feat: restrict login to users matching a certain group

[bergerar]

Fixes #867

[github-actions]

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

[edward-ly]

Closing as discussed in #867 (comment).

[Stefanqn]

I'm quite surprised about this decision: the referenced discussion describes a cumbersome workaround, including creating custom Keycloak flows and carefully adding the Keycloak plugin to multiple locations in these flows. Furthermore, it's an unofficial, single-developer plugin and it limits the solution space to Keycloak. On the other hand, a pull request with a proper solution at PEP (Policy Enforcement Point) exists and gets rejected. Would you please elaborate on this decision?

[edward-ly]

We happily welcome open discussion from anyone, not just those already mentioned. We're not saying that this feature isn't useful, but rather that it's better to implement it as a separate app or use LDAP as an alternative.

I agree that the Keycloak extension isn't a perfect solution, but what about my point above? What does this PR provide that another app doesn't (user_ldap or otherwise)? This is the first time I'm hearing about PEP as well, so please explain.

[Stefanqn]

Thank you Edward for keeping an open mind on this.

Regarding your point(s):
a) use LDAP as an alternative: I'm quite confused about this suggestion as it would result in switching to a completely different protocol for authorization - one many don't have in place. Maybe you can describe your idea in more detail.
b) implement it as a separate app: what would be the motivation to do so? You mentioned user_LDAP directly implementing this, so why do it differently for user_oidc?

Please take a look at Keycloaks Authorization Service Architecture for Policy Enforcement Point. It means that e.g. Keycloak can define resource access, but the resource server (Nextclouds user_oidc) has to enforce it.

[edward-ly]

Let's continue the discussion in #867 (comment) in which I made a response there.

[edward-ly]

Reopening as per #867 (comment), will test and merge within the next few days.

[edward-ly]

Could you please rebase the branch so that it starts at the tip of the main branch and resolve any conflicts? We'd like to test that it works on the latest version before merging, thank you.

[bergerar]

I rebased the pull request, unit tests and lints are passing and I did some manual tests in my setup of the feature.

[julien-nc]

Looks sane to me. Tested, works fine ✔️

A small improvement could be to check if the leading and trailing slashes are there and add them if not.

The labels/hints in the settings need to be as much descriptive as possible. See inline comments.

[bergerar]

@julien-nc the delimiters are now added automatically if the first one is missing.

There was one check failing, but it was the same one as on the main branch (Integration tests / php8.1-mysql-stable27)

[julien-nc]

Nice! Could you run composer run cs:fix to make the lint/cs check pass?
I'll merge after that. We can ignore the failing integration tests. They fail because Php 8.3 is installed instead of 8.1 for some reason.

[bergerar]

I still had an old version of the php-cs-fixer.

I did now rebase, install the updated dependencies and run composer run cs:fix.

@julien-nc is should now pass all tests

[bergerar]

Thanks for merging and your work in general on open source. @julien-nc

[julien-nc]

@bergerar Thank you for your patience, your perseverance, your nice words and your contribution!