From 07b97fa7ac2aa4d977990ac65bd274ef64472434 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 2 Sep 2025 17:42:08 +0200
Subject: [PATCH] revert(partial): "Filter users by tenant, add tenant ids to demo users"
This reverts parts of commit 926a2c20801cda69d3c7f7f32d5d181b3cf3f91d. The LDAP identity backend of the graph service was supposed to stay single-tenant only. The focus for multi-tenancy should be on the CS3 identity backend. Also lets keep the internal IDM and demo users clean of any multi-tenancy stuff for now.
---
 .woodpecker.star | 1 +
 services/graph/pkg/config/config.go | 1 -
 .../graph/pkg/config/defaults/defaultconfig.go | 1 -
 services/graph/pkg/identity/ldap.go | 15 +--------------
 services/idm/ldif/base.ldif.tmpl | 1 -
 services/idm/ldif/demousers.ldif.tmpl | 5 -----
 services/idm/pkg/command/server.go | 9 ++-------
 7 files changed, 4 insertions(+), 29 deletions(-)
diff --git a/.woodpecker.star b/.woodpecker.star
index 0f8dba8ae..e579db056 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -328,6 +328,7 @@ config = {
 "OC_LDAP_USER_FILTER": "(objectclass=inetOrgPerson)",
 "OC_LDAP_USER_SCHEMA_ID": "entryUUID",
 "OC_LDAP_DISABLE_USER_MECHANISM": "none",
+ "GRAPH_IDENTITY_BACKEND": "cs3",
 "GRAPH_LDAP_SERVER_UUID": True,
 "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
 "GRAPH_LDAP_REFINT_ENABLED": True,
diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go
index 13075a79a..ff9332016 100644
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
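Review bot: The added `"GRAPH_IDENTITY_BACKEND": "cs3"` key carries no explanation, and the surrounding OC_LDAP_*/GRAPH_LDAP_* keys stay in the same config dict, so a later reader cannot tell whether the LDAP settings are still in effect under the cs3 backend or are now inert. If, as the commit message suggests, this pipeline exercises tenant-aware behaviour, record that above the key, e.g. `# tenant-aware tests need the CS3 identity backend; the LDAP backend stays single-tenant`. Whether the LDAP identity backend is still covered by any other pipeline after this switch cannot be told from the hunk and is worth confirming. The enclosing `config = {` dict starts and ends outside the hunk.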
@@ -76,7 +76,6 @@ type LDAP struct {
 UserNameAttribute string `yaml:"user_name_attribute" env:"OC_LDAP_USER_SCHEMA_USERNAME;GRAPH_LDAP_USER_NAME_ATTRIBUTE" desc:"LDAP Attribute to use for username of users." introductionVersion:"1.0.0"`
 UserIDAttribute string `yaml:"user_id_attribute" env:"OC_LDAP_USER_SCHEMA_ID;GRAPH_LDAP_USER_UID_ATTRIBUTE" desc:"LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID." introductionVersion:"1.0.0"`
 UserIDIsOctetString bool `yaml:"user_id_is_octet_string" env:"OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"1.0.0"`
- UserTenantIDAttribute string `yaml:"user_tenant_id_attribute" env:"OC_LDAP_USER_SCHEMA_TENANT_ID;GRAPH_LDAP_USER_SCHEMA_TENANT_ID" desc:"LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment." introductionVersion:"%%NEXT%%"`
 UserTypeAttribute string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'." introductionVersion:"1.0.0"`
 UserEnabledAttribute string `yaml:"user_enabled_attribute" env:"OC_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"1.0.0"`
 DisableUserMechanism string `yaml:"disable_user_mechanism" env:"OC_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. 
If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'." introductionVersion:"1.0.0"`
diff --git a/services/graph/pkg/config/defaults/defaultconfig.go b/services/graph/pkg/config/defaults/defaultconfig.go
index 1cd0cdd76..3967408dd 100644
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -96,7 +96,6 @@ func DefaultConfig() *config.Config {
 // FIXME: switch this to some more widely available attribute by default
 // ideally this needs to be constant for the lifetime of a users
 UserIDAttribute: "openCloudUUID",
- UserTenantIDAttribute: "",
 UserTypeAttribute: "openCloudUserType",
 UserEnabledAttribute: "openCloudUserEnabled",
 DisableUserMechanism: "attribute",
diff --git a/services/graph/pkg/identity/ldap.go b/services/graph/pkg/identity/ldap.go
index bc6ae71b9..9ca26bf51 100644
--- a/services/graph/pkg/identity/ldap.go
+++ b/services/graph/pkg/identity/ldap.go
@@ -15,7 +15,6 @@ import (
 "github.com/google/uuid"
 "github.com/libregraph/idm/pkg/ldapdn"
 libregraph "github.com/opencloud-eu/libre-graph-api-go"
- ctxpkg "github.com/opencloud-eu/reva/v2/pkg/ctx"
 "github.com/opencloud-eu/opencloud/pkg/log"
 "github.com/opencloud-eu/opencloud/services/graph/pkg/config"
@@ -81,7 +80,6 @@ type LDAP struct {
 type userAttributeMap struct {
 displayName string
 id string
- tenantId string
 mail string
 userName string
 givenName string
@@ -117,7 +115,6 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 uam := userAttributeMap{
 displayName: config.UserDisplayNameAttribute,
 id: config.UserIDAttribute,
- tenantId: config.UserTenantIDAttribute,
 mail: config.UserEmailAttribute,
 userName: config.UserNameAttribute,
 accountEnabled: config.UserEnabledAttribute,
@@ -617,17 +614,7 @@ func (i *LDAP) FilterUsers(ctx context.Context, oreq *godata.GoDataRequest, filt
 i.userAttributeMap.displayName, search,
 )
 }
-
- // apply tenant filter if applicable
- var tenantFilter string
- if i.userAttributeMap.tenantId != "" {
- currentUser, ok := ctxpkg.ContextGetUser(ctx)
- if ok && currentUser.Id.GetTenantId() != "" {
- tenantFilter = fmt.Sprintf("(%s=%s)", i.userAttributeMap.tenantId, ldap.EscapeFilter(currentUser.Id.GetTenantId()))
- }
- }
-
- userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s%s)", i.userFilter, i.userObjectClass, queryFilter, userFilter, tenantFilter)
+ userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s)", i.userFilter, i.userObjectClass, queryFilter, userFilter)
 searchRequest := ldap.NewSearchRequest(
 i.userBaseDN, i.userScope, ldap.NeverDerefAliases, 0, 0, false, userFilter,
diff --git a/services/idm/ldif/base.ldif.tmpl b/services/idm/ldif/base.ldif.tmpl
index 0d5a1c5c8..b70c284ac 100644
--- a/services/idm/ldif/base.ldif.tmpl
+++ b/services/idm/ldif/base.ldif.tmpl
@@ -31,7 +31,6 @@ displayName: Admin
 description: An admin for this OpenCloud instance.
 mail: admin@example.org
 openCloudUUID: {{ .ID }}
-openCloudTenantId: {{ .TenantID }}
 openCloudExternalIdentity: $ {{ .Issuer }} $ {{ .ID }}
 {{ else -}}
 dn: uid={{ .Name }},ou=sysusers,o=libregraph-idm
diff --git a/services/idm/ldif/demousers.ldif.tmpl b/services/idm/ldif/demousers.ldif.tmpl
index 798265e71..881c90f9f 100644
--- a/services/idm/ldif/demousers.ldif.tmpl
+++ b/services/idm/ldif/demousers.ldif.tmpl
@@ -15,7 +15,6 @@ mail: alan@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
 openCloudExternalIdentity: $ {{.}} $ b1f74ec4-dd7e-11ef-a543-03775734d0f7
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 dn: uid=lynn,ou=users,o=libregraph-idm
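Review bot: The new `userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s)", ...)` line silently drops the only per-caller scoping the search had, and nothing in the code records that this is deliberate; a reader seeing FilterUsers return every entry under userBaseDN on a tenant-aware deployment will reasonably take it for a leak. Since the commit message states the LDAP backend is single-tenant by design, say so right above that line, e.g. `// The LDAP identity backend is single-tenant: the search is never scoped by the caller's tenant.`, and ideally the backend-selection documentation should make the same statement so that multi-tenant deployments are steered to the CS3 backend. The removed code escaped the tenant ID with `ldap.EscapeFilter` before interpolating it; the remaining `queryFilter` and `userFilter` pieces are built outside this hunk, so it is worth confirming they get the same treatment before being joined with fmt.Sprintf. FilterUsers starts and ends outside the hunk.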
@@ -35,7 +34,6 @@ mail: lynn@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 60708dda-e897-11ef-919f-bbb7437d6ec2
 openCloudExternalIdentity: $ {{.}} $ 60708dda-e897-11ef-919f-bbb7437d6ec2
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 dn: uid=mary,ou=users,o=libregraph-idm
@@ -55,7 +53,6 @@ mail: mary@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
 openCloudExternalIdentity: $ {{.}} $ 056fc874-dd7f-11ef-ba84-af6fca4b7289
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 dn: uid=margaret,ou=users,o=libregraph-idm
@@ -75,7 +72,6 @@ mail: margaret@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
 openCloudExternalIdentity: $ {{.}} $ 801abee4-dd7f-11ef-a324-83f55a754b62
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 dn: uid=dennis,ou=users,o=libregraph-idm
@@ -95,7 +91,6 @@ mail: dennis@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
 openCloudExternalIdentity: $ {{.}} $ cd88bf9a-dd7f-11ef-a609-7f78deb2345f
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 dn: cn=users,ou=groups,o=libregraph-idm
diff --git a/services/idm/pkg/command/server.go b/services/idm/pkg/command/server.go
index fda1404d2..1789ce98f 100644
--- a/services/idm/pkg/command/server.go
+++ b/services/idm/pkg/command/server.go
@@ -132,7 +132,6 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 Name string
 Password string
 ID string
- TenantID string
 Issuer string
 }
@@ -152,16 +151,12 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 }
 if cfg.AdminUserID != "" {
- adminUser := svcUser{
+ serviceUsers = append(serviceUsers, svcUser{
 Name: "admin",
 Password: cfg.ServiceUserPasswords.OCAdmin,
 ID: cfg.AdminUserID,
 Issuer: cfg.DemoUsersIssuerUrl,
- }
- if cfg.CreateDemoUsers {
- adminUser.TenantID = "cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b"
- }
- serviceUsers = append(serviceUsers, adminUser)
+ })
 }
 bdb := &ldbbolt.LdbBolt{}
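Review bot: The `svcUser` literal now appended inline is the data handed to the LDIF templates, and the same commit has to drop `{{ .TenantID }}` from base.ldif.tmpl so that the field removed in the first hunk is not referenced any more — a text/template execution fails when a template names a field the data struct lacks, which makes this struct/template pairing fragile for future partial reverts. Nothing in server.go records that coupling; a comment on the struct declared in the first hunk (its `type` line is outside the hunk), e.g. `// svcUser is the data passed to the LDIF templates; every field referenced there must exist here.`, would make the contract visible. Whether any other template under services/idm/ldif still references `.TenantID` cannot be seen from this diff and is worth a grep before merging. bootstrap starts and ends outside both hunks.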