From 59b6845af5efb1a37d2f871aa0bf7445eb147524 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Fri, 28 Nov 2025 13:48:10 +0100
Subject: [PATCH] ocm fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
 services/graph/pkg/identity/backend.go | 4 ++++
 services/graph/pkg/identity/cache/cache.go | 24 +++++++++++++++++++++-
 services/graph/pkg/service/v0/utils.go | 6 ++++--
 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/services/graph/pkg/identity/backend.go b/services/graph/pkg/identity/backend.go
index ab9ca462e..93684311d 100644
--- a/services/graph/pkg/identity/backend.go
+++ b/services/graph/pkg/identity/backend.go
@@ -133,6 +133,10 @@ func CreateUserModelFromCS3(u *cs3user.User) *libregraph.User {
 OnPremisesSamAccountName: u.GetUsername(),
 Id: &u.GetId().OpaqueId,
 }
+ if u.GetId().GetType() == cs3user.UserType_USER_TYPE_FEDERATED {
+ ocmUserId := u.GetId().GetOpaqueId() + "@" + u.GetId().GetIdp()
+ user.Id = &ocmUserId
+ }
 return user
 }
diff --git a/services/graph/pkg/identity/cache/cache.go b/services/graph/pkg/identity/cache/cache.go
index 3bd13bf44..fe1fd5b0c 100644
--- a/services/graph/pkg/identity/cache/cache.go
+++ b/services/graph/pkg/identity/cache/cache.go
@@ -2,6 +2,8 @@ package cache
 import (
 "context"
+ "errors"
+ "strings"
 "time"
 gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
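Review bot: The federated id composed in CreateUserModelFromCS3 is not guaranteed to round-trip through the parser this patch adds in cache.go. `getIDAndMeshProvider` splits on the last "@" and rejects an empty provider, so a federated user with an empty Idp gets the id `id@`, which can never be looked up again, and an Idp that itself contains "@" would be split into a different id/provider pair than the one it was built from. The same string is assembled a second time with `fmt.Sprintf("%s@%s", ...)` in federatedIdToIdentity in utils.go; one shared helper used by both places would keep the composed format and the parser in agreement. I would also only override `user.Id` when `u.GetId().GetIdp() != ""`. Whether Idp can actually be empty or contain "@" for federated users is not visible in this patch and should be confirmed.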
@@ -133,6 +135,20 @@ func (cache IdentityCache) GetAcceptedUser(ctx context.Context, userid string) (
 return *identity.CreateUserModelFromCS3(u), nil
 }
+func getIDAndMeshProvider(user string) (id, provider string, err error) {
+ last := strings.LastIndex(user, "@")
+ if last == -1 {
+ return "", "", errors.New("not in the form @")
+ }
+ if len(user[:last]) == 0 {
+ return "", "", errors.New("empty id")
+ }
+ if len(user[last+1:]) == 0 {
+ return "", "", errors.New("empty provider")
+ }
+ return user[:last], user[last+1:], nil
+}
+
 func (cache IdentityCache) GetAcceptedCS3User(ctx context.Context, userid string) (*cs3User.User, error) {
 var user *cs3user.User
 if item := cache.users.Get(userid); item == nil {
@@ -140,8 +156,14 @@ func (cache IdentityCache) GetAcceptedCS3User(ctx context.Context, userid string
 if err != nil {
 return nil, errorcode.New(errorcode.GeneralException, err.Error())
 }
+ id, provider, err := getIDAndMeshProvider(userid)
+ if err != nil {
+ return nil, errorcode.New(errorcode.InvalidRequest, err.Error())
+ }
 cs3UserID := &cs3User.UserId{
- OpaqueId: userid,
+ Idp: provider,
+ OpaqueId: id,
+ Type: cs3User.UserType_USER_TYPE_FEDERATED,
 }
 user, err = revautils.GetAcceptedUserWithContext(ctx, cs3UserID, gatewayClient)
 if err != nil {
diff --git a/services/graph/pkg/service/v0/utils.go b/services/graph/pkg/service/v0/utils.go
index 86de9919c..106c7b6ec 100644
--- a/services/graph/pkg/service/v0/utils.go
+++ b/services/graph/pkg/service/v0/utils.go
@@ -4,6 +4,7 @@ import (
 "context"
 "encoding/base64"
 "encoding/json"
+ "fmt"
 "io"
 "net/http"
 "reflect"
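Review bot: getIDAndMeshProvider has no doc comment and no test, although its splitting rule is the contract the id-building code relies on. It cuts at the last "@", so the id part may contain "@" but the provider part may not. I would add `// getIDAndMeshProvider splits a federated user id of the form id@provider at the last "@"; both parts must be non-empty.` above it, plus a table test covering an id containing "@", a missing "@", an empty id and an empty provider. The first error text, as shown here, reads `not in the form @`, which does not tell the caller what shape is expected; naming both parts in the message would help.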
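Review bot: The format check `getIDAndMeshProvider(userid)` in GetAcceptedCS3User runs only inside the cache-miss branch, after the gateway client has been obtained. A malformed id is therefore reported as GeneralException whenever the client cannot be acquired, and as InvalidRequest only otherwise. Parsing `userid` at the top of the function would reject bad input consistently and before any backend work. The function now also requires every id to have the form id@provider, so any caller outside this patch that still passes a bare opaque id would start failing; those callers are not visible here and are worth checking. The function starts and ends outside the hunk.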
@@ -106,7 +107,8 @@ func userIdToIdentity(ctx context.Context, cache cache.IdentityCache, tennantId,
 // federatedIdToIdentity looks the user for the supplied id using the cache and returns it
 // as a libregraph.Identity
-func federatedIdToIdentity(ctx context.Context, cache cache.IdentityCache, userID string) (libregraph.Identity, error) {
+func federatedIdToIdentity(ctx context.Context, cache cache.IdentityCache, cs3UserID *cs3User.UserId) (libregraph.Identity, error) {
+ userID := fmt.Sprintf("%s@%s", cs3UserID.GetOpaqueId(), cs3UserID.GetIdp())
 identity := libregraph.Identity{
 Id: libregraph.PtrString(userID),
 LibreGraphUserType: libregraph.PtrString("Federated"),
@@ -123,7 +125,7 @@ func federatedIdToIdentity(ctx context.Context, cache cache.IdentityCache, userI
 // as a libregraph.Identity. Skips the user lookup if the id type is USER_TYPE_SPACE_OWNER
 func cs3UserIdToIdentity(ctx context.Context, cache cache.IdentityCache, cs3UserID *cs3User.UserId) (libregraph.Identity, error) {
 if cs3UserID.GetType() == cs3User.UserType_USER_TYPE_FEDERATED {
- return federatedIdToIdentity(ctx, cache, cs3UserID.GetOpaqueId())
+ return federatedIdToIdentity(ctx, cache, cs3UserID)
 }
 if cs3UserID.GetType() != cs3User.UserType_USER_TYPE_SPACE_OWNER {
 return userIdToIdentity(ctx, cache, cs3UserID.GetTenantId(), cs3UserID.GetOpaqueId())
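Review bot: The doc comment above federatedIdToIdentity is stale: it still says the function looks up the user "for the supplied id", but the function now takes a `*cs3User.UserId` and derives the lookup key itself. I would reword it to `// federatedIdToIdentity builds the federated id "opaqueid@idp" from cs3UserID, looks that user up in the cache and returns it as a libregraph.Identity`. It is also worth stating in the comment that the resulting id is what ends up in `Identity.Id`, since clients will see the provider suffix there. The function body continues outside the hunk, so how a failed lookup is handled is not visible here.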