
ownCloud Infinite Scale: Accounts


This project is under heavy development; it is not in a working state yet!

Install

You can download prebuilt binaries from the GitHub releases or from our download mirrors. For instructions on how to install this on your platform, take a look at our documentation.


Development

Make sure you have a working Go environment, for further reference or a guide take a look at the install instructions. This project requires Go >= v1.13.

git clone https://github.com/owncloud/ocis-accounts.git
cd ocis-accounts

make generate build

./bin/ocis-accounts -h

Security

If you find a security issue please contact [email protected] first.

Contributing

Fork -> Patch -> Push -> Pull Request

License

Apache-2.0

Copyright

Copyright (c) 2019 ownCloud GmbH <https://owncloud.com>


ocis-accounts's Issues

Error not returned in bad gRPC requests

Some gRPC calls don't return a proper error when one is expected:

  • RemoveMember - removing a member that is not in the group doesn't return any error
  • CreateAccount - try to create a user that already exists
  • AddMember - try to add a user that is already in the group

Add error information to responses

Currently an rpc-get call results in a 500 internal server error if a key does not exist. From a caller's perspective it is impossible to distinguish between not found and real failures.

Proposal:

  • Refactor the protobuf definition as described here, i.e. wrap results into XXXResponse envelopes which contain an additional error struct.

  • Instead of directly exposing the generated client, write a wrapper which transparently unpacks the above envelope and does transparent error handling? Though I'm not sure if this would be compatible with micro. Maybe this can be achieved differently?

Email of an Account can be updated to anything

Description

During account creation, if an invalid email is sent in CreateAccountRequest, we get the error message:

 {"id":".","code":400,"detail":"mail '[email protected]_@' must be a valid email","status":"Bad Request"}

But during the Account update, no such email validation is present.

Demonstration:

{
    "Update user with strange data",
    &proto.Account{
        DisplayName:                 "12345",
        PreferredName:               "12345",
        OnPremisesDistinguishedName: "54321",
        UidNumber:                   1000,
        GidNumber:                   1000,
        Mail:                        "[email protected]_@",
    },
},

default users are not created when first starting ocis-accounts

With ocis-accounts now persisting users, ocis needs a way to autoprovision default users.

ocis-accounts should check if the configured accounts folder exists and, if not, create it. It should also create the default users einstein, marie and richard, as well as the system users konnectd and reva.

UI test for update role and permissions

Since now we can update the roles of the user after logging in as admin user we need UI tests for that.
Also, non-admin users should not be able to see the accounts list.

enable accounts by default

The accounts model has an account_enabled flag. In Go, booleans default to false ... so when creating default users they should be enabled.

usernames should be queried case insensitive

➜  core git:(testFixOCISPR409) ✗ micro call com.owncloud.api.accounts AccountsService.ListAccounts "{\"query\":\"on_premises_sam_account_name eq 'Alice' or mail eq 'Alice'\"}"
{
        "accounts": [
                {
                        "id": "Alice",
                        "account_enabled": true,
                        "display_name": "Alice Hansen",
                        "preferred_name": "Alice",
                        "mail": "[email protected]",
                        "password_profile": {},
                        "on_premises_sam_account_name": "Alice"
                }
        ]
}
➜  core git:(testFixOCISPR409) ✗ micro call com.owncloud.api.accounts AccountsService.ListAccounts "{\"query\":\"on_premises_sam_account_name eq 'alice' or mail eq 'alice'\"}"
{}

account deletion should be possible case insensitive

Tested using the ocis single binary in owncloud/ocis#409

  1. create user curl -k -X POST https://localhost:9200/ocs/v1.php/cloud/users -d userid="Phil" -d password="phil" -d email="[email protected]" -d username="Phil"
  2. delete user using different case: curl -k -X DELETE https://localhost:9200/ocs/v1.php/cloud/users/phil
<?xml version="1.0" encoding="UTF-8"?>
<ocs><meta><status>error</status><statuscode>998</statuscode><message>The requested user could not be found</message></meta></ocs>

pass the correct logger down to all handlers

currently the log looks like this:

$ ACCOUNTS_LOG_LEVEL=debug go run cmd/ocis-accounts/main.go server
2020-06-19T17:35:59+02:00 INF Continue without config service=accounts
2020-06-19T17:35:59+02:00 INF Starting server addr=localhost:9180 service=accounts transport=grpc
{"level":"debug","account":{"id":"4c510ada-c86b-4815-8820-42cdf82c3d51","display_name":"Albert Einstein","preferred_name":"einstein","uid_number":20000,"gid_number":30000,"mail":"[email protected]","password_profile":{"password":"$6$rounds=35210$sa1u5Pmfo4cr23Vw$RJNGElaDB1D3xorWkfTEGm2Ko.o2QL3E0cimKx23MNxVWVFSkUUeRoC7FqC4RzYDNQBD6cKzovTEaDD.8TDkD."}},"time":"2020-06-19T17:35:59+02:00","message":"found account"}
{"level":"debug","account":{"id":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c","display_name":"Marie Curie","preferred_name":"marie","uid_number":20001,"gid_number":30000,"mail":"[email protected]","password_profile":{"password":"$6$rounds=81434$sa1u5Pmfo4cr23Vw$W78cyL884GmuvDpxYPvSRBVzEj02T5QhTTcI8Dv4IKvMooDFGv4bwaWMkH9HfJ0wgpEBW7Lp.4Cad0xE/MYSg1"}},"time":"2020-06-19T17:35:59+02:00","message":"found account"}

Multiple users with same emails and username can be created.

Steps to reproduce

  1. Run ocis server
  2. Create a user with curl
❯ curl -X POST https://localhost:9200/ocs/v2.php/cloud/users -u admin:admin -d password=pass -d [email protected] -d username=hellouser -k | xmllint --format -

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   357  100   301  100    56  17705   3294 --:--:-- --:--:-- --:--:-- 21000
<?xml version="1.0" encoding="UTF-8"?>
<ocs>
  <meta>
    <status>ok</status>
    <statuscode>200</statuscode>
    <message>OK</message>
  </meta>
  <data>
    <enabled>true</enabled>
    <id>9846f5ec-fb00-40b7-aafb-57764ab7bd29</id>
    <username>hellouser</username>
    <displayname/>
    <email>[email protected]</email>
  </data>
</ocs>
  3. Create the same user again with the same email and username
❯ curl -X POST https://localhost:9200/ocs/v2.php/cloud/users -u admin:admin -d password=pass -d [email protected] -d username=hellouser -k | xmllint --format -

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   357  100   301  100    56   2370    440 --:--:-- --:--:-- --:--:--  2811
<?xml version="1.0" encoding="UTF-8"?>
<ocs>
  <meta>
    <status>ok</status>
    <statuscode>200</statuscode>
    <message>OK</message>
  </meta>
  <data>
    <enabled>true</enabled>
    <id>5ca0f947-5d3c-4ec2-83f2-a9d99f2f101b</id>
    <username>hellouser</username>
    <displayname/>
    <email>[email protected]</email>
  </data>

Expected behavior

The user should not be created and the response should return an error message.

Actual behavior

Both users are created, but when trying to log in with phoenix we get an error in the server log:

ocis          | 2020-08-05T07:45:33.925180642Z 2020-08-05T07:45:33Z ERR IdentifierIdentityManager: fetch failed to get user from userID error="ldap identifier backend get user error: user does not exist or too many entries returned" service=konnectd
ocis          | 2020-08-05T07:45:33.925301752Z 2020-08-05T07:45:33Z ERR identity manager fetch failed error="IdentifierIdentityManager: identifier error" service=konnectd
ocis          | 2020-08-05T07:45:33.925360848Z 2020-08-05T07:45:33Z DBG userinfo request user not found service=konnectd sub=AOZIJvkWz91iYDCr-t6O_GOpZeEFiX-iBdWK3UCXGaFBli8wEruIIj4vvU1kjxd9hwUCt0NXrCBU0zpAuTepDQ@konnect
ocis          | 2020-08-05T07:45:33.925469282Z 2020-08-05T07:45:33Z DBG  bytes=31 duration=74.259117 method=GET path=/konnect/v1/userinfo proto=HTTP/1.1 request=401b2c55-9c7a-43c6-b95a-ef46ab9d7674 service=konnectd status=404

Accounts/Groups Index not updated after adding new account

Steps to reproduce

  1. Add new user account using the CreateAccount gRPC call
  2. List the available accounts using ListAccount gRPC call

Expected Result

  1. The newly created account is listed in the response

Actual Result

  1. The account is created in the data store but not returned in the response

Explanation

The reason the accounts are not returned in the response is that the indexing used for retrieving groups/accounts from the file system is not updated. So it cannot find the new accounts.

Mentioned https://github.com/owncloud/ocis-accounts/blob/master/pkg/service/v0/groups.go#L327
Tests #32

implement group rpc

While ocis-accounts now persists users, it also needs to persist groups.

It should follow the implementation for the users, which in turn was built with a look at the ms graph api.

  • define group properties and rpcs in account.proto
  • implement rpc calls
    • ListGroups
    • GetGroup
    • CreateGroup
    • UpdateGroup
    • DeleteGroup
    • AddMember
    • RemoveMember
    • ListMembers

see the accounts.proto file for additional links, eg

Open design questions:

Currently we treat groups and users as two resources. Users currently only have the gid_number property, which I added to satisfy ldap queries that an os or eos will make to determine acls and permissions. For additional groups a user is a member of, it will make additional ldap queries, e.g. get all groups the user is a member of. Since that is done via ldap, we can leave fetching this information to ocis-glauth.

In the current protobuf an account has a memberOf property, which is a list of groups ... we can fill that ... but it might become a lot of groups. We could opt to not return the groups by default but only if they are included in the field mask.

Disabled account can still log in

When a user is disabled via WebUI, he can still log in. Checking the file of the user, the key accountEnabled is gone when it's set to false. Not sure if this is a bug in the WebUI or backend.

bleve index still case sensitive

master branch is broken at the moment of this writing (9f6355a)

Steps to reproduce:

  • Start ocis server
  • Create a user using the provisioning API curl -X POST http://localhost:9110/ocs/v1.php/cloud/users -d userid=michael -d password="spaces in my password" -d username="michael" -d displayname="display name" -d email="[email protected]" -d enabled="true" | xmllint --format -
  • Delete the user using a case sensitive ID curl -X DELETE http://localhost:9110/ocs/v1.php/cloud/users/MiChAEl
  • Create the user again using the command from step 2

Expected

  • no error

Actual

  • 2020-09-22T14:48:50+02:00 ERR could not add user error="{\"id\":\"com.owncloud.api.accounts\",\"code\":400,\"detail\":\"account already exists\",\"status\":\"Bad Request\"}" service=ocs userid=michael

Latest working commit is (e55b8ae)
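
Several of the issues above share one root cause: the create path, the update path and the lookups each apply their own rules. Invalid mail is rejected on CreateAccount but accepted on update; ListAccounts queries, deletes and the bleve index compare user names case-sensitively; the same user name and mail can be created twice; and account_enabled silently falls back to Go's false zero value. The following Go example is added here to show those invariants enforced in one place. It is not ocis-accounts code: Store, normalize, validateMail and the map-backed indexes are assumptions standing in for the project's file store and bleve index, and the sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Account keeps only the fields the issues above exercise (constructed for this example).
type Account struct {
	PreferredName  string // login name, matched case-insensitively
	Mail           string
	AccountEnabled bool
}

var ErrInvalidMail = errors.New("mail must be a valid email")
var ErrAlreadyExists = errors.New("account already exists")
var ErrNotFound = errors.New("account not found")

// normalize folds a name or mail address so "Alice" and "alice" hit the same entry.
func normalize(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// validateMail is shared by create and update; it also rejects "Alice <alice@example.com>".
func validateMail(addr string) error {
	parsed, err := mail.ParseAddress(addr)
	if err != nil || parsed.Address != addr {
		return fmt.Errorf("%w: %q", ErrInvalidMail, addr)
	}
	return nil
}

// Store is a hypothetical in-memory stand-in for the accounts backend; it keeps the invariants, not the real on-disk layout.
type Store struct {
	byName map[string]*Account // normalized PreferredName -> account
	byMail map[string]string   // normalized Mail -> normalized PreferredName
}

func NewStore() *Store {
	return &Store{byName: map[string]*Account{}, byMail: map[string]string{}}
}

// CreateAccount validates the mail, refuses duplicates in any letter case and sets AccountEnabled explicitly.
func (s *Store) CreateAccount(name, addr string) (*Account, error) {
	if err := validateMail(addr); err != nil {
		return nil, err
	}
	_, nameTaken := s.byName[normalize(name)]
	_, mailTaken := s.byMail[normalize(addr)]
	if nameTaken || mailTaken {
		return nil, fmt.Errorf("%w: %q / %q", ErrAlreadyExists, name, addr)
	}
	acc := &Account{PreferredName: name, Mail: addr, AccountEnabled: true}
	s.byName[normalize(name)] = acc
	s.byMail[normalize(addr)] = normalize(name)
	return acc, nil
}

// UpdateMail runs the same validation as create, rejects an address another account owns and keeps the index in sync.
func (s *Store) UpdateMail(name, addr string) error {
	if err := validateMail(addr); err != nil {
		return err
	}
	acc, ok := s.byName[normalize(name)]
	if !ok {
		return ErrNotFound
	}
	if owner, dup := s.byMail[normalize(addr)]; dup && owner != normalize(name) {
		return fmt.Errorf("%w: mail %q", ErrAlreadyExists, addr)
	}
	delete(s.byMail, normalize(acc.Mail))
	acc.Mail = addr
	s.byMail[normalize(addr)] = normalize(name)
	return nil
}

// GetByName resolves "Phil", "phil" and "PHIL" to the same record.
func (s *Store) GetByName(name string) (*Account, error) {
	if acc, ok := s.byName[normalize(name)]; ok {
		return acc, nil
	}
	return nil, ErrNotFound
}

// DeleteByName is case-insensitive too and reports a missing user instead of silently doing nothing.
func (s *Store) DeleteByName(name string) error {
	acc, err := s.GetByName(name)
	if err != nil {
		return err
	}
	delete(s.byMail, normalize(acc.Mail))
	delete(s.byName, normalize(name))
	return nil
}

func main() {
	s := NewStore()
	fmt.Println(s.CreateAccount("Alice", "alice@example.com"))
	fmt.Println(s.UpdateMail("ALICE", "alice@example.com_@"), s.DeleteByName("aLiCe"))
}
```

The point of routing every path through normalize and validateMail is that a rule added later (a new mail check, a reserved-name list) automatically applies to create, update, lookup and delete alike; the index keys are the folded values while the stored record keeps the user's original spelling.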
