feat: use externalID for provisioning api

Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com>

Author: Julian Koberg

changelog/unreleased/use-externalid-in-provapi.md

@@ -0,0 +1,5 @@
+Enhancement: Use externalID in Provisioning API
+
+This PR adds the externalID as optional parameter to the Provisioning API that can be used as the primary identifier. It also contains a switch to enable this setting.
+
+https://github.com/owncloud/ocis/pull/11799

services/graph/pkg/config/config.go

@@ -75,6 +75,7 @@ type LDAP struct {
 	UserIDIsOctetString      bool   `yaml:"user_id_is_octet_string" env:"OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"pre5.0"`
 	UserTypeAttribute        string `yaml:"user_type_attribute" env:"OCIS_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'." introductionVersion:"pre5.0"`
 	UserEnabledAttribute     string `yaml:"user_enabled_attribute" env:"OCIS_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"pre5.0"`
+	ExternalIDAttribute      string `yaml:"external_id_attribute" env:"OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID;GRAPH_LDAP_EXTERNAL_ID_ATTRIBUTE" desc:"LDAP attribute that references the external ID of users during the provisioning process. The final ID is provided by an external identity provider. If it is not set, a default attribute will be used instead." introductionVersion:"Curie"`
 	DisableUserMechanism     string `yaml:"disable_user_mechanism" env:"OCIS_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'." introductionVersion:"pre5.0"`
 	LdapDisabledUsersGroupDN string `yaml:"ldap_disabled_users_group_dn" env:"OCIS_LDAP_DISABLED_USERS_GROUP_DN;GRAPH_DISABLED_USERS_GROUP_DN" desc:"The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'." introductionVersion:"pre5.0"`
 
@@ -90,6 +91,7 @@ type LDAP struct {
 
 	EducationResourcesEnabled bool `yaml:"education_resources_enabled" env:"GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED" desc:"Enable LDAP support for managing education related resources." introductionVersion:"pre5.0"`
 	EducationConfig           LDAPEducationConfig
+	RequireExternalID         bool `yaml:"require_external_id" env:"GRAPH_LDAP_REQUIRE_EXTERNAL_ID" desc:"If enabled, the 'OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID' is used as primary identifier for the provisioning API." introductionVersion:"Curie"`
 }
 
 // LDAPEducationConfig represents the LDAP configuration for education related resources

services/graph/pkg/config/defaults/defaultconfig.go

@@ -101,6 +101,7 @@ func DefaultConfig() *config.Config {
 				UserIDAttribute:           "owncloudUUID",
 				UserTypeAttribute:         "ownCloudUserType",
 				UserEnabledAttribute:      "ownCloudUserEnabled",
+				ExternalIDAttribute:       "owncloudExternalID",
 				DisableUserMechanism:      "attribute",
 				LdapDisabledUsersGroupDN:  "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm",
 				GroupBaseDN:               "ou=groups,o=libregraph-idm",

services/graph/pkg/identity/ldap.go

@@ -72,6 +72,8 @@ type LDAP struct {
 
 	educationConfig educationConfig
 
+	useExternalID bool
+
 	logger *log.Logger
 	conn   ldap.Client
 }
@@ -87,6 +89,7 @@ type userAttributeMap struct {
 	userType       string
 	identities     string
 	lastSignIn     string
+	externalID     string
 }
 
 type ldapAttributeValues map[string][]string
@@ -122,6 +125,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 		userType:       config.UserTypeAttribute,
 		identities:     identitiesAttribute,
 		lastSignIn:     lastSignAttribute,
+		externalID:     config.ExternalIDAttribute,
 	}
 
 	if config.GroupNameAttribute == "" || config.GroupIDAttribute == "" {
@@ -176,6 +180,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 		conn:                    lc,
 		writeEnabled:            config.WriteEnabled,
 		refintEnabled:           config.RefintEnabled,
+		useExternalID:           config.RequireExternalID,
 	}, nil
 }
 
@@ -844,6 +849,7 @@ func (i *LDAP) createUserModelFromLDAP(e *ldap.Entry) *libregraph.User {
 			GivenName:                pointerOrNil(e.GetEqualFoldAttributeValue(i.userAttributeMap.givenName)),
 			Surname:                  &surname,
 			AccountEnabled:           booleanOrNil(e.GetEqualFoldAttributeValue(i.userAttributeMap.accountEnabled)),
+			ExternalID:               pointerOrNil(e.GetEqualFoldAttributeValue(i.userAttributeMap.externalID)),
 		}
 
 		userType := e.GetEqualFoldAttributeValue(i.userAttributeMap.userType)
@@ -887,6 +893,7 @@ func (i *LDAP) userToLDAPAttrValues(user libregraph.User) (map[string][]string,
 		"objectClass":                  {"inetOrgPerson", "organizationalPerson", "person", "top", "ownCloudUser"},
 		"cn":                           {user.GetOnPremisesSamAccountName()},
 		i.userAttributeMap.userType:    {user.GetUserType()},
+		i.userAttributeMap.externalID:  {user.GetExternalID()},
 	}
 
 	if identities, ok := user.GetIdentitiesOk(); ok {
@@ -957,6 +964,7 @@ func (i *LDAP) getUserAttrTypesForSearch() []string {
 		i.userAttributeMap.userType,
 		i.userAttributeMap.identities,
 		i.userAttributeMap.lastSignIn,
+		i.userAttributeMap.externalID,
 	}
 }
 

services/graph/pkg/identity/ldap_education_school.go

@@ -428,7 +428,7 @@ func (i *LDAP) AddUsersToEducationSchool(ctx context.Context, schoolNumberOrID s
 
 	userEntries := make([]*ldap.Entry, 0, len(memberIDs))
 	for _, memberID := range memberIDs {
-		user, err := i.getEducationUserByNameOrID(memberID)
+		user, err := i.getEducationUser(memberID)
 		if err != nil {
 			i.logger.Warn().Str("userid", memberID).Msg("User does not exist")
 			return errorcode.New(errorcode.ItemNotFound, fmt.Sprintf("user '%s' not found", memberID))
@@ -472,7 +472,7 @@ func (i *LDAP) RemoveUserFromEducationSchool(ctx context.Context, schoolNumberOr
 	}
 
 	schoolID := schoolEntry.GetEqualFoldAttributeValue(i.educationConfig.schoolAttributeMap.id)
-	user, err := i.getEducationUserByNameOrID(memberID)
+	user, err := i.getEducationUser(memberID)
 	if err != nil {
 		i.logger.Warn().Str("userid", memberID).Msg("User does not exist")
 		return err

services/graph/pkg/identity/ldap_education_school_test.go

@@ -25,6 +25,7 @@ var eduConfig = config.LDAP{
 	UserEmailAttribute:       "mail",
 	UserNameAttribute:        "uid",
 	UserEnabledAttribute:     "userEnabledAttribute",
+	ExternalIDAttribute:      "externalID",
 	DisableUserMechanism:     "attribute",
 	UserTypeAttribute:        "userTypeAttribute",
 

services/graph/pkg/identity/ldap_education_user.go

@@ -53,14 +53,13 @@ func (i *LDAP) CreateEducationUser(ctx context.Context, user libregraph.Educatio
 }
 
 // DeleteEducationUser deletes a given education user, identified by username or id, from the backend
-func (i *LDAP) DeleteEducationUser(ctx context.Context, nameOrID string) error {
+func (i *LDAP) DeleteEducationUser(ctx context.Context, id string) error {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("DeleteEducationUser")
 	if !i.writeEnabled {
 		return ErrReadOnly
 	}
-	// TODO, implement a proper lookup for education Users here
-	e, err := i.getEducationUserByNameOrID(nameOrID)
+	e, err := i.getEducationUser(id)
 	if err != nil {
 		return err
 	}
@@ -73,13 +72,13 @@ func (i *LDAP) DeleteEducationUser(ctx context.Context, nameOrID string) error {
 }
 
 // UpdateEducationUser applies changes to given education user, identified by username or id
-func (i *LDAP) UpdateEducationUser(ctx context.Context, nameOrID string, user libregraph.EducationUser) (*libregraph.EducationUser, error) {
+func (i *LDAP) UpdateEducationUser(ctx context.Context, id string, user libregraph.EducationUser) (*libregraph.EducationUser, error) {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("UpdateEducationUser")
 	if !i.writeEnabled {
 		return nil, ErrReadOnly
 	}
-	e, err := i.getEducationUserByNameOrID(nameOrID)
+	e, err := i.getEducationUser(id)
 	if err != nil {
 		return nil, err
 	}
@@ -189,10 +188,10 @@ func (i *LDAP) UpdateEducationUser(ctx context.Context, nameOrID string, user li
 }
 
 // GetEducationUser implements the EducationBackend interface for the LDAP backend.
-func (i *LDAP) GetEducationUser(ctx context.Context, nameOrID string) (*libregraph.EducationUser, error) {
+func (i *LDAP) GetEducationUser(ctx context.Context, id string) (*libregraph.EducationUser, error) {
 	logger := i.logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "ldap").Msg("GetEducationUser")
-	e, err := i.getEducationUserByNameOrID(nameOrID)
+	e, err := i.getEducationUser(id)
 	if err != nil {
 		return nil, err
 	}
@@ -257,6 +256,7 @@ func (i *LDAP) educationUserToUser(eduUser libregraph.EducationUser) *libregraph
 	user.Mail = eduUser.Mail
 	user.UserType = eduUser.UserType
 	user.Identities = eduUser.Identities
+	user.ExternalID = eduUser.ExternalID
 
 	return user
 }
@@ -272,6 +272,7 @@ func (i *LDAP) userToEducationUser(user libregraph.User, e *ldap.Entry) *libregr
 	eduUser.Mail = user.Mail
 	eduUser.UserType = user.UserType
 	eduUser.Identities = user.Identities
+	eduUser.ExternalID = user.ExternalID
 
 	if e != nil {
 		// Set the education User specific Attributes from the supplied LDAP Entry
@@ -326,6 +327,7 @@ func (i *LDAP) getEducationUserAttrTypes() []string {
 		i.userAttributeMap.accountEnabled,
 		i.userAttributeMap.userType,
 		i.userAttributeMap.identities,
+		i.userAttributeMap.externalID,
 		i.educationConfig.userAttributeMap.primaryRole,
 		i.educationConfig.memberOfSchoolAttribute,
 	}
@@ -341,6 +343,13 @@ func (i *LDAP) getEducationUserByDN(dn string) (*ldap.Entry, error) {
 	return i.getEntryByDN(dn, i.getEducationUserAttrTypes(), filter)
 }
 
+func (i *LDAP) getEducationUser(nameOrID string) (*ldap.Entry, error) {
+	if i.useExternalID {
+		return i.getEducationUserByExternalID(nameOrID)
+	}
+	return i.getEducationUserByNameOrID(nameOrID)
+}
+
 func (i *LDAP) getEducationUserByNameOrID(nameOrID string) (*ldap.Entry, error) {
 	return i.getEducationObjectByNameOrID(
 		nameOrID,
@@ -353,12 +362,28 @@ func (i *LDAP) getEducationUserByNameOrID(nameOrID string) (*ldap.Entry, error)
 	)
 }
 
+func (i *LDAP) getEducationUserByExternalID(id string) (*ldap.Entry, error) {
+	return i.getEducationObjectByID(
+		id,
+		i.userAttributeMap.externalID,
+		i.userFilter,
+		i.educationConfig.userObjectClass,
+		i.userBaseDN,
+		i.getEducationUserAttrTypes(),
+	)
+}
+
 func (i *LDAP) getEducationObjectByNameOrID(nameOrID, nameAttribute, idAttribute, objectFilter, objectClass, baseDN string, attributes []string) (*ldap.Entry, error) {
 	nameOrID = ldap.EscapeFilter(nameOrID)
 	filter := fmt.Sprintf("(|(%s=%s)(%s=%s))", nameAttribute, nameOrID, idAttribute, nameOrID)
 	return i.getEducationObjectByFilter(filter, baseDN, objectFilter, objectClass, attributes)
 }
 
+func (i *LDAP) getEducationObjectByID(id, idAttribute, objectFilter, objectClass, baseDN string, attributes []string) (*ldap.Entry, error) {
+	filter := fmt.Sprintf("(%s=%s)", idAttribute, id)
+	return i.getEducationObjectByFilter(filter, baseDN, objectFilter, objectClass, attributes)
+}
+
 func (i *LDAP) getEducationObjectByFilter(filter, baseDN, objectFilter, objectClass string, attributes []string) (*ldap.Entry, error) {
 	filter = fmt.Sprintf("(&%s(objectClass=%s)%s)", objectFilter, objectClass, filter)
 	return i.searchLDAPEntryByFilter(baseDN, attributes, filter)

services/graph/pkg/identity/ldap_education_user_test.go

@@ -21,6 +21,7 @@ var eduUserAttrs = []string{
 	"userEnabledAttribute",
 	"userTypeAttribute",
 	"oCExternalIdentity",
+	"externalID",
 	"userClass",
 	"ocMemberOfSchool",
 }
@@ -38,6 +39,7 @@ var eduUserEntry = ldap.NewEntry("uid=user,ou=people,dc=test",
 		},
 		"userTypeAttribute":    {"Member"},
 		"userEnabledAttribute": {"FALSE"},
+		"externalID":           {"ext-ernal-id"},
 	})
 var renamedEduUserEntry = ldap.NewEntry("uid=newtestuser,ou=people,dc=test",
 	map[string][]string{
@@ -52,6 +54,7 @@ var renamedEduUserEntry = ldap.NewEntry("uid=newtestuser,ou=people,dc=test",
 		},
 		"userTypeAttribute":    {"Guest"},
 		"userEnabledAttribute": {"TRUE"},
+		"externalID":           {"ext-ernal-id"},
 	})
 var eduUserEntryWithSchool = ldap.NewEntry("uid=user,ou=people,dc=test",
 	map[string][]string{
@@ -83,6 +86,14 @@ var sr2 *ldap.SearchRequest = &ldap.SearchRequest{
 	Attributes: eduUserAttrs,
 	Controls:   []ldap.Control(nil),
 }
+var sr3 *ldap.SearchRequest = &ldap.SearchRequest{
+	BaseDN:     "ou=people,dc=test",
+	Scope:      2,
+	SizeLimit:  1,
+	Filter:     "(&(objectClass=ocEducationUser)(externalID=ext-ernal-id))",
+	Attributes: eduUserAttrs,
+	Controls:   []ldap.Control(nil),
+}
 
 func TestCreateEducationUser(t *testing.T) {
 	lm := &mocks.Client{}
@@ -106,6 +117,8 @@ func TestCreateEducationUser(t *testing.T) {
 	user.SetPrimaryRole("student")
 	user.SetUserType(("Member"))
 	user.SetAccountEnabled(false)
+	user.SetExternalID("ext-ernal-id")
+
 	eduUser, err := b.CreateEducationUser(context.Background(), *user)
 	lm.AssertNumberOfCalls(t, "Add", 1)
 	lm.AssertNumberOfCalls(t, "Search", 1)
@@ -117,19 +130,22 @@ func TestCreateEducationUser(t *testing.T) {
 	assert.Equal(t, eduUser.GetPrimaryRole(), user.GetPrimaryRole())
 	assert.Equal(t, eduUser.GetUserType(), user.GetUserType())
 	assert.Equal(t, eduUser.GetAccountEnabled(), false)
+	assert.Equal(t, eduUser.GetExternalID(), user.GetExternalID())
 }
 
 func TestDeleteEducationUser(t *testing.T) {
 	lm := &mocks.Client{}
 
 	lm.On("Search", sr1).Return(&ldap.SearchResult{Entries: []*ldap.Entry{eduUserEntry}}, nil)
 	lm.On("Search", sr2).Return(&ldap.SearchResult{Entries: []*ldap.Entry{}}, nil)
+	lm.On("Search", sr3).Return(&ldap.SearchResult{Entries: []*ldap.Entry{eduUserEntry}}, nil)
 	dr1 := &ldap.DelRequest{
 		DN: "uid=user,ou=people,dc=test",
 	}
 	lm.On("Del", dr1).Return(nil)
 	b, err := getMockedBackend(lm, eduConfig, &logger)
 	assert.Nil(t, err)
+
 	err = b.DeleteEducationUser(context.Background(), "abcd-defg")
 	lm.AssertNumberOfCalls(t, "Search", 1)
 	lm.AssertNumberOfCalls(t, "Del", 1)
@@ -140,14 +156,23 @@ func TestDeleteEducationUser(t *testing.T) {
 	lm.AssertNumberOfCalls(t, "Del", 1)
 	assert.NotNil(t, err)
 	assert.Equal(t, "itemNotFound: not found", err.Error())
+
+	b.useExternalID = true
+	err = b.DeleteEducationUser(context.Background(), "ext-ernal-id")
+	lm.AssertNumberOfCalls(t, "Search", 3)
+	lm.AssertNumberOfCalls(t, "Del", 2)
+	assert.Nil(t, err)
 }
 
 func TestGetEducationUser(t *testing.T) {
 	lm := &mocks.Client{}
 	lm.On("Search", sr1).Return(&ldap.SearchResult{Entries: []*ldap.Entry{eduUserEntry}}, nil)
 	lm.On("Search", sr2).Return(&ldap.SearchResult{Entries: []*ldap.Entry{}}, nil)
+	lm.On("Search", sr3).Return(&ldap.SearchResult{Entries: []*ldap.Entry{eduUserEntry}}, nil)
+
 	b, err := getMockedBackend(lm, eduConfig, &logger)
 	assert.Nil(t, err)
+
 	user, err := b.GetEducationUser(context.Background(), "abcd-defg")
 	lm.AssertNumberOfCalls(t, "Search", 1)
 	assert.Nil(t, err)
@@ -158,6 +183,13 @@ func TestGetEducationUser(t *testing.T) {
 	lm.AssertNumberOfCalls(t, "Search", 2)
 	assert.NotNil(t, err)
 	assert.Equal(t, "itemNotFound: not found", err.Error())
+
+	b.useExternalID = true
+	user, err = b.GetEducationUser(context.Background(), "ext-ernal-id")
+	lm.AssertNumberOfCalls(t, "Search", 3)
+	assert.Nil(t, err)
+	assert.Equal(t, "Test User", user.GetDisplayName())
+	assert.Equal(t, "ext-ernal-id", user.GetExternalID())
 }
 
 func TestGetEducationUsers(t *testing.T) {
@@ -179,14 +211,25 @@ func TestGetEducationUsers(t *testing.T) {
 }
 
 func TestUpdateEducationUser(t *testing.T) {
+	testUpdateEducationUser(t, "(&(objectClass=ocEducationUser)(|(uid=testuser)(entryUUID=testuser)))", false, "testuser")
+}
+
+func TestUpdateEducationUserExternalID(t *testing.T) {
+	testUpdateEducationUser(t, "(&(objectClass=ocEducationUser)(externalID=ext-ernal-id))", true, "ext-ernal-id")
+}
+
+func testUpdateEducationUser(t *testing.T, userSearchFilter string, useExternalID bool, id string) {
 	lm := &mocks.Client{}
 	b, err := getMockedBackend(lm, eduConfig, &logger)
 	assert.Nil(t, err)
+
+	b.useExternalID = useExternalID
+
 	userSearchReq := &ldap.SearchRequest{
 		BaseDN:     "ou=people,dc=test",
 		Scope:      2,
 		SizeLimit:  1,
-		Filter:     "(&(objectClass=ocEducationUser)(|(uid=testuser)(entryUUID=testuser)))",
+		Filter:     userSearchFilter,
 		Attributes: eduUserAttrs,
 	}
 	userLookupReq := &ldap.SearchRequest{
@@ -268,15 +311,19 @@ func TestUpdateEducationUser(t *testing.T) {
 	}
 	lm.On("ModifyDN", &modDNReq).Return(nil)
 	lm.On("Modify", &modReq).Return(nil)
+
 	user := libregraph.NewEducationUser()
 	user.SetOnPremisesSamAccountName("newtestuser")
 	user.SetMail("new@mail.org")
 	user.SetAccountEnabled(true)
-	eduUser, err := b.UpdateEducationUser(context.Background(), "testuser", *user)
+	user.SetExternalID("ext-ernal-id")
+
+	eduUser, err := b.UpdateEducationUser(context.Background(), id, *user)
 	assert.NotNil(t, eduUser)
 	assert.Nil(t, err)
 	assert.Equal(t, eduUser.GetOnPremisesSamAccountName(), "newtestuser")
 	assert.Equal(t, "abcd-defg", eduUser.GetId())
 	assert.Equal(t, "Guest", eduUser.GetUserType())
 	assert.Equal(t, eduUser.GetAccountEnabled(), true)
+	assert.Equal(t, "ext-ernal-id", eduUser.GetExternalID())
 }