From b1c50ea5a0a32eb448b27c0224a863b9fae9c5d2 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <r.haferkamp@opencloud.eu>
Date: Wed, 24 Sep 2025 15:55:04 +0200
Subject: [PATCH] feat(graph): validate identity backend value

---
 services/graph/pkg/config/parser/parse.go      | 5 +++++
 services/graph/pkg/config/parser/parse_test.go | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/services/graph/pkg/config/parser/parse.go b/services/graph/pkg/config/parser/parse.go
index 7223df0089..eb400899b1 100644
--- a/services/graph/pkg/config/parser/parse.go
+++ b/services/graph/pkg/config/parser/parse.go
@@ -3,6 +3,7 @@ package parser
 import (
 	"errors"
 	"fmt"
+	"slices"
 
 	"github.com/go-ldap/ldap/v3"
 
@@ -42,6 +43,10 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingJWTTokenError(cfg.Service.Name)
 	}
 
+	if !slices.Contains([]string{"ldap", "cs3"}, cfg.Identity.Backend) {
+		return fmt.Errorf("'%s' is not a valid identity backend	for the 'graph' service", cfg.Identity.Backend)
+	}
+
 	// ensure that the "cs3" identity backend is used in multi-tenant setups
 	if cfg.Commons.MultiTenantEnabled && cfg.Identity.Backend != "cs3" {
 		return fmt.Errorf("Multi-tenant support is enabled. The identity backend must be set to 'cs3' for the 'graph' service.")
diff --git a/services/graph/pkg/config/parser/parse_test.go b/services/graph/pkg/config/parser/parse_test.go
index 0d0ee61ed6..fdb421fec6 100644
--- a/services/graph/pkg/config/parser/parse_test.go
+++ b/services/graph/pkg/config/parser/parse_test.go
@@ -60,4 +60,10 @@ var _ = Describe("Validate", func() {
 		})
 	})
 
+	It("rejcts a setup with an invalid identity backend", func() {
+		cfg.Identity.Backend = "invalid-backend"
+		err := parser.Validate(cfg)
+		Expect(err).To(HaveOccurred())
+		Expect(err).To(MatchError(ContainSubstring("is not a valid identity backend")))
+	})
 })