/profile/Logout" + And The setting "idp-x509cert" is set to "MIIDnTCCAoWgAwIBAgIUGPx9uPjCu7c172IUgV84Tm94pBcwDQYJKoZIhvcNAQEL BQAwNzE1MDMGA1UEAwwsc2hpYmJvbGV0aC1pbnRlZ3JhdGlvbi1uZXh0Y2xvdWQu bG9jYWxkb21haW4wHhcNMTcwMTA0MTAxMTI3WhcNMzcwMTA0MTAxMTI3WjA3MTUw MwYDVQQDDCxzaGliYm9sZXRoLWludGVncmF0aW9uLW5leHRjbG91ZC5sb2NhbGRv bWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKH+bPu45tk8/JRk XOxkyfbxocWZlY4mRumEUxscd3fn0oVzOrdWbHH7lCZV4bus4KxvJljc0Nm2K+Zr LoiRUUnf/LQ4LlehWVm5Kbc4kRgOXS0iGZN3SslAWPKyIg0tywg+TLOBPoS6EtST 1WuYg1JPMFxPfeFDWQ0dQYPlXIJWBFh6F2JMTb0FLECqA5l/ryYE13QisX5l+Mqo 6y3Dh7qIgaH0IJNobXoAcEWza7Kb2RnfhZRh9e0qjZIwBqTJUFM/6I86RYXn829s INUvYQQbez6VkGTdUQJ/GuXb/dD5sMQfOyK8hrRY5MozOmK32cz3JaAzSXpiSRS9 NxFwvicCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUKn8+TV0WXSDeavvF0M8mWn1o8ukw fAYDVR0RBHUwc4Isc2hpYmJvbGV0aC1pbnRlZ3JhdGlvbi1uZXh0Y2xvdWQubG9j YWxkb21haW6GQ2h0dHBzOi8vc2hpYmJvbGV0aC1pbnRlZ3JhdGlvbi1uZXh0Y2xv dWQubG9jYWxkb21haW4vaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQELBQADggEB ABI6uzoIeLZT9Az2KTlLxIc6jZ4MDmhaVja4ZuBxTXEb7BFLfeASEJmQm1wgIMOn pJId3Kh3njW+3tOBWKm7lj8JxVVpAu4yMFSoQGPaVUgYB1AVm+pmAyPLzfJ/XGhf esCU2F/b0eHWcaIb3x+BZFX089Cd/PBtP84MNXdo+TccibxC8N39sr45qJM/7SC7 TfDYU0L4q2WZHJr4S7+0F+F4KaxLx9NzCvN4h6XaoWofZWir2iHO4NzbrVQGC0ei QybS/neBfni4A2g1lyzCb6xFB58JBvNCn7AAnDJULOE7S5XWUKsDAQVQrxTNkUq7 pnhlCQqZDwUdgmIXd1KB1So=" + And The setting "security-authnRequestsSigned" is set to "1" + And The setting "security-wantAssertionsEncrypted" is set to "1" + And The setting "sp-x509cert" is set to "-----BEGIN CERTIFICATE-----MIIC+zCCAeOgAwIBAgIJAIgZuvWDBIrdMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzAxMDQxMTM5MjFaFw0yNzAxMDIxMTM5MjFaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3ESWaDH1JiJTy9yRJQV7kahPOxgBkIH2xwcYDL1k9deKNhSKLx7aGfxE244+HBcC6WLHKVUnOm0ld2qxQ4bMYiJXzZuqL67r07L5wxGAssv12lO92qohGmlHy3+VzRYUBmovu6upqOv3R2F8HBbo7Jc7Hvt7hOEJn/jPuFuF/fHit3mqU8l6IkrIZjpaW8T9fIWOXRq98U4+hkgWpqEZWsqlfE8BxAs9DeIMZab0GxO9stHLp+GYKx10uE4ezFcaDS8W+g2C8enCTt1HXGvcnj4o5zkC1lITGvcFTsiFqfIWyXeSufcxdc0W7HoG6J3ks0WJyK38sfFn0t2Ao6kX0CAwEAAaNQME4wHQYDVR0OBBYEFAoJzX6TVYAwC1GSPe6nObBG54zaMB8GA1UdIwQYMBaAFAoJzX6TVYAwC1GSPe6nObBG54zaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJia9R70uXdUZtgujUPjLas4+sVajzlBFmqhBqpLAo934vljf9HISsHrPtdBcbS0d0rucqXwabDf0MlR18ksnT/NYpsTwMbMx76CrXi4zYEEW5lISKEO65aIkzVTcqKWSuhjtSnRdB6iOLsFiKmNMWXaIKMR5T0+AbR9wdQgn08W+3EEeHGvafVQfE3STVsSgNb1ft7DvcSUnfPXGU7KzvmTpZa0Hfmc7uY4vpdEEhLAdRhgLReS7USZskov7ooiPSoD+JRFi2gM4klBxTemHdNUa9oFnHMXuYKOkLbkgFvHxyy+QlLq2ELQTga5e7I83ZyOfGctyf8Ul6vGw10vbQ=-----END CERTIFICATE-----" + And The setting "sp-privateKey" is set to "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEA3cRJZoMfUmIlPL3JElBXuRqE87GAGQgfbHBxgMvWT114o2FIovHtoZ/ETbjj4cFwLpYscpVSc6bSV3arFDhsxiIlfNm6ovruvTsvnDEYCyy/XaU73aqiEaaUfLf5XNFhQGai+7q6mo6/dHYXwcFujslzse+3uE4Qmf+M+4W4X98eK3eapTyXoiSshmOlpbxP18hY5dGr3xTj6GSBamoRlayqV8TwHECz0N4gxlpvQbE72y0cun4ZgrHXS4Th7MVxoNLxb6DYLx6cJO3Udca9yePijnOQLWUhMa9wVOyIWp8hbJd5K59zF1zRbsegboneSzRYnIrfyx8WfS3YCjqRfQIDAQABAoIBAQC5CQAdcqZ9vLpJNilBCJxJLCFmm+HAAREHD8MErg9A5UK1P4S1wJp/0qieGPi68wXBOTgY2xKSwMycgb04/+NyZidVRu388takOW/+KNBg8pMxdZ6/05GqnI0kivSbR3CXpYuz8hekwhpo9+fWmKjApsHL47ItK6WaeKmPbAFsq1YJGzfp/DXg7LIvh9GA3C1LWWGV7SuCGOyX/2Moi8xRa7qBtH4hDo/0NRhTx7zjYjlBgNEr330pJUopc3+AtHE40R+xMr2zkGvq9RsCZxYxD2VWbLwQW0yNjWmQ2OTuMgJJvk2+N73QLHcB+tea82ZTszsNzRS9DLtc6qbsKEPZAoGBAO78U3vEuRyY56f/1hpo0xuCDwOkWGzgBQWkjJl6dlyVz/zKkhXBHpEYImyt8XRN0W3iGZYpZ2hCFJGTcDp32R6UiEyGLz0Uc8R/tva/TiRVW1FdNczzSHcB24b9OMK4vE9JLs8mA8Rp8YBgtLr5DDuMfYt/a/rZJbg/HIfIN98nAoGBAO2OInCX93t2I6zzRPIqKtI6q6FYNp64VIQjvw9Y8l0x3IdJZRP9H5C8ZhCeYPsgEqTXcXa4j5hL4rQzoUtxfxflBUUH60bcnd4LGaTCMYLS14G011E3GZlIP0sJi5OjEhy8fq3zt6jVzS9V/lPHB8i+w1D7CbPrMpW7B3k32vC7AoGAX/HvdkYhZyjAAEOG6m1hK68IZhbp5TP+8CgCxm9S65K9wKh3A8LXibrdvzIKOP4w8WOPkCipOkMlTNibeu24vj01hztr5aK7Y40+oEtnjNCz67N3MQQO+LBHOSeaTRqrh01DPKjvZECAU2D/zfzEe3fIw2Nxr3DUYub7hkvMmosCgYAzxbVVypjiLGYsDDyrdmsstCKxoDMPNmcdAVljc+QmUXaZeXJw/8qAVb78wjeqo1vM1zNgR2rsKyW2VkZB1fN39q7GU6qAIBa7zLmDAduegmr7VrlSduq6UFeS9/qWa4TIBICrUqFlR2tXdKtgANF+e6y/mmaL8qdsoH1JetXZfwKBgQC1vscRpdAXivjOOZAh+mzJWzS4BUl4CTJLYYIuOEXikmN5g0EdV2fhUEdkewmyKnXHsd0x83167bYgpTDNs71jUxDHy5NXlg2qIjLkf09X9wr19gBzDApfWzfh3vUqttyMZuQMLVNepGCWM2vjlY9KGl5OvZqY6d+7yO0mLV9GmQ==-----END RSA PRIVATE KEY-----" + And The setting "security-wantAssertionsSigned" is set to "1" + And The setting "localGroupsCheckForMigration" is set to '{\"dropAfter\":9223372036854775807,\"groups\":[\"Astrophysics\",\"Students\"]}' + And the local group "Astrophysics" is created + # Initial login so the user is known and belonging to SAML, directly followed by a logout + And I send a GET request to "http://localhost:8080/index.php/login" + And I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |student1 |password | | + And The response should be a SAML redirect page that gets submitted + And I send a GET request with requesttoken to "http://localhost:8080/index.php/apps/user_saml/saml/sls" + And the cookies are cleared + # Have a second SAML users being known + And I send a GET request to "http://localhost:8080/index.php/login" + And I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |staff1 |password | | + And The response should be a SAML redirect page that gets submitted + And I send a GET request with requesttoken to "http://localhost:8080/index.php/apps/user_saml/saml/sls" + And the cookies are cleared + # The users are already known as members + And the user "student1" is added to the group "Astrophysics" + And the user "staff1" is added to the group "Astrophysics" + # Set the proper attributes + And The setting "saml-attribute-mapping-email_mapping" is set to "urn:oid:0.9.2342.19200300.100.1.3" + And The setting "saml-attribute-mapping-displayName_mapping" is set to "urn:oid:2.5.4.42 urn:oid:2.5.4.4" + And The setting "saml-attribute-mapping-group_mapping" is set to "groups" + # Now login in for good + When I send a GET request to "http://localhost:8080/index.php/login" + Then I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |student1 |password | | + And The response should be a SAML redirect page that gets submitted + And The user value "groups" should be "Astrophysics,SAML_Students" + And the group backend of "Astrophysics" should be "Database" + And Then the group backend of "Astrophysics" must not be "user_saml" + When I execute the background job for class "OCA\\User_SAML\\Jobs\\MigrateGroups" + Then the group backend of "Astrophysics" should be "user_saml" + And Then the group backend of "Astrophysics" must not be "Database" + And The user value "groups" should be "Astrophysics,SAML_Students" + And The group "Astrophysics" has exactly the members "student1, staff1" + + Scenario: Migrating a local group to SAML backend and taking the assigned users via occ command + Given The setting "type" is set to "saml" + And The setting "general-uid_mapping" is set to "urn:oid:0.9.2342.19200300.100.1.1" + And The setting "idp-entityId" is set to "https://shibboleth-integration-nextcloud.localdomain/idp/shibboleth" + And The setting "idp-singleSignOnService.url" is set to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And The setting "idp-singleLogoutService.url" is set to "https://localhost:4443/idp/profile/Logout" + And The setting "idp-x509cert" is set to "MIIDnTCCAoWgAwIBAgIUGPx9uPjCu7c172IUgV84Tm94pBcwDQYJKoZIhvcNAQEL BQAwNzE1MDMGA1UEAwwsc2hpYmJvbGV0aC1pbnRlZ3JhdGlvbi1uZXh0Y2xvdWQu bG9jYWxkb21haW4wHhcNMTcwMTA0MTAxMTI3WhcNMzcwMTA0MTAxMTI3WjA3MTUw MwYDVQQDDCxzaGliYm9sZXRoLWludGVncmF0aW9uLW5leHRjbG91ZC5sb2NhbGRv bWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKH+bPu45tk8/JRk XOxkyfbxocWZlY4mRumEUxscd3fn0oVzOrdWbHH7lCZV4bus4KxvJljc0Nm2K+Zr LoiRUUnf/LQ4LlehWVm5Kbc4kRgOXS0iGZN3SslAWPKyIg0tywg+TLOBPoS6EtST 1WuYg1JPMFxPfeFDWQ0dQYPlXIJWBFh6F2JMTb0FLECqA5l/ryYE13QisX5l+Mqo 6y3Dh7qIgaH0IJNobXoAcEWza7Kb2RnfhZRh9e0qjZIwBqTJUFM/6I86RYXn829s INUvYQQbez6VkGTdUQJ/GuXb/dD5sMQfOyK8hrRY5MozOmK32cz3JaAzSXpiSRS9 NxFwvicCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUKn8+TV0WXSDeavvF0M8mWn1o8ukw fAYDVR0RBHUwc4Isc2hpYmJvbGV0aC1pbnRlZ3JhdGlvbi1uZXh0Y2xvdWQubG9j YWxkb21haW6GQ2h0dHBzOi8vc2hpYmJvbGV0aC1pbnRlZ3JhdGlvbi1uZXh0Y2xv dWQubG9jYWxkb21haW4vaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQELBQADggEB ABI6uzoIeLZT9Az2KTlLxIc6jZ4MDmhaVja4ZuBxTXEb7BFLfeASEJmQm1wgIMOn pJId3Kh3njW+3tOBWKm7lj8JxVVpAu4yMFSoQGPaVUgYB1AVm+pmAyPLzfJ/XGhf esCU2F/b0eHWcaIb3x+BZFX089Cd/PBtP84MNXdo+TccibxC8N39sr45qJM/7SC7 TfDYU0L4q2WZHJr4S7+0F+F4KaxLx9NzCvN4h6XaoWofZWir2iHO4NzbrVQGC0ei QybS/neBfni4A2g1lyzCb6xFB58JBvNCn7AAnDJULOE7S5XWUKsDAQVQrxTNkUq7 pnhlCQqZDwUdgmIXd1KB1So=" + And The setting "security-authnRequestsSigned" is set to "1" + And The setting "security-wantAssertionsEncrypted" is set to "1" + And The setting "sp-x509cert" is set to "-----BEGIN CERTIFICATE-----MIIC+zCCAeOgAwIBAgIJAIgZuvWDBIrdMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzAxMDQxMTM5MjFaFw0yNzAxMDIxMTM5MjFaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3ESWaDH1JiJTy9yRJQV7kahPOxgBkIH2xwcYDL1k9deKNhSKLx7aGfxE244+HBcC6WLHKVUnOm0ld2qxQ4bMYiJXzZuqL67r07L5wxGAssv12lO92qohGmlHy3+VzRYUBmovu6upqOv3R2F8HBbo7Jc7Hvt7hOEJn/jPuFuF/fHit3mqU8l6IkrIZjpaW8T9fIWOXRq98U4+hkgWpqEZWsqlfE8BxAs9DeIMZab0GxO9stHLp+GYKx10uE4ezFcaDS8W+g2C8enCTt1HXGvcnj4o5zkC1lITGvcFTsiFqfIWyXeSufcxdc0W7HoG6J3ks0WJyK38sfFn0t2Ao6kX0CAwEAAaNQME4wHQYDVR0OBBYEFAoJzX6TVYAwC1GSPe6nObBG54zaMB8GA1UdIwQYMBaAFAoJzX6TVYAwC1GSPe6nObBG54zaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJia9R70uXdUZtgujUPjLas4+sVajzlBFmqhBqpLAo934vljf9HISsHrPtdBcbS0d0rucqXwabDf0MlR18ksnT/NYpsTwMbMx76CrXi4zYEEW5lISKEO65aIkzVTcqKWSuhjtSnRdB6iOLsFiKmNMWXaIKMR5T0+AbR9wdQgn08W+3EEeHGvafVQfE3STVsSgNb1ft7DvcSUnfPXGU7KzvmTpZa0Hfmc7uY4vpdEEhLAdRhgLReS7USZskov7ooiPSoD+JRFi2gM4klBxTemHdNUa9oFnHMXuYKOkLbkgFvHxyy+QlLq2ELQTga5e7I83ZyOfGctyf8Ul6vGw10vbQ=-----END CERTIFICATE-----" + And The setting "sp-privateKey" is set to "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEA3cRJZoMfUmIlPL3JElBXuRqE87GAGQgfbHBxgMvWT114o2FIovHtoZ/ETbjj4cFwLpYscpVSc6bSV3arFDhsxiIlfNm6ovruvTsvnDEYCyy/XaU73aqiEaaUfLf5XNFhQGai+7q6mo6/dHYXwcFujslzse+3uE4Qmf+M+4W4X98eK3eapTyXoiSshmOlpbxP18hY5dGr3xTj6GSBamoRlayqV8TwHECz0N4gxlpvQbE72y0cun4ZgrHXS4Th7MVxoNLxb6DYLx6cJO3Udca9yePijnOQLWUhMa9wVOyIWp8hbJd5K59zF1zRbsegboneSzRYnIrfyx8WfS3YCjqRfQIDAQABAoIBAQC5CQAdcqZ9vLpJNilBCJxJLCFmm+HAAREHD8MErg9A5UK1P4S1wJp/0qieGPi68wXBOTgY2xKSwMycgb04/+NyZidVRu388takOW/+KNBg8pMxdZ6/05GqnI0kivSbR3CXpYuz8hekwhpo9+fWmKjApsHL47ItK6WaeKmPbAFsq1YJGzfp/DXg7LIvh9GA3C1LWWGV7SuCGOyX/2Moi8xRa7qBtH4hDo/0NRhTx7zjYjlBgNEr330pJUopc3+AtHE40R+xMr2zkGvq9RsCZxYxD2VWbLwQW0yNjWmQ2OTuMgJJvk2+N73QLHcB+tea82ZTszsNzRS9DLtc6qbsKEPZAoGBAO78U3vEuRyY56f/1hpo0xuCDwOkWGzgBQWkjJl6dlyVz/zKkhXBHpEYImyt8XRN0W3iGZYpZ2hCFJGTcDp32R6UiEyGLz0Uc8R/tva/TiRVW1FdNczzSHcB24b9OMK4vE9JLs8mA8Rp8YBgtLr5DDuMfYt/a/rZJbg/HIfIN98nAoGBAO2OInCX93t2I6zzRPIqKtI6q6FYNp64VIQjvw9Y8l0x3IdJZRP9H5C8ZhCeYPsgEqTXcXa4j5hL4rQzoUtxfxflBUUH60bcnd4LGaTCMYLS14G011E3GZlIP0sJi5OjEhy8fq3zt6jVzS9V/lPHB8i+w1D7CbPrMpW7B3k32vC7AoGAX/HvdkYhZyjAAEOG6m1hK68IZhbp5TP+8CgCxm9S65K9wKh3A8LXibrdvzIKOP4w8WOPkCipOkMlTNibeu24vj01hztr5aK7Y40+oEtnjNCz67N3MQQO+LBHOSeaTRqrh01DPKjvZECAU2D/zfzEe3fIw2Nxr3DUYub7hkvMmosCgYAzxbVVypjiLGYsDDyrdmsstCKxoDMPNmcdAVljc+QmUXaZeXJw/8qAVb78wjeqo1vM1zNgR2rsKyW2VkZB1fN39q7GU6qAIBa7zLmDAduegmr7VrlSduq6UFeS9/qWa4TIBICrUqFlR2tXdKtgANF+e6y/mmaL8qdsoH1JetXZfwKBgQC1vscRpdAXivjOOZAh+mzJWzS4BUl4CTJLYYIuOEXikmN5g0EdV2fhUEdkewmyKnXHsd0x83167bYgpTDNs71jUxDHy5NXlg2qIjLkf09X9wr19gBzDApfWzfh3vUqttyMZuQMLVNepGCWM2vjlY9KGl5OvZqY6d+7yO0mLV9GmQ==-----END RSA PRIVATE KEY-----" + And The setting "security-wantAssertionsSigned" is set to "1" + And The setting "localGroupsCheckForMigration" is set to '{\"dropAfter\":9223372036854775807,\"groups\":[\"Astrophysics\",\"Students\"]}' + And the local group "Astrophysics" is created + # Initial login so the user is known and belonging to SAML, directly followed by a logout + And I send a GET request to "http://localhost:8080/index.php/login" + And I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |student1 |password | | + And The response should be a SAML redirect page that gets submitted + And I send a GET request with requesttoken to "http://localhost:8080/index.php/apps/user_saml/saml/sls" + And the cookies are cleared + # Have a second SAML users being known + And I send a GET request to "http://localhost:8080/index.php/login" + And I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |staff1 |password | | + And The response should be a SAML redirect page that gets submitted + And I send a GET request with requesttoken to "http://localhost:8080/index.php/apps/user_saml/saml/sls" + And the cookies are cleared + # Have a third SAML users being known + And I send a GET request to "http://localhost:8080/index.php/login" + And I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |student2 |password | | + And The response should be a SAML redirect page that gets submitted + And I send a GET request with requesttoken to "http://localhost:8080/index.php/apps/user_saml/saml/sls" + And the cookies are cleared + # The users are already known as members - student 2 is not + And the user "student1" is added to the group "Astrophysics" + And the user "staff1" is added to the group "Astrophysics" + # Set the proper attributes + And The setting "saml-attribute-mapping-email_mapping" is set to "urn:oid:0.9.2342.19200300.100.1.3" + And The setting "saml-attribute-mapping-displayName_mapping" is set to "urn:oid:2.5.4.42 urn:oid:2.5.4.4" + And The setting "saml-attribute-mapping-group_mapping" is set to "groups" + # Now login in for good + When I send a GET request to "http://localhost:8080/index.php/login" + Then I should be redirected to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO" + And I send a POST request to "https://localhost:4443/idp/profile/SAML2/Redirect/SSO?execution=e1s1" with the following data + |j_username|j_password|_eventId_proceed| + |student1 |password | | + And The response should be a SAML redirect page that gets submitted + And The user value "groups" should be "Astrophysics,SAML_Students" + And the group backend of "Astrophysics" should be "Database" + And Then the group backend of "Astrophysics" must not be "user_saml" + And I execute the background job for class "OCA\\User_SAML\\Jobs\\MigrateGroups" + And the group backend of "Astrophysics" should be "user_saml" + And Then the group backend of "Astrophysics" must not be "Database" + # Recreate state from v6.1 where members where not migrated - terribly awful tinkering + And I "disable" the app "user_saml" + And the local group "Astrophysics" is created + And I hack "student2" into existence + And the user "student2" is added to the group "Astrophysics" + And I "enable" the app "user_saml" + # Now test the occ command, which counts as a test against the repair step as well + Then I run the copy-incomplete-members command + # Remove local group remnants + And I "disable" the app "user_saml" + And the group "Astrophysics" is deleted + And I "enable" the app "user_saml" + # Now the proper checks + And The user value "groups" should be "Astrophysics,SAML_Students" + # student2 will be removed upon proper login, this tests whether the old data is taken over + And The group "Astrophysics" has exactly the members "student1, student2, staff1" + Scenario: Keeping the local admin group assigned to the SAML user Given The setting "type" is set to "saml" And The setting "general-uid_mapping" is set to "urn:oid:0.9.2342.19200300.100.1.1" diff --git a/tests/integration/features/bootstrap/FeatureContext.php b/tests/integration/features/bootstrap/FeatureContext.php index 4c3591691..51f6c8727 100644 --- a/tests/integration/features/bootstrap/FeatureContext.php +++ b/tests/integration/features/bootstrap/FeatureContext.php @@ -302,6 +302,43 @@ public function theUserValueShouldBe(string $key, string $value): void { } } + /** + * @Then The group :group has exactly the members :memberList + */ + public function theGroupHasExactlyTheMembers(string $group, string $memberList): void { + $this->response = $this->client->request( + 'GET', + sprintf('http://localhost:8080/ocs/v2.php/cloud/groups/%s', $group), + [ + 'headers' => [ + 'OCS-APIRequest' => 'true', + ], + 'query' => [ + 'format' => 'json', + ], + 'auth' => [ + 'admin', 'admin' + ], + 'cookies' => '', + ] + ); + + $responseArray = (json_decode($this->response->getBody(), true))['ocs']; + if ($responseArray['meta']['statuscode'] !== 200) { + throw new UnexpectedValueException(sprintf('Expected 200 status code but got %d', $responseArray['meta']['statusCode'])); + } + + $expectedMembers = array_map('trim', explode(',', $memberList)); + $actualMembers = array_map('trim', $responseArray['data']['users']); + + sort($expectedMembers); + sort($actualMembers); + + if ($expectedMembers !== $actualMembers) { + throw new UnexpectedValueException(sprintf('Unexpectedly the returned members are: %s', implode(', ', $actualMembers))); + } + } + /** * @Given A local user with uid :uid exists * @param string $uid @@ -317,6 +354,22 @@ public function aLocalUserWithUidExists($uid) { ); } + /** + * @Then I hack :uid into existence + */ + public function hackUserIntoExistence(string $uid): void { + rename(__DIR__ . '/../../../../../../data/' . $uid, __DIR__ . '/../../../../../../data/hide-' . $uid); + shell_exec( + sprintf( + 'OC_PASS=password %s %s user:add %s --display-name "Default displayname of '.$uid.'" --password-from-env', + PHP_BINARY, + __DIR__ . '/../../../../../../occ', + $uid + ) + ); + rename(__DIR__ . '/../../../../../../data/hide-' . $uid, __DIR__ . '/../../../../../../data/' . $uid); + } + /** * @Then The last login timestamp of :uid should not be empty * @@ -455,7 +508,19 @@ public function theLocalGroupIsCreated(string $groupName) { ); } - + /** + * @Given the group :group is deleted + */ + public function theGroupIsDeleted(string $group) { + shell_exec( + sprintf( + '%s %s group:delete "%s"', + PHP_BINARY, + __DIR__ . '/../../../../../../occ', + $group + ) + ); + } /** * @Given /^I send a GET request with requesttoken to "([^"]*)"$/ @@ -503,6 +568,37 @@ public function theUserIsAddedToTheGroup(string $userId, string $groupId) { ); } + /** + * @Given I run the copy-incomplete-members command + */ + public function theCopyIncompleteMembersCommandIsRun() { + $out = shell_exec( + sprintf( + '%s %s saml:group-migration:copy-incomplete-members --verbose', + PHP_BINARY, + __DIR__ . '/../../../../../../occ', + ) + ); + if ($out === false || $out === null) { + throw new RuntimeException('Failed to execute saml:group-migration:copy-incomplete-members command'); + } + } + + /** + * @Given I :stateAction the app :appId + */ + public function theAppIsEnabledOrDisabled(string $appId, string $stateAction) { + shell_exec( + sprintf( + '%s %s app:%s "%s"', + PHP_BINARY, + __DIR__ . '/../../../../../../occ', + $stateAction, + $appId + ) + ); + } + /** * @Given /^I expect no background job for class "([^"]*)"$/ */ diff --git a/tests/stub.phpstub b/tests/stub.phpstub index 12a826696..352cb702c 100644 --- a/tests/stub.phpstub +++ b/tests/stub.phpstub @@ -9,6 +9,47 @@ namespace OCA\Files\Event { } } +namespace OC\Core\Command { + use Symfony\Component\Console\Command\Command; + use Symfony\Component\Console\Input\InputInterface; + use Symfony\Component\Console\Output\OutputInterface; + + class Base { + public function __construct() {} + protected function configure(): void {} + public function run(InputInterface $input, OutputInterface $output): int {} + public function setName(string $name): self {} + public function setDescription(string $description): self {} + public function addOption(string $name, $shortcut = null, ?int $mode = null, string $description = '', $default = null): self; + public function addArgument(string $name, int $mode = null, string $description = '', $default = null): self; + protected function writeArrayInOutputFormat(InputInterface $input, OutputInterface $output, array $items, string $prefix = ' - '): void; + } +} + +namespace Symfony\Component\Console\Output { + class OutputInterface { + public function isVerbose(): bool; + public function isQuiet(): bool; + public function writeln($messages, int $options = 0): void; + } +} + +namespace Symfony\Component\Console\Input { + class InputInterface { + public function getArgument(string $name): mixed; + public function getOptions(): array; + public function getOption(string $name): mixed; + } + + class InputArgument { + public const REQUIRED = 1; + } + + class InputOption { + public const VALUE_REQUIRED = 2; + } +} + namespace OC\Group { abstract class Database extends \OCP\Group\Backend\ABackend implements \OCP\Group\Backend\IAddToGroupBackend, @@ -24,3 +65,14 @@ namespace OC\Group { \OCP\Group\Backend\INamedBackend { } } + +namespace OC\DB\Exceptions { + class DbalException extends \OCP\DB\Exception { + public function isRetryable(): bool { + } + } +} + +namespace OCP\Log { + public function logger(?string $appId = null): \Psr\Log\LoggerInterface; +}