From 9e73b17a403a9283a281495bb3c35246c75c08e9 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 21 Feb 2023 16:51:21 +0100
Subject: [PATCH] idp: Utilize ownCloudUserEnabled Attribute to filter users

This adds support for configuring an LDAP Attribute that can be used as a flag to disallow users to login. We currently default to 'ownCloudUserEnabled' as used in the default configuration of the graph service.
---
 .../unreleased/enhancement-user-disable.md | 7 ++++++
 services/idp/pkg/config/config.go | 5 ++--
 .../idp/pkg/config/defaults/defaultconfig.go | 25 ++++++++++---------
 services/idp/pkg/service/v0/service.go | 17 ++++++++++++-
 4 files changed, 39 insertions(+), 15 deletions(-)
 create mode 100644 changelog/unreleased/enhancement-user-disable.md

diff --git a/changelog/unreleased/enhancement-user-disable.md b/changelog/unreleased/enhancement-user-disable.md
new file mode 100644
index 0000000000..0b8a1c08aa
--- /dev/null
+++ b/changelog/unreleased/enhancement-user-disable.md
@@ -0,0 +1,7 @@
+Enhancement: allow users to be disabled
+
+By setting the `accountEnabled` property to `false` for a user via the graph API. Users
+can be disabled (i.e. they can no longer login)
+
+https://github.com/owncloud/ocis/pull/5588
+https://github.com/owncloud/ocis/pull/5620
diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go
index 85c01c720e..7d3854cccc 100644
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -47,8 +47,9 @@ type Ldap struct {
 UUIDAttribute string `yaml:"uuid_attribute" env:"LDAP_USER_SCHEMA_ID;IDP_LDAP_UUID_ATTRIBUTE" desc:"LDAP User uuid attribute like 'uid'."`
 UUIDAttributeType string `yaml:"uuid_attribute_type" env:"IDP_LDAP_UUID_ATTRIBUTE_TYPE" desc:"LDAP User uuid attribute type like 'text'."`
- Filter string `yaml:"filter" env:"LDAP_USER_FILTER;IDP_LDAP_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'."`
- ObjectClass string `yaml:"objectclass" env:"LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS" desc:"LDAP User ObjectClass like 'inetOrgPerson'."`
+ UserEnabledAttribute string `yaml:"user_enabled_attribute" env:"LDAP_USER_ENABLED_ATTRIBUTE;IDP_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled."`
+ Filter string `yaml:"filter" env:"LDAP_USER_FILTER;IDP_LDAP_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'."`
+ ObjectClass string `yaml:"objectclass" env:"LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS" desc:"LDAP User ObjectClass like 'inetOrgPerson'."`
 }
 
 // Asset defines the available asset configuration.
diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go
index ab9c730e3c..c65dafda06 100644
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
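Review bot: The `desc` tag on the new `UserEnabledAttribute` field does not say how the attribute's value is interpreted, which an operator needs in order to populate the flag correctly; the service.go hunk in this same commit only rejects entries whose attribute equals `FALSE` and admits entries that carry no value at all. Suggested wording: `desc:"LDAP attribute used as a flag telling if the user is enabled. Users whose attribute value is 'FALSE' cannot log in; users without a value are treated as enabled."`. The `Ldap` struct starts before this hunk.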
@@ -111,18 +111,19 @@ func DefaultConfig() *config.Config {
 },
 },
 Ldap: config.Ldap{
- URI: "ldaps://localhost:9235",
- TLSCACert: filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
- BindDN: "uid=idp,ou=sysusers,o=libregraph-idm",
- BaseDN: "ou=users,o=libregraph-idm",
- Scope: "sub",
- LoginAttribute: "uid",
- EmailAttribute: "mail",
- NameAttribute: "displayName",
- UUIDAttribute: "uid",
- UUIDAttributeType: "text",
- Filter: "",
- ObjectClass: "inetOrgPerson",
+ URI: "ldaps://localhost:9235",
+ TLSCACert: filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
+ BindDN: "uid=idp,ou=sysusers,o=libregraph-idm",
+ BaseDN: "ou=users,o=libregraph-idm",
+ Scope: "sub",
+ LoginAttribute: "uid",
+ EmailAttribute: "mail",
+ NameAttribute: "displayName",
+ UUIDAttribute: "uid",
+ UUIDAttributeType: "text",
+ Filter: "",
+ ObjectClass: "inetOrgPerson",
+ UserEnabledAttribute: "ownCloudUserEnabled",
 },
 }
 }
diff --git a/services/idp/pkg/service/v0/service.go b/services/idp/pkg/service/v0/service.go
index ca60923eff..231a802f5f 100644
--- a/services/idp/pkg/service/v0/service.go
+++ b/services/idp/pkg/service/v0/service.go
@@ -171,9 +171,24 @@ func initCS3EnvVars(cs3Addr, machineAuthAPIKey string) error {
 // Init ldap backend vars which are currently not accessible via idp api
 func initLicoInternalLDAPEnvVars(ldap *config.Ldap) error {
 filter := fmt.Sprintf("(objectclass=%s)", ldap.ObjectClass)
+
+ var needsAnd bool
 if ldap.Filter != "" {
- filter = fmt.Sprintf("(&%s%s)", ldap.Filter, filter)
+ filter += ldap.Filter
+ needsAnd = true
 }
+
+ if ldap.UserEnabledAttribute != "" {
+ // Using a (!(enabled=FALSE)) filter here to allow user without
+ // any value for the enable flag to login
+ filter += fmt.Sprintf("(!(%s=FALSE))", ldap.UserEnabledAttribute)
+ needsAnd = true
+ }
+
+ if needsAnd {
+ filter = fmt.Sprintf("(&%s)", filter)
+ }
+
 var defaults = map[string]string{
 "LDAP_URI": ldap.URI,
 "LDAP_BINDDN": ldap.BindDN,
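Review bot: Defaulting `UserEnabledAttribute` to `"ownCloudUserEnabled"` changes the effective user search filter for every deployment, including ones pointed at an external directory whose schema does not define that attribute type. Under RFC 4511 filter evaluation an equality on an attribute type the server does not know is Undefined, and `!` of Undefined stays Undefined, so such a deployment would presumably match no users and every login would fail; that is the safe direction, but it is a behaviour change that neither the changelog entry nor this default documents. A short comment on the new line would help operators, e.g. `// requires the attribute type to exist in the directory schema; set to "" to skip the enabled check`. `DefaultConfig` starts before this hunk.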
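Review bot: The `(!(%s=FALSE))` clause only enforces the disable flag when the IdP's bind account is permitted to read the configured attribute: if a directory ACL hides the attribute from that account, the equality evaluates as though the value were absent, the negation admits the entry, and a disabled user can still log in, so the check fails open on an ACL misconfiguration. The comment above the `filter +=` line should record that dependency, e.g. `// Relies on the bind DN being able to read this attribute; if the directory hides it, the negation admits the user.`. The attribute name is also interpolated into the filter unescaped; since it is operator configuration rather than user input this is tolerable, but a sanity check that it contains none of `(`, `)`, `*`, `\`, `=` before the Sprintf would turn a typo into a clear configuration error instead of a malformed filter. The body of `initLicoInternalLDAPEnvVars` continues past the end of this hunk.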