Implement proper group mapping via SAML

Fixes #561

As stated in the issue, it's not desirable to have a group called
`admin` in the SAML backend which doesn't indicate to which service
admin permissions are granted.

This is orthogonal to `saml-attribute-mapping-group_mapping` which
simply maps all groups from a SAML attribute to Nextcloud groups, i.e.
the attribute's value MUST contain a group called `admin` to make sure
that users get admin rights in Nextcloud.

When enabled, the name of (another) attribute must be specified which
contains a list of SAML-specific groups, e.g.

    ["nextcloud-admins", "nextcloud-marketing"]

that can be mapped to e.g.

    ["admin", "marketing"]

Author: Ma27

js/admin.js

@@ -223,6 +223,99 @@ $(function() {
 		OCA.User_SAML.Admin.resetSettings();
 	});
 
+	function isGroupMappingValid() {
+		if (!$('#user-saml-group-mapping-field-name').val()) {
+			return false;
+		}
+		var allMappingsDeclared = $('#saml-mapping-items')
+			.children('p')
+			.children('input')
+			.map(function () { return $(this).val(); })
+			.get()
+			.every(function (x) { return x; });
+		if (!allMappingsDeclared) {
+			return false;
+		}
+		return true;
+	}
+
+	function updateGroupMappings() {
+		OCA.User_SAML.Admin.setSamlConfigValue(
+			'group-mapping',
+			'field-mappings',
+			JSON.stringify(
+				$('#saml-mapping-items').children('p').map(function () {
+					return [$(this).children('.required').map(function () { return $(this).val() }).get()];
+				}).get()
+			)
+		);
+	}
+
+	$(document).on('change', '#saml-mapping-items input', function () {
+		if (isGroupMappingValid()) {
+			$('#user-saml-settings-group-mapping-incomplete').addClass('hidden');
+			OCA.User_SAML.Admin.setSamlConfigValue('group-mapping', 'enable', '1');
+			updateGroupMappings();
+		} else {
+			$('#user-saml-settings-group-mapping-incomplete').removeClass('hidden');
+		}
+	});
+
+	$('#saml-add-mapping').click(function(e) {
+		e.preventDefault();
+		$('#saml-mapping-items').append("\
+			<p class=\"saml-group-mapping\">\
+				<input type=\"text\" placeholder=\"SAML group\" class=\"required\" />\
+				<input type=\"text\" placeholder=\"Nextcloud pendant\" class=\"required\" />\
+				<button class=\"user-saml-remove-mapping\">Remove mapping</button>\
+			</p>");
+		$('#saml-group-initial').clone().appendTo('#saml-mapping-items');
+		$('#user-saml-settings-group-mapping-incomplete').removeClass('hidden');
+	});
+
+	$(document).on('click', '.user-saml-remove-mapping', function(e) {
+		e.preventDefault();
+		$(this).closest('.saml-group-mapping').remove();
+		if (isGroupMappingValid()) {
+			$('#user-saml-settings-group-mapping-incomplete').addClass('hidden');
+			OCA.User_SAML.Admin.setSamlConfigValue('group-mapping', 'enable', '1');
+			updateGroupMappings();
+		}
+	});
+
+	$('#user-saml-group-mapping-check').change(function() {
+		$(this).val($(this).val() === '0' ? '1' : '0');
+		if ($(this).val() == '1') {
+			if (!isGroupMappingValid()) {
+				$('#user-saml-settings-group-mapping-incomplete').removeClass('hidden');
+			} else {
+				OCA.User_SAML.Admin.setSamlConfigValue('group-mapping', 'enable', '1');
+			}
+			$('#user-saml-group-mapping-field-name').removeAttr('disabled');
+			$('#saml-add-mapping').removeAttr('disabled');
+			$('#saml-mapping-items').children('p').children('input, button').removeAttr('disabled');
+		} else {
+			OCA.User_SAML.Admin.setSamlConfigValue('group-mapping', 'enable', '0');
+			$('#user-saml-group-mapping-field-name').attr('disabled', 'disabled');
+			$('#saml-add-mapping').attr('disabled', 'disabled');
+			$('#user-saml-settings-group-mapping-incomplete').addClass('hidden');
+			$('#saml-mapping-items').children('p').children('input, button').attr('disabled', 'disabled');
+		}
+	});
+
+	$('#user-saml-group-mapping-field-name').change(function() {
+		var value = $(this).val();
+		if (value) {
+			if (isGroupMappingValid()) {
+				$('#user-saml-settings-group-mapping-incomplete').addClass('hidden');
+			}
+			OCA.User_SAML.Admin.setSamlConfigValue('group-mapping', 'enable', '1');
+			OCA.User_SAML.Admin.setSamlConfigValue('group-mapping', 'saml-field', value);
+		} else {
+			$('#user-saml-settings-group-mapping-incomplete').removeClass('hidden');
+		}
+	});
+
 	var switchProvider = function(providerId) {
 		$('.account-list li').removeClass('active');
 		$('.account-list li[data-id="' + providerId + '"]').addClass('active');
@@ -446,6 +539,13 @@ $(function() {
 					text = 'Show attribute mapping settings ...';
 				}
 				break;
+			case 'user-saml-group-mapping':
+				if (nextSibling.hasClass('hidden')) {
+					text = 'Hide group mapping settings ...';
+				} else {
+					text = 'Show group mapping settings ...';
+				}
+				break;
 		}
 		el.html(t('user_saml', text));
 

lib/SAMLSettings.php

@@ -68,6 +68,9 @@ class SAMLSettings {
 		'sp-x509cert',
 		'sp-name-id-format',
 		'sp-privateKey',
+		'group-mapping-enable',
+		'group-mapping-saml-field',
+		'group-mapping-field-mappings',
 	];
 
 	/** @var IURLGenerator */

lib/UserBackend.php

@@ -659,24 +659,52 @@ public function updateAttributes($uid,
 				$user->setQuota($newQuota);
 			}
 
+			if ($this->getGroupMappingSetting('enable') === '1') {
+				$fieldName = $this->getGroupMappingSetting('saml-field');
+				$groupMappings = json_decode($this->getGroupMappingSetting('field-mappings'), true);
+				$newMappedGroups = [];
+				$samlGroups = $attributes[$fieldName] ?? [];
+				foreach ($samlGroups as $samlGroup) {
+					foreach ($groupMappings as $mapping) {
+						list($saml, $nextcloud) = $mapping;
+						if ($saml === $samlGroup) {
+							$newMappedGroups[] = $nextcloud;
+						}
+					}
+				}
+				if ($newMappedGroups !== []) {
+					$this->updateGroups($newMappedGroups, $user);
+				}
+			}
+
 			if ($newGroups !== null) {
-				$groupManager = $this->groupManager;
-				$oldGroups = $groupManager->getUserGroupIds($user);
+				$this->updateGroups($newGroups, $user);
+			}
+		}
+	}
 
-				$groupsToAdd = array_unique(array_diff($newGroups, $oldGroups));
-				$groupsToRemove = array_diff($oldGroups, $newGroups);
+	private function getGroupMappingSetting($key) {
+		$id = $this->settings->getProviderId();
+		$settings = $this->settings->get($id);
+		return $settings['group-mapping-' . $key] ?? null;
+	}
 
-				foreach ($groupsToAdd as $group) {
-					if (!($groupManager->groupExists($group))) {
-						$groupManager->createGroup($group);
-					}
-					$groupManager->get($group)->addUser($user);
-				}
+	private function updateGroups(array $newGroups, $user) {
+		$groupManager = $this->groupManager;
+		$oldGroups = $groupManager->getUserGroupIds($user);
 
-				foreach ($groupsToRemove as $group) {
-					$groupManager->get($group)->removeUser($user);
-				}
+		$groupsToAdd = array_unique(array_diff($newGroups, $oldGroups));
+		$groupsToRemove = array_diff($oldGroups, $newGroups);
+
+		foreach ($groupsToAdd as $group) {
+			if (!($groupManager->groupExists($group))) {
+				$groupManager->createGroup($group);
 			}
+			$groupManager->get($group)->addUser($user);
+		}
+
+		foreach ($groupsToRemove as $group) {
+			$groupManager->get($group)->removeUser($user);
 		}
 	}
 

templates/admin.php

@@ -198,6 +198,36 @@
 			</div>
 		</div>
 
+		<div id="user-saml-group-mapping">
+			<h3><?php p($l->t('Group mapping')) ?></h3>
+			<p>
+				<?php p($l->t('Map groups from a specified SAML attribute to existing Nextcloud groups')) ?>
+				<span class="toggle"><?php p($l->t('Show group mapping settings ...')) ?></span>
+			</p>
+			<div class="ident hidden">
+				<p>
+					<input type="checkbox" id="user-saml-group-mapping-check" name="user-saml-group-mapping-check" value="<?php p($_['config']['group-mapping-enable'] ?? '0') ?>" />
+					<label for="user-saml-group-mapping-check"><?php p($l->t('Whether to enable group mapping')) ?></label>
+				</p>
+				<p>
+				<input <?php if ('0' === $_['config']['group-mapping-enable'] ?? '0'): ?>disabled="disabled"<?php endif; ?> id="user-saml-group-mapping-field-name" type="text" placeholder="<?php p($l->t('SAML group attribute name')) ?>" class="required" value="<?php p($_['config']['group-mapping-saml-field'] ?? '') ?>" />
+				</p>
+				<div>
+					<h4>Mappings</h4>
+					<div id="saml-mapping-items">
+						<?php foreach (json_decode($_['config']['group-mapping-field-mappings'] ?? '') as $mapping): ?>
+							<p class="saml-group-mapping">
+								<input type="text" placeholder="SAML group" class="required" value="<?php p($mapping[0]) ?>" />
+								<input type="text" placeholder="Nextcloud pendant" class="required" value="<?php p($mapping[1]) ?>" />
+								<button class="user-saml-remove-mapping">Remove mapping</button>
+							</p>
+						<?php endforeach; ?>
+					</div>
+					<button id="saml-add-mapping" <?php if ('0' === $_['config']['group-mapping-enable'] ?? '0'): ?>disabled="disabled"<?php endif; ?>>Add Mapping</button>
+				</div>
+			</div>
+		</div>
+
 		<a id="get-metadata" data-base="<?php p(\OC::$server->getURLGenerator()->linkToRoute('user_saml.SAML.getMetadata')); ?>"
 		   href="<?php p(\OC::$server->getURLGenerator()->linkToRoute('user_saml.SAML.getMetadata', ['idp' => $_['providers'][0]['id']])) ?>" class="button">
 			<?php p($l->t('Download metadata XML')) ?>
@@ -207,6 +237,7 @@
 
 
 		<span class="warning hidden" id="user-saml-settings-incomplete"><?php p($l->t('Metadata invalid')) ?></span>
+		<span class="warning hidden" id="user-saml-settings-group-mapping-incomplete"><?php p($l->t('Group mapping invalid')) ?></span>
 		<span class="success hidden" id="user-saml-settings-complete"><?php p($l->t('Metadata valid')) ?></span>
 	</div>
 </form>