fix(user_ldap): Check that all user and group bases are in the global…

… one

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

apps/user_ldap/ajax/testConfiguration.php

@@ -21,19 +21,18 @@
 
 
 try {
-	$configurationOk = true;
 	$configurationError = '';
 	$conf = $connection->getConfiguration();
 	if ($conf['ldap_configuration_active'] === '0') {
 		//needs to be true, otherwise it will also fail with an irritating message
 		$conf['ldap_configuration_active'] = '1';
-		try {
-			$configurationOk = $connection->setConfiguration($conf, throw:true);
-		} catch (ConfigurationIssueException $e) {
-			$configurationError = $e->getHint();
-		}
 	}
-	if ($configurationOk) {
+	try {
+		$connection->setConfiguration($conf, throw:true);
+	} catch (ConfigurationIssueException $e) {
+		$configurationError = $e->getHint();
+	}
+	if ($configurationError === '') {
 		//Configuration is okay
 		/*
 		 * Closing the session since it won't be used from this point on. There might be a potential

apps/user_ldap/lib/Connection.php

@@ -451,8 +451,6 @@ private function doSoftValidation(): void {
 	 * @throws ConfigurationIssueException
 	 */
 	private function doCriticalValidation(): void {
-		$configurationOK = true;
-
 		//options that shall not be empty
 		$options = ['ldapHost', 'ldapUserDisplayName',
 			'ldapGroupDisplayName', 'ldapLoginFilter'];
@@ -485,7 +483,6 @@ private function doCriticalValidation(): void {
 						$subj = $key;
 						break;
 				}
-				$configurationOK = false;
 				throw new ConfigurationIssueException(
 					'No ' . $subj . ' given!',
 					$this->l10n->t('Mandatory field "%s" left empty', $subj),
@@ -497,14 +494,12 @@ private function doCriticalValidation(): void {
 		$agent = $this->configuration->ldapAgentName;
 		$pwd = $this->configuration->ldapAgentPassword;
 		if ($agent === '' && $pwd !== '') {
-			$configurationOK = false;
 			throw new ConfigurationIssueException(
 				'A password is given, but not an LDAP agent',
 				$this->l10n->t('A password is given, but not an LDAP agent'),
 			);
 		}
 		if ($agent !== '' && $pwd === '') {
-			$configurationOK = false;
 			throw new ConfigurationIssueException(
 				'No password is given for the user agent',
 				$this->l10n->t('No password is given for the user agent'),
@@ -515,23 +510,54 @@ private function doCriticalValidation(): void {
 		$baseUsers = $this->configuration->ldapBaseUsers;
 		$baseGroups = $this->configuration->ldapBaseGroups;
 
-		if (empty($base) && empty($baseUsers) && empty($baseGroups)) {
-			$configurationOK = false;
+		if (empty($base)) {
 			throw new ConfigurationIssueException(
-				'Not a single Base DN given.',
+				'Not a single Base DN given',
 				$this->l10n->t('No LDAP base DN was given'),
 			);
 		}
 
+		if (!empty($baseUsers) && !$this->checkBasesAreValid($baseUsers, $base)) {
+			throw new ConfigurationIssueException(
+				'User base is not in root base',
+				$this->l10n->t('User base DN is not a subnode of global base DN'),
+			);
+		}
+
+		if (!empty($baseGroups) && !$this->checkBasesAreValid($baseGroups, $base)) {
+			throw new ConfigurationIssueException(
+				'Group base is not in root base',
+				$this->l10n->t('Group base DN is not a subnode of global base DN'),
+			);
+		}
+
 		if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
-			$configurationOK = false;
 			throw new ConfigurationIssueException(
 				'Login filter does not contain %uid place holder.',
 				$this->l10n->t('Login filter does not contain %uid place holder'),
 			);
 		}
 	}
 
+	/**
+	 * Checks that all bases are subnodes of one of the root bases
+	 */
+	private function checkBasesAreValid(array $bases, array $rootBases): bool {
+		foreach ($bases as $base) {
+			$ok = false;
+			foreach ($rootBases as $rootBase) {
+				if (str_ends_with($base, $rootBase)) {
+					$ok = true;
+					break;
+				}
+			}
+			if (!$ok) {
+				return false;
+			}
+		}
+		return true;
+	}
+
 	/**
 	 * Validates the user specified configuration
 	 * @return bool true if configuration seems OK, false otherwise