Use GraphAPI for creating/deleting users and groups in acceptance test

[rhafer]

Summary

With the GraphAPI allowing to manage user and groups now we should adapt our test-suite to use these endpoints for creating user and groups when running the acceptance test. That means basically adapting https://github.com/owncloud/core/blob/master/tests/acceptance/features/bootstrap/Provisioning.php to allow User Management via GraphAPI as another option.

Reasoning

• The GraphAPI is supposed to be the main endpoint for user managment in oCIS
• the user provisioning pieces of the ocs API don't support LDAP based users and the accounts-service based user-management is supposed to go away in the near future.

Howto setup a test env

#3149 gives an overview about how to use the GraphAPI for users and groups

As libregraph/idm is not yet integrated into the single binary ocis build there is a couple of manual step still required to get a test system up for development:

Get and build libregraph/idm

git clone https://github.com/libregraph/idm.git
cd idm/
make

Initialize database an start the libregraph/idm service

Create a file base.ldif with this contents:

dn: dc=owncloud,dc=com
dc: owncloud
o: owncloud
objectClass: organization
objectClass: dcObject

dn: ou=users,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=admin,ou=users,dc=owncloud,dc=com
objectClass: inetOrgPerson
objectClass: ownCloud
uid: admin
givenName: Admin
sn: Admin
cn: admin
displayName: Admin
description: An admin for this oCIS instance.
mail: admin@example.org
ownCloudUUID: ddc2004c-0977-11eb-9d3f-a793888cd0f8
userPassword: admin

Initialize the database:

bin/idmd boltdb --boltdb-file ocis.db load --ldap-base-dn dc=owncloud,dc=com --input-file base.ldif

Generate a self-signed cert (for testing only)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=localhost' -nodes

Start the service:

bin/idmd serve --ldap-handler boltdb --boltdb-file ocis.db --ldap-admin-dn uid=admin,ou=users,dc=owncloud,dc=com --ldap-base-dn dc=owncloud,dc=com --ldap-listen 127.0.0.1:389 --ldaps-listen 127.0.0.1:636 --tls-cert-file cert.pem --tls-key-file key.pem

Start oCIS

The list for required settings it going to get smaller once we intefgrated all the pieces, but for now you'd need to start ocis with the following it environement variables set:

export GRAPH_IDENTITY_BACKEND=ldap
export GRAPH_LDAP_URI=ldap://localhost
export GRAPH_LDAP_BIND_DN="uid=admin,ou=users,dc=owncloud,dc=com"
export GRAPH_LDAP_BIND_PASSWORD=admin
export GRAPH_LDAP_USER_EMAIL_ATTRIBUTE=mail
export GRAPH_LDAP_USER_NAME_ATTRIBUTE=uid
export GRAPH_LDAP_USER_BASE_DN="ou=users,dc=owncloud,dc=com"
export GRAPH_LDAP_GROUP_BASE_DN="ou=groups,dc=owncloud,dc=com"
export GRAPH_LDAP_SERVER_WRITE_ENABLED="true"
export IDP_LDAP_FILTER="(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
export IDP_LDAP_URI=ldap://localhost
export IDP_LDAP_BIND_DN="uid=admin,ou=users,dc=owncloud,dc=com"
export IDP_LDAP_BIND_PASSWORD="admin"
export IDP_LDAP_BASE_DN="dc=owncloud,dc=com"
export IDP_LDAP_LOGIN_ATTRIBUTE=uid
export IDP_LDAP_UUID_ATTRIBUTE="ownclouduuid"
export IDP_LDAP_UUID_ATTRIBUTE_TYPE=binary
export PROXY_ACCOUNT_BACKEND_TYPE=cs3
export OCS_ACCOUNT_BACKEND_TYPE=cs3
export STORAGE_LDAP_HOSTNAME=localhost
export STORAGE_LDAP_PORT=636
export STORAGE_LDAP_INSECURE="true"
export STORAGE_LDAP_BASE_DN="dc=owncloud,dc=com"
export STORAGE_LDAP_BIND_DN="uid=admin,ou=users,dc=owncloud,dc=com"
export STORAGE_LDAP_BIND_PASSWORD=admin
export STORAGE_LDAP_LOGINFILTER='(&(objectclass=inetOrgPerson)(objectclass=owncloud)(|(uid={{login}})(mail={{login}})))'
export STORAGE_LDAP_USERFILTER='(&(objectclass=inetOrgPerson)(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(uid={{.OpaqueId}})))'
export STORAGE_LDAP_USERATTRIBUTEFILTER='(&(objectclass=owncloud)({{attr}}={{value}}))'
export STORAGE_LDAP_FINDFILTER='(&(objectclass=owncloud)(|(uid={{query}}*)(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)(description={{query}}*)))'
export STORAGE_LDAP_GROUPFILTER='(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))'
export OCIS_INSECURE=true
export OCIS_RUN_EXTENSIONS=settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,idp,nats
ocis server

[rhafer]

@ScharfViktor @phil-davis I am not entirely sure about who wants to work on this. But the above issue should give enough information on how to get started with it. (For curl based examples on how to use the endpoints see: #3149

If you have any questions or need help otherwise, just ping me!

[phil-davis]

Notes:
I amongst the core API tests, we currently run the apiProvisioning-v1 and apiProvisioning-v2 test suites.

For example:
https://drone.owncloud.com/owncloud/ocis/9382/23/6

Running apiProvisioning-v1 tests

https://drone.owncloud.com/owncloud/ocis/9382/24/6

Running apiProvisioning-v2 tests
Running apiProvisioningGroups-v1 tests 
Running apiProvisioningGroups-v2

Those test suites explicitly test the provisioning API. So we probably want to leave those running their When steps as they do now. And some time in the future, which of those test scenarios are run can be adjusted if the availability of the Provisionn API changes.

But we can adjust Given steps that create users and groups in scenario setup, and delete users and groups in scenario tear-down so that they optionally use the Graph API endpoints to do it. That can be controlled by some environment variable that we set before running the test-runner - to be successful it of course needs to be running against a system-under-test that has these endpoints available (oCIS). That will give the Graph API endpoints a reasonable workout.

We can add some "local" API tests here in the oCIS repo to explicitly test the Graph API user/group endpoints for scenarios that would not be in "regular scenario setup". For example, change user attributes after user creation, adding/removing group membership after initial creation of users/groups, trying to do "naughty" things (invalid user/group names, trying to do actions without proper authentication credentials...)

[phil-davis]

@rhafer are these endpoints available in cs3org/reva? Or this this only an oCIS feature?

[phil-davis]

I added this issue to the QA test automation backlog project. Unless there is urgency, we can put it in the next QA test automation sprint starting next Monday. That will be to do the core API test changes.

@ScharfViktor I suggest that we create a separate issue for making local API tests that will exercise the whole graph API provisioning endpoints. Then that can be done as an independent task by someone.

[rhafer]

@rhafer are these endpoints available in cs3org/reva? Or this this only an oCIS feature?

As all the /graph/ related bits, this is an oCIS feature. For the reva-only test we need to continue using LDAP directly.

[phil-davis]

Looking at the outstanding work, the part of this for core might need to wait another 2 weeks. Let's see what the current QA sprint looks like that is in planning today.

[micbar]

@phil-davis I raised this to P2. Is that doable for your team?

[ScharfViktor]

Request https://localhost:9200/remote.php/dav/files/admin/ in web is slow

[phil-davis]

@phil-davis I raised this to P2. Is that doable for your team?

yes, no problem. I will talk with the guys in our local standup tomorrow morning and see if anyone can start on it.

[phil-davis]

@Talank @saw-jan if someone is available for this task in the next few days, let me know and we can discuss a plan for the different tasks that can be given to people.

[rhafer]

Request https://localhost:9200/remote.php/dav/files/admin/ in web is slow

@ScharfViktor I've seen this on your machine, but I am not able to reproduce it. If this is still happening of you, could you please open a new issue, with details how you run ocis and a full debug log? (It might be unrelated to idm)

[ScharfViktor]

I created a new issue in which I describe what I found #3247

[ScharfViktor]

Request https://localhost:9200/remote.php/dav/files/admin/ in web is slow

That problem went away when I added nats to OCIS_RUN_EXTENSIONS

[rhafer]

@phil-davis Do you know if anybody already started to work on this?

[phil-davis]

@phil-davis Do you know if anybody already started to work on this?

I am looking at it. I had a talk with Artur just now. I will make some architecture investigations to see how we can set it up a bit "nicely", and make a proof-of-concept...

[kiranparajuli589]

I've made a test setup following the instructions from the issue description.

One thing I bumped into:

• while starting the database service, I to use sudo for bind permissions

Setup

• database service initialized using idmd and base.ldif
• ocis started with the environment mentioned in the setup description + PROXY_ENABLE_BASIC_AUTH for basic auth support while using curl requests

Findings

Users

• curl -k -uadmin:admin 'https://localhost:9200/graph/v1.0/me' working as expected
• curl -k -uadmin:admin 'https://localhost:9200/graph/v1.0/users' | jq working as expected
• Post user

  curl -k -XPOST -uadmin:admin -H "Content-Type: application/json"  -d '{"displayName": "Example User","mail": "example@example.org","onPremisesSamAccountName": "example","passwordProfile": {"password": "ThePassword"}}' https://localhost:9200/graph/v1.0/users -v | jq
  
  *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
  * Server auth using Basic with user 'admin'
  } [5 bytes data]
  > POST /graph/v1.0/users HTTP/1.1
  > Host: localhost:9200
  > Authorization: Basic YWRtaW46YWRtaW4=
  > User-Agent: curl/7.68.0
  > Accept: */*
  > Content-Type: application/json
  > Content-Length: 146
  > 
  } [146 bytes data]
  * upload completely sent off: 146 out of 146 bytes
  { [5 bytes data]
  * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  { [130 bytes data]
  * Mark bundle as not supporting multiuse
  < HTTP/1.1 500 Internal Server Error
  < Content-Length: 357
  < Content-Type: application/json; charset=utf-8
  < Date: Wed, 23 Mar 2022 07:38:01 GMT
  < X-Graph-Version: 3f3956737
  < 
  { [357 bytes data]
  100   503  100   357  100   146   1043    426 --:--:-- --:--:-- --:--:--  1470
  * Connection #0 to host localhost left intact
  {
    "error": {
      "code": "generalException",
      "innererror": {
        "date": "2022-03-23T07:38:01Z",
        "request-id": "kiran-OptiPlex-3050/QEfBXIaw2E-000200"
      },
      "message": "could not assign role to account {\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}"
    }
  }

• But still, the new user is found in the list.

  ❯ curl -k -uadmin:admin 'https://localhost:9200/graph/v1.0/users' | jq
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   283  100   283    0     0   1861      0 --:--:-- --:--:-- --:--:--  1861
  {
    "value": [
      {
        "displayName": "Admin",
        "id": "ddc2004c-0977-11eb-9d3f-a793888cd0f8",
        "mail": "admin@example.org",
        "onPremisesSamAccountName": "admin"
      },
      {
        "displayName": "Example User",
        "id": "07de1e71-930e-4a4f-abc9-398a721fb457",
        "mail": "example@example.org",
        "onPremisesSamAccountName": "example"
      }
    ]
  }

• Now if I try to login using the user example, it is not possible.
  
• Patch: when I now try to update the display name, it is not happy with the email.:

  ❯ curl -k -uadmin:admin 'https://localhost:9200/graph/v1.0/users' | jq
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   283  100   283    0     0   6581      0 --:--:-- --:--:-- --:--:--  6581
  {
    "value": [
      {
        "displayName": "Admin",
        "id": "ddc2004c-0977-11eb-9d3f-a793888cd0f8",
        "mail": "admin@example.org",
        "onPremisesSamAccountName": "admin"
      },
      {
        "displayName": "Example User",
        "id": "07de1e71-930e-4a4f-abc9-398a721fb457",
        "mail": "example@example.org",
        "onPremisesSamAccountName": "example"
      }
    ]
  }
  ❯ curl -k -XPATCH -uadmin:admin -H "Content-Type: application/json"  -d '{"displayName": "Test User"}' https://localhost:9200/graph/v1.0/users/07de1e71-930e-4a4f-abc9-398a721fb457 | jq
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   206  100   178  100    28   4139    651 --:--:-- --:--:-- --:--:--  4790
  {
    "error": {
      "code": "invalidRequest",
      "innererror": {
        "date": "2022-03-23T07:57:13Z",
        "request-id": "kiran-OptiPlex-3050/QEfBXIaw2E-001714"
      },
      "message": "'' is not a valid email address"
    }
  }

  But if I send an email too in the payload, update succeeds:

  ❯ curl -k -XPATCH -uadmin:admin -H "Content-Type: application/json"  -d '{"displayName": "Test User", "mail": "somenew@mail.cc"}' https://localhost:9200/graph/v1.0/users/07de1e71-930e-4a4f-abc9-398a721fb457 | jq
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   189  100   134  100    55   2680   1100 --:--:-- --:--:-- --:--:--  3780
  {
    "displayName": "Test User",
    "id": "07de1e71-930e-4a4f-abc9-398a721fb457",
    "mail": "somenew@mail.cc",
    "onPremisesSamAccountName": "example"
  }

• curl -k -uadmin:admin 'https://localhost:9200/graph/v1.0/users/07de1e71-930e-4a4f-abc9-398a721fb457' works as expected
• When I delete the user example request succeeds with 204 no content
• retrieving deleted user also works as expected.

Groups

• every API works as expected for me.

[kiranparajuli589]

cc @individual-it @rhafer

[rhafer]

I've made a test setup following the instructions from the issue description.

Ok. Cool. Meanwhile the code as evolved a bit and it should be somewhat simpler to start oCIS with a libregraph/idm (e.g. you don't need to manually build libregraph/idm anymore). I just opened #3372 to have a central place of instruction for the current state of affairs. It should end up on https://owncloud.dev/extensions/idm/ after merging and I'll try to keep it updated as the code evolves.

Findings

Users
[..]
* Post user
curl -k -XPOST -uadmin:admin -H "Content-Type: application/json" -d '{"displayName": "Example User","mail": "example@example.org","onPremisesSamAccountName": "example","passwordProfile": {"password": "ThePassword"}}' https://localhost:9200/graph/v1.0/users -v | jq [..] "message": "could not assign role to account {\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}" } }

This is caused by #3343 and should be fixed with: #3371

* Now if I try to login using the user `example`, it is not possible.

That should also caused be fixed by the above PR I think.

* Patch: when I now try to update the display name, it is not happy with the email.:
  ```

[..]
❯ curl -k -XPATCH -uadmin:admin -H "Content-Type: application/json" -d '{"displayName": "Test User"}' https://localhost:9200/graph/v1.0/users/07de1e71-930e-4a4f-abc9-398a721fb457 | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 206 100 178 100 28 4139 651 --:--:-- --:--:-- --:--:-- 4790
{
"error": {
"code": "invalidRequest",
"innererror": {
"date": "2022-03-23T07:57:13Z",
"request-id": "kiran-OptiPlex-3050/QEfBXIaw2E-001714"
},
"message": "'' is not a valid email address"
}
}
```

Hm, I guess that is something I introduced recently. Will provide a fix asap.

* When I delete the user `example` request succeeds with 204 no content

Yeah that's the expected behaviour.

Groups

* every API works as expected for me.

[ScharfViktor]

some points to mention:

• admin user cannot create project space. He get 401 with response: {"error":{"code":"generalException","innererror":{"date":"2022-03-29T13:36:41Z","request-id":"Viktors-Air/odUWtUiDh1-007817"},"message":"insufficient permissions to create a space."}}

[rhafer]

after clean ocis setup, it's working for me too.

some points to mention:

* when trying to create an already existing user, the response body looks good but requests end with 500. (only for users created using the graph API)

Hm, I'll take a look at that.

* users can be created without providing a password profile:

I think that is the desired behaviour. At least unless the user is able to login.

[kiranparajuli589]

• users can be created without providing a password profile:

I think that is the desired behavior. At least unless the user is able to login.

Without a profile password, login should be impossible ;)
Or should we try with random passwords? :)

[kiranparajuli589]

Bug or feature?

1. User can be fetched with the onPremisesSamAccountName value (also case insensitive)
2. User can be deleted with the onPremisesSamAccountName value (also case insensitive)
3. Groups can be fetched with the displayName value (also case insensitive)

   ❯ curl -k -uadmin:admin https://localhost:9200/graph/v1.0/groups/Football%20lovers | jq
     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
   100    78  100    78    0     0    404      0 --:--:-- --:--:-- --:--:--   402
   {
     "displayName": "football lovers",
     "id": "accfd45b-077c-4b69-8f13-f6dd38967436"
   }

4. Groups cannot be deleted with the displayName value
5. Only the admin can update users. the user itself cannot update itself.

[kiranparajuli589]

OCS provisioning API has an endpoint to list all groups assigned to a user.

GET /ocs/v2.php/cloud/users/Alice/groups HTTP/1.1

for the Graph API we have an endpoint to list members of a group, but not one to list groups a member is assigned to.
will this be available in the near future or this is not for implementation 🤔?

[rhafer]

@kiranparajuli589

Bug or feature?

1. User can be fetched with the `onPremisesSamAccountName` value (also case insensitive)

• Yeah, usernames are case-insensitive
• That the GetUser request also works with username is something discussable, I kind of followed the documentation of the MS Graph API, which allows ID or name for GET and DELETE (https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http). I am fine with making the Endpoint with IDs only if that is needed.

2. User can be deleted with the `onPremisesSamAccountName` value (also case insensitive)

See above.

3. Groups can be fetched with the `displayName` value (also case insensitive)
   ```
   ❯ curl -k -uadmin:admin https://localhost:9200/graph/v1.0/groups/Football%20lovers | jq
     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
   100    78  100    78    0     0    404      0 --:--:-- --:--:-- --:--:--   402
   {
     "displayName": "football lovers",
     "id": "accfd45b-077c-4b69-8f13-f6dd38967436"
   }
   ```

Hm, ok that's wrong. As least if looking at the MS docs. Groups should only be accessible by ID. Which admittely is somewhat inconsistent to Users.

4. Groups cannot be deleted with the `displayName` value

5. Only the admin can update users. the user itself cannot update itself.

Yes. That is a current limitation. We might address this in the future

[rhafer]

OCS provisioning API has an endpoint to list all groups assigned to a user.

GET /ocs/v2.php/cloud/users/Alice/groups HTTP/1.1

for the Graph API we have an endpoint to list members of a group, but not one to list groups a member is assigned to. will this be available in the near future or this is not for implementation thinking?

This is going to be address as part of: #3363

[kiranparajuli589]

1. User can be fetched with the `onPremisesSamAccountName` value (also case insensitive)

• Yeah, usernames are case-insensitive
• That the GetUser request also works with username is something discussable, I kind of followed the documentation of the MS Graph API, which allows ID or name for GET and DELETE (https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http). I am fine with making the Endpoint with IDs only if that is needed.

IMO, this feature is nice and also matches with OCS API
One thing, if the user can be deleted/retrieved with a username, then for groups too, it should be the same
cc @phil-davis @individual-it

[kiranparajuli589]

For user-created using the GraphAPI, if we try to edit it using the OCS API,

curl -kv -XPUT -uadmin:admin https://localhost:9200/ocs/v1.php/cloud/users/brand-new-user
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Empty reply from server
* Connection #0 to host localhost left intact

and the server crashes with

{"level":"fatal","service":"ocs","time":"2022-04-06T16:41:19+05:45","message":"cs3 backend doesn't support editing users"}

[rhafer]

@kiranparajuli589 Please create a separate issue for this. (Note: editiing users via OCS should return an error, but obviously not crash the service)

For user-created using the GraphAPI, if we try to edit it using the OCS API,

curl -kv -XPUT -uadmin:admin https://localhost:9200/ocs/v1.php/cloud/users/brand-new-user
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Empty reply from server
* Connection #0 to host localhost left intact

and the server crashes with

{"level":"fatal","service":"ocs","time":"2022-04-06T16:41:19+05:45","message":"cs3 backend doesn't support editing users"}

[kiranparajuli589]

@kiranparajuli589 Please create a separate issue for this. (Note: editiing users via OCS should return an error, but obviously not crash the service)

reported at #3483

[phil-davis]

IMO, this feature is nice and also matches with OCS API
One thing, if the user can be deleted/retrieved with a username, then for groups too, it should be the same
cc @phil-davis @individual-it

The implementation could do more/better than just the MS Graph API defined endpoints/behavior. That will be a design decision for "somebody", and will need to be in documentation "somewhere". Whatever is implemented needs to also be documented, and we need to test the behavior so that those "extra" things don't get forgotten in future and accidentally regress.

[kiranparajuli589]

Update about tests:
So far I've refactored core Provisioning.php to use graph API for Given and Then steps when an env TEST_WITH_GRAPH_API is set as true while running tests.

for acceptance tests, GraphHelper and GraphContext live in the ocis repo, so that, it will be easier to add acceptance tests for the Graph API itself in the near future.

Now, I'm trying to run core API acceptance tests using Graph API with those refactored Given and Then steps in #3404 with owncloud/core#39927.

[micbar]

#3507 was merged

[kiranparajuli589]

#3507 was merged

the ci is still failing with 401 unauthorized while creating users with admin user.
https://drone.owncloud.com/owncloud/ocis/10597/3/4
https://drone.owncloud.com/owncloud/ocis/10597/3/7

[rhafer]

After the merge of of #3476 the we need to adapt the .drone.start in #3404 once more. I am working on that.

[kiranparajuli589]

with #3404, now we run acceptance tests using the GraphAPI for user/group provisioning.