Merge pull request #1044 from nextcloud/feat/add-command-for-manual-migration

feat: Add command to manually migrate groups from database

Author: blizzz

appinfo/info.xml

@@ -58,6 +58,7 @@ While theoretically any other authentication provider implementing either one of
 		<command>OCA\User_SAML\Command\ConfigSet</command>
 		<command>OCA\User_SAML\Command\GetMetadata</command>
 		<command>OCA\User_SAML\Command\GroupMigrationCopyIncomplete</command>
+		<command>OCA\User_SAML\Command\GroupMigrationManual</command>
 		<command>OCA\User_SAML\Command\UserAdd</command>
 	</commands>
 	<settings>

lib/Command/ConfigCreate.php

@@ -26,6 +26,7 @@ protected function configure(): void {
 		$this->setDescription('Creates a new config and prints the new provider ID');
 	}
 
+	#[\Override]
 	protected function execute(InputInterface $input, OutputInterface $output): int {
 		$output->writeln((string)$this->samlSettings->getNewProviderId());
 		return 0;

lib/Command/ConfigDelete.php

@@ -33,6 +33,7 @@ protected function configure(): void {
 		);
 	}
 
+	#[\Override]
 	protected function execute(InputInterface $input, OutputInterface $output): int {
 		$pId = (int)$input->getArgument('providerId');
 

lib/Command/ConfigGet.php

@@ -34,6 +34,7 @@ protected function configure(): void {
 		parent::configure();
 	}
 
+	#[\Override]
 	protected function execute(InputInterface $input, OutputInterface $output): int {
 		$providerId = (int)$input->getOption('providerId');
 		if (!empty($providerId)) {

lib/Command/ConfigSet.php

@@ -44,6 +44,7 @@ protected function configure(): void {
 		parent::configure();
 	}
 
+	#[\Override]
 	protected function execute(InputInterface $input, OutputInterface $output): int {
 		$pId = (int)$input->getArgument('providerId');
 

lib/Command/GroupMigrationCopyIncomplete.php

@@ -27,6 +27,7 @@ protected function configure(): void {
 		$this->setDescription('Transfers remaining group members from old local to current SAML groups');
 	}
 
+	#[\Override]
 	protected function execute(InputInterface $input, OutputInterface $output): int {
 		$groupsToTreat = $this->groupMigration->findGroupsWithLocalMembers();
 		if (empty($groupsToTreat)) {

lib/Command/GroupMigrationManual.php

@@ -0,0 +1,188 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\User_SAML\Command;
+
+use OC\Core\Command\Base;
+use OC\Group\Database;
+use OCA\User_SAML\Service\GroupMigration;
+use OCP\IGroupManager;
+use Psr\Log\LoggerInterface;
+use Psr\Log\LogLevel;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class GroupMigrationManual extends Base implements LoggerInterface {
+	private ?OutputInterface $output = null;
+
+	public function __construct(
+		private readonly GroupMigration $groupMigration,
+		private readonly IGroupManager $groupManager,
+	) {
+		parent::__construct();
+		$this->groupMigration->setLogger($this);
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this->setName('saml:group-migration:force');
+		$this->setDescription('Force migration of all groups from Database to SAML backend. Groups with non-saml members are skipped.');
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$this->output = $output;
+		try {
+			$backend = $this->findBackend();
+			$groupsToTreat = $this->findGroupIds($backend);
+			$groupsToTreat = $this->groupMigration->getGroupsToMigrate($groupsToTreat, $groupsToTreat);
+		} catch (\UnexpectedValueException) {
+			$output->writeln('<error>Failed to find database group backend</error>');
+			return self::FAILURE;
+		}
+
+		$failures = 0;
+		foreach ($groupsToTreat as $group) {
+			if (!$this->groupMigration->migrateGroup($group)) {
+				$output->writeln('<error>Failed to migrate ' . $group . '</error>');
+				$failures++;
+			}
+		}
+		if ($failures === 0) {
+			$output->writeln('<info>All groups were successfully migrated</info>');
+			return self::SUCCESS;
+		}
+
+		return self::FAILURE;
+	}
+
+	private function findBackend(): Database {
+		$groupBackends = $this->groupManager->getBackends();
+		foreach ($groupBackends as $backend) {
+			if ($backend instanceof Database) {
+				return $backend;
+			}
+		}
+		throw new \UnexpectedValueException();
+	}
+
+	private function findGroupIds(Database $backend): array {
+		$groupIds = $backend->getGroups();
+		$adminGroupIndex = array_search('admin', $groupIds, true);
+		if ($adminGroupIndex !== false) {
+			unset($groupIds[$adminGroupIndex]);
+		}
+		return array_values($groupIds);
+	}
+
+	/*
+	 * Log functions to implement LoggerInterface so that information makes it to the cli output
+	 */
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function emergency($message, array $context = []): void {
+		$this->log(LogLevel::EMERGENCY, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function alert($message, array $context = []): void {
+		$this->log(LogLevel::ALERT, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function critical($message, array $context = []): void {
+		$this->log(LogLevel::CRITICAL, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function error($message, array $context = []): void {
+		$this->log(LogLevel::ERROR, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function warning($message, array $context = []): void {
+		$this->log(LogLevel::WARNING, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function notice($message, array $context = []): void {
+		$this->log(LogLevel::NOTICE, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function info($message, array $context = []): void {
+		$this->log(LogLevel::INFO, $message, $context);
+	}
+
+	/**
+	 * @param string $message
+	 */
+	#[\Override]
+	public function debug($message, array $context = []): void {
+		$this->log(LogLevel::DEBUG, $message, $context);
+	}
+
+	/**
+	 * Logs with an arbitrary level.
+	 *
+	 * @param mixed $level
+	 * @param string $message
+	 */
+	#[\Override]
+	public function log($level, $message, array $context = []): void {
+		$tag = match($level) {
+			LogLevel::EMERGENCY,
+			LogLevel::ALERT,
+			LogLevel::CRITICAL,
+			LogLevel::ERROR => 'error',
+			LogLevel::WARNING,
+			LogLevel::NOTICE => 'warning',
+			LogLevel::INFO => 'info',
+			default => '',
+		};
+		$flags = match($level) {
+			LogLevel::DEBUG => OutputInterface::VERBOSITY_VERBOSE,
+			default => 0,
+		};
+		$message = $this->interpolateMessage($message, $context);
+		if ($tag !== '') {
+			$message = '<' . $tag . '>' . $message . '<' . $tag . '/>';
+		}
+		$this->output?->writeln($message, $flags);
+	}
+
+	private function interpolateMessage(string $message, array $context): string {
+		$replace = [];
+		foreach ($context as $key => $val) {
+			$replace['{' . $key . '}'] = $val;
+		}
+		return strtr($message, $replace);
+	}
+}

lib/Command/UserAdd.php

@@ -48,6 +48,7 @@ protected function configure(): void {
 			);
 	}
 
+	#[\Override]
 	protected function execute(InputInterface $input, OutputInterface $output): int {
 		$uid = $input->getArgument('uid');
 

lib/Jobs/MigrateGroups.php

@@ -14,12 +14,10 @@
 use OCP\AppFramework\Db\TTransactional;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\BackgroundJob\QueuedJob;
-use OCP\DB\Exception;
 use OCP\IConfig;
 use OCP\IDBConnection;
 use OCP\IGroupManager;
 use Psr\Log\LoggerInterface;
-use Throwable;
 
 /**
  * Class MigrateGroups
@@ -49,7 +47,7 @@ public function __construct(
 	protected function run($argument) {
 		try {
 			$candidates = $this->getMigratableGroups();
-			$toMigrate = $this->getGroupsToMigrate($argument['gids'], $candidates);
+			$toMigrate = $this->groupMigration->getGroupsToMigrate($argument['gids'], $candidates);
 			$migrated = $this->migrateGroups($toMigrate);
 			$this->ownGroupManager->updateCandidatePool($migrated);
 		} catch (\RuntimeException) {
@@ -58,89 +56,7 @@ protected function run($argument) {
 	}
 
 	protected function migrateGroups(array $toMigrate): array {
-		return array_filter($toMigrate, fn ($gid) => $this->migrateGroup($gid));
-	}
-
-	protected function migrateGroup(string $gid): bool {
-		$isMigrated = false;
-		$allUsersInserted = false;
-		try {
-			$allUsersInserted = $this->groupMigration->migrateGroupUsers($gid);
-
-			$this->dbc->beginTransaction();
-
-			$qb = $this->dbc->getQueryBuilder();
-			$affected = $qb->delete('groups')
-				->where($qb->expr()->eq('gid', $qb->createNamedParameter($gid)))
-				->executeStatement();
-			if ($affected === 0) {
-				throw new \RuntimeException('Could not delete group from local backend');
-			}
-			if (!$this->ownGroupBackend->createGroup($gid)) {
-				throw new \RuntimeException('Could not create group in SAML backend');
-			}
-
-			$this->dbc->commit();
-			$isMigrated = true;
-		} catch (Throwable $e) {
-			$this->dbc->rollBack();
-			$this->logger->warning($e->getMessage(), ['app' => 'user_saml', 'exception' => $e]);
-		}
-
-		if ($allUsersInserted && $isMigrated) {
-			try {
-				$this->groupMigration->cleanUpOldGroupUsers($gid);
-			} catch (Exception $e) {
-				$this->logger->warning('Error while cleaning up group members in (oc_)group_user of group (gid) {gid}', [
-					'app' => 'user_saml',
-					'gid' => $gid,
-					'exception' => $e,
-				]);
-			}
-		}
-
-		return $isMigrated;
-	}
-
-	protected function getGroupsToMigrate(array $samlGroups, array $pool): array {
-		return array_filter($samlGroups, function (string $gid) use ($pool) {
-			if (!in_array($gid, $pool)) {
-				return false;
-			}
-
-			$group = $this->groupManager->get($gid);
-			if ($group === null) {
-				$this->logger->debug('Not migrating group "{gid}": not found by the group manager', [
-					'app' => 'user_saml',
-					'gid' => $gid,
-				]);
-				return false;
-			}
-
-			$backendNames = $group->getBackendNames();
-			if (!in_array('Database', $backendNames, true)) {
-				$this->logger->debug('Not migrating group "{gid}": not belonging to local database backend', [
-					'app' => 'user_saml',
-					'gid' => $gid,
-					'backends' => $backendNames,
-				]);
-				return false;
-			}
-
-			foreach ($group->getUsers() as $user) {
-				if ($user->getBackendClassName() !== 'user_saml') {
-					$this->logger->debug('Not migrating group "{gid}": user "{userId}" from a different backend "{userBackend}"', [
-						'app' => 'user_saml',
-						'gid' => $gid,
-						'userId' => $user->getUID(),
-						'userBackend' => $user->getBackendClassName(),
-					]);
-					return false;
-				}
-			}
-
-			return true;
-		});
+		return array_filter($toMigrate, fn ($gid) => $this->groupMigration->migrateGroup($gid));
 	}
 
 	protected function getMigratableGroups(): array {