Added functionality for Active Directory groups to be able to have virtual folders created for them along with associated configuration options.

orware · orware · commit 0a59f9633da9 · 2021-03-16T17:09:37.000-07:00
diff --git a/configuration.example.php b/configuration.example.php
@@ -172,6 +172,42 @@
     'public_keys' => [],
 ];
 
+// If automatic groups mode is disabled, then you have to manually add the allowed groups into $allowed_groups down below:
+// If enabled, then any groups you are a memberof will automatically be added in using the template below.
+$auto_groups_mode = false;
+
+$auto_groups_mode_virtual_folder_template = [
+    [
+      //"id" => 0,
+      "name" => "groups-#GROUP#",
+      "mapped_path" => 'C:\groups\#GROUP#',
+      //"used_quota_size" => 0,
+      //"used_quota_files" => 0,
+      //"last_quota_update" => 0,
+      "virtual_path" => "/groups/#GROUP#",
+      "quota_size" => -1,
+      "quota_files" => -1
+    ]
+];
+
+// List of groups where a virtual folder will be created and associated with any group members:
+$allowed_groups = [];
+
+// Note: that for each group you need to provide a nested array (this allows for more than one virtual folder per group to be defined):
+$allowed_groups['example'] = [
+    [
+      //"id" => 0,
+      "name" => "groups-#GROUP#",
+      "mapped_path" => 'C:\groups\#GROUP#',
+      //"used_quota_size" => 0,
+      //"used_quota_files" => 0,
+      //"last_quota_update" => 0,
+      "virtual_path" => "/groups/#GROUP#",
+      "quota_size" => -1,
+      "quota_files" => -1
+    ]
+];
+
 // Add a minimum length for usernames (set to 0 to ignore length):
 $username_minimum_length = 4;
 
diff --git a/functions.php b/functions.php
@@ -92,9 +92,11 @@ function authenticateUser() {
 
                     logMessage('Before authentication attempt for: ' . $data['username']);
                     if ($connection->auth()->attempt($userDistinguishedName, $data['password'])) {
+                        $groups = getUserGroups($user);
+
                         // User has been successfully authenticated.
                         logMessage('After authentication attempt for: ' . $data['username'] . ' (success!)');
-                        $output = createResponseObject($connectionName, $data['username']);
+                        $output = createResponseObject($connectionName, $data['username'], $groups);
 
                         logMessage('Disconnecting from ' . $connectionName);
                         $connection->disconnect();
@@ -128,8 +130,15 @@ function authenticateUser() {
     denyRequest();
 }
 
-function createResponseObject($connectionName, $username) {
-    global $home_directories, $virtual_folders, $default_output_object, $connection_output_objects, $user_output_objects;
+function createResponseObject($connectionName, $username, $groups = []) {
+    global $home_directories,
+           $virtual_folders,
+           $default_output_object,
+           $connection_output_objects,
+           $user_output_objects,
+           $allowed_groups,
+           $auto_groups_mode,
+           $auto_groups_mode_virtual_folder_template;
 
     $userHomeDirectory = str_replace('#USERNAME#', $username, $home_directories[$connectionName]);
 
@@ -159,6 +168,45 @@ function createResponseObject($connectionName, $username) {
         }
     }
 
+    // Support for automatically creating virtual folders for allowed groups the user may be a member of:
+    if (!empty($groups)) {
+        if ($auto_groups_mode) {
+            foreach($groups as $group) {
+                if (isset($auto_groups_mode_virtual_folder_template)) {
+                    foreach($auto_groups_mode_virtual_folder_template as $virtual_group_folder) {
+
+                        $virtual_group_folder['name'] = str_replace('#GROUP#', $group, $virtual_group_folder['name']);
+                        $virtual_group_folder['mapped_path'] = str_replace('#GROUP#', $group, $virtual_group_folder['mapped_path']);
+                        $virtual_group_folder['virtual_path'] = str_replace('#GROUP#', $group, $virtual_group_folder['virtual_path']);
+
+                        $output['virtual_folders'][] = $virtual_group_folder;
+
+                        // Defaulting to open permissions on the virtual group folder:
+                        $output['permissions'][$virtual_group_folder['virtual_path']] = ["*"];
+                    }
+                }
+            }
+        } else {
+            if (!empty($allowed_groups)) {
+                foreach($groups as $group) {
+                    if (isset($allowed_groups[$group])) {
+                        foreach($allowed_groups[$group] as $virtual_group_folder) {
+
+                            $virtual_group_folder['name'] = str_replace('#GROUP#', $group, $virtual_group_folder['name']);
+                            $virtual_group_folder['mapped_path'] = str_replace('#GROUP#', $group, $virtual_group_folder['mapped_path']);
+                            $virtual_group_folder['virtual_path'] = str_replace('#GROUP#', $group, $virtual_group_folder['virtual_path']);
+
+                            $output['virtual_folders'][] = $virtual_group_folder;
+
+                            // Defaulting to open permissions on the virtual group folder:
+                            $output['permissions'][$virtual_group_folder['virtual_path']] = ["*"];
+                        }
+                    }
+                }
+            }
+        }
+    }
+
     return $output;
 }
 
@@ -273,6 +321,39 @@ function homeDirectoryEntriesExist() {
     }
 }
 
+function getUserGroups($user) {
+    $groups = array();
+
+    if (isset($user['memberof'])) {
+        if (isset($user['memberof']['count'])) {
+            unset($user['memberof']['count']);
+        }
+
+        foreach($user['memberof'] as $group) {
+            $group = str_replace('CN=', '', $group);
+
+            $endGroupName = strpos($group, ',OU');
+
+            $group = substr($group, 0, $endGroupName);
+
+            // Perform uniformity transformations:
+            $group = strtolower($group);
+            $group = str_replace('#', '', $group);
+            $group = str_replace('(', '', $group);
+            $group = str_replace(')', '', $group);
+            $group = str_replace(' ', '-', $group);
+            $group = str_replace('&', 'and', $group);
+            $group = preg_replace('/[^a-zA-Z0-9\-\._]/','', $group);
+
+            if (!empty($group)) {
+                $groups[] = $group;
+            }
+        }
+    }
+
+    return $groups;
+}
+
 function logMessage($message, $extra = []) {
     if (defined('_SFTPGO_LOG') && _SFTPGO_LOG === true) {
         global $log;
