From ecfd53ac2f60c6abd259702ed9e183acef967ea3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 2 Jun 2020 14:42:25 +0200
Subject: [PATCH] Auth: add new "auth user changed" config event and hook it into LDAP's updatePolicies(). This fixes an omission when groups are updated via ldap, the local system doesn't know about it. Eventually we might consider moving some functionality from auth.inc and the system user management pages into the same event hooks, in which case the workflow would be more like the following: [page updates config.xml data] --> [fires event] --> [event handler diffs current state agains the desired one and updates the system]
---
 src/etc/inc/plugins.inc.d/core.inc | 32 +++++++++++++++++++
 .../mvc/app/library/OPNsense/Auth/LDAP.php | 2 ++
 .../service/conf/actions.d/actions_auth.conf | 5 +++
 3 files changed, 39 insertions(+)
 create mode 100644 src/opnsense/service/conf/actions.d/actions_auth.conf
diff --git a/src/etc/inc/plugins.inc.d/core.inc b/src/etc/inc/plugins.inc.d/core.inc
index edc813bd7..ff956386a 100644
--- a/src/etc/inc/plugins.inc.d/core.inc
+++ b/src/etc/inc/plugins.inc.d/core.inc
@@ -257,3 +257,35 @@ function core_xmlrpc_sync()
 return $result;
 }
+
+function core_configure()
+{
+ return array(
+ 'user_changed' => array('core_user_changed_groups:2'),
+ );
+}
+
+/**
+ * user changed event, synchronize attached system groups for requested user
+ */
+function core_user_changed_groups($verbose = false, $username)
+{
+ global $config;
+ if (is_array($config['system']['user'])) {
+ foreach ($config['system']['user'] as $user) {
+ if ($user['name'] == $username) {
+ exec("/usr/bin/groups " . escapeshellarg($username). ' 2>/dev/null', $out, $ret);
+ $current_groups = [];
+ if (!$ret) {
+ $current_groups = explode(" ", $out[0]);
+ }
+ foreach ($config['system']['group'] as $group) {
+ if (in_array($group['name'], $current_groups) ||
+ (!empty($group['member']) && in_array($user['uid'], $group['member']))) {
+ local_group_set($group);
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 7e79ae1bc..3818c1d96 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -29,6 +29,7 @@
 namespace OPNsense\Auth;
 use OPNsense\Core\Config;
+use OPNsense\Core\Backend;
 /**
 * Class LDAP connector
@@ -510,6 +511,7 @@ class LDAP extends Base implements IAuthConnector
 }
 }
 Config::getInstance()->save();
+ (new Backend())->configdpRun("auth user changed", array($username));
 }
 }
 }
diff --git a/src/opnsense/service/conf/actions.d/actions_auth.conf b/src/opnsense/service/conf/actions.d/actions_auth.conf
new file mode 100644
index 000000000..c34c73ac7
--- /dev/null
+++ b/src/opnsense/service/conf/actions.d/actions_auth.conf
@@ -0,0 +1,5 @@
+[user.changed]
+command:/usr/local/sbin/pluginctl
+parameters: -c user_changed %s
+type:script
+message: User %s changed
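Review bot: The inner `foreach ($config['system']['group'] as $group)` in core_user_changed_groups is not guarded the way the user list is a few lines above it (`is_array($config['system']['user'])`), so on a config with no `<group>` entries the handler emits a foreach warning and syncs nothing; `foreach ((array)$config['system']['group'] as $group) {` or the same `is_array` guard keeps it consistent. The signature `core_user_changed_groups($verbose = false, $username)` puts a required parameter after an optional one, which PHP 8.0+ flags as deprecated and which makes `$verbose` impossible to omit anyway; if the `:2` in core_configure() means both arguments are always passed, `$verbose = false` should probably just be `$verbose`. `$out[0]` is read whenever `/usr/bin/groups` exits 0 — presumably it always prints a line in that case, but `if (!$ret && !empty($out)) {` would make that assumption explicit. Passing `$username` through `escapeshellarg()` before `exec()` is the right place for that, since the value originates from the LDAP login path.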
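Review bot: The result of `(new Backend())->configdpRun("auth user changed", array($username))` is discarded, so when configd cannot run the action the LDAP group membership is already persisted by the `save()` on the line above while the system groups stay stale, with nothing in the log to show it; capturing the reply and logging anything other than success (`$response = (new Backend())->configdpRun(...); if (trim($response) !== 'OK') { syslog(LOG_ERR, ...); }` — adjust the check to whatever configdpRun returns for a `script` action) would make that failure visible. The call also fires on every authentication that reaches this branch, which is presumably intended since the group set can change between logins; a one-line comment such as `// sync the system groups for this user, handled by core_user_changed_groups()` would spare the next reader the lookup. The enclosing method (updatePolicies() per the commit message) begins and ends outside the hunk.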
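Review bot: `parameters: -c user_changed %s` substitutes a value that originates from the LDAP login path straight into the pluginctl argument list; the PHP handler escapes it again before its own exec(), but the pluginctl invocation itself relies on configd's parameter handling, which this diff cannot confirm — a short comment in the file stating that `%s` is the username and that configd is expected to validate it would document that dependency. If other action files in this tree carry a `description:` entry for listing purposes, this one should follow the convention.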