From dbe40bd7c7e360ad7130d254a255212e28d8a9da Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Tue, 14 Mar 2023 15:58:27 +0100 Subject: [PATCH 1/2] Avoid repeated default role assignments When using the metadata storage (the current default) the default role assignments were recreated at every start of the settings service. Leading to duplicated role assignments Fixes: #3432 --- changelog/unreleased/fix-duplicated-demouser-roles.md | 6 ++++++ services/settings/pkg/store/metadata/store.go | 10 ++++++++++ 2 files changed, 16 insertions(+) create mode 100644 changelog/unreleased/fix-duplicated-demouser-roles.md diff --git a/changelog/unreleased/fix-duplicated-demouser-roles.md b/changelog/unreleased/fix-duplicated-demouser-roles.md new file mode 100644 index 0000000000..6e015198cb --- /dev/null +++ b/changelog/unreleased/fix-duplicated-demouser-roles.md @@ -0,0 +1,6 @@ +Bugfix: Fix default role assignment for demo users + +The roles-assignments for demo users where duplicated with every +restart of the settings service. + +https://github.com/owncloud/ocis/issues/3432 diff --git a/services/settings/pkg/store/metadata/store.go b/services/settings/pkg/store/metadata/store.go index 38a2cb02b8..8081d40cec 100644 --- a/services/settings/pkg/store/metadata/store.go +++ b/services/settings/pkg/store/metadata/store.go @@ -131,11 +131,21 @@ func (s *Store) initMetadataClient(mdc MetadataClient) error { return err } + assIDs, err := mdc.ReadDir(ctx, accountPath(accountUUID)) + if err != nil { + return err + } + if len(assIDs) > 0 { + // There is already a role assignment for this ID, skip to the next + continue + } + ass := &settingsmsg.UserRoleAssignment{ Id: uuid.Must(uuid.NewV4()).String(), AccountUuid: accountUUID, RoleId: roleID, } + b, err := json.Marshal(ass) if err != nil { return err From 46acc8f1ee332d865d5cb24df5f286e8886d8538 Mon Sep 17 00:00:00 2001 
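Review bot: The new guard in services/settings/pkg/store/metadata/store.go skips an account as soon as `len(assIDs) > 0`, so it tests for any existing assignment rather than for the default `roleID`, and the comment "There is already a role assignment for this ID" does not say which is intended. That is the safer direction for privileges, because a role an administrator changed is not reset at restart. It also means an account listed for the admin role that already holds a different assignment is never given it, while an account whose assignments were all removed gets its default role back on the next start. I would state that in the comment, for example `// Any existing assignment for this account, whatever its role, takes precedence over the default; only accounts with no assignment get one.` The read and the later write are separate calls, so two instances starting at once could presumably both see an empty directory and still write duplicates; the loop body continues outside the hunk, so this cannot be confirmed here.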
From: Ralf Haferkamp Date: Tue, 14 Mar 2023 16:05:07 +0100 Subject: [PATCH 2/2] Fix default assigments for demo and admin users When using metadata backend the default role assignments for the demo users where create independed of whether the demo users are were actually requested to be created. This also fixes the name of the env var for enabling the demo users. This was missed when moving from the accounts service to graph/idm for user management. --- services/settings/pkg/config/config.go | 2 +- .../settings/pkg/store/defaults/defaults.go | 56 +++++++++++-------- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/services/settings/pkg/config/config.go b/services/settings/pkg/config/config.go index 031cc7f5dc..f8b7b03b9d 100644 --- a/services/settings/pkg/config/config.go +++ b/services/settings/pkg/config/config.go @@ -32,7 +32,7 @@ type Config struct { TokenManager *TokenManager `yaml:"token_manager"` - SetupDefaultAssignments bool `yaml:"set_default_assignments" env:"SETTINGS_SETUP_DEFAULT_ASSIGNMENTS;ACCOUNTS_DEMO_USERS_AND_GROUPS" desc:"The default role assignments the demo users should be setup."` + SetupDefaultAssignments bool `yaml:"set_default_assignments" env:"SETTINGS_SETUP_DEFAULT_ASSIGNMENTS;IDM_CREATE_DEMO_USERS" desc:"The default role assignments the demo users should be setup."` Context context.Context `yaml:"-"` } diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go index 5d852a1c52..63a73dcd18 100644 --- a/services/settings/pkg/store/defaults/defaults.go +++ b/services/settings/pkg/store/defaults/defaults.go 
@@ -653,30 +653,40 @@ var languageSetting = settingsmsg.Setting_SingleChoiceValue{ // DefaultRoleAssignments returns (as one might guess) the default role assignments func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignment { - return []*settingsmsg.UserRoleAssignment{ - // default admin users - { + assignments := []*settingsmsg.UserRoleAssignment{} + + if cfg.SetupDefaultAssignments { + assignments = []*settingsmsg.UserRoleAssignment{ + // default users with role "user" + { + AccountUuid: "4c510ada-c86b-4815-8820-42cdf82c3d51", + RoleId: BundleUUIDRoleUser, + }, { + AccountUuid: "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c", + RoleId: BundleUUIDRoleUser, + }, { + AccountUuid: "932b4540-8d16-481e-8ef4-588e4b6b151c", + RoleId: BundleUUIDRoleUser, + }, + { + // additional admin user + AccountUuid: "058bff95-6708-4fe5-91e4-9ea3d377588b", // demo user "moss" + RoleId: BundleUUIDRoleAdmin, + }, { + // default users with role "spaceadmin" + AccountUuid: "534bb038-6f9d-4093-946f-133be61fa4e7", + RoleId: BundleUUIDRoleSpaceAdmin, + }, + } + } + + if cfg.AdminUserID != "" { + // default admin user + assignments = append(assignments, &settingsmsg.UserRoleAssignment{ AccountUuid: cfg.AdminUserID, RoleId: BundleUUIDRoleAdmin, - }, - // default users with role "user" - { - AccountUuid: "4c510ada-c86b-4815-8820-42cdf82c3d51", - RoleId: BundleUUIDRoleUser, - }, { - AccountUuid: "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c", - RoleId: BundleUUIDRoleUser, - }, { - AccountUuid: "932b4540-8d16-481e-8ef4-588e4b6b151c", - RoleId: BundleUUIDRoleUser, - }, - // default users with role "spaceadmin" - { - AccountUuid: "058bff95-6708-4fe5-91e4-9ea3d377588b", // demo user "moss" - RoleId: BundleUUIDRoleAdmin, - }, { - AccountUuid: "534bb038-6f9d-4093-946f-133be61fa4e7", - RoleId: BundleUUIDRoleSpaceAdmin, - }, + }) } + + return assignments }
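Review bot: The doc comment kept above `DefaultRoleAssignments` ("returns (as one might guess) the default role assignments") no longer describes the result, which now depends on two settings. With `cfg.SetupDefaultAssignments` set, fixed account UUIDs receive roles, among them `BundleUUIDRoleAdmin` for the demo user "moss" and `BundleUUIDRoleSpaceAdmin` for another. The same commit ties that switch to `IDM_CREATE_DEMO_USERS` in config.go, whose `desc` ("The default role assignments the demo users should be setup.") does not tell an operator that privileged roles are involved. I would replace the comment with `// DefaultRoleAssignments returns the demo users' role assignments (including one admin and one spaceadmin) when cfg.SetupDefaultAssignments is set, followed by the admin role for cfg.AdminUserID when that is non-empty.` and reword the `desc` to match.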