Merge branch 'master' into ocis-init

.drone.star

@@ -81,11 +81,11 @@ config = {
         "earlyFail": True,
     },
     "accountsUITests": {
-        "skip": False,
+        "skip": True,
         "earlyFail": True,
     },
     "settingsUITests": {
-        "skip": False,
+        "skip": True,
         "earlyFail": True,
     },
     "parallelApiTests": {
@@ -111,7 +111,7 @@ config = {
         },
     },
     "graphApiTests": {
-        "skip": False,
+        "skip": True,
         "earlyFali": False,
         "numberOfParts": 10,
         "skipExceptParts": [],
@@ -505,6 +505,9 @@ def localApiTests(ctx, storage, suite, accounts_hash_difficulty = 4):
                 "name": "localApiTests-%s-%s" % (suite, storage),
                 "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
                 "environment": {
+                    "TEST_WITH_GRAPH_API": "true",
+                    "PATH_TO_OCIS": "/drone/src",
+                    "PATH_TO_CORE": "/srv/app/testrunner",
                     "TEST_SERVER_URL": "https://ocis-server:9200",
                     "OCIS_REVA_DATA_ROOT": "%s" % ("/srv/app/tmp/ocis/owncloud/data/" if storage == "owncloud" else ""),
                     "SKELETON_DIR": "/srv/app/tmp/testing/data/apiSkeleton",
@@ -513,8 +516,7 @@ def localApiTests(ctx, storage, suite, accounts_hash_difficulty = 4):
                     "SEND_SCENARIO_LINE_REFERENCES": "true",
                     "STORAGE_DRIVER": storage,
                     "BEHAT_SUITE": suite,
-                    "BEHAT_FILTER_TAGS": "~@skip&&~@skipOnOcis-%s-Storage" % ("OC" if storage == "owncloud" else "OCIS"),
+                    "BEHAT_FILTER_TAGS": "~@skip&&~@skipOnGraph&&~@skipOnOcis-%s-Storage" % ("OC" if storage == "owncloud" else "OCIS"),
-                    "PATH_TO_CORE": "/srv/app/testrunner",
                     "EXPECTED_FAILURES_FILE": "/drone/src/tests/acceptance/expected-failures-localAPI-on-%s-storage.md" % (storage.upper()),
                     "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
                 },
@@ -570,6 +572,8 @@ def cs3ApiTests(ctx, storage, accounts_hash_difficulty = 4):
 
 def coreApiTests(ctx, part_number = 1, number_of_parts = 1, storage = "ocis", accounts_hash_difficulty = 4):
     early_fail = config["apiTests"]["earlyFail"] if "earlyFail" in config["apiTests"] else False
+    filterTags = "~@skipOnGraph&&~@skipOnOcis&&~@notToImplementOnOCIS&&~@toImplementOnOCIS&&~comments-app-required&&~@federation-app-required&&~@notifications-app-required&&~systemtags-app-required&&~@local_storage&&~@skipOnOcis-%s-Storage&&~@issue-ocis-3023" % ("OC" if storage == "owncloud" else "OCIS")
+    expectedFailuresFile = "/drone/src/tests/acceptance/expected-failures-graphAPI-on-%s-storage.md" % (storage.upper())
 
     return {
         "kind": "pipeline",
@@ -586,6 +590,9 @@ def coreApiTests(ctx, part_number = 1, number_of_parts = 1, storage = "ocis", ac
                 "name": "oC10ApiTests-%s-storage-%s" % (storage, part_number),
                 "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
                 "environment": {
+                    "TEST_WITH_GRAPH_API": "true",
+                    "PATH_TO_OCIS": "/drone/src",
+                    "PATH_TO_CORE": "/srv/app/testrunner",
                     "TEST_SERVER_URL": "https://ocis-server:9200",
                     "OCIS_REVA_DATA_ROOT": "%s" % ("/srv/app/tmp/ocis/owncloud/data/" if storage == "owncloud" else ""),
                     "SKELETON_DIR": "/srv/app/tmp/testing/data/apiSkeleton",
@@ -593,10 +600,10 @@ def coreApiTests(ctx, part_number = 1, number_of_parts = 1, storage = "ocis", ac
                     "TEST_OCIS": "true",
                     "SEND_SCENARIO_LINE_REFERENCES": "true",
                     "STORAGE_DRIVER": storage,
-                    "BEHAT_FILTER_TAGS": "~@skipOnOcis&&~@notToImplementOnOCIS&&~@toImplementOnOCIS&&~comments-app-required&&~@federation-app-required&&~@notifications-app-required&&~systemtags-app-required&&~@local_storage&&~@skipOnOcis-%s-Storage&&~@issue-ocis-3023" % ("OC" if storage == "owncloud" else "OCIS"),
+                    "BEHAT_FILTER_TAGS": filterTags,
                     "DIVIDE_INTO_NUM_PARTS": number_of_parts,
                     "RUN_PART": part_number,
-                    "EXPECTED_FAILURES_FILE": "/drone/src/tests/acceptance/expected-failures-API-on-%s-storage.md" % (storage.upper()),
+                    "EXPECTED_FAILURES_FILE": expectedFailuresFile,
                     "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
                 },
                 "commands": [
@@ -691,7 +698,7 @@ def uiTestPipeline(ctx, filterTags, early_fail, runPart = 1, numberOfParts = 1,
             "arch": "amd64",
         },
         "steps": skipIfUnchanged(ctx, "acceptance-tests") + restoreBuildArtifactCache(ctx, "ocis-binary-amd64", "ocis/bin/ocis") +
-                 ocisServer(storage, accounts_hash_difficulty, [stepVolumeOC10Tests]) + waitForSeleniumService() + waitForMiddlewareService() + [
+                 ocisServerWithAccounts(storage, accounts_hash_difficulty, [stepVolumeOC10Tests]) + waitForSeleniumService() + waitForMiddlewareService() + [
             {
                 "name": "webUITests",
                 "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
@@ -1622,40 +1629,50 @@ def notify(ctx):
         },
     }
 
-def ocisServerWithIdp():
+def ocisServerWithAccounts(storage, accounts_hash_difficulty = 4, volumes = [], depends_on = []):
     environment = {
-        "GRAPH_IDENTITY_BACKEND": "ldap",
+        "GRAPH_IDENTITY_BACKEND": "cs3",
-        "GRAPH_LDAP_SERVER_WRITE_ENABLED": "true",
+        "GRAPH_LDAP_SERVER_WRITE_ENABLED": "false",
-        "LDAP_URI": "ldaps://0.0.0.0:9235",
+        "LDAP_URI": "ldaps://0.0.0.0:9126",
         "LDAP_INSECURE": "true",
-        "GRAPH_LDAP_BIND_DN": "uid=libregraph,ou=sysusers,o=libregraph-idm",
+        "LDAP_BIND_DN": "cn=admin,dc=ocis,dc=test",
-        "GRAPH_LDAP_BIND_PASSWORD": "idm",
+        "LDAP_BIND_PASSWORD": "admin",
-        "LDAP_USER_BASE_DN": "ou=users,o=libregraph-idm",
+        "LDAP_USER_BASE_DN": "dc=ocis,dc=test",
         "LDAP_USER_SCHEMA_ID": "ownclouduuid",
         "LDAP_USER_SCHEMA_MAIL": "mail",
-        "LDAP_USER_SCHEMA_USERNAME": "uid",
+        "LDAP_USER_SCHEMA_USERNAME": "cn",
-        "LDAP_USER_OBJECTCLASS": "inetOrgPerson",
+        "LDAP_USER_OBJECTCLASS": "posixAccount",
-        "LDAP_GROUP_BASE_DN": "ou=groups,o=libregraph-idm",
+        "LDAP_GROUP_BASE_DN": "dc=ocis,dc=test",
-        "LDAP_GROUP_SCHEMA_ID": "ownclouduuid",
+        "LDAP_GROUP_SCHEMA_ID": "cn",
         "LDAP_GROUP_SCHEMA_MAIL": "mail",
         "LDAP_GROUP_SCHEMA_GROUPNAME": "cn",
-        "LDAP_GROUP_SCHEMA_MEMBER": "member",
+        "LDAP_GROUP_SCHEMA_MEMBER": "cn",
-        "LDAP_GROUP_OBJECTCLASS": "groupOfNames",
+        "LDAP_GROUP_OBJECTCLASS": "posixGroup",
-        "IDP_INSECURE": "true",
+        "IDP_LDAP_BIND_DN": "cn=admin,dc=ocis,dc=test",
-        "IDP_LDAP_BIND_DN": "uid=idp,ou=sysusers,o=libregraph-idm",
+        "LDAP_CACERT": "/root/.ocis/ldap/ldap.crt",
-        "IDP_LDAP_BIND_PASSWORD": "idp",
+        "IDP_LDAP_BIND_PASSWORD": "admin",
-        "IDP_LDAP_BASE_DN": "ou=users,o=libregraph-idm",
         "IDP_LDAP_LOGIN_ATTRIBUTE": "uid",
-        "PROXY_ACCOUNT_BACKEND_TYPE": "cs3",
+        "PROXY_ACCOUNT_BACKEND_TYPE": "accounts",
-        "PROXY_ENABLE_BASIC_AUTH": "true",
+        "OCS_ACCOUNT_BACKEND_TYPE": "accounts",
-        "LDAP_BIND_DN": "uid=reva,ou=sysusers,o=libregraph-idm",
+        "OCIS_RUN_EXTENSIONS": "settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,idp,nats,accounts,glauth,ocdav",
-        "LDAP_BIND_PASSWORD": "reva",
-        "OCS_ACCOUNT_BACKEND_TYPE": "cs3",
-        "OCIS_RUN_EXTENSIONS": "settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,idp,nats,idm,ocdav",
-        "OCIS_LOG_LEVEL": "error",
         "OCIS_INSECURE": "true",
+        "PROXY_ENABLE_BASIC_AUTH": "true",
+        "IDP_INSECURE": "true",
+        "OCIS_LOG_LEVEL": "error",
         "OCIS_URL": "https://ocis-server:9200",
+        "ACCOUNTS_DEMO_USERS_AND_GROUPS": True,
+        "STORAGE_HOME_DRIVER": "%s" % (storage),
+        "STORAGE_USERS_DRIVER": "%s" % (storage),
+        "WEB_UI_CONFIG": "/drone/src/tests/config/drone/ocis-config.json",
     }
+
+    # Pass in "default" accounts_hash_difficulty to not set this environment variable.
+    # That will allow OCIS to use whatever its built-in default is.
+    # Otherwise pass in a value from 4 to about 11 or 12 (default 4, for making regular tests fast)
+    # The high values cause lots of CPU to be used when hashing passwords, and really slow down the tests.
+    if (accounts_hash_difficulty != "default"):
+        environment["ACCOUNTS_HASH_DIFFICULTY"] = accounts_hash_difficulty
+
     return [
         {
             "name": "ocis-server",
@@ -1665,16 +1682,16 @@ def ocisServerWithIdp():
             "commands": [
                 "ocis/bin/ocis server",
             ],
-            "volumes": [stepVolumeOC10Tests],
+            "volumes": volumes,
-            "depends_on": [],
+            "depends_on": depends_on,
         },
         {
             "name": "wait-for-ocis-server",
-            "image": OC_CI_WAIT_FOR,
+            "image": OC_CI_ALPINE,
             "commands": [
-                "wait-for -it ocis-server:9200 -t 300",
+                "curl -k -u admin:admin --fail --retry-connrefused --retry 10 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/ddc2004c-0977-11eb-9d3f-a793888cd0f8'",
             ],
-            "depends_on": [],
+            "depends_on": depends_on,
         },
     ]
 
@@ -1696,7 +1713,6 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
             "OCIS_LOG_LEVEL": "error",
             "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
             "OCIS_INSECURE": "true",
-            "ACCOUNTS_DEMO_USERS_AND_GROUPS": True,  # deprecated, remove after switching to LibreIDM
             "IDM_CREATE_DEMO_USERS": True,
         }
         wait_for_ocis = {
@@ -1710,6 +1726,8 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
     else:
         user = "33:33"
         environment = {
+            "GRAPH_IDENTITY_BACKEND": "cs3",
+            "GRAPH_LDAP_SERVER_WRITE_ENABLED": "false",
             # Keycloak IDP specific configuration
             "PROXY_OIDC_ISSUER": "https://keycloak/auth/realms/owncloud",
             "LDAP_IDP": "https://keycloak/auth/realms/owncloud",
@@ -1781,6 +1799,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
             "OCIS_MACHINE_AUTH_API_KEY": "change-me-please",
             "OCIS_INSECURE": "true",
             "PROXY_ENABLE_BASIC_AUTH": "true",
+            "IDM_CREATE_DEMO_USERS": True,
         }
         wait_for_ocis = {
             "name": "wait-for-ocis-server",
@@ -2508,7 +2527,7 @@ def graphApiTests(ctx, part_number = 1, number_of_parts = 1):
         },
         "steps": skipIfUnchanged(ctx, "acceptance-tests") +
                  restoreBuildArtifactCache(ctx, "ocis-binary-amd64", "ocis/bin/ocis") +
-                 ocisServerWithIdp() +
+                 ocisServer() +
                  cloneCoreRepos() + [
             {
                 "name": "Graph-oC10ApiTests-%s-storage-%s" % (storage, part_number),

CHANGELOG.md

@@ -7,6 +7,7 @@ The following sections list the changes for unreleased.
 ## Summary
 
 * Bugfix - Return proper errors when ocs/cloud/users is using the cs3 backend: [#3483](https://github.com/owncloud/ocis/issues/3483)
+* Bugfix - URL encode the webdav url in the graph API: [#3597](https://github.com/owncloud/ocis/pull/3597)
 * Change - Load configuration files just from one directory: [#3587](https://github.com/owncloud/ocis/pull/3587)
 * Enhancement - Add capability for public link single file edit: [#6787](https://github.com/owncloud/web/pull/6787)
 * Enhancement - Update linkshare capabilities: [#3579](https://github.com/owncloud/ocis/pull/3579)
@@ -21,6 +22,14 @@ The following sections list the changes for unreleased.
 
    https://github.com/owncloud/ocis/issues/3483
 
+* Bugfix - URL encode the webdav url in the graph API: [#3597](https://github.com/owncloud/ocis/pull/3597)
+
+   Fixed the webdav URL in the drives responses. Without encoding the URL could be broken by files
+   with spaces in the file name.
+
+   https://github.com/owncloud/ocis/issues/3538
+   https://github.com/owncloud/ocis/pull/3597
+
 * Change - Load configuration files just from one directory: [#3587](https://github.com/owncloud/ocis/pull/3587)
 
    We've changed the configuration file loading behavior and are now only loading configuration
@@ -58,6 +67,7 @@ The following sections list the changes for unreleased.
 
    https://github.com/owncloud/ocis/pull/3552
    https://github.com/owncloud/ocis/pull/3570
+   https://github.com/owncloud/ocis/pull/3601
 # Changelog for [1.20.0] (2022-04-13)
 
 The following sections list the changes for 1.20.0.

changelog/unreleased/update-reva.md

@@ -6,3 +6,4 @@ Updated reva to version 2.x.x. This update includes:
 
 https://github.com/owncloud/ocis/pull/3552
 https://github.com/owncloud/ocis/pull/3570
+https://github.com/owncloud/ocis/pull/3601

changelog/unreleased/urlencoding-graph-api.md

@@ -0,0 +1,6 @@
+Bugfix: URL encode the webdav url in the graph API
+
+Fixed the webdav URL in the drives responses. Without encoding the URL could be broken by files with spaces in the file name.
+
+https://github.com/owncloud/ocis/pull/3597
+https://github.com/owncloud/ocis/issues/3538

docs/ocis/deployment/oc10_ocis_parallel.md

@@ -154,7 +154,7 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
 
 ```
 127.0.0.1 cloud.owncloud.test

docs/ocis/deployment/ocis_hello.md

@@ -113,7 +113,7 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
 
 ```
 127.0.0.1 ocis.owncloud.test

docs/ocis/deployment/ocis_individual_services.md

@@ -108,7 +108,8 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
+
 ```
 127.0.0.1 ocis.owncloud.test
 127.0.0.1 traefik.owncloud.test

docs/ocis/deployment/ocis_keycloak.md

@@ -129,7 +129,8 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
+
 ```
 127.0.0.1 ocis.owncloud.test
 127.0.0.1 traefik.owncloud.test

docs/ocis/deployment/ocis_ldap.md

@@ -113,7 +113,7 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
 
 ```
 127.0.0.1 cloud.owncloud.test

docs/ocis/deployment/ocis_s3.md

@@ -125,7 +125,8 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
+
 ```
 127.0.0.1 ocis.owncloud.test
 127.0.0.1 traefik.owncloud.test

docs/ocis/deployment/ocis_traefik.md

@@ -103,7 +103,8 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
+
 ```
 127.0.0.1 ocis.owncloud.test
 127.0.0.1 traefik.owncloud.test

docs/ocis/deployment/ocis_wopi.md

@@ -159,7 +159,8 @@ For a more simple local ocis setup see [Getting started]({{< ref "../getting-sta
 
 This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
 
-On Linux and macOS you can add them to your `/etc/hosts` files like this:
+On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this:
+
 ```
 127.0.0.1 ocis.owncloud.test
 127.0.0.1 traefik.owncloud.test

extensions/auth-basic/pkg/command/command.go

@@ -197,6 +197,8 @@ func ldapConfigFromString(cfg config.LDAPProvider) map[string]interface{} {
 		"group_base_dn":     cfg.GroupBaseDN,
 		"user_filter":       cfg.UserFilter,
 		"group_filter":      cfg.GroupFilter,
+		"user_scope":        cfg.UserScope,
+		"group_scope":       cfg.GroupScope,
 		"user_objectclass":  cfg.UserObjectClass,
 		"group_objectclass": cfg.GroupObjectClass,
 		"login_attributes":  cfg.LoginAttributes,

extensions/auth-basic/pkg/config/config.go

@@ -67,6 +67,8 @@ type LDAPProvider struct {
 	BindPassword     string   `env:"LDAP_BIND_PASSWORD;AUTH_BASIC_LDAP_BIND_PASSWORD"`
 	UserBaseDN       string   `env:"LDAP_USER_BASE_DN;AUTH_BASIC_LDAP_USER_BASE_DN"`
 	GroupBaseDN      string   `env:"LDAP_GROUP_BASE_DN;AUTH_BASIC_LDAP_GROUP_BASE_DN"`
+	UserScope        string   `env:"LDAP_USER_SCOPE;AUTH_BASIC_LDAP_USER_SCOPE"`
+	GroupScope       string   `env:"LDAP_GROUP_SCOPE;AUTH_BASIC_LDAP_GROUP_SCOPE"`
 	UserFilter       string   `env:"LDAP_USERFILTER;AUTH_BASIC_LDAP_USERFILTER"`
 	GroupFilter      string   `env:"LDAP_GROUPFILTER;AUTH_BASIC_LDAP_USERFILTER"`
 	UserObjectClass  string   `env:"LDAP_USER_OBJECTCLASS;AUTH_BASIC_LDAP_USER_OBJECTCLASS"`

extensions/auth-basic/pkg/config/defaults/defaultconfig.go

@@ -36,31 +36,33 @@ func DefaultConfig() *config.Config {
 		AuthProvider: "ldap",
 		AuthProviders: config.AuthProviders{
 			LDAP: config.LDAPProvider{
-				URI:              "ldaps://localhost:9126",
+				URI:              "ldaps://localhost:9235",
-				CACert:           filepath.Join(defaults.BaseDataPath(), "ldap", "ldap.crt"),
+				CACert:           filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 				Insecure:         false,
-				UserBaseDN:       "dc=ocis,dc=test",
+				UserBaseDN:       "ou=users,o=libregraph-idm",
-				GroupBaseDN:      "dc=ocis,dc=test",
+				GroupBaseDN:      "ou=groups,o=libregraph-idm",
-				LoginAttributes:  []string{"cn", "mail"},
+				UserScope:        "sub",
+				GroupScope:       "sub",
+				LoginAttributes:  []string{"uid", "mail"},
 				UserFilter:       "",
 				GroupFilter:      "",
-				UserObjectClass:  "posixAccount",
+				UserObjectClass:  "inetOrgPerson",
-				GroupObjectClass: "posixGroup",
+				GroupObjectClass: "groupOfNames",
-				BindDN:           "cn=reva,ou=sysusers,dc=ocis,dc=test",
+				BindDN:           "uid=reva,ou=sysusers,o=libregraph-idm",
 				BindPassword:     "reva",
 				IDP:              "https://localhost:9200",
 				UserSchema: config.LDAPUserSchema{
 					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "displayname",
-					Username:    "cn",
+					Username:    "uid",
 				},
 				GroupSchema: config.LDAPGroupSchema{
-					ID:          "cn",
+					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "cn",
 					Groupname:   "cn",
-					Member:      "cn",
+					Member:      "member",
 				},
 			},
 			JSON: config.JSONProvider{},

extensions/graph/pkg/config/defaults/defaultconfig.go

@@ -30,15 +30,15 @@ func DefaultConfig() *config.Config {
 			Insecure:     false,
 		},
 		Identity: config.Identity{
-			Backend: "cs3",
+			Backend: "ldap",
 			LDAP: config.LDAP{
-				URI:                      "ldap://localhost:9125",
+				URI:                      "ldaps://localhost:9235",
-				Insecure:                 false,
+				Insecure:                 true,
-				BindDN:                   "",
+				BindDN:                   "uid=libregraph,ou=sysusers,o=libregraph-idm",
-				BindPassword:             "",
+				BindPassword:             "idm",
 				UseServerUUID:            false,
-				WriteEnabled:             false,
+				WriteEnabled:             true,
-				UserBaseDN:               "ou=users,dc=ocis,dc=test",
+				UserBaseDN:               "ou=users,o=libregraph-idm",
 				UserSearchScope:          "sub",
 				UserFilter:               "",
 				UserObjectClass:          "inetOrgPerson",
@@ -48,7 +48,7 @@ func DefaultConfig() *config.Config {
 				// FIXME: switch this to some more widely available attribute by default
 				//        ideally this needs to	be constant for the lifetime of a users
 				UserIDAttribute:    "owncloudUUID",
-				GroupBaseDN:        "ou=groups,dc=ocis,dc=test",
+				GroupBaseDN:        "ou=groups,o=libregraph-idm",
 				GroupSearchScope:   "sub",
 				GroupFilter:        "",
 				GroupObjectClass:   "groupOfNames",

extensions/graph/pkg/service/v0/driveitems.go

@@ -77,11 +77,11 @@ func (g Graph) GetRootDriveChildren(w http.ResponseWriter, r *http.Request) {
 	render.JSON(w, r, &listResponse{Value: files})
 }
 
-func (g Graph) getDriveItem(ctx context.Context, root *storageprovider.ResourceId) (*libregraph.DriveItem, error) {
+func (g Graph) getDriveItem(ctx context.Context, root storageprovider.ResourceId) (*libregraph.DriveItem, error) {
 	client := g.GetGatewayClient()
 
 	ref := &storageprovider.Reference{
-		ResourceId: root,
+		ResourceId: &root,
 	}
 	res, err := client.Stat(ctx, &storageprovider.StatRequest{Ref: ref})
 	if err != nil {
@@ -196,18 +196,16 @@ func cs3ResourceToRemoteItem(res *storageprovider.ResourceInfo) (*libregraph.Rem
 	return remoteItem, nil
 }
 
-func (g Graph) getPathForResource(ctx context.Context, ID *storageprovider.ResourceId) (*string, error) {
+func (g Graph) getPathForResource(ctx context.Context, id storageprovider.ResourceId) (string, error) {
 	client := g.GetGatewayClient()
-	var path *string
+	res, err := client.GetPath(ctx, &storageprovider.GetPathRequest{ResourceId: &id})
-	res, err := client.GetPath(ctx, &storageprovider.GetPathRequest{ResourceId: ID})
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	if res.Status.Code != cs3rpc.Code_CODE_OK {
-		return nil, fmt.Errorf("could not stat %s: %s", ID, res.Status.Message)
+		return "", fmt.Errorf("could not stat %v: %s", id, res.Status.Message)
 	}
-	path = &res.Path
+	return res.Path, err
-	return path, err
 }
 
 // GetExtendedSpaceProperties reads properties from the opaque and transforms them into driveItems
@@ -221,7 +219,7 @@ func (g Graph) GetExtendedSpaceProperties(ctx context.Context, baseURL *url.URL,
 
 	for _, itemName := range names {
 		if itemID, ok := metadata[itemName]; ok {
-			spaceItem := g.getSpecialDriveItem(ctx, resourceid.OwnCloudResourceIDUnwrap(string(itemID.Value)), itemName, baseURL, space)
+			spaceItem := g.getSpecialDriveItem(ctx, *resourceid.OwnCloudResourceIDUnwrap(string(itemID.Value)), itemName, baseURL, space)
 			if spaceItem != nil {
 				spaceItems = append(spaceItems, *spaceItem)
 			}
@@ -230,24 +228,26 @@ func (g Graph) GetExtendedSpaceProperties(ctx context.Context, baseURL *url.URL,
 	return spaceItems
 }
 
-func (g Graph) getSpecialDriveItem(ctx context.Context, ID *storageprovider.ResourceId, itemName string, baseURL *url.URL, space *storageprovider.StorageSpace) *libregraph.DriveItem {
+func (g Graph) getSpecialDriveItem(ctx context.Context, id storageprovider.ResourceId, itemName string, baseURL *url.URL, space *storageprovider.StorageSpace) *libregraph.DriveItem {
 	var spaceItem *libregraph.DriveItem
-	if ID == nil {
+	if id.StorageId == "" && id.OpaqueId == "" {
 		return nil
 	}
 
-	spaceItem, err := g.getDriveItem(ctx, ID)
+	spaceItem, err := g.getDriveItem(ctx, id)
 	if err != nil {
-		g.logger.Error().Err(err).Str("ID", ID.OpaqueId).Msg("Could not get readme Item")
+		g.logger.Error().Err(err).Str("ID", id.OpaqueId).Msg("Could not get readme Item")
 		return nil
 	}
-	itemPath, err := g.getPathForResource(ctx, ID)
+	itemPath, err := g.getPathForResource(ctx, id)
 	if err != nil {
-		g.logger.Error().Err(err).Str("ID", ID.OpaqueId).Msg("Could not get readme path")
+		g.logger.Error().Err(err).Str("ID", id.OpaqueId).Msg("Could not get readme path")
 		return nil
 	}
 	spaceItem.SpecialFolder = &libregraph.SpecialFolder{Name: libregraph.PtrString(itemName)}
-	spaceItem.WebDavUrl = libregraph.PtrString(baseURL.String() + path.Join(space.Id.OpaqueId, *itemPath))
+	webdavURL := *baseURL
+	webdavURL.Path = path.Join(webdavURL.Path, space.Id.OpaqueId, itemPath)
+	spaceItem.WebDavUrl = libregraph.PtrString(webdavURL.String())
 
 	return spaceItem
 }

extensions/group/pkg/command/command.go

@@ -194,6 +194,8 @@ func ldapConfigFromString(cfg config.LDAPDriver) map[string]interface{} {
 		"bind_password":     cfg.BindPassword,
 		"user_base_dn":      cfg.UserBaseDN,
 		"group_base_dn":     cfg.GroupBaseDN,
+		"user_scope":        cfg.UserScope,
+		"group_scope":       cfg.GroupScope,
 		"user_filter":       cfg.UserFilter,
 		"group_filter":      cfg.GroupFilter,
 		"user_objectclass":  cfg.UserObjectClass,

extensions/group/pkg/config/config.go

@@ -68,6 +68,8 @@ type LDAPDriver struct {
 	BindPassword     string   `env:"LDAP_BIND_PASSWORD;GROUPS_LDAP_BIND_PASSWORD"`
 	UserBaseDN       string   `env:"LDAP_USER_BASE_DN;GROUPS_LDAP_USER_BASE_DN"`
 	GroupBaseDN      string   `env:"LDAP_GROUP_BASE_DN;GROUPS_LDAP_GROUP_BASE_DN"`
+	UserScope        string   `env:"LDAP_USER_SCOPE;GROUPS_LDAP_USER_SCOPE"`
+	GroupScope       string   `env:"LDAP_GROUP_SCOPE;GROUPS_LDAP_GROUP_SCOPE"`
 	UserFilter       string   `env:"LDAP_USERFILTER;GROUPS_LDAP_USERFILTER"`
 	GroupFilter      string   `env:"LDAP_GROUPFILTER;GROUPS_LDAP_USERFILTER"`
 	UserObjectClass  string   `env:"LDAP_USER_OBJECTCLASS;GROUPS_LDAP_USER_OBJECTCLASS"`

extensions/group/pkg/config/defaults/defaultconfig.go

@@ -37,31 +37,33 @@ func DefaultConfig() *config.Config {
 		Driver: "ldap",
 		Drivers: config.Drivers{
 			LDAP: config.LDAPDriver{
-				URI:              "ldaps://localhost:9126",
+				URI:              "ldaps://localhost:9235",
-				CACert:           filepath.Join(defaults.BaseDataPath(), "ldap", "ldap.crt"),
+				CACert:           filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 				Insecure:         false,
-				UserBaseDN:       "dc=ocis,dc=test",
+				UserBaseDN:       "ou=users,o=libregraph-idm",
-				GroupBaseDN:      "dc=ocis,dc=test",
+				GroupBaseDN:      "ou=groups,o=libregraph-idm",
-				LoginAttributes:  []string{"cn", "mail"},
+				UserScope:        "sub",
+				GroupScope:       "sub",
+				LoginAttributes:  []string{"uid", "mail"},
 				UserFilter:       "",
 				GroupFilter:      "",
-				UserObjectClass:  "posixAccount",
+				UserObjectClass:  "inetOrgPerson",
-				GroupObjectClass: "posixGroup",
+				GroupObjectClass: "groupOfNames",
-				BindDN:           "cn=reva,ou=sysusers,dc=ocis,dc=test",
+				BindDN:           "uid=reva,ou=sysusers,o=libregraph-idm",
 				BindPassword:     "reva",
 				IDP:              "https://localhost:9200",
 				UserSchema: config.LDAPUserSchema{
 					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "displayname",
-					Username:    "cn",
+					Username:    "uid",
 				},
 				GroupSchema: config.LDAPGroupSchema{
-					ID:          "cn",
+					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "cn",
 					Groupname:   "cn",
-					Member:      "cn",
+					Member:      "member",
 				},
 			},
 			JSON: config.JSONDriver{},

extensions/idp/pkg/config/config.go

@@ -27,7 +27,8 @@ type Config struct {
 
 // Ldap defines the available LDAP configuration.
 type Ldap struct {
-	URI string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+	URI       string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+	TLSCACert string `yaml:"cacert" env:"LDAP_CACERT;IDP_LDAP_TLS_CACERT"`
 
 	BindDN       string `yaml:"bind_dn" env:"LDAP_BIND_DN;IDP_LDAP_BIND_DN"`
 	BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD"`

extensions/idp/pkg/config/defaults/defaultconfig.go

@@ -68,18 +68,19 @@ func DefaultConfig() *config.Config {
 			DyamicClientSecretDurationSeconds: 0,
 		},
 		Ldap: config.Ldap{
-			URI:               "ldap://localhost:9125",
+			URI:               "ldaps://localhost:9235",
-			BindDN:            "cn=idp,ou=sysusers,dc=ocis,dc=test",
+			TLSCACert:         path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
+			BindDN:            "uid=idp,ou=sysusers,o=libregraph-idm",
 			BindPassword:      "idp",
-			BaseDN:            "ou=users,dc=ocis,dc=test",
+			BaseDN:            "ou=users,o=libregraph-idm",
 			Scope:             "sub",
-			LoginAttribute:    "cn",
+			LoginAttribute:    "uid",
 			EmailAttribute:    "mail",
 			NameAttribute:     "displayName",
 			UUIDAttribute:     "uid",
 			UUIDAttributeType: "text",
 			Filter:            "",
-			ObjectClass:       "posixAccount",
+			ObjectClass:       "inetOrgPerson",
 		},
 	}
 }

extensions/idp/pkg/service/v0/service.go

@@ -142,6 +142,10 @@ func initLicoInternalEnvVars(ldap *config.Ldap) error {
 		"LDAP_FILTER":              filter,
 	}
 
+	if ldap.TLSCACert != "" {
+		defaults["LDAP_TLS_CACERT"] = ldap.TLSCACert
+	}
+
 	for k, v := range defaults {
 		if err := os.Setenv(k, v); err != nil {
 			return fmt.Errorf("could not set env var %s=%s", k, v)

extensions/ocs/pkg/config/defaults/defaultconfig.go

@@ -38,8 +38,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "ocs",
 		},
-
+		AccountBackend: "cs3",
-		AccountBackend: "accounts",
 		Reva: &config.Reva{
 			Address: "127.0.0.1:9142",
 		},

extensions/proxy/pkg/config/defaults/defaultconfig.go

@@ -43,7 +43,7 @@ func DefaultConfig() *config.Config {
 			AllowedHTTPMethods: []string{"GET"},
 			Enabled:            true,
 		},
-		AccountBackend:        "accounts",
+		AccountBackend:        "cs3",
 		UserOIDCClaim:         "email",
 		UserCS3Claim:          "mail",
 		AutoprovisionAccounts: false,

extensions/storage/pkg/config/defaults/defaultconfig.go

@@ -44,35 +44,35 @@ func DefaultConfig() *config.Config {
 				IDClaim:  "preferred_username",
 			},
 			LDAP: config.LDAP{
-				URI:              "ldaps://localhost:9126",
+				URI:              "ldaps://localhost:9235",
-				CACert:           path.Join(defaults.BaseDataPath(), "ldap", "ldap.crt"),
+				CACert:           path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 				Insecure:         false,
-				UserBaseDN:       "dc=ocis,dc=test",
+				UserBaseDN:       "ou=users,o=libregraph-idm",
-				GroupBaseDN:      "dc=ocis,dc=test",
+				GroupBaseDN:      "ou=groups,o=libregraph-idm",
 				UserScope:        "sub",
 				GroupScope:       "sub",
-				LoginAttributes:  []string{"cn", "mail"},
+				LoginAttributes:  []string{"uid", "mail"},
 				UserFilter:       "",
 				GroupFilter:      "",
-				UserObjectClass:  "posixAccount",
+				UserObjectClass:  "inetOrgPerson",
-				GroupObjectClass: "posixGroup",
+				GroupObjectClass: "groupOfNames",
-				BindDN:           "cn=reva,ou=sysusers,dc=ocis,dc=test",
+				BindDN:           "uid=reva,ou=sysusers,o=libregraph-idm",
 				BindPassword:     "reva",
 				IDP:              defaultPublicURL,
 				UserSchema: config.LDAPUserSchema{
 					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "displayname",
-					Username:    "cn",
+					Username:    "uid",
 					UIDNumber:   "uidnumber",
 					GIDNumber:   "gidnumber",
 				},
 				GroupSchema: config.LDAPGroupSchema{
-					ID:          "cn",
+					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "cn",
 					Groupname:   "cn",
-					Member:      "cn",
+					Member:      "member",
 					GIDNumber:   "gidnumber",
 				},
 			},

extensions/user/pkg/command/command.go

@@ -213,6 +213,8 @@ func ldapConfigFromString(cfg config.LDAPDriver) map[string]interface{} {
 		"bind_password":     cfg.BindPassword,
 		"user_base_dn":      cfg.UserBaseDN,
 		"group_base_dn":     cfg.GroupBaseDN,
+		"user_scope":        cfg.UserScope,
+		"group_scope":       cfg.GroupScope,
 		"user_filter":       cfg.UserFilter,
 		"group_filter":      cfg.GroupFilter,
 		"user_objectclass":  cfg.UserObjectClass,

extensions/user/pkg/config/config.go

@@ -68,6 +68,8 @@ type LDAPDriver struct {
 	BindPassword     string   `env:"LDAP_BIND_PASSWORD;USERS_LDAP_BIND_PASSWORD"`
 	UserBaseDN       string   `env:"LDAP_USER_BASE_DN;USERS_LDAP_USER_BASE_DN"`
 	GroupBaseDN      string   `env:"LDAP_GROUP_BASE_DN;USERS_LDAP_GROUP_BASE_DN"`
+	UserScope        string   `env:"LDAP_USER_SCOPE;USERS_LDAP_USER_SCOPE"`
+	GroupScope       string   `env:"LDAP_GROUP_SCOPE;USERS_LDAP_GROUP_SCOPE"`
 	UserFilter       string   `env:"LDAP_USERFILTER;USERS_LDAP_USERFILTER"`
 	GroupFilter      string   `env:"LDAP_GROUPFILTER;USERS_LDAP_USERFILTER"`
 	UserObjectClass  string   `env:"LDAP_USER_OBJECTCLASS;USERS_LDAP_USER_OBJECTCLASS"`

extensions/user/pkg/config/defaults/defaultconfig.go

@@ -37,31 +37,33 @@ func DefaultConfig() *config.Config {
 		Driver: "ldap",
 		Drivers: config.Drivers{
 			LDAP: config.LDAPDriver{
-				URI:              "ldaps://localhost:9126",
+				URI:              "ldaps://localhost:9235",
-				CACert:           filepath.Join(defaults.BaseDataPath(), "ldap", "ldap.crt"),
+				CACert:           filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 				Insecure:         false,
-				UserBaseDN:       "dc=ocis,dc=test",
+				UserBaseDN:       "ou=users,o=libregraph-idm",
-				GroupBaseDN:      "dc=ocis,dc=test",
+				GroupBaseDN:      "ou=groups,o=libregraph-idm",
-				LoginAttributes:  []string{"cn", "mail"},
+				UserScope:        "sub",
+				GroupScope:       "sub",
+				LoginAttributes:  []string{"uid", "mail"},
 				UserFilter:       "",
 				GroupFilter:      "",
-				UserObjectClass:  "posixAccount",
+				UserObjectClass:  "inetOrgPerson",
-				GroupObjectClass: "posixGroup",
+				GroupObjectClass: "groupOfNames",
-				BindDN:           "cn=reva,ou=sysusers,dc=ocis,dc=test",
+				BindDN:           "uid=reva,ou=sysusers,o=libregraph-idm",
 				BindPassword:     "reva",
 				IDP:              "https://localhost:9200",
 				UserSchema: config.LDAPUserSchema{
 					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "displayname",
-					Username:    "cn",
+					Username:    "uid",
 				},
 				GroupSchema: config.LDAPGroupSchema{
-					ID:          "cn",
+					ID:          "ownclouduuid",
 					Mail:        "mail",
 					DisplayName: "cn",
 					Groupname:   "cn",
-					Member:      "cn",
+					Member:      "member",
 				},
 			},
 			JSON: config.JSONDriver{},

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/blevesearch/bleve/v2 v2.3.2
 	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/cs3org/go-cs3apis v0.0.0-20220412090512-93c5918b4bde
-	github.com/cs3org/reva/v2 v2.0.0-20220425084830-0b734be7c6c7
+	github.com/cs3org/reva/v2 v2.0.0-20220427123248-8cad2e542999
 	github.com/disintegration/imaging v1.6.2
 	github.com/glauth/glauth/v2 v2.0.0-20211021011345-ef3151c28733
 	github.com/go-chi/chi/v5 v5.0.7

go.sum

@@ -320,6 +320,8 @@ github.com/cs3org/reva v1.18.0 h1:MbPS5ZAa8RzKcTxAVeSDdISB3XXqLIxqB03BTN5ReBY=
 github.com/cs3org/reva v1.18.0/go.mod h1:e5VDUDu4vVWIeVkZcW//n6UZzhGGMa+Tz/whCiX3N6o=
 github.com/cs3org/reva/v2 v2.0.0-20220425084830-0b734be7c6c7 h1:BTRw/tCFhlDplE6M9bnvlXb4VVz5wNbDN7VWdT1g1Q8=
 github.com/cs3org/reva/v2 v2.0.0-20220425084830-0b734be7c6c7/go.mod h1:2e/4HcIy54Mic3V7Ow0bz4n5dkZU0dHIZSWomFe5vng=
+github.com/cs3org/reva/v2 v2.0.0-20220427123248-8cad2e542999 h1:82ug3hha8u8oaY1LZctupG6hIazq3K7Qi+qFBRtlORA=
+github.com/cs3org/reva/v2 v2.0.0-20220427123248-8cad2e542999/go.mod h1:2e/4HcIy54Mic3V7Ow0bz4n5dkZU0dHIZSWomFe5vng=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=

ocis/pkg/runtime/service/service.go

@@ -112,7 +112,6 @@ func NewService(options ...Option) (*Service, error) {
 	s.ServicesRegistry["glauth"] = glauth.NewSutureService
 	s.ServicesRegistry["graph"] = graph.NewSutureService
 	s.ServicesRegistry["graph-explorer"] = graphExplorer.NewSutureService
-	s.ServicesRegistry["idp"] = idp.NewSutureService
 	s.ServicesRegistry["idm"] = idm.NewSutureService
 	s.ServicesRegistry["ocs"] = ocs.NewSutureService
 	s.ServicesRegistry["store"] = store.NewSutureService
@@ -137,6 +136,7 @@ func NewService(options ...Option) (*Service, error) {
 	s.Delayed["accounts"] = accounts.NewSutureService
 	s.Delayed["proxy"] = proxy.NewSutureService
 	s.Delayed["ocdav"] = ocdav.NewOCDav
+	s.Delayed["idp"] = idp.NewSutureService
 
 	return s, nil
 }
@@ -254,10 +254,18 @@ func (s *Service) generateRunSet(cfg *ociscfg.Config) {
 	}
 
 	for name := range s.ServicesRegistry {
+		// don't run glauth by default but keep the possiblity to start it via cfg.Runtime.Extensions for now
+		if name == "glauth" {
+			continue
+		}
 		runset = append(runset, name)
 	}
 
 	for name := range s.Delayed {
+		// don't run accounts by default but keep the possiblity to start it via cfg.Runtime.Extensions for now
+		if name == "accounts" {
+			continue
+		}
 		runset = append(runset, name)
 	}
 }

tests/acceptance/features/apiAccountsHashDifficulty/addUser.feature

@@ -1,4 +1,4 @@
-@api @provisioning_api-app-required @skipOnLDAP
+@api @provisioning_api-app-required @skipOnLDAP @skipOnGraph
 Feature: add user
   As an admin
   I want to be able to add users and store their password with the full hash difficulty

tests/acceptance/features/bootstrap/SpacesContext.php

@@ -24,12 +24,14 @@ declare(strict_types=1);
 
 use Behat\Behat\Context\Context;
 use Behat\Behat\Hook\Scope\BeforeScenarioScope;
+use Behat\Behat\Hook\Call\AfterScenario;
 use Behat\Gherkin\Node\TableNode;
 use Behat\Testwork\Environment\Environment;
 use GuzzleHttp\Exception\GuzzleException;
 use Psr\Http\Message\ResponseInterface;
 use TestHelpers\HttpRequestHelper;
 use TestHelpers\SetupHelper;
+use TestHelpers\GraphHelper;
 use PHPUnit\Framework\Assert;
 
 require_once 'bootstrap.php';
@@ -285,31 +287,23 @@ class SpacesContext implements Context {
 	 * @return string
 	 */
 	public function getUserIdByUserName(string $userName): string {
-		$fullUrl = $this->baseUrl . "/api/v0/accounts/accounts-list";
+		$this->featureContext->setResponse(GraphHelper::getUser(
-		$this->featureContext->setResponse(
+                        $this->featureContext->getBaseUrl(),
-			HttpRequestHelper::post(
+                        $this->featureContext->getStepLineRef(),
-				$fullUrl,
+                        $this->featureContext->getAdminUsername(),
-				"",
+                        $this->featureContext->getAdminPassword(),
-				$this->featureContext->getAdminUsername(),
+                        $userName
-				$this->featureContext->getAdminPassword(),
+                ));
-				[],
-				"{}"
-			)
-		);
 		if ($this->featureContext->getResponse()) {
 			$rawBody = $this->featureContext->getResponse()->getBody()->getContents();
 			$response = \json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
-			if (isset($response["accounts"])) {
+			if (isset($response["id"])) {
-				$accounts = $response["accounts"];
+				$user = $response;
 			} else {
 				throw new Exception(__METHOD__ . " accounts-list is empty");
 			}
 		}
-		foreach ($accounts as $account) {
+		return $user["id"];
-			if ($account["preferredName"] === $userName) {
-				return $account["id"];
-			}
-		}
 		throw new Exception(__METHOD__ . " user with name $userName not found");
 	}
 
@@ -340,6 +334,55 @@ class SpacesContext implements Context {
 		);
 	}
 
+	/**
+	 * @AfterScenario
+	 *
+	 * @return void
+	 *
+	 * @throws Exception
+	 */
+	public function cleanDataAfterTests(): void
+	{
+		$this->deleteAllSpacesOfTheType('project');
+	}
+
+	/**
+	 * The method first disables and then deletes spaces
+	 * @param  string $driveType
+	 * 
+	 * @return void
+	 *
+	 * @throws Exception
+	 */
+	public function deleteAllSpacesOfTheType(string $driveType): void
+	{
+		$query = "\$filter=driveType eq $driveType";
+		$userAdmin = $this->featureContext->getAdminUsername();
+
+		for ($i = 0; $i < 2; ++$i) {
+			$this->theUserListsAllHisAvailableSpacesUsingTheGraphApiWithFilter(
+				$userAdmin,
+				$query
+			);
+
+			$rawBody =  $this->featureContext->getResponse()->getBody()->getContents();
+			$drives = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
+			if (isset($drives["value"])) {
+				$drives = $drives["value"];
+			}
+
+			if (!empty($drives)) {
+				foreach ($drives as $value) {
+					if (!array_key_exists("deleted", $value["root"])) {
+						$this->sendDisableSpaceRequest($userAdmin, $value["name"]);
+					} else {
+						$this->sendDeleteSpaceRequest($userAdmin, $value["name"]);
+					}
+				}
+			}
+		}
+	}
+
 	/**
 	 * Send Graph List My Spaces Request
 	 *
@@ -607,7 +650,6 @@ class SpacesContext implements Context {
 		$password = $this->featureContext->getAdminPassword();
 		$headers = [];
 		$bundles = [];
-		$accounts = [];
 		$assignment = [];
 
 		// get the roles list first
@@ -628,22 +670,20 @@ class SpacesContext implements Context {
 		}
 		Assert::assertNotEmpty($roleToAssign, "The selected role $role could not be found");
 
-		// get the accounts list first
+		$this->featureContext->setResponse(GraphHelper::getUser(
-		$fullUrl = $this->baseUrl . "/api/v0/accounts/accounts-list";
+                        $this->featureContext->getBaseUrl(),
-		$this->featureContext->setResponse(HttpRequestHelper::post($fullUrl, "", $admin, $password, $headers, "{}"));
+                        $this->featureContext->getStepLineRef(),
+                        $this->featureContext->getAdminUsername(),
+                        $this->featureContext->getAdminPassword(),
+                        $user
+                ));
 		if ($this->featureContext->getResponse()) {
 			$rawBody = $this->featureContext->getResponse()->getBody()->getContents();
-			if (isset(\json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR)["accounts"])) {
+			if (isset(\json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR)["id"])) {
-				$accounts = \json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR)["accounts"];
+				$accountToChange = \json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
-			}
-		}
-		$accountToChange = "";
-		foreach ($accounts as $account) {
-			// find the selected user
-			if ($account["preferredName"] === $user) {
-				$accountToChange = $account;
 			}
 		}
+
 		Assert::assertNotEmpty($accountToChange, "The selected account $user does not exist");
 
 		// set the new role