mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-04-28 06:49:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

add graph api properties

Browse Source 
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
This commit is contained in:
Jörn Friedrich Dreyer
2020-06-08 17:38:19 +02:00
parent 810d2b6b34
commit 5ae2ef9b80
8 changed files with 2729 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/_index.md
+12 -1
View File
@@ -7,4 +7,15 @@ geekdocEditPath: edit/master/docs
geekdocFilePath: _index.md
---
This service provides an inter-operable accounts service that operates on the filesystem by default.
[![GitHub](https://img.shields.io/github/license/owncloud/ocis-hello)](https://github.com/owncloud/ocis-hello/blob/master/LICENSE)
## Abstract
OCIS needs to be able to identify users. Whithout a non reassignable and persistend account ID share metadata cannot be reliably persisted. `ocis-accounts` allows exchanging oidc claims for a uuid. Using a uuid allows users to change the login, mail or even openid connect provider without breaking any persisted metadata that might have been attached to it.
- persists accounts
- uses graph api properties
-ldap can be synced using the onpremise* attributes
## Table of Contents
{{< toc-tree >}}
go.mod
+1
View File
@@ -10,6 +10,7 @@ require (
github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 // indirect
github.com/joho/godotenv v1.3.0
github.com/micro/cli/v2 v2.1.2
github.com/micro/go-micro v1.18.0
github.com/micro/go-micro/v2 v2.6.0
github.com/oklog/run v1.1.0
github.com/owncloud/ocis-pkg/v2 v2.2.1
pkg/flagset/flagset.go
+7 -2
View File
@@ -121,8 +121,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
},
// ldap dn is always the dn
&cli.StringFlag{
Name: "ldap-schema-account-id",
Value: "ownclouduuid", // TODO write down LDAP schema & register OID
Name: "ldap-schema-account-id",
// TODO write down LDAP schema & register OID ownclouduuid
//... use 'sourceAnchor','immutableid' see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#sourceanchor
// or 'ms-DS-ConsistencyGuid' see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
// or build a scim schema for ldap? https://ldapwiki.com/wiki/SCIM%20Common%20Attribute
// glauth -> support id and externalid from scim
Value: "uidNumber",
Usage: "LDAP schema account id",
EnvVars: []string{"ACCOUNTS_LDAP_SCHEMA_ACCOUNT_ID"},
Destination: &cfg.LDAP.Schema.AccountID,
pkg/proto/v0/accounts.pb.go
+1681 -115
View File
File diff suppressed because it is too large Load Diff
pkg/proto/v0/accounts.pb.micro.go
+179 -85
View File
@@ -7,6 +7,7 @@ import (
fmt "fmt"
proto "github.com/golang/protobuf/proto"
empty "github.com/golang/protobuf/ptypes/empty"
_ "github.com/golang/protobuf/ptypes/timestamp"
_ "google.golang.org/genproto/googleapis/api/annotations"
_ "google.golang.org/genproto/protobuf/field_mask"
math "math"
@@ -47,16 +48,6 @@ type AccountsService interface {
UpdateAccount(ctx context.Context, in *UpdateAccountRequest, opts ...client.CallOption) (*Account, error)
// Deletes an account
DeleteAccount(ctx context.Context, in *DeleteAccountRequest, opts ...client.CallOption) (*empty.Empty, error)
// Lists groups
ListGroups(ctx context.Context, in *ListGroupsRequest, opts ...client.CallOption) (*ListGroupsResponse, error)
// Gets an groups
GetGroup(ctx context.Context, in *GetGroupRequest, opts ...client.CallOption) (*Group, error)
// Creates a group
CreateGroup(ctx context.Context, in *CreateGroupRequest, opts ...client.CallOption) (*Group, error)
// Updates a group
UpdateGroup(ctx context.Context, in *UpdateGroupRequest, opts ...client.CallOption) (*Group, error)
// Deletes a group
DeleteGroup(ctx context.Context, in *DeleteGroupRequest, opts ...client.CallOption) (*empty.Empty, error)
}
type accountsService struct {
@@ -121,56 +112,6 @@ func (c *accountsService) DeleteAccount(ctx context.Context, in *DeleteAccountRe
return out, nil
}
func (c *accountsService) ListGroups(ctx context.Context, in *ListGroupsRequest, opts ...client.CallOption) (*ListGroupsResponse, error) {
req := c.c.NewRequest(c.name, "AccountsService.ListGroups", in)
out := new(ListGroupsResponse)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *accountsService) GetGroup(ctx context.Context, in *GetGroupRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "AccountsService.GetGroup", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *accountsService) CreateGroup(ctx context.Context, in *CreateGroupRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "AccountsService.CreateGroup", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *accountsService) UpdateGroup(ctx context.Context, in *UpdateGroupRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "AccountsService.UpdateGroup", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *accountsService) DeleteGroup(ctx context.Context, in *DeleteGroupRequest, opts ...client.CallOption) (*empty.Empty, error) {
req := c.c.NewRequest(c.name, "AccountsService.DeleteGroup", in)
out := new(empty.Empty)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
// Server API for AccountsService service
type AccountsServiceHandler interface {
@@ -184,16 +125,6 @@ type AccountsServiceHandler interface {
UpdateAccount(context.Context, *UpdateAccountRequest, *Account) error
// Deletes an account
DeleteAccount(context.Context, *DeleteAccountRequest, *empty.Empty) error
// Lists groups
ListGroups(context.Context, *ListGroupsRequest, *ListGroupsResponse) error
// Gets an groups
GetGroup(context.Context, *GetGroupRequest, *Group) error
// Creates a group
CreateGroup(context.Context, *CreateGroupRequest, *Group) error
// Updates a group
UpdateGroup(context.Context, *UpdateGroupRequest, *Group) error
// Deletes a group
DeleteGroup(context.Context, *DeleteGroupRequest, *empty.Empty) error
}
func RegisterAccountsServiceHandler(s server.Server, hdlr AccountsServiceHandler, opts ...server.HandlerOption) error {
@@ -203,11 +134,6 @@ func RegisterAccountsServiceHandler(s server.Server, hdlr AccountsServiceHandler
CreateAccount(ctx context.Context, in *CreateAccountRequest, out *Account) error
UpdateAccount(ctx context.Context, in *UpdateAccountRequest, out *Account) error
DeleteAccount(ctx context.Context, in *DeleteAccountRequest, out *empty.Empty) error
ListGroups(ctx context.Context, in *ListGroupsRequest, out *ListGroupsResponse) error
GetGroup(ctx context.Context, in *GetGroupRequest, out *Group) error
CreateGroup(ctx context.Context, in *CreateGroupRequest, out *Group) error
UpdateGroup(ctx context.Context, in *UpdateGroupRequest, out *Group) error
DeleteGroup(ctx context.Context, in *DeleteGroupRequest, out *empty.Empty) error
}
type AccountsService struct {
accountsService
@@ -240,22 +166,190 @@ func (h *accountsServiceHandler) DeleteAccount(ctx context.Context, in *DeleteAc
return h.AccountsServiceHandler.DeleteAccount(ctx, in, out)
}
func (h *accountsServiceHandler) ListGroups(ctx context.Context, in *ListGroupsRequest, out *ListGroupsResponse) error {
return h.AccountsServiceHandler.ListGroups(ctx, in, out)
// Client API for GroupsService service
type GroupsService interface {
// Lists groups
ListGroups(ctx context.Context, in *ListGroupsRequest, opts ...client.CallOption) (*ListGroupsResponse, error)
// Gets an groups
GetGroup(ctx context.Context, in *GetGroupRequest, opts ...client.CallOption) (*Group, error)
// Creates a group
CreateGroup(ctx context.Context, in *CreateGroupRequest, opts ...client.CallOption) (*Group, error)
// Updates a group
UpdateGroup(ctx context.Context, in *UpdateGroupRequest, opts ...client.CallOption) (*Group, error)
// Deletes a group
DeleteGroup(ctx context.Context, in *DeleteGroupRequest, opts ...client.CallOption) (*empty.Empty, error)
// group:addmember https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
AddMember(ctx context.Context, in *AddMemberRequest, opts ...client.CallOption) (*Group, error)
// group:removemember https://docs.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0
RemoveMember(ctx context.Context, in *RemoveMemberRequest, opts ...client.CallOption) (*Group, error)
// group:listmembers https://docs.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0
ListMembers(ctx context.Context, in *ListMembersRequest, opts ...client.CallOption) (*ListMembersResponse, error)
}
func (h *accountsServiceHandler) GetGroup(ctx context.Context, in *GetGroupRequest, out *Group) error {
return h.AccountsServiceHandler.GetGroup(ctx, in, out)
type groupsService struct {
c client.Client
name string
}
func (h *accountsServiceHandler) CreateGroup(ctx context.Context, in *CreateGroupRequest, out *Group) error {
return h.AccountsServiceHandler.CreateGroup(ctx, in, out)
func NewGroupsService(name string, c client.Client) GroupsService {
return &groupsService{
c: c,
name: name,
}
}
func (h *accountsServiceHandler) UpdateGroup(ctx context.Context, in *UpdateGroupRequest, out *Group) error {
return h.AccountsServiceHandler.UpdateGroup(ctx, in, out)
func (c *groupsService) ListGroups(ctx context.Context, in *ListGroupsRequest, opts ...client.CallOption) (*ListGroupsResponse, error) {
req := c.c.NewRequest(c.name, "GroupsService.ListGroups", in)
out := new(ListGroupsResponse)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (h *accountsServiceHandler) DeleteGroup(ctx context.Context, in *DeleteGroupRequest, out *empty.Empty) error {
return h.AccountsServiceHandler.DeleteGroup(ctx, in, out)
func (c *groupsService) GetGroup(ctx context.Context, in *GetGroupRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "GroupsService.GetGroup", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *groupsService) CreateGroup(ctx context.Context, in *CreateGroupRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "GroupsService.CreateGroup", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *groupsService) UpdateGroup(ctx context.Context, in *UpdateGroupRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "GroupsService.UpdateGroup", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *groupsService) DeleteGroup(ctx context.Context, in *DeleteGroupRequest, opts ...client.CallOption) (*empty.Empty, error) {
req := c.c.NewRequest(c.name, "GroupsService.DeleteGroup", in)
out := new(empty.Empty)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *groupsService) AddMember(ctx context.Context, in *AddMemberRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "GroupsService.AddMember", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *groupsService) RemoveMember(ctx context.Context, in *RemoveMemberRequest, opts ...client.CallOption) (*Group, error) {
req := c.c.NewRequest(c.name, "GroupsService.RemoveMember", in)
out := new(Group)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *groupsService) ListMembers(ctx context.Context, in *ListMembersRequest, opts ...client.CallOption) (*ListMembersResponse, error) {
req := c.c.NewRequest(c.name, "GroupsService.ListMembers", in)
out := new(ListMembersResponse)
err := c.c.Call(ctx, req, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
// Server API for GroupsService service
type GroupsServiceHandler interface {
// Lists groups
ListGroups(context.Context, *ListGroupsRequest, *ListGroupsResponse) error
// Gets an groups
GetGroup(context.Context, *GetGroupRequest, *Group) error
// Creates a group
CreateGroup(context.Context, *CreateGroupRequest, *Group) error
// Updates a group
UpdateGroup(context.Context, *UpdateGroupRequest, *Group) error
// Deletes a group
DeleteGroup(context.Context, *DeleteGroupRequest, *empty.Empty) error
// group:addmember https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
AddMember(context.Context, *AddMemberRequest, *Group) error
// group:removemember https://docs.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0
RemoveMember(context.Context, *RemoveMemberRequest, *Group) error
// group:listmembers https://docs.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0
ListMembers(context.Context, *ListMembersRequest, *ListMembersResponse) error
}
func RegisterGroupsServiceHandler(s server.Server, hdlr GroupsServiceHandler, opts ...server.HandlerOption) error {
type groupsService interface {
ListGroups(ctx context.Context, in *ListGroupsRequest, out *ListGroupsResponse) error
GetGroup(ctx context.Context, in *GetGroupRequest, out *Group) error
CreateGroup(ctx context.Context, in *CreateGroupRequest, out *Group) error
UpdateGroup(ctx context.Context, in *UpdateGroupRequest, out *Group) error
DeleteGroup(ctx context.Context, in *DeleteGroupRequest, out *empty.Empty) error
AddMember(ctx context.Context, in *AddMemberRequest, out *Group) error
RemoveMember(ctx context.Context, in *RemoveMemberRequest, out *Group) error
ListMembers(ctx context.Context, in *ListMembersRequest, out *ListMembersResponse) error
}
type GroupsService struct {
groupsService
}
h := &groupsServiceHandler{hdlr}
return s.Handle(s.NewHandler(&GroupsService{h}, opts...))
}
type groupsServiceHandler struct {
GroupsServiceHandler
}
func (h *groupsServiceHandler) ListGroups(ctx context.Context, in *ListGroupsRequest, out *ListGroupsResponse) error {
return h.GroupsServiceHandler.ListGroups(ctx, in, out)
}
func (h *groupsServiceHandler) GetGroup(ctx context.Context, in *GetGroupRequest, out *Group) error {
return h.GroupsServiceHandler.GetGroup(ctx, in, out)
}
func (h *groupsServiceHandler) CreateGroup(ctx context.Context, in *CreateGroupRequest, out *Group) error {
return h.GroupsServiceHandler.CreateGroup(ctx, in, out)
}
func (h *groupsServiceHandler) UpdateGroup(ctx context.Context, in *UpdateGroupRequest, out *Group) error {
return h.GroupsServiceHandler.UpdateGroup(ctx, in, out)
}
func (h *groupsServiceHandler) DeleteGroup(ctx context.Context, in *DeleteGroupRequest, out *empty.Empty) error {
return h.GroupsServiceHandler.DeleteGroup(ctx, in, out)
}
func (h *groupsServiceHandler) AddMember(ctx context.Context, in *AddMemberRequest, out *Group) error {
return h.GroupsServiceHandler.AddMember(ctx, in, out)
}
func (h *groupsServiceHandler) RemoveMember(ctx context.Context, in *RemoveMemberRequest, out *Group) error {
return h.GroupsServiceHandler.RemoveMember(ctx, in, out)
}
func (h *groupsServiceHandler) ListMembers(ctx context.Context, in *ListMembersRequest, out *ListMembersResponse) error {
return h.GroupsServiceHandler.ListMembers(ctx, in, out)
}
pkg/proto/v0/accounts.proto
+589 -25
View File
@@ -8,6 +8,7 @@ import "google/api/field_behavior.proto";
import "google/api/annotations.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";
// Follow recommended Methods for rpc APIs https://cloud.google.com/apis/design/resources?hl=de#methods
// https://cloud.google.com/apis/design/standard_methods?hl=de#list
@@ -23,7 +24,7 @@ service AccountsService {
// Gets an account
rpc GetAccount(GetAccountRequest) returns (Account) {
option (google.api.http) = {
get: "/v0/accounts/{account_id=*}"
get: "/v0/accounts/{id=*}"
body: "*"
};
}
@@ -41,7 +42,7 @@ service AccountsService {
// Update maps to HTTP PATCH. Resource name is mapped to a URL path.
// Resource is contained in the HTTP request body
option (google.api.http) = {
patch: "/v0/accounts/{account.account_id=*}"
patch: "/v0/accounts/{account.id=*}"
body: "account"
};
};
@@ -50,10 +51,12 @@ service AccountsService {
// Delete maps to HTTP DELETE. Resource name maps to the URL path.
// There is no request body
option (google.api.http) = {
delete: "/v0/accounts/{account_id=*}"
delete: "/v0/accounts/{id=*}"
};
}
}
service GroupsService {
// Lists groups
rpc ListGroups(ListGroupsRequest) returns (ListGroupsResponse) {
// List method maps to HTTP GET
@@ -64,7 +67,7 @@ service AccountsService {
// Gets an groups
rpc GetGroup(GetGroupRequest) returns (Group) {
option (google.api.http) = {
get: "/v0/groups/{group_id=*}"
get: "/v0/groups/{id=*}"
body: "*"
};
}
@@ -82,7 +85,7 @@ service AccountsService {
// Update maps to HTTP PATCH. Resource name is mapped to a URL path.
// Resource is contained in the HTTP request body
option (google.api.http) = {
patch: "/v0/groups/{group.group_id=*}"
patch: "/v0/groups/{group.id=*}"
body: "group"
};
};
@@ -91,9 +94,39 @@ service AccountsService {
// Delete maps to HTTP DELETE. Resource name maps to the URL path.
// There is no request body
option (google.api.http) = {
delete: "/v0/groups/{group_id=*}"
delete: "/v0/groups/{id=*}"
};
}
// additional group methods: https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#methods
// references are accessed using $ref, see http://docs.oasis-open.org/odata/odata/v4.0/cs01/part2-url-conventions/odata-v4.0-cs01-part2-url-conventions.html#_Toc365046422
// or the stack overflow question https://stackoverflow.com/questions/49362894/why-is-the-microsoft-graph-api-using-ref-in-the-uri
// group:addmember https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
rpc AddMember(AddMemberRequest) returns (Group) {
// All request parameters go into body.
option (google.api.http) = {
post: "/v0/groups/{id=*}/members/$ref"
body: "*"
};
}
// group:removemember https://docs.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0
rpc RemoveMember(RemoveMemberRequest) returns (Group) {
// All request parameters go into body.
option (google.api.http) = {
delete: "/v0/groups/{id=*}/members/{account.id}/$ref"
body: "*"
};
}
// group:listmembers https://docs.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0
rpc ListMembers(ListMembersRequest) returns (ListMembersResponse) {
// All request parameters go into body.
option (google.api.http) = {
get: "/v0/groups/{id=*}/members/$ref"
};
}
}
message ListAccountsRequest {
@@ -139,12 +172,12 @@ message ListAccountsResponse {
}
message GetAccountRequest {
string account_id = 1;
string id = 1;
}
message CreateAccountRequest {
// The account id to use for this account
string account_id = 1;
string id = 1;
// The account resource to create
Account account = 2;
@@ -160,30 +193,301 @@ message UpdateAccountRequest {
}
message DeleteAccountRequest {
string account_id = 1;
string id = 1;
}
// Account follows the properties of the ms graph api user resuorce.
// See https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties
message Account {
// the non reassignable and stable account_id of an account
string account_id = 1;
// The identities that are mapped to this account
repeated Identities identities = 2; // keep track of every identity of a given user
// A freeform text entry field for the user to describe themselves.
string about_me = 1;
string username = 3;
string display_name = 4;
string mail = 5;
// TODO avatar needed? because the standard claims contain it or our own avatar service will use the accountid or email to look up the avatar
// *true* if the account is enabled; otherwise, *false*. This property is required when a user is created. Supports $filter.
bool account_enabled = 2;
repeated Group groups = 6;
// Sets the age group of the user. Allowed values: null, minor, notAdult and adult. Refer to the legal age group property definitions for further information.
string age_group = 3;
// The licenses that are assigned to the account. Not nullable.
repeated AssignedLicense assigned_licenses = 4;
// The plans that are assigned to the account. Read-only. Not nullable.
repeated AssignedPlan assigned_plans = 5;
// The birthday of the user.
google.protobuf.Timestamp birthday = 6;
// The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property.
repeated string business_phones = 7;
// The city in which the user is located. Supports $filter.
string city = 8;
// The company name which the user is associated. This property can be useful for describing the company that an external user comes from.
string company_name = 9;
// Sets whether consent has been obtained for minors. Allowed values: null, granted, denied and notRequired. Refer to the legal age group property definitions for further information.
string consent_provided_for_minor = 10;
// The country/region in which the user is located; for example, “US” or “UK”. Supports $filter.
string country = 11;
// The created date of the account object.
google.protobuf.Timestamp created_date_time = 12;
// Indicates whether the account was created as
// - a regular school or work account (null),
// - an external account (Invitation),
// - a local account for an Azure Active Directory B2C tenant (LocalAccount) or
// - self-service sign-up using email verification (EmailVerified). Read-only.
string creation_type = 13;
// The date and time the user was deleted. Returned only on $select.
google.protobuf.Timestamp deleted_date_time = 14;
// The name for the department in which the user works. Supports $filter.
string department = 15;
// The name displayed in the address book for the account.
// This is usually the combination of the user's first name, middle initial and last name.
// This property is required when a user is created and it cannot be cleared during updates.
// Supports $filter and $orderby.
string display_name = 16;
// The employee identifier assigned to the user by the organization. Supports $filter.
string employee_id = 17;
// For an external user invited to the tenant using the invitation API, this property represents the invited user's invitation status.
// For invited users, the state can be `PendingAcceptance` or `Accepted`, or emptystring / null for all other users.
// Returned only on $select. Supports $filter with the supported values. For example: $filter=externalUserState eq 'PendingAcceptance'.
string external_user_state = 18;
// Shows the timestamp for the latest change to the externalUserState property. Returned only on $select.
// note: in the ms graph beta this changed to a string ?!?
google.protobuf.Timestamp external_user_state_change_date_time = 19;
// The fax number of the account.
string fax_number = 20;
// The given name (first name) of the user. Supports $filter.
string given_name = 21;
// The hire date of the user.
google.protobuf.Timestamp hire_date = 22;
// The unique identifier for the user. Key. Not nullable. Non reassignable. Read-only.
string id = 23;
// Represents the identities that can be used to sign in to this user account.
// An identity can be provided by OCIS (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and is tied to an account.
// May contain multiple items with the same signInType value. Supports $filter.
repeated Identities identities = 24;
// The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user. Read-only.
repeated string im_addresses = 25;
// A list for the user to describe their interests.
repeated string interests = 26;
// *true* if the user is a resource account; otherwise, *false*. Null value should be considered false.
bool is_resource_account = 27;
// The users job title. Supports $filter.
string job_title = 28;
// The time when this account last changed their password.
google.protobuf.Timestamp last_password_change_date_time = 29;
// Used by enterprise applications to determine the legal age group of the user.
// This property is read-only and calculated based on `ageGroup` and `consentProvidedForMinor` properties.
// Allowed values: `null`, `minorWithOutParentalConsent`, `minorWithParentalConsent`, `minorNoParentalConsentRequired`, `notAdult` and `adult`.
// Refer to the legal age group property definitions for further information.)
string legal_age_group_classification = 30;
// State of license assignments for this user. Read-only.
// licenseAssignmentState collection licenseAssignmentStates = 31
// The SMTP address for the user, for example, "jeff@contoso.onmicrosoft.com". Read-Only. Supports $filter.
string mail = 32;
// Settings for the primary mailbox of the signed-in user. You can get or update settings for sending automatic replies to incoming messages, locale and time zone.
// mailboxSettings mailboxSettings = 33
// The mail alias for the user. This property must be specified when a user is created. Supports $filter.
string mail_nickname = 34;
// The primary cellular telephone number for the user.
string mobile_phone = 35;
// The URL for the user's personal site.
string my_site = 36;
// The office location in the user's place of business.
string office_location = 37;
// Contains the on-premises LDAP `distinguished name` or `DN`.
// The property is only populated for customers who are synchronizing their on-premises directory to ocis-accounts. Read-only.
string on_premises_distinguished_name = 38;
// Contains the on-premises `domainFQDN`, also called `dnsDomainName` synchronized from the on-premises directory
// The property is only populated for customers who are synchronizing their on-premises directory to ocis-accounts. Read-only.
string on_premises_domain_name = 39;
// Contains extensionAttributes 1-15 for the user. Note that the individual extension attributes are neither selectable nor filterable.
// For an onPremisesSyncEnabled user, this set of properties is mastered on-premises and is read-only.
// For a cloud-only user (where onPremisesSyncEnabled is false), these properties may be set during creation or update.
//onPremisesExtensionAttributes onPremisesExtensionAttributes = 40
// This property is used to associate an on-premises LDAP user to the ocis account object.
// This property must be specified when creating a new user account in the Graph if you are using a federated domain for the users userPrincipalName (UPN) property.
// Important: The $ and _ characters cannot be used when specifying this property. Supports $filter.
string on_premises_immutable_id = 41;
// Indicates the last time at which the object was synced with the on-premises directory; Read-only.
google.protobuf.Timestamp on_premises_last_sync_date_time = 42;
// Errors when using synchronization during provisioning.
repeated OnPremisesProvisioningError on_premises_provisioning_errors = 43;
// Contains the on-premises `samAccountName` synchronized from the on-premises directory.
// The property is only populated for customers who are synchronizing their on-premises directory to ocis-accounts. Read-only.
string on_premises_sam_account_name = 44;
// Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Read-only.
string on_premises_security_identifier = 45;
// *true* if this object is synced from an on-premises directory;
// *false* if this object was originally synced from an on-premises directory but is no longer synced;
// null if this object has never been synced from an on-premises directory (default). Read-only
bool on_premises_sync_enabled = 46;
// Contains the on-premises userPrincipalName synchronized from the on-premises directory.
// The property is only populated for customers who are synchronizing their on-premises directory to ocis-accounts. Read-only.
string on_premises_user_principal_name = 47;
// A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. Supports $filter.
// note: in ms graph v1.0 this is a string. in the beta api it is a string collection
repeated string other_mails = 48;
// Specifies password policies for the user. This value is an enumeration with one possible value being “DisableStrongPassword”, which allows weaker passwords than the default policy to be specified. “DisablePasswordExpiration” can also be specified. The two may be specified together; for example: "DisablePasswordExpiration, DisableStrongPassword".
string password_policies = 49;
// Specifies the password profile for the user. The profile contains the users password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required.
// passwordProfile passwordProfile = 50
// A list for the user to enumerate their past projects.
repeated string past_projects = 51;
// The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.
string postal_code = 52;
// The preferred data location for the user. For more information, see OneDrive Online Multi-Geo. https://docs.microsoft.com/sharepoint/dev/solution-guidance/multigeo-introduction string preferredDataLocation = 53;
string preferred_data_location = 53;
// The preferred language for the user. Should follow ISO 639-1 Code; for example "en-US".
string preferred_language = 54;
// The preferred name for the user.
string preferred_name = 55;
// The plans that are provisioned for the user. Read-only. Not nullable.
// repeated provisionedPlans provisionedPlans = 56
// For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]
// The any operator is required for filter expressions on multi-valued properties. Read-only, Not nullable. Supports $filter.
repeated string proxy_addresses = 57;
// Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get
// an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph).
// If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
// Returned only on $select. Read-only. Use invalidateAllRefreshTokens to reset.
google.protobuf.Timestamp refresh_tokens_valid_from_date_time = 58;
// A list for the user to enumerate their responsibilities.
repeated string responsibilities = 59;
// A list for the user to enumerate the schools they have attended.
repeated string schools = 60;
// *true* if the Outlook global address list should contain this user, otherwise *false*. If not set, this will be treated as *true*.
// For users invited through the invitation manager, this property will be set to *false*.
bool show_in_address_list = 61;
// Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get
// an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph).
// If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
// Read-only. Use revokeSignInSessions to reset.
google.protobuf.Timestamp sign_in_sessions_valid_from_date_time = 62;
// Get the last signed-in date and request ID of the sign-in for a given user.
// Supports $filter, but not with any other filterable properties.
// Returned only on $select. Read-only.
//signInActivity signInActivity = 63
// A list for the user to enumerate their skills.
repeated string skills = 64;
// The state or province in the user's address. Supports $filter
string state = 65;
// The street address of the user's place of business.
string street_address = 66;
// The user's surname (family name or last name). Supports $filter.
string surname = 67;
// A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: "US", "JP", and "GB". Not nullable. Supports $filter.
string usage_location = 68;
// The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822.
// By convention, this should map to the user's email name. The general format is alias@domain,
// where domain must be present in the tenants collection of verified domains.
// This property is required when a user is created. The verified domains for the tenant can be accessed
// from the verifiedDomains property of organization. Supports $filter and $orderby.
string user_principal_name = 69;
// A string value that can be used to classify user types in your directory, such as “Member” and “Guest”. Supports $filter.
string user_type = 70;
// Properties that are not part of the graph API:
// The users password. Used when updating the users password
// TODO: the username is stored as an identity?
string password = 71;
// relationships
// The groups, directory roles and administrative units that the user is a member of. Read-only. Nullable.
repeated Group memberOf = 100;
}
message Identities {
// Specifies the user sign-in types in your directory, such as `emailAddress`, `userName` or `federated`.
// Here, federated represents a unique identifier for a user from an issuer, that can be in any format chosen by the issuer.
// Additional validation is enforced on *issuerAssignedId* when the sign-in type is set to `emailAddress` or `userName`.
// This property can also be set to any custom string.
string sign_in_type = 1;
// Specifies the issuer of the identity, for example facebook.com.
// For local accounts (where signInType is not federated), this property is
// the local B2C tenant default domain name, for example contoso.onmicrosoft.com.
// For external users from other Azure AD organization, this will be the domain of
// the federated organization, for example contoso.com.
// Supports $filter. 512 character limit.
string issuer = 2;
// Specifies the unique identifier assigned to the user by the issuer. The combination of *issuer* and *issuerAssignedId* must be unique within the organization. Represents the sign-in name for the user, when signInType is set to emailAddress or userName (also known as local accounts).
// When *signInType* is set to:
// * `emailAddress`, (or starts with `emailAddress` like `emailAddress1`) *issuerAssignedId* must be a valid email address
// * `userName`, issuerAssignedId must be a valid local part of an email address
// Supports $filter. 512 character limit.
string issuer_assigned_id = 3;
}
// TODO additional user methods? https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#methods
message ListGroupsRequest {
// Optional. The maximum number of groups to return in the response
int32 page_size = 1 [(google.api.field_behavior) = OPTIONAL];
@@ -225,12 +529,12 @@ message ListGroupsResponse {
}
message GetGroupRequest {
string group_id = 1;
string id = 1;
}
message CreateGroupRequest {
// The group id to use for this group
string group_id = 1;
string id = 1;
// The account resource to create
Group group = 2;
@@ -246,14 +550,274 @@ message UpdateGroupRequest {
}
message DeleteGroupRequest {
string group_id = 1;
string id = 1;
}
message AddMemberRequest {
// The account id to add
string id = 1;
}
message RemoveMemberRequest {
// The account id to remove
// TODO id in the body indt in the url? not necessary ... use empty?
string id = 1;
}
message ListMembersRequest {
int32 page_size = 1 [(google.api.field_behavior) = OPTIONAL];
// Optional. A pagination token returned from a previous call to `Get`
// that indicates from where search should continue
string page_token = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. Search criteria used to select the groups to return.
// If no search criteria is specified then all groups will be
// returned
//
// TODO update query language
// Query expressions can be used to restrict results based upon
// the account properties where the operators `=`, `NOT`, `AND` and `OR`
// can be used along with the suffix wildcard symbol `*`.
//
// The string properties in a query expression should use escaped quotes
// for values that include whitespace to prevent unexpected behavior.
//
// Some example queries are:
//
// * Query `display_name=Th*` returns accounts whose display_name
// starts with "Th"
// * Query `display_name=\\"Test String\\"` returns groups with
// display names that include both "Test" and "String"
string query = 3 [(google.api.field_behavior) = OPTIONAL];
}
message ListMembersResponse {
// The field name should match the noun "members" in the method name. There
// will be a maximum number of items returned based on the page_size field
// in the request
repeated Account members = 1;
// Token to retrieve the next page of results, or empty if there are no
// more results in the list
string next_page_token = 2;
}
message Group {
// the non reassignable and stable group_id of a group
string group_id = 1;
// Indicates if people external to the organization can send messages to the group. Default value is false.
// Returned only on $select.
bool allow_external_senders = 1;
string groupname = 2;
// The list of sensitivity label pairs (label ID, label name) associated with an Office 365 group.
//Returned only on $select. Read-only.
repeated AssignedLabel assigned_labels = 2;
repeated Account accounts = 3;
// The licenses that are assigned to the group.
// Returned only on $select. Read-only.
repeated AssignedLicense assigned_licenses = 3;
// Indicates if new members added to the group will be auto-subscribed to receive email notifications. You can set this property in a PATCH request for the group; do not set it in the initial POST request that creates the group. Default value is false.
// Returned only on $select.
bool auto_subscribe_new_members = 4;
// Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition.
// Returned by default.
string classification = 5;
// App ID of the app used to create the group. Can be null for some groups.
// Returned by default. Read-only. Supports $filter.
string created_by_app_id = 6;
// Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created
// Returned by default. Read-only.
google.protobuf.Timestamp created_date_time = 7;
// For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
// Returned by default. Read-only.
google.protobuf.Timestamp deleted_date_time = 8;
// An optional description for the group. Returned by default.
string description = 9;
// The display name for the group. This property is required when a group is created and cannot be cleared during updates.
// Returned by default. Supports $filter and $orderby.
string display_name = 10;
// Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created.
// Returned by default. Read-only.
google.protobuf.Timestamp expiration_date_time = 11;
// Specifies the group type and its membership.
// If the collection contains `Unified` then the group is an Office 365 group; otherwise it's a security group.
// If the collection includes `DynamicMembership`, the group has dynamic membership; otherwise, membership is static.
// Returned by default. Supports $filter.
repeated string group_types = 12;
// Indicates whether there are members in this group that have license errors from its group-based license assignment.
// This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true).
bool has_members_with_license_errors = 13;
// True if the group is not displayed in certain parts of the Outlook user interface:
// in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups; false otherwise. Default value is false.
// Returned only on $select.
bool hide_from_address_lists = 14;
// True if the group is not displayed in Outlook clients, such as Outlook for Windows and Outlook on the web, false otherwise. Default value is false.
// Returned only on $select.
bool hide_from_outlook_clients = 15;
// The unique identifier for the group.
// Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only.
string id = 16;
// Indicates whether the signed-in user is subscribed to receive email conversations. Default value is true.
// Returned only on $select.
bool is_subscribed_by_mail = 17;
// Indicates status of the group license assignment to all members of the group.
// Possible values: `QueuedForProcessing`, `ProcessingInProgress`, and `ProcessingComplete`.
// Returned only on $select. Read-only.
string license_processing_state = 18;
// The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com".
// Returned by default. Read-only. Supports $filter.
string mail = 19;
// Specifies whether the group is mail-enabled.
// Returned by default.
bool mail_enabled = 20;
// The mail alias for the group, unique in the organization. This property must be specified when a group is created.
// Returned by default. Supports $filter.
string mail_nickname = 21;
// The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax.
// Returned by default.
string membership_rule = 22;
// Indicates whether the dynamic membership processing is on or paused. Possible values are "On" or "Paused".
// Returned by default.
string membership_rule_processing_state = 23;
// Contains the on-premises domain FQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
// Returned by default. Read-only.
string on_premises_domain_name = 24;
// Indicates the last time at which the group was synced with the on-premises directory.
// Returned by default. Read-only. Supports $filter.
string on_premises_last_sync_date_time = 25;
// Contains the on-premises netBios name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
// Returned by default. Read-only.
string on_premises_net_bios_name = 26;
// Errors when using synchronization during provisioning.
repeated OnPremisesProvisioningError on_premises_provisioning_errors = 27;
// Contains the on-premises `samAccountName` synchronized from the on-premises directory.
// The property is only populated for customers who are synchronizing their on-premises directory to ocis-accounts. Returned by default. Read-only.
string on_premises_sam_account_name = 28;
// Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. Returned by default. Read-only.
string on_premises_security_identifier = 29;
// *true* if this group is synced from an on-premises directory;
// *false* if this group was originally synced from an on-premises directory but is no longer synced;
// null if this object has never been synced from an on-premises directory (default).
// Returned by default. Read-only. Supports $filter.
bool on_premises_sync_enabled = 30;
// The preferred data location for the group. For more information, see OneDrive Online Multi-Geo. https://docs.microsoft.com/sharepoint/dev/solution-guidance/multigeo-introduction string preferredDataLocation = 53;
string preferred_data_location = 31;
// The preferred language for the user. Should follow ISO 639-1 Code; for example "en-US".
string preferred_language = 32;
// Email addresses for the group that direct to the same group mailbox.
// For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"].
// The any operator is required for filter expressions on multi-valued properties.
// Returned by default. Read-only. Not nullable. Supports $filter.
repeated string proxy_addresses = 33;
// Timestamp of when the group was last renewed.
// This cannot be modified directly and is only updated via the renew service action.
// Returned by default. Read-only.
google.protobuf.Timestamp renewed_date_time = 34;
// Specifies the group behaviors that can be set for an Office 365 group during creation. This can be set only as part of creation (POST). Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeNewGroupMembers`, `WelcomeEmailDisable`. For more information, see Set Microsoft 365 group behaviors and provisioning options. https://docs.microsoft.com/en-us/graph/group-set-options
repeated string resource_behavior_options = 35;
// Specifies the group resources that are provisioned as part of Office 365 group creation, that are not normally part of default group creation. Possible value is `Team`. For more information, see Set Microsoft 365 group behaviors and provisioning options. https://docs.microsoft.com/en-us/graph/group-set-options
repeated string resource_provisioning_options = 36;
// Specifies whether the group is a security group.
// Returned by default. Supports $filter.
bool security_enabled = 37;
// Security identifier of the group, used in Windows scenarios.
// Returned by default.
string security_identifier = 38;
// Specifies an Office 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red.
// Returned by default.
string theme = 39;
// Count of conversations that have been delivered one or more new posts since the signed-in user's last visit to the group. This property is the same as unseenCount.
// Returned only on $select.
//int unseenConversationsCount = 40;
// Count of conversations that have received new posts since the signed-in user last visited the group. This property is the same as unseenConversationsCount.
// Returned only on $select.
//int unseenCount = 41;
// Count of new posts that have been delivered to the group's conversations since the signed-in user's last visit to the group.
// Returned only on $select.
//int unseenMessagesCount = 42;
// Specifies the visibility of an Office 365 group. Possible values are: Private, Public, or Hiddenmembership; blank values are treated as public. See group visibility options to learn more.
// Visibility can be set only when a group is created; it is not editable.
// Visibility is supported only for unified groups; it is not supported for security groups.
// Returned by default.
string visibility = 43;
// relationships
// Users, contacts, and groups that are members of this group. HTTP Methods: GET (supported for all groups), POST (supported for security groups and mail-enabled security groups), DELETE (supported only for security groups) Read-only. Nullable.
// TODO accounts (users) only for now, we can add groups with the dedicated message using oneof construct later
repeated Account members = 100;
}
message AssignedLabel {
// The unique identifier of the label.
string label_id = 1;
// The display name of the label. Read-only.
string display_name = 2;
}
message AssignedLicense {
string sku_id = 1;
repeated string disabled_plans = 2;
}
message AssignedPlan {
// The date and time at which the plan was assigned; for example: 2013-01-02T19:32:30Z. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'
google.protobuf.Timestamp assigned_date_time = 1;
// For example, “Enabled”.
string capabilityStatus = 2;
// The name of the service; for example, “Exchange”.
string service = 3;
// A GUID that identifies the service plan.
string servicePlanId = 4;
}
message OnPremisesProvisioningError {
// Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
string category = 1;
// The date and time at which the error occurred.
google.protobuf.Timestamp occurred_date_time = 2;
// Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
string property_causing_error = 3;
// Value of the property causing the error.
string value = 4;
}
pkg/service/v0/service.go
+122 -13
View File
@@ -5,6 +5,7 @@ import (
"crypto/tls"
"errors"
"fmt"
"regexp"
"github.com/CiscoM31/godata"
"github.com/golang/protobuf/ptypes/empty"
@@ -32,10 +33,84 @@ type Service struct {
Config *config.Config
}
func (s Service) getBoundConnection(binddn string, password string) (l *ldap.Conn, err error) {
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", s.Config.LDAP.Hostname, s.Config.LDAP.Port), &tls.Config{InsecureSkipVerify: true})
if err != nil {
return nil, err
}
err = l.Bind(binddn, password)
if err != nil {
l.Close()
return nil, err
}
return
}
func (s Service) lookupDN(username string) (binddn string, err error) {
l, err := s.getBoundConnection(s.Config.LDAP.BindDN, s.Config.LDAP.BindPassword)
if err != nil {
return "", err
}
defer l.Close()
filter := fmt.Sprintf("(%s=%s)", s.Config.LDAP.Schema.Username, ldap.EscapeFilter(username))
// Search for the given username
searchRequest := ldap.NewSearchRequest(
s.Config.LDAP.BaseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
filter,
[]string{"dn"},
nil,
)
sr, err := l.Search(searchRequest)
if err != nil {
return "", err
}
switch len(sr.Entries) {
case 0: // TODO return not found error
case 1:
return sr.Entries[0].DN, nil
default: // TODO return too many results error?
}
return "", fmt.Errorf("dn not found for %s", filter)
}
// the auth request is currently hardcoded and has to macth this regex
// userName eq \"teddy\" and password eq \"F&1!b90t111!\"
var authQuery = regexp.MustCompile(`^username eq '(.*)' and password eq '(.*)'$`) // TODO how is ' escaped in the password?
// ListAccounts implements the AccountsServiceHandler interface
// the query contains account properties
// TODO id vs onpremiseimmutableid
func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest, res *proto.ListAccountsResponse) (err error) {
log.Debug().Str("query", in.Query).Int32("page-size", in.PageSize).Str("page-token", in.PageToken).Msg("ListAccounts")
var binddn string
var password string
// check if this looks like an auth request
match := authQuery.FindStringSubmatch(in.Query)
if len(match) == 3 {
binddn, err = s.lookupDN(match[1])
if err != nil {
log.Error().Err(err).Msg("ListAccounts with auth request")
return
}
log.Debug().Str("username", match[1]).Str("binddn", binddn).Msg("ListAccounts with auth request")
password = match[2]
// remove password from query
in.Query = fmt.Sprintf("username eq '%s'", match[1])
} else {
log.Debug().Str("query", in.Query).Int32("page-size", in.PageSize).Str("page-token", in.PageToken).Msg("ListAccounts")
binddn = s.Config.LDAP.BindDN
password = s.Config.LDAP.BindPassword
}
filter := "(&)" // see Absolute True and False Filters in https://tools.ietf.org/html/rfc4526#section-2
@@ -43,31 +118,25 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest
// parse the query like an odata filter
var q *godata.GoDataFilterQuery
if q, err = godata.ParseFilterString(in.Query); err != nil {
return err
return
}
// convert to ldap filter
filter, err = provider.BuildLDAPFilter(q, &s.Config.LDAP.Schema)
if err != nil {
return err
return
}
}
log.Debug().Str("filter", filter).Msg("using filter")
var l *ldap.Conn
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", s.Config.LDAP.Hostname, s.Config.LDAP.Port), &tls.Config{InsecureSkipVerify: true})
l, err = s.getBoundConnection(binddn, password)
if err != nil {
return err
return
}
defer l.Close()
// First bind with a read only user
err = l.Bind(s.Config.LDAP.BindDN, s.Config.LDAP.BindPassword)
if err != nil {
return err
}
// TODO combine the parsed query with a query filter from the config, eg. fmt.Sprintf(s.Config.LDAP.UserFilter, clientID)
// Search for the given clientID
@@ -89,8 +158,9 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest
res.Accounts = make([]*proto.Account, 0)
for i := range sr.Entries {
res.Accounts = append(res.Accounts, &proto.Account{
AccountId: sr.Entries[i].GetAttributeValue(s.Config.LDAP.Schema.AccountID),
Id: sr.Entries[i].GetAttributeValue(s.Config.LDAP.Schema.AccountID),
// TODO identities
// TODO Username is in the identities ... or in onpremisesamaccountname or in preferredname ...
Username: sr.Entries[i].GetAttributeValue(s.Config.LDAP.Schema.Username),
DisplayName: sr.Entries[i].GetAttributeValue(s.Config.LDAP.Schema.DisplayName),
Mail: sr.Entries[i].GetAttributeValue(s.Config.LDAP.Schema.Mail),
@@ -103,7 +173,46 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest
// GetAccount implements the AccountsServiceHandler interface
func (s Service) GetAccount(c context.Context, req *proto.GetAccountRequest, res *proto.Account) (err error) {
return errors.New("not implemented")
l, err := s.getBoundConnection(s.Config.LDAP.BindDN, s.Config.LDAP.BindPassword)
if err != nil {
return err
}
defer l.Close()
// TODO combine the parsed query with a query filter from the config, eg. fmt.Sprintf(s.Config.LDAP.UserFilter, clientID)
filter := fmt.Sprintf("(%s=%s)", s.Config.LDAP.Schema.AccountID, ldap.EscapeFilter(req.Id))
// Search for the given clientID
searchRequest := ldap.NewSearchRequest(
s.Config.LDAP.BaseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
filter,
[]string{"dn", s.Config.LDAP.Schema.AccountID, s.Config.LDAP.Schema.Username, s.Config.LDAP.Schema.DisplayName, s.Config.LDAP.Schema.Mail, s.Config.LDAP.Schema.Groups}, // TODO Groups, Identities?
nil,
)
sr, err := l.Search(searchRequest)
if err != nil {
return err
}
log.Debug().Interface("entries", sr.Entries).Msg("entries")
switch len(sr.Entries) {
case 0: // TODO return not found error
case 1:
res.Id = sr.Entries[0].GetAttributeValue(s.Config.LDAP.Schema.AccountID)
// TODO identities?
// TODO Username is in the identities ... or in onpremisesamaccountname or in preferredname ...
res.Username = sr.Entries[0].GetAttributeValue(s.Config.LDAP.Schema.Username)
res.DisplayName = sr.Entries[0].GetAttributeValue(s.Config.LDAP.Schema.DisplayName)
res.Mail = sr.Entries[0].GetAttributeValue(s.Config.LDAP.Schema.Mail)
// TODO groups
default: // TODO return too many results error?
}
return nil
}
// CreateAccount implements the AccountsServiceHandler interface
third_party/google/protobuf/timestamp.proto
Vendored
+138
View File
@@ -0,0 +1,138 @@
// Protocol Buffers - Google's data interchange format
// Copyright 2008 Google Inc. All rights reserved.
// https://developers.google.com/protocol-buffers/
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
syntax = "proto3";
package google.protobuf;
option csharp_namespace = "Google.Protobuf.WellKnownTypes";
option cc_enable_arenas = true;
option go_package = "github.com/golang/protobuf/ptypes/timestamp";
option java_package = "com.google.protobuf";
option java_outer_classname = "TimestampProto";
option java_multiple_files = true;
option objc_class_prefix = "GPB";
// A Timestamp represents a point in time independent of any time zone or local
// calendar, encoded as a count of seconds and fractions of seconds at
// nanosecond resolution. The count is relative to an epoch at UTC midnight on
// January 1, 1970, in the proleptic Gregorian calendar which extends the
// Gregorian calendar backwards to year one.
//
// All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap
// second table is needed for interpretation, using a [24-hour linear
// smear](https://developers.google.com/time/smear).
//
// The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By
// restricting to that range, we ensure that we can convert to and from [RFC
// 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings.
//
// # Examples
//
// Example 1: Compute Timestamp from POSIX `time()`.
//
// Timestamp timestamp;
// timestamp.set_seconds(time(NULL));
// timestamp.set_nanos(0);
//
// Example 2: Compute Timestamp from POSIX `gettimeofday()`.
//
// struct timeval tv;
// gettimeofday(&tv, NULL);
//
// Timestamp timestamp;
// timestamp.set_seconds(tv.tv_sec);
// timestamp.set_nanos(tv.tv_usec * 1000);
//
// Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`.
//
// FILETIME ft;
// GetSystemTimeAsFileTime(&ft);
// UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
//
// // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z
// // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z.
// Timestamp timestamp;
// timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL));
// timestamp.set_nanos((INT32) ((ticks % 10000000) * 100));
//
// Example 4: Compute Timestamp from Java `System.currentTimeMillis()`.
//
// long millis = System.currentTimeMillis();
//
// Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000)
// .setNanos((int) ((millis % 1000) * 1000000)).build();
//
//
// Example 5: Compute Timestamp from current time in Python.
//
// timestamp = Timestamp()
// timestamp.GetCurrentTime()
//
// # JSON Mapping
//
// In JSON format, the Timestamp type is encoded as a string in the
// [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the
// format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z"
// where {year} is always expressed using four digits while {month}, {day},
// {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional
// seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution),
// are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone
// is required. A proto3 JSON serializer should always use UTC (as indicated by
// "Z") when printing the Timestamp type and a proto3 JSON parser should be
// able to accept both UTC and other timezones (as indicated by an offset).
//
// For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past
// 01:30 UTC on January 15, 2017.
//
// In JavaScript, one can convert a Date object to this format using the
// standard
// [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString)
// method. In Python, a standard `datetime.datetime` object can be converted
// to this format using
// [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with
// the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use
// the Joda Time's [`ISODateTimeFormat.dateTime()`](
// http://www.joda.org/joda-time/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime%2D%2D
// ) to obtain a formatter capable of generating timestamps in this format.
//
//
message Timestamp {
// Represents seconds of UTC time since Unix epoch
// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
// 9999-12-31T23:59:59Z inclusive.
int64 seconds = 1;
// Non-negative fractions of a second at nanosecond resolution. Negative
// second values with fractions must still have non-negative nanos values
// that count forward in time. Must be from 0 to 999,999,999
// inclusive.
int32 nanos = 2;
}