When refint is enabled on an LDAP server, it will rename all references
to an entity if its DN is modified. If this happens, the member
renames will not be needed, and will also return an error.
This PR does the following:
* Detects the attribute error, and don't return an error.
* Log that the server has been misconfigured.
* Add config value that skips renaming if set.
* Add http endpoint to list permissions
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* extract handler registration
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use generated protobuf
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update permissions mock in graph service
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add unit test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* return correct userid
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* assert error message type in tests
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
This is an incomplete implementation of username changing code.
The things still needed to be finished:
* The method that changes the member attribute has to be filled in.
* The functionality needs to be tested.
* Unit tests need to be added.
This adds some initial support for using $filter (as defined in the
odata spec) on the /users endpoint. Currently the following filters are
supported:
A single filter on `id` property of the `memberOf` relation of users.
To list all users that are members of a specific group:
```
curl 'https://localhost:9200/graph/v1.0/users?$filter=memberOf/any(m:m/id eq '262982c1-2362-4afa-bfdf-8cbfef64a06e')
```
A logical AND filteri on the `id` property of the `memberOf` relation of users.
`$filter=memberOf/any(m:m/id eq 262982c1-2362-4afa-bfdf-8cbfef64a06e) and memberOf/any(m:m/id eq 6040aa17-9c64-4fef-9bd0-77234d71bad0)`
This will cause at least two queries on the identity backend. The `and`
operation is performed locally.
Closes: #5487
In preparation for some more advanced queries pass the parse odata request
tVo the identity backend methods instead of the raw url.Values{}. This also
add some helpers for validating $expand and $search queries to reject
some unsupported queries.
Also remove support for `$select=memberOf` and `$select=drive|drives` queries
and stick to the technically correct `$expand=...`.
We don't need to support any complex queries on /education (yet?). And if we would need
to add support for $search, $filter, $expand or $select we should pass the parsed odata Query
instead of the raw url.Values struct.
Allow to use the /graph/users and /graph/education/users endpoints standalone
without the RoleService running. When there is no Roleservice do not expose
the `/appRoleAssignments` endpoint.
When running the graph service standalone with token auth we don't
have a user in the context. Avoid nil point exception when issueing
events in such a setup.
* fix populating user drive and drives
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update changelog
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix test condition
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
As described in #5410: add support for updating educationClass properties.
This adds the `UpdateEducationClass` to the `EducationBackend` interface,
and implements it on the `ErrEducationBackend` and `LDAP` backends.
It also alters `PatchEducationClass` to call the `UpdateEducationClass` method.
Closes#5410
* walk and log chi routes, ocs cleanup
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* make linter happy
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
GET /education/schools/{school-id}/users
POST /education/schools/{school-id}/users/$ref
and
DELETE /education/schools/{school-id}/users/$ref
are supposed to also work when using the schoolNumber as the
'{school-id}' parameter. This fix that functionality. This also makes the
the mocks for the LDAP Modify operations more specific to avoid using
the generic mock.Anything
