Inspection of "Merge pull request #8338 from nextcloud/simplify-r..." - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( ff1b34...d1fb93 )

by Joas

created 2018-02-14 09:08 UTC

Status

Indentation +975 added lines, -975 removed lines patch added patch discarded remove patch

@@ -48,980 +48,980 @@
 block discarded – undo
 
 class Encryption extends Wrapper {
 
-	use LocalTempFileTrait;
-
-	/** @var string */
-	private $mountPoint;
-
-	/** @var \OC\Encryption\Util */
-	private $util;
-
-	/** @var \OCP\Encryption\IManager */
-	private $encryptionManager;
-
-	/** @var \OCP\ILogger */
-	private $logger;
-
-	/** @var string */
-	private $uid;
-
-	/** @var array */
-	protected $unencryptedSize;
-
-	/** @var \OCP\Encryption\IFile */
-	private $fileHelper;
-
-	/** @var IMountPoint */
-	private $mount;
-
-	/** @var IStorage */
-	private $keyStorage;
-
-	/** @var Update */
-	private $update;
-
-	/** @var Manager */
-	private $mountManager;
-
-	/** @var array remember for which path we execute the repair step to avoid recursions */
-	private $fixUnencryptedSizeOf = array();
-
-	/** @var  ArrayCache */
-	private $arrayCache;
-
-	/**
-	 * @param array $parameters
-	 * @param IManager $encryptionManager
-	 * @param Util $util
-	 * @param ILogger $logger
-	 * @param IFile $fileHelper
-	 * @param string $uid
-	 * @param IStorage $keyStorage
-	 * @param Update $update
-	 * @param Manager $mountManager
-	 * @param ArrayCache $arrayCache
-	 */
-	public function __construct(
-			$parameters,
-			IManager $encryptionManager = null,
-			Util $util = null,
-			ILogger $logger = null,
-			IFile $fileHelper = null,
-			$uid = null,
-			IStorage $keyStorage = null,
-			Update $update = null,
-			Manager $mountManager = null,
-			ArrayCache $arrayCache = null
-		) {
-
-		$this->mountPoint = $parameters['mountPoint'];
-		$this->mount = $parameters['mount'];
-		$this->encryptionManager = $encryptionManager;
-		$this->util = $util;
-		$this->logger = $logger;
-		$this->uid = $uid;
-		$this->fileHelper = $fileHelper;
-		$this->keyStorage = $keyStorage;
-		$this->unencryptedSize = array();
-		$this->update = $update;
-		$this->mountManager = $mountManager;
-		$this->arrayCache = $arrayCache;
-		parent::__construct($parameters);
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.filesize.php
-	 * The result for filesize when called on a folder is required to be 0
-	 *
-	 * @param string $path
-	 * @return int
-	 */
-	public function filesize($path) {
-		$fullPath = $this->getFullPath($path);
-
-		/** @var CacheEntry $info */
-		$info = $this->getCache()->get($path);
-		if (isset($this->unencryptedSize[$fullPath])) {
-			$size = $this->unencryptedSize[$fullPath];
-			// update file cache
-			if ($info instanceof ICacheEntry) {
-				$info = $info->getData();
-				$info['encrypted'] = $info['encryptedVersion'];
-			} else {
-				if (!is_array($info)) {
-					$info = [];
-				}
-				$info['encrypted'] = true;
-			}
-
-			$info['size'] = $size;
-			$this->getCache()->put($path, $info);
-
-			return $size;
-		}
-
-		if (isset($info['fileid']) && $info['encrypted']) {
-			return $this->verifyUnencryptedSize($path, $info['size']);
-		}
-
-		return $this->storage->filesize($path);
-	}
-
-	/**
-	 * @param string $path
-	 * @return array
-	 */
-	public function getMetaData($path) {
-		$data = $this->storage->getMetaData($path);
-		if (is_null($data)) {
-			return null;
-		}
-		$fullPath = $this->getFullPath($path);
-		$info = $this->getCache()->get($path);
-
-		if (isset($this->unencryptedSize[$fullPath])) {
-			$data['encrypted'] = true;
-			$data['size'] = $this->unencryptedSize[$fullPath];
-		} else {
-			if (isset($info['fileid']) && $info['encrypted']) {
-				$data['size'] = $this->verifyUnencryptedSize($path, $info['size']);
-				$data['encrypted'] = true;
-			}
-		}
-
-		if (isset($info['encryptedVersion']) && $info['encryptedVersion'] > 1) {
-			$data['encryptedVersion'] = $info['encryptedVersion'];
-		}
-
-		return $data;
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.file_get_contents.php
-	 *
-	 * @param string $path
-	 * @return string
-	 */
-	public function file_get_contents($path) {
-
-		$encryptionModule = $this->getEncryptionModule($path);
-
-		if ($encryptionModule) {
-			$handle = $this->fopen($path, "r");
-			if (!$handle) {
-				return false;
-			}
-			$data = stream_get_contents($handle);
-			fclose($handle);
-			return $data;
-		}
-		return $this->storage->file_get_contents($path);
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.file_put_contents.php
-	 *
-	 * @param string $path
-	 * @param string $data
-	 * @return bool
-	 */
-	public function file_put_contents($path, $data) {
-		// file put content will always be translated to a stream write
-		$handle = $this->fopen($path, 'w');
-		if (is_resource($handle)) {
-			$written = fwrite($handle, $data);
-			fclose($handle);
-			return $written;
-		}
-
-		return false;
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.unlink.php
-	 *
-	 * @param string $path
-	 * @return bool
-	 */
-	public function unlink($path) {
-		$fullPath = $this->getFullPath($path);
-		if ($this->util->isExcluded($fullPath)) {
-			return $this->storage->unlink($path);
-		}
-
-		$encryptionModule = $this->getEncryptionModule($path);
-		if ($encryptionModule) {
-			$this->keyStorage->deleteAllFileKeys($this->getFullPath($path));
-		}
-
-		return $this->storage->unlink($path);
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.rename.php
-	 *
-	 * @param string $path1
-	 * @param string $path2
-	 * @return bool
-	 */
-	public function rename($path1, $path2) {
-
-		$result = $this->storage->rename($path1, $path2);
-
-		if ($result &&
-			// versions always use the keys from the original file, so we can skip
-			// this step for versions
-			$this->isVersion($path2) === false &&
-			$this->encryptionManager->isEnabled()) {
-			$source = $this->getFullPath($path1);
-			if (!$this->util->isExcluded($source)) {
-				$target = $this->getFullPath($path2);
-				if (isset($this->unencryptedSize[$source])) {
-					$this->unencryptedSize[$target] = $this->unencryptedSize[$source];
-				}
-				$this->keyStorage->renameKeys($source, $target);
-				$module = $this->getEncryptionModule($path2);
-				if ($module) {
-					$module->update($target, $this->uid, []);
-				}
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.rmdir.php
-	 *
-	 * @param string $path
-	 * @return bool
-	 */
-	public function rmdir($path) {
-		$result = $this->storage->rmdir($path);
-		$fullPath = $this->getFullPath($path);
-		if ($result &&
-			$this->util->isExcluded($fullPath) === false &&
-			$this->encryptionManager->isEnabled()
-		) {
-			$this->keyStorage->deleteAllFileKeys($fullPath);
-		}
-
-		return $result;
-	}
-
-	/**
-	 * check if a file can be read
-	 *
-	 * @param string $path
-	 * @return bool
-	 */
-	public function isReadable($path) {
-
-		$isReadable = true;
-
-		$metaData = $this->getMetaData($path);
-		if (
-			!$this->is_dir($path) &&
-			isset($metaData['encrypted']) &&
-			$metaData['encrypted'] === true
-		) {
-			$fullPath = $this->getFullPath($path);
-			$module = $this->getEncryptionModule($path);
-			$isReadable = $module->isReadable($fullPath, $this->uid);
-		}
-
-		return $this->storage->isReadable($path) && $isReadable;
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.copy.php
-	 *
-	 * @param string $path1
-	 * @param string $path2
-	 * @return bool
-	 */
-	public function copy($path1, $path2) {
-
-		$source = $this->getFullPath($path1);
-
-		if ($this->util->isExcluded($source)) {
-			return $this->storage->copy($path1, $path2);
-		}
-
-		// need to stream copy file by file in case we copy between a encrypted
-		// and a unencrypted storage
-		$this->unlink($path2);
-		return $this->copyFromStorage($this, $path1, $path2);
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.fopen.php
-	 *
-	 * @param string $path
-	 * @param string $mode
-	 * @return resource|bool
-	 * @throws GenericEncryptionException
-	 * @throws ModuleDoesNotExistsException
-	 */
-	public function fopen($path, $mode) {
-
-		// check if the file is stored in the array cache, this means that we
-		// copy a file over to the versions folder, in this case we don't want to
-		// decrypt it
-		if ($this->arrayCache->hasKey('encryption_copy_version_' . $path)) {
-			$this->arrayCache->remove('encryption_copy_version_' . $path);
-			return $this->storage->fopen($path, $mode);
-		}
-
-		$encryptionEnabled = $this->encryptionManager->isEnabled();
-		$shouldEncrypt = false;
-		$encryptionModule = null;
-		$header = $this->getHeader($path);
-		$signed = isset($header['signed']) && $header['signed'] === 'true';
-		$fullPath = $this->getFullPath($path);
-		$encryptionModuleId = $this->util->getEncryptionModuleId($header);
-
-		if ($this->util->isExcluded($fullPath) === false) {
-
-			$size = $unencryptedSize = 0;
-			$realFile = $this->util->stripPartialFileExtension($path);
-			$targetExists = $this->file_exists($realFile) || $this->file_exists($path);
-			$targetIsEncrypted = false;
-			if ($targetExists) {
-				// in case the file exists we require the explicit module as
-				// specified in the file header - otherwise we need to fail hard to
-				// prevent data loss on client side
-				if (!empty($encryptionModuleId)) {
-					$targetIsEncrypted = true;
-					$encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
-				}
-
-				if ($this->file_exists($path)) {
-					$size = $this->storage->filesize($path);
-					$unencryptedSize = $this->filesize($path);
-				} else {
-					$size = $unencryptedSize = 0;
-				}
-			}
-
-			try {
-
-				if (
-					$mode === 'w'
-					|| $mode === 'w+'
-					|| $mode === 'wb'
-					|| $mode === 'wb+'
-				) {
-					// don't overwrite encrypted files if encryption is not enabled
-					if ($targetIsEncrypted && $encryptionEnabled === false) {
-						throw new GenericEncryptionException('Tried to access encrypted file but encryption is not enabled');
-					}
-					if ($encryptionEnabled) {
-						// if $encryptionModuleId is empty, the default module will be used
-						$encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
-						$shouldEncrypt = $encryptionModule->shouldEncrypt($fullPath);
-						$signed = true;
-					}
-				} else {
-					$info = $this->getCache()->get($path);
-					// only get encryption module if we found one in the header
-					// or if file should be encrypted according to the file cache
-					if (!empty($encryptionModuleId)) {
-						$encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
-						$shouldEncrypt = true;
-					} else if (empty($encryptionModuleId) && $info['encrypted'] === true) {
-						// we come from a old installation. No header and/or no module defined
-						// but the file is encrypted. In this case we need to use the
-						// OC_DEFAULT_MODULE to read the file
-						$encryptionModule = $this->encryptionManager->getEncryptionModule('OC_DEFAULT_MODULE');
-						$shouldEncrypt = true;
-						$targetIsEncrypted = true;
-					}
-				}
-			} catch (ModuleDoesNotExistsException $e) {
-				$this->logger->logException($e, [
-					'message' => 'Encryption module "' . $encryptionModuleId . '" not found, file will be stored unencrypted',
-					'level' => \OCP\Util::WARN,
-					'app' => 'core',
-				]);
-			}
-
-			// encryption disabled on write of new file and write to existing unencrypted file -> don't encrypt
-			if (!$encryptionEnabled || !$this->shouldEncrypt($path)) {
-				if (!$targetExists || !$targetIsEncrypted) {
-					$shouldEncrypt = false;
-				}
-			}
-
-			if ($shouldEncrypt === true && $encryptionModule !== null) {
-				$headerSize = $this->getHeaderSize($path);
-				$source = $this->storage->fopen($path, $mode);
-				if (!is_resource($source)) {
-					return false;
-				}
-				$handle = \OC\Files\Stream\Encryption::wrap($source, $path, $fullPath, $header,
-					$this->uid, $encryptionModule, $this->storage, $this, $this->util, $this->fileHelper, $mode,
-					$size, $unencryptedSize, $headerSize, $signed);
-				return $handle;
-			}
-
-		}
-
-		return $this->storage->fopen($path, $mode);
-	}
-
-
-	/**
-	 * perform some plausibility checks if the the unencrypted size is correct.
-	 * If not, we calculate the correct unencrypted size and return it
-	 *
-	 * @param string $path internal path relative to the storage root
-	 * @param int $unencryptedSize size of the unencrypted file
-	 *
-	 * @return int unencrypted size
-	 */
-	protected function verifyUnencryptedSize($path, $unencryptedSize) {
-
-		$size = $this->storage->filesize($path);
-		$result = $unencryptedSize;
-
-		if ($unencryptedSize < 0 ||
-			($size > 0 && $unencryptedSize === $size)
-		) {
-			// check if we already calculate the unencrypted size for the
-			// given path to avoid recursions
-			if (isset($this->fixUnencryptedSizeOf[$this->getFullPath($path)]) === false) {
-				$this->fixUnencryptedSizeOf[$this->getFullPath($path)] = true;
-				try {
-					$result = $this->fixUnencryptedSize($path, $size, $unencryptedSize);
-				} catch (\Exception $e) {
-					$this->logger->error('Couldn\'t re-calculate unencrypted size for '. $path);
-					$this->logger->logException($e);
-				}
-				unset($this->fixUnencryptedSizeOf[$this->getFullPath($path)]);
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * calculate the unencrypted size
-	 *
-	 * @param string $path internal path relative to the storage root
-	 * @param int $size size of the physical file
-	 * @param int $unencryptedSize size of the unencrypted file
-	 *
-	 * @return int calculated unencrypted size
-	 */
-	protected function fixUnencryptedSize($path, $size, $unencryptedSize) {
-
-		$headerSize = $this->getHeaderSize($path);
-		$header = $this->getHeader($path);
-		$encryptionModule = $this->getEncryptionModule($path);
-
-		$stream = $this->storage->fopen($path, 'r');
-
-		// if we couldn't open the file we return the old unencrypted size
-		if (!is_resource($stream)) {
-			$this->logger->error('Could not open ' . $path . '. Recalculation of unencrypted size aborted.');
-			return $unencryptedSize;
-		}
-
-		$newUnencryptedSize = 0;
-		$size -= $headerSize;
-		$blockSize = $this->util->getBlockSize();
-
-		// if a header exists we skip it
-		if ($headerSize > 0) {
-			fread($stream, $headerSize);
-		}
-
-		// fast path, else the calculation for $lastChunkNr is bogus
-		if ($size === 0) {
-			return 0;
-		}
-
-		$signed = isset($header['signed']) && $header['signed'] === 'true';
-		$unencryptedBlockSize = $encryptionModule->getUnencryptedBlockSize($signed);
-
-		// calculate last chunk nr
-		// next highest is end of chunks, one subtracted is last one
-		// we have to read the last chunk, we can't just calculate it (because of padding etc)
-
-		$lastChunkNr = ceil($size/ $blockSize)-1;
-		// calculate last chunk position
-		$lastChunkPos = ($lastChunkNr * $blockSize);
-		// try to fseek to the last chunk, if it fails we have to read the whole file
-		if (@fseek($stream, $lastChunkPos, SEEK_CUR) === 0) {
-			$newUnencryptedSize += $lastChunkNr * $unencryptedBlockSize;
-		}
-
-		$lastChunkContentEncrypted='';
-		$count = $blockSize;
-
-		while ($count > 0) {
-			$data=fread($stream, $blockSize);
-			$count=strlen($data);
-			$lastChunkContentEncrypted .= $data;
-			if(strlen($lastChunkContentEncrypted) > $blockSize) {
-				$newUnencryptedSize += $unencryptedBlockSize;
-				$lastChunkContentEncrypted=substr($lastChunkContentEncrypted, $blockSize);
-			}
-		}
-
-		fclose($stream);
-
-		// we have to decrypt the last chunk to get it actual size
-		$encryptionModule->begin($this->getFullPath($path), $this->uid, 'r', $header, []);
-		$decryptedLastChunk = $encryptionModule->decrypt($lastChunkContentEncrypted, $lastChunkNr . 'end');
-		$decryptedLastChunk .= $encryptionModule->end($this->getFullPath($path), $lastChunkNr . 'end');
-
-		// calc the real file size with the size of the last chunk
-		$newUnencryptedSize += strlen($decryptedLastChunk);
-
-		$this->updateUnencryptedSize($this->getFullPath($path), $newUnencryptedSize);
-
-		// write to cache if applicable
-		$cache = $this->storage->getCache();
-		if ($cache) {
-			$entry = $cache->get($path);
-			$cache->update($entry['fileid'], ['size' => $newUnencryptedSize]);
-		}
-
-		return $newUnencryptedSize;
-	}
-
-	/**
-	 * @param Storage\IStorage $sourceStorage
-	 * @param string $sourceInternalPath
-	 * @param string $targetInternalPath
-	 * @param bool $preserveMtime
-	 * @return bool
-	 */
-	public function moveFromStorage(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = true) {
-		if ($sourceStorage === $this) {
-			return $this->rename($sourceInternalPath, $targetInternalPath);
-		}
-
-		// TODO clean this up once the underlying moveFromStorage in OC\Files\Storage\Wrapper\Common is fixed:
-		// - call $this->storage->moveFromStorage() instead of $this->copyBetweenStorage
-		// - copy the file cache update from  $this->copyBetweenStorage to this method
-		// - copy the copyKeys() call from  $this->copyBetweenStorage to this method
-		// - remove $this->copyBetweenStorage
-
-		if (!$sourceStorage->isDeletable($sourceInternalPath)) {
-			return false;
-		}
-
-		$result = $this->copyBetweenStorage($sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime, true);
-		if ($result) {
-			if ($sourceStorage->is_dir($sourceInternalPath)) {
-				$result &= $sourceStorage->rmdir($sourceInternalPath);
-			} else {
-				$result &= $sourceStorage->unlink($sourceInternalPath);
-			}
-		}
-		return $result;
-	}
-
-
-	/**
-	 * @param Storage\IStorage $sourceStorage
-	 * @param string $sourceInternalPath
-	 * @param string $targetInternalPath
-	 * @param bool $preserveMtime
-	 * @param bool $isRename
-	 * @return bool
-	 */
-	public function copyFromStorage(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = false, $isRename = false) {
-
-		// TODO clean this up once the underlying moveFromStorage in OC\Files\Storage\Wrapper\Common is fixed:
-		// - call $this->storage->copyFromStorage() instead of $this->copyBetweenStorage
-		// - copy the file cache update from  $this->copyBetweenStorage to this method
-		// - copy the copyKeys() call from  $this->copyBetweenStorage to this method
-		// - remove $this->copyBetweenStorage
-
-		return $this->copyBetweenStorage($sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime, $isRename);
-	}
-
-	/**
-	 * Update the encrypted cache version in the database
-	 *
-	 * @param Storage\IStorage $sourceStorage
-	 * @param string $sourceInternalPath
-	 * @param string $targetInternalPath
-	 * @param bool $isRename
-	 */
-	private function updateEncryptedVersion(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $isRename) {
-		$isEncrypted = $this->encryptionManager->isEnabled() && $this->shouldEncrypt($targetInternalPath) ? 1 : 0;
-		$cacheInformation = [
-			'encrypted' => (bool)$isEncrypted,
-		];
-		if($isEncrypted === 1) {
-			$encryptedVersion = $sourceStorage->getCache()->get($sourceInternalPath)['encryptedVersion'];
-
-			// In case of a move operation from an unencrypted to an encrypted
-			// storage the old encrypted version would stay with "0" while the
-			// correct value would be "1". Thus we manually set the value to "1"
-			// for those cases.
-			// See also https://github.com/owncloud/core/issues/23078
-			if($encryptedVersion === 0) {
-				$encryptedVersion = 1;
-			}
-
-			$cacheInformation['encryptedVersion'] = $encryptedVersion;
-		}
-
-		// in case of a rename we need to manipulate the source cache because
-		// this information will be kept for the new target
-		if ($isRename) {
-			$sourceStorage->getCache()->put($sourceInternalPath, $cacheInformation);
-		} else {
-			$this->getCache()->put($targetInternalPath, $cacheInformation);
-		}
-	}
-
-	/**
-	 * copy file between two storages
-	 *
-	 * @param Storage\IStorage $sourceStorage
-	 * @param string $sourceInternalPath
-	 * @param string $targetInternalPath
-	 * @param bool $preserveMtime
-	 * @param bool $isRename
-	 * @return bool
-	 * @throws \Exception
-	 */
-	private function copyBetweenStorage(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime, $isRename) {
-
-		// for versions we have nothing to do, because versions should always use the
-		// key from the original file. Just create a 1:1 copy and done
-		if ($this->isVersion($targetInternalPath) ||
-			$this->isVersion($sourceInternalPath)) {
-			// remember that we try to create a version so that we can detect it during
-			// fopen($sourceInternalPath) and by-pass the encryption in order to
-			// create a 1:1 copy of the file
-			$this->arrayCache->set('encryption_copy_version_' . $sourceInternalPath, true);
-			$result = $this->storage->copyFromStorage($sourceStorage, $sourceInternalPath, $targetInternalPath);
-			$this->arrayCache->remove('encryption_copy_version_' . $sourceInternalPath);
-			if ($result) {
-				$info = $this->getCache('', $sourceStorage)->get($sourceInternalPath);
-				// make sure that we update the unencrypted size for the version
-				if (isset($info['encrypted']) && $info['encrypted'] === true) {
-					$this->updateUnencryptedSize(
-						$this->getFullPath($targetInternalPath),
-						$info['size']
-					);
-				}
-				$this->updateEncryptedVersion($sourceStorage, $sourceInternalPath, $targetInternalPath, $isRename);
-			}
-			return $result;
-		}
-
-		// first copy the keys that we reuse the existing file key on the target location
-		// and don't create a new one which would break versions for example.
-		$mount = $this->mountManager->findByStorageId($sourceStorage->getId());
-		if (count($mount) === 1) {
-			$mountPoint = $mount[0]->getMountPoint();
-			$source = $mountPoint . '/' . $sourceInternalPath;
-			$target = $this->getFullPath($targetInternalPath);
-			$this->copyKeys($source, $target);
-		} else {
-			$this->logger->error('Could not find mount point, can\'t keep encryption keys');
-		}
-
-		if ($sourceStorage->is_dir($sourceInternalPath)) {
-			$dh = $sourceStorage->opendir($sourceInternalPath);
-			$result = $this->mkdir($targetInternalPath);
-			if (is_resource($dh)) {
-				while ($result and ($file = readdir($dh)) !== false) {
-					if (!Filesystem::isIgnoredDir($file)) {
-						$result &= $this->copyFromStorage($sourceStorage, $sourceInternalPath . '/' . $file, $targetInternalPath . '/' . $file, false, $isRename);
-					}
-				}
-			}
-		} else {
-			try {
-				$source = $sourceStorage->fopen($sourceInternalPath, 'r');
-				$target = $this->fopen($targetInternalPath, 'w');
-				list(, $result) = \OC_Helper::streamCopy($source, $target);
-				fclose($source);
-				fclose($target);
-			} catch (\Exception $e) {
-				fclose($source);
-				fclose($target);
-				throw $e;
-			}
-			if($result) {
-				if ($preserveMtime) {
-					$this->touch($targetInternalPath, $sourceStorage->filemtime($sourceInternalPath));
-				}
-				$this->updateEncryptedVersion($sourceStorage, $sourceInternalPath, $targetInternalPath, $isRename);
-			} else {
-				// delete partially written target file
-				$this->unlink($targetInternalPath);
-				// delete cache entry that was created by fopen
-				$this->getCache()->remove($targetInternalPath);
-			}
-		}
-		return (bool)$result;
-
-	}
-
-	/**
-	 * get the path to a local version of the file.
-	 * The local version of the file can be temporary and doesn't have to be persistent across requests
-	 *
-	 * @param string $path
-	 * @return string
-	 */
-	public function getLocalFile($path) {
-		if ($this->encryptionManager->isEnabled()) {
-			$cachedFile = $this->getCachedFile($path);
-			if (is_string($cachedFile)) {
-				return $cachedFile;
-			}
-		}
-		return $this->storage->getLocalFile($path);
-	}
-
-	/**
-	 * Returns the wrapped storage's value for isLocal()
-	 *
-	 * @return bool wrapped storage's isLocal() value
-	 */
-	public function isLocal() {
-		if ($this->encryptionManager->isEnabled()) {
-			return false;
-		}
-		return $this->storage->isLocal();
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.stat.php
-	 * only the following keys are required in the result: size and mtime
-	 *
-	 * @param string $path
-	 * @return array
-	 */
-	public function stat($path) {
-		$stat = $this->storage->stat($path);
-		$fileSize = $this->filesize($path);
-		$stat['size'] = $fileSize;
-		$stat[7] = $fileSize;
-		return $stat;
-	}
-
-	/**
-	 * see http://php.net/manual/en/function.hash.php
-	 *
-	 * @param string $type
-	 * @param string $path
-	 * @param bool $raw
-	 * @return string
-	 */
-	public function hash($type, $path, $raw = false) {
-		$fh = $this->fopen($path, 'rb');
-		$ctx = hash_init($type);
-		hash_update_stream($ctx, $fh);
-		fclose($fh);
-		return hash_final($ctx, $raw);
-	}
-
-	/**
-	 * return full path, including mount point
-	 *
-	 * @param string $path relative to mount point
-	 * @return string full path including mount point
-	 */
-	protected function getFullPath($path) {
-		return Filesystem::normalizePath($this->mountPoint . '/' . $path);
-	}
-
-	/**
-	 * read first block of encrypted file, typically this will contain the
-	 * encryption header
-	 *
-	 * @param string $path
-	 * @return string
-	 */
-	protected function readFirstBlock($path) {
-		$firstBlock = '';
-		if ($this->storage->file_exists($path)) {
-			$handle = $this->storage->fopen($path, 'r');
-			$firstBlock = fread($handle, $this->util->getHeaderSize());
-			fclose($handle);
-		}
-		return $firstBlock;
-	}
-
-	/**
-	 * return header size of given file
-	 *
-	 * @param string $path
-	 * @return int
-	 */
-	protected function getHeaderSize($path) {
-		$headerSize = 0;
-		$realFile = $this->util->stripPartialFileExtension($path);
-		if ($this->storage->file_exists($realFile)) {
-			$path = $realFile;
-		}
-		$firstBlock = $this->readFirstBlock($path);
-
-		if (substr($firstBlock, 0, strlen(Util::HEADER_START)) === Util::HEADER_START) {
-			$headerSize = $this->util->getHeaderSize();
-		}
-
-		return $headerSize;
-	}
-
-	/**
-	 * parse raw header to array
-	 *
-	 * @param string $rawHeader
-	 * @return array
-	 */
-	protected function parseRawHeader($rawHeader) {
-		$result = array();
-		if (substr($rawHeader, 0, strlen(Util::HEADER_START)) === Util::HEADER_START) {
-			$header = $rawHeader;
-			$endAt = strpos($header, Util::HEADER_END);
-			if ($endAt !== false) {
-				$header = substr($header, 0, $endAt + strlen(Util::HEADER_END));
-
-				// +1 to not start with an ':' which would result in empty element at the beginning
-				$exploded = explode(':', substr($header, strlen(Util::HEADER_START)+1));
-
-				$element = array_shift($exploded);
-				while ($element !== Util::HEADER_END) {
-					$result[$element] = array_shift($exploded);
-					$element = array_shift($exploded);
-				}
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * read header from file
-	 *
-	 * @param string $path
-	 * @return array
-	 */
-	protected function getHeader($path) {
-		$realFile = $this->util->stripPartialFileExtension($path);
-		$exists = $this->storage->file_exists($realFile);
-		if ($exists) {
-			$path = $realFile;
-		}
-
-		$firstBlock = $this->readFirstBlock($path);
-		$result = $this->parseRawHeader($firstBlock);
-
-		// if the header doesn't contain a encryption module we check if it is a
-		// legacy file. If true, we add the default encryption module
-		if (!isset($result[Util::HEADER_ENCRYPTION_MODULE_KEY])) {
-			if (!empty($result)) {
-				$result[Util::HEADER_ENCRYPTION_MODULE_KEY] = 'OC_DEFAULT_MODULE';
-			} else if ($exists) {
-				// if the header was empty we have to check first if it is a encrypted file at all
-				// We would do query to filecache only if we know that entry in filecache exists
-				$info = $this->getCache()->get($path);
-				if (isset($info['encrypted']) && $info['encrypted'] === true) {
-					$result[Util::HEADER_ENCRYPTION_MODULE_KEY] = 'OC_DEFAULT_MODULE';
-				}
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * read encryption module needed to read/write the file located at $path
-	 *
-	 * @param string $path
-	 * @return null|\OCP\Encryption\IEncryptionModule
-	 * @throws ModuleDoesNotExistsException
-	 * @throws \Exception
-	 */
-	protected function getEncryptionModule($path) {
-		$encryptionModule = null;
-		$header = $this->getHeader($path);
-		$encryptionModuleId = $this->util->getEncryptionModuleId($header);
-		if (!empty($encryptionModuleId)) {
-			try {
-				$encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
-			} catch (ModuleDoesNotExistsException $e) {
-				$this->logger->critical('Encryption module defined in "' . $path . '" not loaded!');
-				throw $e;
-			}
-		}
-
-		return $encryptionModule;
-	}
-
-	/**
-	 * @param string $path
-	 * @param int $unencryptedSize
-	 */
-	public function updateUnencryptedSize($path, $unencryptedSize) {
-		$this->unencryptedSize[$path] = $unencryptedSize;
-	}
-
-	/**
-	 * copy keys to new location
-	 *
-	 * @param string $source path relative to data/
-	 * @param string $target path relative to data/
-	 * @return bool
-	 */
-	protected function copyKeys($source, $target) {
-		if (!$this->util->isExcluded($source)) {
-			return $this->keyStorage->copyKeys($source, $target);
-		}
-
-		return false;
-	}
-
-	/**
-	 * check if path points to a files version
-	 *
-	 * @param $path
-	 * @return bool
-	 */
-	protected function isVersion($path) {
-		$normalized = Filesystem::normalizePath($path);
-		return substr($normalized, 0, strlen('/files_versions/')) === '/files_versions/';
-	}
-
-	/**
-	 * check if the given storage should be encrypted or not
-	 *
-	 * @param $path
-	 * @return bool
-	 */
-	protected function shouldEncrypt($path) {
-		$fullPath = $this->getFullPath($path);
-		$mountPointConfig = $this->mount->getOption('encrypt', true);
-		if ($mountPointConfig === false) {
-			return false;
-		}
-
-		try {
-			$encryptionModule = $this->getEncryptionModule($fullPath);
-		} catch (ModuleDoesNotExistsException $e) {
-			return false;
-		}
-
-		if ($encryptionModule === null) {
-			$encryptionModule = $this->encryptionManager->getEncryptionModule();
-		}
-
-		return $encryptionModule->shouldEncrypt($fullPath);
-
-	}
+    use LocalTempFileTrait;
+
+    /** @var string */
+    private $mountPoint;
+
+    /** @var \OC\Encryption\Util */
+    private $util;
+
+    /** @var \OCP\Encryption\IManager */
+    private $encryptionManager;
+
+    /** @var \OCP\ILogger */
+    private $logger;
+
+    /** @var string */
+    private $uid;
+
+    /** @var array */
+    protected $unencryptedSize;
+
+    /** @var \OCP\Encryption\IFile */
+    private $fileHelper;
+
+    /** @var IMountPoint */
+    private $mount;
+
+    /** @var IStorage */
+    private $keyStorage;
+
+    /** @var Update */
+    private $update;
+
+    /** @var Manager */
+    private $mountManager;
+
+    /** @var array remember for which path we execute the repair step to avoid recursions */
+    private $fixUnencryptedSizeOf = array();
+
+    /** @var  ArrayCache */
+    private $arrayCache;
+
+    /**
+     * @param array $parameters
+     * @param IManager $encryptionManager
+     * @param Util $util
+     * @param ILogger $logger
+     * @param IFile $fileHelper
+     * @param string $uid
+     * @param IStorage $keyStorage
+     * @param Update $update
+     * @param Manager $mountManager
+     * @param ArrayCache $arrayCache
+     */
+    public function __construct(
+            $parameters,
+            IManager $encryptionManager = null,
+            Util $util = null,
+            ILogger $logger = null,
+            IFile $fileHelper = null,
+            $uid = null,
+            IStorage $keyStorage = null,
+            Update $update = null,
+            Manager $mountManager = null,
+            ArrayCache $arrayCache = null
+        ) {
+
+        $this->mountPoint = $parameters['mountPoint'];
+        $this->mount = $parameters['mount'];
+        $this->encryptionManager = $encryptionManager;
+        $this->util = $util;
+        $this->logger = $logger;
+        $this->uid = $uid;
+        $this->fileHelper = $fileHelper;
+        $this->keyStorage = $keyStorage;
+        $this->unencryptedSize = array();
+        $this->update = $update;
+        $this->mountManager = $mountManager;
+        $this->arrayCache = $arrayCache;
+        parent::__construct($parameters);
+    }
+
+    /**
+     * see http://php.net/manual/en/function.filesize.php
+     * The result for filesize when called on a folder is required to be 0
+     *
+     * @param string $path
+     * @return int
+     */
+    public function filesize($path) {
+        $fullPath = $this->getFullPath($path);
+
+        /** @var CacheEntry $info */
+        $info = $this->getCache()->get($path);
+        if (isset($this->unencryptedSize[$fullPath])) {
+            $size = $this->unencryptedSize[$fullPath];
+            // update file cache
+            if ($info instanceof ICacheEntry) {
+                $info = $info->getData();
+                $info['encrypted'] = $info['encryptedVersion'];
+            } else {
+                if (!is_array($info)) {
+                    $info = [];
+                }
+                $info['encrypted'] = true;
+            }
+
+            $info['size'] = $size;
+            $this->getCache()->put($path, $info);
+
+            return $size;
+        }
+
+        if (isset($info['fileid']) && $info['encrypted']) {
+            return $this->verifyUnencryptedSize($path, $info['size']);
+        }
+
+        return $this->storage->filesize($path);
+    }
+
+    /**
+     * @param string $path
+     * @return array
+     */
+    public function getMetaData($path) {
+        $data = $this->storage->getMetaData($path);
+        if (is_null($data)) {
+            return null;
+        }
+        $fullPath = $this->getFullPath($path);
+        $info = $this->getCache()->get($path);
+
+        if (isset($this->unencryptedSize[$fullPath])) {
+            $data['encrypted'] = true;
+            $data['size'] = $this->unencryptedSize[$fullPath];
+        } else {
+            if (isset($info['fileid']) && $info['encrypted']) {
+                $data['size'] = $this->verifyUnencryptedSize($path, $info['size']);
+                $data['encrypted'] = true;
+            }
+        }
+
+        if (isset($info['encryptedVersion']) && $info['encryptedVersion'] > 1) {
+            $data['encryptedVersion'] = $info['encryptedVersion'];
+        }
+
+        return $data;
+    }
+
+    /**
+     * see http://php.net/manual/en/function.file_get_contents.php
+     *
+     * @param string $path
+     * @return string
+     */
+    public function file_get_contents($path) {
+
+        $encryptionModule = $this->getEncryptionModule($path);
+
+        if ($encryptionModule) {
+            $handle = $this->fopen($path, "r");
+            if (!$handle) {
+                return false;
+            }
+            $data = stream_get_contents($handle);
+            fclose($handle);
+            return $data;
+        }
+        return $this->storage->file_get_contents($path);
+    }
+
+    /**
+     * see http://php.net/manual/en/function.file_put_contents.php
+     *
+     * @param string $path
+     * @param string $data
+     * @return bool
+     */
+    public function file_put_contents($path, $data) {
+        // file put content will always be translated to a stream write
+        $handle = $this->fopen($path, 'w');
+        if (is_resource($handle)) {
+            $written = fwrite($handle, $data);
+            fclose($handle);
+            return $written;
+        }
+
+        return false;
+    }
+
+    /**
+     * see http://php.net/manual/en/function.unlink.php
+     *
+     * @param string $path
+     * @return bool
+     */
+    public function unlink($path) {
+        $fullPath = $this->getFullPath($path);
+        if ($this->util->isExcluded($fullPath)) {
+            return $this->storage->unlink($path);
+        }
+
+        $encryptionModule = $this->getEncryptionModule($path);
+        if ($encryptionModule) {
+            $this->keyStorage->deleteAllFileKeys($this->getFullPath($path));
+        }
+
+        return $this->storage->unlink($path);
+    }
+
+    /**
+     * see http://php.net/manual/en/function.rename.php
+     *
+     * @param string $path1
+     * @param string $path2
+     * @return bool
+     */
+    public function rename($path1, $path2) {
+
+        $result = $this->storage->rename($path1, $path2);
+
+        if ($result &&
+            // versions always use the keys from the original file, so we can skip
+            // this step for versions
+            $this->isVersion($path2) === false &&
+            $this->encryptionManager->isEnabled()) {
+            $source = $this->getFullPath($path1);
+            if (!$this->util->isExcluded($source)) {
+                $target = $this->getFullPath($path2);
+                if (isset($this->unencryptedSize[$source])) {
+                    $this->unencryptedSize[$target] = $this->unencryptedSize[$source];
+                }
+                $this->keyStorage->renameKeys($source, $target);
+                $module = $this->getEncryptionModule($path2);
+                if ($module) {
+                    $module->update($target, $this->uid, []);
+                }
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * see http://php.net/manual/en/function.rmdir.php
+     *
+     * @param string $path
+     * @return bool
+     */
+    public function rmdir($path) {
+        $result = $this->storage->rmdir($path);
+        $fullPath = $this->getFullPath($path);
+        if ($result &&
+            $this->util->isExcluded($fullPath) === false &&
+            $this->encryptionManager->isEnabled()
+        ) {
+            $this->keyStorage->deleteAllFileKeys($fullPath);
+        }
+
+        return $result;
+    }
+
+    /**
+     * check if a file can be read
+     *
+     * @param string $path
+     * @return bool
+     */
+    public function isReadable($path) {
+
+        $isReadable = true;
+
+        $metaData = $this->getMetaData($path);
+        if (
+            !$this->is_dir($path) &&
+            isset($metaData['encrypted']) &&
+            $metaData['encrypted'] === true
+        ) {
+            $fullPath = $this->getFullPath($path);
+            $module = $this->getEncryptionModule($path);
+            $isReadable = $module->isReadable($fullPath, $this->uid);
+        }
+
+        return $this->storage->isReadable($path) && $isReadable;
+    }
+
+    /**
+     * see http://php.net/manual/en/function.copy.php
+     *
+     * @param string $path1
+     * @param string $path2
+     * @return bool
+     */
+    public function copy($path1, $path2) {
+
+        $source = $this->getFullPath($path1);
+
+        if ($this->util->isExcluded($source)) {
+            return $this->storage->copy($path1, $path2);
+        }
+
+        // need to stream copy file by file in case we copy between a encrypted
+        // and a unencrypted storage
+        $this->unlink($path2);
+        return $this->copyFromStorage($this, $path1, $path2);
+    }
+
+    /**
+     * see http://php.net/manual/en/function.fopen.php
+     *
+     * @param string $path
+     * @param string $mode
+     * @return resource|bool
+     * @throws GenericEncryptionException
+     * @throws ModuleDoesNotExistsException
+     */
+    public function fopen($path, $mode) {
+
+        // check if the file is stored in the array cache, this means that we
+        // copy a file over to the versions folder, in this case we don't want to
+        // decrypt it
+        if ($this->arrayCache->hasKey('encryption_copy_version_' . $path)) {
+            $this->arrayCache->remove('encryption_copy_version_' . $path);
+            return $this->storage->fopen($path, $mode);
+        }
+
+        $encryptionEnabled = $this->encryptionManager->isEnabled();
+        $shouldEncrypt = false;
+        $encryptionModule = null;
+        $header = $this->getHeader($path);
+        $signed = isset($header['signed']) && $header['signed'] === 'true';
+        $fullPath = $this->getFullPath($path);
+        $encryptionModuleId = $this->util->getEncryptionModuleId($header);
+
+        if ($this->util->isExcluded($fullPath) === false) {
+
+            $size = $unencryptedSize = 0;
+            $realFile = $this->util->stripPartialFileExtension($path);
+            $targetExists = $this->file_exists($realFile) || $this->file_exists($path);
+            $targetIsEncrypted = false;
+            if ($targetExists) {
+                // in case the file exists we require the explicit module as
+                // specified in the file header - otherwise we need to fail hard to
+                // prevent data loss on client side
+                if (!empty($encryptionModuleId)) {
+                    $targetIsEncrypted = true;
+                    $encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
+                }
+
+                if ($this->file_exists($path)) {
+                    $size = $this->storage->filesize($path);
+                    $unencryptedSize = $this->filesize($path);
+                } else {
+                    $size = $unencryptedSize = 0;
+                }
+            }
+
+            try {
+
+                if (
+                    $mode === 'w'
+                    || $mode === 'w+'
+                    || $mode === 'wb'
+                    || $mode === 'wb+'
+                ) {
+                    // don't overwrite encrypted files if encryption is not enabled
+                    if ($targetIsEncrypted && $encryptionEnabled === false) {
+                        throw new GenericEncryptionException('Tried to access encrypted file but encryption is not enabled');
+                    }
+                    if ($encryptionEnabled) {
+                        // if $encryptionModuleId is empty, the default module will be used
+                        $encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
+                        $shouldEncrypt = $encryptionModule->shouldEncrypt($fullPath);
+                        $signed = true;
+                    }
+                } else {
+                    $info = $this->getCache()->get($path);
+                    // only get encryption module if we found one in the header
+                    // or if file should be encrypted according to the file cache
+                    if (!empty($encryptionModuleId)) {
+                        $encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
+                        $shouldEncrypt = true;
+                    } else if (empty($encryptionModuleId) && $info['encrypted'] === true) {
+                        // we come from a old installation. No header and/or no module defined
+                        // but the file is encrypted. In this case we need to use the
+                        // OC_DEFAULT_MODULE to read the file
+                        $encryptionModule = $this->encryptionManager->getEncryptionModule('OC_DEFAULT_MODULE');
+                        $shouldEncrypt = true;
+                        $targetIsEncrypted = true;
+                    }
+                }
+            } catch (ModuleDoesNotExistsException $e) {
+                $this->logger->logException($e, [
+                    'message' => 'Encryption module "' . $encryptionModuleId . '" not found, file will be stored unencrypted',
+                    'level' => \OCP\Util::WARN,
+                    'app' => 'core',
+                ]);
+            }
+
+            // encryption disabled on write of new file and write to existing unencrypted file -> don't encrypt
+            if (!$encryptionEnabled || !$this->shouldEncrypt($path)) {
+                if (!$targetExists || !$targetIsEncrypted) {
+                    $shouldEncrypt = false;
+                }
+            }
+
+            if ($shouldEncrypt === true && $encryptionModule !== null) {
+                $headerSize = $this->getHeaderSize($path);
+                $source = $this->storage->fopen($path, $mode);
+                if (!is_resource($source)) {
+                    return false;
+                }
+                $handle = \OC\Files\Stream\Encryption::wrap($source, $path, $fullPath, $header,
+                    $this->uid, $encryptionModule, $this->storage, $this, $this->util, $this->fileHelper, $mode,
+                    $size, $unencryptedSize, $headerSize, $signed);
+                return $handle;
+            }
+
+        }
+
+        return $this->storage->fopen($path, $mode);
+    }
+
+
+    /**
+     * perform some plausibility checks if the the unencrypted size is correct.
+     * If not, we calculate the correct unencrypted size and return it
+     *
+     * @param string $path internal path relative to the storage root
+     * @param int $unencryptedSize size of the unencrypted file
+     *
+     * @return int unencrypted size
+     */
+    protected function verifyUnencryptedSize($path, $unencryptedSize) {
+
+        $size = $this->storage->filesize($path);
+        $result = $unencryptedSize;
+
+        if ($unencryptedSize < 0 ||
+            ($size > 0 && $unencryptedSize === $size)
+        ) {
+            // check if we already calculate the unencrypted size for the
+            // given path to avoid recursions
+            if (isset($this->fixUnencryptedSizeOf[$this->getFullPath($path)]) === false) {
+                $this->fixUnencryptedSizeOf[$this->getFullPath($path)] = true;
+                try {
+                    $result = $this->fixUnencryptedSize($path, $size, $unencryptedSize);
+                } catch (\Exception $e) {
+                    $this->logger->error('Couldn\'t re-calculate unencrypted size for '. $path);
+                    $this->logger->logException($e);
+                }
+                unset($this->fixUnencryptedSizeOf[$this->getFullPath($path)]);
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * calculate the unencrypted size
+     *
+     * @param string $path internal path relative to the storage root
+     * @param int $size size of the physical file
+     * @param int $unencryptedSize size of the unencrypted file
+     *
+     * @return int calculated unencrypted size
+     */
+    protected function fixUnencryptedSize($path, $size, $unencryptedSize) {
+
+        $headerSize = $this->getHeaderSize($path);
+        $header = $this->getHeader($path);
+        $encryptionModule = $this->getEncryptionModule($path);
+
+        $stream = $this->storage->fopen($path, 'r');
+
+        // if we couldn't open the file we return the old unencrypted size
+        if (!is_resource($stream)) {
+            $this->logger->error('Could not open ' . $path . '. Recalculation of unencrypted size aborted.');
+            return $unencryptedSize;
+        }
+
+        $newUnencryptedSize = 0;
+        $size -= $headerSize;
+        $blockSize = $this->util->getBlockSize();
+
+        // if a header exists we skip it
+        if ($headerSize > 0) {
+            fread($stream, $headerSize);
+        }
+
+        // fast path, else the calculation for $lastChunkNr is bogus
+        if ($size === 0) {
+            return 0;
+        }
+
+        $signed = isset($header['signed']) && $header['signed'] === 'true';
+        $unencryptedBlockSize = $encryptionModule->getUnencryptedBlockSize($signed);
+
+        // calculate last chunk nr
+        // next highest is end of chunks, one subtracted is last one
+        // we have to read the last chunk, we can't just calculate it (because of padding etc)
+
+        $lastChunkNr = ceil($size/ $blockSize)-1;
+        // calculate last chunk position
+        $lastChunkPos = ($lastChunkNr * $blockSize);
+        // try to fseek to the last chunk, if it fails we have to read the whole file
+        if (@fseek($stream, $lastChunkPos, SEEK_CUR) === 0) {
+            $newUnencryptedSize += $lastChunkNr * $unencryptedBlockSize;
+        }
+
+        $lastChunkContentEncrypted='';
+        $count = $blockSize;
+
+        while ($count > 0) {
+            $data=fread($stream, $blockSize);
+            $count=strlen($data);
+            $lastChunkContentEncrypted .= $data;
+            if(strlen($lastChunkContentEncrypted) > $blockSize) {
+                $newUnencryptedSize += $unencryptedBlockSize;
+                $lastChunkContentEncrypted=substr($lastChunkContentEncrypted, $blockSize);
+            }
+        }
+
+        fclose($stream);
+
+        // we have to decrypt the last chunk to get it actual size
+        $encryptionModule->begin($this->getFullPath($path), $this->uid, 'r', $header, []);
+        $decryptedLastChunk = $encryptionModule->decrypt($lastChunkContentEncrypted, $lastChunkNr . 'end');
+        $decryptedLastChunk .= $encryptionModule->end($this->getFullPath($path), $lastChunkNr . 'end');
+
+        // calc the real file size with the size of the last chunk
+        $newUnencryptedSize += strlen($decryptedLastChunk);
+
+        $this->updateUnencryptedSize($this->getFullPath($path), $newUnencryptedSize);
+
+        // write to cache if applicable
+        $cache = $this->storage->getCache();
+        if ($cache) {
+            $entry = $cache->get($path);
+            $cache->update($entry['fileid'], ['size' => $newUnencryptedSize]);
+        }
+
+        return $newUnencryptedSize;
+    }
+
+    /**
+     * @param Storage\IStorage $sourceStorage
+     * @param string $sourceInternalPath
+     * @param string $targetInternalPath
+     * @param bool $preserveMtime
+     * @return bool
+     */
+    public function moveFromStorage(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = true) {
+        if ($sourceStorage === $this) {
+            return $this->rename($sourceInternalPath, $targetInternalPath);
+        }
+
+        // TODO clean this up once the underlying moveFromStorage in OC\Files\Storage\Wrapper\Common is fixed:
+        // - call $this->storage->moveFromStorage() instead of $this->copyBetweenStorage
+        // - copy the file cache update from  $this->copyBetweenStorage to this method
+        // - copy the copyKeys() call from  $this->copyBetweenStorage to this method
+        // - remove $this->copyBetweenStorage
+
+        if (!$sourceStorage->isDeletable($sourceInternalPath)) {
+            return false;
+        }
+
+        $result = $this->copyBetweenStorage($sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime, true);
+        if ($result) {
+            if ($sourceStorage->is_dir($sourceInternalPath)) {
+                $result &= $sourceStorage->rmdir($sourceInternalPath);
+            } else {
+                $result &= $sourceStorage->unlink($sourceInternalPath);
+            }
+        }
+        return $result;
+    }
+
+
+    /**
+     * @param Storage\IStorage $sourceStorage
+     * @param string $sourceInternalPath
+     * @param string $targetInternalPath
+     * @param bool $preserveMtime
+     * @param bool $isRename
+     * @return bool
+     */
+    public function copyFromStorage(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = false, $isRename = false) {
+
+        // TODO clean this up once the underlying moveFromStorage in OC\Files\Storage\Wrapper\Common is fixed:
+        // - call $this->storage->copyFromStorage() instead of $this->copyBetweenStorage
+        // - copy the file cache update from  $this->copyBetweenStorage to this method
+        // - copy the copyKeys() call from  $this->copyBetweenStorage to this method
+        // - remove $this->copyBetweenStorage
+
+        return $this->copyBetweenStorage($sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime, $isRename);
+    }
+
+    /**
+     * Update the encrypted cache version in the database
+     *
+     * @param Storage\IStorage $sourceStorage
+     * @param string $sourceInternalPath
+     * @param string $targetInternalPath
+     * @param bool $isRename
+     */
+    private function updateEncryptedVersion(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $isRename) {
+        $isEncrypted = $this->encryptionManager->isEnabled() && $this->shouldEncrypt($targetInternalPath) ? 1 : 0;
+        $cacheInformation = [
+            'encrypted' => (bool)$isEncrypted,
+        ];
+        if($isEncrypted === 1) {
+            $encryptedVersion = $sourceStorage->getCache()->get($sourceInternalPath)['encryptedVersion'];
+
+            // In case of a move operation from an unencrypted to an encrypted
+            // storage the old encrypted version would stay with "0" while the
+            // correct value would be "1". Thus we manually set the value to "1"
+            // for those cases.
+            // See also https://github.com/owncloud/core/issues/23078
+            if($encryptedVersion === 0) {
+                $encryptedVersion = 1;
+            }
+
+            $cacheInformation['encryptedVersion'] = $encryptedVersion;
+        }
+
+        // in case of a rename we need to manipulate the source cache because
+        // this information will be kept for the new target
+        if ($isRename) {
+            $sourceStorage->getCache()->put($sourceInternalPath, $cacheInformation);
+        } else {
+            $this->getCache()->put($targetInternalPath, $cacheInformation);
+        }
+    }
+
+    /**
+     * copy file between two storages
+     *
+     * @param Storage\IStorage $sourceStorage
+     * @param string $sourceInternalPath
+     * @param string $targetInternalPath
+     * @param bool $preserveMtime
+     * @param bool $isRename
+     * @return bool
+     * @throws \Exception
+     */
+    private function copyBetweenStorage(Storage\IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime, $isRename) {
+
+        // for versions we have nothing to do, because versions should always use the
+        // key from the original file. Just create a 1:1 copy and done
+        if ($this->isVersion($targetInternalPath) ||
+            $this->isVersion($sourceInternalPath)) {
+            // remember that we try to create a version so that we can detect it during
+            // fopen($sourceInternalPath) and by-pass the encryption in order to
+            // create a 1:1 copy of the file
+            $this->arrayCache->set('encryption_copy_version_' . $sourceInternalPath, true);
+            $result = $this->storage->copyFromStorage($sourceStorage, $sourceInternalPath, $targetInternalPath);
+            $this->arrayCache->remove('encryption_copy_version_' . $sourceInternalPath);
+            if ($result) {
+                $info = $this->getCache('', $sourceStorage)->get($sourceInternalPath);
+                // make sure that we update the unencrypted size for the version
+                if (isset($info['encrypted']) && $info['encrypted'] === true) {
+                    $this->updateUnencryptedSize(
+                        $this->getFullPath($targetInternalPath),
+                        $info['size']
+                    );
+                }
+                $this->updateEncryptedVersion($sourceStorage, $sourceInternalPath, $targetInternalPath, $isRename);
+            }
+            return $result;
+        }
+
+        // first copy the keys that we reuse the existing file key on the target location
+        // and don't create a new one which would break versions for example.
+        $mount = $this->mountManager->findByStorageId($sourceStorage->getId());
+        if (count($mount) === 1) {
+            $mountPoint = $mount[0]->getMountPoint();
+            $source = $mountPoint . '/' . $sourceInternalPath;
+            $target = $this->getFullPath($targetInternalPath);
+            $this->copyKeys($source, $target);
+        } else {
+            $this->logger->error('Could not find mount point, can\'t keep encryption keys');
+        }
+
+        if ($sourceStorage->is_dir($sourceInternalPath)) {
+            $dh = $sourceStorage->opendir($sourceInternalPath);
+            $result = $this->mkdir($targetInternalPath);
+            if (is_resource($dh)) {
+                while ($result and ($file = readdir($dh)) !== false) {
+                    if (!Filesystem::isIgnoredDir($file)) {
+                        $result &= $this->copyFromStorage($sourceStorage, $sourceInternalPath . '/' . $file, $targetInternalPath . '/' . $file, false, $isRename);
+                    }
+                }
+            }
+        } else {
+            try {
+                $source = $sourceStorage->fopen($sourceInternalPath, 'r');
+                $target = $this->fopen($targetInternalPath, 'w');
+                list(, $result) = \OC_Helper::streamCopy($source, $target);
+                fclose($source);
+                fclose($target);
+            } catch (\Exception $e) {
+                fclose($source);
+                fclose($target);
+                throw $e;
+            }
+            if($result) {
+                if ($preserveMtime) {
+                    $this->touch($targetInternalPath, $sourceStorage->filemtime($sourceInternalPath));
+                }
+                $this->updateEncryptedVersion($sourceStorage, $sourceInternalPath, $targetInternalPath, $isRename);
+            } else {
+                // delete partially written target file
+                $this->unlink($targetInternalPath);
+                // delete cache entry that was created by fopen
+                $this->getCache()->remove($targetInternalPath);
+            }
+        }
+        return (bool)$result;
+
+    }
+
+    /**
+     * get the path to a local version of the file.
+     * The local version of the file can be temporary and doesn't have to be persistent across requests
+     *
+     * @param string $path
+     * @return string
+     */
+    public function getLocalFile($path) {
+        if ($this->encryptionManager->isEnabled()) {
+            $cachedFile = $this->getCachedFile($path);
+            if (is_string($cachedFile)) {
+                return $cachedFile;
+            }
+        }
+        return $this->storage->getLocalFile($path);
+    }
+
+    /**
+     * Returns the wrapped storage's value for isLocal()
+     *
+     * @return bool wrapped storage's isLocal() value
+     */
+    public function isLocal() {
+        if ($this->encryptionManager->isEnabled()) {
+            return false;
+        }
+        return $this->storage->isLocal();
+    }
+
+    /**
+     * see http://php.net/manual/en/function.stat.php
+     * only the following keys are required in the result: size and mtime
+     *
+     * @param string $path
+     * @return array
+     */
+    public function stat($path) {
+        $stat = $this->storage->stat($path);
+        $fileSize = $this->filesize($path);
+        $stat['size'] = $fileSize;
+        $stat[7] = $fileSize;
+        return $stat;
+    }
+
+    /**
+     * see http://php.net/manual/en/function.hash.php
+     *
+     * @param string $type
+     * @param string $path
+     * @param bool $raw
+     * @return string
+     */
+    public function hash($type, $path, $raw = false) {
+        $fh = $this->fopen($path, 'rb');
+        $ctx = hash_init($type);
+        hash_update_stream($ctx, $fh);
+        fclose($fh);
+        return hash_final($ctx, $raw);
+    }
+
+    /**
+     * return full path, including mount point
+     *
+     * @param string $path relative to mount point
+     * @return string full path including mount point
+     */
+    protected function getFullPath($path) {
+        return Filesystem::normalizePath($this->mountPoint . '/' . $path);
+    }
+
+    /**
+     * read first block of encrypted file, typically this will contain the
+     * encryption header
+     *
+     * @param string $path
+     * @return string
+     */
+    protected function readFirstBlock($path) {
+        $firstBlock = '';
+        if ($this->storage->file_exists($path)) {
+            $handle = $this->storage->fopen($path, 'r');
+            $firstBlock = fread($handle, $this->util->getHeaderSize());
+            fclose($handle);
+        }
+        return $firstBlock;
+    }
+
+    /**
+     * return header size of given file
+     *
+     * @param string $path
+     * @return int
+     */
+    protected function getHeaderSize($path) {
+        $headerSize = 0;
+        $realFile = $this->util->stripPartialFileExtension($path);
+        if ($this->storage->file_exists($realFile)) {
+            $path = $realFile;
+        }
+        $firstBlock = $this->readFirstBlock($path);
+
+        if (substr($firstBlock, 0, strlen(Util::HEADER_START)) === Util::HEADER_START) {
+            $headerSize = $this->util->getHeaderSize();
+        }
+
+        return $headerSize;
+    }
+
+    /**
+     * parse raw header to array
+     *
+     * @param string $rawHeader
+     * @return array
+     */
+    protected function parseRawHeader($rawHeader) {
+        $result = array();
+        if (substr($rawHeader, 0, strlen(Util::HEADER_START)) === Util::HEADER_START) {
+            $header = $rawHeader;
+            $endAt = strpos($header, Util::HEADER_END);
+            if ($endAt !== false) {
+                $header = substr($header, 0, $endAt + strlen(Util::HEADER_END));
+
+                // +1 to not start with an ':' which would result in empty element at the beginning
+                $exploded = explode(':', substr($header, strlen(Util::HEADER_START)+1));
+
+                $element = array_shift($exploded);
+                while ($element !== Util::HEADER_END) {
+                    $result[$element] = array_shift($exploded);
+                    $element = array_shift($exploded);
+                }
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * read header from file
+     *
+     * @param string $path
+     * @return array
+     */
+    protected function getHeader($path) {
+        $realFile = $this->util->stripPartialFileExtension($path);
+        $exists = $this->storage->file_exists($realFile);
+        if ($exists) {
+            $path = $realFile;
+        }
+
+        $firstBlock = $this->readFirstBlock($path);
+        $result = $this->parseRawHeader($firstBlock);
+
+        // if the header doesn't contain a encryption module we check if it is a
+        // legacy file. If true, we add the default encryption module
+        if (!isset($result[Util::HEADER_ENCRYPTION_MODULE_KEY])) {
+            if (!empty($result)) {
+                $result[Util::HEADER_ENCRYPTION_MODULE_KEY] = 'OC_DEFAULT_MODULE';
+            } else if ($exists) {
+                // if the header was empty we have to check first if it is a encrypted file at all
+                // We would do query to filecache only if we know that entry in filecache exists
+                $info = $this->getCache()->get($path);
+                if (isset($info['encrypted']) && $info['encrypted'] === true) {
+                    $result[Util::HEADER_ENCRYPTION_MODULE_KEY] = 'OC_DEFAULT_MODULE';
+                }
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * read encryption module needed to read/write the file located at $path
+     *
+     * @param string $path
+     * @return null|\OCP\Encryption\IEncryptionModule
+     * @throws ModuleDoesNotExistsException
+     * @throws \Exception
+     */
+    protected function getEncryptionModule($path) {
+        $encryptionModule = null;
+        $header = $this->getHeader($path);
+        $encryptionModuleId = $this->util->getEncryptionModuleId($header);
+        if (!empty($encryptionModuleId)) {
+            try {
+                $encryptionModule = $this->encryptionManager->getEncryptionModule($encryptionModuleId);
+            } catch (ModuleDoesNotExistsException $e) {
+                $this->logger->critical('Encryption module defined in "' . $path . '" not loaded!');
+                throw $e;
+            }
+        }
+
+        return $encryptionModule;
+    }
+
+    /**
+     * @param string $path
+     * @param int $unencryptedSize
+     */
+    public function updateUnencryptedSize($path, $unencryptedSize) {
+        $this->unencryptedSize[$path] = $unencryptedSize;
+    }
+
+    /**
+     * copy keys to new location
+     *
+     * @param string $source path relative to data/
+     * @param string $target path relative to data/
+     * @return bool
+     */
+    protected function copyKeys($source, $target) {
+        if (!$this->util->isExcluded($source)) {
+            return $this->keyStorage->copyKeys($source, $target);
+        }
+
+        return false;
+    }
+
+    /**
+     * check if path points to a files version
+     *
+     * @param $path
+     * @return bool
+     */
+    protected function isVersion($path) {
+        $normalized = Filesystem::normalizePath($path);
+        return substr($normalized, 0, strlen('/files_versions/')) === '/files_versions/';
+    }
+
+    /**
+     * check if the given storage should be encrypted or not
+     *
+     * @param $path
+     * @return bool
+     */
+    protected function shouldEncrypt($path) {
+        $fullPath = $this->getFullPath($path);
+        $mountPointConfig = $this->mount->getOption('encrypt', true);
+        if ($mountPointConfig === false) {
+            return false;
+        }
+
+        try {
+            $encryptionModule = $this->getEncryptionModule($fullPath);
+        } catch (ModuleDoesNotExistsException $e) {
+            return false;
+        }
+
+        if ($encryptionModule === null) {
+            $encryptionModule = $this->encryptionManager->getEncryptionModule();
+        }
+
+        return $encryptionModule->shouldEncrypt($fullPath);
+
+    }
 
 }

Please login to merge, or discard this patch.

apps/user_ldap/lib/Access.php 1 patch

Indentation +1868 added lines, -1868 removed lines patch added patch discarded remove patch

@@ -59,1633 +59,1633 @@  discard block
 block discarded – undo
  * @package OCA\User_LDAP
  */
 class Access extends LDAPUtility implements IUserTools {
-	const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid'];
-
-	/** @var \OCA\User_LDAP\Connection */
-	public $connection;
-	/** @var Manager */
-	public $userManager;
-	//never ever check this var directly, always use getPagedSearchResultState
-	protected $pagedSearchedSuccessful;
-
-	/**
-	 * @var string[] $cookies an array of returned Paged Result cookies
-	 */
-	protected $cookies = array();
-
-	/**
-	 * @var string $lastCookie the last cookie returned from a Paged Results
-	 * operation, defaults to an empty string
-	 */
-	protected $lastCookie = '';
-
-	/**
-	 * @var AbstractMapping $userMapper
-	 */
-	protected $userMapper;
-
-	/**
-	* @var AbstractMapping $userMapper
-	*/
-	protected $groupMapper;
-
-	/**
-	 * @var \OCA\User_LDAP\Helper
-	 */
-	private $helper;
-	/** @var IConfig */
-	private $config;
-
-	public function __construct(
-		Connection $connection,
-		ILDAPWrapper $ldap,
-		Manager $userManager,
-		Helper $helper,
-		IConfig $config
-	) {
-		parent::__construct($ldap);
-		$this->connection = $connection;
-		$this->userManager = $userManager;
-		$this->userManager->setLdapAccess($this);
-		$this->helper = $helper;
-		$this->config = $config;
-	}
-
-	/**
-	 * sets the User Mapper
-	 * @param AbstractMapping $mapper
-	 */
-	public function setUserMapper(AbstractMapping $mapper) {
-		$this->userMapper = $mapper;
-	}
-
-	/**
-	 * returns the User Mapper
-	 * @throws \Exception
-	 * @return AbstractMapping
-	 */
-	public function getUserMapper() {
-		if(is_null($this->userMapper)) {
-			throw new \Exception('UserMapper was not assigned to this Access instance.');
-		}
-		return $this->userMapper;
-	}
-
-	/**
-	 * sets the Group Mapper
-	 * @param AbstractMapping $mapper
-	 */
-	public function setGroupMapper(AbstractMapping $mapper) {
-		$this->groupMapper = $mapper;
-	}
-
-	/**
-	 * returns the Group Mapper
-	 * @throws \Exception
-	 * @return AbstractMapping
-	 */
-	public function getGroupMapper() {
-		if(is_null($this->groupMapper)) {
-			throw new \Exception('GroupMapper was not assigned to this Access instance.');
-		}
-		return $this->groupMapper;
-	}
-
-	/**
-	 * @return bool
-	 */
-	private function checkConnection() {
-		return ($this->connection instanceof Connection);
-	}
-
-	/**
-	 * returns the Connection instance
-	 * @return \OCA\User_LDAP\Connection
-	 */
-	public function getConnection() {
-		return $this->connection;
-	}
-
-	/**
-	 * reads a given attribute for an LDAP record identified by a DN
-	 *
-	 * @param string $dn the record in question
-	 * @param string $attr the attribute that shall be retrieved
-	 *        if empty, just check the record's existence
-	 * @param string $filter
-	 * @return array|false an array of values on success or an empty
-	 *          array if $attr is empty, false otherwise
-	 * @throws ServerNotAvailableException
-	 */
-	public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
-		if(!$this->checkConnection()) {
-			\OCP\Util::writeLog('user_ldap',
-				'No LDAP Connector assigned, access impossible for readAttribute.',
-				\OCP\Util::WARN);
-			return false;
-		}
-		$cr = $this->connection->getConnectionResource();
-		if(!$this->ldap->isResource($cr)) {
-			//LDAP not available
-			\OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', \OCP\Util::DEBUG);
-			return false;
-		}
-		//Cancel possibly running Paged Results operation, otherwise we run in
-		//LDAP protocol errors
-		$this->abandonPagedSearch();
-		// openLDAP requires that we init a new Paged Search. Not needed by AD,
-		// but does not hurt either.
-		$pagingSize = (int)$this->connection->ldapPagingSize;
-		// 0 won't result in replies, small numbers may leave out groups
-		// (cf. #12306), 500 is default for paging and should work everywhere.
-		$maxResults = $pagingSize > 20 ? $pagingSize : 500;
-		$attr = mb_strtolower($attr, 'UTF-8');
-		// the actual read attribute later may contain parameters on a ranged
-		// request, e.g. member;range=99-199. Depends on server reply.
-		$attrToRead = $attr;
-
-		$values = [];
-		$isRangeRequest = false;
-		do {
-			$result = $this->executeRead($cr, $dn, $attrToRead, $filter, $maxResults);
-			if(is_bool($result)) {
-				// when an exists request was run and it was successful, an empty
-				// array must be returned
-				return $result ? [] : false;
-			}
-
-			if (!$isRangeRequest) {
-				$values = $this->extractAttributeValuesFromResult($result, $attr);
-				if (!empty($values)) {
-					return $values;
-				}
-			}
-
-			$isRangeRequest = false;
-			$result = $this->extractRangeData($result, $attr);
-			if (!empty($result)) {
-				$normalizedResult = $this->extractAttributeValuesFromResult(
-					[ $attr => $result['values'] ],
-					$attr
-				);
-				$values = array_merge($values, $normalizedResult);
-
-				if($result['rangeHigh'] === '*') {
-					// when server replies with * as high range value, there are
-					// no more results left
-					return $values;
-				} else {
-					$low  = $result['rangeHigh'] + 1;
-					$attrToRead = $result['attributeName'] . ';range=' . $low . '-*';
-					$isRangeRequest = true;
-				}
-			}
-		} while($isRangeRequest);
-
-		\OCP\Util::writeLog('user_ldap', 'Requested attribute '.$attr.' not found for '.$dn, \OCP\Util::DEBUG);
-		return false;
-	}
-
-	/**
-	 * Runs an read operation against LDAP
-	 *
-	 * @param resource $cr the LDAP connection
-	 * @param string $dn
-	 * @param string $attribute
-	 * @param string $filter
-	 * @param int $maxResults
-	 * @return array|bool false if there was any error, true if an exists check
-	 *                    was performed and the requested DN found, array with the
-	 *                    returned data on a successful usual operation
-	 * @throws ServerNotAvailableException
-	 */
-	public function executeRead($cr, $dn, $attribute, $filter, $maxResults) {
-		$this->initPagedSearch($filter, array($dn), array($attribute), $maxResults, 0);
-		$dn = $this->helper->DNasBaseParameter($dn);
-		$rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, array($attribute));
-		if (!$this->ldap->isResource($rr)) {
-			if ($attribute !== '') {
-				//do not throw this message on userExists check, irritates
-				\OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, \OCP\Util::DEBUG);
-			}
-			//in case an error occurs , e.g. object does not exist
-			return false;
-		}
-		if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) {
-			\OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', \OCP\Util::DEBUG);
-			return true;
-		}
-		$er = $this->invokeLDAPMethod('firstEntry', $cr, $rr);
-		if (!$this->ldap->isResource($er)) {
-			//did not match the filter, return false
-			return false;
-		}
-		//LDAP attributes are not case sensitive
-		$result = \OCP\Util::mb_array_change_key_case(
-			$this->invokeLDAPMethod('getAttributes', $cr, $er), MB_CASE_LOWER, 'UTF-8');
-
-		return $result;
-	}
-
-	/**
-	 * Normalizes a result grom getAttributes(), i.e. handles DNs and binary
-	 * data if present.
-	 *
-	 * @param array $result from ILDAPWrapper::getAttributes()
-	 * @param string $attribute the attribute name that was read
-	 * @return string[]
-	 */
-	public function extractAttributeValuesFromResult($result, $attribute) {
-		$values = [];
-		if(isset($result[$attribute]) && $result[$attribute]['count'] > 0) {
-			$lowercaseAttribute = strtolower($attribute);
-			for($i=0;$i<$result[$attribute]['count'];$i++) {
-				if($this->resemblesDN($attribute)) {
-					$values[] = $this->helper->sanitizeDN($result[$attribute][$i]);
-				} elseif($lowercaseAttribute === 'objectguid' || $lowercaseAttribute === 'guid') {
-					$values[] = $this->convertObjectGUID2Str($result[$attribute][$i]);
-				} else {
-					$values[] = $result[$attribute][$i];
-				}
-			}
-		}
-		return $values;
-	}
-
-	/**
-	 * Attempts to find ranged data in a getAttribute results and extracts the
-	 * returned values as well as information on the range and full attribute
-	 * name for further processing.
-	 *
-	 * @param array $result from ILDAPWrapper::getAttributes()
-	 * @param string $attribute the attribute name that was read. Without ";range=…"
-	 * @return array If a range was detected with keys 'values', 'attributeName',
-	 *               'attributeFull' and 'rangeHigh', otherwise empty.
-	 */
-	public function extractRangeData($result, $attribute) {
-		$keys = array_keys($result);
-		foreach($keys as $key) {
-			if($key !== $attribute && strpos($key, $attribute) === 0) {
-				$queryData = explode(';', $key);
-				if(strpos($queryData[1], 'range=') === 0) {
-					$high = substr($queryData[1], 1 + strpos($queryData[1], '-'));
-					$data = [
-						'values' => $result[$key],
-						'attributeName' => $queryData[0],
-						'attributeFull' => $key,
-						'rangeHigh' => $high,
-					];
-					return $data;
-				}
-			}
-		}
-		return [];
-	}
+    const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid'];
+
+    /** @var \OCA\User_LDAP\Connection */
+    public $connection;
+    /** @var Manager */
+    public $userManager;
+    //never ever check this var directly, always use getPagedSearchResultState
+    protected $pagedSearchedSuccessful;
+
+    /**
+     * @var string[] $cookies an array of returned Paged Result cookies
+     */
+    protected $cookies = array();
+
+    /**
+     * @var string $lastCookie the last cookie returned from a Paged Results
+     * operation, defaults to an empty string
+     */
+    protected $lastCookie = '';
+
+    /**
+     * @var AbstractMapping $userMapper
+     */
+    protected $userMapper;
+
+    /**
+     * @var AbstractMapping $userMapper
+     */
+    protected $groupMapper;
+
+    /**
+     * @var \OCA\User_LDAP\Helper
+     */
+    private $helper;
+    /** @var IConfig */
+    private $config;
+
+    public function __construct(
+        Connection $connection,
+        ILDAPWrapper $ldap,
+        Manager $userManager,
+        Helper $helper,
+        IConfig $config
+    ) {
+        parent::__construct($ldap);
+        $this->connection = $connection;
+        $this->userManager = $userManager;
+        $this->userManager->setLdapAccess($this);
+        $this->helper = $helper;
+        $this->config = $config;
+    }
+
+    /**
+     * sets the User Mapper
+     * @param AbstractMapping $mapper
+     */
+    public function setUserMapper(AbstractMapping $mapper) {
+        $this->userMapper = $mapper;
+    }
+
+    /**
+     * returns the User Mapper
+     * @throws \Exception
+     * @return AbstractMapping
+     */
+    public function getUserMapper() {
+        if(is_null($this->userMapper)) {
+            throw new \Exception('UserMapper was not assigned to this Access instance.');
+        }
+        return $this->userMapper;
+    }
+
+    /**
+     * sets the Group Mapper
+     * @param AbstractMapping $mapper
+     */
+    public function setGroupMapper(AbstractMapping $mapper) {
+        $this->groupMapper = $mapper;
+    }
+
+    /**
+     * returns the Group Mapper
+     * @throws \Exception
+     * @return AbstractMapping
+     */
+    public function getGroupMapper() {
+        if(is_null($this->groupMapper)) {
+            throw new \Exception('GroupMapper was not assigned to this Access instance.');
+        }
+        return $this->groupMapper;
+    }
+
+    /**
+     * @return bool
+     */
+    private function checkConnection() {
+        return ($this->connection instanceof Connection);
+    }
+
+    /**
+     * returns the Connection instance
+     * @return \OCA\User_LDAP\Connection
+     */
+    public function getConnection() {
+        return $this->connection;
+    }
+
+    /**
+     * reads a given attribute for an LDAP record identified by a DN
+     *
+     * @param string $dn the record in question
+     * @param string $attr the attribute that shall be retrieved
+     *        if empty, just check the record's existence
+     * @param string $filter
+     * @return array|false an array of values on success or an empty
+     *          array if $attr is empty, false otherwise
+     * @throws ServerNotAvailableException
+     */
+    public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
+        if(!$this->checkConnection()) {
+            \OCP\Util::writeLog('user_ldap',
+                'No LDAP Connector assigned, access impossible for readAttribute.',
+                \OCP\Util::WARN);
+            return false;
+        }
+        $cr = $this->connection->getConnectionResource();
+        if(!$this->ldap->isResource($cr)) {
+            //LDAP not available
+            \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', \OCP\Util::DEBUG);
+            return false;
+        }
+        //Cancel possibly running Paged Results operation, otherwise we run in
+        //LDAP protocol errors
+        $this->abandonPagedSearch();
+        // openLDAP requires that we init a new Paged Search. Not needed by AD,
+        // but does not hurt either.
+        $pagingSize = (int)$this->connection->ldapPagingSize;
+        // 0 won't result in replies, small numbers may leave out groups
+        // (cf. #12306), 500 is default for paging and should work everywhere.
+        $maxResults = $pagingSize > 20 ? $pagingSize : 500;
+        $attr = mb_strtolower($attr, 'UTF-8');
+        // the actual read attribute later may contain parameters on a ranged
+        // request, e.g. member;range=99-199. Depends on server reply.
+        $attrToRead = $attr;
+
+        $values = [];
+        $isRangeRequest = false;
+        do {
+            $result = $this->executeRead($cr, $dn, $attrToRead, $filter, $maxResults);
+            if(is_bool($result)) {
+                // when an exists request was run and it was successful, an empty
+                // array must be returned
+                return $result ? [] : false;
+            }
+
+            if (!$isRangeRequest) {
+                $values = $this->extractAttributeValuesFromResult($result, $attr);
+                if (!empty($values)) {
+                    return $values;
+                }
+            }
+
+            $isRangeRequest = false;
+            $result = $this->extractRangeData($result, $attr);
+            if (!empty($result)) {
+                $normalizedResult = $this->extractAttributeValuesFromResult(
+                    [ $attr => $result['values'] ],
+                    $attr
+                );
+                $values = array_merge($values, $normalizedResult);
+
+                if($result['rangeHigh'] === '*') {
+                    // when server replies with * as high range value, there are
+                    // no more results left
+                    return $values;
+                } else {
+                    $low  = $result['rangeHigh'] + 1;
+                    $attrToRead = $result['attributeName'] . ';range=' . $low . '-*';
+                    $isRangeRequest = true;
+                }
+            }
+        } while($isRangeRequest);
+
+        \OCP\Util::writeLog('user_ldap', 'Requested attribute '.$attr.' not found for '.$dn, \OCP\Util::DEBUG);
+        return false;
+    }
+
+    /**
+     * Runs an read operation against LDAP
+     *
+     * @param resource $cr the LDAP connection
+     * @param string $dn
+     * @param string $attribute
+     * @param string $filter
+     * @param int $maxResults
+     * @return array|bool false if there was any error, true if an exists check
+     *                    was performed and the requested DN found, array with the
+     *                    returned data on a successful usual operation
+     * @throws ServerNotAvailableException
+     */
+    public function executeRead($cr, $dn, $attribute, $filter, $maxResults) {
+        $this->initPagedSearch($filter, array($dn), array($attribute), $maxResults, 0);
+        $dn = $this->helper->DNasBaseParameter($dn);
+        $rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, array($attribute));
+        if (!$this->ldap->isResource($rr)) {
+            if ($attribute !== '') {
+                //do not throw this message on userExists check, irritates
+                \OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, \OCP\Util::DEBUG);
+            }
+            //in case an error occurs , e.g. object does not exist
+            return false;
+        }
+        if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) {
+            \OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', \OCP\Util::DEBUG);
+            return true;
+        }
+        $er = $this->invokeLDAPMethod('firstEntry', $cr, $rr);
+        if (!$this->ldap->isResource($er)) {
+            //did not match the filter, return false
+            return false;
+        }
+        //LDAP attributes are not case sensitive
+        $result = \OCP\Util::mb_array_change_key_case(
+            $this->invokeLDAPMethod('getAttributes', $cr, $er), MB_CASE_LOWER, 'UTF-8');
+
+        return $result;
+    }
+
+    /**
+     * Normalizes a result grom getAttributes(), i.e. handles DNs and binary
+     * data if present.
+     *
+     * @param array $result from ILDAPWrapper::getAttributes()
+     * @param string $attribute the attribute name that was read
+     * @return string[]
+     */
+    public function extractAttributeValuesFromResult($result, $attribute) {
+        $values = [];
+        if(isset($result[$attribute]) && $result[$attribute]['count'] > 0) {
+            $lowercaseAttribute = strtolower($attribute);
+            for($i=0;$i<$result[$attribute]['count'];$i++) {
+                if($this->resemblesDN($attribute)) {
+                    $values[] = $this->helper->sanitizeDN($result[$attribute][$i]);
+                } elseif($lowercaseAttribute === 'objectguid' || $lowercaseAttribute === 'guid') {
+                    $values[] = $this->convertObjectGUID2Str($result[$attribute][$i]);
+                } else {
+                    $values[] = $result[$attribute][$i];
+                }
+            }
+        }
+        return $values;
+    }
+
+    /**
+     * Attempts to find ranged data in a getAttribute results and extracts the
+     * returned values as well as information on the range and full attribute
+     * name for further processing.
+     *
+     * @param array $result from ILDAPWrapper::getAttributes()
+     * @param string $attribute the attribute name that was read. Without ";range=…"
+     * @return array If a range was detected with keys 'values', 'attributeName',
+     *               'attributeFull' and 'rangeHigh', otherwise empty.
+     */
+    public function extractRangeData($result, $attribute) {
+        $keys = array_keys($result);
+        foreach($keys as $key) {
+            if($key !== $attribute && strpos($key, $attribute) === 0) {
+                $queryData = explode(';', $key);
+                if(strpos($queryData[1], 'range=') === 0) {
+                    $high = substr($queryData[1], 1 + strpos($queryData[1], '-'));
+                    $data = [
+                        'values' => $result[$key],
+                        'attributeName' => $queryData[0],
+                        'attributeFull' => $key,
+                        'rangeHigh' => $high,
+                    ];
+                    return $data;
+                }
+            }
+        }
+        return [];
+    }
 	
-	/**
-	 * Set password for an LDAP user identified by a DN
-	 *
-	 * @param string $userDN the user in question
-	 * @param string $password the new password
-	 * @return bool
-	 * @throws HintException
-	 * @throws \Exception
-	 */
-	public function setPassword($userDN, $password) {
-		if((int)$this->connection->turnOnPasswordChange !== 1) {
-			throw new \Exception('LDAP password changes are disabled.');
-		}
-		$cr = $this->connection->getConnectionResource();
-		if(!$this->ldap->isResource($cr)) {
-			//LDAP not available
-			\OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', \OCP\Util::DEBUG);
-			return false;
-		}
-		try {
-			return @$this->invokeLDAPMethod('modReplace', $cr, $userDN, $password);
-		} catch(ConstraintViolationException $e) {
-			throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ').$e->getMessage(), $e->getCode());
-		}
-	}
-
-	/**
-	 * checks whether the given attributes value is probably a DN
-	 * @param string $attr the attribute in question
-	 * @return boolean if so true, otherwise false
-	 */
-	private function resemblesDN($attr) {
-		$resemblingAttributes = array(
-			'dn',
-			'uniquemember',
-			'member',
-			// memberOf is an "operational" attribute, without a definition in any RFC
-			'memberof'
-		);
-		return in_array($attr, $resemblingAttributes);
-	}
-
-	/**
-	 * checks whether the given string is probably a DN
-	 * @param string $string
-	 * @return boolean
-	 */
-	public function stringResemblesDN($string) {
-		$r = $this->ldap->explodeDN($string, 0);
-		// if exploding a DN succeeds and does not end up in
-		// an empty array except for $r[count] being 0.
-		return (is_array($r) && count($r) > 1);
-	}
-
-	/**
-	 * returns a DN-string that is cleaned from not domain parts, e.g.
-	 * cn=foo,cn=bar,dc=foobar,dc=server,dc=org
-	 * becomes dc=foobar,dc=server,dc=org
-	 * @param string $dn
-	 * @return string
-	 */
-	public function getDomainDNFromDN($dn) {
-		$allParts = $this->ldap->explodeDN($dn, 0);
-		if($allParts === false) {
-			//not a valid DN
-			return '';
-		}
-		$domainParts = array();
-		$dcFound = false;
-		foreach($allParts as $part) {
-			if(!$dcFound && strpos($part, 'dc=') === 0) {
-				$dcFound = true;
-			}
-			if($dcFound) {
-				$domainParts[] = $part;
-			}
-		}
-		return implode(',', $domainParts);
-	}
-
-	/**
-	 * returns the LDAP DN for the given internal Nextcloud name of the group
-	 * @param string $name the Nextcloud name in question
-	 * @return string|false LDAP DN on success, otherwise false
-	 */
-	public function groupname2dn($name) {
-		return $this->groupMapper->getDNByName($name);
-	}
-
-	/**
-	 * returns the LDAP DN for the given internal Nextcloud name of the user
-	 * @param string $name the Nextcloud name in question
-	 * @return string|false with the LDAP DN on success, otherwise false
-	 */
-	public function username2dn($name) {
-		$fdn = $this->userMapper->getDNByName($name);
-
-		//Check whether the DN belongs to the Base, to avoid issues on multi-
-		//server setups
-		if(is_string($fdn) && $this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
-			return $fdn;
-		}
-
-		return false;
-	}
-
-	/**
-	 * returns the internal Nextcloud name for the given LDAP DN of the group, false on DN outside of search DN or failure
-	 * @param string $fdn the dn of the group object
-	 * @param string $ldapName optional, the display name of the object
-	 * @return string|false with the name to use in Nextcloud, false on DN outside of search DN
-	 */
-	public function dn2groupname($fdn, $ldapName = null) {
-		//To avoid bypassing the base DN settings under certain circumstances
-		//with the group support, check whether the provided DN matches one of
-		//the given Bases
-		if(!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseGroups)) {
-			return false;
-		}
-
-		return $this->dn2ocname($fdn, $ldapName, false);
-	}
-
-	/**
-	 * accepts an array of group DNs and tests whether they match the user
-	 * filter by doing read operations against the group entries. Returns an
-	 * array of DNs that match the filter.
-	 *
-	 * @param string[] $groupDNs
-	 * @return string[]
-	 */
-	public function groupsMatchFilter($groupDNs) {
-		$validGroupDNs = [];
-		foreach($groupDNs as $dn) {
-			$cacheKey = 'groupsMatchFilter-'.$dn;
-			$groupMatchFilter = $this->connection->getFromCache($cacheKey);
-			if(!is_null($groupMatchFilter)) {
-				if($groupMatchFilter) {
-					$validGroupDNs[] = $dn;
-				}
-				continue;
-			}
-
-			// Check the base DN first. If this is not met already, we don't
-			// need to ask the server at all.
-			if(!$this->isDNPartOfBase($dn, $this->connection->ldapBaseGroups)) {
-				$this->connection->writeToCache($cacheKey, false);
-				continue;
-			}
-
-			$result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter);
-			if(is_array($result)) {
-				$this->connection->writeToCache($cacheKey, true);
-				$validGroupDNs[] = $dn;
-			} else {
-				$this->connection->writeToCache($cacheKey, false);
-			}
-
-		}
-		return $validGroupDNs;
-	}
-
-	/**
-	 * returns the internal Nextcloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
-	 * @param string $dn the dn of the user object
-	 * @param string $ldapName optional, the display name of the object
-	 * @return string|false with with the name to use in Nextcloud
-	 */
-	public function dn2username($fdn, $ldapName = null) {
-		//To avoid bypassing the base DN settings under certain circumstances
-		//with the group support, check whether the provided DN matches one of
-		//the given Bases
-		if(!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
-			return false;
-		}
-
-		return $this->dn2ocname($fdn, $ldapName, true);
-	}
-
-	/**
-	 * returns an internal Nextcloud name for the given LDAP DN, false on DN outside of search DN
-	 *
-	 * @param string $fdn the dn of the user object
-	 * @param string|null $ldapName optional, the display name of the object
-	 * @param bool $isUser optional, whether it is a user object (otherwise group assumed)
-	 * @param bool|null $newlyMapped
-	 * @param array|null $record
-	 * @return false|string with with the name to use in Nextcloud
-	 * @throws \Exception
-	 */
-	public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) {
-		$newlyMapped = false;
-		if($isUser) {
-			$mapper = $this->getUserMapper();
-			$nameAttribute = $this->connection->ldapUserDisplayName;
-		} else {
-			$mapper = $this->getGroupMapper();
-			$nameAttribute = $this->connection->ldapGroupDisplayName;
-		}
-
-		//let's try to retrieve the Nextcloud name from the mappings table
-		$ncName = $mapper->getNameByDN($fdn);
-		if(is_string($ncName)) {
-			return $ncName;
-		}
-
-		//second try: get the UUID and check if it is known. Then, update the DN and return the name.
-		$uuid = $this->getUUID($fdn, $isUser, $record);
-		if(is_string($uuid)) {
-			$ncName = $mapper->getNameByUUID($uuid);
-			if(is_string($ncName)) {
-				$mapper->setDNbyUUID($fdn, $uuid);
-				return $ncName;
-			}
-		} else {
-			//If the UUID can't be detected something is foul.
-			\OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for '.$fdn.'. Skipping.', \OCP\Util::INFO);
-			return false;
-		}
-
-		if(is_null($ldapName)) {
-			$ldapName = $this->readAttribute($fdn, $nameAttribute);
-			if(!isset($ldapName[0]) && empty($ldapName[0])) {
-				\OCP\Util::writeLog('user_ldap', 'No or empty name for '.$fdn.'.', \OCP\Util::INFO);
-				return false;
-			}
-			$ldapName = $ldapName[0];
-		}
-
-		if($isUser) {
-			$usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr;
-			if ($usernameAttribute !== '') {
-				$username = $this->readAttribute($fdn, $usernameAttribute);
-				$username = $username[0];
-			} else {
-				$username = $uuid;
-			}
-			$intName = $this->sanitizeUsername($username);
-		} else {
-			$intName = $ldapName;
-		}
-
-		//a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups
-		//disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check
-		//NOTE: mind, disabling cache affects only this instance! Using it
-		// outside of core user management will still cache the user as non-existing.
-		$originalTTL = $this->connection->ldapCacheTTL;
-		$this->connection->setConfiguration(array('ldapCacheTTL' => 0));
-		if(($isUser && $intName !== '' && !\OC::$server->getUserManager()->userExists($intName))
-			|| (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName))) {
-			if($mapper->map($fdn, $intName, $uuid)) {
-				$this->connection->setConfiguration(array('ldapCacheTTL' => $originalTTL));
-				$newlyMapped = true;
-				return $intName;
-			}
-		}
-		$this->connection->setConfiguration(array('ldapCacheTTL' => $originalTTL));
-
-		$altName = $this->createAltInternalOwnCloudName($intName, $isUser);
-		if(is_string($altName) && $mapper->map($fdn, $altName, $uuid)) {
-			$newlyMapped = true;
-			return $altName;
-		}
-
-		//if everything else did not help..
-		\OCP\Util::writeLog('user_ldap', 'Could not create unique name for '.$fdn.'.', \OCP\Util::INFO);
-		return false;
-	}
-
-	/**
-	 * gives back the user names as they are used ownClod internally
-	 * @param array $ldapUsers as returned by fetchList()
-	 * @return array an array with the user names to use in Nextcloud
-	 *
-	 * gives back the user names as they are used ownClod internally
-	 */
-	public function nextcloudUserNames($ldapUsers) {
-		return $this->ldap2NextcloudNames($ldapUsers, true);
-	}
-
-	/**
-	 * gives back the group names as they are used ownClod internally
-	 * @param array $ldapGroups as returned by fetchList()
-	 * @return array an array with the group names to use in Nextcloud
-	 *
-	 * gives back the group names as they are used ownClod internally
-	 */
-	public function nextcloudGroupNames($ldapGroups) {
-		return $this->ldap2NextcloudNames($ldapGroups, false);
-	}
-
-	/**
-	 * @param array $ldapObjects as returned by fetchList()
-	 * @param bool $isUsers
-	 * @return array
-	 */
-	private function ldap2NextcloudNames($ldapObjects, $isUsers) {
-		if($isUsers) {
-			$nameAttribute = $this->connection->ldapUserDisplayName;
-			$sndAttribute  = $this->connection->ldapUserDisplayName2;
-		} else {
-			$nameAttribute = $this->connection->ldapGroupDisplayName;
-		}
-		$nextcloudNames = array();
-
-		foreach($ldapObjects as $ldapObject) {
-			$nameByLDAP = null;
-			if(    isset($ldapObject[$nameAttribute])
-				&& is_array($ldapObject[$nameAttribute])
-				&& isset($ldapObject[$nameAttribute][0])
-			) {
-				// might be set, but not necessarily. if so, we use it.
-				$nameByLDAP = $ldapObject[$nameAttribute][0];
-			}
-
-			$ncName = $this->dn2ocname($ldapObject['dn'][0], $nameByLDAP, $isUsers);
-			if($ncName) {
-				$nextcloudNames[] = $ncName;
-				if($isUsers) {
-					//cache the user names so it does not need to be retrieved
-					//again later (e.g. sharing dialogue).
-					if(is_null($nameByLDAP)) {
-						continue;
-					}
-					$sndName = isset($ldapObject[$sndAttribute][0])
-						? $ldapObject[$sndAttribute][0] : '';
-					$this->cacheUserDisplayName($ncName, $nameByLDAP, $sndName);
-				}
-			}
-		}
-		return $nextcloudNames;
-	}
-
-	/**
-	 * caches the user display name
-	 * @param string $ocName the internal Nextcloud username
-	 * @param string|false $home the home directory path
-	 */
-	public function cacheUserHome($ocName, $home) {
-		$cacheKey = 'getHome'.$ocName;
-		$this->connection->writeToCache($cacheKey, $home);
-	}
-
-	/**
-	 * caches a user as existing
-	 * @param string $ocName the internal Nextcloud username
-	 */
-	public function cacheUserExists($ocName) {
-		$this->connection->writeToCache('userExists'.$ocName, true);
-	}
-
-	/**
-	 * caches the user display name
-	 * @param string $ocName the internal Nextcloud username
-	 * @param string $displayName the display name
-	 * @param string $displayName2 the second display name
-	 */
-	public function cacheUserDisplayName($ocName, $displayName, $displayName2 = '') {
-		$user = $this->userManager->get($ocName);
-		if($user === null) {
-			return;
-		}
-		$displayName = $user->composeAndStoreDisplayName($displayName, $displayName2);
-		$cacheKeyTrunk = 'getDisplayName';
-		$this->connection->writeToCache($cacheKeyTrunk.$ocName, $displayName);
-	}
-
-	/**
-	 * creates a unique name for internal Nextcloud use for users. Don't call it directly.
-	 * @param string $name the display name of the object
-	 * @return string|false with with the name to use in Nextcloud or false if unsuccessful
-	 *
-	 * Instead of using this method directly, call
-	 * createAltInternalOwnCloudName($name, true)
-	 */
-	private function _createAltInternalOwnCloudNameForUsers($name) {
-		$attempts = 0;
-		//while loop is just a precaution. If a name is not generated within
-		//20 attempts, something else is very wrong. Avoids infinite loop.
-		while($attempts < 20){
-			$altName = $name . '_' . rand(1000,9999);
-			if(!\OC::$server->getUserManager()->userExists($altName)) {
-				return $altName;
-			}
-			$attempts++;
-		}
-		return false;
-	}
-
-	/**
-	 * creates a unique name for internal Nextcloud use for groups. Don't call it directly.
-	 * @param string $name the display name of the object
-	 * @return string|false with with the name to use in Nextcloud or false if unsuccessful.
-	 *
-	 * Instead of using this method directly, call
-	 * createAltInternalOwnCloudName($name, false)
-	 *
-	 * Group names are also used as display names, so we do a sequential
-	 * numbering, e.g. Developers_42 when there are 41 other groups called
-	 * "Developers"
-	 */
-	private function _createAltInternalOwnCloudNameForGroups($name) {
-		$usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
-		if(!$usedNames || count($usedNames) === 0) {
-			$lastNo = 1; //will become name_2
-		} else {
-			natsort($usedNames);
-			$lastName = array_pop($usedNames);
-			$lastNo = (int)substr($lastName, strrpos($lastName, '_') + 1);
-		}
-		$altName = $name.'_'. (string)($lastNo+1);
-		unset($usedNames);
-
-		$attempts = 1;
-		while($attempts < 21){
-			// Check to be really sure it is unique
-			// while loop is just a precaution. If a name is not generated within
-			// 20 attempts, something else is very wrong. Avoids infinite loop.
-			if(!\OC::$server->getGroupManager()->groupExists($altName)) {
-				return $altName;
-			}
-			$altName = $name . '_' . ($lastNo + $attempts);
-			$attempts++;
-		}
-		return false;
-	}
-
-	/**
-	 * creates a unique name for internal Nextcloud use.
-	 * @param string $name the display name of the object
-	 * @param boolean $isUser whether name should be created for a user (true) or a group (false)
-	 * @return string|false with with the name to use in Nextcloud or false if unsuccessful
-	 */
-	private function createAltInternalOwnCloudName($name, $isUser) {
-		$originalTTL = $this->connection->ldapCacheTTL;
-		$this->connection->setConfiguration(array('ldapCacheTTL' => 0));
-		if($isUser) {
-			$altName = $this->_createAltInternalOwnCloudNameForUsers($name);
-		} else {
-			$altName = $this->_createAltInternalOwnCloudNameForGroups($name);
-		}
-		$this->connection->setConfiguration(array('ldapCacheTTL' => $originalTTL));
-
-		return $altName;
-	}
-
-	/**
-	 * fetches a list of users according to a provided loginName and utilizing
-	 * the login filter.
-	 *
-	 * @param string $loginName
-	 * @param array $attributes optional, list of attributes to read
-	 * @return array
-	 */
-	public function fetchUsersByLoginName($loginName, $attributes = array('dn')) {
-		$loginName = $this->escapeFilterPart($loginName);
-		$filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
-		return $this->fetchListOfUsers($filter, $attributes);
-	}
-
-	/**
-	 * counts the number of users according to a provided loginName and
-	 * utilizing the login filter.
-	 *
-	 * @param string $loginName
-	 * @return int
-	 */
-	public function countUsersByLoginName($loginName) {
-		$loginName = $this->escapeFilterPart($loginName);
-		$filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
-		return $this->countUsers($filter);
-	}
-
-	/**
-	 * @param string $filter
-	 * @param string|string[] $attr
-	 * @param int $limit
-	 * @param int $offset
-	 * @param bool $forceApplyAttributes
-	 * @return array
-	 */
-	public function fetchListOfUsers($filter, $attr, $limit = null, $offset = null, $forceApplyAttributes = false) {
-		$ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset);
-		$recordsToUpdate = $ldapRecords;
-		if(!$forceApplyAttributes) {
-			$isBackgroundJobModeAjax = $this->config
-					->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax';
-			$recordsToUpdate = array_filter($ldapRecords, function($record) use ($isBackgroundJobModeAjax) {
-				$newlyMapped = false;
-				$uid = $this->dn2ocname($record['dn'][0], null, true, $newlyMapped, $record);
-				if(is_string($uid)) {
-					$this->cacheUserExists($uid);
-				}
-				return ($uid !== false) && ($newlyMapped || $isBackgroundJobModeAjax);
-			});
-		}
-		$this->batchApplyUserAttributes($recordsToUpdate);
-		return $this->fetchList($ldapRecords, count($attr) > 1);
-	}
-
-	/**
-	 * provided with an array of LDAP user records the method will fetch the
-	 * user object and requests it to process the freshly fetched attributes and
-	 * and their values
-	 * @param array $ldapRecords
-	 */
-	public function batchApplyUserAttributes(array $ldapRecords){
-		$displayNameAttribute = strtolower($this->connection->ldapUserDisplayName);
-		foreach($ldapRecords as $userRecord) {
-			if(!isset($userRecord[$displayNameAttribute])) {
-				// displayName is obligatory
-				continue;
-			}
-			$ocName  = $this->dn2ocname($userRecord['dn'][0], null, true);
-			if($ocName === false) {
-				continue;
-			}
-			$user = $this->userManager->get($ocName);
-			if($user instanceof OfflineUser) {
-				$user->unmark();
-				$user = $this->userManager->get($ocName);
-			}
-			if ($user !== null) {
-				$user->processAttributes($userRecord);
-			} else {
-				\OC::$server->getLogger()->debug(
-					"The ldap user manager returned null for $ocName",
-					['app'=>'user_ldap']
-				);
-			}
-		}
-	}
-
-	/**
-	 * @param string $filter
-	 * @param string|string[] $attr
-	 * @param int $limit
-	 * @param int $offset
-	 * @return array
-	 */
-	public function fetchListOfGroups($filter, $attr, $limit = null, $offset = null) {
-		return $this->fetchList($this->searchGroups($filter, $attr, $limit, $offset), count($attr) > 1);
-	}
-
-	/**
-	 * @param array $list
-	 * @param bool $manyAttributes
-	 * @return array
-	 */
-	private function fetchList($list, $manyAttributes) {
-		if(is_array($list)) {
-			if($manyAttributes) {
-				return $list;
-			} else {
-				$list = array_reduce($list, function($carry, $item) {
-					$attribute = array_keys($item)[0];
-					$carry[] = $item[$attribute][0];
-					return $carry;
-				}, array());
-				return array_unique($list, SORT_LOCALE_STRING);
-			}
-		}
-
-		//error cause actually, maybe throw an exception in future.
-		return array();
-	}
-
-	/**
-	 * executes an LDAP search, optimized for Users
-	 * @param string $filter the LDAP filter for the search
-	 * @param string|string[] $attr optional, when a certain attribute shall be filtered out
-	 * @param integer $limit
-	 * @param integer $offset
-	 * @return array with the search result
-	 *
-	 * Executes an LDAP search
-	 */
-	public function searchUsers($filter, $attr = null, $limit = null, $offset = null) {
-		return $this->search($filter, $this->connection->ldapBaseUsers, $attr, $limit, $offset);
-	}
-
-	/**
-	 * @param string $filter
-	 * @param string|string[] $attr
-	 * @param int $limit
-	 * @param int $offset
-	 * @return false|int
-	 */
-	public function countUsers($filter, $attr = array('dn'), $limit = null, $offset = null) {
-		return $this->count($filter, $this->connection->ldapBaseUsers, $attr, $limit, $offset);
-	}
-
-	/**
-	 * executes an LDAP search, optimized for Groups
-	 * @param string $filter the LDAP filter for the search
-	 * @param string|string[] $attr optional, when a certain attribute shall be filtered out
-	 * @param integer $limit
-	 * @param integer $offset
-	 * @return array with the search result
-	 *
-	 * Executes an LDAP search
-	 */
-	public function searchGroups($filter, $attr = null, $limit = null, $offset = null) {
-		return $this->search($filter, $this->connection->ldapBaseGroups, $attr, $limit, $offset);
-	}
-
-	/**
-	 * returns the number of available groups
-	 * @param string $filter the LDAP search filter
-	 * @param string[] $attr optional
-	 * @param int|null $limit
-	 * @param int|null $offset
-	 * @return int|bool
-	 */
-	public function countGroups($filter, $attr = array('dn'), $limit = null, $offset = null) {
-		return $this->count($filter, $this->connection->ldapBaseGroups, $attr, $limit, $offset);
-	}
-
-	/**
-	 * returns the number of available objects on the base DN
-	 *
-	 * @param int|null $limit
-	 * @param int|null $offset
-	 * @return int|bool
-	 */
-	public function countObjects($limit = null, $offset = null) {
-		return $this->count('objectclass=*', $this->connection->ldapBase, array('dn'), $limit, $offset);
-	}
-
-	/**
-	 * Returns the LDAP handler
-	 * @throws \OC\ServerNotAvailableException
-	 */
-
-	/**
-	 * @return mixed
-	 * @throws \OC\ServerNotAvailableException
-	 */
-	private function invokeLDAPMethod() {
-		$arguments = func_get_args();
-		$command = array_shift($arguments);
-		$cr = array_shift($arguments);
-		if (!method_exists($this->ldap, $command)) {
-			return null;
-		}
-		array_unshift($arguments, $cr);
-		// php no longer supports call-time pass-by-reference
-		// thus cannot support controlPagedResultResponse as the third argument
-		// is a reference
-		$doMethod = function () use ($command, &$arguments) {
-			if ($command == 'controlPagedResultResponse') {
-				throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.');
-			} else {
-				return call_user_func_array(array($this->ldap, $command), $arguments);
-			}
-		};
-		try {
-			$ret = $doMethod();
-		} catch (ServerNotAvailableException $e) {
-			/* Server connection lost, attempt to reestablish it
+    /**
+     * Set password for an LDAP user identified by a DN
+     *
+     * @param string $userDN the user in question
+     * @param string $password the new password
+     * @return bool
+     * @throws HintException
+     * @throws \Exception
+     */
+    public function setPassword($userDN, $password) {
+        if((int)$this->connection->turnOnPasswordChange !== 1) {
+            throw new \Exception('LDAP password changes are disabled.');
+        }
+        $cr = $this->connection->getConnectionResource();
+        if(!$this->ldap->isResource($cr)) {
+            //LDAP not available
+            \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', \OCP\Util::DEBUG);
+            return false;
+        }
+        try {
+            return @$this->invokeLDAPMethod('modReplace', $cr, $userDN, $password);
+        } catch(ConstraintViolationException $e) {
+            throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ').$e->getMessage(), $e->getCode());
+        }
+    }
+
+    /**
+     * checks whether the given attributes value is probably a DN
+     * @param string $attr the attribute in question
+     * @return boolean if so true, otherwise false
+     */
+    private function resemblesDN($attr) {
+        $resemblingAttributes = array(
+            'dn',
+            'uniquemember',
+            'member',
+            // memberOf is an "operational" attribute, without a definition in any RFC
+            'memberof'
+        );
+        return in_array($attr, $resemblingAttributes);
+    }
+
+    /**
+     * checks whether the given string is probably a DN
+     * @param string $string
+     * @return boolean
+     */
+    public function stringResemblesDN($string) {
+        $r = $this->ldap->explodeDN($string, 0);
+        // if exploding a DN succeeds and does not end up in
+        // an empty array except for $r[count] being 0.
+        return (is_array($r) && count($r) > 1);
+    }
+
+    /**
+     * returns a DN-string that is cleaned from not domain parts, e.g.
+     * cn=foo,cn=bar,dc=foobar,dc=server,dc=org
+     * becomes dc=foobar,dc=server,dc=org
+     * @param string $dn
+     * @return string
+     */
+    public function getDomainDNFromDN($dn) {
+        $allParts = $this->ldap->explodeDN($dn, 0);
+        if($allParts === false) {
+            //not a valid DN
+            return '';
+        }
+        $domainParts = array();
+        $dcFound = false;
+        foreach($allParts as $part) {
+            if(!$dcFound && strpos($part, 'dc=') === 0) {
+                $dcFound = true;
+            }
+            if($dcFound) {
+                $domainParts[] = $part;
+            }
+        }
+        return implode(',', $domainParts);
+    }
+
+    /**
+     * returns the LDAP DN for the given internal Nextcloud name of the group
+     * @param string $name the Nextcloud name in question
+     * @return string|false LDAP DN on success, otherwise false
+     */
+    public function groupname2dn($name) {
+        return $this->groupMapper->getDNByName($name);
+    }
+
+    /**
+     * returns the LDAP DN for the given internal Nextcloud name of the user
+     * @param string $name the Nextcloud name in question
+     * @return string|false with the LDAP DN on success, otherwise false
+     */
+    public function username2dn($name) {
+        $fdn = $this->userMapper->getDNByName($name);
+
+        //Check whether the DN belongs to the Base, to avoid issues on multi-
+        //server setups
+        if(is_string($fdn) && $this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
+            return $fdn;
+        }
+
+        return false;
+    }
+
+    /**
+     * returns the internal Nextcloud name for the given LDAP DN of the group, false on DN outside of search DN or failure
+     * @param string $fdn the dn of the group object
+     * @param string $ldapName optional, the display name of the object
+     * @return string|false with the name to use in Nextcloud, false on DN outside of search DN
+     */
+    public function dn2groupname($fdn, $ldapName = null) {
+        //To avoid bypassing the base DN settings under certain circumstances
+        //with the group support, check whether the provided DN matches one of
+        //the given Bases
+        if(!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseGroups)) {
+            return false;
+        }
+
+        return $this->dn2ocname($fdn, $ldapName, false);
+    }
+
+    /**
+     * accepts an array of group DNs and tests whether they match the user
+     * filter by doing read operations against the group entries. Returns an
+     * array of DNs that match the filter.
+     *
+     * @param string[] $groupDNs
+     * @return string[]
+     */
+    public function groupsMatchFilter($groupDNs) {
+        $validGroupDNs = [];
+        foreach($groupDNs as $dn) {
+            $cacheKey = 'groupsMatchFilter-'.$dn;
+            $groupMatchFilter = $this->connection->getFromCache($cacheKey);
+            if(!is_null($groupMatchFilter)) {
+                if($groupMatchFilter) {
+                    $validGroupDNs[] = $dn;
+                }
+                continue;
+            }
+
+            // Check the base DN first. If this is not met already, we don't
+            // need to ask the server at all.
+            if(!$this->isDNPartOfBase($dn, $this->connection->ldapBaseGroups)) {
+                $this->connection->writeToCache($cacheKey, false);
+                continue;
+            }
+
+            $result = $this->readAttribute($dn, 'cn', $this->connection->ldapGroupFilter);
+            if(is_array($result)) {
+                $this->connection->writeToCache($cacheKey, true);
+                $validGroupDNs[] = $dn;
+            } else {
+                $this->connection->writeToCache($cacheKey, false);
+            }
+
+        }
+        return $validGroupDNs;
+    }
+
+    /**
+     * returns the internal Nextcloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
+     * @param string $dn the dn of the user object
+     * @param string $ldapName optional, the display name of the object
+     * @return string|false with with the name to use in Nextcloud
+     */
+    public function dn2username($fdn, $ldapName = null) {
+        //To avoid bypassing the base DN settings under certain circumstances
+        //with the group support, check whether the provided DN matches one of
+        //the given Bases
+        if(!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
+            return false;
+        }
+
+        return $this->dn2ocname($fdn, $ldapName, true);
+    }
+
+    /**
+     * returns an internal Nextcloud name for the given LDAP DN, false on DN outside of search DN
+     *
+     * @param string $fdn the dn of the user object
+     * @param string|null $ldapName optional, the display name of the object
+     * @param bool $isUser optional, whether it is a user object (otherwise group assumed)
+     * @param bool|null $newlyMapped
+     * @param array|null $record
+     * @return false|string with with the name to use in Nextcloud
+     * @throws \Exception
+     */
+    public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) {
+        $newlyMapped = false;
+        if($isUser) {
+            $mapper = $this->getUserMapper();
+            $nameAttribute = $this->connection->ldapUserDisplayName;
+        } else {
+            $mapper = $this->getGroupMapper();
+            $nameAttribute = $this->connection->ldapGroupDisplayName;
+        }
+
+        //let's try to retrieve the Nextcloud name from the mappings table
+        $ncName = $mapper->getNameByDN($fdn);
+        if(is_string($ncName)) {
+            return $ncName;
+        }
+
+        //second try: get the UUID and check if it is known. Then, update the DN and return the name.
+        $uuid = $this->getUUID($fdn, $isUser, $record);
+        if(is_string($uuid)) {
+            $ncName = $mapper->getNameByUUID($uuid);
+            if(is_string($ncName)) {
+                $mapper->setDNbyUUID($fdn, $uuid);
+                return $ncName;
+            }
+        } else {
+            //If the UUID can't be detected something is foul.
+            \OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for '.$fdn.'. Skipping.', \OCP\Util::INFO);
+            return false;
+        }
+
+        if(is_null($ldapName)) {
+            $ldapName = $this->readAttribute($fdn, $nameAttribute);
+            if(!isset($ldapName[0]) && empty($ldapName[0])) {
+                \OCP\Util::writeLog('user_ldap', 'No or empty name for '.$fdn.'.', \OCP\Util::INFO);
+                return false;
+            }
+            $ldapName = $ldapName[0];
+        }
+
+        if($isUser) {
+            $usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr;
+            if ($usernameAttribute !== '') {
+                $username = $this->readAttribute($fdn, $usernameAttribute);
+                $username = $username[0];
+            } else {
+                $username = $uuid;
+            }
+            $intName = $this->sanitizeUsername($username);
+        } else {
+            $intName = $ldapName;
+        }
+
+        //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups
+        //disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check
+        //NOTE: mind, disabling cache affects only this instance! Using it
+        // outside of core user management will still cache the user as non-existing.
+        $originalTTL = $this->connection->ldapCacheTTL;
+        $this->connection->setConfiguration(array('ldapCacheTTL' => 0));
+        if(($isUser && $intName !== '' && !\OC::$server->getUserManager()->userExists($intName))
+            || (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName))) {
+            if($mapper->map($fdn, $intName, $uuid)) {
+                $this->connection->setConfiguration(array('ldapCacheTTL' => $originalTTL));
+                $newlyMapped = true;
+                return $intName;
+            }
+        }
+        $this->connection->setConfiguration(array('ldapCacheTTL' => $originalTTL));
+
+        $altName = $this->createAltInternalOwnCloudName($intName, $isUser);
+        if(is_string($altName) && $mapper->map($fdn, $altName, $uuid)) {
+            $newlyMapped = true;
+            return $altName;
+        }
+
+        //if everything else did not help..
+        \OCP\Util::writeLog('user_ldap', 'Could not create unique name for '.$fdn.'.', \OCP\Util::INFO);
+        return false;
+    }
+
+    /**
+     * gives back the user names as they are used ownClod internally
+     * @param array $ldapUsers as returned by fetchList()
+     * @return array an array with the user names to use in Nextcloud
+     *
+     * gives back the user names as they are used ownClod internally
+     */
+    public function nextcloudUserNames($ldapUsers) {
+        return $this->ldap2NextcloudNames($ldapUsers, true);
+    }
+
+    /**
+     * gives back the group names as they are used ownClod internally
+     * @param array $ldapGroups as returned by fetchList()
+     * @return array an array with the group names to use in Nextcloud
+     *
+     * gives back the group names as they are used ownClod internally
+     */
+    public function nextcloudGroupNames($ldapGroups) {
+        return $this->ldap2NextcloudNames($ldapGroups, false);
+    }
+
+    /**
+     * @param array $ldapObjects as returned by fetchList()
+     * @param bool $isUsers
+     * @return array
+     */
+    private function ldap2NextcloudNames($ldapObjects, $isUsers) {
+        if($isUsers) {
+            $nameAttribute = $this->connection->ldapUserDisplayName;
+            $sndAttribute  = $this->connection->ldapUserDisplayName2;
+        } else {
+            $nameAttribute = $this->connection->ldapGroupDisplayName;
+        }
+        $nextcloudNames = array();
+
+        foreach($ldapObjects as $ldapObject) {
+            $nameByLDAP = null;
+            if(    isset($ldapObject[$nameAttribute])
+                && is_array($ldapObject[$nameAttribute])
+                && isset($ldapObject[$nameAttribute][0])
+            ) {
+                // might be set, but not necessarily. if so, we use it.
+                $nameByLDAP = $ldapObject[$nameAttribute][0];
+            }
+
+            $ncName = $this->dn2ocname($ldapObject['dn'][0], $nameByLDAP, $isUsers);
+            if($ncName) {
+                $nextcloudNames[] = $ncName;
+                if($isUsers) {
+                    //cache the user names so it does not need to be retrieved
+                    //again later (e.g. sharing dialogue).
+                    if(is_null($nameByLDAP)) {
+                        continue;
+                    }
+                    $sndName = isset($ldapObject[$sndAttribute][0])
+                        ? $ldapObject[$sndAttribute][0] : '';
+                    $this->cacheUserDisplayName($ncName, $nameByLDAP, $sndName);
+                }
+            }
+        }
+        return $nextcloudNames;
+    }
+
+    /**
+     * caches the user display name
+     * @param string $ocName the internal Nextcloud username
+     * @param string|false $home the home directory path
+     */
+    public function cacheUserHome($ocName, $home) {
+        $cacheKey = 'getHome'.$ocName;
+        $this->connection->writeToCache($cacheKey, $home);
+    }
+
+    /**
+     * caches a user as existing
+     * @param string $ocName the internal Nextcloud username
+     */
+    public function cacheUserExists($ocName) {
+        $this->connection->writeToCache('userExists'.$ocName, true);
+    }
+
+    /**
+     * caches the user display name
+     * @param string $ocName the internal Nextcloud username
+     * @param string $displayName the display name
+     * @param string $displayName2 the second display name
+     */
+    public function cacheUserDisplayName($ocName, $displayName, $displayName2 = '') {
+        $user = $this->userManager->get($ocName);
+        if($user === null) {
+            return;
+        }
+        $displayName = $user->composeAndStoreDisplayName($displayName, $displayName2);
+        $cacheKeyTrunk = 'getDisplayName';
+        $this->connection->writeToCache($cacheKeyTrunk.$ocName, $displayName);
+    }
+
+    /**
+     * creates a unique name for internal Nextcloud use for users. Don't call it directly.
+     * @param string $name the display name of the object
+     * @return string|false with with the name to use in Nextcloud or false if unsuccessful
+     *
+     * Instead of using this method directly, call
+     * createAltInternalOwnCloudName($name, true)
+     */
+    private function _createAltInternalOwnCloudNameForUsers($name) {
+        $attempts = 0;
+        //while loop is just a precaution. If a name is not generated within
+        //20 attempts, something else is very wrong. Avoids infinite loop.
+        while($attempts < 20){
+            $altName = $name . '_' . rand(1000,9999);
+            if(!\OC::$server->getUserManager()->userExists($altName)) {
+                return $altName;
+            }
+            $attempts++;
+        }
+        return false;
+    }
+
+    /**
+     * creates a unique name for internal Nextcloud use for groups. Don't call it directly.
+     * @param string $name the display name of the object
+     * @return string|false with with the name to use in Nextcloud or false if unsuccessful.
+     *
+     * Instead of using this method directly, call
+     * createAltInternalOwnCloudName($name, false)
+     *
+     * Group names are also used as display names, so we do a sequential
+     * numbering, e.g. Developers_42 when there are 41 other groups called
+     * "Developers"
+     */
+    private function _createAltInternalOwnCloudNameForGroups($name) {
+        $usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
+        if(!$usedNames || count($usedNames) === 0) {
+            $lastNo = 1; //will become name_2
+        } else {
+            natsort($usedNames);
+            $lastName = array_pop($usedNames);
+            $lastNo = (int)substr($lastName, strrpos($lastName, '_') + 1);
+        }
+        $altName = $name.'_'. (string)($lastNo+1);
+        unset($usedNames);
+
+        $attempts = 1;
+        while($attempts < 21){
+            // Check to be really sure it is unique
+            // while loop is just a precaution. If a name is not generated within
+            // 20 attempts, something else is very wrong. Avoids infinite loop.
+            if(!\OC::$server->getGroupManager()->groupExists($altName)) {
+                return $altName;
+            }
+            $altName = $name . '_' . ($lastNo + $attempts);
+            $attempts++;
+        }
+        return false;
+    }
+
+    /**
+     * creates a unique name for internal Nextcloud use.
+     * @param string $name the display name of the object
+     * @param boolean $isUser whether name should be created for a user (true) or a group (false)
+     * @return string|false with with the name to use in Nextcloud or false if unsuccessful
+     */
+    private function createAltInternalOwnCloudName($name, $isUser) {
+        $originalTTL = $this->connection->ldapCacheTTL;
+        $this->connection->setConfiguration(array('ldapCacheTTL' => 0));
+        if($isUser) {
+            $altName = $this->_createAltInternalOwnCloudNameForUsers($name);
+        } else {
+            $altName = $this->_createAltInternalOwnCloudNameForGroups($name);
+        }
+        $this->connection->setConfiguration(array('ldapCacheTTL' => $originalTTL));
+
+        return $altName;
+    }
+
+    /**
+     * fetches a list of users according to a provided loginName and utilizing
+     * the login filter.
+     *
+     * @param string $loginName
+     * @param array $attributes optional, list of attributes to read
+     * @return array
+     */
+    public function fetchUsersByLoginName($loginName, $attributes = array('dn')) {
+        $loginName = $this->escapeFilterPart($loginName);
+        $filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
+        return $this->fetchListOfUsers($filter, $attributes);
+    }
+
+    /**
+     * counts the number of users according to a provided loginName and
+     * utilizing the login filter.
+     *
+     * @param string $loginName
+     * @return int
+     */
+    public function countUsersByLoginName($loginName) {
+        $loginName = $this->escapeFilterPart($loginName);
+        $filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
+        return $this->countUsers($filter);
+    }
+
+    /**
+     * @param string $filter
+     * @param string|string[] $attr
+     * @param int $limit
+     * @param int $offset
+     * @param bool $forceApplyAttributes
+     * @return array
+     */
+    public function fetchListOfUsers($filter, $attr, $limit = null, $offset = null, $forceApplyAttributes = false) {
+        $ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset);
+        $recordsToUpdate = $ldapRecords;
+        if(!$forceApplyAttributes) {
+            $isBackgroundJobModeAjax = $this->config
+                    ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax';
+            $recordsToUpdate = array_filter($ldapRecords, function($record) use ($isBackgroundJobModeAjax) {
+                $newlyMapped = false;
+                $uid = $this->dn2ocname($record['dn'][0], null, true, $newlyMapped, $record);
+                if(is_string($uid)) {
+                    $this->cacheUserExists($uid);
+                }
+                return ($uid !== false) && ($newlyMapped || $isBackgroundJobModeAjax);
+            });
+        }
+        $this->batchApplyUserAttributes($recordsToUpdate);
+        return $this->fetchList($ldapRecords, count($attr) > 1);
+    }
+
+    /**
+     * provided with an array of LDAP user records the method will fetch the
+     * user object and requests it to process the freshly fetched attributes and
+     * and their values
+     * @param array $ldapRecords
+     */
+    public function batchApplyUserAttributes(array $ldapRecords){
+        $displayNameAttribute = strtolower($this->connection->ldapUserDisplayName);
+        foreach($ldapRecords as $userRecord) {
+            if(!isset($userRecord[$displayNameAttribute])) {
+                // displayName is obligatory
+                continue;
+            }
+            $ocName  = $this->dn2ocname($userRecord['dn'][0], null, true);
+            if($ocName === false) {
+                continue;
+            }
+            $user = $this->userManager->get($ocName);
+            if($user instanceof OfflineUser) {
+                $user->unmark();
+                $user = $this->userManager->get($ocName);
+            }
+            if ($user !== null) {
+                $user->processAttributes($userRecord);
+            } else {
+                \OC::$server->getLogger()->debug(
+                    "The ldap user manager returned null for $ocName",
+                    ['app'=>'user_ldap']
+                );
+            }
+        }
+    }
+
+    /**
+     * @param string $filter
+     * @param string|string[] $attr
+     * @param int $limit
+     * @param int $offset
+     * @return array
+     */
+    public function fetchListOfGroups($filter, $attr, $limit = null, $offset = null) {
+        return $this->fetchList($this->searchGroups($filter, $attr, $limit, $offset), count($attr) > 1);
+    }
+
+    /**
+     * @param array $list
+     * @param bool $manyAttributes
+     * @return array
+     */
+    private function fetchList($list, $manyAttributes) {
+        if(is_array($list)) {
+            if($manyAttributes) {
+                return $list;
+            } else {
+                $list = array_reduce($list, function($carry, $item) {
+                    $attribute = array_keys($item)[0];
+                    $carry[] = $item[$attribute][0];
+                    return $carry;
+                }, array());
+                return array_unique($list, SORT_LOCALE_STRING);
+            }
+        }
+
+        //error cause actually, maybe throw an exception in future.
+        return array();
+    }
+
+    /**
+     * executes an LDAP search, optimized for Users
+     * @param string $filter the LDAP filter for the search
+     * @param string|string[] $attr optional, when a certain attribute shall be filtered out
+     * @param integer $limit
+     * @param integer $offset
+     * @return array with the search result
+     *
+     * Executes an LDAP search
+     */
+    public function searchUsers($filter, $attr = null, $limit = null, $offset = null) {
+        return $this->search($filter, $this->connection->ldapBaseUsers, $attr, $limit, $offset);
+    }
+
+    /**
+     * @param string $filter
+     * @param string|string[] $attr
+     * @param int $limit
+     * @param int $offset
+     * @return false|int
+     */
+    public function countUsers($filter, $attr = array('dn'), $limit = null, $offset = null) {
+        return $this->count($filter, $this->connection->ldapBaseUsers, $attr, $limit, $offset);
+    }
+
+    /**
+     * executes an LDAP search, optimized for Groups
+     * @param string $filter the LDAP filter for the search
+     * @param string|string[] $attr optional, when a certain attribute shall be filtered out
+     * @param integer $limit
+     * @param integer $offset
+     * @return array with the search result
+     *
+     * Executes an LDAP search
+     */
+    public function searchGroups($filter, $attr = null, $limit = null, $offset = null) {
+        return $this->search($filter, $this->connection->ldapBaseGroups, $attr, $limit, $offset);
+    }
+
+    /**
+     * returns the number of available groups
+     * @param string $filter the LDAP search filter
+     * @param string[] $attr optional
+     * @param int|null $limit
+     * @param int|null $offset
+     * @return int|bool
+     */
+    public function countGroups($filter, $attr = array('dn'), $limit = null, $offset = null) {
+        return $this->count($filter, $this->connection->ldapBaseGroups, $attr, $limit, $offset);
+    }
+
+    /**
+     * returns the number of available objects on the base DN
+     *
+     * @param int|null $limit
+     * @param int|null $offset
+     * @return int|bool
+     */
+    public function countObjects($limit = null, $offset = null) {
+        return $this->count('objectclass=*', $this->connection->ldapBase, array('dn'), $limit, $offset);
+    }
+
+    /**
+     * Returns the LDAP handler
+     * @throws \OC\ServerNotAvailableException
+     */
+
+    /**
+     * @return mixed
+     * @throws \OC\ServerNotAvailableException
+     */
+    private function invokeLDAPMethod() {
+        $arguments = func_get_args();
+        $command = array_shift($arguments);
+        $cr = array_shift($arguments);
+        if (!method_exists($this->ldap, $command)) {
+            return null;
+        }
+        array_unshift($arguments, $cr);
+        // php no longer supports call-time pass-by-reference
+        // thus cannot support controlPagedResultResponse as the third argument
+        // is a reference
+        $doMethod = function () use ($command, &$arguments) {
+            if ($command == 'controlPagedResultResponse') {
+                throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.');
+            } else {
+                return call_user_func_array(array($this->ldap, $command), $arguments);
+            }
+        };
+        try {
+            $ret = $doMethod();
+        } catch (ServerNotAvailableException $e) {
+            /* Server connection lost, attempt to reestablish it
 			 * Maybe implement exponential backoff?
 			 * This was enough to get solr indexer working which has large delays between LDAP fetches.
 			 */
-			\OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", \OCP\Util::DEBUG);
-			$this->connection->resetConnectionResource();
-			$cr = $this->connection->getConnectionResource();
-
-			if(!$this->ldap->isResource($cr)) {
-				// Seems like we didn't find any resource.
-				\OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", \OCP\Util::DEBUG);
-				throw $e;
-			}
-
-			$arguments[0] = array_pad([], count($arguments[0]), $cr);
-			$ret = $doMethod();
-		}
-		return $ret;
-	}
-
-	/**
-	 * retrieved. Results will according to the order in the array.
-	 *
-	 * @param $filter
-	 * @param $base
-	 * @param string[]|string|null $attr
-	 * @param int $limit optional, maximum results to be counted
-	 * @param int $offset optional, a starting point
-	 * @return array|false array with the search result as first value and pagedSearchOK as
-	 * second | false if not successful
-	 * @throws ServerNotAvailableException
-	 */
-	private function executeSearch($filter, $base, &$attr = null, $limit = null, $offset = null) {
-		if(!is_null($attr) && !is_array($attr)) {
-			$attr = array(mb_strtolower($attr, 'UTF-8'));
-		}
-
-		// See if we have a resource, in case not cancel with message
-		$cr = $this->connection->getConnectionResource();
-		if(!$this->ldap->isResource($cr)) {
-			// Seems like we didn't find any resource.
-			// Return an empty array just like before.
-			\OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', \OCP\Util::DEBUG);
-			return false;
-		}
-
-		//check whether paged search should be attempted
-		$pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, $offset);
-
-		$linkResources = array_pad(array(), count($base), $cr);
-		$sr = $this->invokeLDAPMethod('search', $linkResources, $base, $filter, $attr);
-		// cannot use $cr anymore, might have changed in the previous call!
-		$error = $this->ldap->errno($this->connection->getConnectionResource());
-		if(!is_array($sr) || $error !== 0) {
-			\OCP\Util::writeLog('user_ldap', 'Attempt for Paging?  '.print_r($pagedSearchOK, true), \OCP\Util::ERROR);
-			return false;
-		}
-
-		return array($sr, $pagedSearchOK);
-	}
-
-	/**
-	 * processes an LDAP paged search operation
-	 * @param array $sr the array containing the LDAP search resources
-	 * @param string $filter the LDAP filter for the search
-	 * @param array $base an array containing the LDAP subtree(s) that shall be searched
-	 * @param int $iFoundItems number of results in the single search operation
-	 * @param int $limit maximum results to be counted
-	 * @param int $offset a starting point
-	 * @param bool $pagedSearchOK whether a paged search has been executed
-	 * @param bool $skipHandling required for paged search when cookies to
-	 * prior results need to be gained
-	 * @return bool cookie validity, true if we have more pages, false otherwise.
-	 */
-	private function processPagedSearchStatus($sr, $filter, $base, $iFoundItems, $limit, $offset, $pagedSearchOK, $skipHandling) {
-		$cookie = null;
-		if($pagedSearchOK) {
-			$cr = $this->connection->getConnectionResource();
-			foreach($sr as $key => $res) {
-				if($this->ldap->controlPagedResultResponse($cr, $res, $cookie)) {
-					$this->setPagedResultCookie($base[$key], $filter, $limit, $offset, $cookie);
-				}
-			}
-
-			//browsing through prior pages to get the cookie for the new one
-			if($skipHandling) {
-				return false;
-			}
-			// if count is bigger, then the server does not support
-			// paged search. Instead, he did a normal search. We set a
-			// flag here, so the callee knows how to deal with it.
-			if($iFoundItems <= $limit) {
-				$this->pagedSearchedSuccessful = true;
-			}
-		} else {
-			if(!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) {
-				\OC::$server->getLogger()->debug(
-					'Paged search was not available',
-					[ 'app' => 'user_ldap' ]
-				);
-			}
-		}
-		/* ++ Fixing RHDS searches with pages with zero results ++
+            \OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", \OCP\Util::DEBUG);
+            $this->connection->resetConnectionResource();
+            $cr = $this->connection->getConnectionResource();
+
+            if(!$this->ldap->isResource($cr)) {
+                // Seems like we didn't find any resource.
+                \OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", \OCP\Util::DEBUG);
+                throw $e;
+            }
+
+            $arguments[0] = array_pad([], count($arguments[0]), $cr);
+            $ret = $doMethod();
+        }
+        return $ret;
+    }
+
+    /**
+     * retrieved. Results will according to the order in the array.
+     *
+     * @param $filter
+     * @param $base
+     * @param string[]|string|null $attr
+     * @param int $limit optional, maximum results to be counted
+     * @param int $offset optional, a starting point
+     * @return array|false array with the search result as first value and pagedSearchOK as
+     * second | false if not successful
+     * @throws ServerNotAvailableException
+     */
+    private function executeSearch($filter, $base, &$attr = null, $limit = null, $offset = null) {
+        if(!is_null($attr) && !is_array($attr)) {
+            $attr = array(mb_strtolower($attr, 'UTF-8'));
+        }
+
+        // See if we have a resource, in case not cancel with message
+        $cr = $this->connection->getConnectionResource();
+        if(!$this->ldap->isResource($cr)) {
+            // Seems like we didn't find any resource.
+            // Return an empty array just like before.
+            \OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', \OCP\Util::DEBUG);
+            return false;
+        }
+
+        //check whether paged search should be attempted
+        $pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, $offset);
+
+        $linkResources = array_pad(array(), count($base), $cr);
+        $sr = $this->invokeLDAPMethod('search', $linkResources, $base, $filter, $attr);
+        // cannot use $cr anymore, might have changed in the previous call!
+        $error = $this->ldap->errno($this->connection->getConnectionResource());
+        if(!is_array($sr) || $error !== 0) {
+            \OCP\Util::writeLog('user_ldap', 'Attempt for Paging?  '.print_r($pagedSearchOK, true), \OCP\Util::ERROR);
+            return false;
+        }
+
+        return array($sr, $pagedSearchOK);
+    }
+
+    /**
+     * processes an LDAP paged search operation
+     * @param array $sr the array containing the LDAP search resources
+     * @param string $filter the LDAP filter for the search
+     * @param array $base an array containing the LDAP subtree(s) that shall be searched
+     * @param int $iFoundItems number of results in the single search operation
+     * @param int $limit maximum results to be counted
+     * @param int $offset a starting point
+     * @param bool $pagedSearchOK whether a paged search has been executed
+     * @param bool $skipHandling required for paged search when cookies to
+     * prior results need to be gained
+     * @return bool cookie validity, true if we have more pages, false otherwise.
+     */
+    private function processPagedSearchStatus($sr, $filter, $base, $iFoundItems, $limit, $offset, $pagedSearchOK, $skipHandling) {
+        $cookie = null;
+        if($pagedSearchOK) {
+            $cr = $this->connection->getConnectionResource();
+            foreach($sr as $key => $res) {
+                if($this->ldap->controlPagedResultResponse($cr, $res, $cookie)) {
+                    $this->setPagedResultCookie($base[$key], $filter, $limit, $offset, $cookie);
+                }
+            }
+
+            //browsing through prior pages to get the cookie for the new one
+            if($skipHandling) {
+                return false;
+            }
+            // if count is bigger, then the server does not support
+            // paged search. Instead, he did a normal search. We set a
+            // flag here, so the callee knows how to deal with it.
+            if($iFoundItems <= $limit) {
+                $this->pagedSearchedSuccessful = true;
+            }
+        } else {
+            if(!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) {
+                \OC::$server->getLogger()->debug(
+                    'Paged search was not available',
+                    [ 'app' => 'user_ldap' ]
+                );
+            }
+        }
+        /* ++ Fixing RHDS searches with pages with zero results ++
 		 * Return cookie status. If we don't have more pages, with RHDS
 		 * cookie is null, with openldap cookie is an empty string and
 		 * to 386ds '0' is a valid cookie. Even if $iFoundItems == 0
 		 */
-		return !empty($cookie) || $cookie === '0';
-	}
-
-	/**
-	 * executes an LDAP search, but counts the results only
-	 *
-	 * @param string $filter the LDAP filter for the search
-	 * @param array $base an array containing the LDAP subtree(s) that shall be searched
-	 * @param string|string[] $attr optional, array, one or more attributes that shall be
-	 * retrieved. Results will according to the order in the array.
-	 * @param int $limit optional, maximum results to be counted
-	 * @param int $offset optional, a starting point
-	 * @param bool $skipHandling indicates whether the pages search operation is
-	 * completed
-	 * @return int|false Integer or false if the search could not be initialized
-	 * @throws ServerNotAvailableException
-	 */
-	private function count($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) {
-		\OCP\Util::writeLog('user_ldap', 'Count filter:  '.print_r($filter, true), \OCP\Util::DEBUG);
-
-		$limitPerPage = (int)$this->connection->ldapPagingSize;
-		if(!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
-			$limitPerPage = $limit;
-		}
-
-		$counter = 0;
-		$count = null;
-		$this->connection->getConnectionResource();
-
-		do {
-			$search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
-			if($search === false) {
-				return $counter > 0 ? $counter : false;
-			}
-			list($sr, $pagedSearchOK) = $search;
-
-			/* ++ Fixing RHDS searches with pages with zero results ++
+        return !empty($cookie) || $cookie === '0';
+    }
+
+    /**
+     * executes an LDAP search, but counts the results only
+     *
+     * @param string $filter the LDAP filter for the search
+     * @param array $base an array containing the LDAP subtree(s) that shall be searched
+     * @param string|string[] $attr optional, array, one or more attributes that shall be
+     * retrieved. Results will according to the order in the array.
+     * @param int $limit optional, maximum results to be counted
+     * @param int $offset optional, a starting point
+     * @param bool $skipHandling indicates whether the pages search operation is
+     * completed
+     * @return int|false Integer or false if the search could not be initialized
+     * @throws ServerNotAvailableException
+     */
+    private function count($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) {
+        \OCP\Util::writeLog('user_ldap', 'Count filter:  '.print_r($filter, true), \OCP\Util::DEBUG);
+
+        $limitPerPage = (int)$this->connection->ldapPagingSize;
+        if(!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
+            $limitPerPage = $limit;
+        }
+
+        $counter = 0;
+        $count = null;
+        $this->connection->getConnectionResource();
+
+        do {
+            $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
+            if($search === false) {
+                return $counter > 0 ? $counter : false;
+            }
+            list($sr, $pagedSearchOK) = $search;
+
+            /* ++ Fixing RHDS searches with pages with zero results ++
 			 * countEntriesInSearchResults() method signature changed
 			 * by removing $limit and &$hasHitLimit parameters
 			 */
-			$count = $this->countEntriesInSearchResults($sr);
-			$counter += $count;
+            $count = $this->countEntriesInSearchResults($sr);
+            $counter += $count;
 
-			$hasMorePages = $this->processPagedSearchStatus($sr, $filter, $base, $count, $limitPerPage,
-										$offset, $pagedSearchOK, $skipHandling);
-			$offset += $limitPerPage;
-			/* ++ Fixing RHDS searches with pages with zero results ++
+            $hasMorePages = $this->processPagedSearchStatus($sr, $filter, $base, $count, $limitPerPage,
+                                        $offset, $pagedSearchOK, $skipHandling);
+            $offset += $limitPerPage;
+            /* ++ Fixing RHDS searches with pages with zero results ++
 			 * Continue now depends on $hasMorePages value
 			 */
-			$continue = $pagedSearchOK && $hasMorePages;
-		} while($continue && (is_null($limit) || $limit <= 0 || $limit > $counter));
-
-		return $counter;
-	}
-
-	/**
-	 * @param array $searchResults
-	 * @return int
-	 */
-	private function countEntriesInSearchResults($searchResults) {
-		$counter = 0;
-
-		foreach($searchResults as $res) {
-			$count = (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $res);
-			$counter += $count;
-		}
-
-		return $counter;
-	}
-
-	/**
-	 * Executes an LDAP search
-	 *
-	 * @param string $filter the LDAP filter for the search
-	 * @param array $base an array containing the LDAP subtree(s) that shall be searched
-	 * @param string|string[] $attr optional, array, one or more attributes that shall be
-	 * @param int $limit
-	 * @param int $offset
-	 * @param bool $skipHandling
-	 * @return array with the search result
-	 * @throws ServerNotAvailableException
-	 */
-	public function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) {
-		$limitPerPage = (int)$this->connection->ldapPagingSize;
-		if(!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
-			$limitPerPage = $limit;
-		}
-
-		/* ++ Fixing RHDS searches with pages with zero results ++
+            $continue = $pagedSearchOK && $hasMorePages;
+        } while($continue && (is_null($limit) || $limit <= 0 || $limit > $counter));
+
+        return $counter;
+    }
+
+    /**
+     * @param array $searchResults
+     * @return int
+     */
+    private function countEntriesInSearchResults($searchResults) {
+        $counter = 0;
+
+        foreach($searchResults as $res) {
+            $count = (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $res);
+            $counter += $count;
+        }
+
+        return $counter;
+    }
+
+    /**
+     * Executes an LDAP search
+     *
+     * @param string $filter the LDAP filter for the search
+     * @param array $base an array containing the LDAP subtree(s) that shall be searched
+     * @param string|string[] $attr optional, array, one or more attributes that shall be
+     * @param int $limit
+     * @param int $offset
+     * @param bool $skipHandling
+     * @return array with the search result
+     * @throws ServerNotAvailableException
+     */
+    public function search($filter, $base, $attr = null, $limit = null, $offset = null, $skipHandling = false) {
+        $limitPerPage = (int)$this->connection->ldapPagingSize;
+        if(!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
+            $limitPerPage = $limit;
+        }
+
+        /* ++ Fixing RHDS searches with pages with zero results ++
 		 * As we can have pages with zero results and/or pages with less
 		 * than $limit results but with a still valid server 'cookie',
 		 * loops through until we get $continue equals true and
 		 * $findings['count'] < $limit
 		 */
-		$findings = [];
-		$savedoffset = $offset;
-		do {
-			$search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
-			if($search === false) {
-				return [];
-			}
-			list($sr, $pagedSearchOK) = $search;
-			$cr = $this->connection->getConnectionResource();
-
-			if($skipHandling) {
-				//i.e. result do not need to be fetched, we just need the cookie
-				//thus pass 1 or any other value as $iFoundItems because it is not
-				//used
-				$this->processPagedSearchStatus($sr, $filter, $base, 1, $limitPerPage,
-								$offset, $pagedSearchOK,
-								$skipHandling);
-				return array();
-			}
-
-			$iFoundItems = 0;
-			foreach($sr as $res) {
-				$findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $res));
-				$iFoundItems = max($iFoundItems, $findings['count']);
-				unset($findings['count']);
-			}
-
-			$continue = $this->processPagedSearchStatus($sr, $filter, $base, $iFoundItems,
-				$limitPerPage, $offset, $pagedSearchOK,
-										$skipHandling);
-			$offset += $limitPerPage;
-		} while ($continue && $pagedSearchOK && ($limit === null || count($findings) < $limit));
-		// reseting offset
-		$offset = $savedoffset;
-
-		// if we're here, probably no connection resource is returned.
-		// to make Nextcloud behave nicely, we simply give back an empty array.
-		if(is_null($findings)) {
-			return array();
-		}
-
-		if(!is_null($attr)) {
-			$selection = [];
-			$i = 0;
-			foreach($findings as $item) {
-				if(!is_array($item)) {
-					continue;
-				}
-				$item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8');
-				foreach($attr as $key) {
-					if(isset($item[$key])) {
-						if(is_array($item[$key]) && isset($item[$key]['count'])) {
-							unset($item[$key]['count']);
-						}
-						if($key !== 'dn') {
-							if($this->resemblesDN($key)) {
-								$selection[$i][$key] = $this->helper->sanitizeDN($item[$key]);
-							} else if($key === 'objectguid' || $key === 'guid') {
-								$selection[$i][$key] = [$this->convertObjectGUID2Str($item[$key][0])];
-							} else {
-								$selection[$i][$key] = $item[$key];
-							}
-						} else {
-							$selection[$i][$key] = [$this->helper->sanitizeDN($item[$key])];
-						}
-					}
-
-				}
-				$i++;
-			}
-			$findings = $selection;
-		}
-		//we slice the findings, when
-		//a) paged search unsuccessful, though attempted
-		//b) no paged search, but limit set
-		if((!$this->getPagedSearchResultState()
-			&& $pagedSearchOK)
-			|| (
-				!$pagedSearchOK
-				&& !is_null($limit)
-			)
-		) {
-			$findings = array_slice($findings, (int)$offset, $limit);
-		}
-		return $findings;
-	}
-
-	/**
-	 * @param string $name
-	 * @return bool|mixed|string
-	 */
-	public function sanitizeUsername($name) {
-		if($this->connection->ldapIgnoreNamingRules) {
-			return trim($name);
-		}
-
-		// Transliteration
-		// latin characters to ASCII
-		$name = iconv('UTF-8', 'ASCII//TRANSLIT', $name);
-
-		// Replacements
-		$name = str_replace(' ', '_', $name);
-
-		// Every remaining disallowed characters will be removed
-		$name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name);
-
-		return $name;
-	}
-
-	/**
-	* escapes (user provided) parts for LDAP filter
-	* @param string $input, the provided value
-	* @param bool $allowAsterisk whether in * at the beginning should be preserved
-	* @return string the escaped string
-	*/
-	public function escapeFilterPart($input, $allowAsterisk = false) {
-		$asterisk = '';
-		if($allowAsterisk && strlen($input) > 0 && $input[0] === '*') {
-			$asterisk = '*';
-			$input = mb_substr($input, 1, null, 'UTF-8');
-		}
-		$search  = array('*', '\\', '(', ')');
-		$replace = array('\\*', '\\\\', '\\(', '\\)');
-		return $asterisk . str_replace($search, $replace, $input);
-	}
-
-	/**
-	 * combines the input filters with AND
-	 * @param string[] $filters the filters to connect
-	 * @return string the combined filter
-	 */
-	public function combineFilterWithAnd($filters) {
-		return $this->combineFilter($filters, '&');
-	}
-
-	/**
-	 * combines the input filters with OR
-	 * @param string[] $filters the filters to connect
-	 * @return string the combined filter
-	 * Combines Filter arguments with OR
-	 */
-	public function combineFilterWithOr($filters) {
-		return $this->combineFilter($filters, '|');
-	}
-
-	/**
-	 * combines the input filters with given operator
-	 * @param string[] $filters the filters to connect
-	 * @param string $operator either & or |
-	 * @return string the combined filter
-	 */
-	private function combineFilter($filters, $operator) {
-		$combinedFilter = '('.$operator;
-		foreach($filters as $filter) {
-			if ($filter !== '' && $filter[0] !== '(') {
-				$filter = '('.$filter.')';
-			}
-			$combinedFilter.=$filter;
-		}
-		$combinedFilter.=')';
-		return $combinedFilter;
-	}
-
-	/**
-	 * creates a filter part for to perform search for users
-	 * @param string $search the search term
-	 * @return string the final filter part to use in LDAP searches
-	 */
-	public function getFilterPartForUserSearch($search) {
-		return $this->getFilterPartForSearch($search,
-			$this->connection->ldapAttributesForUserSearch,
-			$this->connection->ldapUserDisplayName);
-	}
-
-	/**
-	 * creates a filter part for to perform search for groups
-	 * @param string $search the search term
-	 * @return string the final filter part to use in LDAP searches
-	 */
-	public function getFilterPartForGroupSearch($search) {
-		return $this->getFilterPartForSearch($search,
-			$this->connection->ldapAttributesForGroupSearch,
-			$this->connection->ldapGroupDisplayName);
-	}
-
-	/**
-	 * creates a filter part for searches by splitting up the given search
-	 * string into single words
-	 * @param string $search the search term
-	 * @param string[] $searchAttributes needs to have at least two attributes,
-	 * otherwise it does not make sense :)
-	 * @return string the final filter part to use in LDAP searches
-	 * @throws \Exception
-	 */
-	private function getAdvancedFilterPartForSearch($search, $searchAttributes) {
-		if(!is_array($searchAttributes) || count($searchAttributes) < 2) {
-			throw new \Exception('searchAttributes must be an array with at least two string');
-		}
-		$searchWords = explode(' ', trim($search));
-		$wordFilters = array();
-		foreach($searchWords as $word) {
-			$word = $this->prepareSearchTerm($word);
-			//every word needs to appear at least once
-			$wordMatchOneAttrFilters = array();
-			foreach($searchAttributes as $attr) {
-				$wordMatchOneAttrFilters[] = $attr . '=' . $word;
-			}
-			$wordFilters[] = $this->combineFilterWithOr($wordMatchOneAttrFilters);
-		}
-		return $this->combineFilterWithAnd($wordFilters);
-	}
-
-	/**
-	 * creates a filter part for searches
-	 * @param string $search the search term
-	 * @param string[]|null $searchAttributes
-	 * @param string $fallbackAttribute a fallback attribute in case the user
-	 * did not define search attributes. Typically the display name attribute.
-	 * @return string the final filter part to use in LDAP searches
-	 */
-	private function getFilterPartForSearch($search, $searchAttributes, $fallbackAttribute) {
-		$filter = array();
-		$haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0);
-		if($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) {
-			try {
-				return $this->getAdvancedFilterPartForSearch($search, $searchAttributes);
-			} catch(\Exception $e) {
-				\OCP\Util::writeLog(
-					'user_ldap',
-					'Creating advanced filter for search failed, falling back to simple method.',
-					\OCP\Util::INFO
-				);
-			}
-		}
-
-		$search = $this->prepareSearchTerm($search);
-		if(!is_array($searchAttributes) || count($searchAttributes) === 0) {
-			if ($fallbackAttribute === '') {
-				return '';
-			}
-			$filter[] = $fallbackAttribute . '=' . $search;
-		} else {
-			foreach($searchAttributes as $attribute) {
-				$filter[] = $attribute . '=' . $search;
-			}
-		}
-		if(count($filter) === 1) {
-			return '('.$filter[0].')';
-		}
-		return $this->combineFilterWithOr($filter);
-	}
-
-	/**
-	 * returns the search term depending on whether we are allowed
-	 * list users found by ldap with the current input appended by
-	 * a *
-	 * @return string
-	 */
-	private function prepareSearchTerm($term) {
-		$config = \OC::$server->getConfig();
-
-		$allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes');
-
-		$result = $term;
-		if ($term === '') {
-			$result = '*';
-		} else if ($allowEnum !== 'no') {
-			$result = $term . '*';
-		}
-		return $result;
-	}
-
-	/**
-	 * returns the filter used for counting users
-	 * @return string
-	 */
-	public function getFilterForUserCount() {
-		$filter = $this->combineFilterWithAnd(array(
-			$this->connection->ldapUserFilter,
-			$this->connection->ldapUserDisplayName . '=*'
-		));
-
-		return $filter;
-	}
-
-	/**
-	 * @param string $name
-	 * @param string $password
-	 * @return bool
-	 */
-	public function areCredentialsValid($name, $password) {
-		$name = $this->helper->DNasBaseParameter($name);
-		$testConnection = clone $this->connection;
-		$credentials = array(
-			'ldapAgentName' => $name,
-			'ldapAgentPassword' => $password
-		);
-		if(!$testConnection->setConfiguration($credentials)) {
-			return false;
-		}
-		return $testConnection->bind();
-	}
-
-	/**
-	 * reverse lookup of a DN given a known UUID
-	 *
-	 * @param string $uuid
-	 * @return string
-	 * @throws \Exception
-	 */
-	public function getUserDnByUuid($uuid) {
-		$uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
-		$filter       = $this->connection->ldapUserFilter;
-		$base         = $this->connection->ldapBaseUsers;
-
-		if ($this->connection->ldapUuidUserAttribute === 'auto' && $uuidOverride === '') {
-			// Sacrebleu! The UUID attribute is unknown :( We need first an
-			// existing DN to be able to reliably detect it.
-			$result = $this->search($filter, $base, ['dn'], 1);
-			if(!isset($result[0]) || !isset($result[0]['dn'])) {
-				throw new \Exception('Cannot determine UUID attribute');
-			}
-			$dn = $result[0]['dn'][0];
-			if(!$this->detectUuidAttribute($dn, true)) {
-				throw new \Exception('Cannot determine UUID attribute');
-			}
-		} else {
-			// The UUID attribute is either known or an override is given.
-			// By calling this method we ensure that $this->connection->$uuidAttr
-			// is definitely set
-			if(!$this->detectUuidAttribute('', true)) {
-				throw new \Exception('Cannot determine UUID attribute');
-			}
-		}
-
-		$uuidAttr = $this->connection->ldapUuidUserAttribute;
-		if($uuidAttr === 'guid' || $uuidAttr === 'objectguid') {
-			$uuid = $this->formatGuid2ForFilterUser($uuid);
-		}
-
-		$filter = $uuidAttr . '=' . $uuid;
-		$result = $this->searchUsers($filter, ['dn'], 2);
-		if(is_array($result) && isset($result[0]) && isset($result[0]['dn']) && count($result) === 1) {
-			// we put the count into account to make sure that this is
-			// really unique
-			return $result[0]['dn'][0];
-		}
-
-		throw new \Exception('Cannot determine UUID attribute');
-	}
-
-	/**
-	 * auto-detects the directory's UUID attribute
-	 *
-	 * @param string $dn a known DN used to check against
-	 * @param bool $isUser
-	 * @param bool $force the detection should be run, even if it is not set to auto
-	 * @param array|null $ldapRecord
-	 * @return bool true on success, false otherwise
-	 */
-	private function detectUuidAttribute($dn, $isUser = true, $force = false, array $ldapRecord = null) {
-		if($isUser) {
-			$uuidAttr     = 'ldapUuidUserAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
-		} else {
-			$uuidAttr     = 'ldapUuidGroupAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
-		}
-
-		if(($this->connection->$uuidAttr !== 'auto') && !$force) {
-			return true;
-		}
-
-		if (is_string($uuidOverride) && trim($uuidOverride) !== '' && !$force) {
-			$this->connection->$uuidAttr = $uuidOverride;
-			return true;
-		}
-
-		foreach(self::UUID_ATTRIBUTES as $attribute) {
-			if($ldapRecord !== null) {
-				// we have the info from LDAP already, we don't need to talk to the server again
-				if(isset($ldapRecord[$attribute])) {
-					$this->connection->$uuidAttr = $attribute;
-					return true;
-				} else {
-					continue;
-				}
-			}
-
-			$value = $this->readAttribute($dn, $attribute);
-			if(is_array($value) && isset($value[0]) && !empty($value[0])) {
-				\OCP\Util::writeLog('user_ldap',
-									'Setting '.$attribute.' as '.$uuidAttr,
-									\OCP\Util::DEBUG);
-				$this->connection->$uuidAttr = $attribute;
-				return true;
-			}
-		}
-		\OCP\Util::writeLog('user_ldap',
-							'Could not autodetect the UUID attribute',
-							\OCP\Util::ERROR);
-
-		return false;
-	}
-
-	/**
-	 * @param string $dn
-	 * @param bool $isUser
-	 * @param null $ldapRecord
-	 * @return bool|string
-	 */
-	public function getUUID($dn, $isUser = true, $ldapRecord = null) {
-		if($isUser) {
-			$uuidAttr     = 'ldapUuidUserAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
-		} else {
-			$uuidAttr     = 'ldapUuidGroupAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
-		}
-
-		$uuid = false;
-		if($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) {
-			$attr = $this->connection->$uuidAttr;
-			$uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr);
-			if( !is_array($uuid)
-				&& $uuidOverride !== ''
-				&& $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord))
-			{
-				$uuid = isset($ldapRecord[$this->connection->$uuidAttr])
-					? $ldapRecord[$this->connection->$uuidAttr]
-					: $this->readAttribute($dn, $this->connection->$uuidAttr);
-			}
-			if(is_array($uuid) && isset($uuid[0]) && !empty($uuid[0])) {
-				$uuid = $uuid[0];
-			}
-		}
-
-		return $uuid;
-	}
-
-	/**
-	 * converts a binary ObjectGUID into a string representation
-	 * @param string $oguid the ObjectGUID in it's binary form as retrieved from AD
-	 * @return string
-	 * @link http://www.php.net/manual/en/function.ldap-get-values-len.php#73198
-	 */
-	private function convertObjectGUID2Str($oguid) {
-		$hex_guid = bin2hex($oguid);
-		$hex_guid_to_guid_str = '';
-		for($k = 1; $k <= 4; ++$k) {
-			$hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
-		}
-		$hex_guid_to_guid_str .= '-';
-		for($k = 1; $k <= 2; ++$k) {
-			$hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
-		}
-		$hex_guid_to_guid_str .= '-';
-		for($k = 1; $k <= 2; ++$k) {
-			$hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
-		}
-		$hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
-		$hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
-
-		return strtoupper($hex_guid_to_guid_str);
-	}
-
-	/**
-	 * the first three blocks of the string-converted GUID happen to be in
-	 * reverse order. In order to use it in a filter, this needs to be
-	 * corrected. Furthermore the dashes need to be replaced and \\ preprended
-	 * to every two hax figures.
-	 *
-	 * If an invalid string is passed, it will be returned without change.
-	 *
-	 * @param string $guid
-	 * @return string
-	 */
-	public function formatGuid2ForFilterUser($guid) {
-		if(!is_string($guid)) {
-			throw new \InvalidArgumentException('String expected');
-		}
-		$blocks = explode('-', $guid);
-		if(count($blocks) !== 5) {
-			/*
+        $findings = [];
+        $savedoffset = $offset;
+        do {
+            $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
+            if($search === false) {
+                return [];
+            }
+            list($sr, $pagedSearchOK) = $search;
+            $cr = $this->connection->getConnectionResource();
+
+            if($skipHandling) {
+                //i.e. result do not need to be fetched, we just need the cookie
+                //thus pass 1 or any other value as $iFoundItems because it is not
+                //used
+                $this->processPagedSearchStatus($sr, $filter, $base, 1, $limitPerPage,
+                                $offset, $pagedSearchOK,
+                                $skipHandling);
+                return array();
+            }
+
+            $iFoundItems = 0;
+            foreach($sr as $res) {
+                $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $res));
+                $iFoundItems = max($iFoundItems, $findings['count']);
+                unset($findings['count']);
+            }
+
+            $continue = $this->processPagedSearchStatus($sr, $filter, $base, $iFoundItems,
+                $limitPerPage, $offset, $pagedSearchOK,
+                                        $skipHandling);
+            $offset += $limitPerPage;
+        } while ($continue && $pagedSearchOK && ($limit === null || count($findings) < $limit));
+        // reseting offset
+        $offset = $savedoffset;
+
+        // if we're here, probably no connection resource is returned.
+        // to make Nextcloud behave nicely, we simply give back an empty array.
+        if(is_null($findings)) {
+            return array();
+        }
+
+        if(!is_null($attr)) {
+            $selection = [];
+            $i = 0;
+            foreach($findings as $item) {
+                if(!is_array($item)) {
+                    continue;
+                }
+                $item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8');
+                foreach($attr as $key) {
+                    if(isset($item[$key])) {
+                        if(is_array($item[$key]) && isset($item[$key]['count'])) {
+                            unset($item[$key]['count']);
+                        }
+                        if($key !== 'dn') {
+                            if($this->resemblesDN($key)) {
+                                $selection[$i][$key] = $this->helper->sanitizeDN($item[$key]);
+                            } else if($key === 'objectguid' || $key === 'guid') {
+                                $selection[$i][$key] = [$this->convertObjectGUID2Str($item[$key][0])];
+                            } else {
+                                $selection[$i][$key] = $item[$key];
+                            }
+                        } else {
+                            $selection[$i][$key] = [$this->helper->sanitizeDN($item[$key])];
+                        }
+                    }
+
+                }
+                $i++;
+            }
+            $findings = $selection;
+        }
+        //we slice the findings, when
+        //a) paged search unsuccessful, though attempted
+        //b) no paged search, but limit set
+        if((!$this->getPagedSearchResultState()
+            && $pagedSearchOK)
+            || (
+                !$pagedSearchOK
+                && !is_null($limit)
+            )
+        ) {
+            $findings = array_slice($findings, (int)$offset, $limit);
+        }
+        return $findings;
+    }
+
+    /**
+     * @param string $name
+     * @return bool|mixed|string
+     */
+    public function sanitizeUsername($name) {
+        if($this->connection->ldapIgnoreNamingRules) {
+            return trim($name);
+        }
+
+        // Transliteration
+        // latin characters to ASCII
+        $name = iconv('UTF-8', 'ASCII//TRANSLIT', $name);
+
+        // Replacements
+        $name = str_replace(' ', '_', $name);
+
+        // Every remaining disallowed characters will be removed
+        $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name);
+
+        return $name;
+    }
+
+    /**
+     * escapes (user provided) parts for LDAP filter
+     * @param string $input, the provided value
+     * @param bool $allowAsterisk whether in * at the beginning should be preserved
+     * @return string the escaped string
+     */
+    public function escapeFilterPart($input, $allowAsterisk = false) {
+        $asterisk = '';
+        if($allowAsterisk && strlen($input) > 0 && $input[0] === '*') {
+            $asterisk = '*';
+            $input = mb_substr($input, 1, null, 'UTF-8');
+        }
+        $search  = array('*', '\\', '(', ')');
+        $replace = array('\\*', '\\\\', '\\(', '\\)');
+        return $asterisk . str_replace($search, $replace, $input);
+    }
+
+    /**
+     * combines the input filters with AND
+     * @param string[] $filters the filters to connect
+     * @return string the combined filter
+     */
+    public function combineFilterWithAnd($filters) {
+        return $this->combineFilter($filters, '&');
+    }
+
+    /**
+     * combines the input filters with OR
+     * @param string[] $filters the filters to connect
+     * @return string the combined filter
+     * Combines Filter arguments with OR
+     */
+    public function combineFilterWithOr($filters) {
+        return $this->combineFilter($filters, '|');
+    }
+
+    /**
+     * combines the input filters with given operator
+     * @param string[] $filters the filters to connect
+     * @param string $operator either & or |
+     * @return string the combined filter
+     */
+    private function combineFilter($filters, $operator) {
+        $combinedFilter = '('.$operator;
+        foreach($filters as $filter) {
+            if ($filter !== '' && $filter[0] !== '(') {
+                $filter = '('.$filter.')';
+            }
+            $combinedFilter.=$filter;
+        }
+        $combinedFilter.=')';
+        return $combinedFilter;
+    }
+
+    /**
+     * creates a filter part for to perform search for users
+     * @param string $search the search term
+     * @return string the final filter part to use in LDAP searches
+     */
+    public function getFilterPartForUserSearch($search) {
+        return $this->getFilterPartForSearch($search,
+            $this->connection->ldapAttributesForUserSearch,
+            $this->connection->ldapUserDisplayName);
+    }
+
+    /**
+     * creates a filter part for to perform search for groups
+     * @param string $search the search term
+     * @return string the final filter part to use in LDAP searches
+     */
+    public function getFilterPartForGroupSearch($search) {
+        return $this->getFilterPartForSearch($search,
+            $this->connection->ldapAttributesForGroupSearch,
+            $this->connection->ldapGroupDisplayName);
+    }
+
+    /**
+     * creates a filter part for searches by splitting up the given search
+     * string into single words
+     * @param string $search the search term
+     * @param string[] $searchAttributes needs to have at least two attributes,
+     * otherwise it does not make sense :)
+     * @return string the final filter part to use in LDAP searches
+     * @throws \Exception
+     */
+    private function getAdvancedFilterPartForSearch($search, $searchAttributes) {
+        if(!is_array($searchAttributes) || count($searchAttributes) < 2) {
+            throw new \Exception('searchAttributes must be an array with at least two string');
+        }
+        $searchWords = explode(' ', trim($search));
+        $wordFilters = array();
+        foreach($searchWords as $word) {
+            $word = $this->prepareSearchTerm($word);
+            //every word needs to appear at least once
+            $wordMatchOneAttrFilters = array();
+            foreach($searchAttributes as $attr) {
+                $wordMatchOneAttrFilters[] = $attr . '=' . $word;
+            }
+            $wordFilters[] = $this->combineFilterWithOr($wordMatchOneAttrFilters);
+        }
+        return $this->combineFilterWithAnd($wordFilters);
+    }
+
+    /**
+     * creates a filter part for searches
+     * @param string $search the search term
+     * @param string[]|null $searchAttributes
+     * @param string $fallbackAttribute a fallback attribute in case the user
+     * did not define search attributes. Typically the display name attribute.
+     * @return string the final filter part to use in LDAP searches
+     */
+    private function getFilterPartForSearch($search, $searchAttributes, $fallbackAttribute) {
+        $filter = array();
+        $haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0);
+        if($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) {
+            try {
+                return $this->getAdvancedFilterPartForSearch($search, $searchAttributes);
+            } catch(\Exception $e) {
+                \OCP\Util::writeLog(
+                    'user_ldap',
+                    'Creating advanced filter for search failed, falling back to simple method.',
+                    \OCP\Util::INFO
+                );
+            }
+        }
+
+        $search = $this->prepareSearchTerm($search);
+        if(!is_array($searchAttributes) || count($searchAttributes) === 0) {
+            if ($fallbackAttribute === '') {
+                return '';
+            }
+            $filter[] = $fallbackAttribute . '=' . $search;
+        } else {
+            foreach($searchAttributes as $attribute) {
+                $filter[] = $attribute . '=' . $search;
+            }
+        }
+        if(count($filter) === 1) {
+            return '('.$filter[0].')';
+        }
+        return $this->combineFilterWithOr($filter);
+    }
+
+    /**
+     * returns the search term depending on whether we are allowed
+     * list users found by ldap with the current input appended by
+     * a *
+     * @return string
+     */
+    private function prepareSearchTerm($term) {
+        $config = \OC::$server->getConfig();
+
+        $allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes');
+
+        $result = $term;
+        if ($term === '') {
+            $result = '*';
+        } else if ($allowEnum !== 'no') {
+            $result = $term . '*';
+        }
+        return $result;
+    }
+
+    /**
+     * returns the filter used for counting users
+     * @return string
+     */
+    public function getFilterForUserCount() {
+        $filter = $this->combineFilterWithAnd(array(
+            $this->connection->ldapUserFilter,
+            $this->connection->ldapUserDisplayName . '=*'
+        ));
+
+        return $filter;
+    }
+
+    /**
+     * @param string $name
+     * @param string $password
+     * @return bool
+     */
+    public function areCredentialsValid($name, $password) {
+        $name = $this->helper->DNasBaseParameter($name);
+        $testConnection = clone $this->connection;
+        $credentials = array(
+            'ldapAgentName' => $name,
+            'ldapAgentPassword' => $password
+        );
+        if(!$testConnection->setConfiguration($credentials)) {
+            return false;
+        }
+        return $testConnection->bind();
+    }
+
+    /**
+     * reverse lookup of a DN given a known UUID
+     *
+     * @param string $uuid
+     * @return string
+     * @throws \Exception
+     */
+    public function getUserDnByUuid($uuid) {
+        $uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
+        $filter       = $this->connection->ldapUserFilter;
+        $base         = $this->connection->ldapBaseUsers;
+
+        if ($this->connection->ldapUuidUserAttribute === 'auto' && $uuidOverride === '') {
+            // Sacrebleu! The UUID attribute is unknown :( We need first an
+            // existing DN to be able to reliably detect it.
+            $result = $this->search($filter, $base, ['dn'], 1);
+            if(!isset($result[0]) || !isset($result[0]['dn'])) {
+                throw new \Exception('Cannot determine UUID attribute');
+            }
+            $dn = $result[0]['dn'][0];
+            if(!$this->detectUuidAttribute($dn, true)) {
+                throw new \Exception('Cannot determine UUID attribute');
+            }
+        } else {
+            // The UUID attribute is either known or an override is given.
+            // By calling this method we ensure that $this->connection->$uuidAttr
+            // is definitely set
+            if(!$this->detectUuidAttribute('', true)) {
+                throw new \Exception('Cannot determine UUID attribute');
+            }
+        }
+
+        $uuidAttr = $this->connection->ldapUuidUserAttribute;
+        if($uuidAttr === 'guid' || $uuidAttr === 'objectguid') {
+            $uuid = $this->formatGuid2ForFilterUser($uuid);
+        }
+
+        $filter = $uuidAttr . '=' . $uuid;
+        $result = $this->searchUsers($filter, ['dn'], 2);
+        if(is_array($result) && isset($result[0]) && isset($result[0]['dn']) && count($result) === 1) {
+            // we put the count into account to make sure that this is
+            // really unique
+            return $result[0]['dn'][0];
+        }
+
+        throw new \Exception('Cannot determine UUID attribute');
+    }
+
+    /**
+     * auto-detects the directory's UUID attribute
+     *
+     * @param string $dn a known DN used to check against
+     * @param bool $isUser
+     * @param bool $force the detection should be run, even if it is not set to auto
+     * @param array|null $ldapRecord
+     * @return bool true on success, false otherwise
+     */
+    private function detectUuidAttribute($dn, $isUser = true, $force = false, array $ldapRecord = null) {
+        if($isUser) {
+            $uuidAttr     = 'ldapUuidUserAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
+        } else {
+            $uuidAttr     = 'ldapUuidGroupAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
+        }
+
+        if(($this->connection->$uuidAttr !== 'auto') && !$force) {
+            return true;
+        }
+
+        if (is_string($uuidOverride) && trim($uuidOverride) !== '' && !$force) {
+            $this->connection->$uuidAttr = $uuidOverride;
+            return true;
+        }
+
+        foreach(self::UUID_ATTRIBUTES as $attribute) {
+            if($ldapRecord !== null) {
+                // we have the info from LDAP already, we don't need to talk to the server again
+                if(isset($ldapRecord[$attribute])) {
+                    $this->connection->$uuidAttr = $attribute;
+                    return true;
+                } else {
+                    continue;
+                }
+            }
+
+            $value = $this->readAttribute($dn, $attribute);
+            if(is_array($value) && isset($value[0]) && !empty($value[0])) {
+                \OCP\Util::writeLog('user_ldap',
+                                    'Setting '.$attribute.' as '.$uuidAttr,
+                                    \OCP\Util::DEBUG);
+                $this->connection->$uuidAttr = $attribute;
+                return true;
+            }
+        }
+        \OCP\Util::writeLog('user_ldap',
+                            'Could not autodetect the UUID attribute',
+                            \OCP\Util::ERROR);
+
+        return false;
+    }
+
+    /**
+     * @param string $dn
+     * @param bool $isUser
+     * @param null $ldapRecord
+     * @return bool|string
+     */
+    public function getUUID($dn, $isUser = true, $ldapRecord = null) {
+        if($isUser) {
+            $uuidAttr     = 'ldapUuidUserAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
+        } else {
+            $uuidAttr     = 'ldapUuidGroupAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
+        }
+
+        $uuid = false;
+        if($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) {
+            $attr = $this->connection->$uuidAttr;
+            $uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr);
+            if( !is_array($uuid)
+                && $uuidOverride !== ''
+                && $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord))
+            {
+                $uuid = isset($ldapRecord[$this->connection->$uuidAttr])
+                    ? $ldapRecord[$this->connection->$uuidAttr]
+                    : $this->readAttribute($dn, $this->connection->$uuidAttr);
+            }
+            if(is_array($uuid) && isset($uuid[0]) && !empty($uuid[0])) {
+                $uuid = $uuid[0];
+            }
+        }
+
+        return $uuid;
+    }
+
+    /**
+     * converts a binary ObjectGUID into a string representation
+     * @param string $oguid the ObjectGUID in it's binary form as retrieved from AD
+     * @return string
+     * @link http://www.php.net/manual/en/function.ldap-get-values-len.php#73198
+     */
+    private function convertObjectGUID2Str($oguid) {
+        $hex_guid = bin2hex($oguid);
+        $hex_guid_to_guid_str = '';
+        for($k = 1; $k <= 4; ++$k) {
+            $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
+        }
+        $hex_guid_to_guid_str .= '-';
+        for($k = 1; $k <= 2; ++$k) {
+            $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
+        }
+        $hex_guid_to_guid_str .= '-';
+        for($k = 1; $k <= 2; ++$k) {
+            $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
+        }
+        $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
+        $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
+
+        return strtoupper($hex_guid_to_guid_str);
+    }
+
+    /**
+     * the first three blocks of the string-converted GUID happen to be in
+     * reverse order. In order to use it in a filter, this needs to be
+     * corrected. Furthermore the dashes need to be replaced and \\ preprended
+     * to every two hax figures.
+     *
+     * If an invalid string is passed, it will be returned without change.
+     *
+     * @param string $guid
+     * @return string
+     */
+    public function formatGuid2ForFilterUser($guid) {
+        if(!is_string($guid)) {
+            throw new \InvalidArgumentException('String expected');
+        }
+        $blocks = explode('-', $guid);
+        if(count($blocks) !== 5) {
+            /*
 			 * Why not throw an Exception instead? This method is a utility
 			 * called only when trying to figure out whether a "missing" known
 			 * LDAP user was or was not renamed on the LDAP server. And this
@@ -1696,270 +1696,270 @@  discard block
 block discarded – undo
 			 * an exception here would kill the experience for a valid, acting
 			 * user. Instead we write a log message.
 			 */
-			\OC::$server->getLogger()->info(
-				'Passed string does not resemble a valid GUID. Known UUID ' .
-				'({uuid}) probably does not match UUID configuration.',
-				[ 'app' => 'user_ldap', 'uuid' => $guid ]
-			);
-			return $guid;
-		}
-		for($i=0; $i < 3; $i++) {
-			$pairs = str_split($blocks[$i], 2);
-			$pairs = array_reverse($pairs);
-			$blocks[$i] = implode('', $pairs);
-		}
-		for($i=0; $i < 5; $i++) {
-			$pairs = str_split($blocks[$i], 2);
-			$blocks[$i] = '\\' . implode('\\', $pairs);
-		}
-		return implode('', $blocks);
-	}
-
-	/**
-	 * gets a SID of the domain of the given dn
-	 * @param string $dn
-	 * @return string|bool
-	 */
-	public function getSID($dn) {
-		$domainDN = $this->getDomainDNFromDN($dn);
-		$cacheKey = 'getSID-'.$domainDN;
-		$sid = $this->connection->getFromCache($cacheKey);
-		if(!is_null($sid)) {
-			return $sid;
-		}
-
-		$objectSid = $this->readAttribute($domainDN, 'objectsid');
-		if(!is_array($objectSid) || empty($objectSid)) {
-			$this->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-		$domainObjectSid = $this->convertSID2Str($objectSid[0]);
-		$this->connection->writeToCache($cacheKey, $domainObjectSid);
-
-		return $domainObjectSid;
-	}
-
-	/**
-	 * converts a binary SID into a string representation
-	 * @param string $sid
-	 * @return string
-	 */
-	public function convertSID2Str($sid) {
-		// The format of a SID binary string is as follows:
-		// 1 byte for the revision level
-		// 1 byte for the number n of variable sub-ids
-		// 6 bytes for identifier authority value
-		// n*4 bytes for n sub-ids
-		//
-		// Example: 010400000000000515000000a681e50e4d6c6c2bca32055f
-		//  Legend: RRNNAAAAAAAAAAAA11111111222222223333333344444444
-		$revision = ord($sid[0]);
-		$numberSubID = ord($sid[1]);
-
-		$subIdStart = 8; // 1 + 1 + 6
-		$subIdLength = 4;
-		if (strlen($sid) !== $subIdStart + $subIdLength * $numberSubID) {
-			// Incorrect number of bytes present.
-			return '';
-		}
-
-		// 6 bytes = 48 bits can be represented using floats without loss of
-		// precision (see https://gist.github.com/bantu/886ac680b0aef5812f71)
-		$iav = number_format(hexdec(bin2hex(substr($sid, 2, 6))), 0, '', '');
-
-		$subIDs = array();
-		for ($i = 0; $i < $numberSubID; $i++) {
-			$subID = unpack('V', substr($sid, $subIdStart + $subIdLength * $i, $subIdLength));
-			$subIDs[] = sprintf('%u', $subID[1]);
-		}
-
-		// Result for example above: S-1-5-21-249921958-728525901-1594176202
-		return sprintf('S-%d-%s-%s', $revision, $iav, implode('-', $subIDs));
-	}
-
-	/**
-	 * checks if the given DN is part of the given base DN(s)
-	 * @param string $dn the DN
-	 * @param string[] $bases array containing the allowed base DN or DNs
-	 * @return bool
-	 */
-	public function isDNPartOfBase($dn, $bases) {
-		$belongsToBase = false;
-		$bases = $this->helper->sanitizeDN($bases);
-
-		foreach($bases as $base) {
-			$belongsToBase = true;
-			if(mb_strripos($dn, $base, 0, 'UTF-8') !== (mb_strlen($dn, 'UTF-8')-mb_strlen($base, 'UTF-8'))) {
-				$belongsToBase = false;
-			}
-			if($belongsToBase) {
-				break;
-			}
-		}
-		return $belongsToBase;
-	}
-
-	/**
-	 * resets a running Paged Search operation
-	 */
-	private function abandonPagedSearch() {
-		if($this->connection->hasPagedResultSupport) {
-			$cr = $this->connection->getConnectionResource();
-			$this->invokeLDAPMethod('controlPagedResult', $cr, 0, false, $this->lastCookie);
-			$this->getPagedSearchResultState();
-			$this->lastCookie = '';
-			$this->cookies = array();
-		}
-	}
-
-	/**
-	 * get a cookie for the next LDAP paged search
-	 * @param string $base a string with the base DN for the search
-	 * @param string $filter the search filter to identify the correct search
-	 * @param int $limit the limit (or 'pageSize'), to identify the correct search well
-	 * @param int $offset the offset for the new search to identify the correct search really good
-	 * @return string containing the key or empty if none is cached
-	 */
-	private function getPagedResultCookie($base, $filter, $limit, $offset) {
-		if($offset === 0) {
-			return '';
-		}
-		$offset -= $limit;
-		//we work with cache here
-		$cacheKey = 'lc' . crc32($base) . '-' . crc32($filter) . '-' . (int)$limit . '-' . (int)$offset;
-		$cookie = '';
-		if(isset($this->cookies[$cacheKey])) {
-			$cookie = $this->cookies[$cacheKey];
-			if(is_null($cookie)) {
-				$cookie = '';
-			}
-		}
-		return $cookie;
-	}
-
-	/**
-	 * checks whether an LDAP paged search operation has more pages that can be
-	 * retrieved, typically when offset and limit are provided.
-	 *
-	 * Be very careful to use it: the last cookie value, which is inspected, can
-	 * be reset by other operations. Best, call it immediately after a search(),
-	 * searchUsers() or searchGroups() call. count-methods are probably safe as
-	 * well. Don't rely on it with any fetchList-method.
-	 * @return bool
-	 */
-	public function hasMoreResults() {
-		if(!$this->connection->hasPagedResultSupport) {
-			return false;
-		}
-
-		if(empty($this->lastCookie) && $this->lastCookie !== '0') {
-			// as in RFC 2696, when all results are returned, the cookie will
-			// be empty.
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * set a cookie for LDAP paged search run
-	 * @param string $base a string with the base DN for the search
-	 * @param string $filter the search filter to identify the correct search
-	 * @param int $limit the limit (or 'pageSize'), to identify the correct search well
-	 * @param int $offset the offset for the run search to identify the correct search really good
-	 * @param string $cookie string containing the cookie returned by ldap_control_paged_result_response
-	 * @return void
-	 */
-	private function setPagedResultCookie($base, $filter, $limit, $offset, $cookie) {
-		// allow '0' for 389ds
-		if(!empty($cookie) || $cookie === '0') {
-			$cacheKey = 'lc' . crc32($base) . '-' . crc32($filter) . '-' . (int)$limit . '-' . (int)$offset;
-			$this->cookies[$cacheKey] = $cookie;
-			$this->lastCookie = $cookie;
-		}
-	}
-
-	/**
-	 * Check whether the most recent paged search was successful. It flushed the state var. Use it always after a possible paged search.
-	 * @return boolean|null true on success, null or false otherwise
-	 */
-	public function getPagedSearchResultState() {
-		$result = $this->pagedSearchedSuccessful;
-		$this->pagedSearchedSuccessful = null;
-		return $result;
-	}
-
-	/**
-	 * Prepares a paged search, if possible
-	 * @param string $filter the LDAP filter for the search
-	 * @param string[] $bases an array containing the LDAP subtree(s) that shall be searched
-	 * @param string[] $attr optional, when a certain attribute shall be filtered outside
-	 * @param int $limit
-	 * @param int $offset
-	 * @return bool|true
-	 */
-	private function initPagedSearch($filter, $bases, $attr, $limit, $offset) {
-		$pagedSearchOK = false;
-		if($this->connection->hasPagedResultSupport && ($limit !== 0)) {
-			$offset = (int)$offset; //can be null
-			\OCP\Util::writeLog('user_ldap',
-				'initializing paged search for  Filter '.$filter.' base '.print_r($bases, true)
-				.' attr '.print_r($attr, true). ' limit ' .$limit.' offset '.$offset,
-				\OCP\Util::DEBUG);
-			//get the cookie from the search for the previous search, required by LDAP
-			foreach($bases as $base) {
-
-				$cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset);
-				if(empty($cookie) && $cookie !== "0" && ($offset > 0)) {
-					// no cookie known from a potential previous search. We need
-					// to start from 0 to come to the desired page. cookie value
-					// of '0' is valid, because 389ds
-					$reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit;
-					$this->search($filter, array($base), $attr, $limit, $reOffset, true);
-					$cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset);
-					//still no cookie? obviously, the server does not like us. Let's skip paging efforts.
-					// '0' is valid, because 389ds
-					//TODO: remember this, probably does not change in the next request...
-					if(empty($cookie) && $cookie !== '0') {
-						$cookie = null;
-					}
-				}
-				if(!is_null($cookie)) {
-					//since offset = 0, this is a new search. We abandon other searches that might be ongoing.
-					$this->abandonPagedSearch();
-					$pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult',
-						$this->connection->getConnectionResource(), $limit,
-						false, $cookie);
-					if(!$pagedSearchOK) {
-						return false;
-					}
-					\OCP\Util::writeLog('user_ldap', 'Ready for a paged search', \OCP\Util::DEBUG);
-				} else {
-					$e = new \Exception('No paged search possible, Limit '.$limit.' Offset '.$offset);
-					\OC::$server->getLogger()->logException($e, ['level' => Util::DEBUG]);
-				}
-
-			}
-		/* ++ Fixing RHDS searches with pages with zero results ++
+            \OC::$server->getLogger()->info(
+                'Passed string does not resemble a valid GUID. Known UUID ' .
+                '({uuid}) probably does not match UUID configuration.',
+                [ 'app' => 'user_ldap', 'uuid' => $guid ]
+            );
+            return $guid;
+        }
+        for($i=0; $i < 3; $i++) {
+            $pairs = str_split($blocks[$i], 2);
+            $pairs = array_reverse($pairs);
+            $blocks[$i] = implode('', $pairs);
+        }
+        for($i=0; $i < 5; $i++) {
+            $pairs = str_split($blocks[$i], 2);
+            $blocks[$i] = '\\' . implode('\\', $pairs);
+        }
+        return implode('', $blocks);
+    }
+
+    /**
+     * gets a SID of the domain of the given dn
+     * @param string $dn
+     * @return string|bool
+     */
+    public function getSID($dn) {
+        $domainDN = $this->getDomainDNFromDN($dn);
+        $cacheKey = 'getSID-'.$domainDN;
+        $sid = $this->connection->getFromCache($cacheKey);
+        if(!is_null($sid)) {
+            return $sid;
+        }
+
+        $objectSid = $this->readAttribute($domainDN, 'objectsid');
+        if(!is_array($objectSid) || empty($objectSid)) {
+            $this->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+        $domainObjectSid = $this->convertSID2Str($objectSid[0]);
+        $this->connection->writeToCache($cacheKey, $domainObjectSid);
+
+        return $domainObjectSid;
+    }
+
+    /**
+     * converts a binary SID into a string representation
+     * @param string $sid
+     * @return string
+     */
+    public function convertSID2Str($sid) {
+        // The format of a SID binary string is as follows:
+        // 1 byte for the revision level
+        // 1 byte for the number n of variable sub-ids
+        // 6 bytes for identifier authority value
+        // n*4 bytes for n sub-ids
+        //
+        // Example: 010400000000000515000000a681e50e4d6c6c2bca32055f
+        //  Legend: RRNNAAAAAAAAAAAA11111111222222223333333344444444
+        $revision = ord($sid[0]);
+        $numberSubID = ord($sid[1]);
+
+        $subIdStart = 8; // 1 + 1 + 6
+        $subIdLength = 4;
+        if (strlen($sid) !== $subIdStart + $subIdLength * $numberSubID) {
+            // Incorrect number of bytes present.
+            return '';
+        }
+
+        // 6 bytes = 48 bits can be represented using floats without loss of
+        // precision (see https://gist.github.com/bantu/886ac680b0aef5812f71)
+        $iav = number_format(hexdec(bin2hex(substr($sid, 2, 6))), 0, '', '');
+
+        $subIDs = array();
+        for ($i = 0; $i < $numberSubID; $i++) {
+            $subID = unpack('V', substr($sid, $subIdStart + $subIdLength * $i, $subIdLength));
+            $subIDs[] = sprintf('%u', $subID[1]);
+        }
+
+        // Result for example above: S-1-5-21-249921958-728525901-1594176202
+        return sprintf('S-%d-%s-%s', $revision, $iav, implode('-', $subIDs));
+    }
+
+    /**
+     * checks if the given DN is part of the given base DN(s)
+     * @param string $dn the DN
+     * @param string[] $bases array containing the allowed base DN or DNs
+     * @return bool
+     */
+    public function isDNPartOfBase($dn, $bases) {
+        $belongsToBase = false;
+        $bases = $this->helper->sanitizeDN($bases);
+
+        foreach($bases as $base) {
+            $belongsToBase = true;
+            if(mb_strripos($dn, $base, 0, 'UTF-8') !== (mb_strlen($dn, 'UTF-8')-mb_strlen($base, 'UTF-8'))) {
+                $belongsToBase = false;
+            }
+            if($belongsToBase) {
+                break;
+            }
+        }
+        return $belongsToBase;
+    }
+
+    /**
+     * resets a running Paged Search operation
+     */
+    private function abandonPagedSearch() {
+        if($this->connection->hasPagedResultSupport) {
+            $cr = $this->connection->getConnectionResource();
+            $this->invokeLDAPMethod('controlPagedResult', $cr, 0, false, $this->lastCookie);
+            $this->getPagedSearchResultState();
+            $this->lastCookie = '';
+            $this->cookies = array();
+        }
+    }
+
+    /**
+     * get a cookie for the next LDAP paged search
+     * @param string $base a string with the base DN for the search
+     * @param string $filter the search filter to identify the correct search
+     * @param int $limit the limit (or 'pageSize'), to identify the correct search well
+     * @param int $offset the offset for the new search to identify the correct search really good
+     * @return string containing the key or empty if none is cached
+     */
+    private function getPagedResultCookie($base, $filter, $limit, $offset) {
+        if($offset === 0) {
+            return '';
+        }
+        $offset -= $limit;
+        //we work with cache here
+        $cacheKey = 'lc' . crc32($base) . '-' . crc32($filter) . '-' . (int)$limit . '-' . (int)$offset;
+        $cookie = '';
+        if(isset($this->cookies[$cacheKey])) {
+            $cookie = $this->cookies[$cacheKey];
+            if(is_null($cookie)) {
+                $cookie = '';
+            }
+        }
+        return $cookie;
+    }
+
+    /**
+     * checks whether an LDAP paged search operation has more pages that can be
+     * retrieved, typically when offset and limit are provided.
+     *
+     * Be very careful to use it: the last cookie value, which is inspected, can
+     * be reset by other operations. Best, call it immediately after a search(),
+     * searchUsers() or searchGroups() call. count-methods are probably safe as
+     * well. Don't rely on it with any fetchList-method.
+     * @return bool
+     */
+    public function hasMoreResults() {
+        if(!$this->connection->hasPagedResultSupport) {
+            return false;
+        }
+
+        if(empty($this->lastCookie) && $this->lastCookie !== '0') {
+            // as in RFC 2696, when all results are returned, the cookie will
+            // be empty.
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * set a cookie for LDAP paged search run
+     * @param string $base a string with the base DN for the search
+     * @param string $filter the search filter to identify the correct search
+     * @param int $limit the limit (or 'pageSize'), to identify the correct search well
+     * @param int $offset the offset for the run search to identify the correct search really good
+     * @param string $cookie string containing the cookie returned by ldap_control_paged_result_response
+     * @return void
+     */
+    private function setPagedResultCookie($base, $filter, $limit, $offset, $cookie) {
+        // allow '0' for 389ds
+        if(!empty($cookie) || $cookie === '0') {
+            $cacheKey = 'lc' . crc32($base) . '-' . crc32($filter) . '-' . (int)$limit . '-' . (int)$offset;
+            $this->cookies[$cacheKey] = $cookie;
+            $this->lastCookie = $cookie;
+        }
+    }
+
+    /**
+     * Check whether the most recent paged search was successful. It flushed the state var. Use it always after a possible paged search.
+     * @return boolean|null true on success, null or false otherwise
+     */
+    public function getPagedSearchResultState() {
+        $result = $this->pagedSearchedSuccessful;
+        $this->pagedSearchedSuccessful = null;
+        return $result;
+    }
+
+    /**
+     * Prepares a paged search, if possible
+     * @param string $filter the LDAP filter for the search
+     * @param string[] $bases an array containing the LDAP subtree(s) that shall be searched
+     * @param string[] $attr optional, when a certain attribute shall be filtered outside
+     * @param int $limit
+     * @param int $offset
+     * @return bool|true
+     */
+    private function initPagedSearch($filter, $bases, $attr, $limit, $offset) {
+        $pagedSearchOK = false;
+        if($this->connection->hasPagedResultSupport && ($limit !== 0)) {
+            $offset = (int)$offset; //can be null
+            \OCP\Util::writeLog('user_ldap',
+                'initializing paged search for  Filter '.$filter.' base '.print_r($bases, true)
+                .' attr '.print_r($attr, true). ' limit ' .$limit.' offset '.$offset,
+                \OCP\Util::DEBUG);
+            //get the cookie from the search for the previous search, required by LDAP
+            foreach($bases as $base) {
+
+                $cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset);
+                if(empty($cookie) && $cookie !== "0" && ($offset > 0)) {
+                    // no cookie known from a potential previous search. We need
+                    // to start from 0 to come to the desired page. cookie value
+                    // of '0' is valid, because 389ds
+                    $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit;
+                    $this->search($filter, array($base), $attr, $limit, $reOffset, true);
+                    $cookie = $this->getPagedResultCookie($base, $filter, $limit, $offset);
+                    //still no cookie? obviously, the server does not like us. Let's skip paging efforts.
+                    // '0' is valid, because 389ds
+                    //TODO: remember this, probably does not change in the next request...
+                    if(empty($cookie) && $cookie !== '0') {
+                        $cookie = null;
+                    }
+                }
+                if(!is_null($cookie)) {
+                    //since offset = 0, this is a new search. We abandon other searches that might be ongoing.
+                    $this->abandonPagedSearch();
+                    $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult',
+                        $this->connection->getConnectionResource(), $limit,
+                        false, $cookie);
+                    if(!$pagedSearchOK) {
+                        return false;
+                    }
+                    \OCP\Util::writeLog('user_ldap', 'Ready for a paged search', \OCP\Util::DEBUG);
+                } else {
+                    $e = new \Exception('No paged search possible, Limit '.$limit.' Offset '.$offset);
+                    \OC::$server->getLogger()->logException($e, ['level' => Util::DEBUG]);
+                }
+
+            }
+        /* ++ Fixing RHDS searches with pages with zero results ++
 		 * We coudn't get paged searches working with our RHDS for login ($limit = 0),
 		 * due to pages with zero results.
 		 * So we added "&& !empty($this->lastCookie)" to this test to ignore pagination
 		 * if we don't have a previous paged search.
 		 */
-		} else if($this->connection->hasPagedResultSupport && $limit === 0 && !empty($this->lastCookie)) {
-			// a search without limit was requested. However, if we do use
-			// Paged Search once, we always must do it. This requires us to
-			// initialize it with the configured page size.
-			$this->abandonPagedSearch();
-			// in case someone set it to 0 … use 500, otherwise no results will
-			// be returned.
-			$pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500;
-			$pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult',
-				$this->connection->getConnectionResource(),
-				$pageSize, false, '');
-		}
-
-		return $pagedSearchOK;
-	}
+        } else if($this->connection->hasPagedResultSupport && $limit === 0 && !empty($this->lastCookie)) {
+            // a search without limit was requested. However, if we do use
+            // Paged Search once, we always must do it. This requires us to
+            // initialize it with the configured page size.
+            $this->abandonPagedSearch();
+            // in case someone set it to 0 … use 500, otherwise no results will
+            // be returned.
+            $pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500;
+            $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult',
+                $this->connection->getConnectionResource(),
+                $pageSize, false, '');
+        }
+
+        return $pagedSearchOK;
+    }
 
 }

Please login to merge, or discard this patch.

apps/user_ldap/lib/Group_LDAP.php 2 patches

Indentation +1139 added lines, -1139 removed lines patch added patch discarded remove patch

@@ -45,1144 +45,1144 @@
 block discarded – undo
 use OCP\GroupInterface;
 
 class Group_LDAP extends BackendUtility implements \OCP\GroupInterface, IGroupLDAP {
-	protected $enabled = false;
-
-	/**
-	 * @var string[] $cachedGroupMembers array of users with gid as key
-	 */
-	protected $cachedGroupMembers;
-
-	/**
-	 * @var string[] $cachedGroupsByMember array of groups with uid as key
-	 */
-	protected $cachedGroupsByMember;
-
-	/** @var GroupPluginManager */
-	protected $groupPluginManager;
-
-	public function __construct(Access $access, GroupPluginManager $groupPluginManager) {
-		parent::__construct($access);
-		$filter = $this->access->connection->ldapGroupFilter;
-		$gassoc = $this->access->connection->ldapGroupMemberAssocAttr;
-		if(!empty($filter) && !empty($gassoc)) {
-			$this->enabled = true;
-		}
-
-		$this->cachedGroupMembers = new CappedMemoryCache();
-		$this->cachedGroupsByMember = new CappedMemoryCache();
-		$this->groupPluginManager = $groupPluginManager;
-	}
-
-	/**
-	 * is user in group?
-	 * @param string $uid uid of the user
-	 * @param string $gid gid of the group
-	 * @return bool
-	 *
-	 * Checks whether the user is member of a group or not.
-	 */
-	public function inGroup($uid, $gid) {
-		if(!$this->enabled) {
-			return false;
-		}
-		$cacheKey = 'inGroup'.$uid.':'.$gid;
-		$inGroup = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($inGroup)) {
-			return (bool)$inGroup;
-		}
-
-		$userDN = $this->access->username2dn($uid);
-
-		if(isset($this->cachedGroupMembers[$gid])) {
-			$isInGroup = in_array($userDN, $this->cachedGroupMembers[$gid]);
-			return $isInGroup;
-		}
-
-		$cacheKeyMembers = 'inGroup-members:'.$gid;
-		$members = $this->access->connection->getFromCache($cacheKeyMembers);
-		if(!is_null($members)) {
-			$this->cachedGroupMembers[$gid] = $members;
-			$isInGroup = in_array($userDN, $members);
-			$this->access->connection->writeToCache($cacheKey, $isInGroup);
-			return $isInGroup;
-		}
-
-		$groupDN = $this->access->groupname2dn($gid);
-		// just in case
-		if(!$groupDN || !$userDN) {
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		//check primary group first
-		if($gid === $this->getUserPrimaryGroup($userDN)) {
-			$this->access->connection->writeToCache($cacheKey, true);
-			return true;
-		}
-
-		//usually, LDAP attributes are said to be case insensitive. But there are exceptions of course.
-		$members = $this->_groupMembers($groupDN);
-		$members = array_keys($members); // uids are returned as keys
-		if(!is_array($members) || count($members) === 0) {
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		//extra work if we don't get back user DNs
-		if(strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
-			$dns = array();
-			$filterParts = array();
-			$bytes = 0;
-			foreach($members as $mid) {
-				$filter = str_replace('%uid', $mid, $this->access->connection->ldapLoginFilter);
-				$filterParts[] = $filter;
-				$bytes += strlen($filter);
-				if($bytes >= 9000000) {
-					// AD has a default input buffer of 10 MB, we do not want
-					// to take even the chance to exceed it
-					$filter = $this->access->combineFilterWithOr($filterParts);
-					$bytes = 0;
-					$filterParts = array();
-					$users = $this->access->fetchListOfUsers($filter, 'dn', count($filterParts));
-					$dns = array_merge($dns, $users);
-				}
-			}
-			if(count($filterParts) > 0) {
-				$filter = $this->access->combineFilterWithOr($filterParts);
-				$users = $this->access->fetchListOfUsers($filter, 'dn', count($filterParts));
-				$dns = array_merge($dns, $users);
-			}
-			$members = $dns;
-		}
-
-		$isInGroup = in_array($userDN, $members);
-		$this->access->connection->writeToCache($cacheKey, $isInGroup);
-		$this->access->connection->writeToCache($cacheKeyMembers, $members);
-		$this->cachedGroupMembers[$gid] = $members;
-
-		return $isInGroup;
-	}
-
-	/**
-	 * @param string $dnGroup
-	 * @return array
-	 *
-	 * For a group that has user membership defined by an LDAP search url attribute returns the users
-	 * that match the search url otherwise returns an empty array.
-	 */
-	public function getDynamicGroupMembers($dnGroup) {
-		$dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
-
-		if (empty($dynamicGroupMemberURL)) {
-			return array();
-		}
-
-		$dynamicMembers = array();
-		$memberURLs = $this->access->readAttribute(
-			$dnGroup,
-			$dynamicGroupMemberURL,
-			$this->access->connection->ldapGroupFilter
-		);
-		if ($memberURLs !== false) {
-			// this group has the 'memberURL' attribute so this is a dynamic group
-			// example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
-			// example 2: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(&(o=HeadOffice)(uidNumber>=500))
-			$pos = strpos($memberURLs[0], '(');
-			if ($pos !== false) {
-				$memberUrlFilter = substr($memberURLs[0], $pos);
-				$foundMembers = $this->access->searchUsers($memberUrlFilter,'dn');
-				$dynamicMembers = array();
-				foreach($foundMembers as $value) {
-					$dynamicMembers[$value['dn'][0]] = 1;
-				}
-			} else {
-				\OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
-					'of group ' . $dnGroup, \OCP\Util::DEBUG);
-			}
-		}
-		return $dynamicMembers;
-	}
-
-	/**
-	 * @param string $dnGroup
-	 * @param array|null &$seen
-	 * @return array|mixed|null
-	 */
-	private function _groupMembers($dnGroup, &$seen = null) {
-		if ($seen === null) {
-			$seen = array();
-		}
-		$allMembers = array();
-		if (array_key_exists($dnGroup, $seen)) {
-			// avoid loops
-			return array();
-		}
-		// used extensively in cron job, caching makes sense for nested groups
-		$cacheKey = '_groupMembers'.$dnGroup;
-		$groupMembers = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupMembers)) {
-			return $groupMembers;
-		}
-		$seen[$dnGroup] = 1;
-		$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr,
-												$this->access->connection->ldapGroupFilter);
-		if (is_array($members)) {
-			foreach ($members as $memberDN) {
-				$allMembers[$memberDN] = 1;
-				$nestedGroups = $this->access->connection->ldapNestedGroups;
-				if (!empty($nestedGroups)) {
-					$subMembers = $this->_groupMembers($memberDN, $seen);
-					if ($subMembers) {
-						$allMembers = array_merge($allMembers, $subMembers);
-					}
-				}
-			}
-		}
-
-		$allMembers = array_merge($allMembers, $this->getDynamicGroupMembers($dnGroup));
-
-		$this->access->connection->writeToCache($cacheKey, $allMembers);
-		return $allMembers;
-	}
-
-	/**
-	 * @param string $DN
-	 * @param array|null &$seen
-	 * @return array
-	 */
-	private function _getGroupDNsFromMemberOf($DN, &$seen = null) {
-		if ($seen === null) {
-			$seen = array();
-		}
-		if (array_key_exists($DN, $seen)) {
-			// avoid loops
-			return array();
-		}
-		$seen[$DN] = 1;
-		$groups = $this->access->readAttribute($DN, 'memberOf');
-		if (!is_array($groups)) {
-			return array();
-		}
-		$groups = $this->access->groupsMatchFilter($groups);
-		$allGroups =  $groups;
-		$nestedGroups = $this->access->connection->ldapNestedGroups;
-		if ((int)$nestedGroups === 1) {
-			foreach ($groups as $group) {
-				$subGroups = $this->_getGroupDNsFromMemberOf($group, $seen);
-				$allGroups = array_merge($allGroups, $subGroups);
-			}
-		}
-		return $allGroups;
-	}
-
-	/**
-	 * translates a gidNumber into an ownCloud internal name
-	 * @param string $gid as given by gidNumber on POSIX LDAP
-	 * @param string $dn a DN that belongs to the same domain as the group
-	 * @return string|bool
-	 */
-	public function gidNumber2Name($gid, $dn) {
-		$cacheKey = 'gidNumberToName' . $gid;
-		$groupName = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupName) && isset($groupName)) {
-			return $groupName;
-		}
-
-		//we need to get the DN from LDAP
-		$filter = $this->access->combineFilterWithAnd([
-			$this->access->connection->ldapGroupFilter,
-			'objectClass=posixGroup',
-			$this->access->connection->ldapGidNumber . '=' . $gid
-		]);
-		$result = $this->access->searchGroups($filter, array('dn'), 1);
-		if(empty($result)) {
-			return false;
-		}
-		$dn = $result[0]['dn'][0];
-
-		//and now the group name
-		//NOTE once we have separate ownCloud group IDs and group names we can
-		//directly read the display name attribute instead of the DN
-		$name = $this->access->dn2groupname($dn);
-
-		$this->access->connection->writeToCache($cacheKey, $name);
-
-		return $name;
-	}
-
-	/**
-	 * returns the entry's gidNumber
-	 * @param string $dn
-	 * @param string $attribute
-	 * @return string|bool
-	 */
-	private function getEntryGidNumber($dn, $attribute) {
-		$value = $this->access->readAttribute($dn, $attribute);
-		if(is_array($value) && !empty($value)) {
-			return $value[0];
-		}
-		return false;
-	}
-
-	/**
-	 * returns the group's primary ID
-	 * @param string $dn
-	 * @return string|bool
-	 */
-	public function getGroupGidNumber($dn) {
-		return $this->getEntryGidNumber($dn, 'gidNumber');
-	}
-
-	/**
-	 * returns the user's gidNumber
-	 * @param string $dn
-	 * @return string|bool
-	 */
-	public function getUserGidNumber($dn) {
-		$gidNumber = false;
-		if($this->access->connection->hasGidNumber) {
-			$gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
-			if($gidNumber === false) {
-				$this->access->connection->hasGidNumber = false;
-			}
-		}
-		return $gidNumber;
-	}
-
-	/**
-	 * returns a filter for a "users has specific gid" search or count operation
-	 *
-	 * @param string $groupDN
-	 * @param string $search
-	 * @return string
-	 * @throws \Exception
-	 */
-	private function prepareFilterForUsersHasGidNumber($groupDN, $search = '') {
-		$groupID = $this->getGroupGidNumber($groupDN);
-		if($groupID === false) {
-			throw new \Exception('Not a valid group');
-		}
-
-		$filterParts = [];
-		$filterParts[] = $this->access->getFilterForUserCount();
-		if ($search !== '') {
-			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
-		}
-		$filterParts[] = $this->access->connection->ldapGidNumber .'=' . $groupID;
-
-		return $this->access->combineFilterWithAnd($filterParts);
-	}
-
-	/**
-	 * returns a list of users that have the given group as gid number
-	 *
-	 * @param string $groupDN
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return string[]
-	 */
-	public function getUsersInGidNumber($groupDN, $search = '', $limit = -1, $offset = 0) {
-		try {
-			$filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
-			$users = $this->access->fetchListOfUsers(
-				$filter,
-				[$this->access->connection->ldapUserDisplayName, 'dn'],
-				$limit,
-				$offset
-			);
-			return $this->access->nextcloudUserNames($users);
-		} catch (\Exception $e) {
-			return [];
-		}
-	}
-
-	/**
-	 * returns the number of users that have the given group as gid number
-	 *
-	 * @param string $groupDN
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return int
-	 */
-	public function countUsersInGidNumber($groupDN, $search = '', $limit = -1, $offset = 0) {
-		try {
-			$filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
-			$users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
-			return (int)$users;
-		} catch (\Exception $e) {
-			return 0;
-		}
-	}
-
-	/**
-	 * gets the gidNumber of a user
-	 * @param string $dn
-	 * @return string
-	 */
-	public function getUserGroupByGid($dn) {
-		$groupID = $this->getUserGidNumber($dn);
-		if($groupID !== false) {
-			$groupName = $this->gidNumber2Name($groupID, $dn);
-			if($groupName !== false) {
-				return $groupName;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * translates a primary group ID into an Nextcloud internal name
-	 * @param string $gid as given by primaryGroupID on AD
-	 * @param string $dn a DN that belongs to the same domain as the group
-	 * @return string|bool
-	 */
-	public function primaryGroupID2Name($gid, $dn) {
-		$cacheKey = 'primaryGroupIDtoName';
-		$groupNames = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupNames) && isset($groupNames[$gid])) {
-			return $groupNames[$gid];
-		}
-
-		$domainObjectSid = $this->access->getSID($dn);
-		if($domainObjectSid === false) {
-			return false;
-		}
-
-		//we need to get the DN from LDAP
-		$filter = $this->access->combineFilterWithAnd(array(
-			$this->access->connection->ldapGroupFilter,
-			'objectsid=' . $domainObjectSid . '-' . $gid
-		));
-		$result = $this->access->searchGroups($filter, array('dn'), 1);
-		if(empty($result)) {
-			return false;
-		}
-		$dn = $result[0]['dn'][0];
-
-		//and now the group name
-		//NOTE once we have separate Nextcloud group IDs and group names we can
-		//directly read the display name attribute instead of the DN
-		$name = $this->access->dn2groupname($dn);
-
-		$this->access->connection->writeToCache($cacheKey, $name);
-
-		return $name;
-	}
-
-	/**
-	 * returns the entry's primary group ID
-	 * @param string $dn
-	 * @param string $attribute
-	 * @return string|bool
-	 */
-	private function getEntryGroupID($dn, $attribute) {
-		$value = $this->access->readAttribute($dn, $attribute);
-		if(is_array($value) && !empty($value)) {
-			return $value[0];
-		}
-		return false;
-	}
-
-	/**
-	 * returns the group's primary ID
-	 * @param string $dn
-	 * @return string|bool
-	 */
-	public function getGroupPrimaryGroupID($dn) {
-		return $this->getEntryGroupID($dn, 'primaryGroupToken');
-	}
-
-	/**
-	 * returns the user's primary group ID
-	 * @param string $dn
-	 * @return string|bool
-	 */
-	public function getUserPrimaryGroupIDs($dn) {
-		$primaryGroupID = false;
-		if($this->access->connection->hasPrimaryGroups) {
-			$primaryGroupID = $this->getEntryGroupID($dn, 'primaryGroupID');
-			if($primaryGroupID === false) {
-				$this->access->connection->hasPrimaryGroups = false;
-			}
-		}
-		return $primaryGroupID;
-	}
-
-	/**
-	 * returns a filter for a "users in primary group" search or count operation
-	 *
-	 * @param string $groupDN
-	 * @param string $search
-	 * @return string
-	 * @throws \Exception
-	 */
-	private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') {
-		$groupID = $this->getGroupPrimaryGroupID($groupDN);
-		if($groupID === false) {
-			throw new \Exception('Not a valid group');
-		}
-
-		$filterParts = [];
-		$filterParts[] = $this->access->getFilterForUserCount();
-		if ($search !== '') {
-			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
-		}
-		$filterParts[] = 'primaryGroupID=' . $groupID;
-
-		return $this->access->combineFilterWithAnd($filterParts);
-	}
-
-	/**
-	 * returns a list of users that have the given group as primary group
-	 *
-	 * @param string $groupDN
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return string[]
-	 */
-	public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
-		try {
-			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
-			$users = $this->access->fetchListOfUsers(
-				$filter,
-				array($this->access->connection->ldapUserDisplayName, 'dn'),
-				$limit,
-				$offset
-			);
-			return $this->access->nextcloudUserNames($users);
-		} catch (\Exception $e) {
-			return array();
-		}
-	}
-
-	/**
-	 * returns the number of users that have the given group as primary group
-	 *
-	 * @param string $groupDN
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return int
-	 */
-	public function countUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
-		try {
-			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
-			$users = $this->access->countUsers($filter, array('dn'), $limit, $offset);
-			return (int)$users;
-		} catch (\Exception $e) {
-			return 0;
-		}
-	}
-
-	/**
-	 * gets the primary group of a user
-	 * @param string $dn
-	 * @return string
-	 */
-	public function getUserPrimaryGroup($dn) {
-		$groupID = $this->getUserPrimaryGroupIDs($dn);
-		if($groupID !== false) {
-			$groupName = $this->primaryGroupID2Name($groupID, $dn);
-			if($groupName !== false) {
-				return $groupName;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * Get all groups a user belongs to
-	 * @param string $uid Name of the user
-	 * @return array with group names
-	 *
-	 * This function fetches all groups a user belongs to. It does not check
-	 * if the user exists at all.
-	 *
-	 * This function includes groups based on dynamic group membership.
-	 */
-	public function getUserGroups($uid) {
-		if(!$this->enabled) {
-			return array();
-		}
-		$cacheKey = 'getUserGroups'.$uid;
-		$userGroups = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($userGroups)) {
-			return $userGroups;
-		}
-		$userDN = $this->access->username2dn($uid);
-		if(!$userDN) {
-			$this->access->connection->writeToCache($cacheKey, array());
-			return array();
-		}
-
-		$groups = [];
-		$primaryGroup = $this->getUserPrimaryGroup($userDN);
-		$gidGroupName = $this->getUserGroupByGid($userDN);
-
-		$dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
-
-		if (!empty($dynamicGroupMemberURL)) {
-			// look through dynamic groups to add them to the result array if needed
-			$groupsToMatch = $this->access->fetchListOfGroups(
-				$this->access->connection->ldapGroupFilter,array('dn',$dynamicGroupMemberURL));
-			foreach($groupsToMatch as $dynamicGroup) {
-				if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
-					continue;
-				}
-				$pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
-				if ($pos !== false) {
-					$memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0],$pos);
-					// apply filter via ldap search to see if this user is in this
-					// dynamic group
-					$userMatch = $this->access->readAttribute(
-						$userDN,
-						$this->access->connection->ldapUserDisplayName,
-						$memberUrlFilter
-					);
-					if ($userMatch !== false) {
-						// match found so this user is in this group
-						$groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
-						if(is_string($groupName)) {
-							// be sure to never return false if the dn could not be
-							// resolved to a name, for whatever reason.
-							$groups[] = $groupName;
-						}
-					}
-				} else {
-					\OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
-						'of group ' . print_r($dynamicGroup, true), \OCP\Util::DEBUG);
-				}
-			}
-		}
-
-		// if possible, read out membership via memberOf. It's far faster than
-		// performing a search, which still is a fallback later.
-		// memberof doesn't support memberuid, so skip it here.
-		if((int)$this->access->connection->hasMemberOfFilterSupport === 1
-			&& (int)$this->access->connection->useMemberOfToDetectMembership === 1
-		    && strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
-		    ) {
-			$groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
-			if (is_array($groupDNs)) {
-				foreach ($groupDNs as $dn) {
-					$groupName = $this->access->dn2groupname($dn);
-					if(is_string($groupName)) {
-						// be sure to never return false if the dn could not be
-						// resolved to a name, for whatever reason.
-						$groups[] = $groupName;
-					}
-				}
-			}
-
-			if($primaryGroup !== false) {
-				$groups[] = $primaryGroup;
-			}
-			if($gidGroupName !== false) {
-				$groups[] = $gidGroupName;
-			}
-			$this->access->connection->writeToCache($cacheKey, $groups);
-			return $groups;
-		}
-
-		//uniqueMember takes DN, memberuid the uid, so we need to distinguish
-		if((strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'uniquemember')
-			|| (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'member')
-		) {
-			$uid = $userDN;
-		} else if(strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
-			$result = $this->access->readAttribute($userDN, 'uid');
-			if ($result === false) {
-				\OCP\Util::writeLog('user_ldap', 'No uid attribute found for DN ' . $userDN . ' on '.
-					$this->access->connection->ldapHost, \OCP\Util::DEBUG);
-			}
-			$uid = $result[0];
-		} else {
-			// just in case
-			$uid = $userDN;
-		}
-
-		if(isset($this->cachedGroupsByMember[$uid])) {
-			$groups = array_merge($groups, $this->cachedGroupsByMember[$uid]);
-		} else {
-			$groupsByMember = array_values($this->getGroupsByMember($uid));
-			$groupsByMember = $this->access->nextcloudGroupNames($groupsByMember);
-			$this->cachedGroupsByMember[$uid] = $groupsByMember;
-			$groups = array_merge($groups, $groupsByMember);
-		}
-
-		if($primaryGroup !== false) {
-			$groups[] = $primaryGroup;
-		}
-		if($gidGroupName !== false) {
-			$groups[] = $gidGroupName;
-		}
-
-		$groups = array_unique($groups, SORT_LOCALE_STRING);
-		$this->access->connection->writeToCache($cacheKey, $groups);
-
-		return $groups;
-	}
-
-	/**
-	 * @param string $dn
-	 * @param array|null &$seen
-	 * @return array
-	 */
-	private function getGroupsByMember($dn, &$seen = null) {
-		if ($seen === null) {
-			$seen = array();
-		}
-		$allGroups = array();
-		if (array_key_exists($dn, $seen)) {
-			// avoid loops
-			return array();
-		}
-		$seen[$dn] = true;
-		$filter = $this->access->combineFilterWithAnd(array(
-			$this->access->connection->ldapGroupFilter,
-			$this->access->connection->ldapGroupMemberAssocAttr.'='.$dn
-		));
-		$groups = $this->access->fetchListOfGroups($filter,
-			array($this->access->connection->ldapGroupDisplayName, 'dn'));
-		if (is_array($groups)) {
-			foreach ($groups as $groupobj) {
-				$groupDN = $groupobj['dn'][0];
-				$allGroups[$groupDN] = $groupobj;
-				$nestedGroups = $this->access->connection->ldapNestedGroups;
-				if (!empty($nestedGroups)) {
-					$supergroups = $this->getGroupsByMember($groupDN, $seen);
-					if (is_array($supergroups) && (count($supergroups)>0)) {
-						$allGroups = array_merge($allGroups, $supergroups);
-					}
-				}
-			}
-		}
-		return $allGroups;
-	}
-
-	/**
-	 * get a list of all users in a group
-	 *
-	 * @param string $gid
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return array with user ids
-	 */
-	public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
-		if(!$this->enabled) {
-			return array();
-		}
-		if(!$this->groupExists($gid)) {
-			return array();
-		}
-		$search = $this->access->escapeFilterPart($search, true);
-		$cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
-		// check for cache of the exact query
-		$groupUsers = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupUsers)) {
-			return $groupUsers;
-		}
-
-		// check for cache of the query without limit and offset
-		$groupUsers = $this->access->connection->getFromCache('usersInGroup-'.$gid.'-'.$search);
-		if(!is_null($groupUsers)) {
-			$groupUsers = array_slice($groupUsers, $offset, $limit);
-			$this->access->connection->writeToCache($cacheKey, $groupUsers);
-			return $groupUsers;
-		}
-
-		if($limit === -1) {
-			$limit = null;
-		}
-		$groupDN = $this->access->groupname2dn($gid);
-		if(!$groupDN) {
-			// group couldn't be found, return empty resultset
-			$this->access->connection->writeToCache($cacheKey, array());
-			return array();
-		}
-
-		$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
-		$posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
-		$members = array_keys($this->_groupMembers($groupDN));
-		if(!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
-			//in case users could not be retrieved, return empty result set
-			$this->access->connection->writeToCache($cacheKey, []);
-			return [];
-		}
-
-		$groupUsers = array();
-		$isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid');
-		$attrs = $this->access->userManager->getAttributes(true);
-		foreach($members as $member) {
-			if($isMemberUid) {
-				//we got uids, need to get their DNs to 'translate' them to user names
-				$filter = $this->access->combineFilterWithAnd(array(
-					str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
-					$this->access->getFilterPartForUserSearch($search)
-				));
-				$ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
-				if(count($ldap_users) < 1) {
-					continue;
-				}
-				$groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
-			} else {
-				//we got DNs, check if we need to filter by search or we can give back all of them
-				if ($search !== '') {
-					if(!$this->access->readAttribute($member,
-						$this->access->connection->ldapUserDisplayName,
-						$this->access->getFilterPartForUserSearch($search))) {
-						continue;
-					}
-				}
-				// dn2username will also check if the users belong to the allowed base
-				if($ocname = $this->access->dn2username($member)) {
-					$groupUsers[] = $ocname;
-				}
-			}
-		}
-
-		$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
-		natsort($groupUsers);
-		$this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers);
-		$groupUsers = array_slice($groupUsers, $offset, $limit);
-
-		$this->access->connection->writeToCache($cacheKey, $groupUsers);
-
-		return $groupUsers;
-	}
-
-	/**
-	 * returns the number of users in a group, who match the search term
-	 * @param string $gid the internal group name
-	 * @param string $search optional, a search string
-	 * @return int|bool
-	 */
-	public function countUsersInGroup($gid, $search = '') {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::COUNT_USERS)) {
-			return $this->groupPluginManager->countUsersInGroup($gid, $search);
-		}
-
-		$cacheKey = 'countUsersInGroup-'.$gid.'-'.$search;
-		if(!$this->enabled || !$this->groupExists($gid)) {
-			return false;
-		}
-		$groupUsers = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupUsers)) {
-			return $groupUsers;
-		}
-
-		$groupDN = $this->access->groupname2dn($gid);
-		if(!$groupDN) {
-			// group couldn't be found, return empty result set
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		$members = array_keys($this->_groupMembers($groupDN));
-		$primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
-		if(!$members && $primaryUserCount === 0) {
-			//in case users could not be retrieved, return empty result set
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		if ($search === '') {
-			$groupUsers = count($members) + $primaryUserCount;
-			$this->access->connection->writeToCache($cacheKey, $groupUsers);
-			return $groupUsers;
-		}
-		$search = $this->access->escapeFilterPart($search, true);
-		$isMemberUid =
-			(strtolower($this->access->connection->ldapGroupMemberAssocAttr)
-			=== 'memberuid');
-
-		//we need to apply the search filter
-		//alternatives that need to be checked:
-		//a) get all users by search filter and array_intersect them
-		//b) a, but only when less than 1k 10k ?k users like it is
-		//c) put all DNs|uids in a LDAP filter, combine with the search string
-		//   and let it count.
-		//For now this is not important, because the only use of this method
-		//does not supply a search string
-		$groupUsers = array();
-		foreach($members as $member) {
-			if($isMemberUid) {
-				//we got uids, need to get their DNs to 'translate' them to user names
-				$filter = $this->access->combineFilterWithAnd(array(
-					str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
-					$this->access->getFilterPartForUserSearch($search)
-				));
-				$ldap_users = $this->access->fetchListOfUsers($filter, 'dn', 1);
-				if(count($ldap_users) < 1) {
-					continue;
-				}
-				$groupUsers[] = $this->access->dn2username($ldap_users[0]);
-			} else {
-				//we need to apply the search filter now
-				if(!$this->access->readAttribute($member,
-					$this->access->connection->ldapUserDisplayName,
-					$this->access->getFilterPartForUserSearch($search))) {
-					continue;
-				}
-				// dn2username will also check if the users belong to the allowed base
-				if($ocname = $this->access->dn2username($member)) {
-					$groupUsers[] = $ocname;
-				}
-			}
-		}
-
-		//and get users that have the group as primary
-		$primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
-
-		return count($groupUsers) + $primaryUsers;
-	}
-
-	/**
-	 * get a list of all groups
-	 *
-	 * @param string $search
-	 * @param $limit
-	 * @param int $offset
-	 * @return array with group names
-	 *
-	 * Returns a list with all groups (used by getGroups)
-	 */
-	protected function getGroupsChunk($search = '', $limit = -1, $offset = 0) {
-		if(!$this->enabled) {
-			return array();
-		}
-		$cacheKey = 'getGroups-'.$search.'-'.$limit.'-'.$offset;
-
-		//Check cache before driving unnecessary searches
-		\OCP\Util::writeLog('user_ldap', 'getGroups '.$cacheKey, \OCP\Util::DEBUG);
-		$ldap_groups = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($ldap_groups)) {
-			return $ldap_groups;
-		}
-
-		// if we'd pass -1 to LDAP search, we'd end up in a Protocol
-		// error. With a limit of 0, we get 0 results. So we pass null.
-		if($limit <= 0) {
-			$limit = null;
-		}
-		$filter = $this->access->combineFilterWithAnd(array(
-			$this->access->connection->ldapGroupFilter,
-			$this->access->getFilterPartForGroupSearch($search)
-		));
-		\OCP\Util::writeLog('user_ldap', 'getGroups Filter '.$filter, \OCP\Util::DEBUG);
-		$ldap_groups = $this->access->fetchListOfGroups($filter,
-				array($this->access->connection->ldapGroupDisplayName, 'dn'),
-				$limit,
-				$offset);
-		$ldap_groups = $this->access->nextcloudGroupNames($ldap_groups);
-
-		$this->access->connection->writeToCache($cacheKey, $ldap_groups);
-		return $ldap_groups;
-	}
-
-	/**
-	 * get a list of all groups using a paged search
-	 *
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return array with group names
-	 *
-	 * Returns a list with all groups
-	 * Uses a paged search if available to override a
-	 * server side search limit.
-	 * (active directory has a limit of 1000 by default)
-	 */
-	public function getGroups($search = '', $limit = -1, $offset = 0) {
-		if(!$this->enabled) {
-			return array();
-		}
-		$search = $this->access->escapeFilterPart($search, true);
-		$pagingSize = (int)$this->access->connection->ldapPagingSize;
-		if (!$this->access->connection->hasPagedResultSupport || $pagingSize <= 0) {
-			return $this->getGroupsChunk($search, $limit, $offset);
-		}
-		$maxGroups = 100000; // limit max results (just for safety reasons)
-		if ($limit > -1) {
-		   $overallLimit = min($limit + $offset, $maxGroups);
-		} else {
-		   $overallLimit = $maxGroups;
-		}
-		$chunkOffset = $offset;
-		$allGroups = array();
-		while ($chunkOffset < $overallLimit) {
-			$chunkLimit = min($pagingSize, $overallLimit - $chunkOffset);
-			$ldapGroups = $this->getGroupsChunk($search, $chunkLimit, $chunkOffset);
-			$nread = count($ldapGroups);
-			\OCP\Util::writeLog('user_ldap', 'getGroups('.$search.'): read '.$nread.' at offset '.$chunkOffset.' (limit: '.$chunkLimit.')', \OCP\Util::DEBUG);
-			if ($nread) {
-				$allGroups = array_merge($allGroups, $ldapGroups);
-				$chunkOffset += $nread;
-			}
-			if ($nread < $chunkLimit) {
-				break;
-			}
-		}
-		return $allGroups;
-	}
-
-	/**
-	 * @param string $group
-	 * @return bool
-	 */
-	public function groupMatchesFilter($group) {
-		return (strripos($group, $this->groupSearch) !== false);
-	}
-
-	/**
-	 * check if a group exists
-	 * @param string $gid
-	 * @return bool
-	 */
-	public function groupExists($gid) {
-		$groupExists = $this->access->connection->getFromCache('groupExists'.$gid);
-		if(!is_null($groupExists)) {
-			return (bool)$groupExists;
-		}
-
-		//getting dn, if false the group does not exist. If dn, it may be mapped
-		//only, requires more checking.
-		$dn = $this->access->groupname2dn($gid);
-		if(!$dn) {
-			$this->access->connection->writeToCache('groupExists'.$gid, false);
-			return false;
-		}
-
-		//if group really still exists, we will be able to read its objectclass
-		if(!is_array($this->access->readAttribute($dn, ''))) {
-			$this->access->connection->writeToCache('groupExists'.$gid, false);
-			return false;
-		}
-
-		$this->access->connection->writeToCache('groupExists'.$gid, true);
-		return true;
-	}
-
-	/**
-	* Check if backend implements actions
-	* @param int $actions bitwise-or'ed actions
-	* @return boolean
-	*
-	* Returns the supported actions as int to be
-	* compared with GroupInterface::CREATE_GROUP etc.
-	*/
-	public function implementsActions($actions) {
-		return (bool)((GroupInterface::COUNT_USERS |
-				$this->groupPluginManager->getImplementedActions()) & $actions);
-	}
-
-	/**
-	 * Return access for LDAP interaction.
-	 * @return Access instance of Access for LDAP interaction
-	 */
-	public function getLDAPAccess($gid) {
-		return $this->access;
-	}
-
-	/**
-	 * create a group
-	 * @param string $gid
-	 * @return bool
-	 * @throws \Exception
-	 */
-	public function createGroup($gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::CREATE_GROUP)) {
-			if ($dn = $this->groupPluginManager->createGroup($gid)) {
-				//updates group mapping
-				$this->access->dn2ocname($dn, $gid, false);
-				$this->access->connection->writeToCache("groupExists".$gid, true);
-			}
-			return $dn != null;
-		}
-		throw new \Exception('Could not create group in LDAP backend.');
-	}
-
-	/**
-	 * delete a group
-	 * @param string $gid gid of the group to delete
-	 * @return bool
-	 * @throws \Exception
-	 */
-	public function deleteGroup($gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::DELETE_GROUP)) {
-			if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
-				#delete group in nextcloud internal db
-				$this->access->getGroupMapper()->unmap($gid);
-				$this->access->connection->writeToCache("groupExists".$gid, false);
-			}
-			return $ret;
-		}
-		throw new \Exception('Could not delete group in LDAP backend.');
-	}
-
-	/**
-	 * Add a user to a group
-	 * @param string $uid Name of the user to add to group
-	 * @param string $gid Name of the group in which add the user
-	 * @return bool
-	 * @throws \Exception
-	 */
-	public function addToGroup($uid, $gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::ADD_TO_GROUP)) {
-			if ($ret = $this->groupPluginManager->addToGroup($uid, $gid)) {
-				$this->access->connection->clearCache();
-			}
-			return $ret;
-		}
-		throw new \Exception('Could not add user to group in LDAP backend.');
-	}
-
-	/**
-	 * Removes a user from a group
-	 * @param string $uid Name of the user to remove from group
-	 * @param string $gid Name of the group from which remove the user
-	 * @return bool
-	 * @throws \Exception
-	 */
-	public function removeFromGroup($uid, $gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::REMOVE_FROM_GROUP)) {
-			if ($ret = $this->groupPluginManager->removeFromGroup($uid, $gid)) {
-				$this->access->connection->clearCache();
-			}
-			return $ret;
-		}
-		throw new \Exception('Could not remove user from group in LDAP backend.');
-	}
-
-	/**
-	 * Gets group details
-	 * @param string $gid Name of the group
-	 * @return array | false
-	 * @throws \Exception
-	 */
-	public function getGroupDetails($gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::GROUP_DETAILS)) {
-			return $this->groupPluginManager->getGroupDetails($gid);
-		}
-		throw new \Exception('Could not get group details in LDAP backend.');
-	}
-
-	/**
-	 * Return LDAP connection resource from a cloned connection.
-	 * The cloned connection needs to be closed manually.
-	 * of the current access.
-	 * @param string $gid
-	 * @return resource of the LDAP connection
-	 */
-	public function getNewLDAPConnection($gid) {
-		$connection = clone $this->access->getConnection();
-		return $connection->getConnectionResource();
-	}
+    protected $enabled = false;
+
+    /**
+     * @var string[] $cachedGroupMembers array of users with gid as key
+     */
+    protected $cachedGroupMembers;
+
+    /**
+     * @var string[] $cachedGroupsByMember array of groups with uid as key
+     */
+    protected $cachedGroupsByMember;
+
+    /** @var GroupPluginManager */
+    protected $groupPluginManager;
+
+    public function __construct(Access $access, GroupPluginManager $groupPluginManager) {
+        parent::__construct($access);
+        $filter = $this->access->connection->ldapGroupFilter;
+        $gassoc = $this->access->connection->ldapGroupMemberAssocAttr;
+        if(!empty($filter) && !empty($gassoc)) {
+            $this->enabled = true;
+        }
+
+        $this->cachedGroupMembers = new CappedMemoryCache();
+        $this->cachedGroupsByMember = new CappedMemoryCache();
+        $this->groupPluginManager = $groupPluginManager;
+    }
+
+    /**
+     * is user in group?
+     * @param string $uid uid of the user
+     * @param string $gid gid of the group
+     * @return bool
+     *
+     * Checks whether the user is member of a group or not.
+     */
+    public function inGroup($uid, $gid) {
+        if(!$this->enabled) {
+            return false;
+        }
+        $cacheKey = 'inGroup'.$uid.':'.$gid;
+        $inGroup = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($inGroup)) {
+            return (bool)$inGroup;
+        }
+
+        $userDN = $this->access->username2dn($uid);
+
+        if(isset($this->cachedGroupMembers[$gid])) {
+            $isInGroup = in_array($userDN, $this->cachedGroupMembers[$gid]);
+            return $isInGroup;
+        }
+
+        $cacheKeyMembers = 'inGroup-members:'.$gid;
+        $members = $this->access->connection->getFromCache($cacheKeyMembers);
+        if(!is_null($members)) {
+            $this->cachedGroupMembers[$gid] = $members;
+            $isInGroup = in_array($userDN, $members);
+            $this->access->connection->writeToCache($cacheKey, $isInGroup);
+            return $isInGroup;
+        }
+
+        $groupDN = $this->access->groupname2dn($gid);
+        // just in case
+        if(!$groupDN || !$userDN) {
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        //check primary group first
+        if($gid === $this->getUserPrimaryGroup($userDN)) {
+            $this->access->connection->writeToCache($cacheKey, true);
+            return true;
+        }
+
+        //usually, LDAP attributes are said to be case insensitive. But there are exceptions of course.
+        $members = $this->_groupMembers($groupDN);
+        $members = array_keys($members); // uids are returned as keys
+        if(!is_array($members) || count($members) === 0) {
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        //extra work if we don't get back user DNs
+        if(strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
+            $dns = array();
+            $filterParts = array();
+            $bytes = 0;
+            foreach($members as $mid) {
+                $filter = str_replace('%uid', $mid, $this->access->connection->ldapLoginFilter);
+                $filterParts[] = $filter;
+                $bytes += strlen($filter);
+                if($bytes >= 9000000) {
+                    // AD has a default input buffer of 10 MB, we do not want
+                    // to take even the chance to exceed it
+                    $filter = $this->access->combineFilterWithOr($filterParts);
+                    $bytes = 0;
+                    $filterParts = array();
+                    $users = $this->access->fetchListOfUsers($filter, 'dn', count($filterParts));
+                    $dns = array_merge($dns, $users);
+                }
+            }
+            if(count($filterParts) > 0) {
+                $filter = $this->access->combineFilterWithOr($filterParts);
+                $users = $this->access->fetchListOfUsers($filter, 'dn', count($filterParts));
+                $dns = array_merge($dns, $users);
+            }
+            $members = $dns;
+        }
+
+        $isInGroup = in_array($userDN, $members);
+        $this->access->connection->writeToCache($cacheKey, $isInGroup);
+        $this->access->connection->writeToCache($cacheKeyMembers, $members);
+        $this->cachedGroupMembers[$gid] = $members;
+
+        return $isInGroup;
+    }
+
+    /**
+     * @param string $dnGroup
+     * @return array
+     *
+     * For a group that has user membership defined by an LDAP search url attribute returns the users
+     * that match the search url otherwise returns an empty array.
+     */
+    public function getDynamicGroupMembers($dnGroup) {
+        $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
+
+        if (empty($dynamicGroupMemberURL)) {
+            return array();
+        }
+
+        $dynamicMembers = array();
+        $memberURLs = $this->access->readAttribute(
+            $dnGroup,
+            $dynamicGroupMemberURL,
+            $this->access->connection->ldapGroupFilter
+        );
+        if ($memberURLs !== false) {
+            // this group has the 'memberURL' attribute so this is a dynamic group
+            // example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
+            // example 2: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(&(o=HeadOffice)(uidNumber>=500))
+            $pos = strpos($memberURLs[0], '(');
+            if ($pos !== false) {
+                $memberUrlFilter = substr($memberURLs[0], $pos);
+                $foundMembers = $this->access->searchUsers($memberUrlFilter,'dn');
+                $dynamicMembers = array();
+                foreach($foundMembers as $value) {
+                    $dynamicMembers[$value['dn'][0]] = 1;
+                }
+            } else {
+                \OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
+                    'of group ' . $dnGroup, \OCP\Util::DEBUG);
+            }
+        }
+        return $dynamicMembers;
+    }
+
+    /**
+     * @param string $dnGroup
+     * @param array|null &$seen
+     * @return array|mixed|null
+     */
+    private function _groupMembers($dnGroup, &$seen = null) {
+        if ($seen === null) {
+            $seen = array();
+        }
+        $allMembers = array();
+        if (array_key_exists($dnGroup, $seen)) {
+            // avoid loops
+            return array();
+        }
+        // used extensively in cron job, caching makes sense for nested groups
+        $cacheKey = '_groupMembers'.$dnGroup;
+        $groupMembers = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($groupMembers)) {
+            return $groupMembers;
+        }
+        $seen[$dnGroup] = 1;
+        $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr,
+                                                $this->access->connection->ldapGroupFilter);
+        if (is_array($members)) {
+            foreach ($members as $memberDN) {
+                $allMembers[$memberDN] = 1;
+                $nestedGroups = $this->access->connection->ldapNestedGroups;
+                if (!empty($nestedGroups)) {
+                    $subMembers = $this->_groupMembers($memberDN, $seen);
+                    if ($subMembers) {
+                        $allMembers = array_merge($allMembers, $subMembers);
+                    }
+                }
+            }
+        }
+
+        $allMembers = array_merge($allMembers, $this->getDynamicGroupMembers($dnGroup));
+
+        $this->access->connection->writeToCache($cacheKey, $allMembers);
+        return $allMembers;
+    }
+
+    /**
+     * @param string $DN
+     * @param array|null &$seen
+     * @return array
+     */
+    private function _getGroupDNsFromMemberOf($DN, &$seen = null) {
+        if ($seen === null) {
+            $seen = array();
+        }
+        if (array_key_exists($DN, $seen)) {
+            // avoid loops
+            return array();
+        }
+        $seen[$DN] = 1;
+        $groups = $this->access->readAttribute($DN, 'memberOf');
+        if (!is_array($groups)) {
+            return array();
+        }
+        $groups = $this->access->groupsMatchFilter($groups);
+        $allGroups =  $groups;
+        $nestedGroups = $this->access->connection->ldapNestedGroups;
+        if ((int)$nestedGroups === 1) {
+            foreach ($groups as $group) {
+                $subGroups = $this->_getGroupDNsFromMemberOf($group, $seen);
+                $allGroups = array_merge($allGroups, $subGroups);
+            }
+        }
+        return $allGroups;
+    }
+
+    /**
+     * translates a gidNumber into an ownCloud internal name
+     * @param string $gid as given by gidNumber on POSIX LDAP
+     * @param string $dn a DN that belongs to the same domain as the group
+     * @return string|bool
+     */
+    public function gidNumber2Name($gid, $dn) {
+        $cacheKey = 'gidNumberToName' . $gid;
+        $groupName = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($groupName) && isset($groupName)) {
+            return $groupName;
+        }
+
+        //we need to get the DN from LDAP
+        $filter = $this->access->combineFilterWithAnd([
+            $this->access->connection->ldapGroupFilter,
+            'objectClass=posixGroup',
+            $this->access->connection->ldapGidNumber . '=' . $gid
+        ]);
+        $result = $this->access->searchGroups($filter, array('dn'), 1);
+        if(empty($result)) {
+            return false;
+        }
+        $dn = $result[0]['dn'][0];
+
+        //and now the group name
+        //NOTE once we have separate ownCloud group IDs and group names we can
+        //directly read the display name attribute instead of the DN
+        $name = $this->access->dn2groupname($dn);
+
+        $this->access->connection->writeToCache($cacheKey, $name);
+
+        return $name;
+    }
+
+    /**
+     * returns the entry's gidNumber
+     * @param string $dn
+     * @param string $attribute
+     * @return string|bool
+     */
+    private function getEntryGidNumber($dn, $attribute) {
+        $value = $this->access->readAttribute($dn, $attribute);
+        if(is_array($value) && !empty($value)) {
+            return $value[0];
+        }
+        return false;
+    }
+
+    /**
+     * returns the group's primary ID
+     * @param string $dn
+     * @return string|bool
+     */
+    public function getGroupGidNumber($dn) {
+        return $this->getEntryGidNumber($dn, 'gidNumber');
+    }
+
+    /**
+     * returns the user's gidNumber
+     * @param string $dn
+     * @return string|bool
+     */
+    public function getUserGidNumber($dn) {
+        $gidNumber = false;
+        if($this->access->connection->hasGidNumber) {
+            $gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
+            if($gidNumber === false) {
+                $this->access->connection->hasGidNumber = false;
+            }
+        }
+        return $gidNumber;
+    }
+
+    /**
+     * returns a filter for a "users has specific gid" search or count operation
+     *
+     * @param string $groupDN
+     * @param string $search
+     * @return string
+     * @throws \Exception
+     */
+    private function prepareFilterForUsersHasGidNumber($groupDN, $search = '') {
+        $groupID = $this->getGroupGidNumber($groupDN);
+        if($groupID === false) {
+            throw new \Exception('Not a valid group');
+        }
+
+        $filterParts = [];
+        $filterParts[] = $this->access->getFilterForUserCount();
+        if ($search !== '') {
+            $filterParts[] = $this->access->getFilterPartForUserSearch($search);
+        }
+        $filterParts[] = $this->access->connection->ldapGidNumber .'=' . $groupID;
+
+        return $this->access->combineFilterWithAnd($filterParts);
+    }
+
+    /**
+     * returns a list of users that have the given group as gid number
+     *
+     * @param string $groupDN
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return string[]
+     */
+    public function getUsersInGidNumber($groupDN, $search = '', $limit = -1, $offset = 0) {
+        try {
+            $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
+            $users = $this->access->fetchListOfUsers(
+                $filter,
+                [$this->access->connection->ldapUserDisplayName, 'dn'],
+                $limit,
+                $offset
+            );
+            return $this->access->nextcloudUserNames($users);
+        } catch (\Exception $e) {
+            return [];
+        }
+    }
+
+    /**
+     * returns the number of users that have the given group as gid number
+     *
+     * @param string $groupDN
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return int
+     */
+    public function countUsersInGidNumber($groupDN, $search = '', $limit = -1, $offset = 0) {
+        try {
+            $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
+            $users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
+            return (int)$users;
+        } catch (\Exception $e) {
+            return 0;
+        }
+    }
+
+    /**
+     * gets the gidNumber of a user
+     * @param string $dn
+     * @return string
+     */
+    public function getUserGroupByGid($dn) {
+        $groupID = $this->getUserGidNumber($dn);
+        if($groupID !== false) {
+            $groupName = $this->gidNumber2Name($groupID, $dn);
+            if($groupName !== false) {
+                return $groupName;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * translates a primary group ID into an Nextcloud internal name
+     * @param string $gid as given by primaryGroupID on AD
+     * @param string $dn a DN that belongs to the same domain as the group
+     * @return string|bool
+     */
+    public function primaryGroupID2Name($gid, $dn) {
+        $cacheKey = 'primaryGroupIDtoName';
+        $groupNames = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($groupNames) && isset($groupNames[$gid])) {
+            return $groupNames[$gid];
+        }
+
+        $domainObjectSid = $this->access->getSID($dn);
+        if($domainObjectSid === false) {
+            return false;
+        }
+
+        //we need to get the DN from LDAP
+        $filter = $this->access->combineFilterWithAnd(array(
+            $this->access->connection->ldapGroupFilter,
+            'objectsid=' . $domainObjectSid . '-' . $gid
+        ));
+        $result = $this->access->searchGroups($filter, array('dn'), 1);
+        if(empty($result)) {
+            return false;
+        }
+        $dn = $result[0]['dn'][0];
+
+        //and now the group name
+        //NOTE once we have separate Nextcloud group IDs and group names we can
+        //directly read the display name attribute instead of the DN
+        $name = $this->access->dn2groupname($dn);
+
+        $this->access->connection->writeToCache($cacheKey, $name);
+
+        return $name;
+    }
+
+    /**
+     * returns the entry's primary group ID
+     * @param string $dn
+     * @param string $attribute
+     * @return string|bool
+     */
+    private function getEntryGroupID($dn, $attribute) {
+        $value = $this->access->readAttribute($dn, $attribute);
+        if(is_array($value) && !empty($value)) {
+            return $value[0];
+        }
+        return false;
+    }
+
+    /**
+     * returns the group's primary ID
+     * @param string $dn
+     * @return string|bool
+     */
+    public function getGroupPrimaryGroupID($dn) {
+        return $this->getEntryGroupID($dn, 'primaryGroupToken');
+    }
+
+    /**
+     * returns the user's primary group ID
+     * @param string $dn
+     * @return string|bool
+     */
+    public function getUserPrimaryGroupIDs($dn) {
+        $primaryGroupID = false;
+        if($this->access->connection->hasPrimaryGroups) {
+            $primaryGroupID = $this->getEntryGroupID($dn, 'primaryGroupID');
+            if($primaryGroupID === false) {
+                $this->access->connection->hasPrimaryGroups = false;
+            }
+        }
+        return $primaryGroupID;
+    }
+
+    /**
+     * returns a filter for a "users in primary group" search or count operation
+     *
+     * @param string $groupDN
+     * @param string $search
+     * @return string
+     * @throws \Exception
+     */
+    private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') {
+        $groupID = $this->getGroupPrimaryGroupID($groupDN);
+        if($groupID === false) {
+            throw new \Exception('Not a valid group');
+        }
+
+        $filterParts = [];
+        $filterParts[] = $this->access->getFilterForUserCount();
+        if ($search !== '') {
+            $filterParts[] = $this->access->getFilterPartForUserSearch($search);
+        }
+        $filterParts[] = 'primaryGroupID=' . $groupID;
+
+        return $this->access->combineFilterWithAnd($filterParts);
+    }
+
+    /**
+     * returns a list of users that have the given group as primary group
+     *
+     * @param string $groupDN
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return string[]
+     */
+    public function getUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
+        try {
+            $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
+            $users = $this->access->fetchListOfUsers(
+                $filter,
+                array($this->access->connection->ldapUserDisplayName, 'dn'),
+                $limit,
+                $offset
+            );
+            return $this->access->nextcloudUserNames($users);
+        } catch (\Exception $e) {
+            return array();
+        }
+    }
+
+    /**
+     * returns the number of users that have the given group as primary group
+     *
+     * @param string $groupDN
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return int
+     */
+    public function countUsersInPrimaryGroup($groupDN, $search = '', $limit = -1, $offset = 0) {
+        try {
+            $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
+            $users = $this->access->countUsers($filter, array('dn'), $limit, $offset);
+            return (int)$users;
+        } catch (\Exception $e) {
+            return 0;
+        }
+    }
+
+    /**
+     * gets the primary group of a user
+     * @param string $dn
+     * @return string
+     */
+    public function getUserPrimaryGroup($dn) {
+        $groupID = $this->getUserPrimaryGroupIDs($dn);
+        if($groupID !== false) {
+            $groupName = $this->primaryGroupID2Name($groupID, $dn);
+            if($groupName !== false) {
+                return $groupName;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Get all groups a user belongs to
+     * @param string $uid Name of the user
+     * @return array with group names
+     *
+     * This function fetches all groups a user belongs to. It does not check
+     * if the user exists at all.
+     *
+     * This function includes groups based on dynamic group membership.
+     */
+    public function getUserGroups($uid) {
+        if(!$this->enabled) {
+            return array();
+        }
+        $cacheKey = 'getUserGroups'.$uid;
+        $userGroups = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($userGroups)) {
+            return $userGroups;
+        }
+        $userDN = $this->access->username2dn($uid);
+        if(!$userDN) {
+            $this->access->connection->writeToCache($cacheKey, array());
+            return array();
+        }
+
+        $groups = [];
+        $primaryGroup = $this->getUserPrimaryGroup($userDN);
+        $gidGroupName = $this->getUserGroupByGid($userDN);
+
+        $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
+
+        if (!empty($dynamicGroupMemberURL)) {
+            // look through dynamic groups to add them to the result array if needed
+            $groupsToMatch = $this->access->fetchListOfGroups(
+                $this->access->connection->ldapGroupFilter,array('dn',$dynamicGroupMemberURL));
+            foreach($groupsToMatch as $dynamicGroup) {
+                if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
+                    continue;
+                }
+                $pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
+                if ($pos !== false) {
+                    $memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0],$pos);
+                    // apply filter via ldap search to see if this user is in this
+                    // dynamic group
+                    $userMatch = $this->access->readAttribute(
+                        $userDN,
+                        $this->access->connection->ldapUserDisplayName,
+                        $memberUrlFilter
+                    );
+                    if ($userMatch !== false) {
+                        // match found so this user is in this group
+                        $groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
+                        if(is_string($groupName)) {
+                            // be sure to never return false if the dn could not be
+                            // resolved to a name, for whatever reason.
+                            $groups[] = $groupName;
+                        }
+                    }
+                } else {
+                    \OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
+                        'of group ' . print_r($dynamicGroup, true), \OCP\Util::DEBUG);
+                }
+            }
+        }
+
+        // if possible, read out membership via memberOf. It's far faster than
+        // performing a search, which still is a fallback later.
+        // memberof doesn't support memberuid, so skip it here.
+        if((int)$this->access->connection->hasMemberOfFilterSupport === 1
+            && (int)$this->access->connection->useMemberOfToDetectMembership === 1
+            && strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
+            ) {
+            $groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
+            if (is_array($groupDNs)) {
+                foreach ($groupDNs as $dn) {
+                    $groupName = $this->access->dn2groupname($dn);
+                    if(is_string($groupName)) {
+                        // be sure to never return false if the dn could not be
+                        // resolved to a name, for whatever reason.
+                        $groups[] = $groupName;
+                    }
+                }
+            }
+
+            if($primaryGroup !== false) {
+                $groups[] = $primaryGroup;
+            }
+            if($gidGroupName !== false) {
+                $groups[] = $gidGroupName;
+            }
+            $this->access->connection->writeToCache($cacheKey, $groups);
+            return $groups;
+        }
+
+        //uniqueMember takes DN, memberuid the uid, so we need to distinguish
+        if((strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'uniquemember')
+            || (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'member')
+        ) {
+            $uid = $userDN;
+        } else if(strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
+            $result = $this->access->readAttribute($userDN, 'uid');
+            if ($result === false) {
+                \OCP\Util::writeLog('user_ldap', 'No uid attribute found for DN ' . $userDN . ' on '.
+                    $this->access->connection->ldapHost, \OCP\Util::DEBUG);
+            }
+            $uid = $result[0];
+        } else {
+            // just in case
+            $uid = $userDN;
+        }
+
+        if(isset($this->cachedGroupsByMember[$uid])) {
+            $groups = array_merge($groups, $this->cachedGroupsByMember[$uid]);
+        } else {
+            $groupsByMember = array_values($this->getGroupsByMember($uid));
+            $groupsByMember = $this->access->nextcloudGroupNames($groupsByMember);
+            $this->cachedGroupsByMember[$uid] = $groupsByMember;
+            $groups = array_merge($groups, $groupsByMember);
+        }
+
+        if($primaryGroup !== false) {
+            $groups[] = $primaryGroup;
+        }
+        if($gidGroupName !== false) {
+            $groups[] = $gidGroupName;
+        }
+
+        $groups = array_unique($groups, SORT_LOCALE_STRING);
+        $this->access->connection->writeToCache($cacheKey, $groups);
+
+        return $groups;
+    }
+
+    /**
+     * @param string $dn
+     * @param array|null &$seen
+     * @return array
+     */
+    private function getGroupsByMember($dn, &$seen = null) {
+        if ($seen === null) {
+            $seen = array();
+        }
+        $allGroups = array();
+        if (array_key_exists($dn, $seen)) {
+            // avoid loops
+            return array();
+        }
+        $seen[$dn] = true;
+        $filter = $this->access->combineFilterWithAnd(array(
+            $this->access->connection->ldapGroupFilter,
+            $this->access->connection->ldapGroupMemberAssocAttr.'='.$dn
+        ));
+        $groups = $this->access->fetchListOfGroups($filter,
+            array($this->access->connection->ldapGroupDisplayName, 'dn'));
+        if (is_array($groups)) {
+            foreach ($groups as $groupobj) {
+                $groupDN = $groupobj['dn'][0];
+                $allGroups[$groupDN] = $groupobj;
+                $nestedGroups = $this->access->connection->ldapNestedGroups;
+                if (!empty($nestedGroups)) {
+                    $supergroups = $this->getGroupsByMember($groupDN, $seen);
+                    if (is_array($supergroups) && (count($supergroups)>0)) {
+                        $allGroups = array_merge($allGroups, $supergroups);
+                    }
+                }
+            }
+        }
+        return $allGroups;
+    }
+
+    /**
+     * get a list of all users in a group
+     *
+     * @param string $gid
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return array with user ids
+     */
+    public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
+        if(!$this->enabled) {
+            return array();
+        }
+        if(!$this->groupExists($gid)) {
+            return array();
+        }
+        $search = $this->access->escapeFilterPart($search, true);
+        $cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
+        // check for cache of the exact query
+        $groupUsers = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($groupUsers)) {
+            return $groupUsers;
+        }
+
+        // check for cache of the query without limit and offset
+        $groupUsers = $this->access->connection->getFromCache('usersInGroup-'.$gid.'-'.$search);
+        if(!is_null($groupUsers)) {
+            $groupUsers = array_slice($groupUsers, $offset, $limit);
+            $this->access->connection->writeToCache($cacheKey, $groupUsers);
+            return $groupUsers;
+        }
+
+        if($limit === -1) {
+            $limit = null;
+        }
+        $groupDN = $this->access->groupname2dn($gid);
+        if(!$groupDN) {
+            // group couldn't be found, return empty resultset
+            $this->access->connection->writeToCache($cacheKey, array());
+            return array();
+        }
+
+        $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
+        $posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
+        $members = array_keys($this->_groupMembers($groupDN));
+        if(!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
+            //in case users could not be retrieved, return empty result set
+            $this->access->connection->writeToCache($cacheKey, []);
+            return [];
+        }
+
+        $groupUsers = array();
+        $isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid');
+        $attrs = $this->access->userManager->getAttributes(true);
+        foreach($members as $member) {
+            if($isMemberUid) {
+                //we got uids, need to get their DNs to 'translate' them to user names
+                $filter = $this->access->combineFilterWithAnd(array(
+                    str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
+                    $this->access->getFilterPartForUserSearch($search)
+                ));
+                $ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
+                if(count($ldap_users) < 1) {
+                    continue;
+                }
+                $groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
+            } else {
+                //we got DNs, check if we need to filter by search or we can give back all of them
+                if ($search !== '') {
+                    if(!$this->access->readAttribute($member,
+                        $this->access->connection->ldapUserDisplayName,
+                        $this->access->getFilterPartForUserSearch($search))) {
+                        continue;
+                    }
+                }
+                // dn2username will also check if the users belong to the allowed base
+                if($ocname = $this->access->dn2username($member)) {
+                    $groupUsers[] = $ocname;
+                }
+            }
+        }
+
+        $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
+        natsort($groupUsers);
+        $this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers);
+        $groupUsers = array_slice($groupUsers, $offset, $limit);
+
+        $this->access->connection->writeToCache($cacheKey, $groupUsers);
+
+        return $groupUsers;
+    }
+
+    /**
+     * returns the number of users in a group, who match the search term
+     * @param string $gid the internal group name
+     * @param string $search optional, a search string
+     * @return int|bool
+     */
+    public function countUsersInGroup($gid, $search = '') {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::COUNT_USERS)) {
+            return $this->groupPluginManager->countUsersInGroup($gid, $search);
+        }
+
+        $cacheKey = 'countUsersInGroup-'.$gid.'-'.$search;
+        if(!$this->enabled || !$this->groupExists($gid)) {
+            return false;
+        }
+        $groupUsers = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($groupUsers)) {
+            return $groupUsers;
+        }
+
+        $groupDN = $this->access->groupname2dn($gid);
+        if(!$groupDN) {
+            // group couldn't be found, return empty result set
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        $members = array_keys($this->_groupMembers($groupDN));
+        $primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
+        if(!$members && $primaryUserCount === 0) {
+            //in case users could not be retrieved, return empty result set
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        if ($search === '') {
+            $groupUsers = count($members) + $primaryUserCount;
+            $this->access->connection->writeToCache($cacheKey, $groupUsers);
+            return $groupUsers;
+        }
+        $search = $this->access->escapeFilterPart($search, true);
+        $isMemberUid =
+            (strtolower($this->access->connection->ldapGroupMemberAssocAttr)
+            === 'memberuid');
+
+        //we need to apply the search filter
+        //alternatives that need to be checked:
+        //a) get all users by search filter and array_intersect them
+        //b) a, but only when less than 1k 10k ?k users like it is
+        //c) put all DNs|uids in a LDAP filter, combine with the search string
+        //   and let it count.
+        //For now this is not important, because the only use of this method
+        //does not supply a search string
+        $groupUsers = array();
+        foreach($members as $member) {
+            if($isMemberUid) {
+                //we got uids, need to get their DNs to 'translate' them to user names
+                $filter = $this->access->combineFilterWithAnd(array(
+                    str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
+                    $this->access->getFilterPartForUserSearch($search)
+                ));
+                $ldap_users = $this->access->fetchListOfUsers($filter, 'dn', 1);
+                if(count($ldap_users) < 1) {
+                    continue;
+                }
+                $groupUsers[] = $this->access->dn2username($ldap_users[0]);
+            } else {
+                //we need to apply the search filter now
+                if(!$this->access->readAttribute($member,
+                    $this->access->connection->ldapUserDisplayName,
+                    $this->access->getFilterPartForUserSearch($search))) {
+                    continue;
+                }
+                // dn2username will also check if the users belong to the allowed base
+                if($ocname = $this->access->dn2username($member)) {
+                    $groupUsers[] = $ocname;
+                }
+            }
+        }
+
+        //and get users that have the group as primary
+        $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
+
+        return count($groupUsers) + $primaryUsers;
+    }
+
+    /**
+     * get a list of all groups
+     *
+     * @param string $search
+     * @param $limit
+     * @param int $offset
+     * @return array with group names
+     *
+     * Returns a list with all groups (used by getGroups)
+     */
+    protected function getGroupsChunk($search = '', $limit = -1, $offset = 0) {
+        if(!$this->enabled) {
+            return array();
+        }
+        $cacheKey = 'getGroups-'.$search.'-'.$limit.'-'.$offset;
+
+        //Check cache before driving unnecessary searches
+        \OCP\Util::writeLog('user_ldap', 'getGroups '.$cacheKey, \OCP\Util::DEBUG);
+        $ldap_groups = $this->access->connection->getFromCache($cacheKey);
+        if(!is_null($ldap_groups)) {
+            return $ldap_groups;
+        }
+
+        // if we'd pass -1 to LDAP search, we'd end up in a Protocol
+        // error. With a limit of 0, we get 0 results. So we pass null.
+        if($limit <= 0) {
+            $limit = null;
+        }
+        $filter = $this->access->combineFilterWithAnd(array(
+            $this->access->connection->ldapGroupFilter,
+            $this->access->getFilterPartForGroupSearch($search)
+        ));
+        \OCP\Util::writeLog('user_ldap', 'getGroups Filter '.$filter, \OCP\Util::DEBUG);
+        $ldap_groups = $this->access->fetchListOfGroups($filter,
+                array($this->access->connection->ldapGroupDisplayName, 'dn'),
+                $limit,
+                $offset);
+        $ldap_groups = $this->access->nextcloudGroupNames($ldap_groups);
+
+        $this->access->connection->writeToCache($cacheKey, $ldap_groups);
+        return $ldap_groups;
+    }
+
+    /**
+     * get a list of all groups using a paged search
+     *
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return array with group names
+     *
+     * Returns a list with all groups
+     * Uses a paged search if available to override a
+     * server side search limit.
+     * (active directory has a limit of 1000 by default)
+     */
+    public function getGroups($search = '', $limit = -1, $offset = 0) {
+        if(!$this->enabled) {
+            return array();
+        }
+        $search = $this->access->escapeFilterPart($search, true);
+        $pagingSize = (int)$this->access->connection->ldapPagingSize;
+        if (!$this->access->connection->hasPagedResultSupport || $pagingSize <= 0) {
+            return $this->getGroupsChunk($search, $limit, $offset);
+        }
+        $maxGroups = 100000; // limit max results (just for safety reasons)
+        if ($limit > -1) {
+            $overallLimit = min($limit + $offset, $maxGroups);
+        } else {
+            $overallLimit = $maxGroups;
+        }
+        $chunkOffset = $offset;
+        $allGroups = array();
+        while ($chunkOffset < $overallLimit) {
+            $chunkLimit = min($pagingSize, $overallLimit - $chunkOffset);
+            $ldapGroups = $this->getGroupsChunk($search, $chunkLimit, $chunkOffset);
+            $nread = count($ldapGroups);
+            \OCP\Util::writeLog('user_ldap', 'getGroups('.$search.'): read '.$nread.' at offset '.$chunkOffset.' (limit: '.$chunkLimit.')', \OCP\Util::DEBUG);
+            if ($nread) {
+                $allGroups = array_merge($allGroups, $ldapGroups);
+                $chunkOffset += $nread;
+            }
+            if ($nread < $chunkLimit) {
+                break;
+            }
+        }
+        return $allGroups;
+    }
+
+    /**
+     * @param string $group
+     * @return bool
+     */
+    public function groupMatchesFilter($group) {
+        return (strripos($group, $this->groupSearch) !== false);
+    }
+
+    /**
+     * check if a group exists
+     * @param string $gid
+     * @return bool
+     */
+    public function groupExists($gid) {
+        $groupExists = $this->access->connection->getFromCache('groupExists'.$gid);
+        if(!is_null($groupExists)) {
+            return (bool)$groupExists;
+        }
+
+        //getting dn, if false the group does not exist. If dn, it may be mapped
+        //only, requires more checking.
+        $dn = $this->access->groupname2dn($gid);
+        if(!$dn) {
+            $this->access->connection->writeToCache('groupExists'.$gid, false);
+            return false;
+        }
+
+        //if group really still exists, we will be able to read its objectclass
+        if(!is_array($this->access->readAttribute($dn, ''))) {
+            $this->access->connection->writeToCache('groupExists'.$gid, false);
+            return false;
+        }
+
+        $this->access->connection->writeToCache('groupExists'.$gid, true);
+        return true;
+    }
+
+    /**
+     * Check if backend implements actions
+     * @param int $actions bitwise-or'ed actions
+     * @return boolean
+     *
+     * Returns the supported actions as int to be
+     * compared with GroupInterface::CREATE_GROUP etc.
+     */
+    public function implementsActions($actions) {
+        return (bool)((GroupInterface::COUNT_USERS |
+                $this->groupPluginManager->getImplementedActions()) & $actions);
+    }
+
+    /**
+     * Return access for LDAP interaction.
+     * @return Access instance of Access for LDAP interaction
+     */
+    public function getLDAPAccess($gid) {
+        return $this->access;
+    }
+
+    /**
+     * create a group
+     * @param string $gid
+     * @return bool
+     * @throws \Exception
+     */
+    public function createGroup($gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::CREATE_GROUP)) {
+            if ($dn = $this->groupPluginManager->createGroup($gid)) {
+                //updates group mapping
+                $this->access->dn2ocname($dn, $gid, false);
+                $this->access->connection->writeToCache("groupExists".$gid, true);
+            }
+            return $dn != null;
+        }
+        throw new \Exception('Could not create group in LDAP backend.');
+    }
+
+    /**
+     * delete a group
+     * @param string $gid gid of the group to delete
+     * @return bool
+     * @throws \Exception
+     */
+    public function deleteGroup($gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::DELETE_GROUP)) {
+            if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
+                #delete group in nextcloud internal db
+                $this->access->getGroupMapper()->unmap($gid);
+                $this->access->connection->writeToCache("groupExists".$gid, false);
+            }
+            return $ret;
+        }
+        throw new \Exception('Could not delete group in LDAP backend.');
+    }
+
+    /**
+     * Add a user to a group
+     * @param string $uid Name of the user to add to group
+     * @param string $gid Name of the group in which add the user
+     * @return bool
+     * @throws \Exception
+     */
+    public function addToGroup($uid, $gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::ADD_TO_GROUP)) {
+            if ($ret = $this->groupPluginManager->addToGroup($uid, $gid)) {
+                $this->access->connection->clearCache();
+            }
+            return $ret;
+        }
+        throw new \Exception('Could not add user to group in LDAP backend.');
+    }
+
+    /**
+     * Removes a user from a group
+     * @param string $uid Name of the user to remove from group
+     * @param string $gid Name of the group from which remove the user
+     * @return bool
+     * @throws \Exception
+     */
+    public function removeFromGroup($uid, $gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::REMOVE_FROM_GROUP)) {
+            if ($ret = $this->groupPluginManager->removeFromGroup($uid, $gid)) {
+                $this->access->connection->clearCache();
+            }
+            return $ret;
+        }
+        throw new \Exception('Could not remove user from group in LDAP backend.');
+    }
+
+    /**
+     * Gets group details
+     * @param string $gid Name of the group
+     * @return array | false
+     * @throws \Exception
+     */
+    public function getGroupDetails($gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::GROUP_DETAILS)) {
+            return $this->groupPluginManager->getGroupDetails($gid);
+        }
+        throw new \Exception('Could not get group details in LDAP backend.');
+    }
+
+    /**
+     * Return LDAP connection resource from a cloned connection.
+     * The cloned connection needs to be closed manually.
+     * of the current access.
+     * @param string $gid
+     * @return resource of the LDAP connection
+     */
+    public function getNewLDAPConnection($gid) {
+        $connection = clone $this->access->getConnection();
+        return $connection->getConnectionResource();
+    }
 
 }

Please login to merge, or discard this patch.

Spacing +94 added lines, -94 removed lines patch added patch discarded remove patch

@@ -64,7 +64,7 @@  discard block
 block discarded – undo
 		parent::__construct($access);
 		$filter = $this->access->connection->ldapGroupFilter;
 		$gassoc = $this->access->connection->ldapGroupMemberAssocAttr;
-		if(!empty($filter) && !empty($gassoc)) {
+		if (!empty($filter) && !empty($gassoc)) {
 			$this->enabled = true;
 		}
 
@@ -82,25 +82,25 @@  discard block
 block discarded – undo
 	 * Checks whether the user is member of a group or not.
 	 */
 	public function inGroup($uid, $gid) {
-		if(!$this->enabled) {
+		if (!$this->enabled) {
 			return false;
 		}
 		$cacheKey = 'inGroup'.$uid.':'.$gid;
 		$inGroup = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($inGroup)) {
-			return (bool)$inGroup;
+		if (!is_null($inGroup)) {
+			return (bool) $inGroup;
 		}
 
 		$userDN = $this->access->username2dn($uid);
 
-		if(isset($this->cachedGroupMembers[$gid])) {
+		if (isset($this->cachedGroupMembers[$gid])) {
 			$isInGroup = in_array($userDN, $this->cachedGroupMembers[$gid]);
 			return $isInGroup;
 		}
 
 		$cacheKeyMembers = 'inGroup-members:'.$gid;
 		$members = $this->access->connection->getFromCache($cacheKeyMembers);
-		if(!is_null($members)) {
+		if (!is_null($members)) {
 			$this->cachedGroupMembers[$gid] = $members;
 			$isInGroup = in_array($userDN, $members);
 			$this->access->connection->writeToCache($cacheKey, $isInGroup);
@@ -109,13 +109,13 @@  discard block
 block discarded – undo
 
 		$groupDN = $this->access->groupname2dn($gid);
 		// just in case
-		if(!$groupDN || !$userDN) {
+		if (!$groupDN || !$userDN) {
 			$this->access->connection->writeToCache($cacheKey, false);
 			return false;
 		}
 
 		//check primary group first
-		if($gid === $this->getUserPrimaryGroup($userDN)) {
+		if ($gid === $this->getUserPrimaryGroup($userDN)) {
 			$this->access->connection->writeToCache($cacheKey, true);
 			return true;
 		}
@@ -123,21 +123,21 @@  discard block
 block discarded – undo
 		//usually, LDAP attributes are said to be case insensitive. But there are exceptions of course.
 		$members = $this->_groupMembers($groupDN);
 		$members = array_keys($members); // uids are returned as keys
-		if(!is_array($members) || count($members) === 0) {
+		if (!is_array($members) || count($members) === 0) {
 			$this->access->connection->writeToCache($cacheKey, false);
 			return false;
 		}
 
 		//extra work if we don't get back user DNs
-		if(strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
+		if (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
 			$dns = array();
 			$filterParts = array();
 			$bytes = 0;
-			foreach($members as $mid) {
+			foreach ($members as $mid) {
 				$filter = str_replace('%uid', $mid, $this->access->connection->ldapLoginFilter);
 				$filterParts[] = $filter;
 				$bytes += strlen($filter);
-				if($bytes >= 9000000) {
+				if ($bytes >= 9000000) {
 					// AD has a default input buffer of 10 MB, we do not want
 					// to take even the chance to exceed it
 					$filter = $this->access->combineFilterWithOr($filterParts);
@@ -147,7 +147,7 @@  discard block
 block discarded – undo
 					$dns = array_merge($dns, $users);
 				}
 			}
-			if(count($filterParts) > 0) {
+			if (count($filterParts) > 0) {
 				$filter = $this->access->combineFilterWithOr($filterParts);
 				$users = $this->access->fetchListOfUsers($filter, 'dn', count($filterParts));
 				$dns = array_merge($dns, $users);
@@ -190,14 +190,14 @@  discard block
 block discarded – undo
 			$pos = strpos($memberURLs[0], '(');
 			if ($pos !== false) {
 				$memberUrlFilter = substr($memberURLs[0], $pos);
-				$foundMembers = $this->access->searchUsers($memberUrlFilter,'dn');
+				$foundMembers = $this->access->searchUsers($memberUrlFilter, 'dn');
 				$dynamicMembers = array();
-				foreach($foundMembers as $value) {
+				foreach ($foundMembers as $value) {
 					$dynamicMembers[$value['dn'][0]] = 1;
 				}
 			} else {
 				\OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
-					'of group ' . $dnGroup, \OCP\Util::DEBUG);
+					'of group '.$dnGroup, \OCP\Util::DEBUG);
 			}
 		}
 		return $dynamicMembers;
@@ -220,7 +220,7 @@  discard block
 block discarded – undo
 		// used extensively in cron job, caching makes sense for nested groups
 		$cacheKey = '_groupMembers'.$dnGroup;
 		$groupMembers = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupMembers)) {
+		if (!is_null($groupMembers)) {
 			return $groupMembers;
 		}
 		$seen[$dnGroup] = 1;
@@ -264,9 +264,9 @@  discard block
 block discarded – undo
 			return array();
 		}
 		$groups = $this->access->groupsMatchFilter($groups);
-		$allGroups =  $groups;
+		$allGroups = $groups;
 		$nestedGroups = $this->access->connection->ldapNestedGroups;
-		if ((int)$nestedGroups === 1) {
+		if ((int) $nestedGroups === 1) {
 			foreach ($groups as $group) {
 				$subGroups = $this->_getGroupDNsFromMemberOf($group, $seen);
 				$allGroups = array_merge($allGroups, $subGroups);
@@ -282,9 +282,9 @@  discard block
 block discarded – undo
 	 * @return string|bool
 	 */
 	public function gidNumber2Name($gid, $dn) {
-		$cacheKey = 'gidNumberToName' . $gid;
+		$cacheKey = 'gidNumberToName'.$gid;
 		$groupName = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupName) && isset($groupName)) {
+		if (!is_null($groupName) && isset($groupName)) {
 			return $groupName;
 		}
 
@@ -292,10 +292,10 @@  discard block
 block discarded – undo
 		$filter = $this->access->combineFilterWithAnd([
 			$this->access->connection->ldapGroupFilter,
 			'objectClass=posixGroup',
-			$this->access->connection->ldapGidNumber . '=' . $gid
+			$this->access->connection->ldapGidNumber.'='.$gid
 		]);
 		$result = $this->access->searchGroups($filter, array('dn'), 1);
-		if(empty($result)) {
+		if (empty($result)) {
 			return false;
 		}
 		$dn = $result[0]['dn'][0];
@@ -318,7 +318,7 @@  discard block
 block discarded – undo
 	 */
 	private function getEntryGidNumber($dn, $attribute) {
 		$value = $this->access->readAttribute($dn, $attribute);
-		if(is_array($value) && !empty($value)) {
+		if (is_array($value) && !empty($value)) {
 			return $value[0];
 		}
 		return false;
@@ -340,9 +340,9 @@  discard block
 block discarded – undo
 	 */
 	public function getUserGidNumber($dn) {
 		$gidNumber = false;
-		if($this->access->connection->hasGidNumber) {
+		if ($this->access->connection->hasGidNumber) {
 			$gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
-			if($gidNumber === false) {
+			if ($gidNumber === false) {
 				$this->access->connection->hasGidNumber = false;
 			}
 		}
@@ -359,7 +359,7 @@  discard block
 block discarded – undo
 	 */
 	private function prepareFilterForUsersHasGidNumber($groupDN, $search = '') {
 		$groupID = $this->getGroupGidNumber($groupDN);
-		if($groupID === false) {
+		if ($groupID === false) {
 			throw new \Exception('Not a valid group');
 		}
 
@@ -368,7 +368,7 @@  discard block
 block discarded – undo
 		if ($search !== '') {
 			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
 		}
-		$filterParts[] = $this->access->connection->ldapGidNumber .'=' . $groupID;
+		$filterParts[] = $this->access->connection->ldapGidNumber.'='.$groupID;
 
 		return $this->access->combineFilterWithAnd($filterParts);
 	}
@@ -410,7 +410,7 @@  discard block
 block discarded – undo
 		try {
 			$filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
 			$users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
-			return (int)$users;
+			return (int) $users;
 		} catch (\Exception $e) {
 			return 0;
 		}
@@ -423,9 +423,9 @@  discard block
 block discarded – undo
 	 */
 	public function getUserGroupByGid($dn) {
 		$groupID = $this->getUserGidNumber($dn);
-		if($groupID !== false) {
+		if ($groupID !== false) {
 			$groupName = $this->gidNumber2Name($groupID, $dn);
-			if($groupName !== false) {
+			if ($groupName !== false) {
 				return $groupName;
 			}
 		}
@@ -442,22 +442,22 @@  discard block
 block discarded – undo
 	public function primaryGroupID2Name($gid, $dn) {
 		$cacheKey = 'primaryGroupIDtoName';
 		$groupNames = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupNames) && isset($groupNames[$gid])) {
+		if (!is_null($groupNames) && isset($groupNames[$gid])) {
 			return $groupNames[$gid];
 		}
 
 		$domainObjectSid = $this->access->getSID($dn);
-		if($domainObjectSid === false) {
+		if ($domainObjectSid === false) {
 			return false;
 		}
 
 		//we need to get the DN from LDAP
 		$filter = $this->access->combineFilterWithAnd(array(
 			$this->access->connection->ldapGroupFilter,
-			'objectsid=' . $domainObjectSid . '-' . $gid
+			'objectsid='.$domainObjectSid.'-'.$gid
 		));
 		$result = $this->access->searchGroups($filter, array('dn'), 1);
-		if(empty($result)) {
+		if (empty($result)) {
 			return false;
 		}
 		$dn = $result[0]['dn'][0];
@@ -480,7 +480,7 @@  discard block
 block discarded – undo
 	 */
 	private function getEntryGroupID($dn, $attribute) {
 		$value = $this->access->readAttribute($dn, $attribute);
-		if(is_array($value) && !empty($value)) {
+		if (is_array($value) && !empty($value)) {
 			return $value[0];
 		}
 		return false;
@@ -502,9 +502,9 @@  discard block
 block discarded – undo
 	 */
 	public function getUserPrimaryGroupIDs($dn) {
 		$primaryGroupID = false;
-		if($this->access->connection->hasPrimaryGroups) {
+		if ($this->access->connection->hasPrimaryGroups) {
 			$primaryGroupID = $this->getEntryGroupID($dn, 'primaryGroupID');
-			if($primaryGroupID === false) {
+			if ($primaryGroupID === false) {
 				$this->access->connection->hasPrimaryGroups = false;
 			}
 		}
@@ -521,7 +521,7 @@  discard block
 block discarded – undo
 	 */
 	private function prepareFilterForUsersInPrimaryGroup($groupDN, $search = '') {
 		$groupID = $this->getGroupPrimaryGroupID($groupDN);
-		if($groupID === false) {
+		if ($groupID === false) {
 			throw new \Exception('Not a valid group');
 		}
 
@@ -530,7 +530,7 @@  discard block
 block discarded – undo
 		if ($search !== '') {
 			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
 		}
-		$filterParts[] = 'primaryGroupID=' . $groupID;
+		$filterParts[] = 'primaryGroupID='.$groupID;
 
 		return $this->access->combineFilterWithAnd($filterParts);
 	}
@@ -572,7 +572,7 @@  discard block
 block discarded – undo
 		try {
 			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
 			$users = $this->access->countUsers($filter, array('dn'), $limit, $offset);
-			return (int)$users;
+			return (int) $users;
 		} catch (\Exception $e) {
 			return 0;
 		}
@@ -585,9 +585,9 @@  discard block
 block discarded – undo
 	 */
 	public function getUserPrimaryGroup($dn) {
 		$groupID = $this->getUserPrimaryGroupIDs($dn);
-		if($groupID !== false) {
+		if ($groupID !== false) {
 			$groupName = $this->primaryGroupID2Name($groupID, $dn);
-			if($groupName !== false) {
+			if ($groupName !== false) {
 				return $groupName;
 			}
 		}
@@ -606,16 +606,16 @@  discard block
 block discarded – undo
 	 * This function includes groups based on dynamic group membership.
 	 */
 	public function getUserGroups($uid) {
-		if(!$this->enabled) {
+		if (!$this->enabled) {
 			return array();
 		}
 		$cacheKey = 'getUserGroups'.$uid;
 		$userGroups = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($userGroups)) {
+		if (!is_null($userGroups)) {
 			return $userGroups;
 		}
 		$userDN = $this->access->username2dn($uid);
-		if(!$userDN) {
+		if (!$userDN) {
 			$this->access->connection->writeToCache($cacheKey, array());
 			return array();
 		}
@@ -629,14 +629,14 @@  discard block
 block discarded – undo
 		if (!empty($dynamicGroupMemberURL)) {
 			// look through dynamic groups to add them to the result array if needed
 			$groupsToMatch = $this->access->fetchListOfGroups(
-				$this->access->connection->ldapGroupFilter,array('dn',$dynamicGroupMemberURL));
-			foreach($groupsToMatch as $dynamicGroup) {
+				$this->access->connection->ldapGroupFilter, array('dn', $dynamicGroupMemberURL));
+			foreach ($groupsToMatch as $dynamicGroup) {
 				if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
 					continue;
 				}
 				$pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
 				if ($pos !== false) {
-					$memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0],$pos);
+					$memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0], $pos);
 					// apply filter via ldap search to see if this user is in this
 					// dynamic group
 					$userMatch = $this->access->readAttribute(
@@ -647,7 +647,7 @@  discard block
 block discarded – undo
 					if ($userMatch !== false) {
 						// match found so this user is in this group
 						$groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
-						if(is_string($groupName)) {
+						if (is_string($groupName)) {
 							// be sure to never return false if the dn could not be
 							// resolved to a name, for whatever reason.
 							$groups[] = $groupName;
@@ -655,7 +655,7 @@  discard block
 block discarded – undo
 					}
 				} else {
 					\OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
-						'of group ' . print_r($dynamicGroup, true), \OCP\Util::DEBUG);
+						'of group '.print_r($dynamicGroup, true), \OCP\Util::DEBUG);
 				}
 			}
 		}
@@ -663,15 +663,15 @@  discard block
 block discarded – undo
 		// if possible, read out membership via memberOf. It's far faster than
 		// performing a search, which still is a fallback later.
 		// memberof doesn't support memberuid, so skip it here.
-		if((int)$this->access->connection->hasMemberOfFilterSupport === 1
-			&& (int)$this->access->connection->useMemberOfToDetectMembership === 1
+		if ((int) $this->access->connection->hasMemberOfFilterSupport === 1
+			&& (int) $this->access->connection->useMemberOfToDetectMembership === 1
 		    && strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
 		    ) {
 			$groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
 			if (is_array($groupDNs)) {
 				foreach ($groupDNs as $dn) {
 					$groupName = $this->access->dn2groupname($dn);
-					if(is_string($groupName)) {
+					if (is_string($groupName)) {
 						// be sure to never return false if the dn could not be
 						// resolved to a name, for whatever reason.
 						$groups[] = $groupName;
@@ -679,10 +679,10 @@  discard block
 block discarded – undo
 				}
 			}
 
-			if($primaryGroup !== false) {
+			if ($primaryGroup !== false) {
 				$groups[] = $primaryGroup;
 			}
-			if($gidGroupName !== false) {
+			if ($gidGroupName !== false) {
 				$groups[] = $gidGroupName;
 			}
 			$this->access->connection->writeToCache($cacheKey, $groups);
@@ -690,14 +690,14 @@  discard block
 block discarded – undo
 		}
 
 		//uniqueMember takes DN, memberuid the uid, so we need to distinguish
-		if((strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'uniquemember')
+		if ((strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'uniquemember')
 			|| (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'member')
 		) {
 			$uid = $userDN;
-		} else if(strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
+		} else if (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
 			$result = $this->access->readAttribute($userDN, 'uid');
 			if ($result === false) {
-				\OCP\Util::writeLog('user_ldap', 'No uid attribute found for DN ' . $userDN . ' on '.
+				\OCP\Util::writeLog('user_ldap', 'No uid attribute found for DN '.$userDN.' on '.
 					$this->access->connection->ldapHost, \OCP\Util::DEBUG);
 			}
 			$uid = $result[0];
@@ -706,7 +706,7 @@  discard block
 block discarded – undo
 			$uid = $userDN;
 		}
 
-		if(isset($this->cachedGroupsByMember[$uid])) {
+		if (isset($this->cachedGroupsByMember[$uid])) {
 			$groups = array_merge($groups, $this->cachedGroupsByMember[$uid]);
 		} else {
 			$groupsByMember = array_values($this->getGroupsByMember($uid));
@@ -715,10 +715,10 @@  discard block
 block discarded – undo
 			$groups = array_merge($groups, $groupsByMember);
 		}
 
-		if($primaryGroup !== false) {
+		if ($primaryGroup !== false) {
 			$groups[] = $primaryGroup;
 		}
-		if($gidGroupName !== false) {
+		if ($gidGroupName !== false) {
 			$groups[] = $gidGroupName;
 		}
 
@@ -756,7 +756,7 @@  discard block
 block discarded – undo
 				$nestedGroups = $this->access->connection->ldapNestedGroups;
 				if (!empty($nestedGroups)) {
 					$supergroups = $this->getGroupsByMember($groupDN, $seen);
-					if (is_array($supergroups) && (count($supergroups)>0)) {
+					if (is_array($supergroups) && (count($supergroups) > 0)) {
 						$allGroups = array_merge($allGroups, $supergroups);
 					}
 				}
@@ -775,33 +775,33 @@  discard block
 block discarded – undo
 	 * @return array with user ids
 	 */
 	public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
-		if(!$this->enabled) {
+		if (!$this->enabled) {
 			return array();
 		}
-		if(!$this->groupExists($gid)) {
+		if (!$this->groupExists($gid)) {
 			return array();
 		}
 		$search = $this->access->escapeFilterPart($search, true);
 		$cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
 		// check for cache of the exact query
 		$groupUsers = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupUsers)) {
+		if (!is_null($groupUsers)) {
 			return $groupUsers;
 		}
 
 		// check for cache of the query without limit and offset
 		$groupUsers = $this->access->connection->getFromCache('usersInGroup-'.$gid.'-'.$search);
-		if(!is_null($groupUsers)) {
+		if (!is_null($groupUsers)) {
 			$groupUsers = array_slice($groupUsers, $offset, $limit);
 			$this->access->connection->writeToCache($cacheKey, $groupUsers);
 			return $groupUsers;
 		}
 
-		if($limit === -1) {
+		if ($limit === -1) {
 			$limit = null;
 		}
 		$groupDN = $this->access->groupname2dn($gid);
-		if(!$groupDN) {
+		if (!$groupDN) {
 			// group couldn't be found, return empty resultset
 			$this->access->connection->writeToCache($cacheKey, array());
 			return array();
@@ -810,7 +810,7 @@  discard block
 block discarded – undo
 		$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
 		$posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
 		$members = array_keys($this->_groupMembers($groupDN));
-		if(!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
+		if (!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
 			//in case users could not be retrieved, return empty result set
 			$this->access->connection->writeToCache($cacheKey, []);
 			return [];
@@ -819,29 +819,29 @@  discard block
 block discarded – undo
 		$groupUsers = array();
 		$isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid');
 		$attrs = $this->access->userManager->getAttributes(true);
-		foreach($members as $member) {
-			if($isMemberUid) {
+		foreach ($members as $member) {
+			if ($isMemberUid) {
 				//we got uids, need to get their DNs to 'translate' them to user names
 				$filter = $this->access->combineFilterWithAnd(array(
 					str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
 					$this->access->getFilterPartForUserSearch($search)
 				));
 				$ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
-				if(count($ldap_users) < 1) {
+				if (count($ldap_users) < 1) {
 					continue;
 				}
 				$groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
 			} else {
 				//we got DNs, check if we need to filter by search or we can give back all of them
 				if ($search !== '') {
-					if(!$this->access->readAttribute($member,
+					if (!$this->access->readAttribute($member,
 						$this->access->connection->ldapUserDisplayName,
 						$this->access->getFilterPartForUserSearch($search))) {
 						continue;
 					}
 				}
 				// dn2username will also check if the users belong to the allowed base
-				if($ocname = $this->access->dn2username($member)) {
+				if ($ocname = $this->access->dn2username($member)) {
 					$groupUsers[] = $ocname;
 				}
 			}
@@ -869,16 +869,16 @@  discard block
 block discarded – undo
 		}
 
 		$cacheKey = 'countUsersInGroup-'.$gid.'-'.$search;
-		if(!$this->enabled || !$this->groupExists($gid)) {
+		if (!$this->enabled || !$this->groupExists($gid)) {
 			return false;
 		}
 		$groupUsers = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($groupUsers)) {
+		if (!is_null($groupUsers)) {
 			return $groupUsers;
 		}
 
 		$groupDN = $this->access->groupname2dn($gid);
-		if(!$groupDN) {
+		if (!$groupDN) {
 			// group couldn't be found, return empty result set
 			$this->access->connection->writeToCache($cacheKey, false);
 			return false;
@@ -886,7 +886,7 @@  discard block
 block discarded – undo
 
 		$members = array_keys($this->_groupMembers($groupDN));
 		$primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
-		if(!$members && $primaryUserCount === 0) {
+		if (!$members && $primaryUserCount === 0) {
 			//in case users could not be retrieved, return empty result set
 			$this->access->connection->writeToCache($cacheKey, false);
 			return false;
@@ -911,27 +911,27 @@  discard block
 block discarded – undo
 		//For now this is not important, because the only use of this method
 		//does not supply a search string
 		$groupUsers = array();
-		foreach($members as $member) {
-			if($isMemberUid) {
+		foreach ($members as $member) {
+			if ($isMemberUid) {
 				//we got uids, need to get their DNs to 'translate' them to user names
 				$filter = $this->access->combineFilterWithAnd(array(
 					str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
 					$this->access->getFilterPartForUserSearch($search)
 				));
 				$ldap_users = $this->access->fetchListOfUsers($filter, 'dn', 1);
-				if(count($ldap_users) < 1) {
+				if (count($ldap_users) < 1) {
 					continue;
 				}
 				$groupUsers[] = $this->access->dn2username($ldap_users[0]);
 			} else {
 				//we need to apply the search filter now
-				if(!$this->access->readAttribute($member,
+				if (!$this->access->readAttribute($member,
 					$this->access->connection->ldapUserDisplayName,
 					$this->access->getFilterPartForUserSearch($search))) {
 					continue;
 				}
 				// dn2username will also check if the users belong to the allowed base
-				if($ocname = $this->access->dn2username($member)) {
+				if ($ocname = $this->access->dn2username($member)) {
 					$groupUsers[] = $ocname;
 				}
 			}
@@ -954,7 +954,7 @@  discard block
 block discarded – undo
 	 * Returns a list with all groups (used by getGroups)
 	 */
 	protected function getGroupsChunk($search = '', $limit = -1, $offset = 0) {
-		if(!$this->enabled) {
+		if (!$this->enabled) {
 			return array();
 		}
 		$cacheKey = 'getGroups-'.$search.'-'.$limit.'-'.$offset;
@@ -962,13 +962,13 @@  discard block
 block discarded – undo
 		//Check cache before driving unnecessary searches
 		\OCP\Util::writeLog('user_ldap', 'getGroups '.$cacheKey, \OCP\Util::DEBUG);
 		$ldap_groups = $this->access->connection->getFromCache($cacheKey);
-		if(!is_null($ldap_groups)) {
+		if (!is_null($ldap_groups)) {
 			return $ldap_groups;
 		}
 
 		// if we'd pass -1 to LDAP search, we'd end up in a Protocol
 		// error. With a limit of 0, we get 0 results. So we pass null.
-		if($limit <= 0) {
+		if ($limit <= 0) {
 			$limit = null;
 		}
 		$filter = $this->access->combineFilterWithAnd(array(
@@ -1000,11 +1000,11 @@  discard block
 block discarded – undo
 	 * (active directory has a limit of 1000 by default)
 	 */
 	public function getGroups($search = '', $limit = -1, $offset = 0) {
-		if(!$this->enabled) {
+		if (!$this->enabled) {
 			return array();
 		}
 		$search = $this->access->escapeFilterPart($search, true);
-		$pagingSize = (int)$this->access->connection->ldapPagingSize;
+		$pagingSize = (int) $this->access->connection->ldapPagingSize;
 		if (!$this->access->connection->hasPagedResultSupport || $pagingSize <= 0) {
 			return $this->getGroupsChunk($search, $limit, $offset);
 		}
@@ -1047,20 +1047,20 @@  discard block
 block discarded – undo
 	 */
 	public function groupExists($gid) {
 		$groupExists = $this->access->connection->getFromCache('groupExists'.$gid);
-		if(!is_null($groupExists)) {
-			return (bool)$groupExists;
+		if (!is_null($groupExists)) {
+			return (bool) $groupExists;
 		}
 
 		//getting dn, if false the group does not exist. If dn, it may be mapped
 		//only, requires more checking.
 		$dn = $this->access->groupname2dn($gid);
-		if(!$dn) {
+		if (!$dn) {
 			$this->access->connection->writeToCache('groupExists'.$gid, false);
 			return false;
 		}
 
 		//if group really still exists, we will be able to read its objectclass
-		if(!is_array($this->access->readAttribute($dn, ''))) {
+		if (!is_array($this->access->readAttribute($dn, ''))) {
 			$this->access->connection->writeToCache('groupExists'.$gid, false);
 			return false;
 		}
@@ -1078,7 +1078,7 @@  discard block
 block discarded – undo
 	* compared with GroupInterface::CREATE_GROUP etc.
 	*/
 	public function implementsActions($actions) {
-		return (bool)((GroupInterface::COUNT_USERS |
+		return (bool) ((GroupInterface::COUNT_USERS |
 				$this->groupPluginManager->getImplementedActions()) & $actions);
 	}
 

Please login to merge, or discard this patch.

apps/user_ldap/lib/Jobs/CleanUp.php 1 patch

Indentation +190 added lines, -190 removed lines patch added patch discarded remove patch

@@ -43,195 +43,195 @@
 block discarded – undo
  * @package OCA\User_LDAP\Jobs;
  */
 class CleanUp extends TimedJob {
-	/** @var int $limit amount of users that should be checked per run */
-	protected $limit = 50;
-
-	/** @var int $defaultIntervalMin default interval in minutes */
-	protected $defaultIntervalMin = 51;
-
-	/** @var User_LDAP|User_Proxy $userBackend */
-	protected $userBackend;
-
-	/** @var \OCP\IConfig $ocConfig */
-	protected $ocConfig;
-
-	/** @var \OCP\IDBConnection $db */
-	protected $db;
-
-	/** @var Helper $ldapHelper */
-	protected $ldapHelper;
-
-	/** @var \OCA\User_LDAP\Mapping\UserMapping */
-	protected $mapping;
-
-	/** @var \OCA\User_LDAP\User\DeletedUsersIndex */
-	protected $dui;
-
-	public function __construct() {
-		$minutes = \OC::$server->getConfig()->getSystemValue(
-			'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
-		$this->setInterval((int)$minutes * 60);
-	}
-
-	/**
-	 * assigns the instances passed to run() to the class properties
-	 * @param array $arguments
-	 */
-	public function setArguments($arguments) {
-		//Dependency Injection is not possible, because the constructor will
-		//only get values that are serialized to JSON. I.e. whatever we would
-		//pass in app.php we do add here, except something else is passed e.g.
-		//in tests.
-
-		if(isset($arguments['helper'])) {
-			$this->ldapHelper = $arguments['helper'];
-		} else {
-			$this->ldapHelper = new Helper(\OC::$server->getConfig());
-		}
-
-		if(isset($arguments['ocConfig'])) {
-			$this->ocConfig = $arguments['ocConfig'];
-		} else {
-			$this->ocConfig = \OC::$server->getConfig();
-		}
-
-		if(isset($arguments['userBackend'])) {
-			$this->userBackend = $arguments['userBackend'];
-		} else {
-			$this->userBackend =  new User_Proxy(
-				$this->ldapHelper->getServerConfigurationPrefixes(true),
-				new LDAP(),
-				$this->ocConfig,
-				\OC::$server->getNotificationManager(),
-				\OC::$server->getUserSession(),
-				\OC::$server->query('LDAPUserPluginManager')
-			);
-		}
-
-		if(isset($arguments['db'])) {
-			$this->db = $arguments['db'];
-		} else {
-			$this->db = \OC::$server->getDatabaseConnection();
-		}
-
-		if(isset($arguments['mapping'])) {
-			$this->mapping = $arguments['mapping'];
-		} else {
-			$this->mapping = new UserMapping($this->db);
-		}
-
-		if(isset($arguments['deletedUsersIndex'])) {
-			$this->dui = $arguments['deletedUsersIndex'];
-		} else {
-			$this->dui = new DeletedUsersIndex(
-				$this->ocConfig, $this->db, $this->mapping);
-		}
-	}
-
-	/**
-	 * makes the background job do its work
-	 * @param array $argument
-	 */
-	public function run($argument) {
-		$this->setArguments($argument);
-
-		if(!$this->isCleanUpAllowed()) {
-			return;
-		}
-		$users = $this->mapping->getList($this->getOffset(), $this->limit);
-		if(!is_array($users)) {
-			//something wrong? Let's start from the beginning next time and
-			//abort
-			$this->setOffset(true);
-			return;
-		}
-		$resetOffset = $this->isOffsetResetNecessary(count($users));
-		$this->checkUsers($users);
-		$this->setOffset($resetOffset);
-	}
-
-	/**
-	 * checks whether next run should start at 0 again
-	 * @param int $resultCount
-	 * @return bool
-	 */
-	public function isOffsetResetNecessary($resultCount) {
-		return $resultCount < $this->limit;
-	}
-
-	/**
-	 * checks whether cleaning up LDAP users is allowed
-	 * @return bool
-	 */
-	public function isCleanUpAllowed() {
-		try {
-			if($this->ldapHelper->haveDisabledConfigurations()) {
-				return false;
-			}
-		} catch (\Exception $e) {
-			return false;
-		}
-
-		return $this->isCleanUpEnabled();
-	}
-
-	/**
-	 * checks whether clean up is enabled by configuration
-	 * @return bool
-	 */
-	private function isCleanUpEnabled() {
-		return (bool)$this->ocConfig->getSystemValue(
-			'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
-	}
-
-	/**
-	 * checks users whether they are still existing
-	 * @param array $users result from getMappedUsers()
-	 */
-	private function checkUsers(array $users) {
-		foreach($users as $user) {
-			$this->checkUser($user);
-		}
-	}
-
-	/**
-	 * checks whether a user is still existing in LDAP
-	 * @param string[] $user
-	 */
-	private function checkUser(array $user) {
-		if($this->userBackend->userExistsOnLDAP($user['name'])) {
-			//still available, all good
-
-			return;
-		}
-
-		$this->dui->markUser($user['name']);
-	}
-
-	/**
-	 * gets the offset to fetch users from the mappings table
-	 * @return int
-	 */
-	private function getOffset() {
-		return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0);
-	}
-
-	/**
-	 * sets the new offset for the next run
-	 * @param bool $reset whether the offset should be set to 0
-	 */
-	public function setOffset($reset = false) {
-		$newOffset = $reset ? 0 :
-			$this->getOffset() + $this->limit;
-		$this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset);
-	}
-
-	/**
-	 * returns the chunk size (limit in DB speak)
-	 * @return int
-	 */
-	public function getChunkSize() {
-		return $this->limit;
-	}
+    /** @var int $limit amount of users that should be checked per run */
+    protected $limit = 50;
+
+    /** @var int $defaultIntervalMin default interval in minutes */
+    protected $defaultIntervalMin = 51;
+
+    /** @var User_LDAP|User_Proxy $userBackend */
+    protected $userBackend;
+
+    /** @var \OCP\IConfig $ocConfig */
+    protected $ocConfig;
+
+    /** @var \OCP\IDBConnection $db */
+    protected $db;
+
+    /** @var Helper $ldapHelper */
+    protected $ldapHelper;
+
+    /** @var \OCA\User_LDAP\Mapping\UserMapping */
+    protected $mapping;
+
+    /** @var \OCA\User_LDAP\User\DeletedUsersIndex */
+    protected $dui;
+
+    public function __construct() {
+        $minutes = \OC::$server->getConfig()->getSystemValue(
+            'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
+        $this->setInterval((int)$minutes * 60);
+    }
+
+    /**
+     * assigns the instances passed to run() to the class properties
+     * @param array $arguments
+     */
+    public function setArguments($arguments) {
+        //Dependency Injection is not possible, because the constructor will
+        //only get values that are serialized to JSON. I.e. whatever we would
+        //pass in app.php we do add here, except something else is passed e.g.
+        //in tests.
+
+        if(isset($arguments['helper'])) {
+            $this->ldapHelper = $arguments['helper'];
+        } else {
+            $this->ldapHelper = new Helper(\OC::$server->getConfig());
+        }
+
+        if(isset($arguments['ocConfig'])) {
+            $this->ocConfig = $arguments['ocConfig'];
+        } else {
+            $this->ocConfig = \OC::$server->getConfig();
+        }
+
+        if(isset($arguments['userBackend'])) {
+            $this->userBackend = $arguments['userBackend'];
+        } else {
+            $this->userBackend =  new User_Proxy(
+                $this->ldapHelper->getServerConfigurationPrefixes(true),
+                new LDAP(),
+                $this->ocConfig,
+                \OC::$server->getNotificationManager(),
+                \OC::$server->getUserSession(),
+                \OC::$server->query('LDAPUserPluginManager')
+            );
+        }
+
+        if(isset($arguments['db'])) {
+            $this->db = $arguments['db'];
+        } else {
+            $this->db = \OC::$server->getDatabaseConnection();
+        }
+
+        if(isset($arguments['mapping'])) {
+            $this->mapping = $arguments['mapping'];
+        } else {
+            $this->mapping = new UserMapping($this->db);
+        }
+
+        if(isset($arguments['deletedUsersIndex'])) {
+            $this->dui = $arguments['deletedUsersIndex'];
+        } else {
+            $this->dui = new DeletedUsersIndex(
+                $this->ocConfig, $this->db, $this->mapping);
+        }
+    }
+
+    /**
+     * makes the background job do its work
+     * @param array $argument
+     */
+    public function run($argument) {
+        $this->setArguments($argument);
+
+        if(!$this->isCleanUpAllowed()) {
+            return;
+        }
+        $users = $this->mapping->getList($this->getOffset(), $this->limit);
+        if(!is_array($users)) {
+            //something wrong? Let's start from the beginning next time and
+            //abort
+            $this->setOffset(true);
+            return;
+        }
+        $resetOffset = $this->isOffsetResetNecessary(count($users));
+        $this->checkUsers($users);
+        $this->setOffset($resetOffset);
+    }
+
+    /**
+     * checks whether next run should start at 0 again
+     * @param int $resultCount
+     * @return bool
+     */
+    public function isOffsetResetNecessary($resultCount) {
+        return $resultCount < $this->limit;
+    }
+
+    /**
+     * checks whether cleaning up LDAP users is allowed
+     * @return bool
+     */
+    public function isCleanUpAllowed() {
+        try {
+            if($this->ldapHelper->haveDisabledConfigurations()) {
+                return false;
+            }
+        } catch (\Exception $e) {
+            return false;
+        }
+
+        return $this->isCleanUpEnabled();
+    }
+
+    /**
+     * checks whether clean up is enabled by configuration
+     * @return bool
+     */
+    private function isCleanUpEnabled() {
+        return (bool)$this->ocConfig->getSystemValue(
+            'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
+    }
+
+    /**
+     * checks users whether they are still existing
+     * @param array $users result from getMappedUsers()
+     */
+    private function checkUsers(array $users) {
+        foreach($users as $user) {
+            $this->checkUser($user);
+        }
+    }
+
+    /**
+     * checks whether a user is still existing in LDAP
+     * @param string[] $user
+     */
+    private function checkUser(array $user) {
+        if($this->userBackend->userExistsOnLDAP($user['name'])) {
+            //still available, all good
+
+            return;
+        }
+
+        $this->dui->markUser($user['name']);
+    }
+
+    /**
+     * gets the offset to fetch users from the mappings table
+     * @return int
+     */
+    private function getOffset() {
+        return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0);
+    }
+
+    /**
+     * sets the new offset for the next run
+     * @param bool $reset whether the offset should be set to 0
+     */
+    public function setOffset($reset = false) {
+        $newOffset = $reset ? 0 :
+            $this->getOffset() + $this->limit;
+        $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset);
+    }
+
+    /**
+     * returns the chunk size (limit in DB speak)
+     * @return int
+     */
+    public function getChunkSize() {
+        return $this->limit;
+    }
 
 }

Please login to merge, or discard this patch.

apps/dav/lib/Upload/UploadHome.php 2 patches

Indentation +52 added lines, -52 removed lines patch added patch discarded remove patch

@@ -30,66 +30,66 @@
 block discarded – undo
 use Sabre\DAV\ICollection;
 
 class UploadHome implements ICollection {
-	/**
-	 * UploadHome constructor.
-	 *
-	 * @param array $principalInfo
-	 */
-	public function __construct($principalInfo) {
-		$this->principalInfo = $principalInfo;
-	}
+    /**
+     * UploadHome constructor.
+     *
+     * @param array $principalInfo
+     */
+    public function __construct($principalInfo) {
+        $this->principalInfo = $principalInfo;
+    }
 
-	function createFile($name, $data = null) {
-		throw new Forbidden('Permission denied to create file (filename ' . $name . ')');
-	}
+    function createFile($name, $data = null) {
+        throw new Forbidden('Permission denied to create file (filename ' . $name . ')');
+    }
 
-	function createDirectory($name) {
-		$this->impl()->createDirectory($name);
-	}
+    function createDirectory($name) {
+        $this->impl()->createDirectory($name);
+    }
 
-	function getChild($name) {
-		return new UploadFolder($this->impl()->getChild($name));
-	}
+    function getChild($name) {
+        return new UploadFolder($this->impl()->getChild($name));
+    }
 
-	function getChildren() {
-		return array_map(function($node) {
-			return new UploadFolder($node);
-		}, $this->impl()->getChildren());
-	}
+    function getChildren() {
+        return array_map(function($node) {
+            return new UploadFolder($node);
+        }, $this->impl()->getChildren());
+    }
 
-	function childExists($name) {
-		return !is_null($this->getChild($name));
-	}
+    function childExists($name) {
+        return !is_null($this->getChild($name));
+    }
 
-	function delete() {
-		$this->impl()->delete();
-	}
+    function delete() {
+        $this->impl()->delete();
+    }
 
-	function getName() {
-		list(,$name) = \Sabre\Uri\split($this->principalInfo['uri']);
-		return $name;
-	}
+    function getName() {
+        list(,$name) = \Sabre\Uri\split($this->principalInfo['uri']);
+        return $name;
+    }
 
-	function setName($name) {
-		throw new Forbidden('Permission denied to rename this folder');
-	}
+    function setName($name) {
+        throw new Forbidden('Permission denied to rename this folder');
+    }
 
-	function getLastModified() {
-		return $this->impl()->getLastModified();
-	}
+    function getLastModified() {
+        return $this->impl()->getLastModified();
+    }
 
-	/**
-	 * @return Directory
-	 */
-	private function impl() {
-		$rootView = new View();
-		$user = \OC::$server->getUserSession()->getUser();
-		Filesystem::initMountPoints($user->getUID());
-		if (!$rootView->file_exists('/' . $user->getUID() . '/uploads')) {
-			$rootView->mkdir('/' . $user->getUID() . '/uploads');
-		}
-		$view = new View('/' . $user->getUID() . '/uploads');
-		$rootInfo = $view->getFileInfo('');
-		return new Directory($view, $rootInfo);
-	}
+    /**
+     * @return Directory
+     */
+    private function impl() {
+        $rootView = new View();
+        $user = \OC::$server->getUserSession()->getUser();
+        Filesystem::initMountPoints($user->getUID());
+        if (!$rootView->file_exists('/' . $user->getUID() . '/uploads')) {
+            $rootView->mkdir('/' . $user->getUID() . '/uploads');
+        }
+        $view = new View('/' . $user->getUID() . '/uploads');
+        $rootInfo = $view->getFileInfo('');
+        return new Directory($view, $rootInfo);
+    }
 }

Please login to merge, or discard this patch.

Spacing +4 added lines, -4 removed lines patch added patch discarded remove patch

@@ -40,7 +40,7 @@  discard block
 block discarded – undo
 	}
 
 	function createFile($name, $data = null) {
-		throw new Forbidden('Permission denied to create file (filename ' . $name . ')');
+		throw new Forbidden('Permission denied to create file (filename '.$name.')');
 	}
 
 	function createDirectory($name) {
@@ -85,10 +85,10 @@  discard block
 block discarded – undo
 		$rootView = new View();
 		$user = \OC::$server->getUserSession()->getUser();
 		Filesystem::initMountPoints($user->getUID());
-		if (!$rootView->file_exists('/' . $user->getUID() . '/uploads')) {
-			$rootView->mkdir('/' . $user->getUID() . '/uploads');
+		if (!$rootView->file_exists('/'.$user->getUID().'/uploads')) {
+			$rootView->mkdir('/'.$user->getUID().'/uploads');
 		}
-		$view = new View('/' . $user->getUID() . '/uploads');
+		$view = new View('/'.$user->getUID().'/uploads');
 		$rootInfo = $view->getFileInfo('');
 		return new Directory($view, $rootInfo);
 	}

Please login to merge, or discard this patch.

apps/dav/lib/CardDAV/SyncService.php 1 patch

Indentation +294 added lines, -294 removed lines patch added patch discarded remove patch

@@ -39,300 +39,300 @@
 block discarded – undo
 
 class SyncService {
 
-	/** @var CardDavBackend */
-	private $backend;
-
-	/** @var IUserManager */
-	private $userManager;
-
-	/** @var ILogger */
-	private $logger;
-
-	/** @var array */
-	private $localSystemAddressBook;
-
-	/** @var AccountManager */
-	private $accountManager;
-
-	/** @var string */
-	protected $certPath;
-
-	/**
-	 * SyncService constructor.
-	 *
-	 * @param CardDavBackend $backend
-	 * @param IUserManager $userManager
-	 * @param ILogger $logger
-	 * @param AccountManager $accountManager
-	 */
-	public function __construct(CardDavBackend $backend, IUserManager $userManager, ILogger $logger, AccountManager $accountManager) {
-		$this->backend = $backend;
-		$this->userManager = $userManager;
-		$this->logger = $logger;
-		$this->accountManager = $accountManager;
-		$this->certPath = '';
-	}
-
-	/**
-	 * @param string $url
-	 * @param string $userName
-	 * @param string $addressBookUrl
-	 * @param string $sharedSecret
-	 * @param string $syncToken
-	 * @param int $targetBookId
-	 * @param string $targetPrincipal
-	 * @param array $targetProperties
-	 * @return string
-	 * @throws \Exception
-	 */
-	public function syncRemoteAddressBook($url, $userName, $addressBookUrl, $sharedSecret, $syncToken, $targetBookId, $targetPrincipal, $targetProperties) {
-		// 1. create addressbook
-		$book = $this->ensureSystemAddressBookExists($targetPrincipal, $targetBookId, $targetProperties);
-		$addressBookId = $book['id'];
-
-		// 2. query changes
-		try {
-			$response = $this->requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken);
-		} catch (ClientHttpException $ex) {
-			if ($ex->getCode() === Http::STATUS_UNAUTHORIZED) {
-				// remote server revoked access to the address book, remove it
-				$this->backend->deleteAddressBook($addressBookId);
-				$this->logger->info('Authorization failed, remove address book: ' . $url, ['app' => 'dav']);
-				throw $ex;
-			}
-		}
-
-		// 3. apply changes
-		// TODO: use multi-get for download
-		foreach ($response['response'] as $resource => $status) {
-			$cardUri = basename($resource);
-			if (isset($status[200])) {
-				$vCard = $this->download($url, $userName, $sharedSecret, $resource);
-				$existingCard = $this->backend->getCard($addressBookId, $cardUri);
-				if ($existingCard === false) {
-					$this->backend->createCard($addressBookId, $cardUri, $vCard['body']);
-				} else {
-					$this->backend->updateCard($addressBookId, $cardUri, $vCard['body']);
-				}
-			} else {
-				$this->backend->deleteCard($addressBookId, $cardUri);
-			}
-		}
-
-		return $response['token'];
-	}
-
-	/**
-	 * @param string $principal
-	 * @param string $id
-	 * @param array $properties
-	 * @return array|null
-	 * @throws \Sabre\DAV\Exception\BadRequest
-	 */
-	public function ensureSystemAddressBookExists($principal, $id, $properties) {
-		$book = $this->backend->getAddressBooksByUri($principal, $id);
-		if (!is_null($book)) {
-			return $book;
-		}
-		$this->backend->createAddressBook($principal, $id, $properties);
-
-		return $this->backend->getAddressBooksByUri($principal, $id);
-	}
-
-	/**
-	 * Check if there is a valid certPath we should use
-	 *
-	 * @return string
-	 */
-	protected function getCertPath() {
-
-		// we already have a valid certPath
-		if ($this->certPath !== '') {
-			return $this->certPath;
-		}
-
-		/** @var ICertificateManager $certManager */
-		$certManager = \OC::$server->getCertificateManager(null);
-		$certPath = $certManager->getAbsoluteBundlePath();
-		if (file_exists($certPath)) {
-			$this->certPath = $certPath;
-		}
-
-		return $this->certPath;
-	}
-
-	/**
-	 * @param string $url
-	 * @param string $userName
-	 * @param string $addressBookUrl
-	 * @param string $sharedSecret
-	 * @return Client
-	 */
-	protected function getClient($url, $userName, $sharedSecret) {
-		$settings = [
-			'baseUri' => $url . '/',
-			'userName' => $userName,
-			'password' => $sharedSecret,
-		];
-		$client = new Client($settings);
-		$certPath = $this->getCertPath();
-		$client->setThrowExceptions(true);
-
-		if ($certPath !== '' && strpos($url, 'http://') !== 0) {
-			$client->addCurlSetting(CURLOPT_CAINFO, $this->certPath);
-		}
-
-		return $client;
-	}
-
-	/**
-	 * @param string $url
-	 * @param string $userName
-	 * @param string $addressBookUrl
-	 * @param string $sharedSecret
-	 * @param string $syncToken
-	 * @return array
-	 */
-	 protected function requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken) {
-		 $client = $this->getClient($url, $userName, $sharedSecret);
-
-		 $body = $this->buildSyncCollectionRequestBody($syncToken);
-
-		 $response = $client->request('REPORT', $addressBookUrl, $body, [
-			 'Content-Type' => 'application/xml'
-		 ]);
-
-		 return $this->parseMultiStatus($response['body']);
-	 }
-
-	/**
-	 * @param string $url
-	 * @param string $userName
-	 * @param string $sharedSecret
-	 * @param string $resourcePath
-	 * @return array
-	 */
-	protected function download($url, $userName, $sharedSecret, $resourcePath) {
-		$client = $this->getClient($url, $userName, $sharedSecret);
-		return $client->request('GET', $resourcePath);
-	}
-
-	/**
-	 * @param string|null $syncToken
-	 * @return string
-	 */
-	private function buildSyncCollectionRequestBody($syncToken) {
-
-		$dom = new \DOMDocument('1.0', 'UTF-8');
-		$dom->formatOutput = true;
-		$root = $dom->createElementNS('DAV:', 'd:sync-collection');
-		$sync = $dom->createElement('d:sync-token', $syncToken);
-		$prop = $dom->createElement('d:prop');
-		$cont = $dom->createElement('d:getcontenttype');
-		$etag = $dom->createElement('d:getetag');
-
-		$prop->appendChild($cont);
-		$prop->appendChild($etag);
-		$root->appendChild($sync);
-		$root->appendChild($prop);
-		$dom->appendChild($root);
-		return $dom->saveXML();
-	}
-
-	/**
-	 * @param string $body
-	 * @return array
-	 * @throws \Sabre\Xml\ParseException
-	 */
-	private function parseMultiStatus($body) {
-		$xml = new Service();
-
-		/** @var MultiStatus $multiStatus */
-		$multiStatus = $xml->expect('{DAV:}multistatus', $body);
-
-		$result = [];
-		foreach ($multiStatus->getResponses() as $response) {
-			$result[$response->getHref()] = $response->getResponseProperties();
-		}
-
-		return ['response' => $result, 'token' => $multiStatus->getSyncToken()];
-	}
-
-	/**
-	 * @param IUser $user
-	 */
-	public function updateUser($user) {
-		$systemAddressBook = $this->getLocalSystemAddressBook();
-		$addressBookId = $systemAddressBook['id'];
-		$converter = new Converter($this->accountManager);
-		$name = $user->getBackendClassName();
-		$userId = $user->getUID();
-
-		$cardId = "$name:$userId.vcf";
-		$card = $this->backend->getCard($addressBookId, $cardId);
-		if ($card === false) {
-			$vCard = $converter->createCardFromUser($user);
-			if ($vCard !== null) {
-				$this->backend->createCard($addressBookId, $cardId, $vCard->serialize());
-			}
-		} else {
-			$vCard = $converter->createCardFromUser($user);
-			if (is_null($vCard)) {
-				$this->backend->deleteCard($addressBookId, $cardId);
-			} else {
-				$this->backend->updateCard($addressBookId, $cardId, $vCard->serialize());
-			}
-		}
-	}
-
-	/**
-	 * @param IUser|string $userOrCardId
-	 */
-	public function deleteUser($userOrCardId) {
-		$systemAddressBook = $this->getLocalSystemAddressBook();
-		if ($userOrCardId instanceof IUser){
-			$name = $userOrCardId->getBackendClassName();
-			$userId = $userOrCardId->getUID();
-
-			$userOrCardId = "$name:$userId.vcf";
-		}
-		$this->backend->deleteCard($systemAddressBook['id'], $userOrCardId);
-	}
-
-	/**
-	 * @return array|null
-	 */
-	public function getLocalSystemAddressBook() {
-		if (is_null($this->localSystemAddressBook)) {
-			$systemPrincipal = "principals/system/system";
-			$this->localSystemAddressBook = $this->ensureSystemAddressBookExists($systemPrincipal, 'system', [
-				'{' . Plugin::NS_CARDDAV . '}addressbook-description' => 'System addressbook which holds all users of this instance'
-			]);
-		}
-
-		return $this->localSystemAddressBook;
-	}
-
-	public function syncInstance(\Closure $progressCallback = null) {
-		$systemAddressBook = $this->getLocalSystemAddressBook();
-		$this->userManager->callForAllUsers(function($user) use ($systemAddressBook, $progressCallback) {
-			$this->updateUser($user);
-			if (!is_null($progressCallback)) {
-				$progressCallback();
-			}
-		});
-
-		// remove no longer existing
-		$allCards = $this->backend->getCards($systemAddressBook['id']);
-		foreach($allCards as $card) {
-			$vCard = Reader::read($card['carddata']);
-			$uid = $vCard->UID->getValue();
-			// load backend and see if user exists
-			if (!$this->userManager->userExists($uid)) {
-				$this->deleteUser($card['uri']);
-			}
-		}
-	}
+    /** @var CardDavBackend */
+    private $backend;
+
+    /** @var IUserManager */
+    private $userManager;
+
+    /** @var ILogger */
+    private $logger;
+
+    /** @var array */
+    private $localSystemAddressBook;
+
+    /** @var AccountManager */
+    private $accountManager;
+
+    /** @var string */
+    protected $certPath;
+
+    /**
+     * SyncService constructor.
+     *
+     * @param CardDavBackend $backend
+     * @param IUserManager $userManager
+     * @param ILogger $logger
+     * @param AccountManager $accountManager
+     */
+    public function __construct(CardDavBackend $backend, IUserManager $userManager, ILogger $logger, AccountManager $accountManager) {
+        $this->backend = $backend;
+        $this->userManager = $userManager;
+        $this->logger = $logger;
+        $this->accountManager = $accountManager;
+        $this->certPath = '';
+    }
+
+    /**
+     * @param string $url
+     * @param string $userName
+     * @param string $addressBookUrl
+     * @param string $sharedSecret
+     * @param string $syncToken
+     * @param int $targetBookId
+     * @param string $targetPrincipal
+     * @param array $targetProperties
+     * @return string
+     * @throws \Exception
+     */
+    public function syncRemoteAddressBook($url, $userName, $addressBookUrl, $sharedSecret, $syncToken, $targetBookId, $targetPrincipal, $targetProperties) {
+        // 1. create addressbook
+        $book = $this->ensureSystemAddressBookExists($targetPrincipal, $targetBookId, $targetProperties);
+        $addressBookId = $book['id'];
+
+        // 2. query changes
+        try {
+            $response = $this->requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken);
+        } catch (ClientHttpException $ex) {
+            if ($ex->getCode() === Http::STATUS_UNAUTHORIZED) {
+                // remote server revoked access to the address book, remove it
+                $this->backend->deleteAddressBook($addressBookId);
+                $this->logger->info('Authorization failed, remove address book: ' . $url, ['app' => 'dav']);
+                throw $ex;
+            }
+        }
+
+        // 3. apply changes
+        // TODO: use multi-get for download
+        foreach ($response['response'] as $resource => $status) {
+            $cardUri = basename($resource);
+            if (isset($status[200])) {
+                $vCard = $this->download($url, $userName, $sharedSecret, $resource);
+                $existingCard = $this->backend->getCard($addressBookId, $cardUri);
+                if ($existingCard === false) {
+                    $this->backend->createCard($addressBookId, $cardUri, $vCard['body']);
+                } else {
+                    $this->backend->updateCard($addressBookId, $cardUri, $vCard['body']);
+                }
+            } else {
+                $this->backend->deleteCard($addressBookId, $cardUri);
+            }
+        }
+
+        return $response['token'];
+    }
+
+    /**
+     * @param string $principal
+     * @param string $id
+     * @param array $properties
+     * @return array|null
+     * @throws \Sabre\DAV\Exception\BadRequest
+     */
+    public function ensureSystemAddressBookExists($principal, $id, $properties) {
+        $book = $this->backend->getAddressBooksByUri($principal, $id);
+        if (!is_null($book)) {
+            return $book;
+        }
+        $this->backend->createAddressBook($principal, $id, $properties);
+
+        return $this->backend->getAddressBooksByUri($principal, $id);
+    }
+
+    /**
+     * Check if there is a valid certPath we should use
+     *
+     * @return string
+     */
+    protected function getCertPath() {
+
+        // we already have a valid certPath
+        if ($this->certPath !== '') {
+            return $this->certPath;
+        }
+
+        /** @var ICertificateManager $certManager */
+        $certManager = \OC::$server->getCertificateManager(null);
+        $certPath = $certManager->getAbsoluteBundlePath();
+        if (file_exists($certPath)) {
+            $this->certPath = $certPath;
+        }
+
+        return $this->certPath;
+    }
+
+    /**
+     * @param string $url
+     * @param string $userName
+     * @param string $addressBookUrl
+     * @param string $sharedSecret
+     * @return Client
+     */
+    protected function getClient($url, $userName, $sharedSecret) {
+        $settings = [
+            'baseUri' => $url . '/',
+            'userName' => $userName,
+            'password' => $sharedSecret,
+        ];
+        $client = new Client($settings);
+        $certPath = $this->getCertPath();
+        $client->setThrowExceptions(true);
+
+        if ($certPath !== '' && strpos($url, 'http://') !== 0) {
+            $client->addCurlSetting(CURLOPT_CAINFO, $this->certPath);
+        }
+
+        return $client;
+    }
+
+    /**
+     * @param string $url
+     * @param string $userName
+     * @param string $addressBookUrl
+     * @param string $sharedSecret
+     * @param string $syncToken
+     * @return array
+     */
+        protected function requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken) {
+            $client = $this->getClient($url, $userName, $sharedSecret);
+
+            $body = $this->buildSyncCollectionRequestBody($syncToken);
+
+            $response = $client->request('REPORT', $addressBookUrl, $body, [
+                'Content-Type' => 'application/xml'
+            ]);
+
+            return $this->parseMultiStatus($response['body']);
+        }
+
+    /**
+     * @param string $url
+     * @param string $userName
+     * @param string $sharedSecret
+     * @param string $resourcePath
+     * @return array
+     */
+    protected function download($url, $userName, $sharedSecret, $resourcePath) {
+        $client = $this->getClient($url, $userName, $sharedSecret);
+        return $client->request('GET', $resourcePath);
+    }
+
+    /**
+     * @param string|null $syncToken
+     * @return string
+     */
+    private function buildSyncCollectionRequestBody($syncToken) {
+
+        $dom = new \DOMDocument('1.0', 'UTF-8');
+        $dom->formatOutput = true;
+        $root = $dom->createElementNS('DAV:', 'd:sync-collection');
+        $sync = $dom->createElement('d:sync-token', $syncToken);
+        $prop = $dom->createElement('d:prop');
+        $cont = $dom->createElement('d:getcontenttype');
+        $etag = $dom->createElement('d:getetag');
+
+        $prop->appendChild($cont);
+        $prop->appendChild($etag);
+        $root->appendChild($sync);
+        $root->appendChild($prop);
+        $dom->appendChild($root);
+        return $dom->saveXML();
+    }
+
+    /**
+     * @param string $body
+     * @return array
+     * @throws \Sabre\Xml\ParseException
+     */
+    private function parseMultiStatus($body) {
+        $xml = new Service();
+
+        /** @var MultiStatus $multiStatus */
+        $multiStatus = $xml->expect('{DAV:}multistatus', $body);
+
+        $result = [];
+        foreach ($multiStatus->getResponses() as $response) {
+            $result[$response->getHref()] = $response->getResponseProperties();
+        }
+
+        return ['response' => $result, 'token' => $multiStatus->getSyncToken()];
+    }
+
+    /**
+     * @param IUser $user
+     */
+    public function updateUser($user) {
+        $systemAddressBook = $this->getLocalSystemAddressBook();
+        $addressBookId = $systemAddressBook['id'];
+        $converter = new Converter($this->accountManager);
+        $name = $user->getBackendClassName();
+        $userId = $user->getUID();
+
+        $cardId = "$name:$userId.vcf";
+        $card = $this->backend->getCard($addressBookId, $cardId);
+        if ($card === false) {
+            $vCard = $converter->createCardFromUser($user);
+            if ($vCard !== null) {
+                $this->backend->createCard($addressBookId, $cardId, $vCard->serialize());
+            }
+        } else {
+            $vCard = $converter->createCardFromUser($user);
+            if (is_null($vCard)) {
+                $this->backend->deleteCard($addressBookId, $cardId);
+            } else {
+                $this->backend->updateCard($addressBookId, $cardId, $vCard->serialize());
+            }
+        }
+    }
+
+    /**
+     * @param IUser|string $userOrCardId
+     */
+    public function deleteUser($userOrCardId) {
+        $systemAddressBook = $this->getLocalSystemAddressBook();
+        if ($userOrCardId instanceof IUser){
+            $name = $userOrCardId->getBackendClassName();
+            $userId = $userOrCardId->getUID();
+
+            $userOrCardId = "$name:$userId.vcf";
+        }
+        $this->backend->deleteCard($systemAddressBook['id'], $userOrCardId);
+    }
+
+    /**
+     * @return array|null
+     */
+    public function getLocalSystemAddressBook() {
+        if (is_null($this->localSystemAddressBook)) {
+            $systemPrincipal = "principals/system/system";
+            $this->localSystemAddressBook = $this->ensureSystemAddressBookExists($systemPrincipal, 'system', [
+                '{' . Plugin::NS_CARDDAV . '}addressbook-description' => 'System addressbook which holds all users of this instance'
+            ]);
+        }
+
+        return $this->localSystemAddressBook;
+    }
+
+    public function syncInstance(\Closure $progressCallback = null) {
+        $systemAddressBook = $this->getLocalSystemAddressBook();
+        $this->userManager->callForAllUsers(function($user) use ($systemAddressBook, $progressCallback) {
+            $this->updateUser($user);
+            if (!is_null($progressCallback)) {
+                $progressCallback();
+            }
+        });
+
+        // remove no longer existing
+        $allCards = $this->backend->getCards($systemAddressBook['id']);
+        foreach($allCards as $card) {
+            $vCard = Reader::read($card['carddata']);
+            $uid = $vCard->UID->getValue();
+            // load backend and see if user exists
+            if (!$this->userManager->userExists($uid)) {
+                $this->deleteUser($card['uri']);
+            }
+        }
+    }
 
 
 }

Please login to merge, or discard this patch.

apps/dav/lib/Connector/Sabre/Auth.php 1 patch

Indentation +191 added lines, -191 removed lines patch added patch discarded remove patch

@@ -49,212 +49,212 @@
 block discarded – undo
 class Auth extends AbstractBasic {
 
 
-	const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
+    const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
 
-	/** @var ISession */
-	private $session;
-	/** @var Session */
-	private $userSession;
-	/** @var IRequest */
-	private $request;
-	/** @var string */
-	private $currentUser;
-	/** @var Manager */
-	private $twoFactorManager;
-	/** @var Throttler */
-	private $throttler;
+    /** @var ISession */
+    private $session;
+    /** @var Session */
+    private $userSession;
+    /** @var IRequest */
+    private $request;
+    /** @var string */
+    private $currentUser;
+    /** @var Manager */
+    private $twoFactorManager;
+    /** @var Throttler */
+    private $throttler;
 
-	/**
-	 * @param ISession $session
-	 * @param Session $userSession
-	 * @param IRequest $request
-	 * @param Manager $twoFactorManager
-	 * @param Throttler $throttler
-	 * @param string $principalPrefix
-	 */
-	public function __construct(ISession $session,
-								Session $userSession,
-								IRequest $request,
-								Manager $twoFactorManager,
-								Throttler $throttler,
-								$principalPrefix = 'principals/users/') {
-		$this->session = $session;
-		$this->userSession = $userSession;
-		$this->twoFactorManager = $twoFactorManager;
-		$this->request = $request;
-		$this->throttler = $throttler;
-		$this->principalPrefix = $principalPrefix;
+    /**
+     * @param ISession $session
+     * @param Session $userSession
+     * @param IRequest $request
+     * @param Manager $twoFactorManager
+     * @param Throttler $throttler
+     * @param string $principalPrefix
+     */
+    public function __construct(ISession $session,
+                                Session $userSession,
+                                IRequest $request,
+                                Manager $twoFactorManager,
+                                Throttler $throttler,
+                                $principalPrefix = 'principals/users/') {
+        $this->session = $session;
+        $this->userSession = $userSession;
+        $this->twoFactorManager = $twoFactorManager;
+        $this->request = $request;
+        $this->throttler = $throttler;
+        $this->principalPrefix = $principalPrefix;
 
-		// setup realm
-		$defaults = new \OCP\Defaults();
-		$this->realm = $defaults->getName();
-	}
+        // setup realm
+        $defaults = new \OCP\Defaults();
+        $this->realm = $defaults->getName();
+    }
 
-	/**
-	 * Whether the user has initially authenticated via DAV
-	 *
-	 * This is required for WebDAV clients that resent the cookies even when the
-	 * account was changed.
-	 *
-	 * @see https://github.com/owncloud/core/issues/13245
-	 *
-	 * @param string $username
-	 * @return bool
-	 */
-	public function isDavAuthenticated($username) {
-		return !is_null($this->session->get(self::DAV_AUTHENTICATED)) &&
-		$this->session->get(self::DAV_AUTHENTICATED) === $username;
-	}
+    /**
+     * Whether the user has initially authenticated via DAV
+     *
+     * This is required for WebDAV clients that resent the cookies even when the
+     * account was changed.
+     *
+     * @see https://github.com/owncloud/core/issues/13245
+     *
+     * @param string $username
+     * @return bool
+     */
+    public function isDavAuthenticated($username) {
+        return !is_null($this->session->get(self::DAV_AUTHENTICATED)) &&
+        $this->session->get(self::DAV_AUTHENTICATED) === $username;
+    }
 
-	/**
-	 * Validates a username and password
-	 *
-	 * This method should return true or false depending on if login
-	 * succeeded.
-	 *
-	 * @param string $username
-	 * @param string $password
-	 * @return bool
-	 * @throws PasswordLoginForbidden
-	 */
-	protected function validateUserPass($username, $password) {
-		if ($this->userSession->isLoggedIn() &&
-			$this->isDavAuthenticated($this->userSession->getUser()->getUID())
-		) {
-			\OC_Util::setupFS($this->userSession->getUser()->getUID());
-			$this->session->close();
-			return true;
-		} else {
-			\OC_Util::setupFS(); //login hooks may need early access to the filesystem
-			try {
-				if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
-					\OC_Util::setupFS($this->userSession->getUser()->getUID());
-					$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
-					$this->session->close();
-					return true;
-				} else {
-					$this->session->close();
-					return false;
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				$this->session->close();
-				throw new PasswordLoginForbidden();
-			}
-		}
-	}
+    /**
+     * Validates a username and password
+     *
+     * This method should return true or false depending on if login
+     * succeeded.
+     *
+     * @param string $username
+     * @param string $password
+     * @return bool
+     * @throws PasswordLoginForbidden
+     */
+    protected function validateUserPass($username, $password) {
+        if ($this->userSession->isLoggedIn() &&
+            $this->isDavAuthenticated($this->userSession->getUser()->getUID())
+        ) {
+            \OC_Util::setupFS($this->userSession->getUser()->getUID());
+            $this->session->close();
+            return true;
+        } else {
+            \OC_Util::setupFS(); //login hooks may need early access to the filesystem
+            try {
+                if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
+                    \OC_Util::setupFS($this->userSession->getUser()->getUID());
+                    $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
+                    $this->session->close();
+                    return true;
+                } else {
+                    $this->session->close();
+                    return false;
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                $this->session->close();
+                throw new PasswordLoginForbidden();
+            }
+        }
+    }
 
-	/**
-	 * @param RequestInterface $request
-	 * @param ResponseInterface $response
-	 * @return array
-	 * @throws NotAuthenticated
-	 * @throws ServiceUnavailable
-	 */
-	function check(RequestInterface $request, ResponseInterface $response) {
-		try {
-			return $this->auth($request, $response);
-		} catch (NotAuthenticated $e) {
-			throw $e;
-		} catch (Exception $e) {
-			$class = get_class($e);
-			$msg = $e->getMessage();
-			\OC::$server->getLogger()->logException($e);
-			throw new ServiceUnavailable("$class: $msg");
-		}
-	}
+    /**
+     * @param RequestInterface $request
+     * @param ResponseInterface $response
+     * @return array
+     * @throws NotAuthenticated
+     * @throws ServiceUnavailable
+     */
+    function check(RequestInterface $request, ResponseInterface $response) {
+        try {
+            return $this->auth($request, $response);
+        } catch (NotAuthenticated $e) {
+            throw $e;
+        } catch (Exception $e) {
+            $class = get_class($e);
+            $msg = $e->getMessage();
+            \OC::$server->getLogger()->logException($e);
+            throw new ServiceUnavailable("$class: $msg");
+        }
+    }
 
-	/**
-	 * Checks whether a CSRF check is required on the request
-	 *
-	 * @return bool
-	 */
-	private function requiresCSRFCheck() {
-		// GET requires no check at all
-		if($this->request->getMethod() === 'GET') {
-			return false;
-		}
+    /**
+     * Checks whether a CSRF check is required on the request
+     *
+     * @return bool
+     */
+    private function requiresCSRFCheck() {
+        // GET requires no check at all
+        if($this->request->getMethod() === 'GET') {
+            return false;
+        }
 
-		// Official Nextcloud clients require no checks
-		if($this->request->isUserAgent([
-			IRequest::USER_AGENT_CLIENT_DESKTOP,
-			IRequest::USER_AGENT_CLIENT_ANDROID,
-			IRequest::USER_AGENT_CLIENT_IOS,
-		])) {
-			return false;
-		}
+        // Official Nextcloud clients require no checks
+        if($this->request->isUserAgent([
+            IRequest::USER_AGENT_CLIENT_DESKTOP,
+            IRequest::USER_AGENT_CLIENT_ANDROID,
+            IRequest::USER_AGENT_CLIENT_IOS,
+        ])) {
+            return false;
+        }
 
-		// If not logged-in no check is required
-		if(!$this->userSession->isLoggedIn()) {
-			return false;
-		}
+        // If not logged-in no check is required
+        if(!$this->userSession->isLoggedIn()) {
+            return false;
+        }
 
-		// POST always requires a check
-		if($this->request->getMethod() === 'POST') {
-			return true;
-		}
+        // POST always requires a check
+        if($this->request->getMethod() === 'POST') {
+            return true;
+        }
 
-		// If logged-in AND DAV authenticated no check is required
-		if($this->userSession->isLoggedIn() &&
-			$this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
-			return false;
-		}
+        // If logged-in AND DAV authenticated no check is required
+        if($this->userSession->isLoggedIn() &&
+            $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
+            return false;
+        }
 
-		return true;
-	}
+        return true;
+    }
 
-	/**
-	 * @param RequestInterface $request
-	 * @param ResponseInterface $response
-	 * @return array
-	 * @throws NotAuthenticated
-	 */
-	private function auth(RequestInterface $request, ResponseInterface $response) {
-		$forcedLogout = false;
+    /**
+     * @param RequestInterface $request
+     * @param ResponseInterface $response
+     * @return array
+     * @throws NotAuthenticated
+     */
+    private function auth(RequestInterface $request, ResponseInterface $response) {
+        $forcedLogout = false;
 
-		if(!$this->request->passesCSRFCheck() &&
-			$this->requiresCSRFCheck()) {
-			// In case of a fail with POST we need to recheck the credentials
-			if($this->request->getMethod() === 'POST') {
-				$forcedLogout = true;
-			} else {
-				$response->setStatus(401);
-				throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
-			}
-		}
+        if(!$this->request->passesCSRFCheck() &&
+            $this->requiresCSRFCheck()) {
+            // In case of a fail with POST we need to recheck the credentials
+            if($this->request->getMethod() === 'POST') {
+                $forcedLogout = true;
+            } else {
+                $response->setStatus(401);
+                throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
+            }
+        }
 
-		if($forcedLogout) {
-			$this->userSession->logout();
-		} else {
-			if($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
-				throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
-			}
-			if (\OC_User::handleApacheAuth() ||
-				//Fix for broken webdav clients
-				($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||
-				//Well behaved clients that only send the cookie are allowed
-				($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
-			) {
-				$user = $this->userSession->getUser()->getUID();
-				\OC_Util::setupFS($user);
-				$this->currentUser = $user;
-				$this->session->close();
-				return [true, $this->principalPrefix . $user];
-			}
-		}
+        if($forcedLogout) {
+            $this->userSession->logout();
+        } else {
+            if($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
+                throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
+            }
+            if (\OC_User::handleApacheAuth() ||
+                //Fix for broken webdav clients
+                ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||
+                //Well behaved clients that only send the cookie are allowed
+                ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
+            ) {
+                $user = $this->userSession->getUser()->getUID();
+                \OC_Util::setupFS($user);
+                $this->currentUser = $user;
+                $this->session->close();
+                return [true, $this->principalPrefix . $user];
+            }
+        }
 
-		if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
-			// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
-			$response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
-			$response->setStatus(401);
-			throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
-		}
+        if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
+            // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+            $response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
+            $response->setStatus(401);
+            throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+        }
 
-		$data = parent::check($request, $response);
-		if($data[0] === true) {
-			$startPos = strrpos($data[1], '/') + 1;
-			$user = $this->userSession->getUser()->getUID();
-			$data[1] = substr_replace($data[1], $user, $startPos);
-		}
-		return $data;
-	}
+        $data = parent::check($request, $response);
+        if($data[0] === true) {
+            $startPos = strrpos($data[1], '/') + 1;
+            $user = $this->userSession->getUser()->getUID();
+            $data[1] = substr_replace($data[1], $user, $startPos);
+        }
+        return $data;
+    }
 }

Please login to merge, or discard this patch.

apps/files_sharing/lib/Helper.php 1 patch

Indentation +235 added lines, -235 removed lines patch added patch discarded remove patch

@@ -36,240 +36,240 @@
 block discarded – undo
 
 class Helper {
 
-	public static function registerHooks() {
-		\OCP\Util::connectHook('OC_Filesystem', 'post_rename', '\OCA\Files_Sharing\Updater', 'renameHook');
-		\OCP\Util::connectHook('OC_Filesystem', 'post_delete', '\OCA\Files_Sharing\Hooks', 'unshareChildren');
-
-		\OCP\Util::connectHook('OC_User', 'post_deleteUser', '\OCA\Files_Sharing\Hooks', 'deleteUser');
-	}
-
-	/**
-	 * Sets up the filesystem and user for public sharing
-	 * @param string $token string share token
-	 * @param string $relativePath optional path relative to the share
-	 * @param string $password optional password
-	 * @return array
-	 */
-	public static function setupFromToken($token, $relativePath = null, $password = null) {
-		\OC_User::setIncognitoMode(true);
-
-		$shareManager = \OC::$server->getShareManager();
-
-		try {
-			$share = $shareManager->getShareByToken($token);
-		} catch (ShareNotFound $e) {
-			\OC_Response::setStatus(404);
-			\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
-			exit;
-		}
-
-		\OCP\JSON::checkUserExists($share->getShareOwner());
-		\OC_Util::tearDownFS();
-		\OC_Util::setupFS($share->getShareOwner());
-
-
-		try {
-			$path = Filesystem::getPath($share->getNodeId());
-		} catch (NotFoundException $e) {
-			\OCP\Util::writeLog('share', 'could not resolve linkItem', \OCP\Util::DEBUG);
-			\OC_Response::setStatus(404);
-			\OCP\JSON::error(array('success' => false));
-			exit();
-		}
-
-		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK && $share->getPassword() !== null) {
-			if (!self::authenticate($share, $password)) {
-				\OC_Response::setStatus(403);
-				\OCP\JSON::error(array('success' => false));
-				exit();
-			}
-		}
-
-		$basePath = $path;
-
-		if ($relativePath !== null && Filesystem::isReadable($basePath . $relativePath)) {
-			$path .= Filesystem::normalizePath($relativePath);
-		}
-
-		return array(
-			'share' => $share,
-			'basePath' => $basePath,
-			'realPath' => $path
-		);
-	}
-
-	/**
-	 * Authenticate link item with the given password
-	 * or with the session if no password was given.
-	 * @param \OCP\Share\IShare $share
-	 * @param string $password optional password
-	 *
-	 * @return boolean true if authorized, false otherwise
-	 */
-	public static function authenticate($share, $password = null) {
-		$shareManager = \OC::$server->getShareManager();
-
-		if ($password !== null) {
-			if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
-				if ($shareManager->checkPassword($share, $password)) {
-					\OC::$server->getSession()->set('public_link_authenticated', (string)$share->getId());
-					return true;
-				}
-			}
-		} else {
-			// not authenticated ?
-			if (\OC::$server->getSession()->exists('public_link_authenticated')
-				&& \OC::$server->getSession()->get('public_link_authenticated') !== (string)$share->getId()) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	public static function getSharesFromItem($target) {
-		$result = array();
-		$owner = Filesystem::getOwner($target);
-		Filesystem::initMountPoints($owner);
-		$info = Filesystem::getFileInfo($target);
-		$ownerView = new View('/'.$owner.'/files');
-		if ( $owner !== User::getUser() ) {
-			$path = $ownerView->getPath($info['fileid']);
-		} else {
-			$path = $target;
-		}
-
-
-		$ids = array();
-		while ($path !== dirname($path)) {
-			$info = $ownerView->getFileInfo($path);
-			if ($info instanceof \OC\Files\FileInfo) {
-				$ids[] = $info['fileid'];
-			} else {
-				\OCP\Util::writeLog('sharing', 'No fileinfo available for: ' . $path, \OCP\Util::WARN);
-			}
-			$path = dirname($path);
-		}
-
-		if (!empty($ids)) {
-
-			$idList = array_chunk($ids, 99, true);
-
-			foreach ($idList as $subList) {
-				$statement = "SELECT `share_with`, `share_type`, `file_target` FROM `*PREFIX*share` WHERE `file_source` IN (" . implode(',', $subList) . ") AND `share_type` IN (0, 1, 2)";
-				$query = \OCP\DB::prepare($statement);
-				$r = $query->execute();
-				$result = array_merge($result, $r->fetchAll());
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * get the UID of the owner of the file and the path to the file relative to
-	 * owners files folder
-	 *
-	 * @param $filename
-	 * @return array
-	 * @throws \OC\User\NoUserException
-	 */
-	public static function getUidAndFilename($filename) {
-		$uid = Filesystem::getOwner($filename);
-		$userManager = \OC::$server->getUserManager();
-		// if the user with the UID doesn't exists, e.g. because the UID points
-		// to a remote user with a federated cloud ID we use the current logged-in
-		// user. We need a valid local user to create the share
-		if (!$userManager->userExists($uid)) {
-			$uid = User::getUser();
-		}
-		Filesystem::initMountPoints($uid);
-		if ( $uid !== User::getUser() ) {
-			$info = Filesystem::getFileInfo($filename);
-			$ownerView = new View('/'.$uid.'/files');
-			try {
-				$filename = $ownerView->getPath($info['fileid']);
-			} catch (NotFoundException $e) {
-				$filename = null;
-			}
-		}
-		return [$uid, $filename];
-	}
-
-	/**
-	 * Format a path to be relative to the /user/files/ directory
-	 * @param string $path the absolute path
-	 * @return string e.g. turns '/admin/files/test.txt' into 'test.txt'
-	 */
-	public static function stripUserFilesPath($path) {
-		$trimmed = ltrim($path, '/');
-		$split = explode('/', $trimmed);
-
-		// it is not a file relative to data/user/files
-		if (count($split) < 3 || $split[1] !== 'files') {
-			return false;
-		}
-
-		$sliced = array_slice($split, 2);
-		return implode('/', $sliced);
-	}
-
-	/**
-	 * check if file name already exists and generate unique target
-	 *
-	 * @param string $path
-	 * @param array $excludeList
-	 * @param View $view
-	 * @return string $path
-	 */
-	public static function generateUniqueTarget($path, $excludeList, $view) {
-		$pathinfo = pathinfo($path);
-		$ext = isset($pathinfo['extension']) ? '.'.$pathinfo['extension'] : '';
-		$name = $pathinfo['filename'];
-		$dir = $pathinfo['dirname'];
-		$i = 2;
-		while ($view->file_exists($path) || in_array($path, $excludeList)) {
-			$path = Filesystem::normalizePath($dir . '/' . $name . ' ('.$i.')' . $ext);
-			$i++;
-		}
-
-		return $path;
-	}
-
-	/**
-	 * get default share folder
-	 *
-	 * @param \OC\Files\View
-	 * @return string
-	 */
-	public static function getShareFolder($view = null) {
-		if ($view === null) {
-			$view = Filesystem::getView();
-		}
-		$shareFolder = \OC::$server->getConfig()->getSystemValue('share_folder', '/');
-		$shareFolder = Filesystem::normalizePath($shareFolder);
-
-		if (!$view->file_exists($shareFolder)) {
-			$dir = '';
-			$subdirs = explode('/', $shareFolder);
-			foreach ($subdirs as $subdir) {
-				$dir = $dir . '/' . $subdir;
-				if (!$view->is_dir($dir)) {
-					$view->mkdir($dir);
-				}
-			}
-		}
-
-		return $shareFolder;
-
-	}
-
-	/**
-	 * set default share folder
-	 *
-	 * @param string $shareFolder
-	 */
-	public static function setShareFolder($shareFolder) {
-		\OC::$server->getConfig()->setSystemValue('share_folder', $shareFolder);
-	}
+    public static function registerHooks() {
+        \OCP\Util::connectHook('OC_Filesystem', 'post_rename', '\OCA\Files_Sharing\Updater', 'renameHook');
+        \OCP\Util::connectHook('OC_Filesystem', 'post_delete', '\OCA\Files_Sharing\Hooks', 'unshareChildren');
+
+        \OCP\Util::connectHook('OC_User', 'post_deleteUser', '\OCA\Files_Sharing\Hooks', 'deleteUser');
+    }
+
+    /**
+     * Sets up the filesystem and user for public sharing
+     * @param string $token string share token
+     * @param string $relativePath optional path relative to the share
+     * @param string $password optional password
+     * @return array
+     */
+    public static function setupFromToken($token, $relativePath = null, $password = null) {
+        \OC_User::setIncognitoMode(true);
+
+        $shareManager = \OC::$server->getShareManager();
+
+        try {
+            $share = $shareManager->getShareByToken($token);
+        } catch (ShareNotFound $e) {
+            \OC_Response::setStatus(404);
+            \OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
+            exit;
+        }
+
+        \OCP\JSON::checkUserExists($share->getShareOwner());
+        \OC_Util::tearDownFS();
+        \OC_Util::setupFS($share->getShareOwner());
+
+
+        try {
+            $path = Filesystem::getPath($share->getNodeId());
+        } catch (NotFoundException $e) {
+            \OCP\Util::writeLog('share', 'could not resolve linkItem', \OCP\Util::DEBUG);
+            \OC_Response::setStatus(404);
+            \OCP\JSON::error(array('success' => false));
+            exit();
+        }
+
+        if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK && $share->getPassword() !== null) {
+            if (!self::authenticate($share, $password)) {
+                \OC_Response::setStatus(403);
+                \OCP\JSON::error(array('success' => false));
+                exit();
+            }
+        }
+
+        $basePath = $path;
+
+        if ($relativePath !== null && Filesystem::isReadable($basePath . $relativePath)) {
+            $path .= Filesystem::normalizePath($relativePath);
+        }
+
+        return array(
+            'share' => $share,
+            'basePath' => $basePath,
+            'realPath' => $path
+        );
+    }
+
+    /**
+     * Authenticate link item with the given password
+     * or with the session if no password was given.
+     * @param \OCP\Share\IShare $share
+     * @param string $password optional password
+     *
+     * @return boolean true if authorized, false otherwise
+     */
+    public static function authenticate($share, $password = null) {
+        $shareManager = \OC::$server->getShareManager();
+
+        if ($password !== null) {
+            if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
+                if ($shareManager->checkPassword($share, $password)) {
+                    \OC::$server->getSession()->set('public_link_authenticated', (string)$share->getId());
+                    return true;
+                }
+            }
+        } else {
+            // not authenticated ?
+            if (\OC::$server->getSession()->exists('public_link_authenticated')
+                && \OC::$server->getSession()->get('public_link_authenticated') !== (string)$share->getId()) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public static function getSharesFromItem($target) {
+        $result = array();
+        $owner = Filesystem::getOwner($target);
+        Filesystem::initMountPoints($owner);
+        $info = Filesystem::getFileInfo($target);
+        $ownerView = new View('/'.$owner.'/files');
+        if ( $owner !== User::getUser() ) {
+            $path = $ownerView->getPath($info['fileid']);
+        } else {
+            $path = $target;
+        }
+
+
+        $ids = array();
+        while ($path !== dirname($path)) {
+            $info = $ownerView->getFileInfo($path);
+            if ($info instanceof \OC\Files\FileInfo) {
+                $ids[] = $info['fileid'];
+            } else {
+                \OCP\Util::writeLog('sharing', 'No fileinfo available for: ' . $path, \OCP\Util::WARN);
+            }
+            $path = dirname($path);
+        }
+
+        if (!empty($ids)) {
+
+            $idList = array_chunk($ids, 99, true);
+
+            foreach ($idList as $subList) {
+                $statement = "SELECT `share_with`, `share_type`, `file_target` FROM `*PREFIX*share` WHERE `file_source` IN (" . implode(',', $subList) . ") AND `share_type` IN (0, 1, 2)";
+                $query = \OCP\DB::prepare($statement);
+                $r = $query->execute();
+                $result = array_merge($result, $r->fetchAll());
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * get the UID of the owner of the file and the path to the file relative to
+     * owners files folder
+     *
+     * @param $filename
+     * @return array
+     * @throws \OC\User\NoUserException
+     */
+    public static function getUidAndFilename($filename) {
+        $uid = Filesystem::getOwner($filename);
+        $userManager = \OC::$server->getUserManager();
+        // if the user with the UID doesn't exists, e.g. because the UID points
+        // to a remote user with a federated cloud ID we use the current logged-in
+        // user. We need a valid local user to create the share
+        if (!$userManager->userExists($uid)) {
+            $uid = User::getUser();
+        }
+        Filesystem::initMountPoints($uid);
+        if ( $uid !== User::getUser() ) {
+            $info = Filesystem::getFileInfo($filename);
+            $ownerView = new View('/'.$uid.'/files');
+            try {
+                $filename = $ownerView->getPath($info['fileid']);
+            } catch (NotFoundException $e) {
+                $filename = null;
+            }
+        }
+        return [$uid, $filename];
+    }
+
+    /**
+     * Format a path to be relative to the /user/files/ directory
+     * @param string $path the absolute path
+     * @return string e.g. turns '/admin/files/test.txt' into 'test.txt'
+     */
+    public static function stripUserFilesPath($path) {
+        $trimmed = ltrim($path, '/');
+        $split = explode('/', $trimmed);
+
+        // it is not a file relative to data/user/files
+        if (count($split) < 3 || $split[1] !== 'files') {
+            return false;
+        }
+
+        $sliced = array_slice($split, 2);
+        return implode('/', $sliced);
+    }
+
+    /**
+     * check if file name already exists and generate unique target
+     *
+     * @param string $path
+     * @param array $excludeList
+     * @param View $view
+     * @return string $path
+     */
+    public static function generateUniqueTarget($path, $excludeList, $view) {
+        $pathinfo = pathinfo($path);
+        $ext = isset($pathinfo['extension']) ? '.'.$pathinfo['extension'] : '';
+        $name = $pathinfo['filename'];
+        $dir = $pathinfo['dirname'];
+        $i = 2;
+        while ($view->file_exists($path) || in_array($path, $excludeList)) {
+            $path = Filesystem::normalizePath($dir . '/' . $name . ' ('.$i.')' . $ext);
+            $i++;
+        }
+
+        return $path;
+    }
+
+    /**
+     * get default share folder
+     *
+     * @param \OC\Files\View
+     * @return string
+     */
+    public static function getShareFolder($view = null) {
+        if ($view === null) {
+            $view = Filesystem::getView();
+        }
+        $shareFolder = \OC::$server->getConfig()->getSystemValue('share_folder', '/');
+        $shareFolder = Filesystem::normalizePath($shareFolder);
+
+        if (!$view->file_exists($shareFolder)) {
+            $dir = '';
+            $subdirs = explode('/', $shareFolder);
+            foreach ($subdirs as $subdir) {
+                $dir = $dir . '/' . $subdir;
+                if (!$view->is_dir($dir)) {
+                    $view->mkdir($dir);
+                }
+            }
+        }
+
+        return $shareFolder;
+
+    }
+
+    /**
+     * set default share folder
+     *
+     * @param string $shareFolder
+     */
+    public static function setShareFolder($shareFolder) {
+        \OC::$server->getConfig()->setSystemValue('share_folder', $shareFolder);
+    }
 
 }

Please login to merge, or discard this patch.

apps/encryption/lib/Crypto/Crypt.php 2 patches

Indentation +633 added lines, -633 removed lines patch added patch discarded remove patch

@@ -55,638 +55,638 @@
 block discarded – undo
  */
 class Crypt {
 
-	const DEFAULT_CIPHER = 'AES-256-CTR';
-	// default cipher from old Nextcloud versions
-	const LEGACY_CIPHER = 'AES-128-CFB';
-
-	// default key format, old Nextcloud version encrypted the private key directly
-	// with the user password
-	const LEGACY_KEY_FORMAT = 'password';
-
-	const HEADER_START = 'HBEGIN';
-	const HEADER_END = 'HEND';
-
-	/** @var ILogger */
-	private $logger;
-
-	/** @var string */
-	private $user;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var array */
-	private $supportedKeyFormats;
-
-	/** @var IL10N */
-	private $l;
-
-	/** @var array */
-	private $supportedCiphersAndKeySize = [
-		'AES-256-CTR' => 32,
-		'AES-128-CTR' => 16,
-		'AES-256-CFB' => 32,
-		'AES-128-CFB' => 16,
-	];
-
-	/**
-	 * @param ILogger $logger
-	 * @param IUserSession $userSession
-	 * @param IConfig $config
-	 * @param IL10N $l
-	 */
-	public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) {
-		$this->logger = $logger;
-		$this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
-		$this->config = $config;
-		$this->l = $l;
-		$this->supportedKeyFormats = ['hash', 'password'];
-	}
-
-	/**
-	 * create new private/public key-pair for user
-	 *
-	 * @return array|bool
-	 */
-	public function createKeyPair() {
-
-		$log = $this->logger;
-		$res = $this->getOpenSSLPKey();
-
-		if (!$res) {
-			$log->error("Encryption Library couldn't generate users key-pair for {$this->user}",
-				['app' => 'encryption']);
-
-			if (openssl_error_string()) {
-				$log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
-					['app' => 'encryption']);
-			}
-		} elseif (openssl_pkey_export($res,
-			$privateKey,
-			null,
-			$this->getOpenSSLConfig())) {
-			$keyDetails = openssl_pkey_get_details($res);
-			$publicKey = $keyDetails['key'];
-
-			return [
-				'publicKey' => $publicKey,
-				'privateKey' => $privateKey
-			];
-		}
-		$log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
-			['app' => 'encryption']);
-		if (openssl_error_string()) {
-			$log->error('Encryption Library:' . openssl_error_string(),
-				['app' => 'encryption']);
-		}
-
-		return false;
-	}
-
-	/**
-	 * Generates a new private key
-	 *
-	 * @return resource
-	 */
-	public function getOpenSSLPKey() {
-		$config = $this->getOpenSSLConfig();
-		return openssl_pkey_new($config);
-	}
-
-	/**
-	 * get openSSL Config
-	 *
-	 * @return array
-	 */
-	private function getOpenSSLConfig() {
-		$config = ['private_key_bits' => 4096];
-		$config = array_merge(
-			$config,
-			$this->config->getSystemValue('openssl', [])
-		);
-		return $config;
-	}
-
-	/**
-	 * @param string $plainContent
-	 * @param string $passPhrase
-	 * @param int $version
-	 * @param int $position
-	 * @return false|string
-	 * @throws EncryptionFailedException
-	 */
-	public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) {
-
-		if (!$plainContent) {
-			$this->logger->error('Encryption Library, symmetrical encryption failed no content given',
-				['app' => 'encryption']);
-			return false;
-		}
-
-		$iv = $this->generateIv();
-
-		$encryptedContent = $this->encrypt($plainContent,
-			$iv,
-			$passPhrase,
-			$this->getCipher());
-
-		// Create a signature based on the key as well as the current version
-		$sig = $this->createSignature($encryptedContent, $passPhrase.$version.$position);
-
-		// combine content to encrypt the IV identifier and actual IV
-		$catFile = $this->concatIV($encryptedContent, $iv);
-		$catFile = $this->concatSig($catFile, $sig);
-		return $this->addPadding($catFile);
-	}
-
-	/**
-	 * generate header for encrypted file
-	 *
-	 * @param string $keyFormat (can be 'hash' or 'password')
-	 * @return string
-	 * @throws \InvalidArgumentException
-	 */
-	public function generateHeader($keyFormat = 'hash') {
-
-		if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
-			throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
-		}
-
-		$cipher = $this->getCipher();
-
-		$header = self::HEADER_START
-			. ':cipher:' . $cipher
-			. ':keyFormat:' . $keyFormat
-			. ':' . self::HEADER_END;
-
-		return $header;
-	}
-
-	/**
-	 * @param string $plainContent
-	 * @param string $iv
-	 * @param string $passPhrase
-	 * @param string $cipher
-	 * @return string
-	 * @throws EncryptionFailedException
-	 */
-	private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
-		$encryptedContent = openssl_encrypt($plainContent,
-			$cipher,
-			$passPhrase,
-			false,
-			$iv);
-
-		if (!$encryptedContent) {
-			$error = 'Encryption (symmetric) of content failed';
-			$this->logger->error($error . openssl_error_string(),
-				['app' => 'encryption']);
-			throw new EncryptionFailedException($error);
-		}
-
-		return $encryptedContent;
-	}
-
-	/**
-	 * return Cipher either from config.php or the default cipher defined in
-	 * this class
-	 *
-	 * @return string
-	 */
-	public function getCipher() {
-		$cipher = $this->config->getSystemValue('cipher', self::DEFAULT_CIPHER);
-		if (!isset($this->supportedCiphersAndKeySize[$cipher])) {
-			$this->logger->warning(
-					sprintf(
-							'Unsupported cipher (%s) defined in config.php supported. Falling back to %s',
-							$cipher,
-							self::DEFAULT_CIPHER
-					),
-				['app' => 'encryption']);
-			$cipher = self::DEFAULT_CIPHER;
-		}
-
-		// Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
-		if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
-			if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
-				$cipher = self::LEGACY_CIPHER;
-			}
-		}
-
-		return $cipher;
-	}
-
-	/**
-	 * get key size depending on the cipher
-	 *
-	 * @param string $cipher
-	 * @return int
-	 * @throws \InvalidArgumentException
-	 */
-	protected function getKeySize($cipher) {
-		if(isset($this->supportedCiphersAndKeySize[$cipher])) {
-			return $this->supportedCiphersAndKeySize[$cipher];
-		}
-
-		throw new \InvalidArgumentException(
-			sprintf(
-					'Unsupported cipher (%s) defined.',
-					$cipher
-			)
-		);
-	}
-
-	/**
-	 * get legacy cipher
-	 *
-	 * @return string
-	 */
-	public function getLegacyCipher() {
-		return self::LEGACY_CIPHER;
-	}
-
-	/**
-	 * @param string $encryptedContent
-	 * @param string $iv
-	 * @return string
-	 */
-	private function concatIV($encryptedContent, $iv) {
-		return $encryptedContent . '00iv00' . $iv;
-	}
-
-	/**
-	 * @param string $encryptedContent
-	 * @param string $signature
-	 * @return string
-	 */
-	private function concatSig($encryptedContent, $signature) {
-		return $encryptedContent . '00sig00' . $signature;
-	}
-
-	/**
-	 * Note: This is _NOT_ a padding used for encryption purposes. It is solely
-	 * used to achieve the PHP stream size. It has _NOTHING_ to do with the
-	 * encrypted content and is not used in any crypto primitive.
-	 *
-	 * @param string $data
-	 * @return string
-	 */
-	private function addPadding($data) {
-		return $data . 'xxx';
-	}
-
-	/**
-	 * generate password hash used to encrypt the users private key
-	 *
-	 * @param string $password
-	 * @param string $cipher
-	 * @param string $uid only used for user keys
-	 * @return string
-	 */
-	protected function generatePasswordHash($password, $cipher, $uid = '') {
-		$instanceId = $this->config->getSystemValue('instanceid');
-		$instanceSecret = $this->config->getSystemValue('secret');
-		$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
-		$keySize = $this->getKeySize($cipher);
-
-		$hash = hash_pbkdf2(
-			'sha256',
-			$password,
-			$salt,
-			100000,
-			$keySize,
-			true
-		);
-
-		return $hash;
-	}
-
-	/**
-	 * encrypt private key
-	 *
-	 * @param string $privateKey
-	 * @param string $password
-	 * @param string $uid for regular users, empty for system keys
-	 * @return false|string
-	 */
-	public function encryptPrivateKey($privateKey, $password, $uid = '') {
-		$cipher = $this->getCipher();
-		$hash = $this->generatePasswordHash($password, $cipher, $uid);
-		$encryptedKey = $this->symmetricEncryptFileContent(
-			$privateKey,
-			$hash,
-			0,
-			0
-		);
-
-		return $encryptedKey;
-	}
-
-	/**
-	 * @param string $privateKey
-	 * @param string $password
-	 * @param string $uid for regular users, empty for system keys
-	 * @return false|string
-	 */
-	public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
-
-		$header = $this->parseHeader($privateKey);
-
-		if (isset($header['cipher'])) {
-			$cipher = $header['cipher'];
-		} else {
-			$cipher = self::LEGACY_CIPHER;
-		}
-
-		if (isset($header['keyFormat'])) {
-			$keyFormat = $header['keyFormat'];
-		} else {
-			$keyFormat = self::LEGACY_KEY_FORMAT;
-		}
-
-		if ($keyFormat === 'hash') {
-			$password = $this->generatePasswordHash($password, $cipher, $uid);
-		}
-
-		// If we found a header we need to remove it from the key we want to decrypt
-		if (!empty($header)) {
-			$privateKey = substr($privateKey,
-				strpos($privateKey,
-					self::HEADER_END) + strlen(self::HEADER_END));
-		}
-
-		$plainKey = $this->symmetricDecryptFileContent(
-			$privateKey,
-			$password,
-			$cipher,
-			0
-		);
-
-		if ($this->isValidPrivateKey($plainKey) === false) {
-			return false;
-		}
-
-		return $plainKey;
-	}
-
-	/**
-	 * check if it is a valid private key
-	 *
-	 * @param string $plainKey
-	 * @return bool
-	 */
-	protected function isValidPrivateKey($plainKey) {
-		$res = openssl_get_privatekey($plainKey);
-		if (is_resource($res)) {
-			$sslInfo = openssl_pkey_get_details($res);
-			if (isset($sslInfo['key'])) {
-				return true;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * @param string $keyFileContents
-	 * @param string $passPhrase
-	 * @param string $cipher
-	 * @param int $version
-	 * @param int $position
-	 * @return string
-	 * @throws DecryptionFailedException
-	 */
-	public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) {
-		$catFile = $this->splitMetaData($keyFileContents, $cipher);
-
-		if ($catFile['signature'] !== false) {
-			$this->checkSignature($catFile['encrypted'], $passPhrase.$version.$position, $catFile['signature']);
-		}
-
-		return $this->decrypt($catFile['encrypted'],
-			$catFile['iv'],
-			$passPhrase,
-			$cipher);
-	}
-
-	/**
-	 * check for valid signature
-	 *
-	 * @param string $data
-	 * @param string $passPhrase
-	 * @param string $expectedSignature
-	 * @throws GenericEncryptionException
-	 */
-	private function checkSignature($data, $passPhrase, $expectedSignature) {
-		$signature = $this->createSignature($data, $passPhrase);
-		if (!hash_equals($expectedSignature, $signature)) {
-			throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
-		}
-	}
-
-	/**
-	 * create signature
-	 *
-	 * @param string $data
-	 * @param string $passPhrase
-	 * @return string
-	 */
-	private function createSignature($data, $passPhrase) {
-		$passPhrase = hash('sha512', $passPhrase . 'a', true);
-		return hash_hmac('sha256', $data, $passPhrase);
-	}
-
-
-	/**
-	 * remove padding
-	 *
-	 * @param string $padded
-	 * @param bool $hasSignature did the block contain a signature, in this case we use a different padding
-	 * @return string|false
-	 */
-	private function removePadding($padded, $hasSignature = false) {
-		if ($hasSignature === false && substr($padded, -2) === 'xx') {
-			return substr($padded, 0, -2);
-		} elseif ($hasSignature === true && substr($padded, -3) === 'xxx') {
-			return substr($padded, 0, -3);
-		}
-		return false;
-	}
-
-	/**
-	 * split meta data from encrypted file
-	 * Note: for now, we assume that the meta data always start with the iv
-	 *       followed by the signature, if available
-	 *
-	 * @param string $catFile
-	 * @param string $cipher
-	 * @return array
-	 */
-	private function splitMetaData($catFile, $cipher) {
-		if ($this->hasSignature($catFile, $cipher)) {
-			$catFile = $this->removePadding($catFile, true);
-			$meta = substr($catFile, -93);
-			$iv = substr($meta, strlen('00iv00'), 16);
-			$sig = substr($meta, 22 + strlen('00sig00'));
-			$encrypted = substr($catFile, 0, -93);
-		} else {
-			$catFile = $this->removePadding($catFile);
-			$meta = substr($catFile, -22);
-			$iv = substr($meta, -16);
-			$sig = false;
-			$encrypted = substr($catFile, 0, -22);
-		}
-
-		return [
-			'encrypted' => $encrypted,
-			'iv' => $iv,
-			'signature' => $sig
-		];
-	}
-
-	/**
-	 * check if encrypted block is signed
-	 *
-	 * @param string $catFile
-	 * @param string $cipher
-	 * @return bool
-	 * @throws GenericEncryptionException
-	 */
-	private function hasSignature($catFile, $cipher) {
-		$meta = substr($catFile, -93);
-		$signaturePosition = strpos($meta, '00sig00');
-
-		// enforce signature for the new 'CTR' ciphers
-		if ($signaturePosition === false && stripos($cipher, 'ctr') !== false) {
-			throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
-		}
-
-		return ($signaturePosition !== false);
-	}
-
-
-	/**
-	 * @param string $encryptedContent
-	 * @param string $iv
-	 * @param string $passPhrase
-	 * @param string $cipher
-	 * @return string
-	 * @throws DecryptionFailedException
-	 */
-	private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
-		$plainContent = openssl_decrypt($encryptedContent,
-			$cipher,
-			$passPhrase,
-			false,
-			$iv);
-
-		if ($plainContent) {
-			return $plainContent;
-		} else {
-			throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
-		}
-	}
-
-	/**
-	 * @param string $data
-	 * @return array
-	 */
-	protected function parseHeader($data) {
-		$result = [];
-
-		if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) {
-			$endAt = strpos($data, self::HEADER_END);
-			$header = substr($data, 0, $endAt + strlen(self::HEADER_END));
-
-			// +1 not to start with an ':' which would result in empty element at the beginning
-			$exploded = explode(':',
-				substr($header, strlen(self::HEADER_START) + 1));
-
-			$element = array_shift($exploded);
-
-			while ($element !== self::HEADER_END) {
-				$result[$element] = array_shift($exploded);
-				$element = array_shift($exploded);
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * generate initialization vector
-	 *
-	 * @return string
-	 * @throws GenericEncryptionException
-	 */
-	private function generateIv() {
-		return random_bytes(16);
-	}
-
-	/**
-	 * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used
-	 * as file key
-	 *
-	 * @return string
-	 * @throws \Exception
-	 */
-	public function generateFileKey() {
-		return random_bytes(32);
-	}
-
-	/**
-	 * @param $encKeyFile
-	 * @param $shareKey
-	 * @param $privateKey
-	 * @return string
-	 * @throws MultiKeyDecryptException
-	 */
-	public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) {
-		if (!$encKeyFile) {
-			throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content');
-		}
-
-		if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
-			return $plainContent;
-		} else {
-			throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
-		}
-	}
-
-	/**
-	 * @param string $plainContent
-	 * @param array $keyFiles
-	 * @return array
-	 * @throws MultiKeyEncryptException
-	 */
-	public function multiKeyEncrypt($plainContent, array $keyFiles) {
-		// openssl_seal returns false without errors if plaincontent is empty
-		// so trigger our own error
-		if (empty($plainContent)) {
-			throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content');
-		}
-
-		// Set empty vars to be set by openssl by reference
-		$sealed = '';
-		$shareKeys = [];
-		$mappedShareKeys = [];
-
-		if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles)) {
-			$i = 0;
-
-			// Ensure each shareKey is labelled with its corresponding key id
-			foreach ($keyFiles as $userId => $publicKey) {
-				$mappedShareKeys[$userId] = $shareKeys[$i];
-				$i++;
-			}
-
-			return [
-				'keys' => $mappedShareKeys,
-				'data' => $sealed
-			];
-		} else {
-			throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
-		}
-	}
+    const DEFAULT_CIPHER = 'AES-256-CTR';
+    // default cipher from old Nextcloud versions
+    const LEGACY_CIPHER = 'AES-128-CFB';
+
+    // default key format, old Nextcloud version encrypted the private key directly
+    // with the user password
+    const LEGACY_KEY_FORMAT = 'password';
+
+    const HEADER_START = 'HBEGIN';
+    const HEADER_END = 'HEND';
+
+    /** @var ILogger */
+    private $logger;
+
+    /** @var string */
+    private $user;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var array */
+    private $supportedKeyFormats;
+
+    /** @var IL10N */
+    private $l;
+
+    /** @var array */
+    private $supportedCiphersAndKeySize = [
+        'AES-256-CTR' => 32,
+        'AES-128-CTR' => 16,
+        'AES-256-CFB' => 32,
+        'AES-128-CFB' => 16,
+    ];
+
+    /**
+     * @param ILogger $logger
+     * @param IUserSession $userSession
+     * @param IConfig $config
+     * @param IL10N $l
+     */
+    public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) {
+        $this->logger = $logger;
+        $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
+        $this->config = $config;
+        $this->l = $l;
+        $this->supportedKeyFormats = ['hash', 'password'];
+    }
+
+    /**
+     * create new private/public key-pair for user
+     *
+     * @return array|bool
+     */
+    public function createKeyPair() {
+
+        $log = $this->logger;
+        $res = $this->getOpenSSLPKey();
+
+        if (!$res) {
+            $log->error("Encryption Library couldn't generate users key-pair for {$this->user}",
+                ['app' => 'encryption']);
+
+            if (openssl_error_string()) {
+                $log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
+                    ['app' => 'encryption']);
+            }
+        } elseif (openssl_pkey_export($res,
+            $privateKey,
+            null,
+            $this->getOpenSSLConfig())) {
+            $keyDetails = openssl_pkey_get_details($res);
+            $publicKey = $keyDetails['key'];
+
+            return [
+                'publicKey' => $publicKey,
+                'privateKey' => $privateKey
+            ];
+        }
+        $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
+            ['app' => 'encryption']);
+        if (openssl_error_string()) {
+            $log->error('Encryption Library:' . openssl_error_string(),
+                ['app' => 'encryption']);
+        }
+
+        return false;
+    }
+
+    /**
+     * Generates a new private key
+     *
+     * @return resource
+     */
+    public function getOpenSSLPKey() {
+        $config = $this->getOpenSSLConfig();
+        return openssl_pkey_new($config);
+    }
+
+    /**
+     * get openSSL Config
+     *
+     * @return array
+     */
+    private function getOpenSSLConfig() {
+        $config = ['private_key_bits' => 4096];
+        $config = array_merge(
+            $config,
+            $this->config->getSystemValue('openssl', [])
+        );
+        return $config;
+    }
+
+    /**
+     * @param string $plainContent
+     * @param string $passPhrase
+     * @param int $version
+     * @param int $position
+     * @return false|string
+     * @throws EncryptionFailedException
+     */
+    public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) {
+
+        if (!$plainContent) {
+            $this->logger->error('Encryption Library, symmetrical encryption failed no content given',
+                ['app' => 'encryption']);
+            return false;
+        }
+
+        $iv = $this->generateIv();
+
+        $encryptedContent = $this->encrypt($plainContent,
+            $iv,
+            $passPhrase,
+            $this->getCipher());
+
+        // Create a signature based on the key as well as the current version
+        $sig = $this->createSignature($encryptedContent, $passPhrase.$version.$position);
+
+        // combine content to encrypt the IV identifier and actual IV
+        $catFile = $this->concatIV($encryptedContent, $iv);
+        $catFile = $this->concatSig($catFile, $sig);
+        return $this->addPadding($catFile);
+    }
+
+    /**
+     * generate header for encrypted file
+     *
+     * @param string $keyFormat (can be 'hash' or 'password')
+     * @return string
+     * @throws \InvalidArgumentException
+     */
+    public function generateHeader($keyFormat = 'hash') {
+
+        if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
+            throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
+        }
+
+        $cipher = $this->getCipher();
+
+        $header = self::HEADER_START
+            . ':cipher:' . $cipher
+            . ':keyFormat:' . $keyFormat
+            . ':' . self::HEADER_END;
+
+        return $header;
+    }
+
+    /**
+     * @param string $plainContent
+     * @param string $iv
+     * @param string $passPhrase
+     * @param string $cipher
+     * @return string
+     * @throws EncryptionFailedException
+     */
+    private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
+        $encryptedContent = openssl_encrypt($plainContent,
+            $cipher,
+            $passPhrase,
+            false,
+            $iv);
+
+        if (!$encryptedContent) {
+            $error = 'Encryption (symmetric) of content failed';
+            $this->logger->error($error . openssl_error_string(),
+                ['app' => 'encryption']);
+            throw new EncryptionFailedException($error);
+        }
+
+        return $encryptedContent;
+    }
+
+    /**
+     * return Cipher either from config.php or the default cipher defined in
+     * this class
+     *
+     * @return string
+     */
+    public function getCipher() {
+        $cipher = $this->config->getSystemValue('cipher', self::DEFAULT_CIPHER);
+        if (!isset($this->supportedCiphersAndKeySize[$cipher])) {
+            $this->logger->warning(
+                    sprintf(
+                            'Unsupported cipher (%s) defined in config.php supported. Falling back to %s',
+                            $cipher,
+                            self::DEFAULT_CIPHER
+                    ),
+                ['app' => 'encryption']);
+            $cipher = self::DEFAULT_CIPHER;
+        }
+
+        // Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
+        if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
+            if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
+                $cipher = self::LEGACY_CIPHER;
+            }
+        }
+
+        return $cipher;
+    }
+
+    /**
+     * get key size depending on the cipher
+     *
+     * @param string $cipher
+     * @return int
+     * @throws \InvalidArgumentException
+     */
+    protected function getKeySize($cipher) {
+        if(isset($this->supportedCiphersAndKeySize[$cipher])) {
+            return $this->supportedCiphersAndKeySize[$cipher];
+        }
+
+        throw new \InvalidArgumentException(
+            sprintf(
+                    'Unsupported cipher (%s) defined.',
+                    $cipher
+            )
+        );
+    }
+
+    /**
+     * get legacy cipher
+     *
+     * @return string
+     */
+    public function getLegacyCipher() {
+        return self::LEGACY_CIPHER;
+    }
+
+    /**
+     * @param string $encryptedContent
+     * @param string $iv
+     * @return string
+     */
+    private function concatIV($encryptedContent, $iv) {
+        return $encryptedContent . '00iv00' . $iv;
+    }
+
+    /**
+     * @param string $encryptedContent
+     * @param string $signature
+     * @return string
+     */
+    private function concatSig($encryptedContent, $signature) {
+        return $encryptedContent . '00sig00' . $signature;
+    }
+
+    /**
+     * Note: This is _NOT_ a padding used for encryption purposes. It is solely
+     * used to achieve the PHP stream size. It has _NOTHING_ to do with the
+     * encrypted content and is not used in any crypto primitive.
+     *
+     * @param string $data
+     * @return string
+     */
+    private function addPadding($data) {
+        return $data . 'xxx';
+    }
+
+    /**
+     * generate password hash used to encrypt the users private key
+     *
+     * @param string $password
+     * @param string $cipher
+     * @param string $uid only used for user keys
+     * @return string
+     */
+    protected function generatePasswordHash($password, $cipher, $uid = '') {
+        $instanceId = $this->config->getSystemValue('instanceid');
+        $instanceSecret = $this->config->getSystemValue('secret');
+        $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
+        $keySize = $this->getKeySize($cipher);
+
+        $hash = hash_pbkdf2(
+            'sha256',
+            $password,
+            $salt,
+            100000,
+            $keySize,
+            true
+        );
+
+        return $hash;
+    }
+
+    /**
+     * encrypt private key
+     *
+     * @param string $privateKey
+     * @param string $password
+     * @param string $uid for regular users, empty for system keys
+     * @return false|string
+     */
+    public function encryptPrivateKey($privateKey, $password, $uid = '') {
+        $cipher = $this->getCipher();
+        $hash = $this->generatePasswordHash($password, $cipher, $uid);
+        $encryptedKey = $this->symmetricEncryptFileContent(
+            $privateKey,
+            $hash,
+            0,
+            0
+        );
+
+        return $encryptedKey;
+    }
+
+    /**
+     * @param string $privateKey
+     * @param string $password
+     * @param string $uid for regular users, empty for system keys
+     * @return false|string
+     */
+    public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
+
+        $header = $this->parseHeader($privateKey);
+
+        if (isset($header['cipher'])) {
+            $cipher = $header['cipher'];
+        } else {
+            $cipher = self::LEGACY_CIPHER;
+        }
+
+        if (isset($header['keyFormat'])) {
+            $keyFormat = $header['keyFormat'];
+        } else {
+            $keyFormat = self::LEGACY_KEY_FORMAT;
+        }
+
+        if ($keyFormat === 'hash') {
+            $password = $this->generatePasswordHash($password, $cipher, $uid);
+        }
+
+        // If we found a header we need to remove it from the key we want to decrypt
+        if (!empty($header)) {
+            $privateKey = substr($privateKey,
+                strpos($privateKey,
+                    self::HEADER_END) + strlen(self::HEADER_END));
+        }
+
+        $plainKey = $this->symmetricDecryptFileContent(
+            $privateKey,
+            $password,
+            $cipher,
+            0
+        );
+
+        if ($this->isValidPrivateKey($plainKey) === false) {
+            return false;
+        }
+
+        return $plainKey;
+    }
+
+    /**
+     * check if it is a valid private key
+     *
+     * @param string $plainKey
+     * @return bool
+     */
+    protected function isValidPrivateKey($plainKey) {
+        $res = openssl_get_privatekey($plainKey);
+        if (is_resource($res)) {
+            $sslInfo = openssl_pkey_get_details($res);
+            if (isset($sslInfo['key'])) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @param string $keyFileContents
+     * @param string $passPhrase
+     * @param string $cipher
+     * @param int $version
+     * @param int $position
+     * @return string
+     * @throws DecryptionFailedException
+     */
+    public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) {
+        $catFile = $this->splitMetaData($keyFileContents, $cipher);
+
+        if ($catFile['signature'] !== false) {
+            $this->checkSignature($catFile['encrypted'], $passPhrase.$version.$position, $catFile['signature']);
+        }
+
+        return $this->decrypt($catFile['encrypted'],
+            $catFile['iv'],
+            $passPhrase,
+            $cipher);
+    }
+
+    /**
+     * check for valid signature
+     *
+     * @param string $data
+     * @param string $passPhrase
+     * @param string $expectedSignature
+     * @throws GenericEncryptionException
+     */
+    private function checkSignature($data, $passPhrase, $expectedSignature) {
+        $signature = $this->createSignature($data, $passPhrase);
+        if (!hash_equals($expectedSignature, $signature)) {
+            throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
+        }
+    }
+
+    /**
+     * create signature
+     *
+     * @param string $data
+     * @param string $passPhrase
+     * @return string
+     */
+    private function createSignature($data, $passPhrase) {
+        $passPhrase = hash('sha512', $passPhrase . 'a', true);
+        return hash_hmac('sha256', $data, $passPhrase);
+    }
+
+
+    /**
+     * remove padding
+     *
+     * @param string $padded
+     * @param bool $hasSignature did the block contain a signature, in this case we use a different padding
+     * @return string|false
+     */
+    private function removePadding($padded, $hasSignature = false) {
+        if ($hasSignature === false && substr($padded, -2) === 'xx') {
+            return substr($padded, 0, -2);
+        } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') {
+            return substr($padded, 0, -3);
+        }
+        return false;
+    }
+
+    /**
+     * split meta data from encrypted file
+     * Note: for now, we assume that the meta data always start with the iv
+     *       followed by the signature, if available
+     *
+     * @param string $catFile
+     * @param string $cipher
+     * @return array
+     */
+    private function splitMetaData($catFile, $cipher) {
+        if ($this->hasSignature($catFile, $cipher)) {
+            $catFile = $this->removePadding($catFile, true);
+            $meta = substr($catFile, -93);
+            $iv = substr($meta, strlen('00iv00'), 16);
+            $sig = substr($meta, 22 + strlen('00sig00'));
+            $encrypted = substr($catFile, 0, -93);
+        } else {
+            $catFile = $this->removePadding($catFile);
+            $meta = substr($catFile, -22);
+            $iv = substr($meta, -16);
+            $sig = false;
+            $encrypted = substr($catFile, 0, -22);
+        }
+
+        return [
+            'encrypted' => $encrypted,
+            'iv' => $iv,
+            'signature' => $sig
+        ];
+    }
+
+    /**
+     * check if encrypted block is signed
+     *
+     * @param string $catFile
+     * @param string $cipher
+     * @return bool
+     * @throws GenericEncryptionException
+     */
+    private function hasSignature($catFile, $cipher) {
+        $meta = substr($catFile, -93);
+        $signaturePosition = strpos($meta, '00sig00');
+
+        // enforce signature for the new 'CTR' ciphers
+        if ($signaturePosition === false && stripos($cipher, 'ctr') !== false) {
+            throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
+        }
+
+        return ($signaturePosition !== false);
+    }
+
+
+    /**
+     * @param string $encryptedContent
+     * @param string $iv
+     * @param string $passPhrase
+     * @param string $cipher
+     * @return string
+     * @throws DecryptionFailedException
+     */
+    private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
+        $plainContent = openssl_decrypt($encryptedContent,
+            $cipher,
+            $passPhrase,
+            false,
+            $iv);
+
+        if ($plainContent) {
+            return $plainContent;
+        } else {
+            throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
+        }
+    }
+
+    /**
+     * @param string $data
+     * @return array
+     */
+    protected function parseHeader($data) {
+        $result = [];
+
+        if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) {
+            $endAt = strpos($data, self::HEADER_END);
+            $header = substr($data, 0, $endAt + strlen(self::HEADER_END));
+
+            // +1 not to start with an ':' which would result in empty element at the beginning
+            $exploded = explode(':',
+                substr($header, strlen(self::HEADER_START) + 1));
+
+            $element = array_shift($exploded);
+
+            while ($element !== self::HEADER_END) {
+                $result[$element] = array_shift($exploded);
+                $element = array_shift($exploded);
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * generate initialization vector
+     *
+     * @return string
+     * @throws GenericEncryptionException
+     */
+    private function generateIv() {
+        return random_bytes(16);
+    }
+
+    /**
+     * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used
+     * as file key
+     *
+     * @return string
+     * @throws \Exception
+     */
+    public function generateFileKey() {
+        return random_bytes(32);
+    }
+
+    /**
+     * @param $encKeyFile
+     * @param $shareKey
+     * @param $privateKey
+     * @return string
+     * @throws MultiKeyDecryptException
+     */
+    public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) {
+        if (!$encKeyFile) {
+            throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content');
+        }
+
+        if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
+            return $plainContent;
+        } else {
+            throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
+        }
+    }
+
+    /**
+     * @param string $plainContent
+     * @param array $keyFiles
+     * @return array
+     * @throws MultiKeyEncryptException
+     */
+    public function multiKeyEncrypt($plainContent, array $keyFiles) {
+        // openssl_seal returns false without errors if plaincontent is empty
+        // so trigger our own error
+        if (empty($plainContent)) {
+            throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content');
+        }
+
+        // Set empty vars to be set by openssl by reference
+        $sealed = '';
+        $shareKeys = [];
+        $mappedShareKeys = [];
+
+        if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles)) {
+            $i = 0;
+
+            // Ensure each shareKey is labelled with its corresponding key id
+            foreach ($keyFiles as $userId => $publicKey) {
+                $mappedShareKeys[$userId] = $shareKeys[$i];
+                $i++;
+            }
+
+            return [
+                'keys' => $mappedShareKeys,
+                'data' => $sealed
+            ];
+        } else {
+            throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
+        }
+    }
 }
 

Please login to merge, or discard this patch.

Spacing +19 added lines, -19 removed lines patch added patch discarded remove patch

@@ -118,7 +118,7 @@  discard block
 block discarded – undo
 				['app' => 'encryption']);
 
 			if (openssl_error_string()) {
-				$log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
+				$log->error('Encryption library openssl_pkey_new() fails: '.openssl_error_string(),
 					['app' => 'encryption']);
 			}
 		} elseif (openssl_pkey_export($res,
@@ -133,10 +133,10 @@  discard block
 block discarded – undo
 				'privateKey' => $privateKey
 			];
 		}
-		$log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
+		$log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.'.$this->user,
 			['app' => 'encryption']);
 		if (openssl_error_string()) {
-			$log->error('Encryption Library:' . openssl_error_string(),
+			$log->error('Encryption Library:'.openssl_error_string(),
 				['app' => 'encryption']);
 		}
 
@@ -209,15 +209,15 @@  discard block
 block discarded – undo
 	public function generateHeader($keyFormat = 'hash') {
 
 		if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
-			throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
+			throw new \InvalidArgumentException('key format "'.$keyFormat.'" is not supported');
 		}
 
 		$cipher = $this->getCipher();
 
 		$header = self::HEADER_START
-			. ':cipher:' . $cipher
-			. ':keyFormat:' . $keyFormat
-			. ':' . self::HEADER_END;
+			. ':cipher:'.$cipher
+			. ':keyFormat:'.$keyFormat
+			. ':'.self::HEADER_END;
 
 		return $header;
 	}
@@ -239,7 +239,7 @@  discard block
 block discarded – undo
 
 		if (!$encryptedContent) {
 			$error = 'Encryption (symmetric) of content failed';
-			$this->logger->error($error . openssl_error_string(),
+			$this->logger->error($error.openssl_error_string(),
 				['app' => 'encryption']);
 			throw new EncryptionFailedException($error);
 		}
@@ -267,8 +267,8 @@  discard block
 block discarded – undo
 		}
 
 		// Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
-		if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
-			if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
+		if (OPENSSL_VERSION_NUMBER < 0x1000101f) {
+			if ($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
 				$cipher = self::LEGACY_CIPHER;
 			}
 		}
@@ -284,7 +284,7 @@  discard block
 block discarded – undo
 	 * @throws \InvalidArgumentException
 	 */
 	protected function getKeySize($cipher) {
-		if(isset($this->supportedCiphersAndKeySize[$cipher])) {
+		if (isset($this->supportedCiphersAndKeySize[$cipher])) {
 			return $this->supportedCiphersAndKeySize[$cipher];
 		}
 
@@ -311,7 +311,7 @@  discard block
 block discarded – undo
 	 * @return string
 	 */
 	private function concatIV($encryptedContent, $iv) {
-		return $encryptedContent . '00iv00' . $iv;
+		return $encryptedContent.'00iv00'.$iv;
 	}
 
 	/**
@@ -320,7 +320,7 @@  discard block
 block discarded – undo
 	 * @return string
 	 */
 	private function concatSig($encryptedContent, $signature) {
-		return $encryptedContent . '00sig00' . $signature;
+		return $encryptedContent.'00sig00'.$signature;
 	}
 
 	/**
@@ -332,7 +332,7 @@  discard block
 block discarded – undo
 	 * @return string
 	 */
 	private function addPadding($data) {
-		return $data . 'xxx';
+		return $data.'xxx';
 	}
 
 	/**
@@ -346,7 +346,7 @@  discard block
 block discarded – undo
 	protected function generatePasswordHash($password, $cipher, $uid = '') {
 		$instanceId = $this->config->getSystemValue('instanceid');
 		$instanceSecret = $this->config->getSystemValue('secret');
-		$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
+		$salt = hash('sha256', $uid.$instanceId.$instanceSecret, true);
 		$keySize = $this->getKeySize($cipher);
 
 		$hash = hash_pbkdf2(
@@ -492,7 +492,7 @@  discard block
 block discarded – undo
 	 * @return string
 	 */
 	private function createSignature($data, $passPhrase) {
-		$passPhrase = hash('sha512', $passPhrase . 'a', true);
+		$passPhrase = hash('sha512', $passPhrase.'a', true);
 		return hash_hmac('sha256', $data, $passPhrase);
 	}
 
@@ -583,7 +583,7 @@  discard block
 block discarded – undo
 		if ($plainContent) {
 			return $plainContent;
 		} else {
-			throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
+			throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: '.openssl_error_string());
 		}
 	}
 
@@ -649,7 +649,7 @@  discard block
 block discarded – undo
 		if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
 			return $plainContent;
 		} else {
-			throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
+			throw new MultiKeyDecryptException('multikeydecrypt with share key failed:'.openssl_error_string());
 		}
 	}
 
@@ -685,7 +685,7 @@  discard block
 block discarded – undo
 				'data' => $sealed
 			];
 		} else {
-			throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
+			throw new MultiKeyEncryptException('multikeyencryption failed '.openssl_error_string());
 		}
 	}
 }

Please login to merge, or discard this patch.

		@@ -43,195 +43,195 @@
		block discarded – undo
43	43	* @package OCA\User_LDAP\Jobs;
44	44	*/
45	45	class CleanUp extends TimedJob {
46		- /** @var int $limit amount of users that should be checked per run */
47		- protected $limit = 50;
48		-
49		- /** @var int $defaultIntervalMin default interval in minutes */
50		- protected $defaultIntervalMin = 51;
51		-
52		- /** @var User_LDAP\|User_Proxy $userBackend */
53		- protected $userBackend;
54		-
55		- /** @var \OCP\IConfig $ocConfig */
56		- protected $ocConfig;
57		-
58		- /** @var \OCP\IDBConnection $db */
59		- protected $db;
60		-
61		- /** @var Helper $ldapHelper */
62		- protected $ldapHelper;
63		-
64		- /** @var \OCA\User_LDAP\Mapping\UserMapping */
65		- protected $mapping;
66		-
67		- /** @var \OCA\User_LDAP\User\DeletedUsersIndex */
68		- protected $dui;
69		-
70		- public function __construct() {
71		- $minutes = \OC::$server->getConfig()->getSystemValue(
72		- 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
73		- $this->setInterval((int)$minutes * 60);
74		- }
75		-
76		- /**
77		- * assigns the instances passed to run() to the class properties
78		- * @param array $arguments
79		- */
80		- public function setArguments($arguments) {
81		- //Dependency Injection is not possible, because the constructor will
82		- //only get values that are serialized to JSON. I.e. whatever we would
83		- //pass in app.php we do add here, except something else is passed e.g.
84		- //in tests.
85		-
86		- if(isset($arguments['helper'])) {
87		- $this->ldapHelper = $arguments['helper'];
88		- } else {
89		- $this->ldapHelper = new Helper(\OC::$server->getConfig());
90		- }
91		-
92		- if(isset($arguments['ocConfig'])) {
93		- $this->ocConfig = $arguments['ocConfig'];
94		- } else {
95		- $this->ocConfig = \OC::$server->getConfig();
96		- }
97		-
98		- if(isset($arguments['userBackend'])) {
99		- $this->userBackend = $arguments['userBackend'];
100		- } else {
101		- $this->userBackend = new User_Proxy(
102		- $this->ldapHelper->getServerConfigurationPrefixes(true),
103		- new LDAP(),
104		- $this->ocConfig,
105		- \OC::$server->getNotificationManager(),
106		- \OC::$server->getUserSession(),
107		- \OC::$server->query('LDAPUserPluginManager')
108		- );
109		- }
110		-
111		- if(isset($arguments['db'])) {
112		- $this->db = $arguments['db'];
113		- } else {
114		- $this->db = \OC::$server->getDatabaseConnection();
115		- }
116		-
117		- if(isset($arguments['mapping'])) {
118		- $this->mapping = $arguments['mapping'];
119		- } else {
120		- $this->mapping = new UserMapping($this->db);
121		- }
122		-
123		- if(isset($arguments['deletedUsersIndex'])) {
124		- $this->dui = $arguments['deletedUsersIndex'];
125		- } else {
126		- $this->dui = new DeletedUsersIndex(
127		- $this->ocConfig, $this->db, $this->mapping);
128		- }
129		- }
130		-
131		- /**
132		- * makes the background job do its work
133		- * @param array $argument
134		- */
135		- public function run($argument) {
136		- $this->setArguments($argument);
137		-
138		- if(!$this->isCleanUpAllowed()) {
139		- return;
140		- }
141		- $users = $this->mapping->getList($this->getOffset(), $this->limit);
142		- if(!is_array($users)) {
143		- //something wrong? Let's start from the beginning next time and
144		- //abort
145		- $this->setOffset(true);
146		- return;
147		- }
148		- $resetOffset = $this->isOffsetResetNecessary(count($users));
149		- $this->checkUsers($users);
150		- $this->setOffset($resetOffset);
151		- }
152		-
153		- /**
154		- * checks whether next run should start at 0 again
155		- * @param int $resultCount
156		- * @return bool
157		- */
158		- public function isOffsetResetNecessary($resultCount) {
159		- return $resultCount < $this->limit;
160		- }
161		-
162		- /**
163		- * checks whether cleaning up LDAP users is allowed
164		- * @return bool
165		- */
166		- public function isCleanUpAllowed() {
167		- try {
168		- if($this->ldapHelper->haveDisabledConfigurations()) {
169		- return false;
170		- }
171		- } catch (\Exception $e) {
172		- return false;
173		- }
174		-
175		- return $this->isCleanUpEnabled();
176		- }
177		-
178		- /**
179		- * checks whether clean up is enabled by configuration
180		- * @return bool
181		- */
182		- private function isCleanUpEnabled() {
183		- return (bool)$this->ocConfig->getSystemValue(
184		- 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
185		- }
186		-
187		- /**
188		- * checks users whether they are still existing
189		- * @param array $users result from getMappedUsers()
190		- */
191		- private function checkUsers(array $users) {
192		- foreach($users as $user) {
193		- $this->checkUser($user);
194		- }
195		- }
196		-
197		- /**
198		- * checks whether a user is still existing in LDAP
199		- * @param string[] $user
200		- */
201		- private function checkUser(array $user) {
202		- if($this->userBackend->userExistsOnLDAP($user['name'])) {
203		- //still available, all good
204		-
205		- return;
206		- }
207		-
208		- $this->dui->markUser($user['name']);
209		- }
210		-
211		- /**
212		- * gets the offset to fetch users from the mappings table
213		- * @return int
214		- */
215		- private function getOffset() {
216		- return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0);
217		- }
218		-
219		- /**
220		- * sets the new offset for the next run
221		- * @param bool $reset whether the offset should be set to 0
222		- */
223		- public function setOffset($reset = false) {
224		- $newOffset = $reset ? 0 :
225		- $this->getOffset() + $this->limit;
226		- $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset);
227		- }
228		-
229		- /**
230		- * returns the chunk size (limit in DB speak)
231		- * @return int
232		- */
233		- public function getChunkSize() {
234		- return $this->limit;
235		- }
	46	+ /** @var int $limit amount of users that should be checked per run */
	47	+ protected $limit = 50;
	48	+
	49	+ /** @var int $defaultIntervalMin default interval in minutes */
	50	+ protected $defaultIntervalMin = 51;
	51	+
	52	+ /** @var User_LDAP\|User_Proxy $userBackend */
	53	+ protected $userBackend;
	54	+
	55	+ /** @var \OCP\IConfig $ocConfig */
	56	+ protected $ocConfig;
	57	+
	58	+ /** @var \OCP\IDBConnection $db */
	59	+ protected $db;
	60	+
	61	+ /** @var Helper $ldapHelper */
	62	+ protected $ldapHelper;
	63	+
	64	+ /** @var \OCA\User_LDAP\Mapping\UserMapping */
	65	+ protected $mapping;
	66	+
	67	+ /** @var \OCA\User_LDAP\User\DeletedUsersIndex */
	68	+ protected $dui;
	69	+
	70	+ public function __construct() {
	71	+ $minutes = \OC::$server->getConfig()->getSystemValue(
	72	+ 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
	73	+ $this->setInterval((int)$minutes * 60);
	74	+ }
	75	+
	76	+ /**
	77	+ * assigns the instances passed to run() to the class properties
	78	+ * @param array $arguments
	79	+ */
	80	+ public function setArguments($arguments) {
	81	+ //Dependency Injection is not possible, because the constructor will
	82	+ //only get values that are serialized to JSON. I.e. whatever we would
	83	+ //pass in app.php we do add here, except something else is passed e.g.
	84	+ //in tests.
	85	+
	86	+ if(isset($arguments['helper'])) {
	87	+ $this->ldapHelper = $arguments['helper'];
	88	+ } else {
	89	+ $this->ldapHelper = new Helper(\OC::$server->getConfig());
	90	+ }
	91	+
	92	+ if(isset($arguments['ocConfig'])) {
	93	+ $this->ocConfig = $arguments['ocConfig'];
	94	+ } else {
	95	+ $this->ocConfig = \OC::$server->getConfig();
	96	+ }
	97	+
	98	+ if(isset($arguments['userBackend'])) {
	99	+ $this->userBackend = $arguments['userBackend'];
	100	+ } else {
	101	+ $this->userBackend = new User_Proxy(
	102	+ $this->ldapHelper->getServerConfigurationPrefixes(true),
	103	+ new LDAP(),
	104	+ $this->ocConfig,
	105	+ \OC::$server->getNotificationManager(),
	106	+ \OC::$server->getUserSession(),
	107	+ \OC::$server->query('LDAPUserPluginManager')
	108	+ );
	109	+ }
	110	+
	111	+ if(isset($arguments['db'])) {
	112	+ $this->db = $arguments['db'];
	113	+ } else {
	114	+ $this->db = \OC::$server->getDatabaseConnection();
	115	+ }
	116	+
	117	+ if(isset($arguments['mapping'])) {
	118	+ $this->mapping = $arguments['mapping'];
	119	+ } else {
	120	+ $this->mapping = new UserMapping($this->db);
	121	+ }
	122	+
	123	+ if(isset($arguments['deletedUsersIndex'])) {
	124	+ $this->dui = $arguments['deletedUsersIndex'];
	125	+ } else {
	126	+ $this->dui = new DeletedUsersIndex(
	127	+ $this->ocConfig, $this->db, $this->mapping);
	128	+ }
	129	+ }
	130	+
	131	+ /**
	132	+ * makes the background job do its work
	133	+ * @param array $argument
	134	+ */
	135	+ public function run($argument) {
	136	+ $this->setArguments($argument);
	137	+
	138	+ if(!$this->isCleanUpAllowed()) {
	139	+ return;
	140	+ }
	141	+ $users = $this->mapping->getList($this->getOffset(), $this->limit);
	142	+ if(!is_array($users)) {
	143	+ //something wrong? Let's start from the beginning next time and
	144	+ //abort
	145	+ $this->setOffset(true);
	146	+ return;
	147	+ }
	148	+ $resetOffset = $this->isOffsetResetNecessary(count($users));
	149	+ $this->checkUsers($users);
	150	+ $this->setOffset($resetOffset);
	151	+ }
	152	+
	153	+ /**
	154	+ * checks whether next run should start at 0 again
	155	+ * @param int $resultCount
	156	+ * @return bool
	157	+ */
	158	+ public function isOffsetResetNecessary($resultCount) {
	159	+ return $resultCount < $this->limit;
	160	+ }
	161	+
	162	+ /**
	163	+ * checks whether cleaning up LDAP users is allowed
	164	+ * @return bool
	165	+ */
	166	+ public function isCleanUpAllowed() {
	167	+ try {
	168	+ if($this->ldapHelper->haveDisabledConfigurations()) {
	169	+ return false;
	170	+ }
	171	+ } catch (\Exception $e) {
	172	+ return false;
	173	+ }
	174	+
	175	+ return $this->isCleanUpEnabled();
	176	+ }
	177	+
	178	+ /**
	179	+ * checks whether clean up is enabled by configuration
	180	+ * @return bool
	181	+ */
	182	+ private function isCleanUpEnabled() {
	183	+ return (bool)$this->ocConfig->getSystemValue(
	184	+ 'ldapUserCleanupInterval', (string)$this->defaultIntervalMin);
	185	+ }
	186	+
	187	+ /**
	188	+ * checks users whether they are still existing
	189	+ * @param array $users result from getMappedUsers()
	190	+ */
	191	+ private function checkUsers(array $users) {
	192	+ foreach($users as $user) {
	193	+ $this->checkUser($user);
	194	+ }
	195	+ }
	196	+
	197	+ /**
	198	+ * checks whether a user is still existing in LDAP
	199	+ * @param string[] $user
	200	+ */
	201	+ private function checkUser(array $user) {
	202	+ if($this->userBackend->userExistsOnLDAP($user['name'])) {
	203	+ //still available, all good
	204	+
	205	+ return;
	206	+ }
	207	+
	208	+ $this->dui->markUser($user['name']);
	209	+ }
	210	+
	211	+ /**
	212	+ * gets the offset to fetch users from the mappings table
	213	+ * @return int
	214	+ */
	215	+ private function getOffset() {
	216	+ return (int)$this->ocConfig->getAppValue('user_ldap', 'cleanUpJobOffset', 0);
	217	+ }
	218	+
	219	+ /**
	220	+ * sets the new offset for the next run
	221	+ * @param bool $reset whether the offset should be set to 0
	222	+ */
	223	+ public function setOffset($reset = false) {
	224	+ $newOffset = $reset ? 0 :
	225	+ $this->getOffset() + $this->limit;
	226	+ $this->ocConfig->setAppValue('user_ldap', 'cleanUpJobOffset', $newOffset);
	227	+ }
	228	+
	229	+ /**
	230	+ * returns the chunk size (limit in DB speak)
	231	+ * @return int
	232	+ */
	233	+ public function getChunkSize() {
	234	+ return $this->limit;
	235	+ }
236	236
237	237	}

		@@ -30,66 +30,66 @@
		block discarded – undo
30	30	use Sabre\DAV\ICollection;
31	31
32	32	class UploadHome implements ICollection {
33		- /**
34		- * UploadHome constructor.
35		- *
36		- * @param array $principalInfo
37		- */
38		- public function __construct($principalInfo) {
39		- $this->principalInfo = $principalInfo;
40		- }
	33	+ /**
	34	+ * UploadHome constructor.
	35	+ *
	36	+ * @param array $principalInfo
	37	+ */
	38	+ public function __construct($principalInfo) {
	39	+ $this->principalInfo = $principalInfo;
	40	+ }
41	41
42		- function createFile($name, $data = null) {
43		- throw new Forbidden('Permission denied to create file (filename ' . $name . ')');
44		- }
	42	+ function createFile($name, $data = null) {
	43	+ throw new Forbidden('Permission denied to create file (filename ' . $name . ')');
	44	+ }
45	45
46		- function createDirectory($name) {
47		- $this->impl()->createDirectory($name);
48		- }
	46	+ function createDirectory($name) {
	47	+ $this->impl()->createDirectory($name);
	48	+ }
49	49
50		- function getChild($name) {
51		- return new UploadFolder($this->impl()->getChild($name));
52		- }
	50	+ function getChild($name) {
	51	+ return new UploadFolder($this->impl()->getChild($name));
	52	+ }
53	53
54		- function getChildren() {
55		- return array_map(function($node) {
56		- return new UploadFolder($node);
57		- }, $this->impl()->getChildren());
58		- }
	54	+ function getChildren() {
	55	+ return array_map(function($node) {
	56	+ return new UploadFolder($node);
	57	+ }, $this->impl()->getChildren());
	58	+ }
59	59
60		- function childExists($name) {
61		- return !is_null($this->getChild($name));
62		- }
	60	+ function childExists($name) {
	61	+ return !is_null($this->getChild($name));
	62	+ }
63	63
64		- function delete() {
65		- $this->impl()->delete();
66		- }
	64	+ function delete() {
	65	+ $this->impl()->delete();
	66	+ }
67	67
68		- function getName() {
69		- list(,$name) = \Sabre\Uri\split($this->principalInfo['uri']);
70		- return $name;
71		- }
	68	+ function getName() {
	69	+ list(,$name) = \Sabre\Uri\split($this->principalInfo['uri']);
	70	+ return $name;
	71	+ }
72	72
73		- function setName($name) {
74		- throw new Forbidden('Permission denied to rename this folder');
75		- }
	73	+ function setName($name) {
	74	+ throw new Forbidden('Permission denied to rename this folder');
	75	+ }
76	76
77		- function getLastModified() {
78		- return $this->impl()->getLastModified();
79		- }
	77	+ function getLastModified() {
	78	+ return $this->impl()->getLastModified();
	79	+ }
80	80
81		- /**
82		- * @return Directory
83		- */
84		- private function impl() {
85		- $rootView = new View();
86		- $user = \OC::$server->getUserSession()->getUser();
87		- Filesystem::initMountPoints($user->getUID());
88		- if (!$rootView->file_exists('/' . $user->getUID() . '/uploads')) {
89		- $rootView->mkdir('/' . $user->getUID() . '/uploads');
90		- }
91		- $view = new View('/' . $user->getUID() . '/uploads');
92		- $rootInfo = $view->getFileInfo('');
93		- return new Directory($view, $rootInfo);
94		- }
	81	+ /**
	82	+ * @return Directory
	83	+ */
	84	+ private function impl() {
	85	+ $rootView = new View();
	86	+ $user = \OC::$server->getUserSession()->getUser();
	87	+ Filesystem::initMountPoints($user->getUID());
	88	+ if (!$rootView->file_exists('/' . $user->getUID() . '/uploads')) {
	89	+ $rootView->mkdir('/' . $user->getUID() . '/uploads');
	90	+ }
	91	+ $view = new View('/' . $user->getUID() . '/uploads');
	92	+ $rootInfo = $view->getFileInfo('');
	93	+ return new Directory($view, $rootInfo);
	94	+ }
95	95	}

		@@ -40,7 +40,7 @@ discard block
		block discarded – undo
40	40	}
41	41
42	42	function createFile($name, $data = null) {
43		- throw new Forbidden('Permission denied to create file (filename ' . $name . ')');
	43	+ throw new Forbidden('Permission denied to create file (filename '.$name.')');
44	44	}
45	45
46	46	function createDirectory($name) {
		@@ -85,10 +85,10 @@ discard block
		block discarded – undo
85	85	$rootView = new View();
86	86	$user = \OC::$server->getUserSession()->getUser();
87	87	Filesystem::initMountPoints($user->getUID());
88		- if (!$rootView->file_exists('/' . $user->getUID() . '/uploads')) {
89		- $rootView->mkdir('/' . $user->getUID() . '/uploads');
	88	+ if (!$rootView->file_exists('/'.$user->getUID().'/uploads')) {
	89	+ $rootView->mkdir('/'.$user->getUID().'/uploads');
90	90	}
91		- $view = new View('/' . $user->getUID() . '/uploads');
	91	+ $view = new View('/'.$user->getUID().'/uploads');
92	92	$rootInfo = $view->getFileInfo('');
93	93	return new Directory($view, $rootInfo);
94	94	}

		@@ -39,300 +39,300 @@
		block discarded – undo
39	39
40	40	class SyncService {
41	41
42		- /** @var CardDavBackend */
43		- private $backend;
44		-
45		- /** @var IUserManager */
46		- private $userManager;
47		-
48		- /** @var ILogger */
49		- private $logger;
50		-
51		- /** @var array */
52		- private $localSystemAddressBook;
53		-
54		- /** @var AccountManager */
55		- private $accountManager;
56		-
57		- /** @var string */
58		- protected $certPath;
59		-
60		- /**
61		- * SyncService constructor.
62		- *
63		- * @param CardDavBackend $backend
64		- * @param IUserManager $userManager
65		- * @param ILogger $logger
66		- * @param AccountManager $accountManager
67		- */
68		- public function __construct(CardDavBackend $backend, IUserManager $userManager, ILogger $logger, AccountManager $accountManager) {
69		- $this->backend = $backend;
70		- $this->userManager = $userManager;
71		- $this->logger = $logger;
72		- $this->accountManager = $accountManager;
73		- $this->certPath = '';
74		- }
75		-
76		- /**
77		- * @param string $url
78		- * @param string $userName
79		- * @param string $addressBookUrl
80		- * @param string $sharedSecret
81		- * @param string $syncToken
82		- * @param int $targetBookId
83		- * @param string $targetPrincipal
84		- * @param array $targetProperties
85		- * @return string
86		- * @throws \Exception
87		- */
88		- public function syncRemoteAddressBook($url, $userName, $addressBookUrl, $sharedSecret, $syncToken, $targetBookId, $targetPrincipal, $targetProperties) {
89		- // 1. create addressbook
90		- $book = $this->ensureSystemAddressBookExists($targetPrincipal, $targetBookId, $targetProperties);
91		- $addressBookId = $book['id'];
92		-
93		- // 2. query changes
94		- try {
95		- $response = $this->requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken);
96		- } catch (ClientHttpException $ex) {
97		- if ($ex->getCode() === Http::STATUS_UNAUTHORIZED) {
98		- // remote server revoked access to the address book, remove it
99		- $this->backend->deleteAddressBook($addressBookId);
100		- $this->logger->info('Authorization failed, remove address book: ' . $url, ['app' => 'dav']);
101		- throw $ex;
102		- }
103		- }
104		-
105		- // 3. apply changes
106		- // TODO: use multi-get for download
107		- foreach ($response['response'] as $resource => $status) {
108		- $cardUri = basename($resource);
109		- if (isset($status[200])) {
110		- $vCard = $this->download($url, $userName, $sharedSecret, $resource);
111		- $existingCard = $this->backend->getCard($addressBookId, $cardUri);
112		- if ($existingCard === false) {
113		- $this->backend->createCard($addressBookId, $cardUri, $vCard['body']);
114		- } else {
115		- $this->backend->updateCard($addressBookId, $cardUri, $vCard['body']);
116		- }
117		- } else {
118		- $this->backend->deleteCard($addressBookId, $cardUri);
119		- }
120		- }
121		-
122		- return $response['token'];
123		- }
124		-
125		- /**
126		- * @param string $principal
127		- * @param string $id
128		- * @param array $properties
129		- * @return array\|null
130		- * @throws \Sabre\DAV\Exception\BadRequest
131		- */
132		- public function ensureSystemAddressBookExists($principal, $id, $properties) {
133		- $book = $this->backend->getAddressBooksByUri($principal, $id);
134		- if (!is_null($book)) {
135		- return $book;
136		- }
137		- $this->backend->createAddressBook($principal, $id, $properties);
138		-
139		- return $this->backend->getAddressBooksByUri($principal, $id);
140		- }
141		-
142		- /**
143		- * Check if there is a valid certPath we should use
144		- *
145		- * @return string
146		- */
147		- protected function getCertPath() {
148		-
149		- // we already have a valid certPath
150		- if ($this->certPath !== '') {
151		- return $this->certPath;
152		- }
153		-
154		- /** @var ICertificateManager $certManager */
155		- $certManager = \OC::$server->getCertificateManager(null);
156		- $certPath = $certManager->getAbsoluteBundlePath();
157		- if (file_exists($certPath)) {
158		- $this->certPath = $certPath;
159		- }
160		-
161		- return $this->certPath;
162		- }
163		-
164		- /**
165		- * @param string $url
166		- * @param string $userName
167		- * @param string $addressBookUrl
168		- * @param string $sharedSecret
169		- * @return Client
170		- */
171		- protected function getClient($url, $userName, $sharedSecret) {
172		- $settings = [
173		- 'baseUri' => $url . '/',
174		- 'userName' => $userName,
175		- 'password' => $sharedSecret,
176		- ];
177		- $client = new Client($settings);
178		- $certPath = $this->getCertPath();
179		- $client->setThrowExceptions(true);
180		-
181		- if ($certPath !== '' && strpos($url, 'http://') !== 0) {
182		- $client->addCurlSetting(CURLOPT_CAINFO, $this->certPath);
183		- }
184		-
185		- return $client;
186		- }
187		-
188		- /**
189		- * @param string $url
190		- * @param string $userName
191		- * @param string $addressBookUrl
192		- * @param string $sharedSecret
193		- * @param string $syncToken
194		- * @return array
195		- */
196		- protected function requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken) {
197		- $client = $this->getClient($url, $userName, $sharedSecret);
198		-
199		- $body = $this->buildSyncCollectionRequestBody($syncToken);
200		-
201		- $response = $client->request('REPORT', $addressBookUrl, $body, [
202		- 'Content-Type' => 'application/xml'
203		- ]);
204		-
205		- return $this->parseMultiStatus($response['body']);
206		- }
207		-
208		- /**
209		- * @param string $url
210		- * @param string $userName
211		- * @param string $sharedSecret
212		- * @param string $resourcePath
213		- * @return array
214		- */
215		- protected function download($url, $userName, $sharedSecret, $resourcePath) {
216		- $client = $this->getClient($url, $userName, $sharedSecret);
217		- return $client->request('GET', $resourcePath);
218		- }
219		-
220		- /**
221		- * @param string\|null $syncToken
222		- * @return string
223		- */
224		- private function buildSyncCollectionRequestBody($syncToken) {
225		-
226		- $dom = new \DOMDocument('1.0', 'UTF-8');
227		- $dom->formatOutput = true;
228		- $root = $dom->createElementNS('DAV:', 'd:sync-collection');
229		- $sync = $dom->createElement('d:sync-token', $syncToken);
230		- $prop = $dom->createElement('d:prop');
231		- $cont = $dom->createElement('d:getcontenttype');
232		- $etag = $dom->createElement('d:getetag');
233		-
234		- $prop->appendChild($cont);
235		- $prop->appendChild($etag);
236		- $root->appendChild($sync);
237		- $root->appendChild($prop);
238		- $dom->appendChild($root);
239		- return $dom->saveXML();
240		- }
241		-
242		- /**
243		- * @param string $body
244		- * @return array
245		- * @throws \Sabre\Xml\ParseException
246		- */
247		- private function parseMultiStatus($body) {
248		- $xml = new Service();
249		-
250		- /** @var MultiStatus $multiStatus */
251		- $multiStatus = $xml->expect('{DAV:}multistatus', $body);
252		-
253		- $result = [];
254		- foreach ($multiStatus->getResponses() as $response) {
255		- $result[$response->getHref()] = $response->getResponseProperties();
256		- }
257		-
258		- return ['response' => $result, 'token' => $multiStatus->getSyncToken()];
259		- }
260		-
261		- /**
262		- * @param IUser $user
263		- */
264		- public function updateUser($user) {
265		- $systemAddressBook = $this->getLocalSystemAddressBook();
266		- $addressBookId = $systemAddressBook['id'];
267		- $converter = new Converter($this->accountManager);
268		- $name = $user->getBackendClassName();
269		- $userId = $user->getUID();
270		-
271		- $cardId = "$name:$userId.vcf";
272		- $card = $this->backend->getCard($addressBookId, $cardId);
273		- if ($card === false) {
274		- $vCard = $converter->createCardFromUser($user);
275		- if ($vCard !== null) {
276		- $this->backend->createCard($addressBookId, $cardId, $vCard->serialize());
277		- }
278		- } else {
279		- $vCard = $converter->createCardFromUser($user);
280		- if (is_null($vCard)) {
281		- $this->backend->deleteCard($addressBookId, $cardId);
282		- } else {
283		- $this->backend->updateCard($addressBookId, $cardId, $vCard->serialize());
284		- }
285		- }
286		- }
287		-
288		- /**
289		- * @param IUser\|string $userOrCardId
290		- */
291		- public function deleteUser($userOrCardId) {
292		- $systemAddressBook = $this->getLocalSystemAddressBook();
293		- if ($userOrCardId instanceof IUser){
294		- $name = $userOrCardId->getBackendClassName();
295		- $userId = $userOrCardId->getUID();
296		-
297		- $userOrCardId = "$name:$userId.vcf";
298		- }
299		- $this->backend->deleteCard($systemAddressBook['id'], $userOrCardId);
300		- }
301		-
302		- /**
303		- * @return array\|null
304		- */
305		- public function getLocalSystemAddressBook() {
306		- if (is_null($this->localSystemAddressBook)) {
307		- $systemPrincipal = "principals/system/system";
308		- $this->localSystemAddressBook = $this->ensureSystemAddressBookExists($systemPrincipal, 'system', [
309		- '{' . Plugin::NS_CARDDAV . '}addressbook-description' => 'System addressbook which holds all users of this instance'
310		- ]);
311		- }
312		-
313		- return $this->localSystemAddressBook;
314		- }
315		-
316		- public function syncInstance(\Closure $progressCallback = null) {
317		- $systemAddressBook = $this->getLocalSystemAddressBook();
318		- $this->userManager->callForAllUsers(function($user) use ($systemAddressBook, $progressCallback) {
319		- $this->updateUser($user);
320		- if (!is_null($progressCallback)) {
321		- $progressCallback();
322		- }
323		- });
324		-
325		- // remove no longer existing
326		- $allCards = $this->backend->getCards($systemAddressBook['id']);
327		- foreach($allCards as $card) {
328		- $vCard = Reader::read($card['carddata']);
329		- $uid = $vCard->UID->getValue();
330		- // load backend and see if user exists
331		- if (!$this->userManager->userExists($uid)) {
332		- $this->deleteUser($card['uri']);
333		- }
334		- }
335		- }
	42	+ /** @var CardDavBackend */
	43	+ private $backend;
	44	+
	45	+ /** @var IUserManager */
	46	+ private $userManager;
	47	+
	48	+ /** @var ILogger */
	49	+ private $logger;
	50	+
	51	+ /** @var array */
	52	+ private $localSystemAddressBook;
	53	+
	54	+ /** @var AccountManager */
	55	+ private $accountManager;
	56	+
	57	+ /** @var string */
	58	+ protected $certPath;
	59	+
	60	+ /**
	61	+ * SyncService constructor.
	62	+ *
	63	+ * @param CardDavBackend $backend
	64	+ * @param IUserManager $userManager
	65	+ * @param ILogger $logger
	66	+ * @param AccountManager $accountManager
	67	+ */
	68	+ public function __construct(CardDavBackend $backend, IUserManager $userManager, ILogger $logger, AccountManager $accountManager) {
	69	+ $this->backend = $backend;
	70	+ $this->userManager = $userManager;
	71	+ $this->logger = $logger;
	72	+ $this->accountManager = $accountManager;
	73	+ $this->certPath = '';
	74	+ }
	75	+
	76	+ /**
	77	+ * @param string $url
	78	+ * @param string $userName
	79	+ * @param string $addressBookUrl
	80	+ * @param string $sharedSecret
	81	+ * @param string $syncToken
	82	+ * @param int $targetBookId
	83	+ * @param string $targetPrincipal
	84	+ * @param array $targetProperties
	85	+ * @return string
	86	+ * @throws \Exception
	87	+ */
	88	+ public function syncRemoteAddressBook($url, $userName, $addressBookUrl, $sharedSecret, $syncToken, $targetBookId, $targetPrincipal, $targetProperties) {
	89	+ // 1. create addressbook
	90	+ $book = $this->ensureSystemAddressBookExists($targetPrincipal, $targetBookId, $targetProperties);
	91	+ $addressBookId = $book['id'];
	92	+
	93	+ // 2. query changes
	94	+ try {
	95	+ $response = $this->requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken);
	96	+ } catch (ClientHttpException $ex) {
	97	+ if ($ex->getCode() === Http::STATUS_UNAUTHORIZED) {
	98	+ // remote server revoked access to the address book, remove it
	99	+ $this->backend->deleteAddressBook($addressBookId);
	100	+ $this->logger->info('Authorization failed, remove address book: ' . $url, ['app' => 'dav']);
	101	+ throw $ex;
	102	+ }
	103	+ }
	104	+
	105	+ // 3. apply changes
	106	+ // TODO: use multi-get for download
	107	+ foreach ($response['response'] as $resource => $status) {
	108	+ $cardUri = basename($resource);
	109	+ if (isset($status[200])) {
	110	+ $vCard = $this->download($url, $userName, $sharedSecret, $resource);
	111	+ $existingCard = $this->backend->getCard($addressBookId, $cardUri);
	112	+ if ($existingCard === false) {
	113	+ $this->backend->createCard($addressBookId, $cardUri, $vCard['body']);
	114	+ } else {
	115	+ $this->backend->updateCard($addressBookId, $cardUri, $vCard['body']);
	116	+ }
	117	+ } else {
	118	+ $this->backend->deleteCard($addressBookId, $cardUri);
	119	+ }
	120	+ }
	121	+
	122	+ return $response['token'];
	123	+ }
	124	+
	125	+ /**
	126	+ * @param string $principal
	127	+ * @param string $id
	128	+ * @param array $properties
	129	+ * @return array\|null
	130	+ * @throws \Sabre\DAV\Exception\BadRequest
	131	+ */
	132	+ public function ensureSystemAddressBookExists($principal, $id, $properties) {
	133	+ $book = $this->backend->getAddressBooksByUri($principal, $id);
	134	+ if (!is_null($book)) {
	135	+ return $book;
	136	+ }
	137	+ $this->backend->createAddressBook($principal, $id, $properties);
	138	+
	139	+ return $this->backend->getAddressBooksByUri($principal, $id);
	140	+ }
	141	+
	142	+ /**
	143	+ * Check if there is a valid certPath we should use
	144	+ *
	145	+ * @return string
	146	+ */
	147	+ protected function getCertPath() {
	148	+
	149	+ // we already have a valid certPath
	150	+ if ($this->certPath !== '') {
	151	+ return $this->certPath;
	152	+ }
	153	+
	154	+ /** @var ICertificateManager $certManager */
	155	+ $certManager = \OC::$server->getCertificateManager(null);
	156	+ $certPath = $certManager->getAbsoluteBundlePath();
	157	+ if (file_exists($certPath)) {
	158	+ $this->certPath = $certPath;
	159	+ }
	160	+
	161	+ return $this->certPath;
	162	+ }
	163	+
	164	+ /**
	165	+ * @param string $url
	166	+ * @param string $userName
	167	+ * @param string $addressBookUrl
	168	+ * @param string $sharedSecret
	169	+ * @return Client
	170	+ */
	171	+ protected function getClient($url, $userName, $sharedSecret) {
	172	+ $settings = [
	173	+ 'baseUri' => $url . '/',
	174	+ 'userName' => $userName,
	175	+ 'password' => $sharedSecret,
	176	+ ];
	177	+ $client = new Client($settings);
	178	+ $certPath = $this->getCertPath();
	179	+ $client->setThrowExceptions(true);
	180	+
	181	+ if ($certPath !== '' && strpos($url, 'http://') !== 0) {
	182	+ $client->addCurlSetting(CURLOPT_CAINFO, $this->certPath);
	183	+ }
	184	+
	185	+ return $client;
	186	+ }
	187	+
	188	+ /**
	189	+ * @param string $url
	190	+ * @param string $userName
	191	+ * @param string $addressBookUrl
	192	+ * @param string $sharedSecret
	193	+ * @param string $syncToken
	194	+ * @return array
	195	+ */
	196	+ protected function requestSyncReport($url, $userName, $addressBookUrl, $sharedSecret, $syncToken) {
	197	+ $client = $this->getClient($url, $userName, $sharedSecret);
	198	+
	199	+ $body = $this->buildSyncCollectionRequestBody($syncToken);
	200	+
	201	+ $response = $client->request('REPORT', $addressBookUrl, $body, [
	202	+ 'Content-Type' => 'application/xml'
	203	+ ]);
	204	+
	205	+ return $this->parseMultiStatus($response['body']);
	206	+ }
	207	+
	208	+ /**
	209	+ * @param string $url
	210	+ * @param string $userName
	211	+ * @param string $sharedSecret
	212	+ * @param string $resourcePath
	213	+ * @return array
	214	+ */
	215	+ protected function download($url, $userName, $sharedSecret, $resourcePath) {
	216	+ $client = $this->getClient($url, $userName, $sharedSecret);
	217	+ return $client->request('GET', $resourcePath);
	218	+ }
	219	+
	220	+ /**
	221	+ * @param string\|null $syncToken
	222	+ * @return string
	223	+ */
	224	+ private function buildSyncCollectionRequestBody($syncToken) {
	225	+
	226	+ $dom = new \DOMDocument('1.0', 'UTF-8');
	227	+ $dom->formatOutput = true;
	228	+ $root = $dom->createElementNS('DAV:', 'd:sync-collection');
	229	+ $sync = $dom->createElement('d:sync-token', $syncToken);
	230	+ $prop = $dom->createElement('d:prop');
	231	+ $cont = $dom->createElement('d:getcontenttype');
	232	+ $etag = $dom->createElement('d:getetag');
	233	+
	234	+ $prop->appendChild($cont);
	235	+ $prop->appendChild($etag);
	236	+ $root->appendChild($sync);
	237	+ $root->appendChild($prop);
	238	+ $dom->appendChild($root);
	239	+ return $dom->saveXML();
	240	+ }
	241	+
	242	+ /**
	243	+ * @param string $body
	244	+ * @return array
	245	+ * @throws \Sabre\Xml\ParseException
	246	+ */
	247	+ private function parseMultiStatus($body) {
	248	+ $xml = new Service();
	249	+
	250	+ /** @var MultiStatus $multiStatus */
	251	+ $multiStatus = $xml->expect('{DAV:}multistatus', $body);
	252	+
	253	+ $result = [];
	254	+ foreach ($multiStatus->getResponses() as $response) {
	255	+ $result[$response->getHref()] = $response->getResponseProperties();
	256	+ }
	257	+
	258	+ return ['response' => $result, 'token' => $multiStatus->getSyncToken()];
	259	+ }
	260	+
	261	+ /**
	262	+ * @param IUser $user
	263	+ */
	264	+ public function updateUser($user) {
	265	+ $systemAddressBook = $this->getLocalSystemAddressBook();
	266	+ $addressBookId = $systemAddressBook['id'];
	267	+ $converter = new Converter($this->accountManager);
	268	+ $name = $user->getBackendClassName();
	269	+ $userId = $user->getUID();
	270	+
	271	+ $cardId = "$name:$userId.vcf";
	272	+ $card = $this->backend->getCard($addressBookId, $cardId);
	273	+ if ($card === false) {
	274	+ $vCard = $converter->createCardFromUser($user);
	275	+ if ($vCard !== null) {
	276	+ $this->backend->createCard($addressBookId, $cardId, $vCard->serialize());
	277	+ }
	278	+ } else {
	279	+ $vCard = $converter->createCardFromUser($user);
	280	+ if (is_null($vCard)) {
	281	+ $this->backend->deleteCard($addressBookId, $cardId);
	282	+ } else {
	283	+ $this->backend->updateCard($addressBookId, $cardId, $vCard->serialize());
	284	+ }
	285	+ }
	286	+ }
	287	+
	288	+ /**
	289	+ * @param IUser\|string $userOrCardId
	290	+ */
	291	+ public function deleteUser($userOrCardId) {
	292	+ $systemAddressBook = $this->getLocalSystemAddressBook();
	293	+ if ($userOrCardId instanceof IUser){
	294	+ $name = $userOrCardId->getBackendClassName();
	295	+ $userId = $userOrCardId->getUID();
	296	+
	297	+ $userOrCardId = "$name:$userId.vcf";
	298	+ }
	299	+ $this->backend->deleteCard($systemAddressBook['id'], $userOrCardId);
	300	+ }
	301	+
	302	+ /**
	303	+ * @return array\|null
	304	+ */
	305	+ public function getLocalSystemAddressBook() {
	306	+ if (is_null($this->localSystemAddressBook)) {
	307	+ $systemPrincipal = "principals/system/system";
	308	+ $this->localSystemAddressBook = $this->ensureSystemAddressBookExists($systemPrincipal, 'system', [
	309	+ '{' . Plugin::NS_CARDDAV . '}addressbook-description' => 'System addressbook which holds all users of this instance'
	310	+ ]);
	311	+ }
	312	+
	313	+ return $this->localSystemAddressBook;
	314	+ }
	315	+
	316	+ public function syncInstance(\Closure $progressCallback = null) {
	317	+ $systemAddressBook = $this->getLocalSystemAddressBook();
	318	+ $this->userManager->callForAllUsers(function($user) use ($systemAddressBook, $progressCallback) {
	319	+ $this->updateUser($user);
	320	+ if (!is_null($progressCallback)) {
	321	+ $progressCallback();
	322	+ }
	323	+ });
	324	+
	325	+ // remove no longer existing
	326	+ $allCards = $this->backend->getCards($systemAddressBook['id']);
	327	+ foreach($allCards as $card) {
	328	+ $vCard = Reader::read($card['carddata']);
	329	+ $uid = $vCard->UID->getValue();
	330	+ // load backend and see if user exists
	331	+ if (!$this->userManager->userExists($uid)) {
	332	+ $this->deleteUser($card['uri']);
	333	+ }
	334	+ }
	335	+ }
336	336
337	337
338	338	}

		@@ -49,212 +49,212 @@
		block discarded – undo
49	49	class Auth extends AbstractBasic {
50	50
51	51
52		- const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
	52	+ const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
53	53
54		- /** @var ISession */
55		- private $session;
56		- /** @var Session */
57		- private $userSession;
58		- /** @var IRequest */
59		- private $request;
60		- /** @var string */
61		- private $currentUser;
62		- /** @var Manager */
63		- private $twoFactorManager;
64		- /** @var Throttler */
65		- private $throttler;
	54	+ /** @var ISession */
	55	+ private $session;
	56	+ /** @var Session */
	57	+ private $userSession;
	58	+ /** @var IRequest */
	59	+ private $request;
	60	+ /** @var string */
	61	+ private $currentUser;
	62	+ /** @var Manager */
	63	+ private $twoFactorManager;
	64	+ /** @var Throttler */
	65	+ private $throttler;
66	66
67		- /**
68		- * @param ISession $session
69		- * @param Session $userSession
70		- * @param IRequest $request
71		- * @param Manager $twoFactorManager
72		- * @param Throttler $throttler
73		- * @param string $principalPrefix
74		- */
75		- public function __construct(ISession $session,
76		- Session $userSession,
77		- IRequest $request,
78		- Manager $twoFactorManager,
79		- Throttler $throttler,
80		- $principalPrefix = 'principals/users/') {
81		- $this->session = $session;
82		- $this->userSession = $userSession;
83		- $this->twoFactorManager = $twoFactorManager;
84		- $this->request = $request;
85		- $this->throttler = $throttler;
86		- $this->principalPrefix = $principalPrefix;
	67	+ /**
	68	+ * @param ISession $session
	69	+ * @param Session $userSession
	70	+ * @param IRequest $request
	71	+ * @param Manager $twoFactorManager
	72	+ * @param Throttler $throttler
	73	+ * @param string $principalPrefix
	74	+ */
	75	+ public function __construct(ISession $session,
	76	+ Session $userSession,
	77	+ IRequest $request,
	78	+ Manager $twoFactorManager,
	79	+ Throttler $throttler,
	80	+ $principalPrefix = 'principals/users/') {
	81	+ $this->session = $session;
	82	+ $this->userSession = $userSession;
	83	+ $this->twoFactorManager = $twoFactorManager;
	84	+ $this->request = $request;
	85	+ $this->throttler = $throttler;
	86	+ $this->principalPrefix = $principalPrefix;
87	87
88		- // setup realm
89		- $defaults = new \OCP\Defaults();
90		- $this->realm = $defaults->getName();
91		- }
	88	+ // setup realm
	89	+ $defaults = new \OCP\Defaults();
	90	+ $this->realm = $defaults->getName();
	91	+ }
92	92
93		- /**
94		- * Whether the user has initially authenticated via DAV
95		- *
96		- * This is required for WebDAV clients that resent the cookies even when the
97		- * account was changed.
98		- *
99		- * @see https://github.com/owncloud/core/issues/13245
100		- *
101		- * @param string $username
102		- * @return bool
103		- */
104		- public function isDavAuthenticated($username) {
105		- return !is_null($this->session->get(self::DAV_AUTHENTICATED)) &&
106		- $this->session->get(self::DAV_AUTHENTICATED) === $username;
107		- }
	93	+ /**
	94	+ * Whether the user has initially authenticated via DAV
	95	+ *
	96	+ * This is required for WebDAV clients that resent the cookies even when the
	97	+ * account was changed.
	98	+ *
	99	+ * @see https://github.com/owncloud/core/issues/13245
	100	+ *
	101	+ * @param string $username
	102	+ * @return bool
	103	+ */
	104	+ public function isDavAuthenticated($username) {
	105	+ return !is_null($this->session->get(self::DAV_AUTHENTICATED)) &&
	106	+ $this->session->get(self::DAV_AUTHENTICATED) === $username;
	107	+ }
108	108
109		- /**
110		- * Validates a username and password
111		- *
112		- * This method should return true or false depending on if login
113		- * succeeded.
114		- *
115		- * @param string $username
116		- * @param string $password
117		- * @return bool
118		- * @throws PasswordLoginForbidden
119		- */
120		- protected function validateUserPass($username, $password) {
121		- if ($this->userSession->isLoggedIn() &&
122		- $this->isDavAuthenticated($this->userSession->getUser()->getUID())
123		- ) {
124		- \OC_Util::setupFS($this->userSession->getUser()->getUID());
125		- $this->session->close();
126		- return true;
127		- } else {
128		- \OC_Util::setupFS(); //login hooks may need early access to the filesystem
129		- try {
130		- if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
131		- \OC_Util::setupFS($this->userSession->getUser()->getUID());
132		- $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
133		- $this->session->close();
134		- return true;
135		- } else {
136		- $this->session->close();
137		- return false;
138		- }
139		- } catch (PasswordLoginForbiddenException $ex) {
140		- $this->session->close();
141		- throw new PasswordLoginForbidden();
142		- }
143		- }
144		- }
	109	+ /**
	110	+ * Validates a username and password
	111	+ *
	112	+ * This method should return true or false depending on if login
	113	+ * succeeded.
	114	+ *
	115	+ * @param string $username
	116	+ * @param string $password
	117	+ * @return bool
	118	+ * @throws PasswordLoginForbidden
	119	+ */
	120	+ protected function validateUserPass($username, $password) {
	121	+ if ($this->userSession->isLoggedIn() &&
	122	+ $this->isDavAuthenticated($this->userSession->getUser()->getUID())
	123	+ ) {
	124	+ \OC_Util::setupFS($this->userSession->getUser()->getUID());
	125	+ $this->session->close();
	126	+ return true;
	127	+ } else {
	128	+ \OC_Util::setupFS(); //login hooks may need early access to the filesystem
	129	+ try {
	130	+ if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
	131	+ \OC_Util::setupFS($this->userSession->getUser()->getUID());
	132	+ $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
	133	+ $this->session->close();
	134	+ return true;
	135	+ } else {
	136	+ $this->session->close();
	137	+ return false;
	138	+ }
	139	+ } catch (PasswordLoginForbiddenException $ex) {
	140	+ $this->session->close();
	141	+ throw new PasswordLoginForbidden();
	142	+ }
	143	+ }
	144	+ }
145	145
146		- /**
147		- * @param RequestInterface $request
148		- * @param ResponseInterface $response
149		- * @return array
150		- * @throws NotAuthenticated
151		- * @throws ServiceUnavailable
152		- */
153		- function check(RequestInterface $request, ResponseInterface $response) {
154		- try {
155		- return $this->auth($request, $response);
156		- } catch (NotAuthenticated $e) {
157		- throw $e;
158		- } catch (Exception $e) {
159		- $class = get_class($e);
160		- $msg = $e->getMessage();
161		- \OC::$server->getLogger()->logException($e);
162		- throw new ServiceUnavailable("$class: $msg");
163		- }
164		- }
	146	+ /**
	147	+ * @param RequestInterface $request
	148	+ * @param ResponseInterface $response
	149	+ * @return array
	150	+ * @throws NotAuthenticated
	151	+ * @throws ServiceUnavailable
	152	+ */
	153	+ function check(RequestInterface $request, ResponseInterface $response) {
	154	+ try {
	155	+ return $this->auth($request, $response);
	156	+ } catch (NotAuthenticated $e) {
	157	+ throw $e;
	158	+ } catch (Exception $e) {
	159	+ $class = get_class($e);
	160	+ $msg = $e->getMessage();
	161	+ \OC::$server->getLogger()->logException($e);
	162	+ throw new ServiceUnavailable("$class: $msg");
	163	+ }
	164	+ }
165	165
166		- /**
167		- * Checks whether a CSRF check is required on the request
168		- *
169		- * @return bool
170		- */
171		- private function requiresCSRFCheck() {
172		- // GET requires no check at all
173		- if($this->request->getMethod() === 'GET') {
174		- return false;
175		- }
	166	+ /**
	167	+ * Checks whether a CSRF check is required on the request
	168	+ *
	169	+ * @return bool
	170	+ */
	171	+ private function requiresCSRFCheck() {
	172	+ // GET requires no check at all
	173	+ if($this->request->getMethod() === 'GET') {
	174	+ return false;
	175	+ }
176	176
177		- // Official Nextcloud clients require no checks
178		- if($this->request->isUserAgent([
179		- IRequest::USER_AGENT_CLIENT_DESKTOP,
180		- IRequest::USER_AGENT_CLIENT_ANDROID,
181		- IRequest::USER_AGENT_CLIENT_IOS,
182		- ])) {
183		- return false;
184		- }
	177	+ // Official Nextcloud clients require no checks
	178	+ if($this->request->isUserAgent([
	179	+ IRequest::USER_AGENT_CLIENT_DESKTOP,
	180	+ IRequest::USER_AGENT_CLIENT_ANDROID,
	181	+ IRequest::USER_AGENT_CLIENT_IOS,
	182	+ ])) {
	183	+ return false;
	184	+ }
185	185
186		- // If not logged-in no check is required
187		- if(!$this->userSession->isLoggedIn()) {
188		- return false;
189		- }
	186	+ // If not logged-in no check is required
	187	+ if(!$this->userSession->isLoggedIn()) {
	188	+ return false;
	189	+ }
190	190
191		- // POST always requires a check
192		- if($this->request->getMethod() === 'POST') {
193		- return true;
194		- }
	191	+ // POST always requires a check
	192	+ if($this->request->getMethod() === 'POST') {
	193	+ return true;
	194	+ }
195	195
196		- // If logged-in AND DAV authenticated no check is required
197		- if($this->userSession->isLoggedIn() &&
198		- $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
199		- return false;
200		- }
	196	+ // If logged-in AND DAV authenticated no check is required
	197	+ if($this->userSession->isLoggedIn() &&
	198	+ $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
	199	+ return false;
	200	+ }
201	201
202		- return true;
203		- }
	202	+ return true;
	203	+ }
204	204
205		- /**
206		- * @param RequestInterface $request
207		- * @param ResponseInterface $response
208		- * @return array
209		- * @throws NotAuthenticated
210		- */
211		- private function auth(RequestInterface $request, ResponseInterface $response) {
212		- $forcedLogout = false;
	205	+ /**
	206	+ * @param RequestInterface $request
	207	+ * @param ResponseInterface $response
	208	+ * @return array
	209	+ * @throws NotAuthenticated
	210	+ */
	211	+ private function auth(RequestInterface $request, ResponseInterface $response) {
	212	+ $forcedLogout = false;
213	213
214		- if(!$this->request->passesCSRFCheck() &&
215		- $this->requiresCSRFCheck()) {
216		- // In case of a fail with POST we need to recheck the credentials
217		- if($this->request->getMethod() === 'POST') {
218		- $forcedLogout = true;
219		- } else {
220		- $response->setStatus(401);
221		- throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
222		- }
223		- }
	214	+ if(!$this->request->passesCSRFCheck() &&
	215	+ $this->requiresCSRFCheck()) {
	216	+ // In case of a fail with POST we need to recheck the credentials
	217	+ if($this->request->getMethod() === 'POST') {
	218	+ $forcedLogout = true;
	219	+ } else {
	220	+ $response->setStatus(401);
	221	+ throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
	222	+ }
	223	+ }
224	224
225		- if($forcedLogout) {
226		- $this->userSession->logout();
227		- } else {
228		- if($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
229		- throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
230		- }
231		- if (\OC_User::handleApacheAuth() \|\|
232		- //Fix for broken webdav clients
233		- ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) \|\|
234		- //Well behaved clients that only send the cookie are allowed
235		- ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
236		- ) {
237		- $user = $this->userSession->getUser()->getUID();
238		- \OC_Util::setupFS($user);
239		- $this->currentUser = $user;
240		- $this->session->close();
241		- return [true, $this->principalPrefix . $user];
242		- }
243		- }
	225	+ if($forcedLogout) {
	226	+ $this->userSession->logout();
	227	+ } else {
	228	+ if($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
	229	+ throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
	230	+ }
	231	+ if (\OC_User::handleApacheAuth() \|\|
	232	+ //Fix for broken webdav clients
	233	+ ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) \|\|
	234	+ //Well behaved clients that only send the cookie are allowed
	235	+ ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
	236	+ ) {
	237	+ $user = $this->userSession->getUser()->getUID();
	238	+ \OC_Util::setupFS($user);
	239	+ $this->currentUser = $user;
	240	+ $this->session->close();
	241	+ return [true, $this->principalPrefix . $user];
	242	+ }
	243	+ }
244	244
245		- if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
246		- // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
247		- $response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
248		- $response->setStatus(401);
249		- throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
250		- }
	245	+ if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
	246	+ // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
	247	+ $response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
	248	+ $response->setStatus(401);
	249	+ throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
	250	+ }
251	251
252		- $data = parent::check($request, $response);
253		- if($data[0] === true) {
254		- $startPos = strrpos($data[1], '/') + 1;
255		- $user = $this->userSession->getUser()->getUID();
256		- $data[1] = substr_replace($data[1], $user, $startPos);
257		- }
258		- return $data;
259		- }
	252	+ $data = parent::check($request, $response);
	253	+ if($data[0] === true) {
	254	+ $startPos = strrpos($data[1], '/') + 1;
	255	+ $user = $this->userSession->getUser()->getUID();
	256	+ $data[1] = substr_replace($data[1], $user, $startPos);
	257	+ }
	258	+ return $data;
	259	+ }
260	260	}

		@@ -36,240 +36,240 @@
		block discarded – undo
36	36
37	37	class Helper {
38	38
39		- public static function registerHooks() {
40		- \OCP\Util::connectHook('OC_Filesystem', 'post_rename', '\OCA\Files_Sharing\Updater', 'renameHook');
41		- \OCP\Util::connectHook('OC_Filesystem', 'post_delete', '\OCA\Files_Sharing\Hooks', 'unshareChildren');
42		-
43		- \OCP\Util::connectHook('OC_User', 'post_deleteUser', '\OCA\Files_Sharing\Hooks', 'deleteUser');
44		- }
45		-
46		- /**
47		- * Sets up the filesystem and user for public sharing
48		- * @param string $token string share token
49		- * @param string $relativePath optional path relative to the share
50		- * @param string $password optional password
51		- * @return array
52		- */
53		- public static function setupFromToken($token, $relativePath = null, $password = null) {
54		- \OC_User::setIncognitoMode(true);
55		-
56		- $shareManager = \OC::$server->getShareManager();
57		-
58		- try {
59		- $share = $shareManager->getShareByToken($token);
60		- } catch (ShareNotFound $e) {
61		- \OC_Response::setStatus(404);
62		- \OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
63		- exit;
64		- }
65		-
66		- \OCP\JSON::checkUserExists($share->getShareOwner());
67		- \OC_Util::tearDownFS();
68		- \OC_Util::setupFS($share->getShareOwner());
69		-
70		-
71		- try {
72		- $path = Filesystem::getPath($share->getNodeId());
73		- } catch (NotFoundException $e) {
74		- \OCP\Util::writeLog('share', 'could not resolve linkItem', \OCP\Util::DEBUG);
75		- \OC_Response::setStatus(404);
76		- \OCP\JSON::error(array('success' => false));
77		- exit();
78		- }
79		-
80		- if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK && $share->getPassword() !== null) {
81		- if (!self::authenticate($share, $password)) {
82		- \OC_Response::setStatus(403);
83		- \OCP\JSON::error(array('success' => false));
84		- exit();
85		- }
86		- }
87		-
88		- $basePath = $path;
89		-
90		- if ($relativePath !== null && Filesystem::isReadable($basePath . $relativePath)) {
91		- $path .= Filesystem::normalizePath($relativePath);
92		- }
93		-
94		- return array(
95		- 'share' => $share,
96		- 'basePath' => $basePath,
97		- 'realPath' => $path
98		- );
99		- }
100		-
101		- /**
102		- * Authenticate link item with the given password
103		- * or with the session if no password was given.
104		- * @param \OCP\Share\IShare $share
105		- * @param string $password optional password
106		- *
107		- * @return boolean true if authorized, false otherwise
108		- */
109		- public static function authenticate($share, $password = null) {
110		- $shareManager = \OC::$server->getShareManager();
111		-
112		- if ($password !== null) {
113		- if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
114		- if ($shareManager->checkPassword($share, $password)) {
115		- \OC::$server->getSession()->set('public_link_authenticated', (string)$share->getId());
116		- return true;
117		- }
118		- }
119		- } else {
120		- // not authenticated ?
121		- if (\OC::$server->getSession()->exists('public_link_authenticated')
122		- && \OC::$server->getSession()->get('public_link_authenticated') !== (string)$share->getId()) {
123		- return true;
124		- }
125		- }
126		- return false;
127		- }
128		-
129		- public static function getSharesFromItem($target) {
130		- $result = array();
131		- $owner = Filesystem::getOwner($target);
132		- Filesystem::initMountPoints($owner);
133		- $info = Filesystem::getFileInfo($target);
134		- $ownerView = new View('/'.$owner.'/files');
135		- if ( $owner !== User::getUser() ) {
136		- $path = $ownerView->getPath($info['fileid']);
137		- } else {
138		- $path = $target;
139		- }
140		-
141		-
142		- $ids = array();
143		- while ($path !== dirname($path)) {
144		- $info = $ownerView->getFileInfo($path);
145		- if ($info instanceof \OC\Files\FileInfo) {
146		- $ids[] = $info['fileid'];
147		- } else {
148		- \OCP\Util::writeLog('sharing', 'No fileinfo available for: ' . $path, \OCP\Util::WARN);
149		- }
150		- $path = dirname($path);
151		- }
152		-
153		- if (!empty($ids)) {
154		-
155		- $idList = array_chunk($ids, 99, true);
156		-
157		- foreach ($idList as $subList) {
158		- $statement = "SELECT `share_with`, `share_type`, `file_target` FROM `PREFIXshare` WHERE `file_source` IN (" . implode(',', $subList) . ") AND `share_type` IN (0, 1, 2)";
159		- $query = \OCP\DB::prepare($statement);
160		- $r = $query->execute();
161		- $result = array_merge($result, $r->fetchAll());
162		- }
163		- }
164		-
165		- return $result;
166		- }
167		-
168		- /**
169		- * get the UID of the owner of the file and the path to the file relative to
170		- * owners files folder
171		- *
172		- * @param $filename
173		- * @return array
174		- * @throws \OC\User\NoUserException
175		- */
176		- public static function getUidAndFilename($filename) {
177		- $uid = Filesystem::getOwner($filename);
178		- $userManager = \OC::$server->getUserManager();
179		- // if the user with the UID doesn't exists, e.g. because the UID points
180		- // to a remote user with a federated cloud ID we use the current logged-in
181		- // user. We need a valid local user to create the share
182		- if (!$userManager->userExists($uid)) {
183		- $uid = User::getUser();
184		- }
185		- Filesystem::initMountPoints($uid);
186		- if ( $uid !== User::getUser() ) {
187		- $info = Filesystem::getFileInfo($filename);
188		- $ownerView = new View('/'.$uid.'/files');
189		- try {
190		- $filename = $ownerView->getPath($info['fileid']);
191		- } catch (NotFoundException $e) {
192		- $filename = null;
193		- }
194		- }
195		- return [$uid, $filename];
196		- }
197		-
198		- /**
199		- * Format a path to be relative to the /user/files/ directory
200		- * @param string $path the absolute path
201		- * @return string e.g. turns '/admin/files/test.txt' into 'test.txt'
202		- */
203		- public static function stripUserFilesPath($path) {
204		- $trimmed = ltrim($path, '/');
205		- $split = explode('/', $trimmed);
206		-
207		- // it is not a file relative to data/user/files
208		- if (count($split) < 3 \|\| $split[1] !== 'files') {
209		- return false;
210		- }
211		-
212		- $sliced = array_slice($split, 2);
213		- return implode('/', $sliced);
214		- }
215		-
216		- /**
217		- * check if file name already exists and generate unique target
218		- *
219		- * @param string $path
220		- * @param array $excludeList
221		- * @param View $view
222		- * @return string $path
223		- */
224		- public static function generateUniqueTarget($path, $excludeList, $view) {
225		- $pathinfo = pathinfo($path);
226		- $ext = isset($pathinfo['extension']) ? '.'.$pathinfo['extension'] : '';
227		- $name = $pathinfo['filename'];
228		- $dir = $pathinfo['dirname'];
229		- $i = 2;
230		- while ($view->file_exists($path) \|\| in_array($path, $excludeList)) {
231		- $path = Filesystem::normalizePath($dir . '/' . $name . ' ('.$i.')' . $ext);
232		- $i++;
233		- }
234		-
235		- return $path;
236		- }
237		-
238		- /**
239		- * get default share folder
240		- *
241		- * @param \OC\Files\View
242		- * @return string
243		- */
244		- public static function getShareFolder($view = null) {
245		- if ($view === null) {
246		- $view = Filesystem::getView();
247		- }
248		- $shareFolder = \OC::$server->getConfig()->getSystemValue('share_folder', '/');
249		- $shareFolder = Filesystem::normalizePath($shareFolder);
250		-
251		- if (!$view->file_exists($shareFolder)) {
252		- $dir = '';
253		- $subdirs = explode('/', $shareFolder);
254		- foreach ($subdirs as $subdir) {
255		- $dir = $dir . '/' . $subdir;
256		- if (!$view->is_dir($dir)) {
257		- $view->mkdir($dir);
258		- }
259		- }
260		- }
261		-
262		- return $shareFolder;
263		-
264		- }
265		-
266		- /**
267		- * set default share folder
268		- *
269		- * @param string $shareFolder
270		- */
271		- public static function setShareFolder($shareFolder) {
272		- \OC::$server->getConfig()->setSystemValue('share_folder', $shareFolder);
273		- }
	39	+ public static function registerHooks() {
	40	+ \OCP\Util::connectHook('OC_Filesystem', 'post_rename', '\OCA\Files_Sharing\Updater', 'renameHook');
	41	+ \OCP\Util::connectHook('OC_Filesystem', 'post_delete', '\OCA\Files_Sharing\Hooks', 'unshareChildren');
	42	+
	43	+ \OCP\Util::connectHook('OC_User', 'post_deleteUser', '\OCA\Files_Sharing\Hooks', 'deleteUser');
	44	+ }
	45	+
	46	+ /**
	47	+ * Sets up the filesystem and user for public sharing
	48	+ * @param string $token string share token
	49	+ * @param string $relativePath optional path relative to the share
	50	+ * @param string $password optional password
	51	+ * @return array
	52	+ */
	53	+ public static function setupFromToken($token, $relativePath = null, $password = null) {
	54	+ \OC_User::setIncognitoMode(true);
	55	+
	56	+ $shareManager = \OC::$server->getShareManager();
	57	+
	58	+ try {
	59	+ $share = $shareManager->getShareByToken($token);
	60	+ } catch (ShareNotFound $e) {
	61	+ \OC_Response::setStatus(404);
	62	+ \OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
	63	+ exit;
	64	+ }
	65	+
	66	+ \OCP\JSON::checkUserExists($share->getShareOwner());
	67	+ \OC_Util::tearDownFS();
	68	+ \OC_Util::setupFS($share->getShareOwner());
	69	+
	70	+
	71	+ try {
	72	+ $path = Filesystem::getPath($share->getNodeId());
	73	+ } catch (NotFoundException $e) {
	74	+ \OCP\Util::writeLog('share', 'could not resolve linkItem', \OCP\Util::DEBUG);
	75	+ \OC_Response::setStatus(404);
	76	+ \OCP\JSON::error(array('success' => false));
	77	+ exit();
	78	+ }
	79	+
	80	+ if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK && $share->getPassword() !== null) {
	81	+ if (!self::authenticate($share, $password)) {
	82	+ \OC_Response::setStatus(403);
	83	+ \OCP\JSON::error(array('success' => false));
	84	+ exit();
	85	+ }
	86	+ }
	87	+
	88	+ $basePath = $path;
	89	+
	90	+ if ($relativePath !== null && Filesystem::isReadable($basePath . $relativePath)) {
	91	+ $path .= Filesystem::normalizePath($relativePath);
	92	+ }
	93	+
	94	+ return array(
	95	+ 'share' => $share,
	96	+ 'basePath' => $basePath,
	97	+ 'realPath' => $path
	98	+ );
	99	+ }
	100	+
	101	+ /**
	102	+ * Authenticate link item with the given password
	103	+ * or with the session if no password was given.
	104	+ * @param \OCP\Share\IShare $share
	105	+ * @param string $password optional password
	106	+ *
	107	+ * @return boolean true if authorized, false otherwise
	108	+ */
	109	+ public static function authenticate($share, $password = null) {
	110	+ $shareManager = \OC::$server->getShareManager();
	111	+
	112	+ if ($password !== null) {
	113	+ if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
	114	+ if ($shareManager->checkPassword($share, $password)) {
	115	+ \OC::$server->getSession()->set('public_link_authenticated', (string)$share->getId());
	116	+ return true;
	117	+ }
	118	+ }
	119	+ } else {
	120	+ // not authenticated ?
	121	+ if (\OC::$server->getSession()->exists('public_link_authenticated')
	122	+ && \OC::$server->getSession()->get('public_link_authenticated') !== (string)$share->getId()) {
	123	+ return true;
	124	+ }
	125	+ }
	126	+ return false;
	127	+ }
	128	+
	129	+ public static function getSharesFromItem($target) {
	130	+ $result = array();
	131	+ $owner = Filesystem::getOwner($target);
	132	+ Filesystem::initMountPoints($owner);
	133	+ $info = Filesystem::getFileInfo($target);
	134	+ $ownerView = new View('/'.$owner.'/files');
	135	+ if ( $owner !== User::getUser() ) {
	136	+ $path = $ownerView->getPath($info['fileid']);
	137	+ } else {
	138	+ $path = $target;
	139	+ }
	140	+
	141	+
	142	+ $ids = array();
	143	+ while ($path !== dirname($path)) {
	144	+ $info = $ownerView->getFileInfo($path);
	145	+ if ($info instanceof \OC\Files\FileInfo) {
	146	+ $ids[] = $info['fileid'];
	147	+ } else {
	148	+ \OCP\Util::writeLog('sharing', 'No fileinfo available for: ' . $path, \OCP\Util::WARN);
	149	+ }
	150	+ $path = dirname($path);
	151	+ }
	152	+
	153	+ if (!empty($ids)) {
	154	+
	155	+ $idList = array_chunk($ids, 99, true);
	156	+
	157	+ foreach ($idList as $subList) {
	158	+ $statement = "SELECT `share_with`, `share_type`, `file_target` FROM `PREFIXshare` WHERE `file_source` IN (" . implode(',', $subList) . ") AND `share_type` IN (0, 1, 2)";
	159	+ $query = \OCP\DB::prepare($statement);
	160	+ $r = $query->execute();
	161	+ $result = array_merge($result, $r->fetchAll());
	162	+ }
	163	+ }
	164	+
	165	+ return $result;
	166	+ }
	167	+
	168	+ /**
	169	+ * get the UID of the owner of the file and the path to the file relative to
	170	+ * owners files folder
	171	+ *
	172	+ * @param $filename
	173	+ * @return array
	174	+ * @throws \OC\User\NoUserException
	175	+ */
	176	+ public static function getUidAndFilename($filename) {
	177	+ $uid = Filesystem::getOwner($filename);
	178	+ $userManager = \OC::$server->getUserManager();
	179	+ // if the user with the UID doesn't exists, e.g. because the UID points
	180	+ // to a remote user with a federated cloud ID we use the current logged-in
	181	+ // user. We need a valid local user to create the share
	182	+ if (!$userManager->userExists($uid)) {
	183	+ $uid = User::getUser();
	184	+ }
	185	+ Filesystem::initMountPoints($uid);
	186	+ if ( $uid !== User::getUser() ) {
	187	+ $info = Filesystem::getFileInfo($filename);
	188	+ $ownerView = new View('/'.$uid.'/files');
	189	+ try {
	190	+ $filename = $ownerView->getPath($info['fileid']);
	191	+ } catch (NotFoundException $e) {
	192	+ $filename = null;
	193	+ }
	194	+ }
	195	+ return [$uid, $filename];
	196	+ }
	197	+
	198	+ /**
	199	+ * Format a path to be relative to the /user/files/ directory
	200	+ * @param string $path the absolute path
	201	+ * @return string e.g. turns '/admin/files/test.txt' into 'test.txt'
	202	+ */
	203	+ public static function stripUserFilesPath($path) {
	204	+ $trimmed = ltrim($path, '/');
	205	+ $split = explode('/', $trimmed);
	206	+
	207	+ // it is not a file relative to data/user/files
	208	+ if (count($split) < 3 \|\| $split[1] !== 'files') {
	209	+ return false;
	210	+ }
	211	+
	212	+ $sliced = array_slice($split, 2);
	213	+ return implode('/', $sliced);
	214	+ }
	215	+
	216	+ /**
	217	+ * check if file name already exists and generate unique target
	218	+ *
	219	+ * @param string $path
	220	+ * @param array $excludeList
	221	+ * @param View $view
	222	+ * @return string $path
	223	+ */
	224	+ public static function generateUniqueTarget($path, $excludeList, $view) {
	225	+ $pathinfo = pathinfo($path);
	226	+ $ext = isset($pathinfo['extension']) ? '.'.$pathinfo['extension'] : '';
	227	+ $name = $pathinfo['filename'];
	228	+ $dir = $pathinfo['dirname'];
	229	+ $i = 2;
	230	+ while ($view->file_exists($path) \|\| in_array($path, $excludeList)) {
	231	+ $path = Filesystem::normalizePath($dir . '/' . $name . ' ('.$i.')' . $ext);
	232	+ $i++;
	233	+ }
	234	+
	235	+ return $path;
	236	+ }
	237	+
	238	+ /**
	239	+ * get default share folder
	240	+ *
	241	+ * @param \OC\Files\View
	242	+ * @return string
	243	+ */
	244	+ public static function getShareFolder($view = null) {
	245	+ if ($view === null) {
	246	+ $view = Filesystem::getView();
	247	+ }
	248	+ $shareFolder = \OC::$server->getConfig()->getSystemValue('share_folder', '/');
	249	+ $shareFolder = Filesystem::normalizePath($shareFolder);
	250	+
	251	+ if (!$view->file_exists($shareFolder)) {
	252	+ $dir = '';
	253	+ $subdirs = explode('/', $shareFolder);
	254	+ foreach ($subdirs as $subdir) {
	255	+ $dir = $dir . '/' . $subdir;
	256	+ if (!$view->is_dir($dir)) {
	257	+ $view->mkdir($dir);
	258	+ }
	259	+ }
	260	+ }
	261	+
	262	+ return $shareFolder;
	263	+
	264	+ }
	265	+
	266	+ /**
	267	+ * set default share folder
	268	+ *
	269	+ * @param string $shareFolder
	270	+ */
	271	+ public static function setShareFolder($shareFolder) {
	272	+ \OC::$server->getConfig()->setSystemValue('share_folder', $shareFolder);
	273	+ }
274	274
275	275	}

		@@ -118,7 +118,7 @@ discard block
		block discarded – undo
118	118	['app' => 'encryption']);
119	119
120	120	if (openssl_error_string()) {
121		- $log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
	121	+ $log->error('Encryption library openssl_pkey_new() fails: '.openssl_error_string(),
122	122	['app' => 'encryption']);
123	123	}
124	124	} elseif (openssl_pkey_export($res,
		@@ -133,10 +133,10 @@ discard block
		block discarded – undo
133	133	'privateKey' => $privateKey
134	134	];
135	135	}
136		- $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
	136	+ $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.'.$this->user,
137	137	['app' => 'encryption']);
138	138	if (openssl_error_string()) {
139		- $log->error('Encryption Library:' . openssl_error_string(),
	139	+ $log->error('Encryption Library:'.openssl_error_string(),
140	140	['app' => 'encryption']);
141	141	}
142	142
		@@ -209,15 +209,15 @@ discard block
		block discarded – undo
209	209	public function generateHeader($keyFormat = 'hash') {
210	210
211	211	if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
212		- throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
	212	+ throw new \InvalidArgumentException('key format "'.$keyFormat.'" is not supported');
213	213	}
214	214
215	215	$cipher = $this->getCipher();
216	216
217	217	$header = self::HEADER_START
218		- . ':cipher:' . $cipher
219		- . ':keyFormat:' . $keyFormat
220		- . ':' . self::HEADER_END;
	218	+ . ':cipher:'.$cipher
	219	+ . ':keyFormat:'.$keyFormat
	220	+ . ':'.self::HEADER_END;
221	221
222	222	return $header;
223	223	}
		@@ -239,7 +239,7 @@ discard block
		block discarded – undo
239	239
240	240	if (!$encryptedContent) {
241	241	$error = 'Encryption (symmetric) of content failed';
242		- $this->logger->error($error . openssl_error_string(),
	242	+ $this->logger->error($error.openssl_error_string(),
243	243	['app' => 'encryption']);
244	244	throw new EncryptionFailedException($error);
245	245	}
		@@ -267,8 +267,8 @@ discard block
		block discarded – undo
267	267	}
268	268
269	269	// Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
270		- if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
271		- if($cipher === 'AES-256-CTR' \|\| $cipher === 'AES-128-CTR') {
	270	+ if (OPENSSL_VERSION_NUMBER < 0x1000101f) {
	271	+ if ($cipher === 'AES-256-CTR' \|\| $cipher === 'AES-128-CTR') {
272	272	$cipher = self::LEGACY_CIPHER;
273	273	}
274	274	}
		@@ -284,7 +284,7 @@ discard block
		block discarded – undo
284	284	* @throws \InvalidArgumentException
285	285	*/
286	286	protected function getKeySize($cipher) {
287		- if(isset($this->supportedCiphersAndKeySize[$cipher])) {
	287	+ if (isset($this->supportedCiphersAndKeySize[$cipher])) {
288	288	return $this->supportedCiphersAndKeySize[$cipher];
289	289	}
290	290
		@@ -311,7 +311,7 @@ discard block
		block discarded – undo
311	311	* @return string
312	312	*/
313	313	private function concatIV($encryptedContent, $iv) {
314		- return $encryptedContent . '00iv00' . $iv;
	314	+ return $encryptedContent.'00iv00'.$iv;
315	315	}
316	316
317	317	/**
		@@ -320,7 +320,7 @@ discard block
		block discarded – undo
320	320	* @return string
321	321	*/
322	322	private function concatSig($encryptedContent, $signature) {
323		- return $encryptedContent . '00sig00' . $signature;
	323	+ return $encryptedContent.'00sig00'.$signature;
324	324	}
325	325
326	326	/**
		@@ -332,7 +332,7 @@ discard block
		block discarded – undo
332	332	* @return string
333	333	*/
334	334	private function addPadding($data) {
335		- return $data . 'xxx';
	335	+ return $data.'xxx';
336	336	}
337	337
338	338	/**
		@@ -346,7 +346,7 @@ discard block
		block discarded – undo
346	346	protected function generatePasswordHash($password, $cipher, $uid = '') {
347	347	$instanceId = $this->config->getSystemValue('instanceid');
348	348	$instanceSecret = $this->config->getSystemValue('secret');
349		- $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
	349	+ $salt = hash('sha256', $uid.$instanceId.$instanceSecret, true);
350	350	$keySize = $this->getKeySize($cipher);
351	351
352	352	$hash = hash_pbkdf2(
		@@ -492,7 +492,7 @@ discard block
		block discarded – undo
492	492	* @return string
493	493	*/
494	494	private function createSignature($data, $passPhrase) {
495		- $passPhrase = hash('sha512', $passPhrase . 'a', true);
	495	+ $passPhrase = hash('sha512', $passPhrase.'a', true);
496	496	return hash_hmac('sha256', $data, $passPhrase);
497	497	}
498	498
		@@ -583,7 +583,7 @@ discard block
		block discarded – undo
583	583	if ($plainContent) {
584	584	return $plainContent;
585	585	} else {
586		- throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
	586	+ throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: '.openssl_error_string());
587	587	}
588	588	}
589	589
		@@ -649,7 +649,7 @@ discard block
		block discarded – undo
649	649	if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
650	650	return $plainContent;
651	651	} else {
652		- throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
	652	+ throw new MultiKeyDecryptException('multikeydecrypt with share key failed:'.openssl_error_string());
653	653	}
654	654	}
655	655
		@@ -685,7 +685,7 @@ discard block
		block discarded – undo
685	685	'data' => $sealed
686	686	];
687	687	} else {
688		- throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
	688	+ throw new MultiKeyEncryptException('multikeyencryption failed '.openssl_error_string());
689	689	}
690	690	}
691	691	}

nextcloud / server

Push — master ( ff1b34...d1fb93 )

Status

Category

Indentation +975 added lines, -975 removed lines patch added patch discarded remove patch

Indentation +1868 added lines, -1868 removed lines patch added patch discarded remove patch

Indentation +1139 added lines, -1139 removed lines patch added patch discarded remove patch

Spacing +94 added lines, -94 removed lines patch added patch discarded remove patch

Indentation +190 added lines, -190 removed lines patch added patch discarded remove patch

Indentation +52 added lines, -52 removed lines patch added patch discarded remove patch

Spacing +4 added lines, -4 removed lines patch added patch discarded remove patch

Indentation +294 added lines, -294 removed lines patch added patch discarded remove patch

Indentation +191 added lines, -191 removed lines patch added patch discarded remove patch

Indentation +235 added lines, -235 removed lines patch added patch discarded remove patch

Indentation +633 added lines, -633 removed lines patch added patch discarded remove patch

Spacing +19 added lines, -19 removed lines patch added patch discarded remove patch