Merge pull request #11799 from kobergj/ProvisioningAPIExternalID

[OCISDEV-447] Use ExternalID for ProvisioningAPI

Author: kobergj

changelog/unreleased/use-externalid-in-provapi.md

@@ -0,0 +1,5 @@
+Enhancement: Use externalID in Provisioning API
+
+This PR adds the externalID as optional parameter to the Provisioning API that can be used as the primary identifier. It also contains a switch to enable this setting.
+
+https://github.com/owncloud/ocis/pull/11799

go.mod

@@ -65,7 +65,7 @@ require (
 	github.com/onsi/gomega v1.38.2
 	github.com/open-policy-agent/opa v1.6.0
 	github.com/orcaman/concurrent-map v1.0.0
-	github.com/owncloud/libre-graph-api-go v1.0.5-0.20250217093259-fa3804be6c27
+	github.com/owncloud/libre-graph-api-go v1.0.5-0.20251107084958-31937a4ea3f1
 	github.com/owncloud/reva/v2 v2.0.0-20251106102926-751223b32d48
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12

go.sum

@@ -715,8 +715,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HDbW65HOY=
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
-github.com/owncloud/libre-graph-api-go v1.0.5-0.20250217093259-fa3804be6c27 h1:ID8s5lGBntmrlI6TbDAjTzRyHucn3bVM2wlW+HBplv4=
-github.com/owncloud/libre-graph-api-go v1.0.5-0.20250217093259-fa3804be6c27/go.mod h1:+gT+x62AS9u2Farh9wE2uYmgdvTg0MQgsSI62D+xoRg=
+github.com/owncloud/libre-graph-api-go v1.0.5-0.20251107084958-31937a4ea3f1 h1:uW3BUPdaAhti2aP8x3Vb79vzmqAgDaWZ0yrW+4ujjU8=
+github.com/owncloud/libre-graph-api-go v1.0.5-0.20251107084958-31937a4ea3f1/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og=
 github.com/owncloud/reva/v2 v2.0.0-20251106102926-751223b32d48 h1:RGnvbZNOE1ss3b0BOM8J+bPrk6prfXB0paKnWaDA/Xg=
 github.com/owncloud/reva/v2 v2.0.0-20251106102926-751223b32d48/go.mod h1:XenQR69s8JQ5Q4/+/vQbSg6B4+0iM6inYjNxB7SJAhI=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=

services/graph/pkg/config/config.go

@@ -75,6 +75,7 @@ type LDAP struct {
 	UserIDIsOctetString      bool   `yaml:"user_id_is_octet_string" env:"OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"pre5.0"`
 	UserTypeAttribute        string `yaml:"user_type_attribute" env:"OCIS_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'." introductionVersion:"pre5.0"`
 	UserEnabledAttribute     string `yaml:"user_enabled_attribute" env:"OCIS_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"pre5.0"`
+	ExternalIDAttribute      string `yaml:"external_id_attribute" env:"OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID;GRAPH_LDAP_EXTERNAL_ID_ATTRIBUTE" desc:"LDAP attribute that references the external ID of users during the provisioning process. The final ID is provided by an external identity provider. If it is not set, a default attribute will be used instead." introductionVersion:"Curie"`
 	DisableUserMechanism     string `yaml:"disable_user_mechanism" env:"OCIS_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'." introductionVersion:"pre5.0"`
 	LdapDisabledUsersGroupDN string `yaml:"ldap_disabled_users_group_dn" env:"OCIS_LDAP_DISABLED_USERS_GROUP_DN;GRAPH_DISABLED_USERS_GROUP_DN" desc:"The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'." introductionVersion:"pre5.0"`
 
@@ -90,6 +91,7 @@ type LDAP struct {
 
 	EducationResourcesEnabled bool `yaml:"education_resources_enabled" env:"GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED" desc:"Enable LDAP support for managing education related resources." introductionVersion:"pre5.0"`
 	EducationConfig           LDAPEducationConfig
+	RequireExternalID         bool `yaml:"require_external_id" env:"GRAPH_LDAP_REQUIRE_EXTERNAL_ID" desc:"If enabled, the 'OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID' is used as primary identifier for the provisioning API." introductionVersion:"Curie"`
 }
 
 // LDAPEducationConfig represents the LDAP configuration for education related resources

services/graph/pkg/config/defaults/defaultconfig.go

@@ -101,6 +101,7 @@ func DefaultConfig() *config.Config {
 				UserIDAttribute:           "owncloudUUID",
 				UserTypeAttribute:         "ownCloudUserType",
 				UserEnabledAttribute:      "ownCloudUserEnabled",
+				ExternalIDAttribute:       "owncloudExternalID",
 				DisableUserMechanism:      "attribute",
 				LdapDisabledUsersGroupDN:  "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm",
 				GroupBaseDN:               "ou=groups,o=libregraph-idm",

services/graph/pkg/identity/ldap.go

@@ -72,6 +72,8 @@ type LDAP struct {
 
 	educationConfig educationConfig
 
+	useExternalID bool
+
 	logger *log.Logger
 	conn   ldap.Client
 }
@@ -87,6 +89,7 @@ type userAttributeMap struct {
 	userType       string
 	identities     string
 	lastSignIn     string
+	externalID     string
 }
 
 type ldapAttributeValues map[string][]string
@@ -122,6 +125,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 		userType:       config.UserTypeAttribute,
 		identities:     identitiesAttribute,
 		lastSignIn:     lastSignAttribute,
+		externalID:     config.ExternalIDAttribute,
 	}
 
 	if config.GroupNameAttribute == "" || config.GroupIDAttribute == "" {
@@ -176,6 +180,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 		conn:                    lc,
 		writeEnabled:            config.WriteEnabled,
 		refintEnabled:           config.RefintEnabled,
+		useExternalID:           config.RequireExternalID,
 	}, nil
 }
 
@@ -844,6 +849,7 @@ func (i *LDAP) createUserModelFromLDAP(e *ldap.Entry) *libregraph.User {
 			GivenName:                pointerOrNil(e.GetEqualFoldAttributeValue(i.userAttributeMap.givenName)),
 			Surname:                  &surname,
 			AccountEnabled:           booleanOrNil(e.GetEqualFoldAttributeValue(i.userAttributeMap.accountEnabled)),
+			ExternalID:               pointerOrNil(e.GetEqualFoldAttributeValue(i.userAttributeMap.externalID)),
 		}
 
 		userType := e.GetEqualFoldAttributeValue(i.userAttributeMap.userType)
@@ -887,6 +893,7 @@ func (i *LDAP) userToLDAPAttrValues(user libregraph.User) (map[string][]string,
 		"objectClass":                  {"inetOrgPerson", "organizationalPerson", "person", "top", "ownCloudUser"},
 		"cn":                           {user.GetOnPremisesSamAccountName()},
 		i.userAttributeMap.userType:    {user.GetUserType()},
+		i.userAttributeMap.externalID:  {user.GetExternalID()},
 	}
 
 	if identities, ok := user.GetIdentitiesOk(); ok {
@@ -957,6 +964,7 @@ func (i *LDAP) getUserAttrTypesForSearch() []string {
 		i.userAttributeMap.userType,
 		i.userAttributeMap.identities,
 		i.userAttributeMap.lastSignIn,
+		i.userAttributeMap.externalID,
 	}
 }
 

services/graph/pkg/identity/ldap_education_school.go

@@ -428,7 +428,7 @@ func (i *LDAP) AddUsersToEducationSchool(ctx context.Context, schoolNumberOrID s
 
 	userEntries := make([]*ldap.Entry, 0, len(memberIDs))
 	for _, memberID := range memberIDs {
-		user, err := i.getEducationUserByNameOrID(memberID)
+		user, err := i.getEducationUser(memberID)
 		if err != nil {
 			i.logger.Warn().Str("userid", memberID).Msg("User does not exist")
 			return errorcode.New(errorcode.ItemNotFound, fmt.Sprintf("user '%s' not found", memberID))
@@ -472,7 +472,7 @@ func (i *LDAP) RemoveUserFromEducationSchool(ctx context.Context, schoolNumberOr
 	}
 
 	schoolID := schoolEntry.GetEqualFoldAttributeValue(i.educationConfig.schoolAttributeMap.id)
-	user, err := i.getEducationUserByNameOrID(memberID)
+	user, err := i.getEducationUser(memberID)
 	if err != nil {
 		i.logger.Warn().Str("userid", memberID).Msg("User does not exist")
 		return err

services/graph/pkg/identity/ldap_education_school_test.go

@@ -25,6 +25,7 @@ var eduConfig = config.LDAP{
 	UserEmailAttribute:       "mail",
 	UserNameAttribute:        "uid",
 	UserEnabledAttribute:     "userEnabledAttribute",
+	ExternalIDAttribute:      "externalID",
 	DisableUserMechanism:     "attribute",
 	UserTypeAttribute:        "userTypeAttribute",
 

services/graph/pkg/identity/ldap_education_user.go

@@ -53,14 +53,13 @@ func (i *LDAP) CreateEducationUser(ctx context.Context, user libregraph.Educatio
 }
 
 // DeleteEducationUser deletes a given education user, identified by username or id, from the backend
-func (i *LDAP) DeleteEducationUser(ctx context.Context, nameOrID string) error {
+func (i *LDAP) DeleteEducationUser(ctx context.Context, id string) error {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("DeleteEducationUser")
 	if !i.writeEnabled {
 		return ErrReadOnly
 	}
-	// TODO, implement a proper lookup for education Users here
-	e, err := i.getEducationUserByNameOrID(nameOrID)
+	e, err := i.getEducationUser(id)
 	if err != nil {
 		return err
 	}
@@ -73,13 +72,13 @@ func (i *LDAP) DeleteEducationUser(ctx context.Context, nameOrID string) error {
 }
 
 // UpdateEducationUser applies changes to given education user, identified by username or id
-func (i *LDAP) UpdateEducationUser(ctx context.Context, nameOrID string, user libregraph.EducationUser) (*libregraph.EducationUser, error) {
+func (i *LDAP) UpdateEducationUser(ctx context.Context, id string, user libregraph.EducationUser) (*libregraph.EducationUser, error) {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("UpdateEducationUser")
 	if !i.writeEnabled {
 		return nil, ErrReadOnly
 	}
-	e, err := i.getEducationUserByNameOrID(nameOrID)
+	e, err := i.getEducationUser(id)
 	if err != nil {
 		return nil, err
 	}
@@ -189,10 +188,10 @@ func (i *LDAP) UpdateEducationUser(ctx context.Context, nameOrID string, user li
 }
 
 // GetEducationUser implements the EducationBackend interface for the LDAP backend.
-func (i *LDAP) GetEducationUser(ctx context.Context, nameOrID string) (*libregraph.EducationUser, error) {
+func (i *LDAP) GetEducationUser(ctx context.Context, id string) (*libregraph.EducationUser, error) {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("GetEducationUser")
-	e, err := i.getEducationUserByNameOrID(nameOrID)
+	e, err := i.getEducationUser(id)
 	if err != nil {
 		return nil, err
 	}
@@ -257,6 +256,7 @@ func (i *LDAP) educationUserToUser(eduUser libregraph.EducationUser) *libregraph
 	user.Mail = eduUser.Mail
 	user.UserType = eduUser.UserType
 	user.Identities = eduUser.Identities
+	user.ExternalID = eduUser.ExternalID
 
 	return user
 }
@@ -272,6 +272,7 @@ func (i *LDAP) userToEducationUser(user libregraph.User, e *ldap.Entry) *libregr
 	eduUser.Mail = user.Mail
 	eduUser.UserType = user.UserType
 	eduUser.Identities = user.Identities
+	eduUser.ExternalID = user.ExternalID
 
 	if e != nil {
 		// Set the education User specific Attributes from the supplied LDAP Entry
@@ -326,6 +327,7 @@ func (i *LDAP) getEducationUserAttrTypes() []string {
 		i.userAttributeMap.accountEnabled,
 		i.userAttributeMap.userType,
 		i.userAttributeMap.identities,
+		i.userAttributeMap.externalID,
 		i.educationConfig.userAttributeMap.primaryRole,
 		i.educationConfig.memberOfSchoolAttribute,
 	}
@@ -341,6 +343,13 @@ func (i *LDAP) getEducationUserByDN(dn string) (*ldap.Entry, error) {
 	return i.getEntryByDN(dn, i.getEducationUserAttrTypes(), filter)
 }
 
+func (i *LDAP) getEducationUser(nameOrID string) (*ldap.Entry, error) {
+	if i.useExternalID {
+		return i.getEducationUserByExternalID(nameOrID)
+	}
+	return i.getEducationUserByNameOrID(nameOrID)
+}
+
 func (i *LDAP) getEducationUserByNameOrID(nameOrID string) (*ldap.Entry, error) {
 	return i.getEducationObjectByNameOrID(
 		nameOrID,
@@ -353,12 +362,28 @@ func (i *LDAP) getEducationUserByNameOrID(nameOrID string) (*ldap.Entry, error)
 	)
 }
 
+func (i *LDAP) getEducationUserByExternalID(id string) (*ldap.Entry, error) {
+	return i.getEducationObjectByID(
+		id,
+		i.userAttributeMap.externalID,
+		i.userFilter,
+		i.educationConfig.userObjectClass,
+		i.userBaseDN,
+		i.getEducationUserAttrTypes(),
+	)
+}
+
 func (i *LDAP) getEducationObjectByNameOrID(nameOrID, nameAttribute, idAttribute, objectFilter, objectClass, baseDN string, attributes []string) (*ldap.Entry, error) {
 	nameOrID = ldap.EscapeFilter(nameOrID)
 	filter := fmt.Sprintf("(|(%s=%s)(%s=%s))", nameAttribute, nameOrID, idAttribute, nameOrID)
 	return i.getEducationObjectByFilter(filter, baseDN, objectFilter, objectClass, attributes)
 }
 
+func (i *LDAP) getEducationObjectByID(id, idAttribute, objectFilter, objectClass, baseDN string, attributes []string) (*ldap.Entry, error) {
+	filter := fmt.Sprintf("(%s=%s)", idAttribute, id)
+	return i.getEducationObjectByFilter(filter, baseDN, objectFilter, objectClass, attributes)
+}
+
 func (i *LDAP) getEducationObjectByFilter(filter, baseDN, objectFilter, objectClass string, attributes []string) (*ldap.Entry, error) {
 	filter = fmt.Sprintf("(&%s(objectClass=%s)%s)", objectFilter, objectClass, filter)
 	return i.searchLDAPEntryByFilter(baseDN, attributes, filter)