feat(groups): Only allow the "null" driver for multi-tenant setups

2025-12-21 12:09:40 -06:00 · 2025-09-30 14:28:48 +02:00
parent 736fb9db1f
commit f096285769
2 changed files with 5 additions and 0 deletions
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -334,6 +334,7 @@ config = {
                "GRAPH_LDAP_SERVER_UUID": True,
                "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
                "GRAPH_LDAP_REFINT_ENABLED": True,
+                "GROUPS_DRIVER": "null",
                "FRONTEND_READONLY_USER_ATTRIBUTES": "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments",
                "OC_LDAP_SERVER_WRITE_ENABLED": False,
                "OC_EXCLUDE_RUN_SERVICES": "idm",
--- a/services/groups/pkg/config/parser/parse.go
+++ b/services/groups/pkg/config/parser/parse.go
@@ -2,6 +2,7 @@ package parser

 import (
 	"errors"
+	"fmt"

 	occfg "github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/shared"
@@ -38,6 +39,9 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}

+	if cfg.Commons.MultiTenantEnabled && cfg.Driver != "null" {
+		return fmt.Errorf("Multi-tenant support is enabled. Only the 'null'-driver is supported by 'groups' service.")
+	}
 	if cfg.Drivers.LDAP.BindPassword == "" && cfg.Driver == "ldap" {
 		return shared.MissingLDAPBindPassword(cfg.Service.Name)
 	}