revert(partial): "Filter users by tenant, add tenant ids to demo users"

This reverts parts of commit 926a2c2080. The LDAP identity backend of the graph service was supposed to stay single-tenant only. The focus for multi-tenancy should be on the CS3 identity backend. Also lets keep the internal IDM and demo users clean of any multi-tenancy stuff for now.
2026-04-16 13:27:37 -04:00 · 2025-09-02 17:42:08 +02:00
parent bc5547aaaf
commit 07b97fa7ac
7 changed files with 4 additions and 29 deletions
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -328,6 +328,7 @@ config = {
                "OC_LDAP_USER_FILTER": "(objectclass=inetOrgPerson)",
                "OC_LDAP_USER_SCHEMA_ID": "entryUUID",
                "OC_LDAP_DISABLE_USER_MECHANISM": "none",
+                "GRAPH_IDENTITY_BACKEND": "cs3",
                "GRAPH_LDAP_SERVER_UUID": True,
                "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
                "GRAPH_LDAP_REFINT_ENABLED": True,
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -76,7 +76,6 @@ type LDAP struct {
 	UserNameAttribute        string `yaml:"user_name_attribute" env:"OC_LDAP_USER_SCHEMA_USERNAME;GRAPH_LDAP_USER_NAME_ATTRIBUTE" desc:"LDAP Attribute to use for username of users." introductionVersion:"1.0.0"`
 	UserIDAttribute          string `yaml:"user_id_attribute" env:"OC_LDAP_USER_SCHEMA_ID;GRAPH_LDAP_USER_UID_ATTRIBUTE" desc:"LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID." introductionVersion:"1.0.0"`
 	UserIDIsOctetString      bool   `yaml:"user_id_is_octet_string" env:"OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"1.0.0"`
-	UserTenantIDAttribute    string `yaml:"user_tenant_id_attribute" env:"OC_LDAP_USER_SCHEMA_TENANT_ID;GRAPH_LDAP_USER_SCHEMA_TENANT_ID" desc:"LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment." introductionVersion:"%%NEXT%%"`
 	UserTypeAttribute        string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'." introductionVersion:"1.0.0"`
 	UserEnabledAttribute     string `yaml:"user_enabled_attribute" env:"OC_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"1.0.0"`
 	DisableUserMechanism     string `yaml:"disable_user_mechanism" env:"OC_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'." introductionVersion:"1.0.0"`
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -96,7 +96,6 @@ func DefaultConfig() *config.Config {
 				// FIXME: switch this to some more widely available attribute by default
 				//        ideally this needs to	be constant for the lifetime of a users
 				UserIDAttribute:           "openCloudUUID",
-				UserTenantIDAttribute:     "",
 				UserTypeAttribute:         "openCloudUserType",
 				UserEnabledAttribute:      "openCloudUserEnabled",
 				DisableUserMechanism:      "attribute",
--- a/services/graph/pkg/identity/ldap.go
+++ b/services/graph/pkg/identity/ldap.go
@@ -15,7 +15,6 @@ import (
 	"github.com/google/uuid"
 	"github.com/libregraph/idm/pkg/ldapdn"
 	libregraph "github.com/opencloud-eu/libre-graph-api-go"
-	ctxpkg "github.com/opencloud-eu/reva/v2/pkg/ctx"

 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/config"
@@ -81,7 +80,6 @@ type LDAP struct {
 type userAttributeMap struct {
 	displayName    string
 	id             string
-	tenantId       string
 	mail           string
 	userName       string
 	givenName      string
@@ -117,7 +115,6 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 	uam := userAttributeMap{
 		displayName:    config.UserDisplayNameAttribute,
 		id:             config.UserIDAttribute,
-		tenantId:       config.UserTenantIDAttribute,
 		mail:           config.UserEmailAttribute,
 		userName:       config.UserNameAttribute,
 		accountEnabled: config.UserEnabledAttribute,
@@ -617,17 +614,7 @@ func (i *LDAP) FilterUsers(ctx context.Context, oreq *godata.GoDataRequest, filt
 			i.userAttributeMap.displayName, search,
 		)
 	}
-
-	// apply tenant filter if applicable
-	var tenantFilter string
-	if i.userAttributeMap.tenantId != "" {
-		currentUser, ok := ctxpkg.ContextGetUser(ctx)
-		if ok && currentUser.Id.GetTenantId() != "" {
-			tenantFilter = fmt.Sprintf("(%s=%s)", i.userAttributeMap.tenantId, ldap.EscapeFilter(currentUser.Id.GetTenantId()))
-		}
-	}
-
-	userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s%s)", i.userFilter, i.userObjectClass, queryFilter, userFilter, tenantFilter)
+	userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s)", i.userFilter, i.userObjectClass, queryFilter, userFilter)
 	searchRequest := ldap.NewSearchRequest(
 		i.userBaseDN, i.userScope, ldap.NeverDerefAliases, 0, 0, false,
 		userFilter,
--- a/services/idm/ldif/base.ldif.tmpl
+++ b/services/idm/ldif/base.ldif.tmpl
@@ -31,7 +31,6 @@ displayName: Admin
 description: An admin for this OpenCloud instance.
 mail: admin@example.org
 openCloudUUID: {{ .ID }}
-openCloudTenantId: {{ .TenantID }}
 openCloudExternalIdentity:  $ {{ .Issuer }} $ {{ .ID }}
 {{ else -}}
 dn: uid={{ .Name }},ou=sysusers,o=libregraph-idm
--- a/services/idm/ldif/demousers.ldif.tmpl
+++ b/services/idm/ldif/demousers.ldif.tmpl
@@ -15,7 +15,6 @@ mail: alan@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
 openCloudExternalIdentity:  $ {{.}} $ b1f74ec4-dd7e-11ef-a543-03775734d0f7
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==

 dn: uid=lynn,ou=users,o=libregraph-idm
@@ -35,7 +34,6 @@ mail: lynn@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 60708dda-e897-11ef-919f-bbb7437d6ec2
 openCloudExternalIdentity:  $ {{.}} $ 60708dda-e897-11ef-919f-bbb7437d6ec2
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==

 dn: uid=mary,ou=users,o=libregraph-idm
@@ -55,7 +53,6 @@ mail: mary@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
 openCloudExternalIdentity:  $ {{.}} $ 056fc874-dd7f-11ef-ba84-af6fca4b7289
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==

 dn: uid=margaret,ou=users,o=libregraph-idm
@@ -75,7 +72,6 @@ mail: margaret@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
 openCloudExternalIdentity:  $ {{.}} $ 801abee4-dd7f-11ef-a324-83f55a754b62
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==

 dn: uid=dennis,ou=users,o=libregraph-idm
@@ -95,7 +91,6 @@ mail: dennis@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
 openCloudExternalIdentity:  $ {{.}} $ cd88bf9a-dd7f-11ef-a609-7f78deb2345f
-openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==

 dn: cn=users,ou=groups,o=libregraph-idm
--- a/services/idm/pkg/command/server.go
+++ b/services/idm/pkg/command/server.go
@@ -132,7 +132,6 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 		Name     string
 		Password string
 		ID       string
-		TenantID string
 		Issuer   string
 	}

@@ -152,16 +151,12 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 	}

 	if cfg.AdminUserID != "" {
-		adminUser := svcUser{
+		serviceUsers = append(serviceUsers, svcUser{
 			Name:     "admin",
 			Password: cfg.ServiceUserPasswords.OCAdmin,
 			ID:       cfg.AdminUserID,
 			Issuer:   cfg.DemoUsersIssuerUrl,
-		}
-		if cfg.CreateDemoUsers {
-			adminUser.TenantID = "cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b"
-		}
-		serviceUsers = append(serviceUsers, adminUser)
+		})
 	}

 	bdb := &ldbbolt.LdbBolt{}