add graph user capabilities

Signed-off-by: jkoberg <jkoberg@owncloud.com>
jkoberg
2023-05-17 11:17:23 +02:00
parent e318919ea7
commit c76fb5f412
4 changed files with 14 additions and 3 deletions
@@ -0,0 +1,5 @@
Enhancement: Graph user capabilities
Adds capablities to show if users are writeable in LDAP so clients can block their specific fields
https://github.com/owncloud/ocis/pull/6339
+1
@@ -47,6 +47,7 @@ type Config struct {
OCS OCS `yaml:"ocs"`
Checksums Checksums `yaml:"checksums"`
ReadOnlyUserAttributes []string `yaml:"read_only_user_attributes" env:"FRONTEND_READONLY_USER_ATTRIBUTES" desc:"Comma separated list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.accountEnabled' (login allowed), 'drive.quota' (quota)."`
LDAPServerWriteEnabled bool `yaml:"ldap_server_write_enabled" env:"OCIS_LDAP_SERVER_WRITE_ENABLED;FRONTEND_LDAP_SERVER_WRITE_ENABLED" desc:"Allow to create, modify and delete LDAP users via the GRAPH API."`
Middleware Middleware `yaml:"middleware"`
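Review bot: The `desc` on the new `LDAPServerWriteEnabled` field says it allows creating, modifying and deleting LDAP users via the graph API, but in this commit the frontend only reads the flag to advertise `create_disabled`/`delete_disabled`/`change_password_self_disabled` in its capabilities; the create/modify/delete behaviour itself is governed by the graph service's own `write_enabled` setting. A client that reads the capability is only getting a UI hint, and a yaml-based deployment that sets the two services differently will advertise one thing and enforce another, since only the shared `OCIS_LDAP_SERVER_WRITE_ENABLED` env var keeps them aligned. I would say so in the description, e.g. `desc:"Set this to the value of the graph service's LDAP write_enabled setting. The frontend only uses it to advertise user write capabilities to clients; it does not enforce anything."`. The `Config` struct continues outside the hunk.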
+7 -2
@@ -200,8 +200,13 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
"support_url_signing": true,
},
"graph": map[string]interface{}{
"personal_data_export": true,
"read_only_user_attributes": readOnlyUserAttributes,
"personal_data_export": true,
"users": map[string]interface{}{
"read_only_attributes": readOnlyUserAttributes,
"create_disabled": !cfg.LDAPServerWriteEnabled,
"delete_disabled": !cfg.LDAPServerWriteEnabled,
"change_password_self_disabled": !cfg.LDAPServerWriteEnabled,
},
},
"checksums": map[string]interface{}{
"supported_types": cfg.Checksums.SupportedTypes,
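Review bot: The `read_only_user_attributes` key is dropped from `graph` and replaced by `graph.users.read_only_attributes`, so a client still reading the old key would presumably see no read-only list and could offer editing of fields the server rejects; if the old key has already shipped in a release, keep it for a deprecation window by leaving `"read_only_user_attributes": readOnlyUserAttributes,` in place next to the new `users` map. The three `*_disabled` flags are likewise advisory: they tell clients what to hide, while the graph service's `write_enabled` remains the actual gate, so a short comment above the `users` map such as `// advisory for clients; write access is enforced by the graph service` would keep later readers from treating this map as a security control. FrontendConfigFromStruct's body continues outside the hunk on both sides.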
+1 -1
@@ -53,7 +53,7 @@ type LDAP struct {
BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD" desc:"Password to use for authenticating the 'bind_dn'."`
UseServerUUID bool `yaml:"use_server_uuid" env:"GRAPH_LDAP_SERVER_UUID" desc:"If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute."`
UsePasswordModExOp bool `yaml:"use_password_modify_exop" env:"GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP" desc:"Use the 'Password Modify Extended Operation' for updating user passwords."`
WriteEnabled bool `yaml:"write_enabled" env:"GRAPH_LDAP_SERVER_WRITE_ENABLED" desc:"Allow to create, modify and delete LDAP users via GRAPH API. This is only works when the default Schema is used."`
WriteEnabled bool `yaml:"write_enabled" env:"OCIS_LDAP_SERVER_WRITE_ENABLED;GRAPH_LDAP_SERVER_WRITE_ENABLED" desc:"Allow to create, modify and delete LDAP users via the GRAPH API. This is only works when the default Schema is used."`
RefintEnabled bool `yaml:"refint_enabled" env:"GRAPH_LDAP_REFINT_ENABLED" desc:"Signals that the server has the refint plugin enabled, which makes some actions not needed."`
UserBaseDN string `yaml:"user_base_dn" env:"OCIS_LDAP_USER_BASE_DN;LDAP_USER_BASE_DN;GRAPH_LDAP_USER_BASE_DN" desc:"Search base DN for looking up LDAP users." deprecationVersion:"3.0" removalVersion:"4.0.0" deprecationInfo:"LDAP_USER_BASE_DN changing name for consistency" deprecationReplacement:"OCIS_LDAP_USER_BASE_DN"`
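Review bot: The rewritten `desc` on `WriteEnabled` still carries the grammatical slip `This is only works when the default Schema is used.`; since the line is being touched anyway, `This only works when the default schema is used.` reads correctly. Adding the `OCIS_LDAP_SERVER_WRITE_ENABLED` prefix means this single env var now drives both the graph service's write gate and the frontend's advertised capabilities (the frontend field in this commit lists the same variable), which is worth a sentence in the description so operators know the two settings are meant to move together. The `LDAP` struct continues outside the hunk.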