* enhancement: add graph beta listPermissions endpoint
besides the new api endpoint it includes several utilities to simplify the graph api development.
* resolve drive and item id from the request path
* generic pointer and value utilities
* space root detection
* update GetDriveAndItemIDParam signature to return a error
* move errorcode package
* enhancement: add generic error code handling
* fix: rebase
drives.go implemented a local user/group cache (ttl based) to speed up repeated
user and group lookups. This commit moves the implementation to the 'identity' module
to make it usable outside of drives.go.
- Use var for common errors
- Add the addition error message to the Error() output of errorcode.Error
- in PatchEducationSchool() use errorcode.RenderError() to turn the errorcode
in to the right HTTP Status (instead of return 500 always)
Schools can now have a terminationDate set. Schools can only be deleted if the
terminationDate is in the past. Schools without a terminationDate cannot be deleted.
We were using stretchr/testify and test-go/testify inconsitently and
sometimes mixed in the same tests. This can cause very strange issue,
e.g when using things like mock.MatchedBy().
This moves all our code to stretchr/testify, which seems to be far
more active and maintained then test-go/testify.
* enhancement: use reva client pool selectors
register mock service to registry and pass tests
* enhancement: bump reva
* Fix a couple of linter issues
---------
Co-authored-by: Ralf Haferkamp <rhaferkamp@owncloud.com>
When GRAPH_LDAP_SERVER_WRITE_ENABLED=false still allow updates of groups
if a distinct GRAPH_LDAP_GROUP_CREATE_BASE_DN is configured.
Partial-Fix: #6219
When GRAPH_LDAP_SERVER_WRITE_ENABLED is set to false we still allow updates
of the accountEnabled property when OCIS_LDAP_DISABLE_USER_MECHANISM is set
to "group"
Partial-Fix: #6219
As the standard LDAP groups (groupOfNames) require at least one "member"
value to be present in a group, we have workarounds in place that add an
empty member ("") when creating a new group or when removing the last
member from the group. This can cause a race condition when e.g. multiple
request to remove members from a group an running in parallel, as we need
to read the group before we can construct the modification request. If
some other request modified the group (e.g. deleted the 2nd last member)
after we read it, we create non-working modification request.
These changes try to catch those errors and retry the modification
request once.
Fixes: #6170
In Active Directories UUID attributes such as "objectGUID" use a binary
syntax (oposed to the standard UUID syntax defined in RFC4530). This
introduces a flag to enable support for binary UUIDs as the id for users
and groups (similar to what the "users" and "groups" services already
support)
Fixes: #5815
Use access token to lookup session id. The userinfo endpoint does
not return the session id. Also add some debug logging.
Co-authored-by: Christian Richter <crichter@owncloud.com>
Co-authored-by: Michael Barz <mbarz@owncloud.com>
By setting GRAPH_LDAP_GROUP_CREATE_BASE_DN a distinct subtree can be
configured where new LDAP groups are created. That subtree needs to be
subordinate to GRAPH_LDAP_GROUP_BASE_DN. All groups outside for
GRAPH_LDAP_GROUP_CREATE_BASE_DN are considered read-only and only groups
below that DN can be updated and deleted.
This is introduced for a pretty specific usecase where most groups are managed
in an external source (e.g. a read-only replica of an LDAP tree). But we still
want to allow the local administrator to create groups in a writeable subtree
attached to that replica.
Fixes 5603
- Calling POST /graph/v1.0/users with userType not set will create a user as "Member"
- Calling POST /graph/v1.0/users with userType set as "Member" or "Guest" will create a user as "Member" or "Guest"
- Calling POST /graph/v1.0/users with userType set as anything but "Member" or "Guest" returns error
- Calling POST /graph/v1.0/education/users with userType not set will create a user as "Member"
- Calling POST /graph/v1.0/education/users with userType set as "Member" will create a user as "Member" and primary role as parameter specifies
- Calling POST /graph/v1.0/education/users with userType set as "Guest" will create a user as "Guest" and primary role as parameter specifies
- Calling POST /graph/v1.0/education/users with userType not set as anything but "Member" or "Guest" returns error
- Calling PATCH on /users or /education/users will update attribute in the same way as for POST
* graph: Allow updating "surname" and "givenName" of users
Also use attribute getters to lookup the attribute Values instead of fiddling around
with pointers.
* graph: Allow updating education users
Update suppport for education users was still missing.
* A new config option for disabling users with the options "none", "attribute" and "group".
* When set to "none", there will be no enabledAttribute returned in user info and trying to change enabledAttribute will return an error
* Disable/enable group name DN as config parameter
* Adding/removing users to specified group on user update
* Changing log level for service initialization failure to error
* Adding helper methods to check if user is enabled/disabled + tests
Fixes#5554
When refint is enabled on an LDAP server, it will rename all references
to an entity if its DN is modified. If this happens, the member
renames will not be needed, and will also return an error.
This PR does the following:
* Detects the attribute error, and don't return an error.
* Log that the server has been misconfigured.
* Add config value that skips renaming if set.
