Implement Group Mapping

Signed-off-by: James Botting <[email protected]> Merge of the following commits from branch: Rebuild webpack Prevent account enumeration The granular errors shown here can allow an attacker to enumerate valid accounts in the system and increase the attack surface Relocate user disable code If any of the code should error after the creation of the user, the user may then have a valid account to login with when this is not expected. Relocate the code to disable the user immediately after user creation Update backend code for changes
nextcloud · Jul 26, 2024 · 226f4f0 · 226f4f0
1 parent 88301b6
commit 226f4f0
Show file tree

Hide file tree

Showing 13 changed files with 481 additions and 22 deletions.
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -13,6 +13,8 @@
 return [
 	'routes' => [
 		['name' => 'settings#admin', 'url' => '/settings', 'verb' => 'POST'],
+		['name' => 'settings#addGroupMapping', 'url' => '/settings/groupmapping', 'verb' => 'POST'],
+		['name' => 'settings#deleteGroupMapping', 'url' => '/settings/groupmapping/{id}', 'verb' => 'DELETE'],
 		['name' => 'register#showEmailForm', 'url' => '/', 'verb' => 'GET'],
 		['name' => 'register#submitEmailForm', 'url' => '/', 'verb' => 'POST'],
 		['name' => 'register#showVerificationForm', 'url' => '/verify/{secret}', 'verb' => 'GET'],

diff --git a/js/registration-settings.js b/js/registration-settings.js
diff --git a/js/registration-settings.js.map b/js/registration-settings.js.map
diff --git a/l10n/en_GB.js b/l10n/en_GB.js
@@ -86,6 +86,11 @@ OC.L10N.register(
     "Verification code" : "Verification code",
     "Verify" : "Verify",
     "Approval required" : "Approval required",
-    "Your account has been successfully created, but it still needs approval from an administrator." : "Your account has been successfully created, but it still needs approval from an administrator."
+    "Your account has been successfully created, but it still needs approval from an administrator." : "Your account has been successfully created, but it still needs approval from an administrator.",
+    "Only send request to group admins" : "Only send approval request to group admins",
+    "Map groups to email" : "Enable assigning default group via email address",
+    "Group mappings" : "Email to Group Mappings",
+    "Delete mapping" : "Delete mapping",
+    "Add mapping" : "Add mapping"
 },
 "nplurals=2; plural=(n != 1);");
diff --git a/l10n/en_GB.json b/l10n/en_GB.json
@@ -84,6 +84,11 @@
     "Verification code" : "Verification code",
     "Verify" : "Verify",
     "Approval required" : "Approval required",
-    "Your account has been successfully created, but it still needs approval from an administrator." : "Your account has been successfully created, but it still needs approval from an administrator."
+    "Your account has been successfully created, but it still needs approval from an administrator." : "Your account has been successfully created, but it still needs approval from an administrator.",
+    "Only send request to group admins" : "Only send approval request to group admins",
+    "Map groups to email" : "Enable assigning default group via email address",
+    "Group mappings" : "Email to Group Mappings",
+    "Delete mapping" : "Delete mapping",
+    "Add mapping" : "Add mapping"
 },"pluralForm" :"nplurals=2; plural=(n != 1);"
 }
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
@@ -13,6 +13,8 @@
 
 namespace OCA\Registration\Controller;
 
+use OCA\Registration\Db\GroupMapper;
+use OCA\Registration\Db\Group;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
@@ -27,15 +29,17 @@ class SettingsController extends Controller {
 	private IL10N $l10n;
 	private IConfig $config;
 	private IGroupManager $groupmanager;
+	private GroupMapper $groupMapper;
 	/** @var string */
 	protected $appName;
 
-	public function __construct($appName, IRequest $request, IL10N $l10n, IConfig $config, IGroupManager $groupmanager) {
+	public function __construct($appName, IRequest $request, IL10N $l10n, IConfig $config, IGroupManager $groupmanager, GroupMapper $groupmapper) {
 		parent::__construct($appName, $request);
 		$this->l10n = $l10n;
 		$this->config = $config;
 		$this->groupmanager = $groupmanager;
 		$this->appName = $appName;
+		$this->groupMapper = $groupmapper;
 	}
 
 	/**
@@ -47,10 +51,12 @@ public function __construct($appName, IRequest $request, IL10N $l10n, IConfig $c
 	 * @param string $email_verification_hint if filled embed Text in Verification mail send to user
 	 * @param string $username_policy_regex optional regex to check usernames against a pattern
 	 * @param bool|null $admin_approval_required newly registered users have to be validated by an admin
+	 * @param bool|null $admin_approval_to_group_admin_only only send the activation email to the group admins the new user will be a member of
 	 * @param bool|null $email_is_optional email address is not required
 	 * @param bool|null $email_is_login email address is forced as user id
 	 * @param bool|null $domains_is_blocklist is the domain list an allow or block list
 	 * @param bool|null $show_domains should the email list be shown to the user or not
+	 * @param bool|null $per_email_group_mapping should the group to email mapping feature be enabled or not
 	 * @return DataResponse
 	 */
 	public function admin(?string $registered_user_group,
@@ -59,6 +65,7 @@ public function admin(?string $registered_user_group,
 		string $email_verification_hint,
 		string $username_policy_regex,
 		?bool $admin_approval_required,
+		?bool $admin_approval_to_group_admin_only,
 		?bool $email_is_optional,
 		?bool $email_is_login,
 		?bool $show_fullname,
@@ -67,7 +74,8 @@ public function admin(?string $registered_user_group,
 		?bool $enforce_phone,
 		?bool $domains_is_blocklist,
 		?bool $show_domains,
-		?bool $disable_email_verification): DataResponse {
+		?bool $disable_email_verification,
+		?bool $per_email_group_mapping): DataResponse {
 		// handle domains
 		if (($allowed_domains === '') || ($allowed_domains === null)) {
 			$this->config->deleteAppValue($this->appName, 'allowed_domains');
@@ -104,6 +112,7 @@ public function admin(?string $registered_user_group,
 		}
 
 		$this->config->setAppValue($this->appName, 'admin_approval_required', $admin_approval_required ? 'yes' : 'no');
+		$this->config->setAppValue($this->appName, 'admin_approval_to_group_admin_only', $admin_approval_to_group_admin_only ? 'yes' : 'no');
 		$this->config->setAppValue($this->appName, 'email_is_optional', $email_is_optional ? 'yes' : 'no');
 		$this->config->setAppValue($this->appName, 'email_is_login', !$email_is_optional && $email_is_login ? 'yes' : 'no');
 		$this->config->setAppValue($this->appName, 'show_fullname', $show_fullname ? 'yes' : 'no');
@@ -113,6 +122,7 @@ public function admin(?string $registered_user_group,
 		$this->config->setAppValue($this->appName, 'domains_is_blocklist', $domains_is_blocklist ? 'yes' : 'no');
 		$this->config->setAppValue($this->appName, 'show_domains', $show_domains ? 'yes' : 'no');
 		$this->config->setAppValue($this->appName, 'disable_email_verification', $disable_email_verification ? 'yes' : 'no');
+		$this->config->setAppValue($this->appName, 'per_email_group_mapping', $per_email_group_mapping ? 'yes' : 'no');
 
 		if ($registered_user_group === null) {
 			$this->config->deleteAppValue($this->appName, 'registered_user_group');
@@ -142,4 +152,78 @@ public function admin(?string $registered_user_group,
 			'status' => 'error',
 		], Http::STATUS_NOT_FOUND);
 	}
-}
+
+	/**
+	 * @AdminRequired
+	 *
+	 * @param string $email_domains the email domains to match for this rule
+	 * @param string $group_name the group to assign the users that match to
+	 * @return DataResponse
+	 */
+	public function addGroupMapping(string $email_domains,
+		string $group_name): DataResponse {
+		// Check email domains is valid string
+		if (($email_domains === '') || ($email_domains === null)) {
+			return new DataResponse([
+				'data' => [
+					'message' => $this->l10n->t('Invalid email domain list'),
+				],
+				'status' => 'error',
+			], Http::STATUS_BAD_REQUEST);
+		}
+
+		// Check group is valid
+		$group = $this->groupmanager->get($group_name);
+		if (!($group instanceof IGroup)) {
+			return new DataResponse([
+				'data' => [
+					'message' => $this->l10n->t('No such group'),
+				],
+				'status' => 'error',
+			], Http::STATUS_NOT_FOUND);
+		}
+
+		// Add new mapping
+		$groupMapping = new Group();
+		$groupMapping->setEmailDomains($email_domains);
+		$groupMapping->setGroupId($group_name);
+		$newMapping = $this->groupMapper->insert($groupMapping);
+
+		// Return result
+		return new DataResponse([
+			'data' => [
+				'message' => $this->l10n->t('Saved'),
+				'id' => $newMapping->getId()
+			],
+			'status' => 'success',
+		]);
+	}
+
+	/**
+	 * @AdminRequired
+	 *
+	 * @param int $id The ID of the row to delete
+	 * @return DataResponse
+	 */
+	public function deleteGroupMapping(int $id): DataResponse {
+		// Check mapping is valid
+		$groupMapping = $this->groupMapper->getById($id);
+		if (!($groupMapping instanceof Group)) {
+			return new DataResponse([
+				'data' => [
+					'message' => $this->l10n->t('No such group mapping'),
+				],
+				'status' => 'error',
+			], Http::STATUS_NOT_FOUND);
+		}
+
+		// Delete mapping
+		$this->groupMapper->delete($groupMapping);
+		return new DataResponse([
+			'data' => [
+				'message' => $this->l10n->t('Deleted')
+			],
+			'status' => 'success',
+		]);
+	}
+}
diff --git a/lib/Db/Group.php b/lib/Db/Group.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2017 Julius Härtl <[email protected]>
+ *
+ * @author Julius Härtl <[email protected]>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as
+ *  published by the Free Software Foundation, either version 3 of the
+ *  License, or (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Registration\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method string getEmailDomains()
+ * @method void setEmailDomains(string $email)
+ * @method string getGroupId()
+ * @method void setGroupId(string $groupid)
+ */
+class Group extends Entity {
+	public $id;
+	protected $emailDomains;
+	protected $groupId;
+
+	public function __construct() {
+		$this->addType('emailDomains', 'string');
+		$this->addType('groupId', 'string');
+	}
+}
diff --git a/lib/Db/GroupMapper.php b/lib/Db/GroupMapper.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2017 Julius Härtl <[email protected]>
+ *
+ * @author Julius Härtl <[email protected]>
+ * @author Thomas Citharel <[email protected]>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as
+ *  published by the Free Software Foundation, either version 3 of the
+ *  License, or (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Registration\Db;
+
+use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\AppFramework\Db\Entity;
+use OCP\AppFramework\Db\MultipleObjectsReturnedException;
+use OCP\AppFramework\Db\QBMapper;
+use OCP\DB\Exception;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDBConnection;
+use OCP\Security\ISecureRandom;
+
+class GroupMapper extends QBMapper {
+	public function __construct(IDBConnection $db, protected ISecureRandom $random) {
+		parent::__construct($db, 'registration_group', Group::class);
+	}
+
+	/**
+	 * @return Group[]
+	 */
+	public function getGroupMappings(): array {
+		$qb = $this->db->getQueryBuilder();
+		$qb
+			->select('*')
+			->from($this->tableName);
+
+		return $this->findEntities($qb);
+	}
+
+	/**
+	 * @return Group|null
+	 */
+	public function getGroupMappingByEmailDomain($emailDomain): ?Group {
+		try {
+			$qb = $this->db->getQueryBuilder();
+			$qb
+				->select('*')
+				->from($this->tableName)
+				->where($qb->expr()->like('email_domains', $qb->createNamedParameter("%".$emailDomain."%", IQueryBuilder::PARAM_STR)));
+
+			return $this->findEntity($qb);
+		} catch( \Exception ) {
+			return null;
+		}
+	}
+
+	/**
+	 * @return Group
+	 */
+	public function getById($id): Group {
+		$qb = $this->db->getQueryBuilder();
+		$qb
+			->select('*')
+			->from($this->tableName)
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)));
+
+		return $this->findEntity($qb);
+	}
+}
diff --git a/lib/Service/MailService.php b/lib/Service/MailService.php
@@ -128,7 +128,8 @@ public function sendTokenByMail(Registration $registration): void {
 
 	public function notifyAdmins(string $userId, ?string $userEMailAddress, bool $userIsEnabled, string $userGroupId): void {
 		// Notify admin
-		$adminUsers = $this->groupManager->get('admin')->getUsers();
+		$notifyOnlySubadmins = $this->config->getAppValue('registration', 'admin_approval_to_group_admin_only', 'no');
+		$adminUsers = ($notifyOnlySubadmins === 'yes') ? [] : $this->groupManager->get('admin')->getUsers();
 
 		// if the user is disabled and belongs to a group
 		// add subadmins of this group to notification list